NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring L2TP Access in Client-initiated VPN Scenarios

This section provides an example for configuring L2TP access in client-initiated VPN scenarios, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 10-8, a VPN user reaches the company headquarters as follows:

  • The VPN user dials in to the NAS over the PSTN, and the LNS at the company headquarters is reachable from the NAS. The VPN user itself, acting as the LAC, initiates the tunnel connection request to the LNS.

  • On receiving the request, the LNS verifies the user name and password and assigns a private IP address to the VPN user.

  • The VPN user communicates with the company headquarters through the tunnel between itself and the LNS.

  • The VPN user is authenticated in domain domain1 and obtains an IP address from address pool pool1.

Figure 10-8 Networking diagram of L2TP access in client-initiated VPN scenarios

Configuration Roadmap

The configuration roadmap is as follows:

  1. Install the L2TP client software on the user side and configure its parameters.

  2. Configure the NE40E as the LNS:

    • Create a virtual template.

    • Enable L2TP and configure the L2TP group and its attributes (tunnel name, remote name, tunnel authentication).

    • Configure the address pool, the RADIUS server group, and the domain.

    • Configure the LNS group and its attributes.

Data Preparation

To complete the configuration, you need the following data:

  • User name and password, which must match on the client and on the LNS side (the RADIUS server in this example)

  • Tunnel authentication password, which must be the same on the client and the LNS

  • Loopback address

  • Name, network segment, and gateway of the address pool

  • Name of the domain that the client belongs to

NOTE:

This section provides only the procedures relevant to L2TP.

Procedure

  1. Configure the devices on the user side.

    # Install the L2TP client software on the user-side host and connect the host to the Internet by dial-up. Then configure the client as follows (the exact steps depend on the client software):
    • Set the VPN user name and password on the client to vpdnuser and 1qaz@WSX respectively.

    • Set the LNS address on the client to the IP address of the NE40E interface that faces the Internet (in this example, the IP address of the LNS interface that terminates the tunnel is 11.11.11.1).

    • Set the connection type to L2TP.

    • If tunnel authentication is enabled on the LNS, as in this example, configure the same tunnel authentication password on the client (1qaz#EDC); otherwise the tunnel setup fails.

  2. Configure the NE40E that functions as an LNS.

    # Create a virtual template and configure it.

    <Device> system-view
    [~Device] interface virtual-template 1
    [*Device-Virtual-Template1] ppp authentication-mode chap
    [*Device-Virtual-Template1] commit
    [~Device-Virtual-Template1] quit

    # Enable the L2TP service and create an L2TP group.

    [~Device] l2tp enable
    [~Device] l2tp-group lns1

    # Configure the name of the LNS and the name of the peer end of the tunnel.

    [*Device-l2tp-lns1] tunnel name LNS
    [*Device-l2tp-lns1] allow l2tp virtual-template 1 remote vpdnuser
    NOTE:

    Every L2TP group except the default group must be configured with the remote lac-name.

    default-lns is the default L2TP group of the LNS. When the NE40E functions as the LNS and the tunnel name sent by the LAC matches none of the tunnel names configured in its L2TP groups, the NE40E uses default-lns for that tunnel.

    The remote lac-name is the tunnel name that the LAC sends. It is set on the LAC with the tunnel name command and defaults to the LAC's host name. In this example the client's tunnel name is vpdnuser, which is the remote name allowed in L2TP group lns1.

    # Enable tunnel authentication and set the tunnel authentication password. The password must be the same on both ends of the tunnel. The simple keyword stores the password in clear text in the configuration file (it appears verbatim in the configuration file at the end of this example); on a production device use the cipher form of the tunnel password command so the configuration file does not reveal it.

    [*Device-l2tp-lns1] tunnel authentication
    [*Device-l2tp-lns1] tunnel password simple 1qaz#EDC
    [*Device-l2tp-lns1] commit
    [~Device-l2tp-lns1] quit
    # Configure the address pool used to assign addresses to dial-up users. The pool name (pool1) must match the name bound to the domain below.
    [~Device] ip pool pool1 bas local
    [*Device-ip-pool-pool1] gateway 192.168.0.2 255.255.255.0
    [*Device-ip-pool-pool1] section 0 192.168.0.10 192.168.0.100
    [*Device-ip-pool-pool1] commit
    [~Device-ip-pool-pool1] quit

    # Configure the RADIUS server group used to authenticate and account for VPN users. The RADIUS server at 20.20.20.1 must hold the account vpdnuser. The shared key is entered here in clear text; on a production device store it with the cipher keyword so it is not kept in clear text in the configuration file.

    [~Device] radius-server group radius1
    [*Device-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*Device-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*Device-radius-radius1] radius-server shared-key itellin
    [*Device-radius-radius1] commit
    [~Device-radius-radius1] quit

    # Configure a domain named domain1 and bind the authentication scheme, accounting scheme, RADIUS server group, and address pool pool1 to it. Users logging in as user@domain1 are handled by this domain.

    [~Device] aaa
    [*Device-aaa] domain domain1
    [*Device-aaa-domain-domain1] authentication-scheme default1
    [*Device-aaa-domain-domain1] accounting-scheme default1
    [*Device-aaa-domain-domain1] radius-server group radius1
    [*Device-aaa-domain-domain1] ip-pool pool1
    [*Device-aaa-domain-domain1] commit
    [~Device-aaa-domain-domain1] quit
    [~Device-aaa] quit

    # Create a loopback interface.

    [~Device] interface loopback 0
    [*Device-LoopBack0] ip address 192.168.10.1 255.255.255.255
    [*Device-LoopBack0] commit
    [~Device-LoopBack0] quit

    # Create an LNS group named group1 and bind the tunnel board in slot 1 and LoopBack0 to it.

    [~Device] lns-group group1
    [*Device-lns-group-group1] bind slot 1 
    [*Device-lns-group-group1] bind source loopback 0
    [*Device-lns-group-group1] commit
    [~Device-lns-group-group1] quit
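The tunnel authentication switched on above with tunnel authentication and tunnel password is the challenge/response exchange of RFC 2661 section 5.1.1: each side puts a random challenge in its SCCRQ or SCCRP, and the peer answers it in the SCCRP or SCCCN with an MD5 digest over the message type, the shared tunnel password, and the challenge. The following Python is an added example, not Huawei's code; it models that three-way exchange between the dial-in client (acting as LAC, tunnel name vpdnuser) and the LNS, with the control messages reduced to plain dicts and nothing sent on the network. The class and function names are this example's own.

```python
"""Simulation of L2TP tunnel authentication (RFC 2661, section 5.1.1).

Added example; not Huawei code. Only the AVPs that matter for the check are
modelled, as plain dicts; nothing is sent on the network.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

SCCRQ, SCCRP, SCCCN = 1, 2, 3   # control message types of the three-way tunnel setup


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661: MD5 over the message-type octet, the shared secret, and the peer's challenge."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelPeer:
    """One end of a tunnel. `secret` is the tunnel password (1qaz#EDC in the page's example)."""

    def __init__(self, name: str, secret: str) -> None:
        self.name = name
        self.secret = secret.encode()
        self.my_challenge = os.urandom(16)   # random nonce the peer must answer
        self.peer_challenge = b""

    def sccrq(self) -> Dict:
        """LAC -> LNS: Start-Control-Connection-Request carrying the LAC's challenge."""
        return {"type": SCCRQ, "hostname": self.name, "challenge": self.my_challenge}

    def sccrp(self, rq: Dict) -> Dict:
        """LNS -> LAC: answers the LAC's challenge and poses the LNS's own."""
        self.peer_challenge = rq["challenge"]
        return {"type": SCCRP, "hostname": self.name, "challenge": self.my_challenge,
                "response": challenge_response(SCCRP, self.secret, self.peer_challenge)}

    def scccn(self, rp: Dict) -> Optional[Dict]:
        """LAC -> LNS: verify the LNS's answer first; None means the LAC tears the tunnel down."""
        expected = challenge_response(SCCRP, self.secret, self.my_challenge)
        if not hmac.compare_digest(rp["response"], expected):
            return None
        self.peer_challenge = rp["challenge"]
        return {"type": SCCCN,
                "response": challenge_response(SCCCN, self.secret, self.peer_challenge)}

    def verify_scccn(self, cn: Dict) -> bool:
        """LNS side: the tunnel comes up only if the LAC answered the LNS's challenge correctly."""
        expected = challenge_response(SCCCN, self.secret, self.my_challenge)
        return hmac.compare_digest(cn["response"], expected)


def establish_tunnel(lac_secret: str, lns_secret: str) -> bool:
    """Run the SCCRQ/SCCRP/SCCCN exchange; True only if both ends hold the same password."""
    lac = TunnelPeer("vpdnuser", lac_secret)   # tunnel name the LNS matches as the remote name
    lns = TunnelPeer("LNS", lns_secret)        # tunnel name set with `tunnel name LNS`
    rp = lns.sccrp(lac.sccrq())
    cn = lac.scccn(rp)
    if cn is None:          # LAC rejected the LNS; a real stack sends StopCCN here
        return False
    return lns.verify_scccn(cn)


if __name__ == "__main__":
    print("same password :", establish_tunnel("1qaz#EDC", "1qaz#EDC"))   # True
    print("wrong password:", establish_tunnel("1qaz#EDC", "guess"))      # False
```

Two points follow from the construction. The response is an unkeyed MD5 over the password and a challenge that both travel in clear text, so anyone who captures the SCCRQ/SCCRP/SCCCN exchange can test candidate tunnel passwords offline; the password should therefore be long and random, not a keyboard pattern. And tunnel authentication protects only tunnel setup: the PPP frames inside L2TP are not encrypted by L2TP itself, so confidentiality on the Internet leg needs a separate mechanism such as IPsec.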

  3. Verify the configuration.

    # After the VPN user logs in, run the display l2tp tunnel command on the LNS. The output shows that the tunnel has been set up and that its remote name is the one allowed in L2TP group lns1 (vpdnuser).

    [~Device] display l2tp tunnel lns slot 1
    LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
    ------------------------------------------------------------------------------
    1        1         100.1.1.1        2134   1        vpdnuser
    ------------------------------------------------------------------------------
    Total 1, 1 printed from slot 1

    # Run the display l2tp session command on the LNS to check that the L2TP session has been set up. The UserName column shows the user with its domain suffix (vpdnuser@domain1), which is how the user is mapped to domain domain1 and address pool pool1.

    <Device> display l2tp session lns slot 1
    LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName
    ------------------------------------------------------------------------------
    278       24768      13921      7958       62172   vpdnuser@domain1
    ------------------------------------------------------------------------------
    Total 1, 1 printed from slot 1

    The VPN user can now reach the company headquarters network through the tunnel to the LNS.
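The two display outputs above can be checked mechanically, which matters once more than one tunnel and session are up. The following Python is an added example, not Huawei's code: it parses tables in the layout the NE40E prints (header line, dashed rule, data rows, dashed rule, Total trailer) and cross-checks them, verifying that every tunnel comes from an allowed remote name, that every session references a listed tunnel with matching RemoteTID, that every user carries the expected domain suffix, and that the per-tunnel session count agrees with the session table. The sample outputs are constructed for the example, with IDs chosen so the tunnel and session belong together; the second session table is deliberately wrong to show what the checker reports.

```python
"""Checker for `display l2tp tunnel` / `display l2tp session` output of an NE40E LNS.

Added example; not Huawei code. Sample outputs below are constructed, not captured.
"""
from typing import Dict, List, Set

TUNNEL_OK = """\
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
------------------------------------------------------------------------------
1        1         100.1.1.1        2134   1        vpdnuser
------------------------------------------------------------------------------
Total 1, 1 printed from slot 1
"""
SESSION_OK = """\
LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName
------------------------------------------------------------------------------
278       24768      1          1          62172   vpdnuser@domain1
------------------------------------------------------------------------------
Total 1, 1 printed from slot 1
"""
# Constructed bad case: a user from the wrong domain on a tunnel the LNS never
# listed, while the listed tunnel claims one session that is nowhere to be found.
SESSION_BAD = """\
LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName
------------------------------------------------------------------------------
279       24769      7          9          62173   intruder@domain2
------------------------------------------------------------------------------
Total 1, 1 printed from slot 1
"""


def parse_table(output: str) -> List[Dict[str, str]]:
    """Turn the whitespace-aligned table into one dict per row, keyed by the header words."""
    # Drop blank lines and any echoed "display l2tp ..." command line.
    lines = [ln.strip() for ln in output.splitlines()
             if ln.strip() and "display l2tp" not in ln]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        if ln.startswith("-") or ln.startswith("Total"):
            continue
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"cannot parse row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def check_lns_state(tunnel_out: str, session_out: str,
                    allowed_remote: Set[str], domain: str) -> List[str]:
    """Cross-check tunnels against sessions; return one line per problem (empty = clean)."""
    tunnels = {t["LocalTID"]: t for t in parse_table(tunnel_out)}
    sessions = parse_table(session_out)
    problems: List[str] = []
    for tid, t in tunnels.items():
        if t["RemoteName"] not in allowed_remote:
            problems.append(f"tunnel {tid}: unexpected remote name {t['RemoteName']} "
                            f"from {t['RemoteAddress']}")
    per_tunnel = {tid: 0 for tid in tunnels}
    for s in sessions:
        t = tunnels.get(s["LocalTID"])
        if t is None:
            problems.append(f"session {s['LocalSID']}: tunnel {s['LocalTID']} "
                            "is not in the tunnel table")
        elif t["RemoteTID"] != s["RemoteTID"]:
            problems.append(f"session {s['LocalSID']}: RemoteTID {s['RemoteTID']} "
                            f"differs from the tunnel's {t['RemoteTID']}")
        else:
            per_tunnel[s["LocalTID"]] += 1
        _, _, user_domain = s["UserName"].partition("@")
        if user_domain != domain:
            problems.append(f"session {s['LocalSID']}: {s['UserName']} is not in domain {domain}")
    for tid, t in tunnels.items():
        if int(t["Sessions"]) != per_tunnel[tid]:
            problems.append(f"tunnel {tid}: reports {t['Sessions']} session(s) "
                            f"but {per_tunnel[tid]} found")
    return problems


if __name__ == "__main__":
    print(check_lns_state(TUNNEL_OK, SESSION_OK, {"vpdnuser"}, "domain1"))   # []
    for p in check_lns_state(TUNNEL_OK, SESSION_BAD, {"vpdnuser"}, "domain1"):
        print("PROBLEM:", p)
```

The remote-name check is the one worth wiring into monitoring: a tunnel whose RemoteName is not one of the names configured with allow l2tp ... remote means the LNS accepted a peer it was not meant to (for example through default-lns), and the RemoteAddress column tells you where it came from.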

Configuration Files

Configuration file of the Device

#
 sysname Device
#
 l2tp enable
#
radius-server group radius1
 radius-server authentication 20.20.20.1 1812
 radius-server accounting 20.20.20.1 1813
 radius-server shared-key itellin
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 11.11.11.1
#
interface LoopBack0
 ip address 192.168.10.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 202.38.160.0 0.0.0.255
  network 192.168.0.1 0.0.0.0
#
l2tp-group lns1
 allow l2tp virtual-template 1 remote vpdnuser
 tunnel password simple 1qaz#EDC
 tunnel name LNS
#
lns-group group1
 bind slot 1
 bind source LoopBack0
#
ip pool pool1 bas local
 gateway 192.168.0.2 255.255.255.0
 section 0 192.168.0.10 192.168.0.100
#
aaa
 domain domain1
  authentication-scheme default1
  accounting-scheme default1
  radius-server group radius1
  ip-pool pool1
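A configuration file in this form can be checked before it goes on a device. The following Python is an added example, not Huawei's code: it splits a VRP-style configuration on its # separators and then checks that the objects the domain and the L2TP group reference (address pool, RADIUS server group, virtual template, loopback) actually exist, that a non-default L2TP group names its remote LAC, and that the tunnel password and RADIUS shared key are not kept in clear text. The embedded configuration is constructed for the example: it deliberately defines the pool as 1 while the domain binds pool1, and keeps both secrets in clear text, so there is something to find. The string <cipher-text> in the corrected variant is a placeholder for whatever the device writes when the cipher keyword is used.

```python
"""Static checks on an LNS configuration in VRP style (added example; not Huawei code)."""
import re
from typing import Dict, List

# Constructed configuration (not captured from a device): pool named "1" but the
# domain binds "pool1"; tunnel password and RADIUS key in clear text.
WEAK_CONFIG = """\
#
radius-server group radius1
 radius-server authentication 20.20.20.1 1812
 radius-server accounting 20.20.20.1 1813
 radius-server shared-key itellin
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface LoopBack0
 ip address 192.168.10.1 255.255.255.255
#
l2tp-group lns1
 allow l2tp virtual-template 1 remote vpdnuser
 tunnel password simple 1qaz#EDC
 tunnel name LNS
#
lns-group group1
 bind slot 1
 bind source LoopBack0
#
ip pool 1 bas local
 gateway 192.168.0.2 255.255.255.0
 section 0 192.168.0.10 192.168.0.100
#
aaa
 domain domain1
  authentication-scheme default1
  accounting-scheme default1
  radius-server group radius1
  ip-pool pool1
#
"""
# Same configuration with the three problems fixed; <cipher-text> is a placeholder.
FIXED_CONFIG = (WEAK_CONFIG
                .replace("ip pool 1 bas local", "ip pool pool1 bas local")
                .replace("tunnel password simple 1qaz#EDC", "tunnel password cipher <cipher-text>")
                .replace("shared-key itellin", "shared-key cipher <cipher-text>"))


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each #-delimited block's first line to its remaining lines (indentation stripped)."""
    blocks: Dict[str, List[str]] = {}
    head = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            head = None
            continue
        if head is None:
            head = line
            blocks[head] = []
        else:
            blocks[head].append(line)
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per problem; an empty list means every check passed."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    def defined(prefix: str) -> bool:   # a block whose first line is `prefix` or `prefix ...`
        return any(re.match(rf"{re.escape(prefix)}( |$)", head) for head in blocks)

    for line in blocks.get("aaa", []):                       # references made by the domain
        m = re.match(r"ip-pool (\S+)$", line)
        if m and not defined(f"ip pool {m.group(1)}"):
            findings.append(f"aaa: ip-pool {m.group(1)} is bound but no 'ip pool {m.group(1)}' exists")
        m = re.match(r"radius-server group (\S+)$", line)
        if m and not defined(f"radius-server group {m.group(1)}"):
            findings.append(f"aaa: RADIUS server group {m.group(1)} does not exist")

    for head, body in blocks.items():
        if head.startswith("l2tp-group "):
            allow = next((l for l in body if l.startswith("allow l2tp ")), "")
            vt = re.search(r"virtual-template (\d+)", allow)
            if not vt:
                findings.append(f"{head}: no 'allow l2tp virtual-template' statement")
            elif not defined(f"interface Virtual-Template{vt.group(1)}"):
                findings.append(f"{head}: Virtual-Template{vt.group(1)} is not configured")
            if head != "l2tp-group default-lns" and " remote " not in allow:
                findings.append(f"{head}: a non-default L2TP group must name its remote LAC")
            if any(l.startswith("tunnel password simple") for l in body):
                findings.append(f"{head}: tunnel password is stored in clear text (simple)")
        elif head.startswith("radius-server group "):
            if any(l.startswith("radius-server shared-key") and " cipher " not in l for l in body):
                findings.append(f"{head}: RADIUS shared key is stored in clear text")
        elif head.startswith("interface Virtual-Template"):
            for l in body:
                m = re.match(r"ppp authentication-mode (\S+)", l)
                if m and m.group(1) != "chap":   # CHAP keeps the user password off the wire
                    findings.append(f"{head}: PPP authentication mode is {m.group(1)}, not chap")
        elif head.startswith("lns-group "):
            for l in body:
                m = re.match(r"bind source (\S+)", l)
                if m and not defined(f"interface {m.group(1)}"):
                    findings.append(f"{head}: bind source {m.group(1)} has no interface")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK :", f)
    print("FIXED:", audit(FIXED_CONFIG))   # []
```

The dangling-reference check is the one that catches the most common field mistake in this procedure: a domain that binds a pool or RADIUS group under a slightly different name than the one created, which leaves users authenticated but without an address.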
Updated: 2019-01-03

Document ID: EDOC1100055031