05-Layer 2—WAN Access Configuration Guide

HomeSupportConfigure & DeployConfiguration GuidesH3C MSR810[2600][3600] Routers Configuration Guides(V7)-R0809-6W40005-Layer 2—WAN Access Configuration Guide
02-L2TP configuration
Title Size Download
02-L2TP configuration 394.27 KB

Contents

Configuring L2TP·· 1

About L2TP· 1

Typical L2TP networking· 1

L2TP message types and encapsulation structure· 1

L2TP tunnel and session· 2

L2TP tunneling modes and tunnel establishment process· 2

L2TP features· 5

L2TP-based EAD·· 7

Protocols and standards· 7

Prerequisites for L2TP· 7

L2TP tasks at a glance· 8

LAC tasks at a glance· 8

LNS tasks at a glance· 8

Configuring basic L2TP capabilities· 9

Configuring an LAC· 10

Configuring an LAC to initiate tunneling requests for a user 10

Specifying LNS IP addresses· 10

Configuring the source IP address of L2TP tunnel packets· 10

Enabling transferring AVP data in hidden mode· 11

Configuring AAA authentication on an LAC· 11

Configuring an LAC to automatically establish an L2TP tunnel 12

Configuring the polling feature· 12

Specifying traffic processing slots for a virtual PPP interface· 13

Restoring the default settings for a virtual PPP interface· 16

Configuring an LNS· 16

Creating a VT interface· 16

Configuring a VA pool 16

Configuring an LNS to accept L2TP tunneling requests from an LAC· 17

Configuring user authentication on an LNS· 17

Configuring AAA authentication on an LNS· 19

Setting the maximum number of ICRQ packets that the LNS can process per second· 19

Configuring optional L2TP parameters· 19

Configuring L2TP tunnel authentication· 19

Setting the Hello interval 20

Enabling session flow control 20

Setting the DSCP value of L2TP packets· 21

Assigning a tunnel peer to a VPN· 21

Setting the TSA ID of the LTS· 21

Setting the receiving window size for an L2TP tunnel 22

Setting the sending window size for an L2TP tunnel 23

Enabling L2TP-based EAD·· 23

Configuring IMSI/SN binding authentication· 24

Configuring IMSI/SN binding authentication on the LNS· 24

Configuring IMSI/SN binding authentication on the LAC client 25

Display and maintenance commands for L2TP· 26

L2TP configuration examples· 26

Example: Configuring a NAS-initiated L2TP tunnel 26

Example: Configuring a client-initiated L2TP tunnel 28

Example: Configuring an LAC-auto-initiated L2TP tunnel 30

Troubleshooting L2TP· 32

Failure to access the private network· 32

Data transmission failure· 33

 


Configuring L2TP

About L2TP

The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.

As a Layer 2 VPN technology, L2TP provides a secure, cost-effective solution for remote users to access private networks.

Typical L2TP networking

Figure 1 L2TP network diagram

As shown in Figure 1, a typical L2TP network has the following components:

·     Remote system—A remote system is usually a remote user's host or a remote branch's device that needs to access the private network.

·     LAC—An L2TP access concentrator (LAC) is both PPP and L2TP capable. It is usually a network access server (NAS) located at a local ISP, which provides access services mainly for PPP users.

An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system by using L2TP and then sends the encapsulated packets to the LNS. It decapsulates packets received from the LNS and then sends the decapsulated packets to the intended remote system.

·     LNS—An L2TP network server (LNS) is both PPP and L2TP capable. It is usually an edge device on an enterprise network.

An LNS is the other endpoint of an L2TP tunnel. It is the logical termination point of a PPP session tunneled by the LAC. L2TP extends the termination point of a PPP session from a NAS to an LNS by establishing a tunnel.

L2TP message types and encapsulation structure

L2TP uses the following types of messages:

·     Control messages—Used to establish, maintain, and delete L2TP tunnels and sessions. Control messages are transmitted over a reliable control channel, which supports flow control and congestion control.

·     Data messages—Used to encapsulate PPP frames, as shown in Figure 2. Data messages are transmitted over an unreliable data channel and are not retransmitted when packet loss occurs. Data messages can use sequence numbers to reorder packets that are disordered during transport.

Figure 2 Data message format

 

As shown in Figure 3, both control messages and data messages are encapsulated in UDP datagrams.

Figure 3 L2TP encapsulation structure

L2TP tunnel and session

An L2TP tunnel is a virtual point-to-point connection between an LAC and an LNS. Multiple L2TP tunnels can be established between an LNS and an LAC. An L2TP tunnel can carry one or more L2TP sessions. Each L2TP session corresponds to a PPP session and is multiplexed on an L2TP tunnel. An L2TP session is established between the LAC and LNS when an end-to-end PPP session is established between a remote system and the LNS. Data frames for the PPP session are transmitted over the tunnel between the LAC and LNS.

L2TP tunneling modes and tunnel establishment process

L2TP tunneling modes include NAS-initiated, client-initiated, and LAC-auto-initiated.

NAS-initiated tunneling mode

As shown in Figure 4, a remote system dials in to the LAC through a PPPoE/ISDN network. The LAC initiates a tunneling request to the LNS over the Internet.

Figure 4 NAS-initiated tunneling mode

A NAS-initiated tunnel has the following characteristics:

·     The remote system only needs to support PPP, and it does not need to support L2TP.

·     Authentication and accounting of the remote system can be implemented on the LAC or LNS.

Figure 5 NAS-initiated tunnel establishment process

As shown in Figure 5, the following workflow is used to establish a NAS-initiated tunnel:

1.     A remote system (Host A) initiates a PPP connection to the LAC (Device A).

2.     The remote system and LAC perform PPP LCP negotiation.

3.     The LAC authenticates PPP user information of Host A by using PAP or CHAP.

4.     The LAC sends the authentication information (username and password) to its RADIUS server (RADIUS server A) for authentication.

5.     RADIUS server A authenticates the user and returns the result.

6.     The LAC initiates an L2TP tunneling request to the LNS (Device B) when the following conditions exist:

¡     The user passes the authentication.

¡     The user is determined to be an L2TP user according to the username or the ISP domain to which the user belongs.

7.     If tunnel authentication is needed, the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establishing an L2TP tunnel.

8.     The LAC and LNS negotiate to establish L2TP sessions.

9.     The LAC sends PPP user information and PPP negotiation parameters to the LNS.

10.     The LNS sends the authentication information to its RADIUS server (RADIUS server B) for authentication.

11.     RADIUS server B authenticates the user and returns the result.

12.     If the user passes the authentication, the LNS assigns a private IP address to the remote system (Host A).

13.     The PPP user can access internal resources of the enterprise.

In steps 12 and 13, the LAC forwards packets for the remote system and LNS. Host A and LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets.

Client-initiated tunneling mode

As shown in Figure 6, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet. The LAC client can directly initiate a tunneling request to the LNS without any dedicated LAC devices.

Figure 6 Client-initiated tunneling mode

A client-initiated tunnel has the following characteristics:

·     A client-initiated tunnel has higher security because it is established between a remote system and the LNS.

·     The remote system must support L2TP and be able to communicate with the LNS. This causes poor expandability.

As shown in Figure 7, the workflow for establishing a client-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 7 Client-initiated tunnel establishment process

LAC-auto-initiated tunneling mode

In NAS-initiated mode, a remote system must successfully dial in to the LAC through PPPoE or ISDN.

In LAC-auto-initiated mode, you can use the l2tp-auto-client command on the LAC to trigger the LAC to initiate a tunneling request to the LNS. When a remote system accesses the private network, the LAC forwards data through the L2TP tunnel.

Figure 8 LAC-auto-initiated tunneling mode

An LAC-auto-initiated tunnel has the following characteristics:

·     The connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.

·     An L2TP session is established immediately after an L2TP tunnel is established. Then, the LAC and LNS, acting as the PPPoE client and PPPoE server, respectively, perform PPP negotiation.

·     The LNS assigns a private IP address to the LAC instead of to the remote system.

As shown in Figure 9, the workflow for establishing an LAC-auto-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 9 Establishment process for LAC-auto-initiated tunnels

L2TP features

·     Flexible identity authentication mechanism and high security—L2TP by itself does not provide security for connections. However, it has all the security features of PPP and allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to improve security for tunneled data.

·     Multiprotocol transmissionL2TP tunnels PPP frames, which can be used to encapsulate packets of multiple network layer protocols.

·     RADIUS authentication—An LAC or LNS can send the username and password of a remote user to a RADIUS server for authentication.

·     Private address allocation—An LNS can dynamically allocate private addresses to remote users. This facilitates address allocation for private internets (RFC 1918) and improves security.

·     Flexible accounting—Accounting can be simultaneously performed on the LAC and LNS. This allows bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway. L2TP can provide accounting data, including inbound and outbound traffic statistics (in packets and bytes) and the connection's start time and end time. The AAA server uses these data for flexible accounting.

·     Reliability—L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can establish a new connection to a secondary LNS. This redundancy enhances the reliability of L2TP services.

·     Issuing tunnel attributes by RADIUS server to LAC—In NAS-initiated mode, the tunnel attributes can be issued by the RADIUS server to the LAC. For the LAC to receive these attributes, enable L2TP and configure remote AAA authentication for PPP users on the LAC.

When an L2TP user dials in to the LAC, the LAC as the RADIUS client sends the user information to the RADIUS server. The RADIUS server authenticates the PPP user, returns the result to the LAC, and issues L2TP tunnel attributes for the PPP user to the LAC. The LAC then sets up an L2TP tunnel and sessions based on the issued L2TP tunnel attributes.

Table 1 Tunnel attributes that can be issued by the RADIUS server

Attribute number

Attribute name

Description

64

Tunnel-Type

Tunnel type, which can only be L2TP.

65

Tunnel-Medium-Type

Transmission medium type for the tunnel, which can only be IPv4.

67

Tunnel-Server-Endpoint

IP address of the LNS.

69

Tunnel-Password

Key used to authenticate a peer of the tunnel.

81

Tunnel-Private-Group-ID

Group ID for the tunnel.

The LAC sends this value to the LNS for the LNS to perform an operation accordingly.

82

Tunnel-Assignment-ID

Assignment ID for the tunnel.

It is used to indicate the tunnel to which a session is assigned. L2TP users with the same Tunnel-Assignment-ID, Tunnel-Server-Endpoint, and Tunnel-Password attributes share an L2TP tunnel.

90

Tunnel-Client-Auth-ID

Tunnel name.

It is used to indicate the local tunnel.

The RADIUS server can issue only one set of the L2TP tunnel attributes in a RADIUS packet.

The RADIUS-issued tunnel attributes override the tunnel attributes manually configured on the LAC, but not vice versa.

·     L2TP tunnel switchingAlso called multihop L2TP tunneling. As shown in Figure 10, the Layer 2 tunnel switch (LTS) terminates L2TP packets from each LAC as an LNS. It then sends these packets to a destination LNS as an LAC.

L2TP tunnel switching has the following features:

¡     Simplified configuration and deployment—When LACs and LNSs are in different management domains:

-     All LACs consider the LTS as an LNS and do not need to differentiate LNSs on the network.

-     All LNSs consider the LTS as an LAC and are not affected by the addition or deletion of LACs.

¡     L2TP tunnel sharing—Different users can share the same L2TP tunnel between the LAC and the LTS. The LTS distributes data of different users to different LNSs.

Figure 10 L2TP tunnel switching network diagram

L2TP-based EAD

EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources. PPP users that fail EAD authentication can only access the resources in the quarantine areas.

EAD uses the following procedure:

1.     The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication, the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to filter incoming packets.

2.     After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode client. The server IP address is permitted by the isolation ACLs.

3.     The CAMS/IMC server authenticates the iNode client and performs security check for the iNode client. If the iNode client passes security check, the CAMS/IMC server assigns security ACLs for the iNode client to the LNS. The iNode client can access network resources.

Protocols and standards

·     RFC 1661, The Point-to-Point Protocol (PPP)

·     RFC 1918, Address Allocation for Private Internets

·     RFC 2661, Layer Two Tunneling Protocol "L2TP"

·     RFC 2868, RADIUS Attributes for Tunnel Protocol Support

Prerequisites for L2TP

When you configure L2TP, perform the following tasks:

1.     Determine the network devices needed according to the networking environment.

¡     For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS.

¡     For client-initiated mode, you only need to configure the LNS.

2.     Configure the devices based on the intended role (LAC or LNS) on the network.

L2TP tasks at a glance

LAC tasks at a glance

To configure a device as an LAC in NAS-initiated or LAC-auto-initiated mode, complete the following tasks:

1.     Configuring basic L2TP capabilities

2.     Configuring an LAC

¡     Configuring an LAC to initiate tunneling requests for a user

This task is required for NAS-initiated mode and unnecessary for LAC-auto-initiated mode.

¡     Specifying LNS IP addresses

¡     Configuring the source IP address of L2TP tunnel packets

¡     (Optional) Enabling transferring AVP data in hidden mode

¡     Configuring AAA authentication on an LAC

This task is required for NAS-initiated mode and unnecessary for LAC-auto-initiated mode.

¡     Configuring an LAC to automatically establish an L2TP tunnel

This task is required for NAS-initiated mode and unnecessary for LAC-auto-initiated mode.

¡     (Optional) Configuring the polling feature

¡     (Optional) Specifying traffic processing slots for a virtual PPP interface

¡     (Optional) Restoring the default settings for a virtual PPP interface

3.     (Optional) Configuring optional L2TP parameters

¡     Configuring L2TP tunnel authentication

¡     Setting the Hello interval

¡     Enabling session flow control

¡     Setting the DSCP value of L2TP packets

¡     Assigning a tunnel peer to a VPN

¡     Setting the TSA ID of the LTS

LNS tasks at a glance

1.     Configuring basic L2TP capabilities

2.     Configuring an LNS

¡     Creating a VT interface

¡     (Optional.) Configuring a VA pool

¡     Configuring an LNS to accept L2TP tunneling requests from an LAC

¡     (Optional.) Configuring user authentication on an LNS

¡     (Optional.) Configuring AAA authentication on an LNS

¡     (Optional.) Setting the maximum number of ICRQ packets that the LNS can process per second

3.     (Optional) Configuring optional L2TP parameters

¡     Configuring L2TP tunnel authentication

¡     Setting the Hello interval

¡     Enabling session flow control

¡     Setting the DSCP value of L2TP packets

¡     Assigning a tunnel peer to a VPN

¡     Setting the TSA ID of the LTS

¡     Setting the receiving window size for an L2TP tunnel

¡     Setting the sending window size for an L2TP tunnel

4.     Enabling L2TP-based EAD

Perform this task to use the security policy server to perform further security check for users that pass the L2TP authentication.

5.     Configuring IMSI/SN binding authentication

Perform this task in either of the following conditions:

¡     A 3G or 4G router acts as a LAC client and accesses the LNS in client-initiated mode.

¡     A 4G router acts as an LAC and is automatically triggered to access the LNS in LAC-auto-initiated mode.

Configuring basic L2TP capabilities

About this task

Basic L2TP capability configuration includes the following tasks:

·     Enabling L2TP—L2TP must be enabled for L2TP configurations to take effect.

·     Creating an L2TP group—An L2TP group is intended to represent a group of parameters. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs. An L2TP group has local significance only. However, the relevant settings of the L2TP groups on the LAC and LNS must match. For example, the local tunnel name configured on the LAC must match the tunnel peer name configured on the LNS.

·     Configuring the local tunnel name—The local tunnel name identifies the tunnel at the local end during tunnel negotiation between an LAC and an LNS.

Procedure

1.     Enter system view.

system-view

2.     Enable L2TP.

l2tp enable

By default, L2TP is disabled.

3.     Create an L2TP group, specify its mode, and enter its view.

l2tp-group group-number mode { lac | lns }

Specify the mode as lac on the LAC side and as lns on the LNS side.

4.     Specify the local tunnel name.

tunnel name name

By default, the device name is used.

The local tunnel name configured on the LAC must match the tunnel peer name configured on the LNS.

Configuring an LAC

Configuring an LAC to initiate tunneling requests for a user

About this task

This task configures an LAC to initiate tunneling requests to an LNS for a user. When the PPP user information matches the specified user, the LAC determines that the PPP user is an L2TP user and initiates tunneling requests to the LNS.

You can specify a user by configuring one of the following items:

·     Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of a PPP user matches the configured fully qualified name.

·     Domain name—The LAC initiates tunneling requests to the LNS only if the ISP domain name of a PPP user matches the configured domain name.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

3.     Configure the LAC to initiate tunneling requests for a user.

user { domain domain-name | fullusername user-name }

By default, an LAC does not initiate tunneling requests for any users.

Specifying LNS IP addresses

About this task

You can specify up to five LNS IP addresses. The LAC initiates an L2TP tunneling request to its specified LNSs consecutively in their configuration order until it receives an acknowledgment from an LNS. That LNS then becomes the tunnel peer.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

3.     Specify LNS IP addresses.

lns-ip { ip-address }&<1-5>

By default, no LNS IP addresses are specified.

Configuring the source IP address of L2TP tunnel packets

Restrictions and guidelines

For high availability, as a best practice, use the IP address of a loopback interface as the source IP address of L2TP tunnel packets on the LAC. If equal cost routing paths exist between the LAC and LNS, you must use the IP address of a loopback interface as the source IP address of L2TP tunnel packets. To do so, use the source-ip command or use the RADIUS server to assign a loopback interface address.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

3.     Configure the source IP address of L2TP tunnel packets.

source-ip ip-address

By default, the source IP address of L2TP tunnel packets is the IP address of the egress interface.

Enabling transferring AVP data in hidden mode

About this task

L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information. Transferring AVP data in hidden mode can hide sensitive AVP data such as user passwords. This feature encrypts AVP data with the key configured by using the tunnel password command before transmission.

Restrictions and guidelines

This configuration takes effect only when the tunnel authentication feature is enabled. For more information about configuring tunnel authentication, see "Configuring L2TP tunnel authentication."

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

3.     Enable transferring AVP data in hidden mode.

tunnel avp-hidden

By default, AVP data is transferred in plain text.

Configuring AAA authentication on an LAC

You can configure AAA authentication on an LAC to authenticate the remote dialup users and initiate a tunneling request only for qualified users. A tunnel will not be established for unqualified users.

The device supports both local AAA authentication and remote AAA authentication.

·     For local AAA authentication, create a local user and configure a password for each remote user on the LAC. The LAC then authenticates a remote user by matching the provided username and password with those configured locally.

·     For remote AAA authentication, configure the username and password of each user on the RADIUS/HWTACACS server. The LAC then sends the remote user's username and password to the server for authentication.

For more information about AAA, see Security Configuration Guide.

To enable AAA authentication on an LAC, you also need to configure PAP or CHAP authentication for PPP users on the user access interfaces. For information about configuring PAP or CHAP, see Configuring PPP in Layer 2WAN Access Configuration Guide.

Configuring an LAC to automatically establish an L2TP tunnel

1.     Enter system view.

system-view

2.     Create a virtual PPP interface and enter its view.

interface virtual-ppp interface-number

3.     Configure the IP address of the virtual PPP interface.

¡     Assign an IP address to the virtual PPP interface.

ip address address mask

By default, no IP address is configured.

¡     Enable IP address negotiation on the virtual PPP interface.

ip address ppp-negotiate

By default, IP address negotiation on a virtual PPP interface is disabled.

4.     Configure the peer to be authenticated.

Use the ppp pap or ppp chap command to specify the PPP authentication method and configure the username and password of the PPP user. The LNS then authenticates the PPP user. For more information, see PPP commands in Layer 2WAN Access Command Reference.

5.     (Optional.) Set the description for the interface.

description text

By default, the description of an interface is in the format of interface-name Interface, for example, Virtual-PPP254 Interface.

6.     (Optional.) Set the MTU size of the interface.

mtu size

The default setting is 1500 bytes.

7.     (Optional.) Set the expected bandwidth for the interface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is interface baudrate divided by 1000.

8.     (Optional.) Bring up the interface.

undo shutdown

By default, an interface is up.

9.     Configure the LAC to automatically establish an L2TP tunnel with the LNS.

l2tp-auto-client l2tp-group group-number

By default, an LAC does not establish an L2TP tunnel.

An L2TP tunnel automatically established in LAC-auto-initiated mode exists until you remove the tunnel by using the undo l2tp-auto-client or undo l2tp-group group-number command.

Configuring the polling feature

About this task

The polling feature checks L2TP link state.

On an interface that uses L2TP encapsulation, the link layer sends keepalives at keepalive intervals to detect the availability of the peer. If the interface fails to receive keepalives when the keepalive retry limit is reached, it tears down the link and reports a link layer down event.

To set the keepalive retry limit, use the timer-hold retry command.

The keepalive interval of 0 disables sending of keepalives.

Restrictions and guidelines

On a slow link, increase the keepalive interval to prevent false shutdown of the interface. This situation might occur when keepalives are delayed because a large packet is being transmitted on the link.

The keepalive interval must be smaller than the negotiation timeout time.

Procedure

1.     Enter system view.

system-view

2.     Enter virtual PPP interface view.

interface virtual-ppp interface-number

3.     Set the keepalive interval.

timer-hold seconds

The default setting is 10 seconds.

4.     Set the keepalive retry limit.

timer-hold retry retries

The default setting is 5.

Specifying traffic processing slots for a virtual PPP interface

About this task

Specify traffic processing slots if a feature requires that all traffic on a virtual PPP interface be processed on the same slot.

For high availability, you can specify one primary and one backup traffic processing slot by using the service command and the service standby command, respectively.

If you specify both primary and backup slots for an interface, traffic on that interface is processed as follows:

·     The backup slot takes over when the primary slot becomes unavailable. The backup slot continues to process traffic for the interface after the primary slot becomes available again. The switchover will not occur until the backup slot becomes unavailable.

·     When no specified traffic processing slots are available, the traffic is processed on the slot at which it arrives. Then, the processing slot that first becomes available again takes over.

If you do not specify a primary or a backup traffic processing slot for an interface, traffic on that interface is processed on the slot at which the traffic arrives.

This command affects only L2TP data messages. The control messages are always processed on the active MPU.

Hardware and feature compatibility

Hardware

Feature compatibility

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK

No

MSR810-LMS, MSR810-LUS

No

MSR810-LMS-EA, MSR810-LME

·     In standalone mode: No

·     In IRF mode: Yes

MSR2600-6-X1, MSR2600-10-X1

No

MSR 2630

·     In standalone mode: No

·     In IRF mode: Yes

MSR3600-28, MSR3600-51

·     In standalone mode: No

·     In IRF mode: Yes

MSR3600-28-SI, MSR3600-51-SI

·     In standalone mode: No

·     In IRF mode: Yes

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD

No

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC

·     In standalone mode: No

·     In IRF mode: Yes

MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-G, MSR3620-G

·     In standalone mode: No

·     In IRF mode: Yes

 

Hardware

Feature compatibility

MSR810-W-WiNet, MSR810-LM-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-4LM-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR2600-6-WiNet, MSR2600-10-X1-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR2630-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR3600-28-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-X1-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet

·     In standalone mode: No

·     In IRF mode: Yes

 

Hardware

Feature compatibility

MSR2630-XS

·     In standalone mode: No

·     In IRF mode: Yes

MSR3600-28-XS

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-XS

·     In standalone mode: No

·     In IRF mode: Yes

MSR3620-XS

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-I-XS

·     In standalone mode: No

·     In IRF mode: Yes

MSR3610-IE-XS

·     In standalone mode: No

·     In IRF mode: Yes

 

Hardware

Feature compatibility

MSR810-LM-GL

No

MSR810-W-LM-GL

No

MSR830-6EI-GL

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-10EI-GL

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-6HI-GL

·     In standalone mode: No

·     In IRF mode: Yes

MSR830-10HI-GL

·     In standalone mode: No

·     In IRF mode: Yes

MSR2600-6-X1-GL

No

MSR3600-28-SI-GL

·     In standalone mode: No

·     In IRF mode: Yes

Restrictions and guidelines

To avoid processing slot switchover, specify the primary slot before specifying the backup slot. If you specify the backup slot before specifying the primary slot, traffic is switched over to the primary slot immediately after you specify the primary slot.

Procedure

1.     Enter system view.

system-view

2.     Enter virtual PPP interface view.

interface virtual-ppp interface-number

3.     Specify a primary traffic processing slot for the interface.

In IRF mode:

service slot slot-number

By default, no primary traffic processing slot is specified for an interface.

4.     Specify a backup traffic processing slot for the interface.

In IRF mode:

service standby slot slot-number

By default, no backup traffic processing slot is specified for an interface.

Restoring the default settings for a virtual PPP interface

Restrictions and guidelines

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you execute it on a live network.

The default command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use the undo forms of these commands or follow the command reference to individually restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Procedure

1.     Enter system view.

system-view

2.     Enter virtual PPP interface view.

interface virtual-ppp interface-number

3.     Restore the default settings for the interface.

default

Configuring an LNS

Creating a VT interface

After an L2TP session is established, a virtual access (VA) interface is needed for data exchange with the peer. The system will dynamically create VA interfaces based on the parameters of the virtual template (VT) interface. To configure an LNS, first create a VT interface and configure the following parameters for it:

·     Interface IP address.

·     Authentication mode for PPP users.

·     IP addresses allocated by the LNS to PPP users.

For information about configuring VT interfaces, see PPP configuration in Layer 2WAN Access Configuration Guide and IP addressing configuration in Layer 3—IP Services Configuration Guide.

Configuring a VA pool

About this task

A VA pool contains a group of VA interfaces. You can configure a VA pool to improve the performance of establishing or terminating L2TP connections. The LNS selects a VA interface from the pool for a requesting user and releases the VA interface when the user goes offline. When a VA pool is exhausted, the system creates a VA interface for an L2TP connection and deletes it when the user goes offline.

Restrictions and guidelines

A VT interface can be associated with only one VA pool. To change the capacity of a VA pool, delete the previous configuration and reconfigure the VA pool.

Creating or deleting a VA pool takes time. During the process of creating or deleting a VA pool, users can come online or go offline, but the VA pool does not take effect.

The system might create a VA pool that contains VA interfaces less than the specified number because of insufficient resources. To view the number of available VA interfaces and the current state of the VA pool, use the display l2tp va-pool command.

Create a VA pool with an appropriate capacity, because a VA pool occupies much system memory.

Deleting a VA pool does not log off the users who are using VA interfaces in the VA pool.

Procedure

1.     Enter system view.

system-view

2.     Create a VA pool.

l2tp virtual-template template-number va-pool va-volume

By default, no VA pool exists.

Configuring an LNS to accept L2TP tunneling requests from an LAC

About this task

When receiving a tunneling request, an LNS performs the following operations:

·     Determines whether to accept the tunneling request by checking whether the name of the tunnel peer (LAC) matches the one configured.

·     Determines the VT interface to be used for creating the VA interface.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3.     Configure the LNS to accept tunneling requests from an LAC and specify the VT interface to be used for tunnel setup.

¡     If the L2TP group number is 1:

allow l2tp virtual-template virtual-template-number [ remote remote-name ]

¡     If the L2TP group number is not 1:

allow l2tp virtual-template virtual-template-number remote remote-name

By default, an LNS denies tunneling requests from any LAC.

If the L2TP group number is 1, the remote remote-name option is optional. If you do not specify this option, the LNS accepts tunneling requests from any LAC.

Configuring user authentication on an LNS

About this task

An LNS can be configured to authenticate a user that has passed authentication on the LAC to increase security. In this case, the user is authenticated once on the LAC and once on the LNS. An L2TP tunnel can be established only when both authentications succeed.

An LNS provides the following authentication methods in ascending order of priority:

·     Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication method configured on the LAC itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.

·     Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who have passed authentication on the LAC.

·     LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The LNS chooses an authentication method depending on your configuration.

·     If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP renegotiation.

·     If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication for users after proxy authentication succeeds.

·     If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication.

Restrictions and guidelines for user authentication on an LNS

This mandatory CHAP authentication and LCP renegotiation methods are effective only on NAS-initiated L2TP tunnels.

For mandatory CHAP authentication to take effect, you must also configure CHAP authentication for the PPP user on the VT interface of the LNS.

For the LNS not to accept LCP negotiation parameters, configure this feature to perform a new round of LCP negotiation between the LNS and the user. In this case, the LNS authenticates the user by using the authentication method configured on the corresponding VT interface.

Configuring mandatory CHAP authentication

1.     Enter system view.

system-view

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3.     Configure mandatory CHAP authentication.

mandatory-chap

By default, CHAP authentication is not performed on an LNS.

Some users might not support the authentication on the LNS. In this situation, do not enable this feature, because CHAP authentication on the LNS will fail.

4.     Return to system view.

quit

5.     Enter VT interface view and set the authentication type of PPP users to CHAP.

For more information about VT interfaces, see PPP configuration in Layer 2WAN Access Configuration Guide.

Configuring LCP renegotiation

1.     Enter system view.

system-view

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3.     Configure the LNS to perform LCP renegotiation with users.

mandatory-lcp

By default, an LNS does not perform LCP renegotiation with users.

This command is effective only on NAS-initiated L2TP tunnels.

If you enable LCP renegotiation but configure no authentication for the corresponding VT interface, the LNS does not perform an additional authentication for users.

Configuring AAA authentication on an LNS

After you configure AAA authentication on an LNS, the LNS can authenticate the usernames and passwords of remote access users. If a user passes AAA authentication, the user can communicate with the LNS to access the private network.

Configure AAA authentication on the LNS in one of the following cases:

·     LCP renegotiation is not configured in NAS-initiated mode.

·     The VT interface is configured with PPP user authentication and LCP renegotiation is configured in NAS-initiated mode.

·     The VT interface is configured with PPP user authentication in client-initiated mode or LAC-auto-initiated mode.

LNS side AAA configurations are similar to those on an LAC (see "Configuring AAA authentication on an LAC").

Setting the maximum number of ICRQ packets that the LNS can process per second

Restrictions and guidelines

To avoid device performance degradation and make sure the LNS can processes ICRQ requests correctly, use this feature to adjust the ICRQ packet processing rate limit.

Procedure

1.     Enter system view.

system-view

2.     Set the maximum number of ICRQ packets that the LNS can process per second.

l2tp icrq-limit number

By default, the maximum number of ICRQ packets that the LNS can process per second is not limited.

Configuring optional L2TP parameters

Configuring L2TP tunnel authentication

About this task

Tunnel authentication allows the LAC and LNS to authenticate each other. Either the LAC or the LNS can initiate a tunnel authentication request.

You can enable tunnel authentication on both sides or either side.

To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.

When neither side is enabled with tunnel authentication, the key settings of the LAC and the LNS do not affect the tunnel establishment.

Restrictions and guidelines

To ensure tunnel security, enable tunnel authentication.

Modifying the tunnel authentication key does not affect the normal communication of current tunnels. The tunnel authentication key change takes effect at next tunnel establishment.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Enable L2TP tunnel authentication.

tunnel authentication

By default, L2TP tunnel authentication is enabled.

4.     Set the tunnel authentication key.

tunnel password { cipher | simple } string

By default, no key is set.

Setting the Hello interval

About this task

To check the connectivity of a tunnel, the LAC and LNS periodically send each other Hello packets. At receipt of a Hello packet, the LAC or LNS returns a response packet. If the LAC or LNS receives no response packets from the peer within the Hello interval, it retransmits the Hello packet. If it receives no response packets from the peer after transmitting the Hello packet five times, it considers the L2TP tunnel to be down.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Set the Hello interval.

tunnel timer hello hello-interval

The default setting is 60 seconds.

Enabling session flow control

About this task

This feature adds sequence numbers to transmitted packets and uses them to reorder packets arriving out of order and to detect lost packets.

This feature takes effect on both sent and received L2TP data messages. The L2TP sessions support this feature if either the LAC or LNS is enabled with this feature.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Enable the session flow control feature.

tunnel flow-control

By default, this feature is disabled.

Setting the DSCP value of L2TP packets

About this task

The DSCP field is the first 6 bits of the IP ToS byte. This field marks the priority of IP packets for forwarding. This feature sets the DSCP value for the IP packet when L2TP encapsulates a PPP frame into an IP packet.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Set the DSCP value of L2TP packets.

ip dscp dscp-value

The default setting is 0.

Assigning a tunnel peer to a VPN

About this task

By default, the device transmits L2TP control messages and data messages over the public network. With this feature, the device transmits them in a VPN by searching the routing table in the VPN.

Restrictions and guidelines

When one L2TP endpoint is in a VPN, assign the peer endpoint to the VPN for correct packet forwarding between the two endpoints.

The tunnel peer and the physical port connecting to the tunnel peer must belong to the same VPN. The VPN to which this physical port belongs is configured by using the ip binding vpn-instance command.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Assign the tunnel peer to a VPN.

vpn-instance vpn-instance-name

By default, a tunnel peer belongs to the public network.

Setting the TSA ID of the LTS

About this task

To detect loops, the LTS compares the configured TSA ID with each TSA ID AVP in a received ICRQ packet.

·     If a match is found, a loop exists. The LTS immediately tears down the session.

·     If no match is found, the LTS performs the following operations:

¡     Encapsulates the configured TSA ID into a new TSA ID AVP.

¡     Appends it to the packet.

¡     Sends the packet to the next hop LTS.

Restrictions and guidelines

To avoid loop detection errors, make sure the TSA ID of each LTS is unique.

Procedure

1.     Enter system view.

system-view

2.     Set the TSA ID of the LTS and enable L2TP loop detection on the LTS.

l2tp tsa-id tsa-id

By default, the TSA ID of the LTS is not configured, and L2TP loop detection is disabled on the LTS.

Setting the receiving window size for an L2TP tunnel

About this task

To enable the device to process a larger number of disordered packets, use this command to enlarge the receiving window size for an L2TP tunnel.

The device uses a receiving window to reorder disordered packets based on packet sequence numbers.

If the sequence number of a packet is within the receiving window but does not equal the minimum value of the window, the device performs the following operations:

1.     The device buffers the packet.

2.     The minimum value and maximum value of the receiving window increment by one.

3.     The device continues to check the next arriving packet.

If the sequence number of a packet equals the minimum value of the receiving window, the device performs the following operations:

1.     The device processes the packet.

2.     The minimum value and maximum value of the receiving window increment by one.

3.     The device checks buffered packets for a packet with the sequence number equal to the new minimum value of the receiving window.

4.     If no required packet is found, the device checks the next arriving packet.

If the sequence number of a packet is not within the receiving window, the device drops the packet.

Restrictions and guidelines

In the L2TP tunnel establishment process, the device uses the value specified in L2TP group view as the receiving window size.

Changing the receiving window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Set the receiving window size for the L2TP group.

tunnel window receive size

By default, the receiving window size for an L2TP tunnel is 1024.

Setting the sending window size for an L2TP tunnel

About this task

The packet processing capability of a peer end might mismatch the receiving window size of the peer end in some networks. For example, the actual packet processing capability of the peer end is 10, but the receiving window size of the peer end is 20. To ensure stable L2TP services, you can adjust the sending window size for the device to match the actual packet processing capability of the peer end.

Restrictions and guidelines

The sending window size set in L2TP group view is obtained in the L2TP tunnel establishment process.

·     If the sending window size is 0, the device uses the default sending window size.

·     If the sending window size is not 0, the device uses the specified value as the sending window size.

Changing the sending window size after an L2TP tunnel is established does not affect the established L2TP tunnel.

Procedure

1.     Enter system view.

system-view

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3.     Set the sending window size for the L2TP group.

tunnel window send size

By default, the sending window size for an L2TP tunnel is 0, which means using the value of the receiving window size carried in messages sent by the peer end in the tunnel establishment process. If the messages from the peer end carry no receiving window size in the tunnel establishment process, the sending window size for the device is 4.

Enabling L2TP-based EAD

About this task

In some network environments that require high security, configure this feature and use the security policy server to perform further security check for users that pass the L2TP authentication. Users that pass EAD authentication can access network resources. Users that fail EAD authentication can only access the resources in the quarantine areas.

Restrictions and guidelines

EAD authentication fails if no or incorrect ACLs or rules are configured on the CAMS/IMC server even if EAD is enabled on the LNS.

The LNS can use different ACLs to filter packets from different iNode clients.

As a best practice, use EAD authentication for iNode clients on the Internet and use Portal authentication for iNode clients on a LAN.

Prerequisites

Make sure AAA, RADIUS, L2TP, Portal, and the security policy server are configured as required before you enable L2TP-based EAD.

For more information about AAA, RADIUS, and Portal, see Security Configuration Guide.

For more information about configuring the security policy server, see CAMS EAD Security Policy Manager Help and CAMS EAD Security Policy Manager Help.

Procedure

1.     Enter system view.

system-view

2.     Create a VT interface and enter its view

interface virtual-template interface-number

3.     Enable L2TP-based EAD.

ppp access-control enable

By default, L2TP-based EAD is disabled.

Configuring IMSI/SN binding authentication

Configuring IMSI/SN binding authentication on the LNS

About this task

This feature improves the security of 3G and 4G networks. After this feature is configured, the AAA server checks whether the username/password and IMSI/SN information received from the LNS matches the configuration on the AAA server. Users can come online only when the LNS passes both the username/password authentication and IMSI/SN information check. For more information about 3G and 4G, see "Managing a 3G/4G modem."

Restrictions and guidelines

Configure this feature on the LNS to initiate IMSI/SN binding authentication in either of the following conditions:

·     A 3G or 4G router acts as a LAC client and accesses the LNS in client-initiated mode.

·     A 4G router acts as an LAC and is automatically triggered to access the LNS in LAC-auto-initiated mode.

For an LNS to successfully negotiate the IMSI/SN information of an LAC client or LAC, configure this feature on the LAC client or LAC that establishes L2TP tunnels with the LNS.

Procedure

1.     Enter system view.

system-view

2.     Enter VT interface view.

interface virtual-template interface-number

3.     Configure IMSI/SN binding authentication information by using one of the following methods:

¡     Execute the following commands in sequence to enable the LNS to initiate IMSI/SN binding authentication requests.

ppp lcp imsi request

ppp lcp sn request

By default, the LNS does not initiate IMSI/SN binding authentication requests/

¡     Configure the separator for the received authentication information.

ppp user accept-format imsi-sn split splitchart

By default, no separator is configured for the received authentication information.

The negotiated IMSI/SN information takes precedence over the IMSI or SN information split from the received authentication information. If no IMSI or SN information is received from the peer during the authentication process, the IMSI or SN information split from the received authentication information is used.

4.     (Optional.) Replace the client username with the IMSI or SN information for authentication.

ppp user replace { imsi | sn }

By default, the client username is used for authentication.

Configuring IMSI/SN binding authentication on the LAC client

About this task

After this feature is configured, the LAC client performs one of the following operations during the authentication process:

·     If the LAC client receives binding authentication request from the LNS, the LAC client sends the local IMSI/SN information to the LNS through the reply messages.

·     If the client does not receive binding authentication request from the LNS, the LAC client includes the local IMSI/SN information in the username by using the rule configured by using the ppp user attach-format imsi-sn split command.

Restrictions and guidelines

This feature is supported only when the device acts as a 3G or 4G router. For more information about 3G and 4G routers, see "Managing a 3G/4G modem".

Procedure

1.     Enter system view.

system-view

2.     Enter serial interface view.

interface serial cellular-number:set-number

A serial interface is channelized form a cellular interface by using the serial-set command.

3.     Enable the LAC client to accept the IMSI binding authentication requests from the LNS.

ppp lcp imsi accept

By default, the LAC client does not accept IMSI binding authentication requests.

4.     Enable the LAC client to accept the SN binding authentication requests from the LNS.

ppp lcp sn accept

By default, the LAC client does not accept SN binding authentication requests.

5.     (Optional.) Configure the IMSI information on the LAC client.

ppp lcp imsi string imsi-info

By default, the LAC client automatically obtains the IMSI information from the device.

6.     (Optional.) Configure the SN information on the LAC client.

ppp lcp sn string sn-info

By default, the LAC client automatically obtains the SN information from the device.

7.     (Optional.) Configure the separator for the sent authentication information.

ppp user attach-format imsi-sn split splitchart

By default, no separator is configured for the sent authentication information.

Display and maintenance commands for L2TP

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display L2TP tunnel information.

display l2tp tunnel [ statistics ]

Display L2TP session information.

display l2tp session [ statistics ]

Display information about temporary L2TP sessions.

display l2tp session temporary

Display information about virtual PPP interfaces.

display interface [ virtual-ppp [ interface-number ] ] [ brief [ description | down ] ]

Display VA pool information for L2TP.

display l2tp va-pool

Display access control information for PPP sessions on a VT interface.

display ppp access-control interface virtual-template interface-number

Disconnect an L2TP tunnel.

reset l2tp tunnel { id tunnel-id | name remote-name }

Clear the statistics for virtual PPP interfaces.

reset counters interface [ virtual-ppp [ interface-number ] ]

L2TP configuration examples

Example: Configuring a NAS-initiated L2TP tunnel

Network configuration

As shown in Figure 11, a PPP user is connected to an LNS through an LAC.

Set up an L2TP tunnel between the LAC and LNS to allow the PPP user to access the corporate network.

Figure 11 Network diagram

Procedure

1.     Configure the LAC:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LAC> system-view

[LAC] local-user vpdnuser class network

[LAC-luser-network-vpdnuser] password simple Hello

[LAC-luser-network-vpdnuser] service-type ppp

[LAC-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LAC] domain system

[LAC-isp-system] authentication ppp local

[LAC-isp-system] quit

# Configure CHAP authentication on interface Virtual-Template 1.

[LAC] interface virtual-template 1

[LAC-Virtual-Template1] ppp authentication-mode chap domain system

[LAC-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet1/0/2, and bind the interface to interface Virtual-Template 1.

[LAC] interface gigabitethernet 1/0/2

[LAC-GigabitEthernet1/0/2] pppoe-server bind virtual-template 1

[LAC-GigabitEthernet1/0/2] quit

# Enable L2TP.

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC.

[LAC-l2tp1] tunnel name LAC

# Specify PPP user vpdnuser as the condition for the LAC to initiate tunneling requests.

[LAC-l2tp1] user fullusername vpdnuser

# Specify the LNS IP address as 1.1.2.2.

[LAC-l2tp1] lns-ip 1.1.2.2

# Enable tunnel authentication, and specify the tunnel authentication key as aabbcc.

[LAC-l2tp1] tunnel authentication

[LAC-l2tp1] tunnel password simple aabbcc

[LAC-l2tp1] quit

2.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LNS> system-view

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP.

[LNS] l2tp enable

# Create a PPP address pool.

[LNS] ip pool aaa 192.168.0.10 192.168.0.20

[LNS] ip pool aaa gateway 192.168.0.1

# Create Virtual-Template 1, specify its PPP authentication mode as CHAP, and use address pool aaa to assign IP addresses to the PPP users.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ppp authentication-mode chap domain system

[LNS-virtual-template1] remote address pool aaa

[LNS-virtual-template1] quit

# Create L2TP group 1 in LNS mode.

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS.

[LNS-l2tp1] tunnel name LNS

# Specify Virtual-Template 1 for receiving calls from an LAC.

[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication, and specify the tunnel authentication key as aabbcc.

[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password simple aabbcc

[LNS-l2tp1] quit

3.     On the remote system, enter vpdnuser as the username and Hello as the password in the dial-up network window to dial a PPPoE connection.

Verifying the configuration

# After the dial-up connection is established, use the display ppp access-user command to display the online user information.

[LNS] display ppp access-user user-type lns

Interface Username MAC address    IP address      IPv6 address   IPv6 PDPrefix

VA0       vpdnuser -              192.168.0.10    -              -

# After the dial-up connection is established, the remote system can obtain an IP address and can ping the private IP address of the LNS.

# On the LNS, use the display l2tp tunnel command to check the established L2TP tunnels.

[LNS] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

196      3542      Established   1        1.1.2.1          1701       LAC

# On the LNS, use the display l2tp session command to check the established L2TP sessions.

[LNS] display l2tp session

LocalSID      RemoteSID      LocalTID      State

2041          64             196           Established

Example: Configuring a client-initiated L2TP tunnel

Network configuration

As shown in Figure 12, a PPP user directly initiates a tunneling request to the LNS to access the corporate network.

Figure 12 Network diagram

Procedure

1.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Configure the route between the LNS and the remote host. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP.

[LNS] l2tp enable

# Create a PPP address pool.

[LNS] ip pool aaa 192.168.0.10 192.168.0.20

[LNS] ip pool aaa gateway 192.168.0.1

# Create Virtual-Template 1, specify its PPP authentication mode as CHAP, and use address pool aaa to assign IP addresses to the PPP users.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ppp authentication-mode chap domain system

[LNS-virtual-template1] remote address pool aaa

[LNS-virtual-template1] quit

# Create L2TP group 1 in LNS mode.

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS.

[LNS-l2tp1] tunnel name LNS

# Specify Virtual-Template 1 for receiving calls.

[LNS-l2tp1] allow l2tp virtual-template 1

# Disable tunnel authentication.

[LNS-l2tp1] undo tunnel authentication

2.     Configure the remote host:

# Configure the IP address of the remote host as 2.1.1.1, and configure a route to the LNS (1.1.2.2).

# Create a virtual private L2TP network connection by using the Windows system, or install the L2TP LAC client software, such as WinVPN Client.

# Complete the following configuration procedure (the procedure depends on the client software):

¡     Specify the PPP username as vpdnuser and the password as Hello.

¡     Specify the Internet interface address of the security gateway as the IP address of the LNS. In this example, the Ethernet interface for the tunnel on the LNS has an IP address of 1.1.2.2.

¡     Modify the connection attributes: set the protocol to L2TP, the encryption attribute to customized, and the authentication mode to CHAP.

Verifying the configuration

# On the remote host, initiate the L2TP connection. After the dial-up connection is established, use the display ppp access-user command to display the online user information.

[LNS] display ppp access-user user-type lns

Interface Username MAC address    IP address      IPv6 address   IPv6 PDPrefix

VA0      vpdnuser -              192.168.0.10    -              -

# After the connection is established, the remote host can obtain the IP address 192.168.0.10 and ping the private IP address of the LNS (192.168.0.1).

# On the LNS, use the display l2tp session command to check the established L2TP session.

[LNS-l2tp1] display l2tp session

LocalSID      RemoteSID      LocalTID      State

89            36245          10878         Established

# On the LNS, use the display l2tp tunnel command to check the established L2TP tunnel.

[LNS-l2tp1] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

10878    21        Established   1        2.1.1.1          1701       PC

Example: Configuring an LAC-auto-initiated L2TP tunnel

Network configuration

As shown in Figure 13, configure the LAC to establish an L2TP tunnel with the LNS in LAC-auto-initiated mode. When the PPP user initiates a connection, it uses the established tunnel to access the corporate network.

Figure 13 Network diagram

Procedure

1.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LNS> system-view

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Create Virtual-Template 1, assign an IP address to it, specify its PPP authentication mode as PAP, and assign the IP address 192.168.0.10 to the PPP user.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ip address 192.168.0.1 24

[LNS-virtual-template1] ppp authentication-mode pap

[LNS-virtual-template1] remote address 192.168.0.10

[LNS-virtual-template1] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP, and create L2TP group 1 in LNS mode.

[LNS] l2tp enable

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS, and specify Virtual-Template 1 for receiving tunneling requests from an LAC.

[LNS-l2tp1] tunnel name LNS

[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication, and configure the authentication key as aabbcc.

[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password simple aabbcc

[LNS-l2tp1] quit

# Configure a static route whose next hop address is 192.168.0.10 (IP address that the LNS assigns to Virtual-PPP 1 of the LAC) so that packets destined for the PPP user will be forwarded through the L2TP tunnel.

[LNS] ip route-static 10.2.0.0 16 192.168.0.10

2.     Configure the LAC:

# Configure IP addresses for the interfaces. (Details not shown.)

# Enable L2TP.

<LAC> system-view

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC, and specify the IP address of the tunnel peer (LNS).

[LAC-l2tp1] tunnel name LAC

[LAC-l2tp1] lns-ip 3.3.3.2

# Enable tunnel authentication, and configure the authentication key as aabbcc.

[LAC-l2tp1] tunnel authentication

[LAC-l2tp1] tunnel password simple aabbcc

[LAC-l2tp1] quit

# Create Virtual-PPP 1. Configure its username and password as vpdnuser and Hello and PPP authentication as PAP.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] ip address ppp-negotiate

[LAC-Virtual-PPP1] ppp pap local-user vpdnuser password simple Hello

[LAC-Virtual-PPP1] quit

# Configure a static route so that packets destined for the corporate network will be forwarded through the L2TP tunnel.

[LAC] ip route-static 10.1.0.0 16 virtual-ppp 1

# Trigger the LAC to establish an L2TP tunnel with the LNS.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] l2tp-auto-client l2tp-group 1

3.     On the remote host, configure the LAC as the gateway.

Verifying the configuration

# On the LNS, use the display l2tp session command to display the established L2TP session.

[LNS] display l2tp session

LocalSID      RemoteSID      LocalTID      State

21409         3395           4501          Established

# On the LNS, use the display l2tp tunnel command to display the established L2TP tunnel.

[LNS] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

4501     524       Established   1        3.3.3.1          1701       LAC

# On the LNS, verify that you can ping 10.2.0.1, a private network address on the LAC side. This indicates that hosts on 10.2.0.0/16 and those on 10.1.0.0/16 can communicate with each other through the L2TP tunnel.

[LNS] ping -a 10.1.0.1 10.2.0.1

Ping 10.2.0.1 (10.2.0.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.0.1: icmp_seq=0 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=1 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=2 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=3 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=4 ttl=128 time=1.000 ms

 

--- Ping statistics for 10.2.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms

Troubleshooting L2TP

Failure to access the private network

Symptom

The remote system cannot access the private network.

Solution

To resolve the problem:

1.     Verify the following items to avoid tunnel setup failures:

¡     The address of the LNS is configured correctly on the LAC. For more information, see the lns-ip command.

¡     The LNS can accept L2TP tunneling requests from the LAC. For more information, see the allow command.

¡     Tunnel authentication is enabled on both the LAC and the LNS, and the tunnel authentication keys configured on the two sides match.

2.     Verify the following items to avoid PPP negotiation failures:

¡     Usernames and passwords are correctly configured on the LAC and LNS.

¡     IP address negotiation settings are correct on the remote system and LNS.

¡     The authentication type is consistent. For example, the default authentication type for a VPN connection created on Windows 2000 is MS-CHAP. If the peer does not support MS-CHAP, change the authentication type to CHAP on Windows 2000.

Data transmission failure

Symptom

Data transmission fails. A connection is established, but data cannot be transmitted. For example, the LAC and LNS cannot ping each other.

Solution

To resolve the problem:

1.     Use the display ip routing-table command on the LAC and LNS to verify that the LAC has a route to the private network behind the LNS, and vice versa. If no route is available, configure a static route or a dynamic routing protocol.

2.     Increase the link bandwidth to enhance the link availability.

Internet backbone congestion and high packet loss ratio might cause data transmission failures. L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other.

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网