Comware


Client to site with L2TP/IPSec and IKEV1 And IKEv2

  • 1.  Client to site with L2TP/IPSec and IKEV1 And IKEv2

    Posted Jul 14, 2017 07:16 AM

    Hi,


    Managed to make configuration for client to site:

    - L2TP/IPSec -> Windows 10 compatible(ms-chap-v2)

    - IKEv1 with preshared key(tunnel)

    - IKEv2 with preshared key


    Still I do not understand the ACLs.

    ISP on GE0/0, and the local network on GE0/1 is NATed.

     

    #
     version 7.1.064, Release 0605P13
    #
     sysname normain
    #
     ip pool l2tp1 192.168.15.20 192.168.15.40
    #
     dhcp enable
     dhcp server always-broadcast
    #
     dns proxy enable
    #
     password-recovery enable
    #
    vlan 1
    #
    object-group ip address l2tpkayttajat
    #
    object-group service http1
    #
    object-group service http2
    #
    object-group service https1
    #
    object-group service https2
    #
    object-group service icmp1
    #
    object-group service ikev1
    #
    object-group service l2tppavelut
    #
    dhcp server ip-pool GigabitEthernet0/1
     gateway-list 192.168.16.2
     network 192.168.16.0 mask 255.255.255.0
     address range 192.168.16.230 192.168.16.250
     dns-list 192.168.16.2
    #
    controller Cellular0/0
    #
    interface Aux0
    #
    interface Virtual-Template1
     ppp authentication-mode ms-chap-v2
     remote address pool l2tp1
     ip address 192.168.15.2 255.255.255.0
    #
    interface NULL0
    #
    interface GigabitEthernet0/0
     port link-mode route
     description Multiple_Line
     ip address dhcp-alloc
     packet-filter ipv6 name GigabitEthernet0/0 inbound
     packet-filter name GigabitEthernet0/0 inbound
     packet-filter ipv6 name GigabitEthernet0/0 outbound
     nat outbound
     ipsec apply policy NorVPN
    #
    interface GigabitEthernet0/1
     port link-mode route
     ip address 192.168.16.2 255.255.255.0
    #
    interface Tunnel9 mode ipv4-ipv4
    #
    security-zone name Local
    #
    security-zone name Trust
    #
    security-zone name DMZ
    #
    security-zone name Untrust
    #
    security-zone name Management
    #
     scheduler logfile size 16
    #
    line class aux
     user-role network-admin
    #
    line class tty
     user-role network-operator
    #
    line class vty
     user-role network-operator
    #
    line aux 0
     speed 115200
     user-role network-admin
     screen-length 512
    #
    line vty 0 63
     authentication-mode scheme
     user-role network-operator
    #
     ssh server enable
    #
    acl advanced name GigabitEthernet0/0
     rule 100 permit icmp
     rule 101 permit tcp destination-port eq 443
     rule 102 permit tcp destination-port eq 500
     rule 102 comment VPN ike
     rule 103 permit tcp destination-port eq 4500
     rule 103 comment VPN ike nat
     rule 104 permit udp destination-port eq 500
     rule 104 comment VPN ike
     rule 115 permit udp destination-port eq 4500
     rule 120 permit 50
     rule 130 permit udp destination-port eq 1701
     rule 9999 deny ip
    #
    acl ipv6 advanced name GigabitEthernet0/0
     rule 65534 deny ipv6
    #
    domain system
    #
     domain default enable system
    #
    role name level-0
     description Predefined level-0 role
    #
    role name level-1
     description Predefined level-1 role
    #
    role name level-2
     description Predefined level-2 role
    #
    role name level-3
     description Predefined level-3 role
    #
    role name level-4
     description Predefined level-4 role
    #
    role name level-5
     description Predefined level-5 role
    #
    role name level-6
     description Predefined level-6 role
    #
    role name level-7
     description Predefined level-7 role
    #
    role name level-8
     description Predefined level-8 role
    #
    role name level-9
     description Predefined level-9 role
    #
    role name level-10
     description Predefined level-10 role
    #
    role name level-11
     description Predefined level-11 role
    #
    role name level-12
     description Predefined level-12 role
    #
    role name level-13
     description Predefined level-13 role
    #
    role name level-14
     description Predefined level-14 role
    #
    user-group system
    #
    local-user admin class manage
     password hash $h$6$tRC9AKyVikQqchKp$eLmHWP/R5RKUgzdQSECq7iR1n7Xj5OKG5urFe7uU8Jhs5YrMc+0x/9Mv3UaKskSPn0g31dodFH9rq8RNg9rphQ==
     service-type ssh telnet http https
     authorization-attribute user-role network-admin
    #
    local-user testia class manage
     authorization-attribute user-role network-operator
    #
    local-user salainen123 class network
     password cipher $c$3$973UwDm7PF9vnF4YVJ/zfpq9ld56vpzcoJDd81oK
     service-type ppp
     authorization-attribute user-role network-operator
    #
    local-user testi class network
     password cipher $c$3$jwA28TMl0+LJEvOprCTGTJKokp1WhZ/Q
     service-type advpn
     service-type ike
     service-type lan-access
     service-type portal
     service-type ppp
     service-type sslvpn
     authorization-attribute acl 3000
     authorization-attribute user-role network-operator
     authorization-attribute sslvpn-policy-group norsslvpn
    #
    local-user testi123 class network
     password cipher $c$3$9rX9i8moHKW8bQrzC8HtnNxmms39MZQtFJeB
     service-type portal
     authorization-attribute user-role network-operator
    #
     ipsec logging packet enable
     ipsec logging negotiation enable
    #
    ipsec transform-set NorVPN
     encapsulation-mode transport
     esp encryption-algorithm aes-cbc-256
     esp authentication-algorithm sha1
     ah authentication-algorithm sha256
    #
    ipsec transform-set NorVPNTrans1
     esp encryption-algorithm aes-cbc-256
     esp authentication-algorithm sha256
     ah authentication-algorithm sha256
     pfs dh-group2
    #
    ipsec policy-template NorVPN 65535
     transform-set NorVPN NorVPNTrans1
     ike-profile NorVPN
     ikev2-profile norikev2
     sa duration time-based 3600
     sa duration traffic-based 1843200
     tfc enable
    #
    ipsec policy NorVPN 65535 isakmp template NorVPN
    #
    l2tp-group 1 mode lns
     allow l2tp virtual-template 1
     undo tunnel authentication
     tunnel name NorVPN
    #
     l2tp enable
    #
     ike logging negotiation enable
    #
    ike profile NorVPN
     keychain NorVPN
     keychain norikev2
     local-identity address 0.0.0.0
     match remote identity address 0.0.0.0 0.0.0.0
     proposal 65535 65534
    #
    ike proposal 65534
     encryption-algorithm aes-cbc-256
     dh group2
     authentication-algorithm sha256
     sa duration 28800
    #
    ike proposal 65535
     encryption-algorithm 3des-cbc
     dh group2
     sa duration 28800
    #
    ike keychain NorVPN
     pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Ro0d6ttejVcVKYhJGSAcCdS418csOvQkbFhqdGY1
    #
     ip https enable
    #
     ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
    #
    ikev2 keychain norikev2
     peer norikev2
      address 0.0.0.0 0.0.0.0
      identity key-id 0.0.0.0
      pre-shared-key ciphertext $c$3$qN1rqZZU91Vz37x+d3EWMQxuwJc6NxM8kNYmbH0f
    #
    ikev2 profile norikev2
     authentication-method local pre-share
     authentication-method remote pre-share
     keychain norikev2
     identity local key-id 0.0.0.0
     match remote identity key-id 0.0.0.0
    #
    ikev2 proposal norikev2
     encryption aes-cbc-256
     integrity sha256
     dh group2
    #
    ikev2 policy norikev2
     priority 1
     proposal norikev2
    #
    return

    Any advice for me?

     

    *Addresses, users and passwords are not final.