HPE Community
Comware Based
1752618 Members
4312 Online
108788 Solutions
New Discussion

Client to site with L2TP/IPSec and IKEV1 And IKEv2

 
MJaat
Occasional Advisor

‎07-14-2017 04:15 AM - edited ‎07-14-2017 04:58 AM

‎07-14-2017 04:15 AM - edited ‎07-14-2017 04:58 AM

Client to site with L2TP/IPSec and IKEV1 And IKEv2

Hi,


Managed to make configuration for client to site:

- L2TP/IPSec -> Windows 10 compatible(ms-chap-v2)

- IKEv1 with preshared key(tunnel)

- IKEv2 with preshared key


Still i do not undestand the ACL's.

ISP on GE0/0 and local natted on GE0/1.

 

#
 version 7.1.064, Release 0605P13
#
 sysname normain
#
 ip pool l2tp1 192.168.15.20 192.168.15.40
#
 dhcp enable
 dhcp server always-broadcast
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
#
object-group ip address l2tpkayttajat
#
object-group service http1
#
object-group service http2
#
object-group service https1
#
object-group service https2
#
object-group service icmp1
#
object-group service ikev1
#
object-group service l2tppavelut
#
dhcp server ip-pool GigabitEthernet0/1
 gateway-list 192.168.16.2
 network 192.168.16.0 mask 255.255.255.0
 address range 192.168.16.230 192.168.16.250
 dns-list 192.168.16.2
#
controller Cellular0/0
#
interface Aux0
#
interface Virtual-Template1
 ppp authentication-mode ms-chap-v2
 remote address pool l2tp1
 ip address 192.168.15.2 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 description Multiple_Line
 ip address dhcp-alloc
 packet-filter ipv6 name GigabitEthernet0/0 inbound
 packet-filter name GigabitEthernet0/0 inbound
 packet-filter ipv6 name GigabitEthernet0/0 outbound
 nat outbound
 ipsec apply policy NorVPN
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.16.2 255.255.255.0
#
interface Tunnel9 mode ipv4-ipv4
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 speed 115200
 user-role network-admin
 screen-length 512
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ssh server enable
#
acl advanced name GigabitEthernet0/0
 rule 100 permit icmp
 rule 101 permit tcp destination-port eq 443
 rule 102 permit tcp destination-port eq 500
 rule 102 comment VPN ike
 rule 103 permit tcp destination-port eq 4500
 rule 103 comment VPN ike nat
 rule 104 permit udp destination-port eq 500
 rule 104 comment VPN ike
 rule 115 permit udp destination-port eq 4500
 rule 120 permit 50
 rule 130 permit udp destination-port eq 1701
 rule 9999 deny ip
#
acl ipv6 advanced name GigabitEthernet0/0
 rule 65534 deny ipv6
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$tRC9AKyVikQqchKp$eLmHWP/R5RKUgzdQSECq7iR1n7Xj5OKG5urFe7uU8Jhs5YrMc+0x/9Mv3UaKskSPn0g31dodFH9rq8RNg9rphQ==
 service-type ssh telnet http https
 authorization-attribute user-role network-admin
#
local-user testia class manage
 authorization-attribute user-role network-operator
#
local-user salainen123 class network
 password cipher $c$3$973UwDm7PF9vnF4YVJ/zfpq9ld56vpzcoJDd81oK
 service-type ppp
 authorization-attribute user-role network-operator
#
local-user testi class network
 password cipher $c$3$jwA28TMl0+LJEvOprCTGTJKokp1WhZ/Q
 service-type advpn
 service-type ike
 service-type lan-access
 service-type portal
 service-type ppp
 service-type sslvpn
 authorization-attribute acl 3000
 authorization-attribute user-role network-operator
 authorization-attribute sslvpn-policy-group norsslvpn
#
local-user testi123 class network
 password cipher $c$3$9rX9i8moHKW8bQrzC8HtnNxmms39MZQtFJeB
 service-type portal
 authorization-attribute user-role network-operator
#
 ipsec logging packet enable
 ipsec logging negotiation enable
#
ipsec transform-set NorVPN
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
 ah authentication-algorithm sha256
#
ipsec transform-set NorVPNTrans1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 ah authentication-algorithm sha256
 pfs dh-group2
#
ipsec policy-template NorVPN 65535
 transform-set NorVPN NorVPNTrans1
 ike-profile NorVPN
 ikev2-profile norikev2
 sa duration time-based 3600
 sa duration traffic-based 1843200
 tfc enable
#
ipsec policy NorVPN 65535 isakmp template NorVPN
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name NorVPN
#
 l2tp enable
#
 ike logging negotiation enable
#
ike profile NorVPN
 keychain NorVPN
 keychain norikev2
 local-identity address 0.0.0.0
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 65535 65534
#
ike proposal 65534
 encryption-algorithm aes-cbc-256
 dh group2
 authentication-algorithm sha256
 sa duration 28800
#
ike proposal 65535
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 28800
#
ike keychain NorVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Ro0d6ttejVcVKYhJGSAcCdS418csOvQkbFhqdGY1
#
 ip https enable
#
ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
#
ikev2 keychain norikev2
 peer norikev2
  address 0.0.0.0 0.0.0.0
  identity key-id 0.0.0.0
  pre-shared-key ciphertext $c$3$qN1rqZZU91Vz37x+d3EWMQxuwJc6NxM8kNYmbH0f
#
ikev2 profile norikev2
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain norikev2
 identity local key-id 0.0.0.0
 match remote identity key-id 0.0.0.0
#
ikev2 proposal norikev2
 encryption aes-cbc-256
 integrity sha256
 dh group2
#
ikev2 policy norikev2
 priority 1
 proposal norikev2
#
return

Any advices for me?

 

*Addresses, users and passworss are not final.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.