All_about_network

l2tp over IPSec scenario

by tnk on May.10, 2009, under Huawei, Networking, Security Links, windows

So this is the long-promised scenario that can be used with Windows XP (even though it is not really user-friendly).

If you need a “PC-client – VPN-concentrator” scenario, Huawei offers you only a one-way ticket, and that is L2TP over IPSec. The alternative would be MPLS over IPSec, which is in theory also a possibility, but I guess it is supported only on high-end boxes. One could ask why use something like L2TP when IPSec provides almost everything by itself. Well, there are some obvious reasons and some not-so-obvious ones. Let's go through them one by one.

  1. Huawei does not provide a software VPN client for a Windows XP box (or any other), so people with Cisco experience can forget about the easy config on the client side (that is especially valid for Stefano ;) ). The only solution is the “dialled connection wizard” from Windows plus a minor change in the Windows registry.
  2. As for IPSec, it is an L3 tunneling protocol, so no service relying on broadcast will work without the help of another encapsulated protocol. If you think that is no issue, remember DHCP (which you definitely want to use if the deployment is on a larger scale): it is not relayed, as there is no client to relay it. That one can be easily overcome with static IPs, but a common network is much more than DHCP; the most common service that needs L2 is Microsoft sharing (actually only the name resolving, but that is enough). And many others…
  3. There is also one serious limitation in standard Windows XP: the dialed client cannot use tunnel mode for IPSec, so the only possibility is transport mode, which is again not so good as the payload is still unencrypted. I am not sure if this has changed in Vista, but my guess would be that it remained the same.

That being said, the prospect seems a bit grim. But hey, you can still be sure the tunnel is secure against man-in-the-middle attacks and that no fiddling with your traffic occurred. If you require encryption of the data itself, you really should use some upper-layer encrypted protocol like SSH, maybe even use it for tunneling, etc. I guess you got the point now.

So that’s for limitations and basics. Now straight to the code.

Important notice: this was done on VRP 3.40, but it should work without problems on VRP 5.X as well.

Step one - creation of the IPSec service (the details of this config are in other articles, so no explanation this time).

#
ike peer 1
pre-shared-key test
remote-address 10.0.0.1
#
ipsec proposal 1
encapsulation-mode transport
#
ipsec policy-template tunnel-1 10
ike-peer 1
proposal 1
#
ipsec policy p 10 isakmp template tunnel-1
#
interface Ethernet2/0
description to PC 1
ip address 10.0.0.2 255.255.255.0
ipsec policy p
#

So that's the IPsec tunnel prepared. Now follows an optional but recommended step: creating a DHCP IP pool for the connecting clients. Ideally you can re-use the pool already set for your LAN, but you may also want your remote connections in a different network, so it is really up to you. I just re-used the pool I had.

#
domain system
ip pool swimming-pool-1 20.0.0.1 20.0.0.100
#

Now it is time for the second step – preparation of L2TP.

First it is important to create a user with a password and service-type ppp, as we will use authentication.

#
local-user test
password simple test
service-type ppp
#

So now that we have a user that can be authenticated, let's create the L2TP service itself.

We have to define a virtual-template interface, which sets what kind of PPP authentication, what IP address and what DHCP pool will be used for the remote clients (if any).

#
interface Virtual-Template 0
ppp authentication-mode chap
ip address 20.0.0.1 255.255.255.0
remote address pool swimming-pool-1
#

Now with our virtual-template interface in place we can finally define L2TP. It is done by binding the virtual-template into an l2tp group.

#
l2tp-group 1
allow l2tp virtual-template 0
#

That's it. If you have done this, you will be able to start a PPP session over the tunnel made of IPSec and get authenticated against the local user database.

That is the router side; on Windows (XP) you need to make some adjustments. The first important thing is to change (or check if you have) a registry key at this location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters

Here change or create a value named ProhibitIpSec; it should be of type REG_DWORD with the value set to 1.

This has to be done as Windows has IPSec disabled by default. Once you have done that you definitely have to reboot so that Windows can reload the network settings. After this tweak you just need to create and configure the virtual connection from the station. To do so, go to the following location: Start/Run/Network Connections/New Connection Wizard.

After you enter the wizard, select these options:

  1. Connect to the network at my workplace
  2. Virtual Private Network Connection
  3. Company Name
  4. Don’t dial the initial connection
  5. VPN Server Selection (IP address 10.0.0.2)

When you finish this basic setup it is time to adjust it to the settings of our server. In the Connect Virtual Private Network Properties change the values as seen in the pictures below.

(screenshot: connection type selection)

After this, change the password in the Security tab as shown below.

(screenshot: password)

And then select CHAP for PPP authentication with the options set like this:

(screenshot: advanced security tab)

Now just check that the tunnel comes up on the router side with the notorious display ike sa and display ipsec sa commands, and if you are getting the right IP address on the client side, you are done.
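The router-side check above only proves the SAs exist; what actually matters is that the L2TP session (UDP 1701) rides inside ESP rather than in the clear. As an added example, not part of the original post, the script below classifies captured IPv4 packets between the post's PC (10.0.0.1) and router (10.0.0.2) and fails the audit if any L2TP is seen outside ESP or NAT-T; the packets are constructed inline.

```python
import struct
from collections import Counter

IPPROTO_ESP, IPPROTO_UDP = 50, 17
IKE_PORT, L2TP_PORT, NATT_PORT = 500, 1701, 4500
PC, ROUTER = "10.0.0.1", "10.0.0.2"   # addresses from the post


def build_ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt):
    """Return 'esp', 'nat-t', 'ike', 'l2tp-clear' or 'other' for one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == IPPROTO_ESP:
        return "esp"                      # L2TP hidden inside ESP: good
    if pkt[9] != IPPROTO_UDP:
        return "other"
    ports = set(struct.unpack("!HH", pkt[ihl:ihl + 4]))
    if NATT_PORT in ports:
        return "nat-t"                    # ESP encapsulated in UDP 4500: good
    if IKE_PORT in ports:
        return "ike"                      # key exchange, expected in the clear
    if L2TP_PORT in ports:
        return "l2tp-clear"               # L2TP without IPSec: the failure case
    return "other"


def audit(packets):
    """Pass only if no clear-text L2TP is seen and some ESP/NAT-T traffic is."""
    counts = Counter(classify(p) for p in packets)
    ok = counts["l2tp-clear"] == 0 and (counts["esp"] + counts["nat-t"]) > 0
    return ok, dict(counts)


# Constructed captures: IKE followed by ESP (correct), and bare L2TP (broken).
GOOD_CAPTURE = [
    build_ipv4(IPPROTO_UDP, PC, ROUTER, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    build_ipv4(IPPROTO_ESP, PC, ROUTER, b"\x00\x00\x00\x01" + b"\x00" * 32),
    build_ipv4(IPPROTO_ESP, ROUTER, PC, b"\x00\x00\x00\x02" + b"\x00" * 32),
]
BAD_CAPTURE = [
    build_ipv4(IPPROTO_UDP, PC, ROUTER, build_udp(L2TP_PORT, L2TP_PORT, b"\xc8\x02" + b"\x00" * 10)),
]
```

On a real client, feed it the IPv4 payloads of a packet capture taken on the Windows NIC while the connection is being established.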

I realize that this is not a very nice solution, especially in comparison with Cisco, but as far as I know it is the only way on low- and mid-end boxes.

3 comments for this entry:
  1. mHuba

    Hi, this configuration doesn't encrypt anything!!!
    The tunnel works without IPSec; you somehow switched off this protocol on Windows ;) by setting the registry value Prohibit Ip Sec = 1!!!!

  2. tnk

    Well, I think you might be right about that value. It seems more logical for it to be set to 0. I dug this from some very old script of mine and probably mixed up the desired and default value :) Thanks for pointing that out, I'll verify it and update the article.

  3. tnk

    OK, so I checked with the Microsoft knowledge base and the thing is like this:
    “When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.”
    which is actually what we need, right?
