CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring the LAC to Initiate Call-Triggered L2TP Connections

The LAC functions as a PPPoE server that authenticates call connection requests from remote users and initiates L2TP connections to the LNS based on the user information carried in the request packets.

Context

An enterprise has branches in other cities. The branches use Ethernet and have gateways deployed so that branch hosts can access the Internet. Hosts at the headquarters need to communicate with hosts at the branches. You can use L2TP to configure the headquarters gateway as an LNS that uniformly manages access requests from branch hosts. Dial-up data from a branch host cannot be transmitted directly over the Ethernet network. When PPPoE dial-up software is deployed on the branch host, however, the host functions as the PPPoE client and the branch gateway functions as the PPPoE server and the LAC, so dial-up data can be transmitted to the headquarters.

Figure 1-16  Networking diagram for the LAC to initiate an L2TP connection request on receiving a dial-up call

Prerequisite

A reachable route has been configured between the LNS and the LAC.

Configuration Process

Table 1-2 shows the configuration process on the LAC. Table 1-3 shows the configuration process on the LNS.

Table 1-2  Configuration process on the LAC (Configuration / Procedure / Description)

  • Configure local or remote AAA authentication.
    • Configure local authentication: store user information, including the user name, password, and service type, on the local device.
    • Configure remote authentication: configure RADIUS server parameters so that the RADIUS server stores user information, including the user name, password, and service type, and authenticates access users.

  • Configure the LAC to initiate an L2TP connection.
    • Enable L2TP: enable L2TP globally.
    • Configure PPP negotiation: set the PPP negotiation mode to PAP or CHAP on the virtual template (VT) interface; assign an IP address to the VT interface so that the configuration takes effect; configure a PPPoE server on the user-side physical interface.
    • Create an L2TP group: configure L2TP parameters, including the LAC tunnel name and password, LNS address, and VPDN user name. You can also configure the Attribute Value Pair (AVP) data to be transmitted in cipher text, primary and secondary LNSs, and an interval for sending Hello packets.

Table 1-3  Configuration process on the LNS (Configuration / Procedure / Description)

  • Configure local or remote AAA authentication.
    • Configure local authentication: store user information, including the user name, password, and service type, on the local device. You can also enable LCP renegotiation or mandatory CHAP authentication to perform second authentication on remote users.
    • Configure remote authentication: configure RADIUS server parameters so that the RADIUS server stores user information, including the user name, password, and service type, and authenticates access users. You can also enable LCP renegotiation or mandatory CHAP authentication to perform second authentication on remote users.

  • Configure the LNS to respond to the L2TP connection request.
    • Enable L2TP: enable L2TP globally.
    • Configure an IP address pool: assign an IP address dynamically to the remote user after the user is authenticated. This step is not required when a static IP address is assigned to the remote user.
    • Configure PPP negotiation: set the PPP negotiation mode to PAP or CHAP on the VT interface; configure an IP address on the VT interface and use it as the private network gateway address of the L2TP tunnel; import an IP address pool to dynamically allocate IP addresses to remote users. If mandatory CHAP authentication is configured, the PPP authentication mode must be CHAP.
    • Create an L2TP group: configure L2TP parameters, including the LNS tunnel name and password, VT number, and LAC tunnel name. You can also configure the AVP data to be transmitted in cipher text, and an interval for sending Hello packets.

Configuring AAA Authentication and Accounting

Context

AAA provides authentication, authorization, and accounting functions to manage access users and ensure secure connections. You can configure local or remote authentication on the LAC and LNS to authenticate remote users.

When users access the Internet only through the LNS, you can configure the accounting function on the LNS to manage the users' online duration and traffic.

The LAC checks the user name or domain name of the users to determine whether to establish a tunnel to the LNS. The user name and domain name are described as follows:
  • User name: applies to the scenario where there are few users and each user is managed independently. In this scenario, each user exclusively occupies an L2TP tunnel.

    If remote users are authenticated based on user names, the device uses the default domain named default and the authentication scheme named default. The authentication scheme named default uses the default authentication mode, local.

  • Domain name: applies to the scenario where there are many access users and the users are managed uniformly. In this scenario, users with the same domain name occupy an L2TP tunnel.

    If remote users are authenticated based on the domain name, you need to configure a domain and an authentication scheme for the domain.

The LAC and LNS must have the same AAA authentication configurations.

For details about how to configure AAA authentication, see AAA Configuration in the Huawei AR Series Access Routers Configuration Guide.

NOTE:

If the LAC is trusted by the LNS, you can run the authentication-mode none command in the authentication scheme view of the LNS to set the authentication mode to non-authentication. If the command is configured, the LNS does not perform second authentication on remote users.

Procedure

  • Configuring local authentication

    1. Run system-view

      Enter the system view.

    2. Run aaa

      Enter the AAA view.

    3. Run authentication-scheme authentication-scheme-name

      Create an authentication scheme, and enter the authentication scheme view.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    4. Run authentication-mode local

      Set the authentication mode to local.

      By default, local authentication is used.

    5. Run quit

      Return to the AAA view.

    6. Run domain domain-name

      Create a domain, and enter the domain view.

      By default, the device has a domain named default, and its authentication mode is local.

    7. Run authentication-scheme authentication-scheme-name

      Specify an authentication scheme for the domain.

    8. Run quit

      Return to the AAA view.

    9. Run local-user user-name password cipher password

      Configure a user name and password for the local user, and store the user name and password on the device as the VPDN user information. The information is used to verify remote users.

      The password is stored in cipher text mode.

      NOTE:

      To ensure device security, users must change the password regularly.

    10. Run local-user user-name service-type ppp

      Configure a service type for the local user. The service type must be set to ppp because L2TP uses PPP negotiation.

    11. Run return

      Return to the user view.

  • Configuring remote authentication and accounting

    1. Run system-view

      Enter the system view.

    2. Run radius-server template template-name

      Create a RADIUS server template, and enter the RADIUS server template view. You can configure RADIUS server parameters in the RADIUS server template view.

    3. Run radius-server authentication ip-address port

      Configure an IP address and a port number for the RADIUS server.

    4. Run radius-server accounting ip-address port

      Configure a RADIUS accounting server.

      By default, no RADIUS accounting server is configured.

    5. Run radius-server shared-key cipher key-string

      Configure a shared key for connecting to the RADIUS server.

      By default, the shared key is huawei in cipher text.

    6. Run quit

      Return to the system view.

    7. Run aaa

      Enter the AAA view.

    8. Run authentication-scheme authentication-scheme-name

      Create an authentication scheme, and enter the authentication scheme view.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    9. Run authentication-mode radius

      Set the authentication mode to radius.

      By default, local authentication is used.

    10. (Optional) Run accounting-scheme accounting-scheme-name

      Create an accounting scheme and enter the accounting scheme view.

      A default accounting scheme named default is available on the device. The default scheme can only be modified but cannot be deleted.

    11. (Optional) Run accounting-mode radius

      Set the accounting mode to RADIUS.

      By default, non-accounting is used.

    12. (Optional) Run accounting start-fail { online | offline }

      Configure a policy for accounting-start failures.

      By default, users cannot go online if accounting-start fails.

    13. (Optional) Run accounting realtime interval

      Enable real-time accounting and set a real-time accounting interval.

    14. (Optional) Run accounting interim-fail [ max-times times ] { online | offline }

      Specify the maximum number of real-time accounting requests and a policy for real-time accounting failures.

    15. Run quit

      Return to the AAA view.

    16. Run domain domain-name

      Create a domain, and enter the domain view.

      By default, the device has a domain named default, and its authentication mode is local.

    17. Run authentication-scheme authentication-scheme-name

      Specify an authentication scheme for the domain.

      By default, the device has an authentication scheme named default, and its authentication mode is local.

    18. Run radius-server template-name

      Specify the RADIUS server template for users in the domain.

    19. (Optional) Run accounting-scheme accounting-scheme-name

      Apply the accounting scheme to the domain.

      By default, the accounting scheme default is applied to a domain. In this accounting scheme, non-accounting is used and the real-time accounting function is disabled.

    20. (Optional) Run statistic enable

      If traffic-based accounting is used, enable traffic statistics collection in the domain.

      By default, traffic statistics collection is disabled for a domain.

    21. Run return

      Return to the user view.

Configuring the LAC to Accept Dial-Up Calls and Initiate L2TP Connections

Context

Configure the LAC to accept dial-up calls for users and implement PPP negotiation with these users. Configure L2TP parameters to enable the LAC to initiate L2TP connections to the LNS based on the user name or domain name.

When configuring the LAC, note the following:
  • When the user initiates a call connection request, the authentication mode must be the same as that configured for the virtual interface template on the LAC.

  • Assign an IP address for the interface that connects the LAC to the user, to make the IP protocol on the interface take effect.

  • Tunnel authentication is enabled by default, and no authentication password is configured.
    • If tunnel authentication is used, configure the same authentication password for the LAC and LNS.
    • If tunnel authentication is not used, disable tunnel authentication on the LAC and LNS.

Procedure

  • Configure the LAC.

    1. Run system-view

      The system view is displayed.

    2. Run l2tp enable

      L2TP is enabled globally.

    3. Run interface virtual-template vt-number

      A virtual interface template is created, and the virtual template view is displayed.

      You can configure PPP negotiation parameters for the interface that functions as the PPPoE service interface.

      NOTE:

      PPPoE and L2TP services cannot be configured on the same VT interface simultaneously.

    4. Run ppp authentication-mode { pap | chap }

      The PPP authentication mode is set to pap or chap.

      The LAC and LNS must have the same authentication mode.

      NOTE:

      In PAP authentication, passwords are transmitted in plain text on the network, bringing potential security risks. CHAP authentication is recommended.

    5. Run mtu size

      The MTU of the interface is set.

      When the device interconnects with a non-Huawei device, set an MTU value on the virtual template interface to prevent interconnection failures, for example, the non-Huawei device failing to reassemble data packets that were fragmented on a physical outbound interface of the Huawei device. The MTU value must be less than or equal to the MTU of the physical outbound interface (1500 bytes by default) minus the L2TP encapsulation header length (38 bytes, or 42 bytes when sequence number information is carried). For example, when the MTU of the physical outbound interface is 1500 bytes and the L2TP encapsulation header is 42 bytes, the value of size in this step must be less than or equal to 1458.

      If a packet that was already fragmented on the VT interface is fragmented again on the physical interface, device performance degrades. To prevent this, you are advised to set the MTU of the VT interface to a value in the range 1400 to 1450.

    6. Run quit

      Return to the system view.

    7. Run interface interface-type interface-number

      The view of the physical interface connected to remote users is displayed.

    8. Run pppoe-server bind virtual-template vt-number

      The interface is configured to function as a PPPoE service interface, and bound to a virtual interface template.

    9. Run quit

      Return to the system view.

    10. Run l2tp-group group-number

      An L2TP group is created, and the L2TP group view is displayed.

      You can configure L2TP connection parameters to enable the LAC to initiate L2TP connections to the LNS if the user information matches the configuration.

    11. Run tunnel password { simple | cipher } password

      The password of the L2TP tunnel is configured. The password must be the same as that of the tunnel on the LNS.

      Tunnel authentication is enabled by default, and no authentication password is configured.

      It is recommended that you enable the tunnel authentication function. If the tunnel authentication function is not required, run the undo tunnel authentication command to disable the function.

      If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

    12. Run tunnel name tunnel-name

      A tunnel name is configured to enable the LNS to accept L2TP connections based on the LAC tunnel name.

      By default, the device name is used as the tunnel name when no tunnel name is specified.

    13. Run either of the following commands to configure a public network address or domain name for the LNS, which specifies the destination address of control messages.
      • start l2tp ip ip-address &<1-4> { domain domain-name | fullusername user-name | interface interface-type interface-number | vpn-instance vpn-instance-name fullusername user-name }
      • start l2tp host hostname { domain domain-name | fullusername user-name }
      The keywords define VPDN users.
      • fullusername: specifies a name for VPDN users. L2TP connections can be established for remote users with the same user name.
      • domain: specifies a domain name for VPDN users. L2TP connections can be established for remote users with the same domain name.
      • vpn-instance: specifies the VPN instance to which the IP address of the L2TP connections of a specific L2TP group belongs.
    14. Run return

      Return to the user view.

Configuring the LNS to Respond to the L2TP Connection Request

Context

Configure L2TP parameters to enable the LNS to respond to L2TP connection requests from the LAC based on the LAC tunnel name.

When configuring the LNS, note the following:
  • When you configure PPP negotiation parameters on the virtual interface template, the authentication mode must be the same as that configured on the LAC.

  • If the L2TP group number is not 1, you must specify an LAC tunnel name.

  • Tunnel authentication is enabled by default, and no authentication password is configured.
    • If tunnel authentication is used, configure the same authentication password for the LAC and LNS.
    • If tunnel authentication is not used, disable tunnel authentication on the LAC and LNS.
  • If RADIUS authentication is used and Frame-IP and Frame-Route attributes are specified by the RADIUS server for users, the LNS delivers the Frame-IP and Frame-Route attributes to users and does not allocate IP addresses from the local address pool. The Frame-IP must be included in the local address pool.

  • If the VPN instance attributes are configured for users on the RADIUS server when RADIUS authentication is used, you cannot bind the VPN instance to the VT interface of the LNS.

NOTE:

The LNS does not know users' real MAC addresses because user terminals use virtual MAC addresses allocated by the device. These virtual MAC addresses change randomly and cannot be bound with static IP addresses.

Procedure

  • Configuring the LNS

    1. Run system-view

      The system view is displayed.

    2. Run l2tp enable

      L2TP is enabled globally.

    3. Run ip pool ip-pool-name

      A global IP address pool is created, and the global IP address pool view is displayed. The global IP address pool is used to allocate IP addresses to remote users.

      This step is not required if you have manually configured a static IP address for the user.

      NOTE:

      L2TP can allocate to users only IP addresses from the address pool configured using the ip pool command; it does not deliver the attributes of other address pools to users.

      If you want to allocate the DNS server address to users, add the service-scheme command to the AAA configuration.

    4. Run network ip-address [ mask { mask | mask-length } ]

      A network segment is configured to allocate IP addresses dynamically from the largest to the smallest.

    5. Run gateway-list ip-address &<1-8>

      A gateway address is configured, and allocated to the remote user.

    6. Run quit

      Return to the system view.

    7. Run interface virtual-template vt-number

      A virtual interface template is created, and the virtual template view is displayed.

      You can configure PPP negotiation parameters on the interface that functions as the private network gateway interface to accept L2TP connections of remote users.

      NOTE:

      PPPoE and L2TP services cannot be configured on the same VT interface simultaneously.

    8. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the gateway in the headquarters.

    9. Run remote address { ip-address | pool pool-name }

      An IP address pool is configured to allocate IP addresses dynamically for remote users.

      This step is not required if you have configured static IP addresses for remote users.

      This step is not required if RADIUS authentication is used and an address pool name or Frame-IP attribute is specified by the RADIUS server. The LNS allocates IP addresses for remote users from the address pool specified by the RADIUS server.

      When L2TP supports multiple address pools, omit this step if the service-scheme command has been run to specify an address pool. The LNS allocates IP addresses to remote users from the address pool specified by the service-scheme command.

      NOTE:

      If multiple users dial up using the same static IP address, users can go online but their service packets may fail to be forwarded if forcible address allocation is not configured on the LNS. Customers need to correctly plan static IP addresses. If the device must identify users and allow only one user terminal to connect to it, the planned address for the user terminal must be in the address pool and the ppp ipcp remote-address forced command must be configured.

    10. Run ppp authentication-mode { pap | chap }

      The PPP authentication mode is set to pap or chap to authenticate remote users.

      The LAC and LNS must have the same authentication mode.

      NOTE:

      In PAP authentication, passwords are transmitted in plain text on the network, bringing potential security risks. CHAP authentication is recommended.

    11. Run mtu size

      The MTU of the interface is set.

      When the device interconnects with a non-Huawei device, set an MTU value on the virtual template interface to prevent interconnection failures, for example, the non-Huawei device failing to reassemble data packets that were fragmented on a physical outbound interface of the Huawei device. The MTU value must be less than or equal to the MTU of the physical outbound interface (1500 bytes by default) minus the L2TP encapsulation header length (38 bytes, or 42 bytes when sequence number information is carried). For example, when the MTU of the physical outbound interface is 1500 bytes and the L2TP encapsulation header is 42 bytes, the value of size in this step must be less than or equal to 1458.

      If a packet that was already fragmented on the VT interface is fragmented again on the physical interface, device performance degrades. To prevent this, you are advised to set the MTU of the VT interface to a value in the range 1400 to 1450.

    12. Run quit

      Return to the system view.

    13. Run l2tp-group group-number

      An L2TP group is created, and the L2TP group view is displayed.

      You can configure L2TP connection parameters to accept connections initiated by the LAC.

      When the L2TP group number is 1, the LNS accepts all the L2TP connections.

    14. Run tunnel password { simple | cipher } password

      The password of the L2TP tunnel is configured. The password must be the same as that of the tunnel on the LAC.

      Tunnel authentication is enabled by default, and no authentication password is configured.

      It is recommended that you enable the tunnel authentication function. If the tunnel authentication function is not required, run the undo tunnel authentication command to disable the function.

      If simple is selected, the password is saved in the configuration file in plain text. In this case, users at a lower level can easily obtain the password by viewing the configuration file. This brings security risks. Therefore, it is recommended that you select cipher to save the password in cipher text.

    15. Run tunnel name tunnel-name

      A tunnel name is configured. The tunnel name is used for PPP negotiation during tunnel establishment.

      By default, the device name is used as the tunnel name when no tunnel name is specified.

    16. Run allow l2tp virtual-template virtual-template-number [ remote remote-name [ vpn-instance vpn-instance-name ] ]

      The L2TP group is configured as the LNS to respond to L2TP connection requests initiated by the LAC.

      You must specify a virtual interface template and an LAC tunnel name.

      When the L2TP group number is 1, the LNS accepts any L2TP connection requests from the LAC. You can choose not to specify the remote tunnel name.

    17. Run return

      Return to the user view.
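As an added example (not from the guide), the following Python checker applies the consistency and hardening rules this section states for a LAC/LNS pair (matching PPP authentication mode, tunnel authentication enabled or disabled on both sides, cipher rather than simple tunnel passwords, CHAP rather than PAP, the VT MTU bound, and a remote LAC tunnel name when the LNS group number is not 1) to two constructed VRP-style configuration excerpts that follow the LAC procedure above and the LNS procedure just given. The device names, addresses and passwords are made-up sample values, and the checker assumes one virtual-template and one l2tp-group per device.

```python
import re

# Constructed VRP-style excerpts for one LAC and one LNS, in the step order of this
# section. Names, addresses and passwords are made-up sample values; the checker
# assumes one virtual-template and one l2tp-group per device.
LAC_CONFIG = """
l2tp enable
interface Virtual-Template1
 ppp authentication-mode chap
 mtu 1450
l2tp-group 1
 tunnel password cipher %^%#SampleCipherText#%^%
 tunnel name lac-branch
 start l2tp ip 203.0.113.10 domain branch.example
"""

LNS_CONFIG = """
l2tp enable
interface Virtual-Template1
 ip address 10.10.0.1 255.255.255.0
 ppp authentication-mode pap
 mtu 1500
l2tp-group 2
 tunnel password simple PlainSample
 tunnel name lns-hq
 allow l2tp virtual-template 1
"""

PHYS_MTU = 1500    # default MTU of the physical outbound interface
L2TP_HEADER = 42   # L2TP encapsulation overhead when sequence numbers are carried


def parse(config: str) -> dict[str, str]:
    """Pull the settings the LAC/LNS rules depend on out of a config excerpt."""
    facts = {"tunnel_auth": "yes"}  # tunnel authentication is enabled by default
    for line in config.strip().splitlines():
        line = line.strip()
        if line == "undo tunnel authentication":
            facts["tunnel_auth"] = "no"
        elif m := re.match(r"ppp authentication-mode (pap|chap)$", line):
            facts["ppp_auth"] = m.group(1)
        elif m := re.match(r"mtu (\d+)$", line):
            facts["mtu"] = m.group(1)
        elif m := re.match(r"l2tp-group (\d+)$", line):
            facts["group"] = m.group(1)
        elif m := re.match(r"tunnel password (simple|cipher) \S+$", line):
            facts["pw_mode"] = m.group(1)
        elif m := re.match(r"allow l2tp virtual-template \d+(?: remote (\S+))?", line):
            facts["allow_remote"] = m.group(1) or ""
    return facts


def check_pair(lac: dict[str, str], lns: dict[str, str]) -> list[str]:
    """Apply the consistency and hardening rules stated in this section."""
    findings = []
    for role, f in (("LAC", lac), ("LNS", lns)):
        if f.get("ppp_auth") == "pap":
            findings.append(f"{role}: PAP sends passwords in plain text; use CHAP")
        if f.get("pw_mode") == "simple":
            findings.append(f"{role}: tunnel password stored in plain text; use cipher")
        if f["tunnel_auth"] == "yes" and "pw_mode" not in f:
            findings.append(f"{role}: tunnel authentication is on but no password is set")
        # Cipher text differs per device, so password equality cannot be read from config.
        if "mtu" not in f:
            findings.append(f"{role}: VT mtu not set; recommended range is 1400-1450")
        elif int(f["mtu"]) > PHYS_MTU - L2TP_HEADER:
            findings.append(f"{role}: VT mtu {f['mtu']} exceeds {PHYS_MTU - L2TP_HEADER}")
        elif not 1400 <= int(f["mtu"]) <= 1450:
            findings.append(f"{role}: VT mtu {f['mtu']} is outside the recommended 1400-1450")
    if lac.get("ppp_auth") != lns.get("ppp_auth"):
        findings.append("PPP authentication mode differs between LAC and LNS")
    if lac["tunnel_auth"] != lns["tunnel_auth"]:
        findings.append("tunnel authentication is enabled on one side only")
    if lns.get("group") != "1" and not lns.get("allow_remote"):
        findings.append("LNS: l2tp-group is not 1, so allow l2tp must name the LAC tunnel")
    return findings
```

Running check_pair(parse(LAC_CONFIG), parse(LNS_CONFIG)) reports the five problems built into the sample LNS excerpt; correcting them (chap, cipher, mtu 1450, and a remote name on allow l2tp) yields an empty list.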

Updated: 2019-08-07

Document ID: EDOC1100033725
