AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series Enterprise Routers
Web-based Configuration Examples
5 Implementing WAN Interconnection Through VPN
Networking Requirements
As shown in Figure 5-1, Router_1 is the gateway of an enterprise branch, and Router_2 is the
gateway of the headquarters. Router_1 and Router_2 communicate over the public network.
The enterprise wants to protect traffic transmitted over the public network between the
enterprise branch and headquarters. An IPSec tunnel can be established between the branch
gateway and headquarters gateway to protect data transmitted between them.
[Figure 5-1: IPSec tunnel between the branch (PC_1, 10.1.1.2/24) and the headquarters (PC_2, 10.1.2.2/24)]
Procedure
Step 1 Configure IP addresses for interfaces of Router_1. The configuration of Router_2 is similar to
that of Router_1 and is not described here.
1. Choose WAN Access > Ethernet Interface to access the Ethernet Interface page, as
shown in Figure 5-2.
Step 2 Configure a static route for Router_1. The configuration of Router_2 is similar to that of
Router_1 and is not described here.
1. Choose IP Service > Route > Static Route Configuration to access the Static Route
Configuration page, as shown in Figure 5-4.
2. In IPv4 Static Route Configuration Table, click Create. On the pages shown in Figure
5-5, configure two static routes.
Step 3 Configure IPSec on Router_1. The configuration of Router_2 is similar to that of Router_1
and is not described here.
1. Choose Configuration Wizard > IPSec VPN Configuration Wizard, as shown in
Figure 5-6.
Select Site-to-Site and click Next.
2. Configure the interface to which the IPSec policy is to be applied and the peer device
address and click Next, as shown in Figure 5-7.
3. Enter the source IP address, destination IP address, and wildcard of source and
destination IP addresses based on protected data flows, and click Add. Then click Next,
as shown in Figure 5-8.
4. Configure the pre-shared key, IKE parameters, and IPSec parameters. The configurations
on both ends must be the same. Then click Next, as shown in Figure 5-9.
5. Check the detailed information about the configured IPSec VPN and click Finish. The IPSec
VPN configuration is complete, as shown in Figure 5-10.
# PC_1 and PC_2 can ping each other successfully. If you run the display ipsec statistics esp
command on the router, the counts of encapsulated and decapsulated packets are not 0.
----End
Configuration Notes
- ACLs configured on devices in the headquarters and branch must mirror each other.
- There must be reachable routes between the headquarters and branch.
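
An added example (not from the Huawei guide) of checking the mirror requirement offline before applying the wizard settings on both routers: it normalises each rule's address and wildcard to a network and reports protected flows that have no reversed counterpart on the other side. The rule text form, the function names, and the sample rules are assumptions made for this example; the subnets are the ones in Figure 5-1.

```python
import ipaddress
import re

# Rule shape assumed for this example:
#   rule [id] permit ip source <addr> <wildcard> destination <addr> <wildcard>
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)"
)

def to_network(addr, wildcard):
    """Turn an address plus wildcard mask into a canonical network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # Only contiguous wildcards (0.0.0.255 style) map onto a prefix length.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    prefix = 32 - wc.bit_length()
    # Clear the host bits so 10.1.1.2/0.0.0.255 equals 10.1.1.0/0.0.0.255.
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, prefix))

def flows(acl_text):
    """Return the set of (source, destination) networks an ACL protects."""
    result = set()
    for m in RULE_RE.finditer(acl_text):
        src = to_network(m.group(1), m.group(2))
        dst = to_network(m.group(3), m.group(4))
        result.add((src, dst))
    return result

def mirror_mismatches(local_acl, peer_acl):
    """List flows on one side that lack a reversed counterpart on the other."""
    local, peer = flows(local_acl), flows(peer_acl)
    reversed_peer = {(dst, src) for src, dst in peer}
    return {
        "missing_on_peer": sorted(local - reversed_peer, key=str),
        "missing_on_local": sorted(reversed_peer - local, key=str),
    }

# Constructed sample rules (not taken from a device).
BRANCH = "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
HQ_OK = "rule 5 permit ip source 10.1.2.2 0.0.0.255 destination 10.1.1.2 0.0.0.255"
HQ_BAD = "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.255.255"

if __name__ == "__main__":
    print(mirror_mismatches(BRANCH, HQ_OK))   # both lists empty: mirrored
    print(mirror_mismatches(BRANCH, HQ_BAD))  # /16 on one side, /24 on the other
```
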
5.2 L2TP
Applicable Products
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-11, the geographical positions of employees on a business trip often
change. However, they need to communicate with the headquarters and access the internal
resources in the headquarters at any time. L2TP can be deployed to allow the traveling
employees to dial up to access the headquarters network. In this way, the headquarters
gateway can identify and manage the access users. A PC running the Windows 7 operating
system is used in this example.
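[Figure 5-11: L2TP networking. A mobile user's PC running L2TP dialing software reaches the LNS (GE0/0/1, 1.1.1.1/24) at the enterprise headquarters across the Internet using L2TP encapsulation. Other labels in the figure: PC1, PC2, PC3, VT1, 1.1.2.1/24, 10.1.1.1/24, 10.1.2.2/24.]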
Procedure
Step 1 Configure the LNS.
1. Configure an IP address for the interface.
a. Choose WAN Access > Ethernet Interface to access the Ethernet Interface page,
as shown in Figure 5-12.
b. In IPv4 Static Route Configuration Table, click Create. The Create IPv4 Static
Route Service page shown in Figure 5-15 is displayed.
b. Click Create. The Create User page shown in Figure 5-17 is displayed.
Parameters and choose Create. In the dialog box that is displayed, click DWORD (32
bit) Value. In the dialog box that is displayed, set Value name to ProhibitIpSec and
Value data to 1. Restart the PC after modification is complete.
c. Set Internet address to 1.1.1.1 (the IP address of the LNS) and Destination name
to a name such as L2TP. The destination name is used as the network connection name.
Select Don't connect now; just set it up so I can connect later and then click
Next.
d. Set User name and Password to huawei and Huawei@1234 respectively, and
click Create.
NOTE
e. Click Close.
b. Click the Options tab page and select the following items.
NOTE
You can also click PPP Settings on the page and leave the other options unchanged.
c. Click the Security tab page, retain the default setting for Type of VPN or set it to
Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
Select the following items under Allow these protocols.
NOTE
If you click Advanced settings on the tab page, the IPSec Settings page is displayed for
you to set a pre-shared key for authentication. Do not set a pre-shared key here.
----End
Configuration Notes
- When you configure an L2TP group, tunnel authentication is not supported because
employees access the network using PCs.
- If employees need to access external networks, add their network segments to ACLs and
use NAT to translate their addresses.
- To enable employees to access external network resources using the domain names, you
need to configure the DNS server IP address that the LNS specifies for the peer device in
the VT interface template.