1.1.1 allow l2tp
Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow
View
L2TP group view
Parameter
virtual-template-number: Specifies the virtual template used when creating a new virtual access interface, an integer ranging from 0 to 1023.
remote-name: Specifies the name of the peer end of the tunnel that initiates the connection request, a case-sensitive character string of 1 to 30 characters.
domain-name: Specifies the name of the enterprise, a character string of 1 to 30 characters.
Description
Use the allow l2tp command to specify the name of the tunnel peer whose calls are accepted and the virtual template used for them.
Use the undo allow command to remove the name of the tunnel peer and the adopted virtual template.
By default, call receiving is disabled.
This command is used on the LNS side.
For multi-instance applications of L2TP, the domain-name parameter must be configured.
When L2TP group number 1 (the default L2TP group number) is used, the name of the tunnel peer (remote-name) can be left unspecified. When configured in the view of L2TP group 1, the format of the command is as follows:
allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
If a peer name is specified in the configuration of L2TP group 1, L2TP group 1 will not serve as the default L2TP group.
For example, in a Windows 2000 beta 2 environment, the local name of the VPN connection is NONE, so the peer name that the router receives is NONE. To allow the router to accept tunnel connection requests sent by this kind of unknown peer, or for test purposes, a default L2TP group can be configured.
Caution:
- The allow l2tp command is used on the LNS side.
- If the name of the tunnel peer is specified, ensure that it is the same as the local name configured on the LAC side.
- If the domain-name in this command is specified, it must be the same as that configured on the LAC side using the start l2tp command. Otherwise, the user cannot pass authentication.
Related command: l2tp-group.
Example
# Receive L2TP tunnel connection requests sent by the peer AS8010 (LAC side), and create a virtual access interface based on virtual-template 1.
[H3C-l2tp2] allow l2tp virtual-template 1 remote AS8010
# Use L2TP group 1 as the default L2TP group, receiving L2TP tunnel connection requests sent by any peer, and create a virtual access interface based on virtual-template 1.
[H3C] l2tp-group 1
[H3C-l2tp1] allow l2tp virtual-template 1
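The rules above (exact peer-name matching, group 1 acting as the default group only while it carries no remote-name) are easiest to reason about as a small model. The following Python is an added illustration, not H3C code; it encodes only what this reference states, and the order in which the real implementation checks its groups is an assumption. The `accepts_unknown_peers` check is the audit a reviewer would run over an LNS configuration to see whether any peer name at all (such as the NONE name mentioned above) would be admitted.

```python
"""LNS-side model of how the allow l2tp settings of the configured L2TP groups
decide which group accepts an incoming tunnel request.  Added example, not
H3C code.  It encodes what this reference states (the peer name is matched
case-sensitively; group 1 is the default group only while it has no
remote-name); the lookup order of the real implementation is an assumption."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class L2tpGroup:
    number: int
    virtual_template: int
    remote_name: Optional[str] = None   # None: `remote` omitted, allowed in group 1 only

    def __post_init__(self):
        # The reference allows an unspecified remote-name only in L2TP group 1.
        if self.remote_name is None and self.number != 1:
            raise ValueError(f"group {self.number}: remote-name may be omitted only in group 1")


def default_group(groups: List[L2tpGroup]) -> Optional[L2tpGroup]:
    """Group 1 serves as the default only if no peer name is configured in it."""
    for g in groups:
        if g.number == 1 and g.remote_name is None:
            return g
    return None


def select_group(groups: List[L2tpGroup], peer_name: str) -> Optional[L2tpGroup]:
    """Return the group that accepts a tunnel from `peer_name`, or None to reject.
    An exact, case-sensitive remote-name match wins; otherwise the default group."""
    for g in groups:
        if g.remote_name == peer_name:
            return g
    return default_group(groups)


def accepts_unknown_peers(groups: List[L2tpGroup]) -> bool:
    """Configuration audit: True if a peer with any name (such as the NONE name
    the reference mentions) would be accepted, i.e. a default group exists."""
    return default_group(groups) is not None


if __name__ == "__main__":
    cfg = [L2tpGroup(1, 1), L2tpGroup(2, 1, "AS8010")]   # constructed configuration
    print("AS8010 ->", select_group(cfg, "AS8010"))
    print("NONE   ->", select_group(cfg, "NONE"))
    print("accepts unknown peers:", accepts_unknown_peers(cfg))
```

Leaving group 1 without a remote-name is what makes the second example on this page accept requests from any peer; the audit function reports exactly that condition, so it can be run against an exported configuration before a test-only default group reaches production.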
1.1.2 debugging l2tp
Syntax
debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }
undo debugging l2tp { all | control | error | event | hidden | payload | time-stamp }
View
System view
Parameter
all: Enables all L2TP debugging.
control: Enables control packet debugging.
dump: Enables PPP packet debugging.
error: Enables error debugging.
event: Enables event debugging.
hidden: Enables hidden AVP debugging.
payload: Enables L2TP payload debugging.
time-stamp: Enables time-stamp debugging.
Description
Use the debugging l2tp command to enable L2TP debugging.
Use the undo debugging l2tp command to disable L2TP debugging.
Example
# Enable all L2TP debugging.
<H3C> debugging l2tp all
1.1.3 display l2tp session
Syntax
display l2tp session
View
Any view
Parameter
None
Description
Use the display l2tp session command to view the current L2TP sessions.
The output of this command helps you learn the state of the current L2TP sessions.
Related command: display l2tp tunnel.
Example
# Display current L2TP sessions.
<H3C> display l2tp session
LocalSID RemoteSID LocalTID Idle-Time-Left
1        1         2        600
Table 1-1 Description on the fields of the display l2tp session command
| Field | Description |
| Total session | Number of sessions |
| LocalSID | The number that uniquely identifies the local session |
| RemoteSID | The number that uniquely identifies the peer session |
| LocalTID | The local ID number of the tunnel |
| Idle-Time-Left | The residual time before the session is disconnected |
1.1.4 display l2tp tunnel
Syntax
display l2tp tunnel
View
Any view
Parameter
None
Description
Use the display l2tp tunnel command to view information about the current L2TP tunnels.
The output of this command helps you learn the state of the current L2TP tunnels.
Related command: display l2tp session.
Example
# Display information about the current L2TP tunnels.
<H3C> display l2tp tunnel
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName keepstand
2        22849     11.1.1.1      1701 1        lns        YES
Total tunnel = 1
Table 1-2 Description on the fields of the display l2tp tunnel command
| Field | Description |
| Total tunnels | Number of tunnels |
| LocalTID | The number that uniquely identifies the local tunnel |
| RemoteTID | The number that uniquely identifies the peer tunnel |
| RemoteAddress | IP address of the peer end |
| Port | Port number of the peer end |
| Sessions | Number of sessions on the tunnel |
| RemoteName | Name of the peer end |
| KeepStand | State of the tunnel-hold function |
1.1.5 display l2tp user
Syntax
display l2tp user
View
Any view
Parameter
None
Description
Use the display l2tp user command to view information about the current L2TP users.
Related command: display l2tp tunnel, display l2tp session.
Example
# Display information about the current L2TP users.
<H3C> display l2tp user
User Name LocalSID RemoteSID LocalTID
w@h3c     1        1         2
Total user = 1
Table 1-3 Description on the fields of the display l2tp user command
| Field | Description |
| User Name | User name |
| LocalSID | Local identifier of the session |
| RemoteSID | Remote identifier of the session |
| LocalTID | Local identifier of the tunnel |
| Total user | Total number of users |
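The three display commands above share identifiers (LocalTID, LocalSID) that let an operator join tunnels, sessions and users when scripting a health check. The Python below is an added example, not H3C code: it parses the tabular output exactly as this reference prints it (including the "User Name" column, whose embedded space defeats naive splitting, and the "Total ... = N" trailer) and reports the inconsistencies worth alerting on, such as a tunnel whose Sessions counter disagrees with the session list. The sample outputs are constructed from the examples on this page.

```python
"""Parser for the tabular output of display l2tp tunnel, display l2tp session
and display l2tp user, joining the three views on their shared LocalTID /
LocalSID identifiers.  Added example, not H3C code.  The sample outputs are
constructed from the reference's own examples."""
import re
from typing import List, Optional

# Constructed sample output, laid out as the reference shows it.
TUNNEL_OUTPUT = """\
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName keepstand
2        22849     11.1.1.1      1701 1        lns        YES
Total tunnel = 1
"""
SESSION_OUTPUT = """\
LocalSID RemoteSID LocalTID Idle-Time-Left
1        1         2        600
"""
USER_OUTPUT = """\
User Name LocalSID RemoteSID LocalTID
w@h3c     1        1         2
Total user = 1
"""
# "User Name" contains a space, so that header cannot be recovered by split().
USER_HEADER = ["User Name", "LocalSID", "RemoteSID", "LocalTID"]


def parse_table(text: str, header: Optional[List[str]] = None):
    """Return (rows, total): rows as dicts keyed by column name, total taken
    from the 'Total <kind> = N' trailer (None when the output has no trailer)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = header or lines[0].split()
    rows, total = [], None
    for line in lines[1:]:
        m = re.fullmatch(r"Total \w+ = (\d+)", line.strip())
        if m:
            total = int(m.group(1))
            continue
        cells = line.split()
        if len(cells) != len(cols):
            raise ValueError(f"expected {len(cols)} columns, got {len(cells)}: {line!r}")
        rows.append(dict(zip(cols, cells)))
    return rows, total


def tunnel_report(tunnel_text: str, session_text: str, user_text: str):
    """Group sessions and user names under their tunnel's LocalTID and list
    the inconsistencies an operator would want flagged."""
    tunnels, total = parse_table(tunnel_text)
    sessions, _ = parse_table(session_text)
    users, _ = parse_table(user_text, header=USER_HEADER)
    report = {t["LocalTID"]: dict(t, sessions=[], users=[]) for t in tunnels}
    issues = []
    if total is not None and total != len(tunnels):
        issues.append(f"trailer reports {total} tunnels but {len(tunnels)} are listed")
    for s in sessions:
        entry = report.get(s["LocalTID"])
        if entry is None:
            issues.append(f"session {s['LocalSID']} references unknown tunnel {s['LocalTID']}")
        else:
            entry["sessions"].append(s)
    for u in users:
        entry = report.get(u["LocalTID"])
        if entry is not None:
            entry["users"].append(u["User Name"])
    for tid, entry in report.items():
        if int(entry["Sessions"]) != len(entry["sessions"]):
            issues.append(f"tunnel {tid}: Sessions={entry['Sessions']} but "
                          f"{len(entry['sessions'])} sessions listed")
    return report, issues


if __name__ == "__main__":
    rep, probs = tunnel_report(TUNNEL_OUTPUT, SESSION_OUTPUT, USER_OUTPUT)
    for tid, entry in rep.items():
        print(tid, entry["RemoteName"], entry["RemoteAddress"], entry["users"],
              [s["Idle-Time-Left"] for s in entry["sessions"]])
    print("issues:", probs)
```

Because the session view carries Idle-Time-Left and the tunnel view carries RemoteName and RemoteAddress, the joined report is the natural input for a periodic check that no tunnel is up from an unexpected peer address and that idle sessions are actually being aged out by the session idle-time setting.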
1.1.6 display ppp access-control
Syntax
display ppp access-control [ interface type number ]
View
Any view
Parameter
interface type number: Specifies an interface by its type and number. Currently, you can only specify a VT (virtual template) interface.
Description
Use the display ppp access-control command to display statistics about the dynamic packet filtering firewalls on VA (virtual access) interfaces.
Example
# Display statistics about the dynamic packet filtering firewalls on VA interfaces.
[H3C] display ppp access-control interface virtual-template 2
Interface: Virtual-Template2:0
User Name: mike
In-bound Policy: acl 3000
From 2000-04-29 18:47:05 to 2000-04-29 18:47:16
0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Interface: Virtual-Template2:1
User Name: tim
In-bound Policy: acl 3001
From 2000-04-30 18:41:05 to 2000-04-30 18:47:16
0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Table 1-4 Description on the fields of the display ppp access-control command
| Field | Description |
| Interface | VA interface through which the PPP user accesses |
| User Name | Name of the PPP user |
| In-bound Policy | ACL created for the packet filtering firewall of the PPP user |
| From xx to xx | Time period during which the firewall is active |
| x packets, x bytes, x% permitted | Permitted ACL-matching packets, bytes, and permission percentage |
| x packets, x bytes, x% denied | Denied ACL-matching packets, bytes, and denial percentage |
| x packets, x bytes, x% permitted default | ACL-mismatching packets permitted by default, bytes, and permission percentage |
| x packets, x bytes, x% denied default | ACL-mismatching packets denied by default, bytes, and denial percentage |
| Totally x packets, x bytes, x% permitted | Total permitted packets, bytes, and permission percentage |
| Totally x packets, x bytes, x% denied | Total denied packets, bytes, and denial percentage |
1.1.7 interface virtual-template
Syntax
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number
View
System view
Parameter
virtual-template-number: Number of the virtual template, an integer in the range 0 to 1023.
Description
Use the interface virtual-template command to create a virtual template.
Use the undo interface virtual-template command to delete the virtual template.
By default, no virtual template is created.
Virtual templates are mainly used to configure the parameters of virtual interfaces that the router creates dynamically in operation, such as MP interfaces (bundled logical interfaces) and L2TP logical interfaces.
Related command: allow l2tp.
Example
# Create virtual template 1 and enter its view.
[H3C] interface virtual-template 1
1.1.8 l2tp-auto-client enable
Syntax
l2tp-auto-client enable
undo l2tp-auto-client enable
View
Virtual template interface view
Parameter
None
Description
Use the l2tp-auto-client enable command to enable the LAC client to set up an L2TP tunnel.
Use the undo l2tp-auto-client enable command to disable the LAC client from setting up an L2TP tunnel.
Example
# Enter virtual template interface view.
[H3C] interface virtual-template 1
# Enable the LAC client to set up an L2TP tunnel.
[H3C-Virtual-Template1] l2tp-auto-client enable
1.1.9 l2tp enable
Syntax
l2tp enable
undo l2tp enable
View
System view
Parameter
None
Description
Use the l2tp enable command to enable the L2TP function.
Use the undo l2tp enable command to disable the L2TP function.
By default, the L2TP function is disabled.
This command and its undo form enable and disable the L2TP function. The L2TP service can be provided only when this function is enabled.
After an L2TP tunnel has been set up successfully, or has failed to be set up because of an authentication failure, you may disable and then re-enable L2TP on the LAC side. If an L2TP tunnel still cannot be set up in this case, there are two situations:
- When the LAC serves as the client, use the undo l2tp-auto-client enable command and then the l2tp-auto-client enable command in virtual template interface view on the LAC side to set up an L2TP tunnel.
- When the LAC does not serve as the client, that is, a user dials in to the LAC remotely, the user must reconnect to set up an L2TP tunnel.
Related command: l2tp-group.
Example
# Enable the L2TP function on the router.
[H3C] l2tp enable
1.1.10 l2tpmoreexam enable
Syntax
l2tpmoreexam enable
undo l2tpmoreexam enable
View
System view
Parameter
None
Description
This command is used on the LNS side of L2TP.
Use the l2tpmoreexam enable command to enable the L2TP multi-instance function.
Use the undo l2tpmoreexam enable command to disable the function.
By default, the L2TP multi-instance function is disabled.
The multi-instance service can be deployed only after the multi-instance function is enabled.
Related command: l2tp enable.
Example
# Enable the multi-instance function on the LNS side.
[H3C] l2tpmoreexam enable
1.1.11 l2tp-group
Syntax
l2tp-group group-number
undo l2tp-group group-number
View
System view
Parameter
group-number: Number of the L2TP group, an integer ranging from 1 to 1000.
Description
Use the l2tp-group command to create an L2TP group.
Use the undo l2tp-group command to delete the L2TP group.
By default, no L2TP group is created.
Deleting an L2TP group with the undo l2tp-group command also deletes all of its configuration information. (L2TP group 1 can be the default L2TP group.)
You can configure a device as both LAC and LNS; in this case, the user names cannot be the same.
Related command: allow l2tp and start l2tp.
Example
# Create L2TP group 2 and enter L2TP group 2 view.
[H3C] l2tp-group 2
[H3C-l2tp2]
1.1.12 mandatory-chap
Syntax
mandatory-chap
undo mandatory-chap
View
L2TP group view
Parameter
None
Description
Use the mandatory-chap command to force the LNS to perform CHAP authentication again with the client.
Use the undo mandatory-chap command to disable CHAP re-authentication.
By default, CHAP re-authentication is not performed.
After the LAC performs agent authentication on clients, the LNS can authenticate them again to enhance security. If the mandatory-chap command is used, each VPN client whose tunnel connection is initiated by the access server is authenticated both on the access server side and on the LNS side. Some PPP clients may not support this second authentication; in that case, local CHAP authentication will fail.
Related command: mandatory-lcp.
Example
# Perform mandatory CHAP authentication.
[H3C-l2tp1] mandatory-chap
1.1.13 mandatory-lcp
Syntax
mandatory-lcp
undo mandatory-lcp
View
L2TP group view
Parameter
None
Description
Use the mandatory-lcp command to allow the LNS and the client to renegotiate the Link Control Protocol (LCP) between them.
Use the undo mandatory-lcp command to disable LCP renegotiation.
By default, LCP is not renegotiated.
For a NAS-initiated VPN client, PPP negotiation is first performed with the Network Access Server (NAS) at the beginning of a PPP session. If the negotiation succeeds, the access server initiates the tunnel connection and passes the information collected during the negotiation to the LNS, which judges whether the user is legitimate based on that information. The mandatory-lcp command forces the LNS and the client to renegotiate LCP; in this case, the NAS agent authentication information is ignored. If a PPP client does not support LCP renegotiation, the renegotiation will fail.
Related command: mandatory-chap.
Example
# Enable LCP renegotiation.
[H3C-l2tp1] mandatory-lcp
1.1.14 ppp access-control enable
Syntax
ppp access-control enable
undo ppp access-control enable
View
VT interface view
Parameter
None
Description
Use the ppp access-control enable command to enable L2TP-based EAD on the interface.
Use the undo ppp access-control enable command to disable L2TP-based EAD on the interface.
By default, this function is disabled.
Example
# Disable L2TP-based EAD on VT 1.
[H3C-Virtual-Template1] undo ppp access-control enable
1.1.15 ppp access-control match-fragments
Syntax
ppp access-control match-fragments { normally | exactly }
undo ppp access-control match-fragments
View
VT interface view
Parameter
normally: Sets the normal matching pattern.
exactly: Sets the exact matching pattern.
Description
Use the ppp access-control match-fragments command to set the fragment matching pattern for all VA packet filtering firewalls on the VT interface.
Use the undo ppp access-control match-fragments command to restore the default pattern.
By default, the fragment matching pattern is normal for all VA packet filtering firewalls on a VT interface.
Related command: acl, display acl, firewall fragments-inspect.
Example
# Set the exact fragment matching pattern for all VA packet filtering firewalls on interface VT1.
[H3C-Virtual-Template1] ppp access-control match-fragments exactly
1.1.16 reset l2tp session
Syntax
reset l2tp session session-id
View
User view
Parameter
session-id: Local identifier of the session connection.
Description
Use the reset l2tp session command to disconnect a session. When the user calls in again, the session can be set up again.
Related command: reset l2tp tunnel.
Example
# Disconnect an L2TP session.
<H3C> reset l2tp session 1
1.1.17 reset l2tp tunnel
Syntax
reset l2tp tunnel { remote-name | tunnel-id }
View
User view
Parameter
remote-name: Name of the peer end of the tunnel, a character string of 1 to 30 characters.
tunnel-id: Local ID of the tunnel.
Description
Use the reset l2tp tunnel command to clear the specified tunnel connection and all sessions on the tunnel.
A tunnel connection forcibly disconnected by the reset l2tp tunnel command can be re-established when the remote user calls in again. You can specify the tunnel connections to disconnect by remote name: if no tunnel connection with that name exists, the current tunnel connections are not affected, and if several tunnel connections have that name (with different IP addresses), all of them are cleared. When tunnel-id is specified, only the corresponding tunnel connection is disconnected.
Related command: display l2tp tunnel.
Example
# Clear the tunnel connection with the peer name AS8010.
<H3C> reset l2tp tunnel AS8010
1.1.18 reset l2tp user
Syntax
reset l2tp user user-name
View
User view
Parameter
user-name: L2TP user name.
Description
Use the reset l2tp user command to disconnect the L2TP connection of the specified user. When the user calls in again, the connection can be set up again.
Related command: reset l2tp tunnel, reset l2tp session.
Example
# Disconnect the current L2TP user.
<H3C> reset l2tp user H3C@h3c
1.1.19 session idle-time
Syntax
session idle-time time
undo session idle-time
View
L2TP group view
Parameter
time: Timeout period in the range 0 to 10000 seconds. It defaults to 0, meaning the session never expires.
Description
Use the session idle-time command to set the L2TP session idle-timeout timer. Upon expiration of this timer, the L2TP session is disconnected.
Use the undo session idle-time command to disable the idle-timeout timer.
By default, the L2TP session never expires.
Example
# Enter L2TP group view.
[H3C] l2tp-group 1
# Set the L2TP session idle-timeout timer to 600 seconds.
[H3C-l2tp1] session idle-time 600
1.1.20 start l2tp
Syntax
start l2tp { ip ip-addr [ ip ip-addr ] [ ip ip-addr ] ... } { domain domain-name | fullusername user-name }
undo start
View
L2TP group view
Parameter
ip ip-addr: IP address of the peer end of the tunnel (LNS). At most five IP addresses can be set, so that the LNSs back each other up.
domain-name: Domain name that triggers connection requests, a case-sensitive character string of 1 to 30 characters.
user-name: Full user name that triggers connection requests, a case-sensitive character string of 1 to 32 characters.
Description
Use the start l2tp command to specify the conditions that trigger the local end to place calls when it works as an L2TP LAC.
Use the undo start l2tp command to delete the specified triggering conditions.
This command is used on the LAC side to specify the IP address of the LNS. It supports several conditions for triggering connection requests:
- Initiating a tunnel connection request according to the user's domain name. For example, if the domain name of the user's company is h3c.com, users with this domain name can be specified as VPN users.
- Deciding whether a user is a VPN user according to the dialed number. For example, if the number 8810188 is specified as the special service number, an access user who dials this number is a VPN user.
- Specifying a user as a VPN user directly by full user name.
For a VPN user, the local end (LAC) sends an L2TP tunnel connection request to an LNS according to the configured LNS priority or order. If it receives a response from that LNS within the specified period, the LAC takes it as the peer end of the tunnel; if not, the LAC sends the tunnel connection request to the next LNS.
These ways of identifying VPN users may conflict. For example, the LNS address specified by full user name may be 1.1.1.1 while that specified by domain name is 1.1.1.2. To avoid such situations, a user search order is defined: the system always starts by looking for the L2TP group specified by full user name; if it finds no match, it continues the search by domain name.
Caution:
If the domain-name in this command is specified, it must be the same as that configured on the LNS side using the allow l2tp command. Otherwise, the user cannot pass authentication.
Example
# Specify users with the domain name h3c.com as VPN users, with the IP address of the L2TP access server at the headquarters being 202.38.168.1.
[H3C-l2tp1] start l2tp ip 202.38.168.1 domain h3c.com
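The search order and LNS fallback described above can be captured in a few lines, which is useful when reviewing a LAC configuration for trigger rules that shadow each other. The Python below is an added example, not H3C code: it applies the full-user-name-before-domain order this reference specifies, treats both matches as case-sensitive as the parameter descriptions require, and walks the configured LNS list in order. The `probe` callback that stands in for the tunnel request and response with each LNS is an assumption of the example.

```python
"""LAC-side model of start l2tp trigger matching: a dialling user is mapped to
an L2TP group by full user name first, then by domain name (the search order
this reference specifies), and the group's LNS addresses are then tried in
configured order.  Added example, not H3C code.  The `probe` callback that
stands in for the tunnel request/response with each LNS is an assumption."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class StartRule:
    group: int
    lns_addrs: List[str]                  # at most five LNS addresses, tried in order
    domain: Optional[str] = None          # `domain domain-name` trigger
    fullusername: Optional[str] = None    # `fullusername user-name` trigger

    def __post_init__(self):
        # The syntax takes exactly one trigger and between one and five LNS addresses.
        if (self.domain is None) == (self.fullusername is None):
            raise ValueError("start l2tp takes exactly one of domain / fullusername")
        if not 1 <= len(self.lns_addrs) <= 5:
            raise ValueError("start l2tp takes between one and five LNS addresses")


def select_rule(rules: List[StartRule], username: str) -> Optional[StartRule]:
    """Full user name match first, then domain match; both case-sensitive."""
    for r in rules:
        if r.fullusername == username:
            return r
    domain = username.split("@", 1)[1] if "@" in username else None
    for r in rules:
        if r.domain is not None and r.domain == domain:
            return r
    return None   # not a VPN user: no tunnel request is triggered


def choose_lns(rule: StartRule, probe: Callable[[str], bool]) -> Optional[str]:
    """Send the tunnel request to each LNS in order; `probe(addr)` returns True
    when that LNS answered within the timeout.  None means every LNS failed."""
    for addr in rule.lns_addrs:
        if probe(addr):
            return addr
    return None


if __name__ == "__main__":
    cfg = [StartRule(1, ["1.1.1.2"], domain="h3c.com"),            # constructed rules
           StartRule(2, ["1.1.1.1"], fullusername="alice@h3c.com")]
    for user in ("alice@h3c.com", "bob@h3c.com", "carol@other.com"):
        rule = select_rule(cfg, user)
        print(user, "->", f"group {rule.group}" if rule else "local user")
```

With the two constructed rules, alice@h3c.com reaches the LNS at 1.1.1.1 through the full-user-name rule even though her domain also matches the h3c.com rule pointing at 1.1.1.2, which is precisely the conflict the description resolves by search order.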
1.1.21 start l2tp tunnel
Syntax
start l2tp tunnel
View
L2TP group view
Parameter
None
Description
Use the start l2tp tunnel command to enable the L2TP LAC to start an L2TP tunnel connection.
This command is used only on the LAC side.
Related command: tunnel keepstanding.
Example
# Enable the LAC to start an L2TP tunnel connection. It requests the LNS at 1.1.1.1 first and then the LNS at 2.2.2.2 if no response is received.
[H3C-l2tp1] start l2tp ip 1.1.1.1 ip 2.2.2.2 fullusername vpdnuser
[H3C-l2tp1] start l2tp tunnel
Caution:
You must use this command in conjunction with the tunnel keepstanding command. Otherwise, the tunnel will be torn down immediately after it is set up.
1.1.22 tunnel authentication
Syntax
tunnel authentication
undo tunnel authentication
View
L2TP group view
Parameter
None
Description
Use the tunnel authentication command to enable L2TP tunnel authentication.
Use the undo tunnel authentication command to disable L2TP tunnel authentication.
By default, L2TP tunnel authentication is performed.
Normally, authentication should be performed at both ends of the tunnel for security. Tunnel authentication is not required only for network connectivity tests or for receiving connections from a nameless peer.
Example
# Set the router not to authenticate the peer end of the tunnel.
[H3C-l2tp1] undo tunnel authentication
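What tunnel authentication actually checks is a challenge/response on the tunnel password (the string configured with the tunnel password command further down this reference). The following Python is an added example, not H3C code: it simulates both ends of the handshake using the CHAP-style computation defined in RFC 2661, where each Challenge Response AVP is the MD5 of the message-type octet, the shared secret and the peer's challenge. The challenge bytes are constructed inside the example, and the single function stands in for the real SCCRQ, SCCRP and SCCCN control messages.

```python
"""Worked L2TP tunnel authentication handshake between a LAC and an LNS.
Added example, not H3C code.  The shared secret is what `tunnel password`
configures on both ends; the response computation follows RFC 2661
(MD5 over the message-type octet, the shared secret and the peer's
challenge, as in CHAP).  The challenge bytes are constructed inside the
example, and the single-function "exchange" stands in for the real
SCCRQ/SCCRP/SCCCN messages."""
import hashlib
import hmac
import os

SCCRP, SCCCN = 2, 3   # control message types that carry a Challenge Response AVP


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(msg_type || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_setup(lac_secret: bytes, lns_secret: bytes, rng=os.urandom):
    """Simulate both ends.  Returns (lac_accepts_lns, lns_accepts_lac);
    a (False, False) result is a tunnel torn down during setup."""
    lac_chal = rng(16)            # SCCRQ from the LAC carries this Challenge AVP
    lns_chal = rng(16)            # SCCRP from the LNS carries its own Challenge AVP
    # SCCRP also answers the LAC's challenge, using the LNS's copy of the secret.
    lns_resp = challenge_response(SCCRP, lns_secret, lac_chal)
    # The LAC recomputes the expected value with its own secret (constant-time compare).
    lac_accepts = hmac.compare_digest(
        lns_resp, challenge_response(SCCRP, lac_secret, lac_chal))
    if not lac_accepts:
        return False, False       # LAC sends StopCCN: no SCCCN is ever sent
    # SCCCN from the LAC answers the LNS's challenge; the LNS verifies it.
    lac_resp = challenge_response(SCCCN, lac_secret, lns_chal)
    lns_accepts = hmac.compare_digest(
        lac_resp, challenge_response(SCCCN, lns_secret, lns_chal))
    return lac_accepts, lns_accepts


if __name__ == "__main__":
    print("matching passwords:", tunnel_setup(b"itsme-secret", b"itsme-secret"))
    print("mismatched passwords:", tunnel_setup(b"itsme-secret", b"Itsme-secret"))
```

The whole proof of identity is a 16-byte MD5 over a password of at most 16 characters (the range the tunnel password syntax allows), so the protection this command gives is bounded by how unguessable that password is and by keeping it identical on both ends; a mismatch fails at the SCCRP step, before any session is created, which is the symptom to look for when a tunnel never reaches the SCCCN stage in debugging l2tp control output.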
1.1.23 tunnel avp-hidden
Syntax
tunnel avp-hidden
undo tunnel avp-hidden
View
L2TP group view
Parameter
None
Description
Use the tunnel avp-hidden command to configure Attribute Value Pair (AVP) data to be transmitted in hidden format.
Use the undo tunnel avp-hidden command to restore the default way of transmitting AVP data.
By default, the tunnel transmits AVP data in plain text.
Some L2TP protocol parameters are transmitted as AVP data. If higher data security is desired, this command can be used to transmit AVP data in hidden format.
Example
# Set AVP data to be transmitted in hidden format.
[H3C-l2tp1] tunnel avp-hidden
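"Hidden format" is a specific transformation rather than general encryption, and knowing what it is helps judge how much this command buys. The Python below is an added example, not H3C code: it implements AVP hiding as RFC 2661 section 4.3 defines it (length prefix, optional random padding, then a chained XOR with MD5 blocks derived from the tunnel secret and the Random Vector AVP) together with the receiving side's unhiding. The attribute type number, secret, random vector and value are constructed for the example.

```python
"""AVP hiding, the transformation `tunnel avp-hidden` turns on: the attribute
value is prefixed with its length, padded, and XORed with an MD5 keystream
derived from the tunnel secret and a Random Vector AVP (RFC 2661 section 4.3).
Added example, not H3C code.  The attribute type, secret, random vector and
value used below are constructed for the example."""
import hashlib
import os
from typing import Optional


def _keystream_block(attr_type: int, secret: bytes, rv: bytes,
                     prev_cipher: Optional[bytes]) -> bytes:
    """b(1) = MD5(attr_type || secret || RV); b(i) = MD5(secret || c(i-1))."""
    if prev_cipher is None:
        return hashlib.md5(attr_type.to_bytes(2, "big") + secret + rv).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def hide_avp(attr_type: int, secret: bytes, rv: bytes, value: bytes,
             pad_len: int = 0) -> bytes:
    """Hidden AVP value: (2-byte length || value || random padding), XORed
    16 bytes at a time with the chained keystream.  Padding hides the length."""
    plain = len(value).to_bytes(2, "big") + value + os.urandom(pad_len)
    out, prev = bytearray(), None
    for i in range(0, len(plain), 16):
        block = _keystream_block(attr_type, secret, rv, prev)
        cipher = bytes(a ^ b for a, b in zip(plain[i:i + 16], block))  # last chunk may be short
        out += cipher
        prev = cipher          # the chain is keyed from the ciphertext side
    return bytes(out)


def unhide_avp(attr_type: int, secret: bytes, rv: bytes, hidden: bytes) -> bytes:
    """Receiver side: regenerate the keystream from the received ciphertext
    chunks, strip the length prefix and padding, and sanity-check the length."""
    plain, prev = bytearray(), None
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = _keystream_block(attr_type, secret, rv, prev)
        plain += bytes(a ^ b for a, b in zip(cipher, block))
        prev = cipher
    length = int.from_bytes(plain[:2], "big")
    if len(plain) < 2 or length > len(plain) - 2:
        raise ValueError("length field inconsistent: wrong secret or corrupted AVP")
    return bytes(plain[2:2 + length])


if __name__ == "__main__":
    secret, rv = b"itsme-secret", os.urandom(16)   # constructed secret and Random Vector
    hidden = hide_avp(48, secret, rv, b"vpdnuser", pad_len=5)   # 48: example attribute type
    print(hidden.hex())
    print(unhide_avp(48, secret, rv, hidden))
```

Everything in the keystream derives from the tunnel password and a random vector sent in clear on the same control message, so hiding keeps AVP contents (such as user or host names) out of a plain packet capture but offers nothing against anyone who holds the tunnel password; it is worth enabling only alongside tunnel authentication and a strong tunnel password, and never as a substitute for protecting the transport itself.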
1.1.24 tunnel flow-control
Syntax
tunnel flow-control
undo tunnel flow-control
View
L2TP group view
Parameter
None
Description
Use the tunnel flow-control command to enable L2TP tunnel flow control.
Use the undo tunnel flow-control command to disable the flow control function.
By default, L2TP tunnel flow control is not performed.
Example
# Enable the flow control function.
[H3C-l2tp1] tunnel flow-control
1.1.25 tunnel keepstanding
Syntax
tunnel keepstanding
undo tunnel keepstanding
View
L2TP group view
Parameter
None
Description
Use the tunnel keepstanding command to enable the tunnel-hold function of L2TP, which prevents the tunnel from being disconnected when no session is present.
Use the undo tunnel keepstanding command to disable the tunnel-hold function of L2TP.
Caution:
For this command to take effect on a tunnel, you must configure it at both ends of the tunnel.
Example
# Enter L2TP group view.
[H3C] l2tp-group 1
# Enable the tunnel-hold function of L2TP.
[H3C-l2tp1] tunnel keepstanding
1.1.26 tunnel name
Syntax
tunnel name name
undo tunnel name
View
L2TP group view
Parameter
name: Local name of the tunnel, a character string of 1 to 30 characters.
Description
Use the tunnel name command to specify the local name of a tunnel.
Use the undo tunnel name command to restore the default local name.
By default, the local name is the router name.
When an L2TP group is created, the system initializes the local name to the router name.
Related command: sysname.
Example
# Set the local name of the tunnel to itsme.
[H3C-l2tp1] tunnel name itsme
1.1.27 tunnel password
Syntax
tunnel password { simple | cipher } password
undo tunnel password
View
L2TP group view
Parameter
simple: Password in plain text.
cipher: Password in ciphertext.
password: Password used for tunnel authentication, a character string of 1 to 16 characters.
Description
Use the tunnel password command to specify the password for tunnel authentication.
Use the undo tunnel password command to remove the tunnel authentication password.
By default, tunnel authentication pass