
Configuring the LAC

This section describes how to configure L2TP VPN on the device that serves as an LAC.

Procedure

  1. Enable L2TP.
    1. Choose Network > L2TP > L2TP.
    2. In Configure L2TP, select Enable and click Apply.

      If the Operation succeeded dialog box is displayed, the function is successfully enabled.

      When L2TP is disabled, L2TP configurations cannot take effect.

  2. Configure an L2TP group.

    An L2TP group is the basic unit for establishing an L2TP tunnel. The L2TP group defines the tunnel parameters, such as the VT interfaces used for establishing the tunnel, the tunnel name, and the authentication domain used for user identity authentication.

    1. In L2TP Group List, click Add.
    2. Set required parameters.

      Parameter

      Description

      Group Name

      Indicates the name of an L2TP group.

      Group Type

      Determines whether the device serves as an LAC or LNS. In this section, the device serves as an LAC.

      Local Tunnel Name

      The tunnel name identifies this end of the tunnel to the peer. When the LAC negotiates an L2TP VPN tunnel with the LNS, the SCCRQ packet sent by the LAC carries the tunnel name. The LNS compares the received name with its configured Peer Tunnel Name. If the names match, the L2TP VPN negotiation continues. If they do not match, the negotiation stops and the tunnel fails to be established.

      Local Tunnel Name on the LAC must be consistent with Peer Tunnel Name specified for an L2TP group on the LNS. If the parameter is not set, the LAC uses the device name as the local tunnel name.

      Tunnel Password Authentication

      Indicates whether tunnel password authentication is enabled. Select the item to enable the function; leave it cleared to disable it. When the function is enabled, each end verifies that the other end knows the shared tunnel password before the tunnel is established, so an LNS cannot be tricked into accepting a tunnel from an unknown LAC (or vice versa). Note that this authenticates only the tunnel endpoints; it does not encrypt the traffic carried in the tunnel. You are advised to enable the function.

      The function configurations on the two ends of the tunnel must be consistent. Otherwise, the tunnel fails to be established.

      Password

      Indicates a tunnel password.

      When the LAC negotiates an L2TP VPN tunnel with the LNS, the password itself is not transmitted. Instead, the SCCRQ packet sent by the LAC carries a challenge, and each end returns a response computed from the challenge and its local Password. The LNS uses its local Password to verify the response from the LAC, and the LAC verifies the LNS in the same way. If the verification succeeds, the L2TP VPN negotiation can continue. If the verification fails, the negotiation stops and the tunnel fails to be established.

      The two ends of the tunnel must have the same Password.

      Confirm Password

      To prevent a password input error, enter the password again in Confirm Password.

      Server Address Type

      Indicates the LNS address type, which can be an IP address or a domain name.

      Server Address

      Indicates the IP address of the LNS server. The parameter can be set only when Server Address Type is set to IP Address.

      When the LNS has multiple IP addresses, click the button at the right side to enter additional IP addresses. Click the button at the right side of an added IP address to delete it.

      Server Domain

      Indicates the domain name of the LNS server. The parameter can be set only when Server Address Type is set to Domain.

      The domain name must be a valid domain name that the LAC can resolve through its configured DNS server. Only one domain name can be specified.

      LAC (Call-LNS)

      Enables the automatic LAC dialup function. After the function is enabled, the LAC itself initiates the tunnel to the LNS. Hosts behind the LAC can then access the intranet connected to the LNS without running a PPP dialup client.

      When LAC (Call-LNS) is selected, Password and Tunnel Route need to be set.

      Bound User Type

      The users in the L2TP group can be specified through Authentication Domain and User.

      Authentication Domain

      This parameter can be configured only when Bound User Type is set to Authentication Domain.

      This parameter specifies the authentication domain to which the L2TP group corresponds. When a user in the authentication domain initiates a request for establishing an L2TP VPN tunnel, the LAC uses the parameters of the L2TP group to negotiate the tunnel with the LNS.

      The authentication domain needs to be created on the device in advance and must be consistent with that on the LNS. For more information, see Creating an Authentication Domain.

      User

      When LAC (Call-LNS) is selected, the LAC uses the user name to initiate a request to the LNS for establishing an L2TP VPN tunnel. After authenticating the dialup user, the LNS establishes the L2TP tunnel and session with the LAC.

      Password

      After you select LAC (Call-LNS), set the password for the user.

      Tunnel Route

      When LAC (Call-LNS) is selected, a static route to the enterprise headquarters needs to be configured for the LAC. The destination address of the static route is the IP address of the intranet server to which the LNS is connected. After you set the parameter, the device automatically creates a VT interface and diverts traffic to the interface so that packets can be properly forwarded to the destination address.

      Associated Zone

      Indicates the security zone where the VT interface of the tunnel resides.

    3. Optional: Set Advanced for the L2TP group.

      Click Advanced and specify advanced parameters.

      Parameter

      Description

      Hello Packet Interval

      To ensure normal communication between the LNS and LAC, the LAC periodically sends Hello packets to check whether the LNS is properly connected. If no response is received from the LNS after three consecutive Hello packets, the LAC automatically disconnects the tunnel.

      Hello Packet Interval indicates the interval between two consecutive Hello packets sent by the LAC. The smaller the value, the quicker a fault is detected; the larger the value, the less bandwidth is consumed. In most cases, use the default value.

      AVP Hidden

      After you set the parameter, the LAC and LNS hide (obfuscate) the values of negotiation parameters (AVPs) when negotiating a tunnel, so that they are not readable in clear text on the wire. AVP hiding derives its keys from the tunnel password, so it requires Tunnel Password Authentication to be enabled with the same Password on both ends. Security is enhanced, but the tunnel establishment time is prolonged.

      Outgoing Interface

      Select a loopback interface from the drop-down list. The loopback interface needs to be created in advance. For details on how to create a loopback interface, see Configuring a Loopback Interface.

      By default, the LAC uses the IP address of the physical interface used for establishing a connection with the LNS as the source tunnel IP address to initiate a request for establishing a tunnel.

      If multiple interfaces are connected to the LNS for backup or the preceding interface IP address is not fixed, you can use a loopback interface as a virtual source interface. The IP address of the loopback interface is the IP address of the source tunnel interface. In this way, the source tunnel IP address can be fixed, and the source interface is always Up.

  3. Click OK.

    If the L2TP group is displayed in the L2TP group list, the L2TP group is created successfully.

Follow-up Procedure

Multiple L2TP groups can be created on an LAC. When the LAC needs to establish multiple L2TP VPN tunnels with multiple LNSs, repeat the preceding operations to create multiple L2TP groups.

Copyright © Huawei Technologies Co., Ltd.