NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring L2TP Access in NAS-initiated VPN Scenarios

This section provides an example for configuring L2TP access in NAS-initiated VPN scenarios, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 10-7, PC1 is connected to the Public Switched Telephone Network (PSTN) through a modem and reaches the LAC, namely NE40E A, across the PSTN. PC2 is connected to NE40E A through a tunnel. The LAC and the LNS are connected across the Internet and communicate with each other through an L2TP tunnel. Users are directed into the tunnel according to their domain name. On both the LAC and the LNS, the user name and password are authenticated by RADIUS.

Figure 10-7 Networking diagram of L2TP access in NAS-initiated VPN scenarios
NOTE:

Interface1 in the figure is GE 1/0/0.



Configuration Roadmap

A user intends to communicate with a server in the headquarters. The server has a private IP address, so the user cannot reach it directly across the Internet; a VPN is needed to carry the user's traffic into the internal network. The user dials in under the domain huawei.com and obtains an IP address from the address pool on the LNS.

The configuration roadmap is as follows:

  1. Configure corresponding parameters on the user side.

  2. Configure an LAC.

    • Assign an IP address to the interface and configure a reachable route to the LNS.
    • Configure the PPPoX access service: create the virtual template interface, configure the AAA scheme, bind the virtual template to the user-side interface, and configure the BAS interface.
    • Enable basic L2TP functions.
    • Configure tunnel connections on the LAC side.
    • Configure the tunnel authentication mode.
    • Configure L2TP user attributes.
  3. Configure an LNS.

    • Assign an IP address to the interface and configure a reachable route to the LAC.
    • Configure a virtual template interface.
    • Configure tunnel connections on the LNS side.
    • Configure the user and tunnel authentication modes.
    • Set parameters for the tunnel on the LNS side.
    • Configure an address pool for allocating IP addresses to L2TP users.
    • Configure domains for L2TP users and specify the address pool in each domain.

Data Preparation

To complete the configuration, you need the following data:

  • User name, domain name, and password, which must be the same on the LAC side and the LNS side

  • Protocol used on the LNS side, tunnel authentication mode (CHAP is used), tunnel password, local tunnel name, and remote peer name

  • Number, IP address, and network mask of the virtual template

  • L2TP group number

  • Number, range, and address mask of the remote address pool

Procedure

  1. Configure the user side.

    Create a dial-up connection with the access number huawei1, and configure the client to obtain its IP address from the LNS.

    In the dial-up window, enter the user name vpdnuser@huawei.com and the password Hello. The user name and password must already be registered for the LNS (in this example, on the RADIUS server the LNS uses).

  2. Configure NE40E A that functions as an LAC.

    In this example, the IP address of GE 1/0/0 on the LAC that connects the tunnel is 202.38.160.1; the IP address of GE 1/0/0 on the LNS that connects the tunnel is 202.38.160.2.

    # Configure IP addresses for GE 1/0/0.

    <Device> system-view
    [~Device] sysname DeviceA
    [*DeviceA] interface gigabitethernet 1/0/0
    [*DeviceA-GigabitEthernet1/0/0] ip address 202.38.160.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/0] commit
    [~DeviceA-GigabitEthernet1/0/0] quit

    # Enable basic L2TP functions and configure an L2TP connection on the LAC.

    [~DeviceA] l2tp enable
    [*DeviceA] l2tp-group 1
    [*DeviceA-l2tp-1] tunnel name LAC
    [*DeviceA-l2tp-1] start l2tp ip 202.38.160.2
    [*DeviceA-l2tp-1] tunnel source gigabitethernet 1/0/0
    [*DeviceA-l2tp-1] commit
    [~DeviceA-l2tp-1] quit

    # Enable tunnel authentication and set the tunnel password. The password must be the same as the one set on the LNS. Note that the simple form stores the password in plaintext in the configuration file (see the configuration files at the end of this example); in production, prefer the cipher form of the tunnel password command.

    [~DeviceA] l2tp-group 1
    [~DeviceA-l2tp-1] tunnel authentication
    [*DeviceA-l2tp-1] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-1] commit
    [~DeviceA-l2tp-1] quit

    Configure the PPPoX access service.

    # Configure the RADIUS server.

    [~DeviceA] radius-server group radius1
    [*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceA-radius-radius1] radius-server shared-key itellin
    [*DeviceA-radius-radius1] commit
    [~DeviceA-radius-radius1] quit

    # Configure the domain and bind it to L2TP group 1, so that users of huawei.com are tunneled to the LNS.

    [~DeviceA] aaa
    [~DeviceA-aaa] domain huawei.com
    [*DeviceA-aaa-domain-huawei.com] authentication-scheme default1
    [*DeviceA-aaa-domain-huawei.com] accounting-scheme default1
    [*DeviceA-aaa-domain-huawei.com] radius-server group radius1
    [*DeviceA-aaa-domain-huawei.com] l2tp-group 1
    [*DeviceA-aaa-domain-huawei.com] commit
    [~DeviceA-aaa-domain-huawei.com] quit
    [~DeviceA-aaa] quit

    # Configure a virtual template and the PPP authentication mode.

    [~DeviceA] interface virtual-template 1
    [*DeviceA-Virtual-Template1] ppp authentication-mode chap
    [*DeviceA-Virtual-Template1] commit
    [~DeviceA-Virtual-Template1] quit

    # Bind virtual template 1 to GE 2/0/0.100.

    [~DeviceA] interface gigabitethernet 2/0/0.100
    [*DeviceA-GigabitEthernet2/0/0.100] pppoe-server bind virtual-template 1
    [*DeviceA-GigabitEthernet2/0/0.100] user-vlan 1 100
    [*DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] commit
    [~DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] quit

    # Configure a BAS interface.

    [~DeviceA-GigabitEthernet2/0/0.100] bas
    [*DeviceA-GigabitEthernet2/0/0.100-bas] access-type layer2-subscriber default-domain authentication huawei.com
    [*DeviceA-GigabitEthernet2/0/0.100-bas] commit
    [~DeviceA-GigabitEthernet2/0/0.100-bas] quit
    [~DeviceA-GigabitEthernet2/0/0.100] quit

  3. Configure NE40E B that functions as an LNS.

    # Assign an IP address to the interface that is connected to the tunnel.

    <Device> system-view
    [~Device] sysname DeviceB
    [*DeviceB] interface gigabitethernet 1/0/0
    [*DeviceB-GigabitEthernet1/0/0] ip address 202.38.160.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/0] commit
    [~DeviceB-GigabitEthernet1/0/0] quit

    # Create and configure a virtual template.

    [~DeviceB] interface virtual-template 1
    [*DeviceB-Virtual-Template1] ppp authentication-mode chap
    [*DeviceB-Virtual-Template1] commit
    [~DeviceB-Virtual-Template1] quit

    # Enable L2TP and create an L2TP group.

    [~DeviceB] l2tp enable
    [*DeviceB] l2tp-group 1

    # Set the local tunnel name on the LNS, and accept tunnel requests from the peer named LAC (the tunnel name configured on the LAC), terminating them on virtual template 1.

    [*DeviceB-l2tp-1] tunnel name LNS
    [*DeviceB-l2tp-1] allow l2tp virtual-template 1 remote LAC

    # Enable tunnel authentication and set the tunnel password. It must be the same as the password set on the LAC.

    [*DeviceB-l2tp-1] tunnel authentication
    [*DeviceB-l2tp-1] tunnel password simple 1qaz#EDC

    # Force the LNS to re-authenticate users with CHAP itself, instead of accepting the authentication result proxied by the LAC.

    [*DeviceB-l2tp-1] mandatory-chap
    [*DeviceB-l2tp-1] commit
    [~DeviceB-l2tp-1] quit
    # Create LNS group 1.

    [~DeviceB] lns-group group1

    # Bind tunnel board 1 to LNS group 1.

    [*DeviceB-lns-group-group1] bind slot 1

    # Bind GE 1/0/0 to LNS group 1 as the tunnel source interface.

    [*DeviceB-lns-group-group1] bind source gigabitethernet 1/0/0
    [*DeviceB-lns-group-group1] commit
    [~DeviceB-lns-group-group1] quit

    # Configure the address pool used to assign addresses to dial-up users.

    [~DeviceB] ip pool 1 bas local
    [*DeviceB-ip-pool-1] gateway 192.168.0.2 255.255.255.0
    [*DeviceB-ip-pool-1] section 0 192.168.0.10 192.168.0.100
    [*DeviceB-ip-pool-1] commit
    [~DeviceB-ip-pool-1] quit

    # Configure the RADIUS server.

    [~DeviceB] radius-server group radius1
    [*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceB-radius-radius1] radius-server shared-key itellin
    [*DeviceB-radius-radius1] commit
    [~DeviceB-radius-radius1] quit

    # Configure the domain for user access and bind address pool 1 to it.

    [~DeviceB] aaa
    [~DeviceB-aaa] domain huawei.com
    [*DeviceB-aaa-domain-huawei.com] authentication-scheme default1
    [*DeviceB-aaa-domain-huawei.com] accounting-scheme default1
    [*DeviceB-aaa-domain-huawei.com] radius-server group radius1
    [*DeviceB-aaa-domain-huawei.com] ip-pool 1
    [*DeviceB-aaa-domain-huawei.com] commit
    [~DeviceB-aaa-domain-huawei.com] quit
    [~DeviceB-aaa] quit

  4. Verify the configuration.

    # After a VPN user dials in, run the display l2tp tunnel command to check that the tunnel is set up. The following is the output on the LNS; the RemoteAddress and RemoteName columns must show the LAC's tunnel address and tunnel name:

    [~DeviceB] display l2tp tunnel
     ---------------------------------------------------------
      -----------tunnel information in LAC----------------------
     Total 0,0 printed

      ---------------------------------------------------------
      -----------tunnel information in LNS----------------------
     The tunnel information of k board 1
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
      ---------------------------------------------------------
     13921   7958       202.38.160.1     57344   1          LAC
      ---------------------------------------------------------
      Total 1,1 printed from slot 1

    # Run the display l2tp session command to check that the L2TP session is set up. The following is the output on the LNS; the LocalTID and RemoteTID columns must match the tunnel shown above, and UserName must be the dial-in user:

    [~DeviceB] display l2tp session lns slot 1
    LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName
     ------------------------------------------------------------------------------
      2036       1469      13921      7958       62172    vpdnuser@huawei.com
     ------------------------------------------------------------------------------
    Total 1, 1 printed from slot 1

    # VPN users can now access the server in the headquarters.
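The two display commands above are what a practitioner checks after bringing up the tunnel. The following Python script, added here as an example and not part of the Huawei guide, parses that LNS-side output (reproduced below as constructed sample strings) and reports whether the expected tunnel from the LAC and the expected user session are present and consistent with each other. The Tunnel and Session field names and the check_l2tp_state function are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the LNS-side output from the verification step above.
TUNNEL_OUTPUT = """\
 ---------------------------------------------------------
  -----------tunnel information in LAC----------------------
 Total 0,0 printed

  ---------------------------------------------------------
  -----------tunnel information in LNS----------------------
 The tunnel information of k board 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
  ---------------------------------------------------------
 13921   7958       202.38.160.1     57344   1          LAC
  ---------------------------------------------------------
  Total 1,1 printed from slot 1
"""

SESSION_OUTPUT = """\
LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName
 ------------------------------------------------------------------------------
  2036       1469      13921      7958       62172    vpdnuser@huawei.com
 ------------------------------------------------------------------------------
Total 1, 1 printed from slot 1
"""

@dataclass(frozen=True)
class Tunnel:
    role: str          # table the row came from: "LAC" or "LNS"
    local_tid: int
    remote_tid: int
    remote_addr: str
    port: int
    sessions: int
    remote_name: str

@dataclass(frozen=True)
class Session:
    local_sid: int
    remote_sid: int
    local_tid: int
    remote_tid: int
    user_id: int
    user_name: str

# Data rows only: banner, header, dashed and "Total" lines do not start with a number.
TUNNEL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
SESSION_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_tunnels(text):
    """Return Tunnel rows from 'display l2tp tunnel'; the banner lines say
    whether a row belongs to the LAC table or the LNS table."""
    role, tunnels = None, []
    for line in text.splitlines():
        if "tunnel information in LAC" in line:
            role = "LAC"
        elif "tunnel information in LNS" in line:
            role = "LNS"
        else:
            m = TUNNEL_ROW.match(line)
            if m and role:
                tunnels.append(Tunnel(role, int(m[1]), int(m[2]), m[3],
                                      int(m[4]), int(m[5]), m[6]))
    return tunnels

def parse_sessions(text):
    """Return Session rows from 'display l2tp session lns slot N'."""
    return [Session(int(m[1]), int(m[2]), int(m[3]), int(m[4]), int(m[5]), m[6])
            for m in map(SESSION_ROW.match, text.splitlines()) if m]

def check_l2tp_state(tunnel_text, session_text, peer_addr, peer_name, user):
    """Return a list of problems (empty when the state is as expected): an
    LNS-side tunnel from peer_addr/peer_name must exist, the user must have a
    session on that tunnel (TIDs cross-checked), and the tunnel's Sessions
    count must agree with the sessions actually listed."""
    problems = []
    tunnels = [t for t in parse_tunnels(tunnel_text)
               if t.role == "LNS" and t.remote_addr == peer_addr and t.remote_name == peer_name]
    if not tunnels:
        problems.append(f"no LNS tunnel from {peer_addr} named {peer_name}")
    sessions = parse_sessions(session_text)
    tids = {(t.local_tid, t.remote_tid) for t in tunnels}
    if not any(s.user_name == user and (s.local_tid, s.remote_tid) in tids for s in sessions):
        problems.append(f"no session for {user} on the expected tunnel")
    for t in tunnels:
        count = sum(1 for s in sessions if (s.local_tid, s.remote_tid) == (t.local_tid, t.remote_tid))
        if count != t.sessions:
            problems.append(f"tunnel {t.local_tid} reports {t.sessions} sessions but {count} listed")
    return problems

if __name__ == "__main__":
    print(check_l2tp_state(TUNNEL_OUTPUT, SESSION_OUTPUT,
                           "202.38.160.1", "LAC", "vpdnuser@huawei.com"))
```

On the sample output the check returns an empty list; a wrong peer address, a peer name other than LAC, or a missing user session each produce a problem line, which is what you want from a post-change check run over output captured from the device.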

Configuration Files

  • Configuration file of Device A

#
 sysname DeviceA
#
 l2tp enable
#
radius-server group radius1
 radius-server authentication 20.20.20.1 1812
 radius-server accounting 20.20.20.1 1813
 radius-server shared-key itellin
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface GigabitEthernet2/0/0
 undo shutdown
#
interface GigabitEthernet2/0/0.100
 pppoe-server bind Virtual-Template 1
 undo shutdown
 user-vlan 1 100
 bas
  access-type layer2-subscriber default-domain authentication huawei.com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.160.1 255.255.255.0
#
l2tp-group 1
 tunnel password simple 1qaz#EDC
 tunnel name LAC
 start l2tp ip 202.38.160.2
 tunnel source gigabitethernet 1/0/0
#
aaa
 domain huawei.com
  authentication-scheme default1
  accounting-scheme default1
  radius-server group radius1
  l2tp-group 1
#
return

  • Configuration file of Device B

#
 sysname DeviceB
#
 l2tp enable
#
radius-server group radius1
 radius-server authentication 20.20.20.1 1812
 radius-server accounting 20.20.20.1 1813
 radius-server shared-key itellin
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 202.38.160.2 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface LoopBack0
 ip address 192.168.10.1 255.255.255.255
#
l2tp-group 1
 mandatory-chap
 allow l2tp virtual-template 1 remote LAC
 tunnel password simple 1qaz#EDC
 tunnel name LNS
#
lns-group group1
 bind slot 1
 bind source gigabitethernet1/0/0
#
ip pool 1 bas local
 gateway 192.168.0.2 255.255.255.0
 section 0 192.168.0.10 192.168.0.100
#
aaa
 domain huawei.com
  authentication-scheme default1
  accounting-scheme default1
  radius-server group radius1
  ip-pool 1
#
return
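Before deploying, it is worth cross-checking the two configuration files against each other: a tunnel name, peer address or tunnel password that differs between the LAC and the LNS silently prevents the tunnel from coming up, the LNS accepts the LAC's proxied authentication unless mandatory-chap is set, and the simple password form leaves the tunnel secret readable in the saved configuration. The following Python script is an added example, not part of the Huawei guide or its products. It parses trimmed copies of the two files above (constructed from this page) and applies those checks. The check names and the audit_l2tp_pair function are this example's own; the cipher keyword it recommends is the encrypted form of the tunnel password command.

```python
import re

# Constructed from the configuration files on this page, trimmed to the
# sections the checks read.
LAC_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ip address 202.38.160.1 255.255.255.0
#
l2tp-group 1
 tunnel password simple 1qaz#EDC
 tunnel name LAC
 start l2tp ip 202.38.160.2
 tunnel source gigabitethernet 1/0/0
#
"""

LNS_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ip address 202.38.160.2 255.255.255.0
#
l2tp-group 1
 mandatory-chap
 allow l2tp virtual-template 1 remote LAC
 tunnel password simple 1qaz#EDC
 tunnel name LNS
#
"""

def parse_blocks(config):
    """Split a VRP configuration into '#'-delimited blocks of stripped lines;
    block[0] is the view the remaining lines were entered in."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    return blocks + ([current] if current else [])

def block(blocks, prefix):
    return next((b for b in blocks if b[0].startswith(prefix)), None)

def first(lines, pattern):
    return next((m for m in map(re.compile(pattern).match, lines) if m), None)

def interface_addresses(blocks):
    return {m[1] for b in blocks if b[0].lower().startswith("interface ")
            for m in map(re.compile(r"ip address (\S+) \S+$").match, b[1:]) if m}

def audit_l2tp_pair(lac_config, lns_config):
    """Return 'check(side): detail' findings; an empty list means both sides
    agree and no plaintext tunnel password is stored."""
    findings = []
    lac, lns = parse_blocks(lac_config), parse_blocks(lns_config)
    lac_grp, lns_grp = block(lac, "l2tp-group "), block(lns, "l2tp-group ")
    if lac_grp is None or lns_grp is None:
        return ["missing-l2tp-group: both sides need an l2tp-group"]

    # The LNS only accepts tunnels whose peer name matches 'allow l2tp ... remote';
    # that name is the LAC's 'tunnel name'.
    lac_name = first(lac_grp, r"tunnel name (\S+)$")
    allow = first(lns_grp, r"allow l2tp virtual-template \d+ remote (\S+)$")
    if not (lac_name and allow and lac_name[1] == allow[1]):
        findings.append("tunnel-name-mismatch(LNS): 'allow l2tp ... remote' does not match the LAC tunnel name")

    # The LAC must dial an address actually configured on an LNS interface.
    peer = first(lac_grp, r"start l2tp ip (\S+)$")
    if not (peer and peer[1] in interface_addresses(lns)):
        findings.append("peer-address(LAC): 'start l2tp ip' is not an LNS interface address")

    # Tunnel passwords must match, and 'simple' leaves them in plaintext in the
    # saved configuration (the cipher form avoids that).
    pw = {}
    for side, grp in (("LAC", lac_grp), ("LNS", lns_grp)):
        m = first(grp, r"tunnel password (simple|cipher) +(\S+)$")
        if m is None:
            findings.append(f"missing-tunnel-password({side}): no tunnel password set")
        else:
            pw[side] = (m[1], m[2])
            if m[1] == "simple":
                findings.append(f"plaintext-password({side}): tunnel password stored with 'simple'")
    if len(pw) == 2 and pw["LAC"][0] == pw["LNS"][0] == "simple" and pw["LAC"][1] != pw["LNS"][1]:
        findings.append("tunnel-password-mismatch(LNS): LAC and LNS tunnel passwords differ")

    # Without mandatory-chap the LNS trusts the authentication result proxied by
    # the LAC instead of challenging the user itself.
    if "mandatory-chap" not in lns_grp:
        findings.append("missing-mandatory-chap(LNS): LNS does not re-authenticate users with CHAP")
    return findings

if __name__ == "__main__":
    for finding in audit_l2tp_pair(LAC_CONFIG, LNS_CONFIG):
        print(finding)
```

Run against the files on this page, the only findings are the two plaintext-password entries, one per side; passwords can only be compared when both sides store them in the simple form, so after switching to cipher the script no longer reports a mismatch and the match has to be verified by bringing the tunnel up.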
Updated: 2019-01-03

Document ID: EDOC1100055031