
Configuring the LNS

This section describes how to configure L2TP VPN on a device that serves as an LNS.

Procedure

  1. Enable L2TP.
    1. Choose Network > L2TP > L2TP.
    2. In Configure L2TP, select Enable and click Apply.

      If the Operation succeeded dialog box is displayed, L2TP is successfully enabled.

      L2TP configurations do not take effect while L2TP is disabled.

  2. Optional: Enable the function of aging out idle L2TP tunnels.

    Select Enable for Idle Tunnel Timeout, set the aging time, and click Enable.

    After the function is enabled, the LNS monitors the status of all L2TP tunnels. If no service packets (Keepalive packets do not count) are forwarded over an L2TP tunnel within the configured aging time, the LNS tears the tunnel down.
    • If only one of the sessions carried by an L2TP VPN tunnel has been idle for longer than the aging time, the system deletes only that session and keeps the tunnel up.
    • The function takes effect only when the device functions as an LNS.

  3. Configure an L2TP group.

    An L2TP group is the basic unit for establishing an L2TP tunnel. The L2TP group defines parameters, such as the VT interfaces used for establishing a tunnel, tunnel name, and authorization domain for user identity authentication.

    By default, the system has an L2TP group named default-lns, whose group type is LNS. It differs from manually created L2TP groups as follows:
    • Peer Tunnel Name is optional for L2TP group default-lns but mandatory for manually created L2TP groups.

      During tunnel negotiation the LNS normally verifies the tunnel name sent by the peer device. Some third-party devices send no tunnel name at all; L2TP group default-lns, with Peer Tunnel Name left empty, can establish tunnels with such devices. Leaving the name unchecked means any LAC that can reach the LNS passes this first check, so keep Tunnel Password Authentication enabled and an authentication domain configured on that group.

    • L2TP group default-lns can be modified but cannot be deleted. Manually created L2TP groups can be modified and deleted.
    You can use L2TP group default-lns or create an L2TP group to establish an L2TP VPN tunnel with the peer device.

    1. In L2TP Group List, click Add to create an L2TP group.
    2. Set required parameters.

      Parameter

      Description

      Group Name

      Indicates the name of an L2TP group.

      Group Type

      Determines whether the device serves as a LAC or an LNS. In this section, the device serves as an LNS.

      Local Tunnel Name

      Identifies the LNS. If it is not set, Peer Tunnel Name in the LAC's tunnel monitoring list is empty, and with many tunnels the administrator cannot tell such entries apart or maintain them. Set the parameter on the LNS.

      Peer Tunnel Name

      The SCCRQ that the LAC sends to start tunnel negotiation carries the LAC's Local Tunnel Name (the Host Name AVP). The LNS compares it with Peer Tunnel Name. If they match, negotiation continues; if they do not, negotiation stops and the tunnel is not established.

      When L2TP group default-lns is used, the parameter is optional. When L2TP group default-lns is not used, the parameter is mandatory.

      Tunnel Password Authentication

      Indicates whether tunnel password authentication is enabled (selected: enabled; cleared: disabled). With it enabled, each end must prove knowledge of the shared tunnel password before the tunnel comes up, which stops an unknown LAC from opening a tunnel to the LNS. You are advised to enable it. This authenticates the tunnel endpoints only; L2TP itself does not encrypt the tunnelled traffic, so use L2TP over IPSec where confidentiality is needed.

      The setting must be the same on both ends of the tunnel. Otherwise, the tunnel fails to be established.

      Password

      Indicates a tunnel password.

      The password itself is never sent over the tunnel. The SCCRQ from the LAC carries a random challenge; the LNS answers in its SCCRP with a response computed from its local Password and that challenge, and adds a challenge of its own, which the LAC answers in its SCCCN. Each end verifies the other's response against its local Password. If verification succeeds, negotiation continues; if it fails, negotiation stops and the tunnel is not established.

      The two ends of the tunnel must have the same Password.

      Confirm Password

      To prevent a password input error, enter the password again in Confirm Password.

      Authentication Domain

      Indicates the authentication domain to which the L2TP group corresponds. When a user in the authentication domain initiates a request for establishing an L2TP VPN tunnel, the LNS uses the parameters of the L2TP group to negotiate the tunnel with the LAC.

      The authentication domain needs to be created on the LNS in advance and must be consistent with that on the LAC. For more information, see Creating an Authentication Domain.

      If the authentication domain is set to None, any user can pass authentication for L2TP access. Do not use None on an LNS that is reachable from untrusted networks.

      Associated Zone

      Indicates the security zone where the VT interface of the tunnel resides.

      L2TP Authentication

      The PPP authentication mode used for L2TP users. Both ends must use the same mode, or PPP negotiation fails.

    3. Configure a user address pool to assign addresses to L2TP access users.

      In User Address Assignment Setting, set required parameters.

      • If an L2TP user is bound to an IP address, the user uses the bound address directly, and the device does not assign one from the address pool.
      • To bind an L2TP user to an IP address, select Online behavior management and L2TP/L2TP over IPSec on the user management page, choose Add User > User Attributes, set the user and IP/MAC address binding mode to Bidirectional binding, and enter the IP addresses.
      • On the User Management page you can configure up to three IP/MAC addresses for a user. If several IP addresses are configured for an L2TP user, the user accesses with the first one by default.

      Parameter

      Description

      Server Address/Subnet Mask

      Indicates the IP address of the VT interface on the LNS.

      The IP address must reside on the same network segment as address pool addresses.

      In hot standby mode, the server IP address and subnet mask must be configured on both the active and standby devices.

      Address/Address Pool

      • IP Address Pool: a user address pool from which addresses are allocated to multiple users.

      • PeerAddress: a single IP address that is assigned to one L2TP access user only.

      IP Address Pool

      This parameter can be set only when Address/Address Pool is set to IP Address Pool.

      You can create an address pool or reference a created address pool.

      To create a user address pool, you can use either of the following ways:
      • Select Add IP Pool from the drop-down list of this parameter.
      • Choose Object > IP Address Pool. Click Add to create an address pool.

      PeerAddress

      This parameter is set when Address/Address Pool is set to PeerAddress.

      Once the IP address is configured, the user always accesses with that address.

    4. In Advanced, set required advanced parameters.

      Parameter

      Description

      Hello Packet Interval

      To check that the LAC is still reachable, the LNS periodically sends Hello packets. If three consecutive Hello packets get no response from the LAC, the LNS tears the tunnel down.

      Hello Packet Interval is the time between two consecutive Hello packets sent by the LNS. A smaller value detects a failed peer sooner; a larger value uses less bandwidth. In most cases, keep the default value.

      AVP Hidden

      When set, the LAC and LNS hide the values of sensitive AVPs (such as proxied user credentials) in tunnel negotiation messages, using a keystream derived from the tunnel password. This improves security but lengthens tunnel establishment. The option must be set on both the LNS and the LAC, and it relies on a tunnel password shared by both ends.

      Renegotiate LCP Parameters Forcibly

      When set, the LNS does not accept the LCP parameters proxied by the LAC but renegotiates LCP with the L2TP user itself, and then authenticates the user. This improves security but lengthens tunnel establishment.

      Configure LCP renegotiation on the LNS and the user when the LNS needs stricter authentication than the LAC performs, or when the LNS needs to obtain information directly from the user (for example, when the LNS and LAC are from different vendors).

      Perform CHAP Authentication Forcibly

      When set, the LNS performs CHAP authentication of the user again after the LAC has authenticated the user. If this authentication fails, the session is not established. Setting the parameter improves security but lengthens tunnel establishment.

      Set the parameter when CHAP authentication needs to be repeated on the LNS. Unlike Renegotiate LCP Parameters Forcibly, Perform CHAP Authentication Forcibly fixes the PPP authentication mode at CHAP.

      NOTE:

      If neither LCP renegotiation nor forcible CHAP authentication is configured, the LNS performs proxy authentication: it authenticates the user with the credentials that the LAC forwards, without a second authentication exchange with the user.

  4. Click OK.

    If the L2TP group is displayed in the L2TP group list, the L2TP group is created successfully.
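The Python script below is an added example, not Huawei code and not the device's implementation. It walks through the SCCRQ/SCCRP/SCCCN exchange that the Peer Tunnel Name and Password parameters govern, following RFC 2661: the LNS first compares the Host Name the LAC sends with Peer Tunnel Name, then the two ends prove knowledge of the tunnel password by challenge/response without ever sending the password. Tunnel names, the password and the challenges are constructed sample values, and the L2tpGroup class and negotiate() function are names chosen for this example.

```python
"""L2TP control-connection setup checks as an LNS performs them (RFC 2661).
Added illustration, not Huawei code; names, password and challenges are sample values.
"""
import hashlib
import hmac
import os
import struct

SCCRQ, SCCRP, SCCCN = 1, 2, 3                   # control message types
AVP_MESSAGE_TYPE, AVP_HOST_NAME = 0, 7          # AVP attribute types
AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 11, 13


class TunnelRefused(Exception):
    """Negotiation stopped; the message names the check that failed."""


def encode_avp(attr, value, mandatory=True):
    """6-byte AVP header (M/H bits + 10-bit length, vendor ID 0, attribute type) + value."""
    flags = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr) + value


def parse_avps(payload):
    """Walk a control message's AVP list into {attribute type: value}."""
    avps, offset = {}, 0
    while offset < len(payload):
        if len(payload) - offset < 6:
            raise TunnelRefused("truncated AVP header")
        flags, _vendor, attr = struct.unpack_from("!HHH", payload, offset)
        length = flags & 0x03FF
        if length < 6 or offset + length > len(payload):
            raise TunnelRefused("malformed AVP length")
        avps[attr] = payload[offset + 6:offset + length]
        offset += length
    return avps


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 4.4.3: MD5(ID || secret || challenge); ID is the carrying message's type."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class L2tpGroup:
    def __init__(self, local_tunnel_name, peer_tunnel_name=None, password=None):
        self.local_tunnel_name = local_tunnel_name
        self.peer_tunnel_name = peer_tunnel_name  # None: no Host Name check (default-lns)
        self.password = password                  # None: Tunnel Password Authentication off


def build_sccrq(lac_name, lac_challenge):
    msg = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
    if lac_name is not None:                      # some third-party LACs send no Host Name
        msg += encode_avp(AVP_HOST_NAME, lac_name)
    if lac_challenge is not None:
        msg += encode_avp(AVP_CHALLENGE, lac_challenge)
    return msg


def lns_handle_sccrq(group, sccrq):
    """Peer Tunnel Name check, then answer the LAC challenge and issue the LNS challenge."""
    avps = parse_avps(sccrq)
    peer_name = avps.get(AVP_HOST_NAME, b"")
    if group.peer_tunnel_name is not None and peer_name != group.peer_tunnel_name:
        raise TunnelRefused(f"LNS: peer tunnel name {peer_name!r} != {group.peer_tunnel_name!r}")
    sccrp = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP))
    sccrp += encode_avp(AVP_HOST_NAME, group.local_tunnel_name)
    lns_challenge = None
    if group.password is not None:
        if AVP_CHALLENGE not in avps:
            raise TunnelRefused("LNS: tunnel authentication enabled but LAC sent no Challenge")
        sccrp += encode_avp(AVP_CHALLENGE_RESPONSE, challenge_response(SCCRP, group.password, avps[AVP_CHALLENGE]))
        lns_challenge = os.urandom(16)
        sccrp += encode_avp(AVP_CHALLENGE, lns_challenge)
    return sccrp, lns_challenge


def lac_handle_sccrp(lac_password, lac_challenge, sccrp):
    """LAC side: verify the LNS answer to our challenge, then answer the LNS challenge in SCCCN."""
    avps = parse_avps(sccrp)
    scccn = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN))
    if lac_password is not None:
        expected = challenge_response(SCCRP, lac_password, lac_challenge)
        if not hmac.compare_digest(expected, avps.get(AVP_CHALLENGE_RESPONSE, b"")):
            raise TunnelRefused("LAC: LNS failed the tunnel password check")
        scccn += encode_avp(AVP_CHALLENGE_RESPONSE, challenge_response(SCCCN, lac_password, avps[AVP_CHALLENGE]))
    return scccn


def lns_handle_scccn(group, lns_challenge, scccn):
    """LNS side: the LAC must have answered our challenge with the same password."""
    if group.password is not None:
        expected = challenge_response(SCCCN, group.password, lns_challenge)
        if not hmac.compare_digest(expected, parse_avps(scccn).get(AVP_CHALLENGE_RESPONSE, b"")):
            raise TunnelRefused("LNS: LAC failed the tunnel password check")


def negotiate(group, lac_name, lac_password):
    """Run SCCRQ/SCCRP/SCCCN between a simulated LAC and the LNS group; returns (ok, reason)."""
    try:
        lac_challenge = os.urandom(16) if lac_password is not None else None
        sccrp, lns_challenge = lns_handle_sccrq(group, build_sccrq(lac_name, lac_challenge))
        scccn = lac_handle_sccrp(lac_password, lac_challenge, sccrp)
        lns_handle_scccn(group, lns_challenge, scccn)
        return True, "tunnel established"
    except TunnelRefused as exc:
        return False, str(exc)
```

Calling negotiate() with a group that has peer_tunnel_name and password set shows the two failure modes the table describes (name mismatch, password mismatch) and the one the consistency note warns about (tunnel authentication enabled on only one end); a group with neither set behaves like default-lns and accepts a LAC that sends no Host Name.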

Follow-up Procedure

If the LNS needs to establish tunnels with multiple LACs, repeat the preceding steps to create one L2TP group per LAC. Ensure that Peer Tunnel Name in each group matches the Local Tunnel Name configured on the corresponding LAC.
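The AVP Hidden option in the Advanced table refers to the hiding algorithm of RFC 2661 section 4.3, which is keyed on the tunnel password and a per-message Random Vector AVP. The script below is an added example, not Huawei code and not the device's implementation: it hides and unhides one attribute value exactly as the RFC describes (a 2-byte length prefix, random padding, and an MD5 keystream chained on the ciphertext). The tunnel password, the random vector and the attribute value are constructed sample data; the function names are this example's own. The practical point it shows: the strength of hiding is the strength of the tunnel password, and a receiver with the wrong password cannot recover the value.

```python
"""RFC 2661 section 4.3 AVP hiding, the mechanism behind the AVP Hidden option.
Added illustration, not Huawei code; secret, random vector and value are sample data.
"""
import hashlib
import os
import struct

AVP_RANDOM_VECTOR = 36          # must precede any hidden AVP in the same message
AVP_PROXY_AUTHEN_RESPONSE = 33  # typical candidate for hiding: the user's proxied credential


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream_first(attr, secret, random_vector):
    """First 16-byte block binds attribute type, tunnel password and random vector."""
    return hashlib.md5(struct.pack("!H", attr) + secret + random_vector).digest()


def hide_avp_value(attr, secret, random_vector, value):
    """Return the hidden value that goes on the wire (the sender also sets the AVP's H bit)."""
    # Plaintext = 2-byte original length + value + random padding that masks the real length.
    plain = struct.pack("!H", len(value)) + value
    if len(plain) % 16:
        plain += os.urandom(16 - len(plain) % 16)
    hidden, block = b"", _keystream_first(attr, secret, random_vector)
    for i in range(0, len(plain), 16):
        chunk = _xor(plain[i:i + 16], block)
        hidden += chunk
        block = hashlib.md5(secret + chunk).digest()   # next block chains on the ciphertext
    return hidden


def unhide_avp_value(attr, secret, random_vector, hidden):
    """Receiver side: reverse the chain, then trust the length prefix only if it is sane."""
    if len(hidden) < 2:
        raise ValueError("hidden AVP value too short to carry a length prefix")
    plain, block = b"", _keystream_first(attr, secret, random_vector)
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, block)
        block = hashlib.md5(secret + chunk).digest()
    (orig_len,) = struct.unpack("!H", plain[:2])
    if orig_len > len(plain) - 2:
        raise ValueError("length prefix out of range: wrong tunnel password or corrupted AVP")
    return plain[2:2 + orig_len]
```

A receiver with the wrong tunnel password decodes a random length prefix and, almost always, rejects the value; when the prefix happens to be in range it recovers garbage rather than the original. Hiding is not integrity protection, and it does not cover the data channel; the table's advice to pair L2TP with IPSec still applies.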

Copyright © Huawei Technologies Co., Ltd.