No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Client-Initiated L2TP Connections

Example for Configuring Client-Initiated L2TP Connections

Networking Requirements

As shown in Figure 1-19, traveling employees need to communicate with the headquarters and access the headquarters gateway through the Internet to use internal resources. However, the headquarters gateway cannot identify and manage access users. To solve this problem, configure the headquarters gateway as the LNS to establish a virtual point-to-point connection between the traveling employees and the headquarters gateway when the employees use the L2TP dialup software on the PC to initiate L2TP connections. A PC running Windows 7 operating system is used in this example.

Figure 1-19  Networking diagram for establishing client-initiated L2TP connections

Configuration Roadmap

The configuration roadmap is as follows:

  1. Connect the headquarters gateway to the Internet, and configure the gateway as the LNS to respond to L2TP connection requests sent by a traveling employee.

  2. Connect the employee to the Internet, and enable the employee to initiate L2TP connections to the LNS using the L2TP dialup software.


  1. Configure the LNS.

    # Configure an IP address and a route to the Internet. For example, set the next hop address to the Internet to

    <Huawei> system-view
    [Huawei] sysname LNS
    [LNS] interface gigabitethernet 1/0/0
    [LNS-GigabitEthernet1/0/0] ip address
    [LNS-GigabitEthernet1/0/0] quit
    [LNS] ip route-static 0

    # Set the user name, password, and service type to huawei, Huawei@1234, and ppp respectively.

    [LNS] aaa
    [LNS-aaa] local-user huawei password
    Please configure the login password (8-128)
    It is recommended that the password consist of at least 2 types of characters, i
    ncluding lowercase letters, uppercase letters, numerals and special characters. 
    Please enter password: 
    Please confirm password:
    Info: Add a new user.
    Warning: The new user supports all access modes. The management user access mode
    s such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advi
    sed to configure the required access modes only.  
    [LNS-aaa] local-user huawei service-type ppp
    [LNS-aaa] quit

    # Configure an IP address pool used to assign addresses to dialup users.

    [LNS] ip pool lns
    [LNS-ip-pool-lns] network mask 24
    [LNS-ip-pool-lns] gateway-list
    [LNS-ip-pool-lns] quit

    # Configure a virtual interface template.

    [LNS] interface virtual-template 1
    [LNS-Virtual-Template1] ip address
    [LNS-Virtual-Template1] ppp authentication-mode chap
    [LNS-Virtual-Template1] remote address pool lns
    [LNS-Virtual-Template1] quit

    # Enable L2TP and create an L2TP group numbered 1.

    [LNS] l2tp enable
    [LNS] l2tp-group 1

    # Disable the tunnel authentication function. The PC running Windows 7 operating system does not support tunnel authentication.

    [LNS-l2tp1] undo tunnel authentication

    # Bind the LNS to the virtual interface template.

    [LNS-l2tp1] allow l2tp virtual-template 1

  2. Configure the Windows 7 operating system.

    # Modify the Windows registry and disable the digital certificate authentication function.

    Choose Start > Run and enter regedit to open the Registry Editor. Open Parameters in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\, create DWORD and set the name and value to ProhibitIpSec and 1 respectively. After modifying the parameters, restart the PC.

    # Create an L2TP network connection.

    Choose Start > Run > Network and Sharing Center, click Set Up a Connection or Network, choose Connect to a workplace, and click Next.

    Click Use my Internet connection (VPN).

    Enter an Internet address which is the IP address of the LNS (, enter a destination name (for example, L2TP) as the network connection name, and click Next. You can customize a destination name.

    Enter the user name huawei and password Huawei@1234 and click Create.


    You do not need to set the domain.

    Click Close.

    # Set authentication parameters for the L2TP connection.

    Choose Start > Run > Network and Sharing Center and click Connect to a network. The created L2TP connection is displayed. Right-click L2TP and choose Properties to set connection parameters.

    You do not need to modify parameters on the General tab.

    Select Display progress while connecting and Prompt for name and password certificate, etc on the Options tab.


    Do not change the parameters that are displayed after you click PPP Settings.

    On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec for Type of VPN.

    Select Unencrypted password [PAP], Challenge Handshake Authentication Protocol [CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow these protocols.


    If you click Advanced settings, a dialog box is displayed on which you can set the IPSec pre-shared key. Do not set the IPSec pre-shared key here.

    You do not need to modify settings on the Networking and Sharing tabs.

    Choose Start > Run > Network and Sharing Center and click Connect to a network. The created L2TP connection is displayed. Right-click L2TP, enter the user name and password, and click Connect.

  3. Verify the configuration.

    # After the configurations are complete, PC 1 obtains a private network address for the L2TP connection, and PC 1 can communicate with the PC in the headquarters.

Configuration File

Configuration file of the LNS

 sysname LNS
 l2tp enable
interface GigabitEthernet1/0/0
 ip address
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei server-type ppp
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool lns
 ip address
ip pool lns
 network mask
ip route-static
Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 168265

Downloads: 398

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next