CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring the LAC to Initiate Call-Triggered L2TP Connections (PPPoE Users)

Networking Requirements

As shown in Figure 1-21, an enterprise has branches located in other cities, and the branches use Ethernet networks.

The branch staff need to establish VPDN connections with the headquarters. L2TP is deployed between the branch and the headquarters. The branch has no dial-up network, and its gateway functions as a PPPoE server to allow dial-up data to be transmitted over the Ethernet. The branch gateway also functions as the LAC to establish L2TP tunnels with the headquarters.

The gateway at the enterprise headquarters is configured as the LNS to establish L2TP connections between the branch and headquarters.

Figure 1-21  Networking diagram for the LAC to initiate call-triggered L2TP connections (PPPoE users)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the LAC as a PPPoE server and enable CHAP authentication so that the LAC can accept dial-up data from branch users over the Ethernet.

  2. Configure local AAA authentication on the LAC to authenticate dial-up users.

  3. Configure the LAC to establish L2TP connections to the headquarters for dial-up users that are authenticated.

  4. Configure local AAA authentication for the LNS to authenticate dial-up users.

  5. Create an IP address pool and allocate IP addresses to users, so that the LNS can manage the users.

  6. Configure negotiation parameters using the virtual interface template, so that the LNS can implement PPP negotiation with the users.

  7. Configure an L2TP group and create a tunnel between the LAC and LNS, so that the LNS can accept L2TP connection requests.

Procedure

  1. Configure the LAC as a PPPoE server.

    # Create a virtual interface template and configure PPP negotiation mode.

    <Huawei> system-view
    [Huawei] sysname LAC
    [LAC] interface virtual-template 1
    [LAC-Virtual-Template1] ppp authentication-mode chap
    [LAC-Virtual-Template1] quit

    # Configure the PPPoE service on the physical interface at the user side and bind the interface to a virtual interface template.

    [LAC] interface gigabitethernet 2/0/0
    [LAC-GigabitEthernet2/0/0] pppoe-server bind virtual-template 1
    [LAC-GigabitEthernet2/0/0] quit

  2. Configure AAA authentication on the LAC, and set the user name to huawei and the password to Huawei@1234.

    [LAC] aaa
    [LAC-aaa] local-user huawei password
    Please configure the login password (8-128)
    It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
    Please enter password: 
    Please confirm password:
    Info: Add a new user.
    Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
    [LAC-aaa] local-user huawei service-type ppp
    [LAC-aaa] quit

  3. Configure the LAC to initiate an L2TP connection.

    # Enable L2TP and configure an L2TP group.

    [LAC] l2tp enable
    [LAC] l2tp-group 1

    # Configure a tunnel name for the LAC local end and specify a public IP address for the LNS.

    [LAC-l2tp1] tunnel name lac
    [LAC-l2tp1] start l2tp ip 202.1.1.1 fullusername huawei

    # Enable the tunnel authentication function, and configure an authentication password. The password must be the same as that on the LNS.

    [LAC-l2tp1] tunnel authentication
    [LAC-l2tp1] tunnel password cipher huawei
    [LAC-l2tp1] quit

    # Configure an IP address for the public-network-side interface.

    [LAC] interface gigabitethernet 1/0/0
    [LAC-GigabitEthernet1/0/0] ip address 202.1.2.1 255.255.255.0
    [LAC-GigabitEthernet1/0/0] quit

    # Configure a static route to the LNS. For example, set the next hop IP address to 202.1.2.2.

    [LAC] ip route-static 202.1.1.1 32 202.1.2.2

  4. Configure the AAA authentication on the LNS.

    <Huawei> system-view
    [Huawei] sysname LNS
    [LNS] aaa
    [LNS-aaa] local-user huawei password cipher Huawei@1234
    [LNS-aaa] local-user huawei service-type ppp
    [LNS-aaa] quit

  5. Configure a private IP address pool for the LNS.

    [LNS] ip pool 1
    [LNS-ip-pool-1] network 192.168.1.0 mask 24
    [LNS-ip-pool-1] gateway-list 192.168.1.1
    [LNS-ip-pool-1] quit

  6. Set PPP negotiation parameters for the LNS.

    [LNS] interface virtual-template 1
    [LNS-Virtual-Template1] ip address 192.168.1.1 255.255.255.0
    [LNS-Virtual-Template1] ppp authentication-mode chap
    [LNS-Virtual-Template1] remote address pool 1
    [LNS-Virtual-Template1] quit

  7. Configure the LNS to respond to the L2TP connection request.

    # Enable L2TP and configure an L2TP group.

    [LNS] l2tp enable
    [LNS] l2tp-group 1

    # Configure the local tunnel name of the LNS and specify the tunnel name of the LAC whose connection requests are accepted.

    [LNS-l2tp1] tunnel name lns
    [LNS-l2tp1] allow l2tp virtual-template 1 remote lac

    # Enable the tunnel authentication function, and configure an authentication password. The password must be the same as that on the LAC.

    [LNS-l2tp1] tunnel authentication
    [LNS-l2tp1] tunnel password cipher huawei
    [LNS-l2tp1] quit

    # Configure an IP address for the public-network-side interface.

    [LNS] interface gigabitethernet 1/0/0
    [LNS-GigabitEthernet1/0/0] ip address 202.1.1.1 255.255.255.0
    [LNS-GigabitEthernet1/0/0] quit

    # Configure a static route to the LAC. For example, set the next hop IP address to 202.1.1.2.

    [LNS] ip route-static 202.1.2.1 32 202.1.1.2

    # Configure an IP address for the private-network-side interface.

    [LNS] interface gigabitethernet 2/0/0
    [LNS-GigabitEthernet2/0/0] ip address 192.168.2.1 255.255.255.0
    [LNS-GigabitEthernet2/0/0] quit

  8. Verify the configuration.

    # After PC 1 goes online, run the display pppoe-server session all command on the LAC to view the PPPoE sessions.

    [LAC] display pppoe-server session all
    SID Intf                      State OIntf          RemMAC         LocMAC                                                            
    1   Virtual-Template1:0       UP    GE2/0/0        5489.98f7.2fcb 5489.9872.366f

    # Run the display l2tp tunnel command on the LAC or LNS to view L2TP tunnel and session information. The command output for the LNS is shown as an example.

    [LNS] display l2tp tunnel
    
     Total tunnel : 1
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
     1        1         202.1.2.1        1701   1       lac

    # Check that PC 1 can communicate with PC 2 in the enterprise headquarters.

Configuration Files

  • Configuration file of the LAC

    #
     sysname LAC
    #
     l2tp enable
    #
    aaa
     local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     local-user huawei privilege level 0  
     local-user huawei service-type ppp
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    interface GigabitEthernet1/0/0
     ip address 202.1.2.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     pppoe-server bind Virtual-Template 1
    #
    l2tp-group 1
     tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
     tunnel name lac
     start l2tp ip 202.1.1.1 fullusername huawei
    #
    ip route-static 202.1.1.1 255.255.255.255 202.1.2.2
    #
    return

  • Configuration file of the LNS

    #
     sysname LNS
    #
     l2tp enable
    #
    ip pool 1
     network 192.168.1.0 mask 255.255.255.0
     gateway-list 192.168.1.1
    #
    aaa
     local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     local-user huawei privilege level 0  
     local-user huawei service-type ppp
    #
    interface Virtual-Template1
     ppp authentication-mode chap
     remote address pool 1
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     ip address 202.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.2.1 255.255.255.0
    #
    l2tp-group 1
     allow l2tp virtual-template 1 remote lac
     tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
     tunnel name lns
    #
    ip route-static 202.1.2.1 255.255.255.255 202.1.1.2
    #
    return
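
The tunnel only comes up when several values in the two configuration files above agree. As an added example (not part of the Huawei guide), the following Python check cross-references those values; `values` and `audit` are hypothetical helper names and the embedded configurations are constructed excerpts. It checks only that a tunnel password is present on each end, because the stored cipher strings differ between the LAC and LNS files even though the same password was entered.

```python
import re

# Constructed excerpts of the two configuration files; ciphers are placeholders.
# values() and audit() are hypothetical helper names, not a Huawei tool.
LAC = """\
interface Virtual-Template1
 ppp authentication-mode chap
l2tp-group 1
 tunnel password cipher PLACEHOLDER
 tunnel name lac
 start l2tp ip 202.1.1.1 fullusername huawei
"""
LNS = """\
ip pool 1
aaa
 local-user huawei service-type ppp
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
l2tp-group 1
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher PLACEHOLDER
"""

def values(pattern, cfg):
    # First capture group of every line matching pattern, ignoring indentation.
    return re.findall(r"^\s*" + pattern, cfg, re.M)

def audit(lac, lns):
    issues = []
    name = values(r"tunnel name (\S+)", lac)
    remote = values(r"allow l2tp virtual-template \d+ remote (\S+)", lns)
    if not name or name[0] not in remote:
        issues.append(f"LAC tunnel name {name} is not an allowed remote {remote}")
    target = values(r"start l2tp ip (\S+)", lac)
    if not target or target[0] not in values(r"ip address (\S+)", lns):
        issues.append(f"LAC targets {target}, not an LNS interface address")
    user = values(r"start l2tp ip \S+ fullusername (\S+)", lac)
    if not user or user[0] not in values(r"local-user (\S+) service-type ppp", lns):
        issues.append(f"user {user} has no PPP service on the LNS")
    pool = values(r"remote address pool (\S+)", lns)
    if not pool or pool[0] not in values(r"ip pool (\S+)", lns):
        issues.append(f"address pool {pool} is not defined on the LNS")
    for side, cfg in (("LAC", lac), ("LNS", lns)):
        for line in ("tunnel password cipher", "ppp authentication-mode chap"):
            if not values(f"({line})", cfg):
                issues.append(f"{side} is missing '{line}'")
    return issues
```

An empty list from `audit(LAC, LNS)` means the cross-referenced settings agree; each string in a non-empty list names one mismatch to fix before checking `display l2tp tunnel`.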
Updated: 2019-08-07

Document ID: EDOC1100033725
