
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring Other L2TP Functions

L2TP provides some other functions to ensure better L2TP services, such as LCP Renegotiation, AVP Parameter Encryption and Tunnel Authentication.

Prerequisites

Basic L2TP functions have been configured, and L2TP connections have been established between the LAC and the LNS.

Pre-Configuration Tasks

The device supports the following L2TP functions. All of these configurations are optional.

Configuring LCP Renegotiation

Context

The LAC authenticates access users. After the users are authenticated, the LAC forwards the authentication information to the LNS, which then determines whether the users are authorized.

If the LNS does not trust the LAC, you can configure LCP renegotiation to implement second authentication on the users. The users renegotiate with the LNS, and L2TP connections can be established only after renegotiation succeeds.

LCP renegotiation and mandatory CHAP authentication cannot be configured simultaneously. LCP renegotiation has a higher priority than mandatory CHAP authentication. Therefore, when both of them are configured, the device performs LCP renegotiation.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-number

    The L2TP group view is displayed.

  3. Run mandatory-lcp

    LCP renegotiation is enabled.

Configuring CHAP Mandatory Authentication

Context

You can configure mandatory CHAP authentication after the LNS receives authentication information transmitted from the LAC, when the LNS demands high security. After mandatory CHAP authentication is configured, the LNS performs only CHAP authentication for remote users. If the authentication mode is set to PAP authentication on the LAC, the LNS authentication fails and L2TP sessions cannot be established.

LCP renegotiation and mandatory CHAP authentication cannot be configured simultaneously. LCP renegotiation has a higher priority than mandatory CHAP authentication. Therefore, when both of them are configured, the device performs LCP renegotiation.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-number

    The L2TP group view is displayed.

  3. Run mandatory-chap

    Mandatory CHAP authentication is enabled.

Configuring Primary and Secondary LNSs

Context

You can configure double gateways (one primary and one secondary) in an enterprise headquarters if the enterprise demands high reliability. When the primary gateway fails, services are switched to the secondary gateway; however, L2TP connection requests initiated by the LAC can then no longer reach the primary LNS. To ensure that L2TP connection requests are sent to the secondary LNS, configure the IP address of the secondary gateway on the LAC as well, so that when the first IP address is unreachable, the LAC sends the request packets to the address of the secondary gateway.

Figure 1-18  Networking diagram of primary and secondary LNSs

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-number

    The L2TP group view is displayed.

  3. Run start l2tp ip ip-address &<1-4> { domain domain-name | fullusername user-name }

    An L2TP connection is initiated. A maximum of four LNS addresses can be configured.

Configuring AVP Parameter Encryption

Context

An L2TP connection is established so that control messages can be exchanged between the LAC and LNS. Control messages carry various types of AVP parameters, including the user name and password. When AVP parameter encryption is configured, these AVP parameters are encrypted so that sensitive information is hidden, which improves communication security.

You must configure the L2TP tunnel authentication function before enabling the AVP parameter encryption.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-number

    The L2TP group view is displayed.

  3. Run tunnel authentication

    The L2TP tunnel authentication is enabled.

  4. Run tunnel password { simple | cipher } password

    An authentication password is configured. This password can also be used for encrypting AVP parameters.

    If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

  5. Run tunnel avp-hidden

    The AVP parameter encryption is enabled to hide key AVP parameters in L2TP packets.

Configuring L2TP Tunnel Authentication

Context

You can configure the L2TP tunnel authentication when a network has a high security requirement. Configure the same authentication password on the LAC and LNS.

The LAC and LNS check the authentication password configured for each other. If the authentication password is the same, an L2TP tunnel can be established.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run l2tp-group group-number

    The L2TP group view is displayed.

  3. Run tunnel authentication

    The L2TP tunnel authentication is enabled.

  4. Run tunnel password { simple | cipher } password

    An authentication password is configured.

    If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.
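The two mechanisms described in the preceding sections, AVP hiding and tunnel authentication, are both keyed on the shared tunnel password, which is why tunnel authentication must be configured before `tunnel avp-hidden`. The following is an added example (not code from this guide or from the device) that implements the Challenge Response computation and the hidden-AVP transform as specified in RFC 2661; the secret, challenge and Random Vector values used are constructed.

```python
"""RFC 2661 tunnel authentication and AVP hiding, keyed on the shared tunnel secret."""
import hashlib
import os

# Control message types that carry a Challenge Response AVP (RFC 2661 section 6).
SCCRP, SCCCN = 2, 3


def challenge_response(message_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(message type (1 octet) + secret + challenge).
    Each side proves knowledge of the tunnel password without ever sending it."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def _first_key_block(attr_type: int, secret: bytes, random_vector: bytes) -> bytes:
    # First 16-octet key block: MD5(Attribute Type (2 octets) + secret + Random Vector AVP value)
    return hashlib.md5(attr_type.to_bytes(2, "big") + secret + random_vector).digest()


def hide_avp(attr_type: int, value: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Hidden AVP value per RFC 2661 section 4.3: length prefix, padding, chained MD5 XOR."""
    plain = len(value).to_bytes(2, "big") + value
    if len(plain) % 16:
        plain += os.urandom(16 - len(plain) % 16)  # padding, later stripped via the length prefix
    key, out = _first_key_block(attr_type, secret, random_vector), bytearray()
    for i in range(0, len(plain), 16):
        cipher_block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += cipher_block
        key = hashlib.md5(secret + cipher_block).digest()  # next block keyed on previous output
    return bytes(out)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Inverse of hide_avp. A wrong secret or Random Vector yields a garbage length
    prefix, which is rejected when it no longer fits inside the value."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden AVP value must be a non-empty multiple of 16 octets")
    key, plain = _first_key_block(attr_type, secret, random_vector), bytearray()
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(cipher_block, key))
        key = hashlib.md5(secret + cipher_block).digest()
    length = int.from_bytes(plain[:2], "big")
    if length > len(plain) - 2:
        raise ValueError("length prefix out of range: wrong secret or Random Vector")
    return bytes(plain[2:2 + length])
```

Because both transforms derive their keying material from the tunnel password through MD5, the confidentiality of hidden AVPs is only as good as that password, which is the practical reason to keep it strong and stored in cipher form.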

Configuring L2TP Tunnel Connectivity

Context

Hello packets are used to detect tunnel connectivity between the LAC and LNS.

When Hello packets time out, L2TP tunnels are automatically deleted to release network resources. The interval for sending Hello packets is set based on network requirements.
  • If the network is stable, you can set a longer interval for sending Hello packets to reduce network burdens.

  • If the network is unstable, you can set a shorter interval for sending Hello packets so that tunnel faults are detected promptly. When primary and secondary LNSs are deployed, L2TP connection requests are sent to the IP address of the secondary LNS once a tunnel disconnection is detected.

When the device attempts to set up a tunnel to an LNS but the LNS runs abnormally, the device marks the LNS as unusable and does not set up a tunnel to the LNS in a period. This period is the LNS locking duration. After the locking duration, the device attempts to set up a tunnel to the LNS again.

Procedure

  • Configuring interval for sending Hello packets
    1. Run system-view

      The system view is displayed.

    2. Run l2tp-group group-number

      The L2TP group view is displayed.

    3. Run tunnel timer hello interval

      The interval for sending Hello packets is configured.

      By default, Hello packets are sent at intervals of 60s.

  • Configuring LNS locking duration
    1. Run system-view

      The system view is displayed.

    2. Run l2tp aging time

      The LNS locking duration is configured.

      By default, the LNS locking duration is 30 seconds.

      Perform this step on the LAC only.
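The constraints stated across these sections (store the tunnel password in cipher form, enable tunnel authentication before `tunnel avp-hidden`, and do not combine `mandatory-lcp` with `mandatory-chap`) can be checked offline against a saved configuration. This is an added example, not a tool shipped with the device; the configuration dump it parses is constructed for illustration and only the commands covered in this guide are recognised.

```python
"""Audit L2TP group settings in a saved VRP-style configuration (added example)."""
from collections import defaultdict

# Constructed sample, not taken from a real device. Indented lines belong to the
# l2tp-group view that precedes them; "#" separates views, as in a saved configuration.
SAMPLE_CONFIG = """\
l2tp-group 1
 tunnel authentication
 tunnel password simple ExamplePassword
 tunnel avp-hidden
 mandatory-lcp
 mandatory-chap
#
l2tp-group 2
 tunnel avp-hidden
 tunnel timer hello 60
#
l2tp-group 3
 tunnel authentication
 tunnel password cipher %^%#CIPHERTEXT_PLACEHOLDER%^%#
 mandatory-chap
"""


def parse_groups(config: str) -> dict:
    """Map each l2tp-group number to the list of commands configured under it."""
    groups, current = defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # a separator ends the current view
        elif line.startswith("l2tp-group "):
            current = line.split()[1]
        elif current is not None and line:
            groups[current].append(line)
    return dict(groups)


def audit_group(commands: list) -> list:
    """Return findings for one group, based on the constraints given in this guide."""
    findings = []
    if any(c.startswith("tunnel password simple ") for c in commands):
        findings.append("tunnel password stored in plain text; use the cipher form")
    if "tunnel avp-hidden" in commands and "tunnel authentication" not in commands:
        findings.append("tunnel avp-hidden requires tunnel authentication to be enabled")
    if "mandatory-lcp" in commands and "mandatory-chap" in commands:
        findings.append("mandatory-lcp and mandatory-chap both set; LCP renegotiation takes effect")
    return findings


def audit(config: str) -> dict:
    """Audit every l2tp-group in the configuration; empty lists mean no findings."""
    return {group: audit_group(cmds) for group, cmds in parse_groups(config).items()}
```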

Updated: 2019-08-07

Document ID: EDOC1100033725
