Академический Документы
Профессиональный Документы
Культура Документы
iii
DVPN Configuration
Support for some commands may vary with device models. For relevant information, refer to the
corresponding command manual.
The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring DVPN, go to these sections for information you are interested in:
z
DVPN Overview
DVPN Overview
Nowadays, more and more enterprises are demanding for virtual private networks (VPNs) to connect
their branches across the public network. However, branches of an enterprise usually use dynamically
assigned IP addresses to access the public network and each of them has no way to know the public
IP addresses of the other branches in advance. This makes it difficult for establishing VPNs. Dynamic
virtual private network (DVPN) is intended to address this issue.
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address
Management (VAM) protocol, making VPN establishment available between enterprise branches that
use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network form a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels which are used as the virtual
channels between subnets of an intranet constitute the network layer. Branch devices dynamically
access the public network. DVPN can get the public IP addresses of the peers through VAM to set up
secure internal tunnels conveniently.
When a DVPN device forwards a packet from a user subnet to another, it performs these operations:
1)
Obtaining the next hop on the private network through a routing protocol.
2)
Inquiring the public network address of the next hop through the VAM protocol.
3)
Encapsulating the packet, using the public address as the destination address of the tunnel.
4)
1-1
DVPN node
A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN
node takes part in tunnel setup and must implement VAM client.
VAM server
A VAM server receives registration information from DVPN nodes and manages and maintains
information about DVPN clients. Currently, a VAM server is usually a high performance routing device
with VAM server enabled.
VAM client
A VAM client registers its private address, public address, and VAM ID with the VAM server and
obtains information about other VAM clients from the VAM server. The VAM client function must be
implemented on DVPN nodes. Unless otherwise noted, the term VAN client in this document refers
to a Hub or a Spoke.
Hub
A Hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing
information. A Hub in a Hub-Spoke network is also a data forwarding center.
Spoke
A Spoke is a type of VAM client. Usually acting as the gateway of a branch office, a Spoke does not
forward data received from other DVPN nodes.
AAA server
An Authentication, Authorization, and Accounting (AAA) server is used for user authentication and
accounting.
Operation of DVPN
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack,
DVPN uses UDP as its transport layer protocol.
A DVPN consists of one server and multiple clients. The public address of the server in a DVPN must
be static. The private address of a client needs to be statically assigned, while the public address of a
client can be manually configured or dynamically assigned. All the private addresses of the nodes
composing a DVPN must belong to the same network segment.
Each client registers the mapping of its private address and public address with the server. After a
client registers its address mapping with the server, other clients can get the public address of this
client from the server. This is for DVPN tunnel establishment between clients. Each client uses the
VAM protocol to communicate with the server and uses the DVPN tunneling protocol to establish,
maintain, and remove tunnels to other clients. Whenever there is a change in the topology, the server
will be notified automatically.
Full mesh DVPN: In a full mesh DVPN, Spokes can communicate with each other directly by
establishing tunnels between them, and the Hub is mainly used as the routing information
exchange center. As shown in Figure 1-1, after the Spokes (the clients) register with the VAM
server and get the Hub information in the VPN domain, they establish permanent tunnels with the
Hub. Any two Spokes can establish a tunnel directly between them, which is dynamic and will be
aged out if no data exchange occurs on it during the specified period of time (the idle timeout for
the Spoke-Spoke tunnel).
1-2
Hub
Hub-Spoke
Public network
Spoke 1
Spoke 2
Spoke-Spoke
Data
Site 1
Site 2
Hub-Spoke DVPN. In a Hub-Spoke DVPN, no tunnel can be established between two Spokes,
and data between them has to be forwarded through the Hub. That is, the Hub is used as both the
routing information exchange center and the data forwarding center. As shown in Figure 1-2,
each Spoke establishes a permanent tunnel with the Hub, and data between Spokes is forwarded
through the Hub.
Hub
Public network
ta
Da
Da
ta
Hub-Spoke
Spoke 1
Spoke 2
Site 1
Site 2
Implementation of DVPN
DVPN works in three phases: connection initialization, registration, and tunnel establishment. The
following is a brief description of the phases:
If so, they negotiate the packet encryption and integrity validation algorithms, generate the keys, and
acknowledge the negotiated result. After the connection initialization process completes, the client
proceeds with the registration phase. Figure 1-3 shows the initialization process.
Figure 1-3 Initialization process
Client
Server
1) Connection request
2) Connection response
3) Negotiation acknowledgement
4) Negotiation acknowledgement
2)
The client sends the server a connection request, which carries the supported encryption and
integrity validation algorithms.
3)
Upon reception of the connection request, the server and the client begin to negotiate the
algorithms to be used, with the server dominating the negotiation. When negotiating an algorithm
to be used, the VAM server first compares the algorithm of the highest priority on its own
algorithm list against the algorithm list of the client. If a match is found, the algorithm is used. If not,
the server compares its next-highest priority algorithm against the list. The operation continues
until a match is found or all the algorithms on the servers algorithm list have been compared. If a
match is found, the server sends to the client a connection response, which carries the
negotiation result, and at the same time, the server and the client generate the encryption key and
integrity validation key.
4)
The client and server respectively checks whether the algorithm negotiation and key negotiation
are successful through the negotiation acknowledge packets.
Registration phase
Figure 1-4 Registration process
The client sends the server a registration request, which carries information about the client.
2)
Upon reception of the registration request, the server first determines whether to authenticate the
identity of the client. If identity authentication is not required, the server directly registers the client
and sends the client a registration acknowledgement. Otherwise, the server sends the client an
identity authentication request, indicating the required authentication algorithm. In the case of
CHAP authentication, a random number is also sent.
3)
4)
After receiving the identity information of the client, the server sends an authentication request to
the AAA server and, after receiving the expected authentication acknowledgement, sends an
accounting request to the AAA server. When the server receives the accounting
acknowledgement, it sends the client a registration acknowledgement, telling the client
information about the Hubs in the VPN.
Hub
1) Tunnel establishment request
2) Tunnel established
Spoke
Spoke
1) Tunnel establishment request
2) Tunnel established
2)
Hub-Spoke tunnel: After a Spoke registers itself successfully, it needs to establish a permanent
tunnel with each Hub in the VPN. Upon receiving the registered information of the hubs from the
server, the Spoke checks whether a tunnel is present to each Hub. If no tunnel exists between the
Spoke and a Hub, the Spoke sends a tunnel establishment request to the Hub.
Hub-Hub tunnel: After a Hub registers itself successfully, the server sends the registered
information of the other Hubs in the VPN to the Hub and the Hub checks whether a tunnel exists
to each of its peer Hubs. If not, the Hub sends a tunnel establishment request to the peer Hub.
Spoke-Spoke tunnel: In a full mesh network, when a Spoke receives a data packet but finds no
tunnel for forwarding the packet, it sends an address resolution request to the server and then,
after receiving the resolved address, sends a tunnel establishment request to the peer Spoke.
3)
The tunnel establishment request receiver saves the tunnel establishment information and sends
a response to the sender. If the request sender receives the response, a tunnel is established.
Otherwise, tunnel establishment attempt fails.
If neither of the two Spokes is behind a NAT gateway, a direct tunnel will be established between
them.
If only the tunnel initiator resides behind a NAT gateway, a Spoke-Spoke tunnel can be
established traversing the NAT gateway.
1-5
If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a Hub
before the intended receiver originates a tunnel establishment request.
If both Spokes reside behind NAT gateways, no tunnel can be established between them and
packets between them will be forwarded by a Hub.
Identity authentication of the VAM server and VAM client using the pre-shared key
A VAM client and the VAM server must be configured with the same pre-shared key to generate the
encryption/integrity validation key. The VAM client/VAM server can determine whether the pre-shared
keys of both sides are the same by checking the result of packet decryption and integrity validation, so
as to implement identity authentication of the VAM server/VAM client.
Remarks
Configuring AAA
Optional
Required
Required
Optional
1-6
Required
Required
Configuring AAA
A VAM server can employ AAA to authenticate the identities of clients accessing a VPN domain. For
AAA configuration, refer to AAA RADIUS HWTACACS Configuration in the Security Volume.
Remarks
Required
Required
Required
Optional
Optional
Required
Required
Optional
system-view
Remarks
Required
vam server vpn vpn-name
No VPN domain exists by default.
system-view
Enable VAM server for
vpn vpn-name }
Remarks
Required
Use either approach.
Disabled by default
server enable
1-7
Remarks
system-view
Required
[ port port-number ]
A VAM server listens to packets sent from VAM clients on only the configured IP address and UDP
port. A VAM server uses the same listening IP address and UDP port for all VPN domains.
Remarks
system-view
Optional
authentication-algorithm { none
| { md5 | sha-1 } * }
encryption-algorithm { { 3des |
aes-128 | des } * | none }
1-8
In the connection initialization process, SHA-1 is always used for authenticating connection
requests from clients and connection responses from the server. Whether subsequent protocol
packets are to be authenticated and what algorithms are available for authentication depend on
your configuration.
In the connection initialization process, AES-128 is always used for encrypting connection
requests from clients and connection responses from the server. Whether subsequent protocol
packets are to be encrypted and what algorithms are available for encryption depend on your
configuration.
The configuration order of the algorithms determines the priorities of the algorithms.
Remarks
system-view
Required
By default, a VAM server
authentication mode
Remarks
system-view
Required
IP addresses
[ public-ip public-ip-address ]
1-9
The public IP address is optional. When a Hub registers, the VAM server will get the public
address of the Hub. If you specify both the private and public addresses of a Hub on the server,
the server considers a client being a valid Hub only when both the public and private addresses
that the client registers with the server match those configured on the server.
Currently, up to two Hubs and 200 Spokes can be configured in a VPN domain.
Remarks
system-view
key-string
Required
No pre-shared key exists by
default.
Remarks
system-view
Optional
10 seconds by default
Set the maximum number of
transmission attempts
Optional
keepalive retry retry-times
3 by default
1-10
Your keepalive settings only apply to the clients registered after the configuration. The clients
registered before that continue to use the old settings.
Remarks
Required
Optional
Required
Optional
Optional
Required
Required
Required
Remarks
system-view
Required
vam client name client-name
No client is created by default.
Remarks
system-view
1-11
Optional
The maximum number of attempts to retransmit a VAM protocol packet is always 3; it is unmodifiable.
Remarks
system-view
Required
Remarks
system-view
Required
Remarks
system-view
1-12
Required
simple } string
Remarks
system-view
Required
vpn vpn-name
Remarks
system-view
Required
key-string
In a VPN domain, all the VAM clients and the VAM server must be configured with the same
pre-shared key.
1-13
To do
system-view
Enable VAM client for
Remarks
name client-name }
Required
Use either approach.
Disabled by default
client-name
VAM client
client enable
Configuration Prerequisites
Complete these tasks before configuring an IPsec profile:
z
For detailed configuration information about IPsec and IKE, refer to IPsec Configuration in the Security
Volume.
Configuration Procedure
Follow the following steps to configure an IPsec profile:
To do
Enter system view
Remarks
Required
proposal proposal-name&<1-6>
ike-peer peer-name
1-14
Optional
By default, PFS is not used for
Enable and configure perfect
negotiation.
dh-group5 | dh-group14 }
sa duration { time-based
seconds | traffic-based kilobytes }
An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec
proposals. IKE searches for IPsec proposals that match at both ends during negotiation. If no
match is found, SAs cannot be established and the packets requiring IPsec protection will be
discarded.
When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote
end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH)
group; otherwise, the negotiation will fail.
When an IPsec profile is used to protect DVPN traffic, the IPsec proposals referenced by the
IPsec profile must be configured to use the ESP protocol.
As DVPN addresses are dynamic, the setting by the remote-address keyword for the IKE peer
that an IPsec profile references does not take effect on the initiator.
For information about commands ipsec profile, proposal, ike-peer, pfs and sa duration, refer
to IPsec Commands in the Security Volume.
For information about global SA lifetime, refer to IPsec Configuration in the Security Volume.
Configuration Procedure
Follow these steps to configure a DVPN tunnel:
To do
Enter system view
1-15
Remarks
Required
Create a tunnel interface and enter
its view
mask-length } [ sub ]
source { ip-address |
interface-type interface-number }
up.
vam client client-name
The client to be bound must exist
and has not been bound to any
other tunnel interface.
No VAM client is bound to a DVPN
tunnel interface by default.
Optional
The defaults are as follows:
Optional
Spoke-Spoke tunnel
time-interval
Optional
period
time-interval
1-16
Required
Not specified by default
Specify the network type of the
OSPF interface
p2mp }
ip binding vpn-instance
a VPN instance
vpn-instance-name
1-17
If you configure the source address of a tunnel interface by specifying the source interface, the
tunnel takes the primary IP address of the source interface as its source address.
Tunnel interfaces of the same VPN domain must be configured with private addresses in the
same segment.
Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive
interval and transmission attempt limit.
A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile
referenced by a DVPN tunnel interface, you need to cancel the reference of the current IPsec
profile and then apply a new IPsec profile to the tunnel interface.
When configuring the network type of an OSPF interface, select broadcast for a full mesh network
and P2MP for a Hub-Spoke network.
For details about commands interface tunnel, tunnel-protocol, and source, refer to Tunneling
Commands of the IP Services Volume. For information about command ipsec profile, refer to
IPsec Commands in the Security Volume.
For details about the ospf network-type and ospf dr-priority commands, refer to OSPF
Commands of the IP Routing Volume.
For details about VPN multi-instance configuration, refer to MPLS L3VPN Configuration of the
MPLS Volume.
Configuring Routing
After you establish private networks across the public network using DVPN, you need to perform
routing configuration for devices in the private networks. In private networks of this type, route-related
operations, such as neighbor discovery, route updating, routing table establishment, are done over
DVPN tunnels. Routing information is exchanged between Hubs or Hubs and Spokes; it is not
exchanged between Spokes. Currently, OSPF can be used in DVPN networks.
For information about OSPF configuration on DVPN clients, refer to OSPF Configuration in the IP
Routing Volume.
Remarks
1-18
interface interface-type
tunnels
interface-number [ private-ip
ip-address ] }
Display information about a
profile-name ]
interface interface-type
interface-number [ private-ip
ip-address ] }
For information about command display ipsec profile, refer to IPsec Commands in the Security
Volume.
In the full mesh networks shown in Figure 1-6, the primary VAM server (main) and the secondary
VAM server (backup) manage and maintain information about the nodes. The AAA server takes
charge of VAM client authentication and accounting. With each being the backup of the other, the
two Hubs perform data forwarding and routing information exchange.
Spokes in the same VPN exchange data through dynamically established tunnels between them.
1-19
Tunnel1
Tunnel2
Hub 2
Eth1/1
Eth1/1
Tunnel1
Tunnel2
AAA server
IP network
Eth1/1
Tunnel1
Eth1/1
Eth1/1
Hub 2
Main server
Backup server
AAA server
Interface
Eth1/1
Tunnel1
Tunnel2
Eth1/1
Tunnel1
Tunnel2
Eth1/1
Eth1/1
Eth1/1
Eth1/2
Site 1
Device
Hub 1
Backup server
Tunnel2
Spoke 2
Spoke 1
Eth1/2
Tunnel1
Tunnel2
Spoke 3
Eth1/2
Site 2
IP address
192.168.1.1/24
10.0.1.1/24
10.0.2.1/24
192.168.1.2/24
10.0.1.2/24
10.0.2.2/24
192.168.1.22/24
192.168.1.33//24
192.168.1.11/24
Site 3
Device
Spoke 1
Spoke 2
Spoke 3
Interface
Eth1/1
Eth1/2
Tunnel1
Eth1/1
Eth1/2
Tunnel1
Tunnel2
Eth1/1
Eth1/2
Tunnel2
Configuration procedure
1)
Configure AAA
<MainServer> system-view
IP address
192.168.1.3/24
10.0.3.1/24
10.0.1.3/24
192.168.1.4/24
10.0.4.1/24
10.0.1.4/24
10.0.2.4/24
192.168.1.5/24
10.0.5.1/24
10.0.2.3/24
2)
Except for the listening IP address configuration, the configurations for the secondary VAM server are
the same as those for the primary VAM server and are thus omitted.
3)
Configure Hub 1
<Hub1> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 456
1-21
Configure OSPF
1-22
4)
Configure Hub 2
<Hub2> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 456
1-23
Configure OSPF
5)
Configure Spoke 1
<Spoke1> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
Configure OSPF
6)
Configure Spoke 2
<Spoke2> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 456
1-26
Configure OSPF
7)
Configure Spoke 3
<Spoke3> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 456
1-27
[Spoke3-ipsec-profile-vamp] quit
z
Configure OSPF
8)
# Display the address mapping information of all VAM clients registered with the primary VAM server
(main).
[MainServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip
Public-ip
10.0.1.1
192.168.1.1
Hub
Type
0H 52M 7S
Holding time
10.0.1.2
192.168.1.2
Hub
0H 47M 31S
10.0.1.3
192.168.1.3
Spoke
0H 28M 25S
10.0.1.4
192.168.1.4
Spoke
0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip
Public-ip
Type
Holding time
10.0.2.1
192.168.1.1
Hub
0H 51M 44S
10.0.2.2
192.168.1.2
Hub
0H 46M 45S
10.0.2.3
192.168.1.5
Spoke
0H 11M 25S
10.0.2.4
192.168.1.4
Spoke
0H 18M 32S
# Display the address mapping information of all VAM clients registered with the secondary VAM
server (backup).
[BackupServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip
Public-ip
Type
Holding time
10.0.1.1
192.168.1.1
Hub
0H 55M 3S
10.0.1.2
192.168.1.2
Hub
0H 50M 30S
1-28
10.0.1.3
192.168.1.3
Spoke
0H 31M 24S
10.0.1.4
192.168.1.4
Spoke
0H 22M 15S
VPN name: 2
Total address-map number: 4
Private-ip
Public-ip
Type
Holding time
10.0.2.1
192.168.1.1
Hub
0H 54M 43S
10.0.2.2
192.168.1.2
Hub
0H 49M 44S
10.0.2.3
192.168.1.5
Spoke
0H 14M 24S
10.0.2.4
192.168.1.4
Spoke
0H 21M 32S
The above output indicates that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their
address mapping information with the VAM servers.
# Display the DVPN tunnel information of Hub 1.
[Hub1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP:
10.0.1.2
Public IP:
192.168.1.2
Session type:
Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP:
10.0.1.3
Public IP:
192.168.1.3
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 8m 7s
Input: 164 packets, 163 data packets, 1 control packets
54 multicasts, 0 errors
Output: 77 packets, 76 data packets, 1 control packets
55 multicasts, 0 errors
Private IP:
10.0.1.4
Public IP:
192.168.1.4
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 27m 13s
Input: 174 packets, 167 data packets, 7 control packets
160 multicasts, 0 errors
Output: 172 packets, 171 data packets, 1 control packets
165 multicasts, 0 errors
10.0.2.2
Public IP:
192.168.1.2
Session type:
Hub-Hub
1-29
State: SUCCESS
Holding time: 0h 12m 10s
Input: 183 packets, 182 data packets, 1 control packets
0 multicasts, 0 errors
Output: 186 packets, 185 data packets, 1 control packets
155 multicasts, 0 errors
Private IP:
10.0.2.4
Public IP:
192.168.1.4
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 26m 39s
Input: 174 packets, 169 data packets, 5 control packets
162 multicasts, 0 errors
Output: 173 packets, 172 data packets, 1 control packets
167 multicasts, 0 errors
Private IP:
10.0.2.3
Public IP:
192.168.1.5
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 19m 30s
Input: 130 packets, 127 data packets, 3 control packets
120 multicasts, 0 errors
Output: 127 packets, 126 data packets, 1 control packets
119 multicasts, 0 errors
In VPN 1, Hub 1 has established a permenent tunnel with Hub 2, Spoke 1, and Spoke 2
respectively.
In VPN 2, Hub 1 has established a permenent tunnel with Hub 2, Spoke 2, and Spoke 3
respectively.
10.0.1.1
Public IP:
192.168.1.1
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 1h 1m 22s
Input: 381 packets, 380 data packets, 1 control packets
374 multicasts, 0 errors
Output: 384 packets, 376 data packets, 8 control packets
369 multicasts, 0 errors
Private IP:
10.0.1.2
Public IP:
192.168.1.2
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 1 control packets
1-30
10.0.2.1
Public IP:
192.168.1.1
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 2m 47s
Input: 383 packets, 382 data packets, 1 control packets
377 multicasts, 0 errors
Output: 385 packets, 379 data packets, 6 control packets
372 multicasts, 0 errors
Private IP:
10.0.2.2
Public IP:
192.168.1.2
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
The above information indicates that Spoke 2 has established a permenent Hub-Spoke tunnel with
Hub 1 and Hub 2 respectively in both VPN 1 and VPN 2.
The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.
# On Spoke 2, ping private address 10.0.5.1 of Spoke 3.
[Spoke2] ping 10.0.5.1
PING 10.0.5.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms
Private IP:
10.0.2.1
Public IP:
192.168.1.1
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
1-31
Private IP:
10.0.2.2
Public IP:
192.168.1.2
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
Private IP:
10.0.2.3
Public IP:
192.168.1.5
Session type:
Spoke-Spoke
State: SUCCESS
Holding time: 0h 0m 0s
Input: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
The above information indicates that a Spoke-Spoke tunnel has been established dynamically
between Spoke 2 and Spoke 3.
In the Hub-Spoke networks shown in Figure 1-7, data is forwarded along Hub-Spoke tunnels. The
primary and secondary VAM servers (the main and backup servers in the following figure)
manage and maintain information about the nodes. The AAA server takes charge of VAM client
authentication and accounting. With each being the backup of the other, the two Hubs perform
data forwarding and routing information exchange.
1-32
Hub 2
Eth1/1
Tunnel1
Eth1/1
Tunnel1
AAA server
IP network
Eth1/1
Main server
Eth1/1
Tunnel1
Eth1/1
Tunnel1
Eth1/1
Backup server
Eth1/2
Spoke 1
Site 1
Site 1
Device
Hub 1
Hub 2
Main server
Backup server
AAA server
Interface
Eth1/1
Tunnel1
Eth1/1
Tunnel1
Eth1/1
Eth1/1
Spoke 2
IP address
192.168.1.1/24
10.0.1.1/24
192.168.1.2/24
10.0.1.2/24
192.168.1.22/24
192.168.1.33//24
192.168.1.11/24
Device
Spoke 1
Spoke 2
Interface
Eth1/1
Eth1/2
Tunnel1
Eth1/1
Eth1/2
Tunnel1
Configuration procedure
1)
Configure AAA.
<MainServer> system-view
1-33
IP address
192.168.1.3/24
10.0.2.1/24
10.0.1.3/24
192.168.1.4/24
10.0.3.1/24
10.0.1.4/24
2)
Except for the listening IP address configuration, the configurations for the secondary VAM server are
the same as those for the primary VAM server and are thus omitted.
3)
Configure Hub 1
<Hub1> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
1-34
Configure OSPF
4)
Configure Hub 2
<Hub2> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
1-35
[Hub2-ipsec-profile-vamp] quit
z
Configure OSPF
5)
Configure Spoke 1
<Spoke1> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
1-36
Configure OSPF
6)
Configure Spoke 2
<Spoke2> system-view
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
Configure OSPF
7)
# Display the address mapping information of all VAM clients registered with the primary VAM server
(main).
[MainServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip
Public-ip
Type
Holding time
10.0.1.1
192.168.1.1
Hub
0H 7M 35S
10.0.1.2
192.168.1.2
Hub
0H 13M 8S
10.0.1.3
192.168.1.3
Spoke
0H 3M 58S
10.0.1.4
192.168.1.4
Spoke
0H 0M 29S
# Display the address mapping information of all VAM clients registered with the secondary VAM
server (backup).
[BackupServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
1-38
Private-ip
Public-ip
Type
Holding time
10.0.1.1
192.168.1.1
Hub
0H 8M 46S
10.0.1.2
192.168.1.2
Hub
0H 14M 58S
10.0.1.3
192.168.1.3
Spoke
0H 5M 9S
10.0.1.4
192.168.1.4
Spoke
0H 1M 40S
The above output indicates that Hub 1, Hub 2, Spoke 1, and Spoke 2 all have registered their address
mapping information with the VAM servers.
# Display the DVPN tunnel information of Hub 1.
[Hub1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP:
10.0.1.2
Public IP:
192.168.1.2
Session type:
Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP:
10.0.1.3
Public IP:
192.168.1.3
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 4m 32s
Input: 36 packets, 18 data packets, 18 control packets
10 multicasts, 0 errors
Output: 35 packets, 17 data packets, 18 control packets
11 multicasts, 0 errors
Private IP:
10.0.1.4
Public IP:
192.168.1.4
Session type:
Hub-Spoke
State: SUCCESS
Holding time: 0h 3m 15s
Input: 20 packets, 0 data packets, 20 control packets
0 multicasts, 0 errors
Output: 20 packets, 6 data packets, 14 control packets
6 multicasts, 0 errors
The above information indicates that in VPN 1, Hub 1 has established a permenent tunnel with Hub 2,
Spoke 1, and Spoke 2 respectively. The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 1.
[Spoke1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 2
Private IP:
10.0.1.1
Public IP:
192.168.1.1
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 1h 1m 22s
1-39
Private IP:
10.0.1.2
Public IP:
192.168.1.2
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 1 control packets
230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 7 control packets
224 multicasts, 0 errors
The above information indicates that in VPN 1, Spoke 1 has established a permenent Hub-Spoke
tunnel with Hub 1 and Hub 2 respectively. The DVPN tunnel information of Spoke 2 is similar to that of
Spoke 1.
# On Spoke 1, ping private address 10.0.3.1 of Spoke 2.
[Spoke1] ping 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=254 time=54 ms
Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=254 time=37 ms
--- 10.0.3.1 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/21/54 ms
Private IP:
10.0.2.1
Public IP:
192.168.1.1
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 6 control packets
430 multicasts, 0 errors
Private IP:
10.0.2.2
Public IP:
192.168.1.2
Session type:
Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
1-40
The above information indicates that Spoke 1 and Spoke 2 have no dynamic Spoke-Spoke tunnel
established between them, and they exchange data through the Hub.
1-41
GRE Configuration
Support for some features on the MSR series is shown below:
Feature
GRE-IPSec tunnel application
MSR 900
Yes
MSR 20-1X
Yes
MSR 20
Yes
MSR 30
Yes
MSR 50
Yes
Support for some commands may vary with device models. For relevant information, refer to the
corresponding command manual.
The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring GRE, go to these sections for information you are interested in:
z
GRE Overview
Troubleshooting GRE
GRE Overview
Introduction to GRE
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the
packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for
example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.
A GER tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are
encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 2-1 depicts the
encapsulation and de-encapsulation processes.
Figure 2-1 X protocol networks interconnected through the GRE tunnel
2-1
The following takes the network shown in Figure 2-1 as an example to describe how an X protocol
packet traverses the IP network through a GRE tunnel.
Encapsulation process
1)
After receiving an X protocol packet through the interface connected to Group 1, Router A submits
it to the X protocol for processing.
2)
The X protocol checks the destination address field in the packet header to determine how to
route the packet.
3)
If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface.
4)
Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet. Then, the system
encapsulates the packet in an IP packet and forwards the IP packet based on its destination
address and the routing table.
As an example, Figure 2-3 shows the format of an X packet encapsulated for transmission over an IP
tunnel.
Figure 2-3 Format of an X packet encapsulated for transmission over an IP tunnel
Passenger protocol: Protocol that the payload packet uses, IPX in the example.
Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that is, GRE.
Delivery or transport protocol: Protocol used to encapsulate the GRE packet and then forward the
packet to the other end of the tunnel, IP in this example.
Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over
IPv6.
De-encapsulation process
De-encapsulation is the reverse process of encapsulation:
1)
Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.
2-2
2)
If the destination is itself, Router B strips off the IP header of the packet and submits the resulting
packet to the GRE protocol.
3)
The GRE protocol checks the key, checksum and sequence number in the packet, and then strips
off the GRE header and submits the payload to the X protocol for forwarding.
Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting
increase in data volumes will degrade the forwarding efficiency for the GRE-enabled device to some
extent.
If the Key Present field of a GRE packet header is set to 1, the Key field will carry the key for the
receiver to authenticate the source of the packet. This key must be the same at both ends of a
tunnel. Otherwise, packets delivered over the tunnel will be discarded.
If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid
information. The sender calculates the checksum for the GRE header and the payload and sends
the packet containing the checksum to the peer. The receiver calculates the checksum for the
received packet and compares it with that carried in the packet. If the checksums are the same,
the receiver considers the packet intact and continues to process the packet. Otherwise, the
receiver discards the packet.
GRE Applications
GRE supports these types of applications:
z
2-3
In the example shown in Figure 2-4, Group 1 and Group 2 are local networks running Novell IPX, and
Team 1 and Team 2 are local networks running IP. Through the GRE tunnel between Router A and
Router B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2. They
will not interfere with each other.
When the hop count between two terminals exceeds 15, the terminals cannot communicate with each
other. Using GRE, you can hide some hops so as to enlarge the scope of the network.
2-4
In the example as shown in Figure 2-6, Group 1 and Group 2 running Novell IPX are deployed in
different cities. They can constitute a trans-WAN virtual private network (VPN) through the tunnel.
GRE can work with IPsec, allowing data packets like routing protocol, voice, and video packets to be
encapsulated by GRE and then encrypted by IPsec to improve security of data transmission in a
tunnel.
Support for the cooperation of GRE and IPsec depends on the device model.
Configuration Procedure
Follow these steps to configure a GRE over IPv4 tunnel:
To do
Enter system view
Remarks
Required
2-5
Required
Configure an IPv4 address for the
tunnel interface
mask-length }
source { ip-address |
interface-type interface-number }
destination ip-address
Optional
keepalive [ seconds [ times ] ]
Disabled by default
of transmission attempts
Enable the GRE packet checksum
function
Optional
gre checksum
Disabled by default
Optional
By default, no key is configured for
Optional
expediting enable
Disabled by default
Optional
mask
Note that:
2-6
Support for commands expediting enable and expediting subnet depends on the device model.
For details about tunnel interfaces and more configuration commands in a tunnel interface, refer to
Tunneling Configuration in the IP Services Volume. For details about the expedite termination
function, refer to Tunneling Configuration in the IP Services Volume.
The source address and destination address of a tunnel uniquely identify a path. They must be
configured at both ends of the tunnel and the source address at one end must be the destination
address at the other end and vice versa.
Tunnel interfaces using the same encapsulation protocol must have different source addresses
and destination addresses.
If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP
address of the source interface as its source address.
You can enable or disable the checksum function at both ends of the tunnel as needed. If the
checksum function is enabled at the local end but not at the remote end, the local end calculates
the checksum of a packet to be sent but does not check the checksum of a received packet.
Contrarily, if the checksum function is enabled at the remote end but not at the local end, the local
end checks the checksum of a received packet but does not calculate the checksum of a packet to
be sent.
When configuring a route through the tunnel, you can configure a static route, using the address of
the network segment that the original packet is destined for as its destination address and the
address of the peer tunnel interface as its next hop. Or, you can enable a dynamic routing protocol
on both the tunnel interface and the router interface connecting the private network, so that the
dynamic routing protocol can establish a routing entry that allows the tunnel to forward packets
through the tunnel. It is not allowed to set up a static route whose destination address is in the
subnet of the tunnel interface.
Configuration Procedure
Follow these steps to configure a GRE over IPv6 tunnel:
To do
Enter system view
Enable the IPv6 packet forwarding
function
Remarks
Required
ipv6
Disabled by default
Required
2-7
Required
Configure an IPv4 address for the
tunnel interface
mask-length }
source { ipv6-address |
interface-type interface-number }
destination ipv6-address
Optional
encapsulation-limit [ number ]
4 by default
Optional
gre checksum
Disabled by default
Optional
By default, no key is configured for
Note that:
z
For information about commands interface tunnel, tunnel-protocol, source, destination, and
encapsulation-limit, refer to Tunneling Commands in the IP Services Volume.
For details about tunnel interfaces and more configuration commands in a tunnel interface, refer to
Tunneling Configuration in the IP Services Volume.
If you delete a tunnel interface, the functions configured on this tunnel interface will be removed as
well.
2-8
The source address and destination address of a tunnel uniquely identify a path. They must be
configured at both ends of the tunnel and the source address at one end must be the destination
address at the other end and vice versa.
Tunnel interfaces using the same encapsulation protocol must have different source addresses
and destination addresses.
If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP
address of the source interface as its source address.
You can enable or disable the checksum function at both ends of the tunnel as needed. If the
checksum function is enabled at the local end but not at the remote end, the local end calculates
the checksum of a packet to be sent but does not check the checksum of a received packet.
Contrarily, if the checksum function is enabled at the remote end but not at the local end, the local
end checks the checksum of a received packet but does not calculate the checksum of a packet to
be sent.
When configuring a route through the tunnel, you can configure a static route, using the address of
the network segment the original packet is destined for as its destination address and the address
of the peer tunnel interface as its next hop. Or, you can enable a dynamic routing protocol on both
the tunnel interface and the router interface connecting the private network, so that the dynamic
routing protocol can establish a routing entry that allows the tunnel to forward packets through the
tunnel. It is not allowed to set up a static route whose destination address is in the subnet of the
tunnel interface.
[ number ]
tunnel interface
[ number ] [ verbose ]
Remarks
Support for the display ipv6 interface tunnel command depends on the device model.
For information about commands display interface tunnel and display ipv6 interface tunnel,
refer to Tunneling Commands in the IP Services Volume.
2-9
Figure 2-8 Network diagram for a GRE over IPv4 tunnel (on routers)
Configuration procedure
Before the configuration, make sure that Router A and Router B are reachable to each other.
1)
Configure Router A
# Configure an IPv4 address for interface Serial 2/0, the physical interface of the tunnel.
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 1.1.1.1 255.255.255.0
[RouterA-Serial2/0] quit
# Configure the source address of interface Tunnel 0 to be the IP address of Serial 2/0.
[RouterA-Tunnel0] source 1.1.1.1
# Configure the destination address of interface Tunnel 0 to be the IP address of Serial 2/1 on Router
B.
[RouterA-Tunnel0] destination 2.2.2.2
[RouterA-Tunnel0] quit
2)
Configure Router B
# Configure an IPv4 address for interface Serial 2/1, the physical interface of the tunnel.
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address 2.2.2.2 255.255.255.0
2-10
[RouterB-Serial2/1] quit
# Configure the source address of interface Tunnel 0 to be the IP address of interface Serial 2/1.
[RouterB-Tunnel0] source 2.2.2.2
# Configure the destination address of interface Tunnel 0 to be the IP address of interface Serial 2/0 on
Router A.
[RouterB-Tunnel0] destination 1.1.1.1
[RouterB-Tunnel0] quit
3)
# After the above configuration, display the tunnel infterface status on Router A and Router B
respectively.
[RouterA] display interface tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel keepalive disabled
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
10 packets input, 840 bytes
0 input error
10 packets output, 840 bytes
0 output error
[RouterB] display interface tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 10.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel keepalive disabled
Tunnel protocol/transport GRE/IP
GRE key disabled
2-11
# From Router B, you can ping the IP address of Ethernet 1/1 on Router A.
[RouterB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
Configuration procedure
Before the configuration, make sure that Switch A and Switch B are reachable to each other.
1)
Configure Switch A
2-12
# Configure an IPv4 address for interface Ethernet 1/2, the physical interface of the tunnel.
[SwitchA] vlan 101
[SwitchA-vlan101] port ethernet 1/2
[SwitchA-vlan101] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ip address 1.1.1.1 255.255.255.0
[SwitchA-Vlan-interface101] quit
# Configure the source address of interface Tunnel 1 to be the IP address of the VLAN interface of
interface Ethernet 1/2.
[SwitchA-Tunnel1] source vlan-interface 101
# Configure the destination address for interface Tunnel 1 (IP address of the VLAN interface to which
Ethernet 1/2 of Switch B belongs).
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
2)
Configure Switch B
# Configure an IPv4 address for interface Ethernet 1/2, the physical interface of the tunnel.
[SwitchB] vlan 101
2-13
# Configure the source address for interface Tunnel 1 (IP address of the VLAN interface to which
Ethernet 1/2 belongs).
[SwitchB-Tunnel1] source vlan-interface 101
# Configure the destination address for interface Tunnel 1 (IP address of the VLAN interface to which
Ethernet 1/2 of Switch A belongs).
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] quit
3)
# After the above configuration, view the tunnel interface status on Switch A and Switch B respectively.
[SwitchA] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 1476
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID is 1.
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel keepalive disabled
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
2-14
# From Switch B, you can ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
2-15
Figure 2-10 Network diagram for a GRE over IPv6 tunnel (on routers)
Configuration procedure
Before the configuration, make sure that Router A and Router B are reachable to each other.
1)
Configure Router A
<RouterA> system-view
# Enable IPv6.
[RouterA] ipv6
# Configure an IPv6 address for interface Serial 2/0, the physical interface of the tunnel.
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2002::1:1 64
[RouterA-Serial2/0] quit
# Configure the source address of interface Tunnel 0 to be the IP address of interface Serial 2/0.
[RouterA-Tunnel0] source 2002::1:1
# Configure the destination address of interface Tunnel 0 to be the IP address of interface Serial 2/1 on
Router B).
[RouterA-Tunnel0] destination 2002::2:1
[RouterA-Tunnel0] quit
2)
Configure Router B
<RouterB> system-view
# Enable IPv6.
[RouterB] ipv6
2-16
# Configure an IPv6 address for interface Serial 2/1, the physical interface of the tunnel).
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2002::2:1 64
[RouterB-Serial2/1] quit
# Configure the source address of interface Tunnel 0 to be the IP address of interface Serial 2/1.
[RouterB-Tunnel0] source 2002::2:1
# Configure the destination address of interface Tunnel 0 to be the IP address of interface Serial 2/0 on
Router A.
[RouterB-Tunnel0] destination 2002::1:1
[RouterB-Tunnel0] quit
3)
# After the above configuration, display the tunnel infterface status on Router A and Router B
respectively.
[RouterA] display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1456
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 2002::1:1, destination 2002::2:1
Tunnel protocol/transport GRE/IPv6
GRE key disabled
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
10 packets input, 840 bytes
0 input error
10 packets output, 840 bytes
0 output error
[RouterB] display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1456
Internet Address is 10.1.2.2/24 Primary
2-17
# From Router B, you can ping the IP address of Ethernet 1/1 on Router A.
[RouterB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
Configuration procedure
Before the configuration, make sure that Switch A and Switch B are reachable to each other.
2-18
1)
Configure Switch A
<SwitchA> system-view
# Enable IPv6.
[SwitchA] ipv6
# Configure the source address of interface Tunnel 0 to be the IP address of interface VLAN-interface
100.
[SwitchA-Tunnel0] source 2002::1:1
2)
Configure Switch B
<SwitchB> system-view
# Enable IPv6.
[SwitchB] ipv6
2-19
# Configure the source address of interface Tunnel 0 to be the IP address of interface VLAN-interface
101.
[SwitchB-Tunnel0] source 2002::2:1
3)
# After the above configuration, view the tunnel interface status on Switch A and Switch B respectively.
[SwitchA] display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1456
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID is 1.
2-20
# From Switch B, you can ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
2-21
Troubleshooting GRE
The key to configuring GRE is to keep the configurations consistent. Most faults can be located by
using the debugging gre or debugging tunnel command. This section analyzes one type of fault for
illustration, with the scenario shown in Figure 2-12.
Figure 2-12 Troubleshoot GRE
Symptom: The interfaces at both ends of the tunnel are configured correctly and can ping each other,
but Host A and Host B cannot ping each other.
Solution:
z
On Router A and Router C, execute the display ip routing-table command in any view
respectively. On Router A, observe whether there is a route from Router A through Tunnel 0 to
10.2.0.0/16. On Router C, observe whether there is a route from Router C through Tunnel 0 to
10.1.0.0/16.
If an expected static route is missing, use the route-static command in system view to configure.
For example, configure a static route on Router A as follows:
2-22
L2TP Configuration
Support for some commands may vary with device models. For relevant information, refer to the
corresponding command manual.
The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring L2TP, go to these sections for information you are interested in:
z
L2TP Overview
Troubleshooting L2TP
The term router and the router icon in this document refer to a router in a generic sense or a Layer 3
switch.
L2TP Overview
This section covers these topics:
z
Introduction
L2TP Features
Introduction
A virtual private dial-up network (VPDN) is a virtual private network (VPN) that utilizes the dial-up
function of public networks such as ISDN or PSTN networks to provide access services for enterprises,
small Internet service providers (ISPs), and telecommuters. VPDN provides an economical and
effective, point-to-point way for remote users to connect to their home LANs.
The VPDN technology uses a specialized network communication protocol to build secure VPNs
across public networks for enterprises. Branches away from the headquarters and staff on business
3-1
can remotely access the Intranet resources in the headquarters through a virtual tunnel over public
networks, while other users on the public networks cannot.
A VPDN tunnel can be NAS-initiated or client-initiated:
z
NAS-initiated VPDN tunnel. The network access server (NAS) connects a users PPP connection
to the corporate VPDN gateway through a VPDN tunneling protocol, establishing a tunnel with the
VPDN gateway. The tunneling is transparent to users. A user only needs to perform login
operation once to access the enterprise network, which authenticates the user and assigns the
user a private IP address, eliminating the necessity of the user for a public address. This mode
requires that the NAS support VPDN and the authentication system support VPDN attributes.
Client-initiated VPDN tunnel. A user accesses the Internet first, and then establishes a tunnel with
the VPDN gateway through a piece of dedicated client software, such as the L2TP client offered
by Windows 2000. In this mode, a user can access the enterprise network anytime from any place,
without the involvement of any ISP. However, users must install dedicated software, which means
that they must use platforms supporting L2TP client. Usually, Windows 2000 platform is used.
Remote system
A remote system is usually the host of a remote user or the routing device of a remote branch that
needs to access the VPDN network.
z
LAC
An L2TP access concentrator (LAC) is a device that is attached to a packet-switched network and has
a PPP end system and the L2TP capability. An LAC is usually a NAS located at a local ISP, which
provides access services mainly for PPP users.
3-2
An LAC lies between an LNS and a remote system. Upon receiving a packet from a remote system, it
encapsulates the packet by using L2TP and sends the resulting packet to the LNS. Upon receiving a
packet from an LNS, it de-encapsulates the packet and sends it to the intended remote system.
Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used
in a VPDN application.
z
LNS
An L2TP network server (LNS) is a device providing the L2TP server side services on a PPP end
system. It is usually an edge device of an enterprise network.
As an end system of an L2TP tunnel, an LNS is the peer of an LAC. It is the logical termination point of
a PPP session that is tunneled by the LAC. That is, with L2TP, the logical termination point of a PPP
session is moved from an LAC to an LNS, which resides on the enterprise network.
L2TP architecture
Figure 3-2 shows the relationship between the PPP frame, control channel, and data channel. PPP
frames are transferred over the unreliable L2TP data channels, while control messages are transferred
within the reliable L2TP control channels.
Figure 3-2 L2TP architecture
Figure 3-3 depicts the encapsulation structure of an L2TP data packet between the LAC and the LNS.
Usually, L2TP data is transferred in the form of User Data Protocol (UDP) packets. The well-known
UDP port for L2TP is 1701, which is only used in the initial tunnel creation stage. The L2TP tunnel
initiator selects an idle port (which may not be 1701) to send a packet to port 1701 of the receiver. After
receiving the packet, the receiver also selects an idle port (which may not be 1701 either) to return a
3-3
packet to the specified port of the initiator. From then on, the two parties use the negotiated ports to
communicate until the tunnel is disconnected.
Multiple L2TP tunnels can be established between an LNS and an LAC. A tunnel consists of a control
connection and one or more sessions. A session can be set up only after the tunnel is created. A
session corresponds to one PPP data stream between the LAC and the LNS.
Both control messages and PPP frames are transferred on the tunnel. L2TP uses Hello packets to
check the connectivity of a tunnel. The LAC and LNS regularly send Hello packets to each other. If no
response packet is received in a certain period of time, the tunnel is torn down.
Control messages are intended for establishment and maintenance of tunnels and sessions and
for transmission control. Control messages are transmitted over a reliable channel, which
supports flow control and congestion control.
Data messages are intended to encapsulate PPP frames to be tunneled. Data messages are
transmitted over an unreliable channel without flow control, congestion control, and
retransmission mechanisms.
Control messages and data messages share the same header structure. An L2TP header contains a
tunnel ID and a session ID, which are used to identify the tunnel and session respectively. Packets with
the same tunnel ID but different session IDs are multiplexed to the same tunnel. The tunnel ID and
session ID in a header are those of the intended receiver, not the sender.
NAS-initiated
In this mode, a remote system dials in the LAC through a PPPoE/ISDN network, and the LAC initiates
a tunneling request to the LNS over the Internet, as shown in Figure 3-4. The LNS will assign the
remote system a private IP address. Authentication and accounting of remote systems can be
implemented on the LAC or on the LNS.
Figure 3-4 NAS-initiated tunnel mode
Client-initiated
3-4
In this mode, after being permitted to access the Internet, a remote system running the L2TP client
application (LAC client) initiates a tunneling request to the LNS directly without any dedicated LAC
device. The LNS will assign the LAC client a private IP address.
In this mode, a LAC client needs a public network address in order to communicate with the LNS
through the Internet.
Figure 3-5 Client-initiated tunnel mode
Figure 3-7 depicts the setup procedure of an L2TP call in NAS-initiated mode.
3-5
3)
4)
The LAC authenticates the remote user using the Password Authentication Protocol (PAP) or
Challenge Handshake Authentication Protocol (CHAP).
5)
The LAC sends the authentication information (the username and password) to its RADIUS server
for authentication.
6)
7)
If the user passes authentication, the LAC initiates a tunneling request to the LNS.
8)
If authentication of the tunnel is required, the LAC sends a CHAP challenge to the LNS. The LNS
returns a CHAP response and sends its CHAP challenge to the LAC. Accordingly, the LAC returns
a CHAP response to the LNS.
9)
10) The LAC sends the CHAP response, response identifier, and PPP negotiation parameters of the
user to the LNS.
11) The LNS sends an access request to its RADIUS server for authentication.
12) The RADIUS server authenticates the access request and returns a response if the user passes
authentication.
13) If the LNS is configured to perform a mandatory CHAP authentication of the user, the LNS sends
a CHAP challenge to the user and the user returns a CHAP response.
14) The LNS resends the access request to its RADIUS server for authentication.
15) The RADIUS server authenticates the access request and returns a response if the user passes
authentication.
16) The LNS assigns an internal IP address to the remote user. Now, the user can access the internal
resources of the enterprise network.
3-6
L2TP Features
1)
L2TP itself does not provide security for connections. However, it has all the security features of PPP
for it allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to guarantee
data security, making tunneled data more resistant to attacks. In addition, tunnel encryption,
end-to-end data encryption, and end-to-end application-layer data encryption technologies can be
used together with L2TP for higher data security as required.
2)
Multi-protocol transmission
L2TP tunnels PPP frames, which can be used to encapsulate packets of multiple network layer
protocols.
3)
RADIUS authentication
An LAC and LNS can send the username and password of a remote user to a RADIUS server for
authentication.
4)
An LNS can reside behind the firewall of a corporate network, dynamically allocating private addresses
to remote users and managing the corporate private addresses (RFC 1918). This facilitates address
management and improves security.
5)
Accounting flexibility
Accounting can be carried out on the LAC and LNS simultaneously, allowing bills to be generated on
the ISP side and charging and auditing to take place on the enterprise gateway. L2TP can provide
such accounting data as statistics on inbound and outbound traffic (in packets and bytes) and
connection start time and end time. All these enable flexible accounting.
6)
Reliability
L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can
establish a new one with a secondary LNS, enhancing the reliability and fault tolerance of VPN
services.
Remarks
Enable L2TP
Configuring Basic L2TP
Capability
3-7
Required
Configuring an LNS
Required
Optional
Required
Required
Configuring the Local Address and the Address Pool for Allocation
Required
Required
Optional
Optional
Optional
Optional
Connection Parameters
Optional
system-view
Enable L2TP
l2tp enable
Remarks
Required
Disabled by default
Required
l2tp-group group-number
By default, no L2TP group exists.
3-8
Optional
Specify the local name of the
tunnel
Configuring an LAC
An LAC is responsible to establish tunnels with corresponding LNSs for users and sends user packets
to LNSs through the tunnels. Before configuring an LAC, you need to enable L2TP and create an L2TP
group.
Remarks
system-view
l2tp-group group-number
Required
fullusername user-name }
Up to five LNSs can be configured. The LAC initiates an L2TP tunneling request to its specified LNSs
one by one in their configuration order until it receives an acknowledgement from an LNS, which
becomes the tunnel peer.
Remarks
system-view
l2tp-group group-number
3-9
Optional
Specify that AVP data be
transferred in hidden mode
tunnel avp-hidden
With local AAA authentication, you need to create a local user and configure a password for each
remote user on the LAC. The LAC will authenticate a remote user by matching the provided
username and password against those configured locally.
With remote AAA authentication, you need to configure the username and password of each user
on the RADIUS/HWTACACS server. The LAC will send the username and password of a remote
user to the server for identity authentication.
Follow these steps to configure the local authentication, authorization, and accounting:
To do
Enter system view
Create a local user and enter its
view
Remarks
system-view
local-user username
Required
By default, no local user or
user
password
service-type ppp
Required
quit
domain isp-name
Required
Optional
Local
authentication/authorization/accou
3-10
For successful authentication of users, you also need to perform PPP configurations on the
corresponding interface of the LAC, for example, the asynchronous serial interface connecting
with users. For PPP configuration information, refer to PPP Configuration in the Access Volume.
You need to configure the authentication type of PPP users as PAP or CHAP on the user access
interfaces.
For information about AAA configuration commands and remote AAA authentication method
configuration, refer to AAA Configuration in the Security Volume.
Configuring an LNS
An LNS responds the tunneling requests from an LAC, authenticates users, and assign IP addresses
for users.
Before configuring an LNS, you need to enable L2TP and create an L2TP group.
system-view
interface virtual-template
virtual-template-number
Remarks
Required
By default, no virtual interface
template exists.
Configuring the Local Address and the Address Pool for Allocation
After an L2TP tunnel is set up between an LAC and an LNS, the LNS needs to assign an IP address to
a VPN user. For this purpose, you can specify an IP address directly, or specify an address pool.
Before specifying an address pool, use the ip pool command in system view or ISP domain view to
define the address pool. For a VPN user to be authenticated, an IP address will be selected from the
address pool configured in ISP domain view; for a VPN user not to be authenticated, it will be selected
from the global address pool defined in system view.
For details about the ip pool command, refer to AAA Commands in the Security Volume.
Follow these steps to configure a local address and address pool:
3-11
To do
system-view
interface virtual-template
view
virtual-template-number
Remarks
Required
Optional
By default, no authentication is
isp-name ]
Optional
[ pool-number ] | ip-address }
Remarks
system-view
l2tp-group group-number
Specify the
If the L2TP
virtual interface
group number is
template for
not 1
receiving calls,
the tunnel name
If the L2TP
the domain
group number is
name
1 (the default)
virtual-template-number remote
remote-name [ domain
Required
domain-name ]
virtual-template-number [ remote
incoming calls.
remote-name ] [ domain
domain-name ]
The start l2tp and allow l2tp commands are mutually exclusive. Configuring one of them disables
the other one automatically.
The LAC side tunnel name configured on the LNS must be consistent with the local tunnel name
configured on the LAC.
3-12
Remarks
system-view
l2tp-group group-number
Required
mandatory-chap
When the LNS uses proxy authentication and the user authentication information passed from the
LAC to the LNS is valid: if the authentication type configured on the virtual interface template is
PAP, the proxy authentication succeeds and a session can be established for the user; if the
authentication type configured on the virtual interface template is CHAP but that configured on the
LAC is PAP, the proxy authentication will fail and no session can be set up. This is because the
level of CHAP authentication, which is required by the LNS, is higher than that of PAP
authentication, which the LAC provides.
Some PPP clients may not support re-authentication, in which case LNS side CHAP
authentication will fail.
3-13
Remarks
system-view
l2tp-group group-number
Required
mandatory-lcp
Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual interface
template requires authenticating PPP users.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and
passwords) of VPN users for a second time. If a user passes the AAA authentication, the user can
communicate with the LNS. Otherwise, the L2TP session will be removed.
LNS side AAA configurations are similar to those on an LAC. Refer to Configuring AAA Authentication
of VPN Users on LAC Side for detailed information.
an L2TP group whose tunnel peer name and domain name match, the LNS will establish a session
according to the configuration information of the group. In this way, different sessions will be
established for VPN users of different domains.
Follow these steps to enable the L2TP multi-instance function:
To do
Enter system view
Enable the L2TP multi-instance
function
Remarks
Required
l2tpmoreexam enable
Disabled by default
In L2TP multi-instance applications, if the same remote tunnel name is configured on the LNS for
different L2TP groups, the tunnel authentication settings must also be the same respectively.
Otherwise, the expected tunnels and sessions cannot be established because the tunnel
authentication passwords do not match.
system-view
Remarks
Required
By default, an LNS sends ACCM.
Remarks
system-view
l2tp-group group-number
Optional
tunnel authentication
Enabled by default
Required
tunnel authentication
password
You are recommended to enable tunnel authentication for tunnel security. To change the tunnel
authentication password, do so after tearing down the tunnel. Otherwise, your change does not take
effect.
Remarks
system-view
l2tp-group group-number
Optional
60 seconds by default
Remarks
system-view
3-16
l2tp-group group-number
Optional
tunnel flow-control
Disabled by default
Remarks
Remarks
NAS-Initiated VPN
Network requirements
A VPN user accesses the corporate headquarters as follows:
1)
2)
The NAS determines whether the user is a valid VPN client. If so, it initiates a tunneling request to
the LNS.
3)
After a tunnel is set up between the NAS and the LNS, the NAS transfers what it has negotiated
with the VPN user to the LNS.
4)
The LNS decides whether to accept the connection request according to the negotiated results.
5)
The user communicates with the headquarters over the tunnel between the NAS and the LNS.
3-17
Configuration procedure
1)
# Enable L2TP.
[LAC] l2tp enable
2)
# Enable L2TP.
[LNS] l2tp enable
# Create an L2TP group, specify the virtual interface template for receiving calls and specify the name
of the tunnel on the peer.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
3)
In the dial-up network window, enter vpdnuser as the username, Hello as the password.
4)
# After the dial-up connection is established, the user host can get an IP address (192.168.0.2 for
example) and can ping the private IP address of the LNS (192.168.0.1).
# On the LNS, use the display l2tp tunnel command to check the L2TP tunnels established.
[LNS] dis l2tp tunnel
Total tunnel = 1
1.1.2.1
Port
1701
Sessions RemoteName
LAC
# On the LNS, use the display l2tp session command to check the L2TP sessions established.
[LNS] display l2tp session
Total session = 1
729
Client-Initiated VPN
Network requirements
As shown in Figure 3-9, a VPN user accesses the corporate headquarters as follows:
1)
The user first accesses the Internet, and then initiates a tunneling request to the LNS directly.
2)
After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the
VPN user.
3)
The VPN user communicates with the headquarters over the tunnel.
Internet
Eth1/1
1.1.2.2/24
Corporate
network
LNS
VPN user
L2TP tunnel
3-19
Configuration procedure
1)
# Enable L2TP.
[LNS] l2tp enable
# Create an L2TP group and specify the virtual interface template for receiving calls.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
2)
On the user host, create a virtual private network connection by using the Windows system, or install
the L2TP client software (such as WinVPN Client) on the host and connect the host to the Internet in
dial-up mode. The IP address of the user host is 2.1.1.1. Configure a route between the user host and
the LNS (1.1.2.2), and then perform the following configurations (the configuration procedure depends
on the client software):
# Specify the VPN username as vpdnuser and the password as Hello.
# Specify the Internet interface address of the security gateway as the IP address of the LNS. In this
example, the Ethernet interface for the tunnel on the LNS has an IP address of 1.1.2.2.
# Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized
and the authentication mode to CHAP.
3)
# On the user host, initiate the L2TP connection. After the connection is established, the user host can
get the IP address 192.168.0.2 and can ping the private IP address of the LNS (192.168.0.1).
# On the LNS, use the display l2tp session command to check the L2TP session established.
[LNS-l2tp1] display l2tp session
Total session = 1
3-20
647
# On the LNS, use the display l2tp tunnel command to check the L2TP tunnel established.
[LNS-l2tp1] display l2tp tunnel
Total tunnel = 1
2.1.1.1
Port
1701
Sessions RemoteName
l2tpuser
Eth1/3
1.1.1.1/24
Eth1/2
1.1.2.1/24
Eth1/1
1.1.1.2/24
WAN
L2TP tunnel
Eth1/1
1.1.2.2/24
LAC
LNS
Corporate
network 2
Host B
Configuration procedure
1)
In this example, Ethernet 1/1 and Ethernet 1/3 on the LAC are both user access interfaces. The IP
address of Ethernet 1/2 through which the LAC connects to the tunnel is 1.1.2.1, and the IP address of
Ethernet 1/1 through which the LNS connects to the tunnel is 1.1.2.2.
# Create two local users, set the passwords, and enable PPP service.
<LAC> system-view
[LAC] local-user vpdn1
[LAC-luser-vpdn1] password simple 11111
[LAC-luser-vpdn1] service-type ppp
[LAC-luser-vpdn1] quit
[LAC] local-user vpdn2
[LAC-luser-vpdn2] password simple 22222
[LAC-luser-vpdn2] service-type ppp
[LAC-luser-vpdn2] quit
3-21
[LAC-isp-bbb.net] quit
# Configure PPPoE servers on interface Ethernet 1/1 and Ethernet 1/3 respectively.
[LAC] interface ethernet 1/3
[LAC-Ethernet1/3] pppoe-server bind virtual-template 100
[LAC-Ethernet1/3] quit
[LAC] interface ethernet 1/1
[LAC-Ethernet1/1] pppoe-server bind virtual-template 101
[LAC-Ethernet1/1] quit
2)
<LNS> system-view
[LNS] l2tp enable
[LNS] l2tpmoreexam enable
# Create two local users, set the passwords, and enable PPP service.
[LNS] local-user vpdn1
[LNS-luser-vpdn1] password simple 11111
[LNS-luser-vpdn1] service-type ppp
[LNS-luser-vpdn1] quit
[LNS] local-user vpdn2
[LNS-luser-vpdn2] password simple 22222
[LNS-luser-vpdn2] service-type ppp
[LNS-luser-vpdn2] quit
# Specify the IP address of Ethernet 1/1 through which the LNS connects to the tunnel as 1.1.2.2.
[LNS] interface ethernet 1/1
[LNS-Ethernet1/1] ip address 1.1.2.2 255.255.255.0
3-22
[LNS-Ethernet1/1] quit
If RADIUS authentication is required on the LNS, modify the AAA configurations as needed. For AAA
configuration details, refer to AAA Configuration in the Security Volume.
3)
On Host A, enter vpdn1@aaa.net as the username and 11111 as the password in the dial-up
terminal window.
On Host B, enter vpdn2@aaa.net as the username and 22222 as the password in the dial-up
terminal window.
4)
# After Host A establishes a dial-up connection with enterprise 1, Host A gets IP address 10.0.1.10 and
can ping the private address of the LNS (10.0.1.1).
# After Host B establishes a dial-up connection with enterprise 2, Host B gets IP address 10.0.2.10 and
can ping the private address of the LNS (10.0.2.1).
# On the LNS, use the display l2tp session command to check the L2TP sessions established.
[LNS-l2tp1] display l2tp session
Total session = 2
3-23
4351
23914
10923
# On the LNS, use the display l2tp tunnel command to check the L2TP tunnels established.
[LNS-l2tp1] display l2tp tunnel
Total tunnel = 2
LocalTID RemoteTID RemoteAddress
Port
Sessions RemoteName
1.1.2.1
1701
LAC-1
1.1.2.1
1701
LAC-2
Troubleshooting L2TP
The VPN connection setup process is rather complicated. The following presents an analysis of some
common faults occurred in the process. Before troubleshooting the VPN, make sure that the LAC and
LNS are connected properly across the public network.
Symptom 1: Users cannot log in.
Analysis and solution:
Possible reasons for login failure are as follows:
1)
No L2TP group is configured on the LNS (usually a router) to receive calls from the tunnel peer.
For details, refer to the description of the allow command.
Tunnel authentication fails. For successful tunnel authentication, tunnel authentication must be
enabled on both the LAC and LNS and the passwords for tunnel authentication configured on the
two sides must match.
If the tunnel is torn down by force on the local end but the remote end has not received the
notification packet for reasons such as network delay, a new tunnel cannot be set up.
2)
The usernames and/or passwords are incorrectly configured on the LAC or not configured on the
LNS.
The LNS cannot allocate addresses. This may be because the address pool is too small or no
address pool is configured.
The authentication type is inconsistent. For example, if the default authentication type for a VPN
connection created on Windows 2000 is Microsoft Challenge Handshake Authentication Protocol
(MSCHAP) but the remote end does not support MSCHAP, PPP negotiation will fail. In this case,
CHAP is recommended.
Symptom 2: Data transmission fails. A connection is setup but data cannot be transmitted. For
example, the LAC and LNS cannot ping each other.
Analysis and solution:
3-24
The user address is set incorrectly. Usually, the address of a user is allocated by the LNS.
However it can also be set by the user. If the address set by the user is not in the same network
segment as that allocated by the LNS, data transmission fails. It is recommended that addresses
be allocated by the LNS.
4)
Congestion occurs on the Internet backbone and the packet loss ratio is high. L2TP data
transmission is based on UDP, which does not provide the packet error control function. If the line
is not stable, the LAC and LNS may not be able to ping each other and L2TP applications may fail.
3-25
The iNode client (the user host) connects to the LNS device through L2TP. After the client passes
PPP authentication, the CAMS/iMC server issues the isolation ACL to the device, which will then
filter packets from the client using the firewall function.
2)
After the IP Control Protocol (IPCP) negotiation, the CAMS/iMC server notifies its IP address,
which is permitted by the isolation ACL, to the iNode client by way of the device.
3)
The CAMS/iMC server performs EAD authentication and security check for the iNode client. After
the client passes the security authentication, the CAMS/iMC server issues a security ACL to the
device to allow the client to access network resources normally.
Make sure that the ACLs to be assigned by the authentication server have been configured
appropriately on the LNS device. An empty ACL or incorrect ACL rules can cause EAD
authentication failure.
You can configure different ACLs for different hosts. The device filters packets of a host according
to the corresponding ACL.
It is recommended to deploy this function for remote clients across the Internet. For LAN users, it
is recommended to use portal authentication instead.
For information about packet filtering firewall, refer to Firewall Configuration in the Security
Volume.
For information about AAA and RADIUS, refer to AAA Configuration in the Security Volume.
For information about portal, refer to Portal Configuration in the Security Volume.
4-1
Configuration Procedure
Follow these steps to configure the L2TP-based EAD function:
To do
system-view
interface virtual-template
virtual-template-number
Remarks
Required
Required
ppp access-control enable
Disabled by default
ppp access-control
Optional
match-fragments { exactly |
normally }
Remarks
interface-number }
In the public network, the Host communicates with the LNS at Layer 3 through an L2TP tunnel.
Both the security policy server and the RADIUS server are hosted by the CAMS/iMC platform,
whose IP address is 10.110.91.146/24.
The virus and patch server is in the quarantined area, and its IP address is 10.22.2.2/24.
The client agent is in the quarantined area, and its IP address is 10.22.2.1/24.
It is required that the host must pass identity authentication and security authentication to access the
network resources. If the host fails the security authentication, it can access only the virus and patch
server.
4-2
Eth
10 1/1
.11
0.9
1.1
/24
Configuration Procedure
1)
# Configure a RADIUS scheme that uses the CAMS/iMC server, setting the IP address to
10.110.91.146/24, and the keys to sysname.
[Router] radius scheme cams
[Router-radius-cams] server-type extended
[Router-radius-cams] primary authentication 10.110.91.146
[Router-radius-cams] primary accounting 10.110.91.146
[Router-radius-cams] key authentication sysname
[Router-radius-cams] key accounting sysname
[Router-radius-cams] quit
# Configure domain system to use the RADIUS scheme for PPP user authentication and accounting,
and use the IP address pool 10.200.1.0/24 to assign IP addresses to remote hosts.
[Router] domain system
[Router-isp-system] authentication ppp radius-scheme cams
[Router-isp-system] ip pool 1 10.200.1.2 10.200.1.254
[Router-isp-system] quit
4-3
# Configure the IP address of the virtual template interface, enable PAP authentication on this interface,
specify the address pool to be used to assign addresses for PPP users, enable L2TP access based
EAD, and set fragment match mode to exactly.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ip address 10.200.1.1 255.255.255.0
[Router-Virtual-Template1] ppp authentication-mode pap
[Router-Virtual-Template1] remote address pool 1
[Router-Virtual-Template1] ppp access-control enable
[Router-Virtual-Template1] ppp access-control match-fragments exactly
[Router-Virtual-Template1] quit
# Enable L2TP service, configure an L2TP group, configure the local tunnel name as LNS, and disable
tunnel authentication.
[Router] l2tp enable
[Router] l2tp-group 1
[Router-l2tp1] tunnel name LNS
[Router-l2tp1] undo tunnel authentication
[Router-l2tp1] allow l2tp virtual-template 1
[Router-l2tp1] quit
# Enable the firewall function, specify the default filtering action as denying packets, and enable
fragment inspection.
[Router] firewall enable
[Router] firewall default deny
[Router] firewall fragments-inspect
# Configure security ACL 2000, so that users passing security authentication can access the Internet.
[Router] acl number 2000
[Router-acl-basic-2000] rule 0 permit
[Router-acl-basic-2000] quit
# Configure isolation ACL 3000, so that users failing security authentication can access only
quarantine area 10.22.2.0/24.
[Router] acl number 3000
[Router-acl-adv-3000] rule 0 permit ip destination 10.22.2.0 0.0.0.255
2)
Specify ACL 2000 as the security ACL and ACL 3000 as the isolation ACL in the security policy for the
user.
Refer to the related CAMS/iMC documentation for detailed configurations.
4-4
Support for some commands may vary with device models. For relevant information, refer to the
corresponding command manual.
The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring SSL VPN, go to these sections for information you are interested in:
z
4-1
Administrator
Internet
SSL VPN gateway
Internal servers
Remote user
The administrator logs in to the Web interface of the SSL VPN gateway through HTTPS, and then
creates resources corresponding to the internal servers.
3)
The remote user establishes an HTTPS connection with the SSL VPN gateway. The SSL VPN
gateway and the remote user authenticate each other using the certificate-based authentication
function provided by SSL.
4)
After the HTTPS connection is established, the user can try to log in to the Web interface of the
SSL VPN gateway by entering the username, password, and authentication method (RADIUS
authentication, for example). The SSL VPN gateway will verify the user information.
5)
After logging in to the Web interface, the user finds the resources to access on the Web interface
and then sends an access request to the SSL VPN gateway through an SSL connection.
6)
The SSL VPN gateway resolves the request, interacts with the corresponding server, and then
forwards the servers reply to the user.
Specify the SSL server policy to be used by the SSL VPN service. To manage the SSL VPN
gateway or access the internal resources, both administrators and remote users need to log in to
the Web interface of the SSL VPN gateway through HTTPS. Therefore, it is required to specify an
SSL server policy on the SSL VPN gateway so that the gateway can determine the SSL
parameters to be used for providing the SSL VPN service.
Specify the TCP port number to be used by the SSL VPN service. The SSL VPN gateway acts as
the HTTPS server to provide the Web interface for administrators and remote users to log in.
Therefore, you need to specify the TCP port number for providing the HTTPS service.
Enable the SSL VPN service. Administrators and remote users can access the Web interface of
the SSL VPN gateway only after the SSL VPN service is enabled on the gateway.
Configuration Prerequisites
Before configuring SSL VPN, you need to create an SSL server policy. For how to configure an SSL
server policy, refer to SSL Configuration in the Security Volume.
4-2
Remarks
system-view
Required
Specify the SSL server policy
ssl-vpn server-policy
server-policy-name [ port
VPN service
port-number ]
ssl-vpn enable
Disabled by default
The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server,
which is used to issue certificates to the SSL VPN gateway and remote users.
Configuration procedure
4-3
In this example, the Windows Server is used as the CA. You need to install the Simple Certificate
Enrollment Protocol (SCEP) plugin on the CA.
Before the following configurations, make sure that the intended SSL VPN gateway, the CA, and
the host used by the remote user can reach each other, and the CA is enabled with the CA service
and can issue certificates to the device (SSL VPN gateway) and the host.
1)
# Configure a PKI entity named en and specify the common name of the entity as http-server.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server
[Device-pki-entity-en] quit
# Configure a PKI domain named sslvpn, and specify the trusted CA as ca server, the URL of the RA
server as http://10.2.1.1/certsrv/mscep/mscep.dll, registration authority for certificate requesting as
RA, and the entity as en.
[Device] pki domain sslvpn
[Device-pki-domain-sslvpn] ca identifier ca server
[Device-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Device-pki-domain-sslvpn] certificate request from ra
[Device-pki-domain-sslvpn] certificate request entity en
[Device-pki-domain-sslvpn] quit
2)
# Configure an SSL server policy named myssl, and specify the policy to use PKI domain sslvpn.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain sslvpn
[Device-ssl-server-policy-myssl] quit
3)
# Specify the SSL server policy myssl and port 443 (default) for the SSL VPN service.
[Device] ssl-vpn server-policy myssl
4)
On the user host, launch the IE browser and input https://10.1.1.1/svpn/en/index.htm in the address
bar. You should be able to open the Web login interface of the SSL VPN gateway.
4-4
Refer to PKI Commands in the Security Volume for details of PKI configuration commands.
Refer to Public Key Commands in the Security Volume for details of the public-key local create
rsa command.
Refer to SSL Commands in the Security Volume for details of SSL configuration commands.
4-5