09-L2TP Configuration

ER G3 Routers

L2TP VPN Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This document provides examples for configuring L2TP VPNs on routers.

Prerequisites

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of L2TP VPN.

Software versions used

This configuration example was created and verified on Release 0136 of the ER3200G3 Router Series.

Configuration example

Network configuration

As shown in Figure 1, the enterprise needs to create L2TP tunnels to allow traveling employees and employees in branches to access servers on the internal network deployed at the HQ.

Figure 1 Network diagram

 

Analysis

1.     Configure Router A for the HQ to access the Internet, and enable the L2TP server on Router A.

2.     Configure Router B for a branch to access the Internet, and enable the L2TP client on Router B.

3.     Configure the L2TP client on the PCs of traveling employees.

Procedures

Configuring Router A

Configuring WAN1 to connect to the Internet

 

NOTE:

In this example, select the single-WAN scenario for Router A, and set the connection mode of the selected WAN interface to fixed IP.

 

1.     From the navigation pane, select Network > External Networks.

2.     Click the Configure Interface Mode tab, select the single-WAN mode, and click Apply.

3.     Click the WAN Settings tab.

4.     Click the Edit icon for interface WAN1. On the page that opens, perform the following tasks:

○     Select Fixed IP from the Connection Mode list.

○     Enter 20.1.1.1 in the IP Address field.

○     Enter 255.255.255.0 in the Subnet Mask field.

○     Enter 20.1.1.254 in the Gateway Address field.

○     Use the default settings for the other parameters.

5.     Click Apply to save the configuration.

Figure 2 Configuring WAN1 to connect to the Internet

 

Enabling and configuring the L2TP server

 

NOTE:

In this example, you must configure two L2TP groups (tunnels) named LNS1 and LNS2, which provide connections for PCs of traveling employees and routers in branches separately.

 

From the navigation pane, select Virtual Network > L2TP Server. Select Enable L2TP Server, and click Apply.

Figure 3 Enabling the L2TP server

 

Configuring LNS1 (for PCs of traveling employees)

# On the L2TP Config tab, click Add. On the Create L2TP Group page that opens, perform the following tasks:

·     Do not select the Peer Tunnel Name option. With the option cleared, you do not need to configure a tunnel peer name. If you select this option, you must enter the name of the PC of a traveling employee.

·     Enter LNS1 in the Local Tunnel Name field.

·     Select Off for the Tunnel Authentication field. When a PC acts as an L2TP client, as a best practice, do not enable tunnel authentication.

·     Select CHAP from the PPP Authentication Mode list.

·     Enter a VT interface address as needed (for example, 172.16.10.1) in the VT Interface Address field. Make sure it is not an internal network IP address.

·     Enter a VT interface address mask (for example, 255.255.255.0) in the Subnet Mask field.

·     Enter an available DNS server IP (for example, 114.114.114.114) in the DNS1 field.

·     Enter an available DNS server IP (for example, 8.8.8.8) in the DNS2 field.

·     Enter a user address pool (for example, 172.16.10.2-172.16.10.5) in the User Address Pool field.

·     Use the default Hello interval, 60 seconds.

·     Click Apply.

Figure 4 Configuring LNS1

 

Configuring LNS2 (for routers in branches)

# On the L2TP Config tab, click Add. On the Create L2TP Group page that opens, perform the following tasks:

·     Enter a tunnel peer name (for example, LAC) in the Peer Tunnel Name field.

·     Enter LNS2 in the Local Tunnel Name field.

·     Select On for the Tunnel Authentication field, and enter abc123 in the Tunnel Auth Password field.

·     Select CHAP from the PPP Authentication Mode list.

·     Enter a VT interface address as needed (for example, 172.16.20.1) in the VT Interface Address field. Make sure it is not on the same subnet as an internal network IP address.

·     Enter a VT interface address mask (for example, 255.255.255.0) in the Subnet Mask field.

·     Enter an available DNS server IP (for example, 114.114.114.114) in the DNS1 field.

·     Enter an available DNS server IP (for example, 8.8.8.8) in the DNS2 field.

·     Enter a user address pool (for example, 172.16.20.2-172.16.20.5) in the User Address Pool field.

·     Use the default Hello interval, 60 seconds.

·     Click Apply.

Figure 5 Configuring LNS2

 

Figure 6 Configuring L2TP groups

 

Adding L2TP users

 

NOTE:

L2TP user settings mainly include the username and password for an L2TP client to dial up.

 

1.     Configure the username and password for a branch router acting as a client.

a.     From the navigation pane, select Virtual Network > L2TP Server.

b.     Click the L2TP User tab.

c.     On the page that opens, click Add. On the Add User page that opens, perform the following tasks:

-     Enter a username (for example, vpdn1) in the Account field.

-     Select On for the State field.

-     Enter a password (for example, user123) in the Password field.

-     Enter the maximum number of concurrent L2TP client connections supported by the account (for example, 1) in the Max Users field.

-     Select Not Set for the Validity Period field. If you select Set, you must select the expiration date of the account from the date selector.

-     Click Apply.

Figure 7 Adding L2TP users

 

2.     Add the username and password for the PCs of traveling employees.

Add username vpdnuser and password user1234 in the same way.

Configuring Router B

Configuring WAN1 to connect to the Internet

 

NOTE:

In this example, select the single-WAN scenario for Router B, and set the connection mode of the selected WAN interface to fixed IP.

 

1.     From the navigation pane, select Network > External Networks.

2.     Click the Configure Interface Mode tab, select the single-WAN mode, and click Apply.

3.     Click the WAN Settings tab.

4.     Click the Edit icon for interface WAN1. On the page that opens, perform the following tasks:

○     Select Fixed IP from the Connection Mode list.

○     Enter 20.1.2.1 in the IP Address field.

○     Enter 255.255.255.0 in the Subnet Mask field.

○     Enter 20.1.2.254 in the Gateway Address field.

○     Use the default settings for the other parameters.

5.     Click Apply to save the configuration.

Figure 8 Configuring WAN1 to connect to the Internet

 

Enabling and configuring the L2TP client

 

NOTE:

When configuring an L2TP client, make sure the L2TP client information is the same as that on the L2TP server.

 

# From the navigation pane, select Virtual Network > L2TP Client. Select Enable L2TP Client, and click Apply.

Figure 9 Enabling the L2TP client

 

# Click Add. On the Create L2TP Group page that opens, perform the following tasks:

·     Enter LAC in the Local Tunnel Name field.

·     Select Dynamic for the Address Acquisition Method field.

·     Select On for the Tunnel Authentication field. Then, enter password abc123, which is set for LNS2, in the Tunnel Auth Password field.

·     Select CHAP from the PPP Authentication Mode list. Then, enter vpdn1 in the Username field and user123 in the Password field.

·     Select On from the NAT list. If you select Off, you must add a static route from the HQ to the branch.

·     Enter 20.1.1.1 (IP address of interface WAN1 in the HQ) in the L2TP Server Address field.

·     Use the default Hello interval, 60 seconds.

·     Click Apply.

Figure 10 Configuring the L2TP client

 

Configuring static routes

 

NOTE:

When the router acts as an L2TP client, you must add a static route destined for the subnet of the L2TP server (10.1.1.0/24).

 

# From the navigation pane, select Advanced Settings > Static Routing. Click Add.

·     Enter 10.1.1.0 in the Destination IP Address field.

·     Enter 24 in the Mask Length field.

·     Select the Output Interface option for the Next Hop field, and select L2TP1 (the L2TP tunnel interface) from the following list.

·     Use the default settings for the other parameters. Click Apply.

Figure 11 Configuring static routes
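
The address-plan and server/client matching rules stated in the steps above can be checked before the values are typed into the Web interface. The following Python sketch is an added example, not H3C code or part of the original document: it validates that each VT subnet stays off the internal network, that each user pool fits its VT subnet, and that the Router B client settings match the LNS2 group and L2TP user on Router A. The dictionary layout and function names are hypothetical; the values are the example values from this document.

```python
import ipaddress as ip
# Values are the examples from this page; the dict layout is an assumption of this sketch.
INTERNAL = ip.ip_network("10.1.1.0/24")  # HQ subnet, from the static-route step
LNS_GROUPS = {
    "LNS1": {"peer": None, "tunnel_auth": None, "vt": "172.16.10.1",
             "mask": "255.255.255.0", "pool": ("172.16.10.2", "172.16.10.5")},
    "LNS2": {"peer": "LAC", "tunnel_auth": "abc123", "vt": "172.16.20.1",
             "mask": "255.255.255.0", "pool": ("172.16.20.2", "172.16.20.5")},
}
USERS = {"vpdn1": "user123", "vpdnuser": "user1234"}
LAC = {"local_name": "LAC", "tunnel_auth": "abc123", "ppp_mode": "CHAP",
       "username": "vpdn1", "password": "user123", "server": "20.1.1.1"}
LNS_WAN_IP, LNS_PPP_MODE = "20.1.1.1", "CHAP"

def check_group(name, g, internal=INTERNAL):
    """Return address-plan problems for one L2TP group on the LNS."""
    problems = []
    vt_net = ip.ip_network(f"{g['vt']}/{g['mask']}", strict=False)
    vt, lo, hi = (ip.ip_address(a) for a in (g["vt"], *g["pool"]))
    if vt_net.overlaps(internal):
        problems.append(f"{name}: VT subnet {vt_net} overlaps internal {internal}")
    if lo > hi or lo not in vt_net or hi not in vt_net:
        problems.append(f"{name}: pool {lo}-{hi} is not inside {vt_net}")
    if lo <= vt <= hi:
        problems.append(f"{name}: VT address {vt} is inside the user pool")
    return problems

def check_client(lac, groups=LNS_GROUPS, users=USERS):
    """Return mismatches between the LAC settings and the LNS side."""
    problems = []
    match = [g for g in groups.values() if g["peer"] == lac["local_name"]]
    if not match:
        problems.append("no LNS group names this LAC as its peer")
    elif match[0]["tunnel_auth"] != lac["tunnel_auth"]:
        problems.append("tunnel authentication password differs from the LNS group")
    if users.get(lac["username"]) != lac["password"]:
        problems.append("PPP username/password not defined on the LNS")
    if lac["ppp_mode"] != LNS_PPP_MODE:
        problems.append("PPP authentication mode differs from the LNS")
    if lac["server"] != LNS_WAN_IP:
        problems.append("L2TP server address is not the LNS WAN address")
    return problems

def check_all():  # run every check on this page's example values
    out = [p for n, g in LNS_GROUPS.items() for p in check_group(n, g)]
    return out + check_client(LAC)

if __name__ == "__main__":
    print(check_all() or "address plan and client settings are consistent")
```

An empty list from check_all() means the planned values satisfy the constraints stated in this document; each returned string names the field to correct.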

 

Configuring PCs of traveling employees

 

NOTE:

On the PC of a traveling employee, configure the L2TP client. In this example, the PC is installed with Windows 7.

 

# Log in to the PC of the traveling employee. Click the Network icon in the lower right corner of the PC, and click Open Network and Sharing Center.

Figure 12 Opening the network and sharing center window

 

# Click Set up a new connection or network to create an L2TP client.

Figure 13 Setting up a new connection or network

 

# In the Set up a Connection or Network window, select Connect to a workplace, and then click Next.

Figure 14 Connecting to the workspace

 

# Select Use my Internet connection (VPN), and then select I’ll set up an Internet connection later. Then, you can configure the Internet address for the connection.

Figure 15 Using my Internet connection (VPN)

 

# In the Internet address field, enter the IP address of interface WAN0 of the L2TP server to be connected, 20.1.1.1 in this example. In the Destination name field, enter the name of the L2TP client connection, l2tp in this example. Then, click Next.

Figure 16 Entering the Internet address you want to connect to

 

# In the User name and Password fields, enter the username and password set on the L2TP server, vpdnuser and user1234 in this example. Click Create.

Figure 17 Entering the username and password

 

# Click the Network icon in the lower right corner of the desktop. Right-click the L2TP client name (for example, l2tp), and select Properties.

Figure 18 L2TP client properties

 

# In the Properties dialog box that opens, click the Security tab. On this tab, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) from the Type of VPN list, select Optional encryption (connect even if no encryption) from the Data encryption list, and then click OK.

Figure 19 Configuring security properties

 

# Open the dialup terminal for L2TP, and enter username vpdnuser and password user1234 in the Connect dialog box that opens. Then, click Connect.

Figure 20 L2TP connection

 

Verifying the configuration

Verify that both traveling employees and employees in branches can access servers in the HQ. Log in to the Web interface of Router A for the HQ. From the navigation pane, select Virtual Network > L2TP Server. Click the Tunnel Information tab. On this tab, you can view the corresponding L2TP tunnel information.
