Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Client to site with L2TP/IPSec and IKEV1 And IKEv2

 
MJaat
Occasional Contributor

Client to site with L2TP/IPSec and IKEV1 And IKEv2

Hi,


Managed to make configuration for client to site:

- L2TP/IPSec -> Windows 10 compatible(ms-chap-v2)

- IKEv1 with preshared key(tunnel)

- IKEv2 with preshared key


Still i do not undestand the ACL's.

ISP on GE0/0 and local natted on GE0/1.

 

#
 version 7.1.064, Release 0605P13
#
 sysname normain
#
 ip pool l2tp1 192.168.15.20 192.168.15.40
#
 dhcp enable
 dhcp server always-broadcast
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
#
object-group ip address l2tpkayttajat
#
object-group service http1
#
object-group service http2
#
object-group service https1
#
object-group service https2
#
object-group service icmp1
#
object-group service ikev1
#
object-group service l2tppavelut
#
dhcp server ip-pool GigabitEthernet0/1
 gateway-list 192.168.16.2
 network 192.168.16.0 mask 255.255.255.0
 address range 192.168.16.230 192.168.16.250
 dns-list 192.168.16.2
#
controller Cellular0/0
#
interface Aux0
#
interface Virtual-Template1
 ppp authentication-mode ms-chap-v2
 remote address pool l2tp1
 ip address 192.168.15.2 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 description Multiple_Line
 ip address dhcp-alloc
 packet-filter ipv6 name GigabitEthernet0/0 inbound
 packet-filter name GigabitEthernet0/0 inbound
 packet-filter ipv6 name GigabitEthernet0/0 outbound
 nat outbound
 ipsec apply policy NorVPN
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.16.2 255.255.255.0
#
interface Tunnel9 mode ipv4-ipv4
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 speed 115200
 user-role network-admin
 screen-length 512
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ssh server enable
#
acl advanced name GigabitEthernet0/0
 rule 100 permit icmp
 rule 101 permit tcp destination-port eq 443
 rule 102 permit tcp destination-port eq 500
 rule 102 comment VPN ike
 rule 103 permit tcp destination-port eq 4500
 rule 103 comment VPN ike nat
 rule 104 permit udp destination-port eq 500
 rule 104 comment VPN ike
 rule 115 permit udp destination-port eq 4500
 rule 120 permit 50
 rule 130 permit udp destination-port eq 1701
 rule 9999 deny ip
#
acl ipv6 advanced name GigabitEthernet0/0
 rule 65534 deny ipv6
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$tRC9AKyVikQqchKp$eLmHWP/R5RKUgzdQSECq7iR1n7Xj5OKG5urFe7uU8Jhs5YrMc+0x/9Mv3UaKskSPn0g31dodFH9rq8RNg9rphQ== service-type ssh telnet http https authorization-attribute user-role network-admin # local-user testia class manage authorization-attribute user-role network-operator # local-user salainen123 class network password cipher $c$3$973UwDm7PF9vnF4YVJ/zfpq9ld56vpzcoJDd81oK service-type ppp authorization-attribute user-role network-operator # local-user testi class network password cipher $c$3$jwA28TMl0+LJEvOprCTGTJKokp1WhZ/Q service-type advpn service-type ike service-type lan-access service-type portal service-type ppp service-type sslvpn authorization-attribute acl 3000 authorization-attribute user-role network-operator authorization-attribute sslvpn-policy-group norsslvpn # local-user testi123 class network password cipher $c$3$9rX9i8moHKW8bQrzC8HtnNxmms39MZQtFJeB service-type portal authorization-attribute user-role network-operator # ipsec logging packet enable ipsec logging negotiation enable # ipsec transform-set NorVPN encapsulation-mode transport esp encryption-algorithm aes-cbc-256 esp authentication-algorithm sha1 ah authentication-algorithm sha256 # ipsec transform-set NorVPNTrans1 esp encryption-algorithm aes-cbc-256 esp authentication-algorithm sha256 ah authentication-algorithm sha256 pfs dh-group2 # ipsec policy-template NorVPN 65535 transform-set NorVPN NorVPNTrans1 ike-profile NorVPN ikev2-profile norikev2 sa duration time-based 3600 sa duration traffic-based 1843200 tfc enable # ipsec policy NorVPN 65535 isakmp template NorVPN # l2tp-group 1 mode lns allow l2tp virtual-template 1 undo tunnel authentication tunnel name NorVPN # l2tp enable # ike logging negotiation enable # ike profile NorVPN keychain NorVPN keychain norikev2 local-identity address 0.0.0.0 match remote identity address 0.0.0.0 0.0.0.0 proposal 65535 65534 # ike proposal 65534 encryption-algorithm aes-cbc-256 dh group2 authentication-algorithm sha256 sa duration 28800 # ike proposal 65535 encryption-algorithm 3des-cbc dh group2 sa duration 28800 # ike keychain NorVPN pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Ro0d6ttejVcVKYhJGSAcCdS418csOvQkbFhqdGY1 # ip https enable # ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo # ikev2 keychain norikev2 peer norikev2 address 0.0.0.0 0.0.0.0 identity key-id 0.0.0.0 pre-shared-key ciphertext $c$3$qN1rqZZU91Vz37x+d3EWMQxuwJc6NxM8kNYmbH0f # ikev2 profile norikev2 authentication-method local pre-share authentication-method remote pre-share keychain norikev2 identity local key-id 0.0.0.0 match remote identity key-id 0.0.0.0 # ikev2 proposal norikev2 encryption aes-cbc-256 integrity sha256 dh group2 # ikev2 policy norikev2 priority 1 proposal norikev2 # return

Any advices for me?

 

*Addresses, users and passworss are not final.