CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring L2TP Client-Initiated L2TP Connections

Access users do not need to dial up; they can reach the L2TP Client by any means. The L2TP Client uses a virtual dial-up interface to initiate PPP sessions and L2TP connection requests to the LNS.

Context

An enterprise has branches located in other cities. The branches use Ethernet LANs and have gateways deployed, so that branch hosts can access the Internet.

A VPDN connection must be established between the headquarters gateway and the branches so that the headquarters can provide access services for branch users. Any branch user is allowed to access the headquarters gateway, which authenticates only the branch gateways. Configure the headquarters gateway as the LNS and each branch gateway as an L2TP Client. Configure virtual users on the branch gateway; they dial up to initiate L2TP connections to the headquarters. In L2TP Client-Initiated mode, virtual point-to-point connections are established between the L2TP Client and the LNS. After receiving IP packets from branch users, the L2TP Client forwards the packets through the virtual dial-up interface; the packets pass through the L2TP tunnel to the LNS, which forwards them to the destination host.

Figure 1-17  Networking diagram for establishing L2TP Client-Initiated L2TP connections

Prerequisites

A reachable route has been configured between the LNS and the L2TP Client.

A LAN connection is established between branch users and the L2TP Client which functions as the gateway.

Configuration Process

Table 1-4 shows the configuration process on the L2TP Client. Table 1-5 shows the configuration process on the LNS.

Table 1-4  Configuration process on the L2TP Client

| Configuration | Procedure | Description |
| --- | --- | --- |
| Configure the L2TP Client to initiate an L2TP connection. | Enable L2TP. | Enable L2TP globally. |
| | Configure PPP negotiation. | Configure parameters for a virtual interface template and use this template as a virtual dial-up interface. Assign an IP address for the VT interface to make the configuration take effect. |
| | Create an L2TP group. | Configure L2TP parameters, including the LAC tunnel name and password, LNS address, and VPDN user name. You can also configure the AVP data to be transmitted in cipher text, primary and secondary LNSs, and an interval for sending Hello packets. |

Table 1-5  Configuration process on the LNS

| Configuration | Procedure | Description |
| --- | --- | --- |
| Configure local or remote AAA authentication. | Configure local authentication. | Store user information, including the user name, password, and service type, on the local device. You can also enable LCP renegotiation or mandatory CHAP authentication to implement second authentication on remote users. |
| | Configure remote authentication. | Configure RADIUS server parameters to enable the RADIUS server to store user information, including the user name, password, and service type, and authenticate access users. You can also enable LCP renegotiation or mandatory CHAP authentication to implement second authentication on remote users. |
| Configure the LNS to respond to the L2TP connection request. | Enable L2TP. | Enable L2TP globally. |
| | Configure an IP address pool. | Assign an IP address dynamically to the remote user after the user is authenticated. This step is not required when a static IP address is assigned to the remote user. |
| | Configure PPP negotiation. | Set the PPP negotiation mode to PAP or CHAP on the VT interface. Configure an IP address and use this address as the private network gateway address of the L2TP tunnel. Import an IP address pool to dynamically allocate IP addresses to remote users. If mandatory CHAP authentication is configured, the PPP authentication mode must be CHAP. |
| | Create an L2TP group. | Configure L2TP parameters, including the LNS tunnel name and password, number of the VT, and L2TP Client tunnel name. You can also configure the AVP data to be transmitted in cipher text, and an interval for sending Hello packets. |

Configuring AAA Authentication and Accounting

Context

AAA provides authentication, authorization, and accounting functions to manage remote access users and ensure secure connections. In L2TP Client-Initiated mode, you can configure local or remote authentication on the LNS to authenticate the L2TP Client.

After users are authenticated by the LNS, they can access the Internet. If you want to charge users for the network resources they access, configure the AAA accounting function on the LNS.

For details about how to configure AAA authentication, see AAA Configuration in the Huawei AR Series Access Routers Configuration Guide.

NOTE:

If the L2TP Client is trusted by the LNS, you can run the authentication-mode none command in the authentication scheme view of the LNS to set the authentication mode to non-authentication. If the command is configured, the LNS does not perform second authentication on remote users.

Procedure

  • Configuring local authentication

    1. Run system-view

      Enter the system view.

    2. Run aaa

      Enter the AAA view.

    3. Run authentication-scheme authentication-scheme-name

      Create an authentication scheme, and enter the authentication scheme view.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    4. Run authentication-mode local

      Set the authentication mode to local.

      By default, local authentication is used.

    5. Run quit

      Return to the AAA view.

    6. Run domain domain-name

      Create a domain, and enter the domain view.

      By default, the device has a domain named default, and its authentication mode is local.

    7. Run authentication-scheme authentication-scheme-name

      Specify an authentication scheme for the domain.

    8. Run quit

      Return to the AAA view.

    9. Run local-user user-name password cipher password

      Configure a user name and password for the local user, and store the user name and password on the device as the VPDN user information. The information is used to verify remote users.

      The password is stored in cipher text mode.

      NOTE:

      To ensure device security, users must change the password regularly.

    10. Run local-user user-name service-type ppp

      Configure a service type for the local user. The service type must be set to ppp because L2TP uses PPP negotiation.

    11. Run return

      Return to the user view.

  • Configuring remote authentication and accounting

    1. Run system-view

      Enter the system view.

    2. Run radius-server template template-name

      Create a RADIUS server template, and enter the RADIUS server template view. You can configure RADIUS server parameters in the RADIUS server template view.

    3. Run radius-server authentication ip-address port

      Configure an IP address and a port number for the RADIUS server.

    4. Run radius-server accounting ip-address port

      Configure a RADIUS accounting server.

      By default, no RADIUS accounting server is configured.

    5. Run radius-server shared-key cipher key-string

      Configure a shared key for connecting to the RADIUS server.

      By default, the shared key is huawei in cipher text.

    6. Run quit

      Return to the system view.

    7. Run aaa

      Enter the AAA view.

    8. Run authentication-scheme authentication-scheme-name

      Create an authentication scheme, and enter the authentication scheme view.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    9. Run authentication-mode radius

      Set the authentication mode to radius.

      By default, local authentication is used.

    10. (Optional) Run accounting-scheme accounting-scheme-name

      Create an accounting scheme and enter the accounting scheme view.

      A default accounting scheme named default is available on the device. The default scheme can only be modified but cannot be deleted.

    11. (Optional) Run accounting-mode radius

      Set the accounting mode to RADIUS.

      By default, non-accounting is used.

    12. (Optional) Run accounting start-fail { online | offline }

      Configure a policy for accounting-start failures.

      By default, users cannot go online if accounting-start fails.

    13. (Optional) Run accounting realtime interval

      Enable real-time accounting and set a real-time accounting interval.

    14. (Optional) Run accounting interim-fail [ max-times times ] { online | offline }

      Specify the maximum number of real-time accounting requests and a policy for real-time accounting failures.

    15. Run quit

      Return to the AAA view.

    16. Run domain domain-name

      Create a domain, and enter the domain view.

      By default, the device has a domain named default, and its authentication mode is local.

    17. Run authentication-scheme authentication-scheme-name

      Specify an authentication scheme for the domain.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    18. Run radius-server template-name

      Specify the RADIUS server template for users in the domain.

    19. (Optional) Run accounting-scheme accounting-scheme-name

      Apply the accounting scheme to the domain.

      By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and the real-time accounting function is disabled.

    20. (Optional) Run statistic enable

      If traffic-based accounting is used, enable traffic statistics collection in the domain.

      By default, traffic statistics collection is disabled for a domain.

    21. Run return

      Return to the user view.
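The two procedures above, carried through as a complete LNS configuration. This is an added example, not taken from the original document: variant 1 is local authentication with a VPDN user stored on the device, variant 2 is RADIUS authentication with RADIUS accounting. The scheme and domain names, the user name and passwords, the RADIUS server address and ports, and the accounting interval are constructed placeholders; lines beginning with # are annotations, not commands, and the view prompts are illustrative.

```text
# --- Variant 1: local authentication on the LNS (constructed example) ---
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme l2tp-local
[Huawei-aaa-authen-l2tp-local] authentication-mode local
[Huawei-aaa-authen-l2tp-local] quit
[Huawei-aaa] domain default
[Huawei-aaa-domain-default] authentication-scheme l2tp-local
[Huawei-aaa-domain-default] quit
# VPDN user verified by the LNS; service-type must be ppp because L2TP uses PPP negotiation
[Huawei-aaa] local-user vpdnuser password cipher Huawei@2012
[Huawei-aaa] local-user vpdnuser service-type ppp
[Huawei-aaa] return

# --- Variant 2: RADIUS authentication and accounting on the LNS (constructed example) ---
<Huawei> system-view
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 10.1.1.100 1812
[Huawei-radius-rd1] radius-server accounting 10.1.1.100 1813
# Replace the default shared key "huawei"; keep it in cipher text
[Huawei-radius-rd1] radius-server shared-key cipher Radius@Key1
[Huawei-radius-rd1] quit
[Huawei] aaa
[Huawei-aaa] authentication-scheme l2tp-radius
[Huawei-aaa-authen-l2tp-radius] authentication-mode radius
[Huawei-aaa-authen-l2tp-radius] quit
[Huawei-aaa] accounting-scheme l2tp-acct
[Huawei-aaa-accounting-l2tp-acct] accounting-mode radius
# Users stay offline if accounting-start fails (the default); stated explicitly here
[Huawei-aaa-accounting-l2tp-acct] accounting start-fail offline
[Huawei-aaa-accounting-l2tp-acct] accounting realtime 15
[Huawei-aaa-accounting-l2tp-acct] accounting interim-fail max-times 3 online
[Huawei-aaa-accounting-l2tp-acct] quit
[Huawei-aaa] domain l2tp.example
[Huawei-aaa-domain-l2tp.example] authentication-scheme l2tp-radius
[Huawei-aaa-domain-l2tp.example] radius-server rd1
[Huawei-aaa-domain-l2tp.example] accounting-scheme l2tp-acct
# Needed only for traffic-based accounting
[Huawei-aaa-domain-l2tp.example] statistic enable
[Huawei-aaa-domain-l2tp.example] return
```

In variant 2 the user name presented by the L2TP Client must carry the domain (for example vpdnuser@l2tp.example) so that the LNS selects the domain bound to the RADIUS template; in variant 1 a user name without a domain falls into the default domain.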

Configuring the L2TP Client to Dial Up and Initiate L2TP Connections

Context

Create a virtual dial-up interface on the L2TP Client. The virtual users automatically dial up to initiate L2TP connections to the LNS.

When configuring the L2TP Client, note the following:
  • As a PPP dial-up client, the L2TP Client can obtain an IP address for its virtual tunnel (VT) interface through PPP negotiation from the LNS. Or you can manually specify an IP address for the VT interface.

  • Dial-up parameters, including the user name, password, and authentication mode, of the VT interface on the L2TP Client must be the same as those on the LNS.

  • Tunnel authentication is enabled by default, and no authentication password is configured.
    • If tunnel authentication is used, configure the same authentication password for the L2TP Client and LNS.
    • If tunnel authentication is not used, disable tunnel authentication on the L2TP Client and LNS.

Procedure

  • Configure the L2TP Client.

    1. Run system-view

      The system view is displayed.

    2. Run l2tp enable

      L2TP is enabled globally.

    3. Run interface virtual-template vt-number

      A virtual interface template is created, and the virtual template view is displayed.

      You can configure dial-up parameters for the VT interface.

      NOTE:

      PPPoE and L2TP services cannot be configured on the same VT interface simultaneously.

    4. Run ip address ppp-negotiate

      The L2TP Client is configured to obtain an IP address from the LNS.

      You can run either of the following commands to make the IP protocol take effect.
      • Run the ip address ip-address { mask | mask-length } command to assign an IP address for the interface.
      • Run the ip address unnumbered interface interface-type interface-number command to use one IP address of the other interfaces.
    5. Run ppp pap local-user username password { cipher | simple } password

      The PPP negotiation mode is set to pap and a user name and password are specified.

      If the authentication mode is set to chap, run the following commands:
      • ppp chap user username
      • ppp chap password { cipher | simple } password

      NOTE:

      When you specify simple, the password is saved in plain text in the configuration, which brings potential security risks. You are advised to specify cipher to save the password in cipher text.

      In PAP authentication, the password is transmitted in plain text on the network, which brings potential security risks.

    6. Run l2tp-auto-client enable

      The device dial-up function is enabled.

    7. Run mtu size

      The MTU of the interface is set.

      When the device interconnects with a non-Huawei device, set an MTU value on the virtual template interface to prevent an interconnection failure, for example, the non-Huawei device failing to reassemble data packets that were fragmented on a physical outbound interface of the Huawei device. The MTU value must be less than or equal to the MTU of the physical outbound interface (1500 bytes by default) minus the L2TP encapsulation header length (38 bytes, or 42 bytes when the packet carries sequence number information). For example, when the MTU of the physical outbound interface is 1500 bytes and the L2TP encapsulation header length is 42 bytes, the value of size in this step must be less than or equal to 1458.

      If a physical interface performs packet fragmentation again after the packet is fragmented on the corresponding VT interface, device performance degrades. To prevent this case, you are advised to set the MTU value of the VT interface to the range of 1400 to 1450.

    8. Run quit

      Return to the system view.

    9. Run interface interface-type interface-number

      The view of the physical interface connected to remote users is displayed.

    10. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the interface and used as the gateway address.

    11. Run quit

      Return to the system view.

    12. Run l2tp-group group-number

      An L2TP group is created, and the L2TP group view is displayed.

      You can configure L2TP connection parameters to enable the L2TP Client to initiate L2TP connections to the LNS if the user information matches the configuration.

    13. Run tunnel password { simple | cipher } password

      The password of the L2TP tunnel is configured. The password must be the same as that of the tunnel on the LNS.

      Tunnel authentication is enabled by default, and no authentication password is configured.

      It is recommended that you enable the tunnel authentication function. If the tunnel authentication function is not required, run the undo tunnel authentication command to disable the function.

      If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

    14. Run tunnel name tunnel-name

      A tunnel name is configured to enable the LNS to accept L2TP connections based on the LAC tunnel name.

      By default, the device name is used as the tunnel name when no tunnel name is specified.

    15. Run either of the following commands to configure a public network address or domain name for the LNS, which specifies the destination address of control messages.
      • start l2tp ip ip-address &<1-4> { domain domain-name | fullusername user-name | interface interface-type interface-number | vpn-instance vpn-instance-name fullusername user-name }
      • start l2tp host hostname { domain domain-name | fullusername user-name }
      The keywords define VPDN users.
      • fullusername: specifies a name for VPDN users. L2TP connections can be established for remote users with the same user name.
      • domain: specifies a domain name for VPDN users. L2TP connections can be established for remote users with the same domain name.
      • vpn-instance: specifies the VPN instance to which the IP address of the L2TP connections of a specific L2TP group belongs.
    16. Run return

      Return to the user view.
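The L2TP Client procedure above as one complete configuration. This is an added example and not part of the original document: it uses CHAP (the recommended mode) instead of the PAP form shown in step 5, obtains the VT address from the LNS, and keeps the VT MTU inside the recommended 1400 to 1450 range. The interface name, LAN address, LNS public address, user name, tunnel name and passwords are constructed placeholders; lines beginning with # are annotations, not commands.

```text
# --- L2TP Client (branch gateway), constructed example ---
<Huawei> system-view
[Huawei] l2tp enable
[Huawei] interface virtual-template 1
# VT address is negotiated from the LNS via PPP (ip address ppp-negotiate)
[Huawei-Virtual-Template1] ip address ppp-negotiate
# CHAP credentials; must match the VPDN user stored on (or reachable from) the LNS
[Huawei-Virtual-Template1] ppp chap user vpdnuser
[Huawei-Virtual-Template1] ppp chap password cipher Huawei@2012
[Huawei-Virtual-Template1] l2tp-auto-client enable
# 1500 - 42 = 1458 is the ceiling with sequence numbers; 1450 avoids re-fragmentation
[Huawei-Virtual-Template1] mtu 1450
[Huawei-Virtual-Template1] quit
# LAN-facing interface acts as the default gateway for branch hosts
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] l2tp-group 1
# Tunnel authentication stays enabled; password must equal the one on the LNS
[Huawei-l2tp1] tunnel password cipher Tunnel@Pwd1
# LAC tunnel name the LNS matches in its allow l2tp ... remote setting
[Huawei-l2tp1] tunnel name lac1
# LNS public address (placeholder) and the VPDN user that triggers the connection
[Huawei-l2tp1] start l2tp ip 203.0.113.2 fullusername vpdnuser
[Huawei-l2tp1] return
```

The three values that must agree with the LNS are the authentication mode (CHAP here), the VPDN user name and password, and the tunnel password; a mismatch in any of them is the usual reason a client-initiated tunnel fails to come up.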

Configuring the LNS to Respond to the L2TP Connection Request

Context

Configure L2TP parameters to enable the LNS to respond to L2TP connection requests from the LAC based on the LAC tunnel name.

When configuring the LNS, note the following:
  • When you configure PPP negotiation parameters on the virtual interface template, the authentication mode must be the same as that configured on the LAC.

  • If the L2TP group number is not 1, you must specify an LAC tunnel name.

  • Tunnel authentication is enabled by default, and no authentication password is configured.
    • If tunnel authentication is used, configure the same authentication password for the LAC and LNS.
    • If tunnel authentication is not used, disable tunnel authentication on the LAC and LNS.
  • If RADIUS authentication is used and Frame-IP and Frame-Route attributes are specified by the RADIUS server for users, the LNS delivers the Frame-IP and Frame-Route attributes to users and does not allocate IP addresses from the local address pool. The Frame-IP must be included in the local address pool.

  • If the VPN instance attributes are configured for users on the RADIUS server when RADIUS authentication is used, you cannot bind the VPN instance to the VT interface of the LNS.

NOTE:

The LNS does not know users' real MAC addresses because user terminals use virtual MAC addresses allocated by the device. These virtual MAC addresses change randomly and cannot be bound with static IP addresses.

Procedure

  • Configuring the LNS

    1. Run system-view

      The system view is displayed.

    2. Run l2tp enable

      L2TP is enabled globally.

    3. Run ip pool ip-pool-name

      A global IP address pool is created, and the global IP address pool view is displayed. The global IP address pool is used to allocate IP addresses to remote users.

      This step is not required if you have manually configured a static IP address for the user.

      NOTE:

      L2TP allocates to users only IP addresses from the address pool configured using the ip pool command; attributes of other address pools are not delivered to users.

      If you want to allocate the DNS server address to users, add the service-scheme command to the AAA configuration.

    4. Run network ip-address [ mask { mask | mask-length } ]

      A network segment is configured to allocate IP addresses dynamically from the largest to the smallest.

    5. Run gateway-list ip-address &<1-8>

      A gateway address is configured, and allocated to the remote user.

    6. Run quit

      Return to the system view.

    7. Run interface virtual-template vt-number

      A virtual interface template is created, and the virtual template view is displayed.

      You can configure PPP negotiation parameters on the interface that functions as the private network gateway interface to accept L2TP connections of remote users.

      NOTE:

      PPPoE and L2TP services cannot be configured on the same VT interface simultaneously.

    8. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the gateway in the headquarters.

    9. Run remote address { ip-address | pool pool-name }

      An IP address pool is configured to allocate IP addresses dynamically for remote users.

      This step is not required if you have configured static IP addresses for remote users.

      This step is not required if RADIUS authentication is used and an address pool name or Frame-IP attribute is specified by the RADIUS server. The LNS allocates IP addresses for remote users from the address pool specified by the RADIUS server.

      When L2TP supports multiple address pools, omit this step if the service-scheme command has been run to specify an address pool. The LNS allocates IP addresses to remote users from the address pool specified by the service-scheme command.

      NOTE:

      If multiple users dial up using the same static IP address, users can go online but their service packets may fail to be forwarded if forcible address allocation is not configured on the LNS. Customers need to correctly plan static IP addresses. If the device must identify users and allow only one user terminal to connect to it, the planned address for the user terminal must be in the address pool and the ppp ipcp remote-address forced command must be configured.

    10. Run ppp authentication-mode { pap | chap }

      The PPP authentication mode is set to pap or chap to authenticate remote users.

      The LAC and LNS must have the same authentication mode.

      NOTE:

      In PAP authentication, passwords are transmitted in plain text on the network, bringing potential security risks. CHAP authentication is recommended.

    11. Run mtu size

      The MTU of the interface is set.

      When the device interconnects with a non-Huawei device, set an MTU value on the virtual template interface to prevent an interconnection failure, for example, the non-Huawei device failing to reassemble data packets that were fragmented on a physical outbound interface of the Huawei device. The MTU value must be less than or equal to the MTU of the physical outbound interface (1500 bytes by default) minus the L2TP encapsulation header length (38 bytes, or 42 bytes when the packet carries sequence number information). For example, when the MTU of the physical outbound interface is 1500 bytes and the L2TP encapsulation header length is 42 bytes, the value of size in this step must be less than or equal to 1458.

      If a physical interface performs packet fragmentation again after the packet is fragmented on the corresponding VT interface, device performance degrades. To prevent this case, you are advised to set the MTU value of the VT interface to the range of 1400 to 1450.

    12. Run quit

      Return to the system view.

    13. Run l2tp-group group-number

      An L2TP group is created, and the L2TP group view is displayed.

      You can configure L2TP connection parameters to accept connections initiated by the LAC.

      When the L2TP group number is 1, the LNS accepts all the L2TP connections.

    14. Run tunnel password { simple | cipher } password

      The password of the L2TP tunnel is configured. The password must be the same as that of the tunnel on the LAC.

      Tunnel authentication is enabled by default, and no authentication password is configured.

      It is recommended that you enable the tunnel authentication function. If the tunnel authentication function is not required, run the undo tunnel authentication command to disable the function.

      If simple is selected, the password is saved in the configuration file in plain text. In this case, users at a lower level can easily obtain the password by viewing the configuration file. This brings security risks. Therefore, it is recommended that you select cipher to save the password in cipher text.

    15. Run tunnel name tunnel-name

      A tunnel name is configured. The tunnel name is used for PPP negotiation during tunnel establishment.

      By default, the device name is used as the tunnel name when no tunnel name is specified.

    16. Run allow l2tp virtual-template virtual-template-number [ remote remote-name [ vpn-instance vpn-instance-name ] ]

      The L2TP group is configured as the LNS to respond to L2TP connection requests initiated by the LAC.

      You must specify a virtual interface template and an LAC tunnel name.

      When the L2TP group number is 1, the LNS accepts any L2TP connection requests from the LAC. You can choose not to specify the remote tunnel name.

    17. Run return

      Return to the user view.
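The LNS procedure above as one complete configuration. This is an added example and not part of the original document; it is the counterpart of a client that uses CHAP, tunnel name lac1 and a shared tunnel password, and it assumes an AAA configuration such as the local-user entry described in the AAA procedure earlier on this page is already present. The pool name, addresses, tunnel names and password are constructed placeholders; lines beginning with # are annotations, not commands.

```text
# --- LNS (headquarters gateway), constructed example ---
<Huawei> system-view
[Huawei] l2tp enable
# Global pool from which remote users receive addresses (not needed for static addresses)
[Huawei] ip pool l2tp-pool
[Huawei-ip-pool-l2tp-pool] network 172.16.0.0 mask 255.255.255.0
[Huawei-ip-pool-l2tp-pool] gateway-list 172.16.0.1
[Huawei-ip-pool-l2tp-pool] quit
[Huawei] interface virtual-template 1
# Private network gateway address of the tunnel
[Huawei-Virtual-Template1] ip address 172.16.0.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool l2tp-pool
# Must match the client's mode; CHAP avoids plain-text passwords on the wire
[Huawei-Virtual-Template1] ppp authentication-mode chap
[Huawei-Virtual-Template1] mtu 1450
[Huawei-Virtual-Template1] quit
[Huawei] l2tp-group 1
# Same tunnel password as the L2TP Client; tunnel authentication stays enabled
[Huawei-l2tp1] tunnel password cipher Tunnel@Pwd1
[Huawei-l2tp1] tunnel name lns1
# Group 1 would accept any LAC; naming the remote restricts it to tunnel name lac1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac1
[Huawei-l2tp1] return
```

Even though group 1 accepts connections from any LAC when no remote name is given, specifying remote lac1 keeps the LNS bound to the expected branch gateway, which is the intent of the scenario in the Context section (the LNS authenticates only the branch gateways).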

Updated: 2019-08-07

Document ID: EDOC1100033725