09-L2TP Configuration

05-MSR Routers LAC-Auto-Initiated L2TP Tunnel Configuration Examples

MSR Routers

LAC-Auto-Initiated L2TP Tunnel Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This document provides examples for configuring L2TP VPNs on routers.

Prerequisites

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of L2TP VPN.

Software versions used

This configuration example was created and verified on Version 7.1.064 Feature 6749L15 of the MSR3610 router.

Configuration example

Network configuration

As shown in Figure 1, establish an LAC-auto-initiated L2TP tunnel between the LAC and the LNS before PPP users connect. After PPP users connect, they access the HQ of the company through the established L2TP tunnel.

Figure 1 Network diagram

 

Analysis

1.     Configure the LAC and LNS separately.

2.     Enable tunnel authentication, and set the tunnel authentication key.

3.     The host accesses the HQ through the established L2TP tunnel.

Procedures

Configuring LAC

Configuring IP addresses for interfaces

# Enter the view of interface GigabitEthernet 0/1 and configure its IP address as 3.3.3.1/24.

<LAC> system-view

[LAC] interface gigabitethernet 0/1

[LAC-GigabitEthernet0/1] ip address 3.3.3.1 24

[LAC-GigabitEthernet0/1] quit

# Enter the view of interface GigabitEthernet 0/2 and configure its IP address as 10.2.0.1/16.

[LAC] interface gigabitethernet 0/2

[LAC-GigabitEthernet0/2] ip address 10.2.0.1 16

[LAC-GigabitEthernet0/2] quit

Configuring L2TP

# Enable L2TP.

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC, and specify LNS IP address 3.3.3.2.

[LAC-l2tp1] tunnel name LAC

[LAC-l2tp1] lns-ip 3.3.3.2

# Enable tunnel authentication, and set the tunnel authentication key to aabbcc.

[LAC-l2tp1] tunnel authentication

[LAC-l2tp1] tunnel password simple aabbcc

[LAC-l2tp1] quit

Configuring a virtual template

# Create interface virtual-PPP 1. On the interface, configure the PPP username as vpdnuser and the password as 123456TESTplat&!, and configure the PPP authentication mode as PAP.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] ip address ppp-negotiate

[LAC-Virtual-PPP1] ppp pap local-user vpdnuser password simple 123456TESTplat&!

[LAC-Virtual-PPP1] quit

Configuring routing

# Configure a private network route, so that the packets to the HQ of the company are forwarded through an L2TP tunnel.

[LAC] ip route-static 10.1.0.0 16 virtual-ppp 1

Configuring the tunnel

# Trigger the LAC to automatically establish an L2TP tunnel.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] l2tp-auto-client l2tp-group 1

Configuring LNS

Configuring IP addresses for interfaces

# Enter the view of interface GigabitEthernet 0/1 and configure its IP address as 3.3.3.2/24.

<LNS> system-view

[LNS] interface gigabitethernet 0/1

[LNS-GigabitEthernet0/1] ip address 3.3.3.2 24

[LNS-GigabitEthernet0/1] quit

# Enter the view of interface GigabitEthernet 0/2 and configure its IP address as 10.1.0.1/16.

[LNS] interface gigabitethernet 0/2

[LNS-GigabitEthernet0/2] ip address 10.1.0.1 16

[LNS-GigabitEthernet0/2] quit

Configuring PPP users

# Create a local PPP user with the username as vpdnuser and the password as 123456TESTplat&!.

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple 123456TESTplat&!

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

Configuring a virtual template

# Create VT interface 1, and assign an IP address to the VT interface. Configure the PPP authentication method as PAP on VT interface 1, and specify VT interface 1 to allocate IP address 192.168.0.10 to the LAC client.

[LNS] interface virtual-template 1

[LNS-Virtual-Template1] ip address 192.168.0.1 24

[LNS-Virtual-Template1] ppp authentication-mode pap

[LNS-Virtual-Template1] remote address 192.168.0.10

[LNS-Virtual-Template1] quit

Configuring an ISP domain

# Configure ISP domain system to perform local authentication for PPP users.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

Configuring L2TP

# Enable L2TP, and create L2TP group 1 in LNS mode.

[LNS] l2tp enable

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS on the LNS, and specify VT interface 1 for receiving calls from the peer named LAC.

[LNS-l2tp1] tunnel name LNS

[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication, and set the tunnel authentication password to aabbcc.

[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password simple aabbcc

[LNS-l2tp1] quit

Configuring routing

# Configure a private network route. Specify the next hop as 192.168.0.10, the private network IP address that the LNS allocates to interface Virtual-PPP 1 on the LAC, so that PPP user packets are forwarded through the L2TP tunnel.

[LNS] ip route-static 10.2.0.0 16 192.168.0.10

Configuring the remote host

Configure the LAC as the gateway on the remote host.

Verifying the configuration

# On the LNS, execute the display l2tp session command to display the established L2TP sessions.

[LNS] display l2tp session

LocalSID      RemoteSID      LocalTID      State

21409         3395           4501          Established

# On the LNS, execute the display l2tp tunnel command to view the established L2TP tunnels.

[LNS] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

4501     524       Established   1        3.3.3.1          1701       LAC

# On the LNS, verify that you can successfully ping the private network address 10.2.0.1 of the LAC, indicating that hosts in networks 10.2.0.0/16 and 10.1.0.0/16 can communicate through the L2TP tunnel.

[LNS] ping -a 10.1.0.1 10.2.0.1

Ping 10.2.0.1 (10.2.0.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.0.1: icmp_seq=0 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=1 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=2 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=3 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=4 ttl=128 time=1.000 ms

 

--- Ping statistics for 10.2.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms

Configuration files

·     LAC:

#

 sysname LAC

#

interface Virtual-PPP1

 ppp pap local-user vpdnuser password cipher $c$3$PaACxzHFVo2vHPsvHKK6bWn1Q8ViFklXJv9mCSSJaT5r5Sc=

 ip address ppp-negotiate

 l2tp-auto-client l2tp-group 1

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 3.3.3.1 255.255.255.0

 pppoe-client dial-bundle-number 1

#

interface GigabitEthernet0/2

 port link-mode route

 combo enable copper

 ip address 10.2.0.1 255.255.0.0

#

 ip route-static 10.1.0.0 16 Virtual-PPP1

#

l2tp-group 1 mode lac

 lns-ip 3.3.3.2

 tunnel name LAC

 tunnel password cipher $c$3$C8wwsI8LAeqUZtV1K6OmotFsyQvEeznMog==

#

 l2tp enable

·     LNS:

#

 sysname LNS

#

interface Virtual-Template1

 ppp authentication-mode pap

 remote address 192.168.0.10

 ip address 192.168.0.1 255.255.255.0

#

interface GigabitEthernet0/1

 port link-mode route

 ip address 3.3.3.2 255.255.255.0

 pppoe-client dial-bundle-number 1

#

interface GigabitEthernet0/2

 port link-mode route

 combo enable copper

 ip address 10.1.0.1 255.255.0.0

#

 ip route-static 10.2.0.0 16 192.168.0.10

#

domain system

 authentication ppp local

#

local-user vpdnuser class network

 password cipher $c$3$0dtejUEZZmKQjqoqVWDWJCmFCQkYjSqrH9pKSs/Ay5G45OM=

 service-type ppp

 authorization-attribute user-role network-operator

#

l2tp-group 1 mode lns

 allow l2tp virtual-template 1 remote LAC

 tunnel name LNS

 tunnel password cipher $c$3$DqBEx8gmAMULJ8E3vm1d0/JbUDDbOBA/dA==

#

 l2tp enable
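
An added example, not part of the H3C document: a Python check over the two saved configurations that flags PAP as the PPP authentication method (PAP sends the password unencrypted inside PPP, and L2TP itself does not encrypt the tunnel), flags an L2TP group that has no tunnel password, and confirms that the peer name the LNS accepts matches the tunnel name of the LAC. The function names and the trimmed sample text with <ciphertext> placeholders are constructed for this example.

```python
import re

def parse_sections(cfg):
    """Split a saved configuration into {header: [child lines]} at '#' separator lines."""
    sections, block = {}, []
    for line in cfg.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                sections[block[0]] = block[1:]
            block = []
        elif line.strip():
            block.append(line.strip())
    return sections

def capture(sections, pattern):
    """Return the first regex capture found inside any l2tp-group section, else None."""
    for header, lines in sections.items():
        for m in (re.search(pattern, l) for l in lines if header.startswith("l2tp-group")):
            if m:
                return m.group(1)
    return None

def audit(lac_cfg, lns_cfg):
    lac, lns = parse_sections(lac_cfg), parse_sections(lns_cfg)
    findings = []
    for dev, secs in (("LAC", lac), ("LNS", lns)):
        for header, lines in secs.items():
            if any(l.startswith(("ppp authentication-mode pap", "ppp pap ")) for l in lines):
                findings.append(f"{dev} {header}: PAP carries the PPP password in cleartext")
            if header.startswith("l2tp-group") and not any(l.startswith("tunnel password") for l in lines):
                findings.append(f"{dev} {header}: no tunnel authentication key")
    # The LNS only accepts a tunnel whose peer name equals its 'allow l2tp ... remote' value.
    if capture(lac, r"^tunnel name (\S+)") != capture(lns, r"^allow l2tp .* remote (\S+)$"):
        findings.append("LNS 'allow l2tp ... remote' does not match the LAC tunnel name")
    return findings

# Constructed sample: the page's saved configurations, trimmed, ciphertext replaced by a placeholder.
LAC_CFG = """interface Virtual-PPP1
 ppp pap local-user vpdnuser password cipher <ciphertext>
#
l2tp-group 1 mode lac
 tunnel name LAC
 tunnel password cipher <ciphertext>"""
LNS_CFG = """interface Virtual-Template1
 ppp authentication-mode pap
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote LAC
 tunnel password cipher <ciphertext>"""
```

Calling audit(LAC_CFG, LNS_CFG) returns one PAP finding per device for this configuration and no tunnel-key or peer-name findings.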
