
CLI: Example for Configuring L2TP VPN (RADIUS Server Authentication) in the NAS-Initiated Scenario

This section provides an example for configuring L2TP VPN in the NAS-initiated scenario. In this scenario, PPPoE dialup users access intranet resources at the headquarters through the L2TP VPN tunnel between the NAS and the LNS.

Networking Requirements

As shown in Figure 1, a dialup user accesses the Internet through PPPoE. The NAS is the PPPoE access server provided by the service provider, and the LNS is the egress gateway of the enterprise. The device of the dialup user establishes a PPPoE connection with the NAS, and the user then accesses the enterprise intranet through the L2TP VPN tunnel between the NAS and the LNS.

Figure 1 Networking diagram for configuring L2TP VPN in the NAS-initiated scenario

Data Planning

  • NAS
    Interfaces:
      GigabitEthernet 0/0/1: IP address 1.1.1.1/24, security zone Untrust
      GigabitEthernet 0/0/2: IP address 10.1.1.1/24, security zone DMZ
      GigabitEthernet 0/0/3: IP address 10.1.3.1/24, security zone Trust
    L2TP configuration:
      User name: user0001
      Password: Password123
      Local tunnel name: NAS
      Tunnel authentication password: Hello123
      LNS server address: 2.2.2.2

  • LNS
    Interfaces:
      GigabitEthernet 0/0/1: IP address 2.2.2.2/24, security zone Untrust
      GigabitEthernet 0/0/2: IP address 10.1.2.1/24, security zone DMZ
      GigabitEthernet 0/0/3: IP address 192.168.0.1/24, security zone Trust
    L2TP configuration:
      Peer tunnel name: NAS
      Tunnel authentication password: Hello123
      User name: user0001
      Password: Password123
      User address pool: 10.2.1.2/24 to 10.2.1.100/24

Procedure

  • Configure the NAS.
    1. Configure IP addresses for interfaces and assign the interfaces to security zones.

      1. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to the Untrust zone.

        <sysname> system-view
        [sysname] sysname NAS
        [NAS] interface GigabitEthernet 0/0/1 
        [NAS-GigabitEthernet0/0/1] ip address 1.1.1.1 24 
        [NAS-GigabitEthernet0/0/1] quit
        [NAS] firewall zone untrust
        [NAS-zone-untrust] add interface GigabitEthernet 0/0/1
        [NAS-zone-untrust] quit
      2. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to the DMZ.

        [NAS] interface GigabitEthernet 0/0/2 
        [NAS-GigabitEthernet0/0/2] ip address 10.1.1.1 24 
        [NAS-GigabitEthernet0/0/2] quit
        [NAS] firewall zone dmz
        [NAS-zone-dmz] add interface GigabitEthernet 0/0/2
        [NAS-zone-dmz] quit
      3. Set an IP address for GigabitEthernet 0/0/3 and assign the interface to the Trust zone.

        [NAS] interface GigabitEthernet 0/0/3 
        [NAS-GigabitEthernet0/0/3] ip address 10.1.3.1 24 
        [NAS-GigabitEthernet0/0/3] quit
        [NAS] firewall zone trust
        [NAS-zone-trust] add interface GigabitEthernet 0/0/3
        [NAS-zone-trust] quit

    2. Configure the authentication domain and user information.

      1. Set parameters for interconnecting with the RADIUS server.
        [NAS] radius-server template radius_nas 
        [NAS-radius-radius_nas] radius-server shared-key cipher Testforser!12345
        [NAS-radius-radius_nas] radius-server authentication 10.1.1.2 1812
        [NAS-radius-radius_nas] quit
      2. Configure an authentication scheme whose authentication mode is RADIUS.
        [NAS] aaa
        [NAS-aaa] authentication-scheme scheme_radius 
        [NAS-aaa-authen-scheme_radius] authentication-mode radius
        [NAS-aaa-authen-scheme_radius] quit 
        
      3. Configure the authentication domain and reference the RADIUS server template.
        [NAS-aaa] domain default
        [NAS-aaa-domain-default] service-type l2tp
        [NAS-aaa-domain-default] authentication-scheme scheme_radius
        [NAS-aaa-domain-default] radius-server radius_nas

        To implement user name-based policy control on VPN access users, you must specify the internetaccess parameter.

    3. Configure an L2TP group.

      [NAS] l2tp enable
      [NAS] l2tp-group 1
      [NAS-l2tp-1] tunnel name NAS
      [NAS-l2tp-1] start l2tp ip 2.2.2.2 domain default
      [NAS-l2tp-1] tunnel authentication
      [NAS-l2tp-1] tunnel password cipher Hello123
      [NAS-l2tp-1] quit

    4. Configure a VT interface.

      [NAS] interface Virtual-Template 1
      [NAS-Virtual-Template1] ip address 172.16.1.1 24
      [NAS-Virtual-Template1] ppp authentication-mode chap
      [NAS-Virtual-Template1] quit
      [NAS] interface GigabitEthernet 0/0/3
      [NAS-GigabitEthernet0/0/3] pppoe-server bind virtual-template 1
      [NAS-GigabitEthernet0/0/3] quit
      [NAS] firewall zone dmz
      [NAS-zone-dmz] add interface Virtual-Template 1
      [NAS-zone-dmz] quit

    5. Configure a default route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.

      [NAS] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    6. Configure interzone security policies on the NAS.

      Because the PPPoE packets exchanged between the device of the dialup user and the NAS are not subject to any security policy, it is unnecessary to configure a security policy for the PPPoE packets on the NAS.

      # Configure an interzone security policy from the Local zone to the Untrust zone to permit L2TP packets exchanged between the NAS and LNS.

      [NAS] security-policy
      [NAS-policy-security] rule name l2tp_lu
      [NAS-policy-security-rule-l2tp_lu] source-zone local
      [NAS-policy-security-rule-l2tp_lu] destination-zone untrust
      [NAS-policy-security-rule-l2tp_lu] source-address 1.1.1.1 24
      [NAS-policy-security-rule-l2tp_lu] destination-address 2.2.2.2 24
      [NAS-policy-security-rule-l2tp_lu] action permit
      [NAS-policy-security-rule-l2tp_lu] quit

      # Configure a security policy for the NAS to communicate with the RADIUS server.

      [NAS-policy-security] rule name radius_ld
      [NAS-policy-security-rule-radius_ld] source-zone local
      [NAS-policy-security-rule-radius_ld] destination-zone dmz
      [NAS-policy-security-rule-radius_ld] source-address 10.1.1.1 24
      [NAS-policy-security-rule-radius_ld] destination-address 10.1.1.2 24
      [NAS-policy-security-rule-radius_ld] action permit
      [NAS-policy-security-rule-radius_ld] quit

  • Configure the LNS.
    1. Configure IP addresses for interfaces and assign the interfaces to security zones.

      1. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to the Untrust zone.

        <sysname> system-view
        [sysname] sysname LNS
        [LNS] interface GigabitEthernet 0/0/1 
        [LNS-GigabitEthernet0/0/1] ip address 2.2.2.2 24 
        [LNS-GigabitEthernet0/0/1] quit
        [LNS] firewall zone untrust
        [LNS-zone-untrust] add interface GigabitEthernet 0/0/1
        [LNS-zone-untrust] quit
      2. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to the DMZ.

        [LNS] interface GigabitEthernet 0/0/2 
        [LNS-GigabitEthernet0/0/2] ip address 10.1.2.1 24 
        [LNS-GigabitEthernet0/0/2] quit
        [LNS] firewall zone dmz
        [LNS-zone-dmz] add interface GigabitEthernet 0/0/2
        [LNS-zone-dmz] quit
      3. Set an IP address for GigabitEthernet 0/0/3 and assign the interface to the Trust zone.

        [LNS] interface GigabitEthernet 0/0/3 
        [LNS-GigabitEthernet0/0/3] ip address 192.168.0.1 24 
        [LNS-GigabitEthernet0/0/3] quit
        [LNS] firewall zone trust
        [LNS-zone-trust] add interface GigabitEthernet 0/0/3
        [LNS-zone-trust] quit

    2. Configure L2TP access users and an authentication policy on the LNS.

      1. Set parameters for interconnecting with the RADIUS server.
        [LNS] radius-server template radius_lns 
        [LNS-radius-radius_lns] radius-server shared-key cipher Testforser!12345
        [LNS-radius-radius_lns] radius-server authentication 10.1.2.2 1812
        [LNS-radius-radius_lns] quit
      2. Configure RADIUS authentication for user identity authentication.
        [LNS] aaa
        [LNS-aaa] authentication-scheme scheme_radius 
        [LNS-aaa-authen-scheme_radius] authentication-mode radius
        [LNS-aaa-authen-scheme_radius] quit 
        
      3. Configure an address pool.

        If the actual address pool addresses and headquarters addresses reside on the same network segment, you must enable the proxy ARP function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.

        [LNS] ip pool pool
        [LNS-ip-pool-pool] section 1 10.2.1.2 10.2.1.100
        [LNS-ip-pool-pool] quit
      4. Configure the service scheme used by access users.
        [LNS] aaa
        [LNS-aaa] service-scheme l2tp 
        [LNS-aaa-service-l2tp] ip-pool pool
        [LNS-aaa-service-l2tp] quit 
        
      5. Configure the authentication domain and reference the RADIUS server template and authentication scheme.
        [LNS-aaa] domain default
        [LNS-aaa-domain-default] service-type l2tp
        [LNS-aaa-domain-default] authentication-scheme scheme_radius
        [LNS-aaa-domain-default] radius-server radius_lns

        To implement user name-based policy control on VPN access users, you must specify the internetaccess parameter.

    3. Configure a VT interface.

      [LNS] interface Virtual-Template 1
      [LNS-Virtual-Template1] ip address 10.2.1.1 24
      [LNS-Virtual-Template1] ppp authentication-mode chap
      [LNS-Virtual-Template1] remote service-scheme l2tp
      [LNS-Virtual-Template1] quit
      [LNS] firewall zone dmz
      [LNS-zone-dmz] add interface Virtual-Template 1
      [LNS-zone-dmz] quit

    4. Configure an L2TP group.

      The tunnel authentication password on the LNS must be the same as that on the NAS.

      [LNS] l2tp enable
      [LNS] l2tp-group 2
      [LNS-l2tp-2] allow l2tp virtual-template 1 remote NAS
      [LNS-l2tp-2] tunnel authentication
      [LNS-l2tp-2] tunnel password cipher Hello123
      [LNS-l2tp-2] quit

    5. Configure a route to the Internet. It is assumed that the next-hop address of the route from the LNS to the Internet is 2.2.2.1.

      [LNS] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

    6. Configure interzone security policies on the LNS.

      # Configure interzone security policies between the Trust zone and the DMZ to permit traffic from dialup users to the headquarters intranet and the return traffic from the intranet to the dialup users.

      [LNS] security-policy
      [LNS-policy-security] rule name service_td
      [LNS-policy-security-rule-service_td] source-zone trust
      [LNS-policy-security-rule-service_td] destination-zone dmz
      [LNS-policy-security-rule-service_td] source-address 192.168.1.0 24
      [LNS-policy-security-rule-service_td] destination-address 10.2.1.0 24
      [LNS-policy-security-rule-service_td] action permit
      [LNS-policy-security-rule-service_td] quit
      [LNS-policy-security] rule name service_dt
      [LNS-policy-security-rule-service_dt] source-zone dmz
      [LNS-policy-security-rule-service_dt] destination-zone trust
      [LNS-policy-security-rule-service_dt] source-address 10.2.1.0 24
      [LNS-policy-security-rule-service_dt] destination-address 192.168.1.0 24
      [LNS-policy-security-rule-service_dt] action permit
      [LNS-policy-security-rule-service_dt] quit

      # Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets.

      [LNS-policy-security] rule name l2tp_ul
      [LNS-policy-security-rule-l2tp_ul] source-zone untrust
      [LNS-policy-security-rule-l2tp_ul] destination-zone local
      [LNS-policy-security-rule-l2tp_ul] source-address 1.1.1.0 24
      [LNS-policy-security-rule-l2tp_ul] destination-address 2.2.2.0 24
      [LNS-policy-security-rule-l2tp_ul] action permit
      [LNS-policy-security-rule-l2tp_ul] quit

      # Configure a security policy for the communication between the LNS and RADIUS server.

      [LNS-policy-security] rule name radius_ld
      [LNS-policy-security-rule-radius_ld] source-zone local
      [LNS-policy-security-rule-radius_ld] destination-zone dmz
      [LNS-policy-security-rule-radius_ld] source-address 10.1.2.1 24
      [LNS-policy-security-rule-radius_ld] destination-address 10.1.2.2 24
      [LNS-policy-security-rule-radius_ld] action permit
      [LNS-policy-security-rule-radius_ld] quit

  • Configure a PPPoE connection on the PC of an individual user.

Verification

  1. Dialup users perform PPPoE dialup successfully.

  2. When a dialup user goes online, run the display l2tp tunnel command on the NAS and LNS to display established L2TP tunnels. The command output on the LNS is used as an example.
    [LNS] display l2tp tunnel
    L2TP::Total Tunnel: 1

     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance
     ------------------------------------------------------------------------------
     1        1         10.2.1.3         1701     1        NAS
     ------------------------------------------------------------------------------
      Total 1, 1 printed
  3. Run the display l2tp session command to display established sessions. The command output on the LNS is used as an example.

    [LNS] display l2tp session
    L2TP::Total Session: 1

      LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance
     ------------------------------------------------------------------------------
      55        3          1          1                  user0001
     ------------------------------------------------------------------------------
      Total 1, 1 printed

Configuration Scripts

  • Configuration script of the NAS

    #
     sysname NAS
    #
     l2tp enable
     l2tp domain suffix-separator @
    #
    radius-server template radius_nas
     radius-server shared-key cipher %@%@Bhr,Ij`8>9P)^"+#m\QFhif%%@%@
     radius-server authentication 10.1.1.2 1812
    #
    aaa
     authentication-scheme scheme_radius 
      authentication-mode radius
    #
     domain default
      service-type l2tp
      authentication-scheme scheme_radius
      radius-server radius_nas
    #
    l2tp-group 1
     tunnel name NAS
     start l2tp ip 2.2.2.2 domain default
     tunnel authentication
     tunnel password cipher %$%$^-K[,X+KrHiUg"3=DoLNy:\g%$%$
    #
    interface Virtual-Template1
     ip address 172.16.1.1 24
     ppp authentication-mode chap
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     ip address 10.1.3.1 255.255.255.0
     pppoe-server bind virtual-template 1
    #
    firewall zone trust
     add interface GigabitEthernet0/0/3
    #
    firewall zone dmz
     add interface GigabitEthernet0/0/2
     add interface Virtual-Template1
    #
    firewall zone untrust 
     add interface GigabitEthernet0/0/1
    #
     ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    security-policy
      rule name l2tp_lu
        source-zone local
        destination-zone untrust
        source-address 1.1.1.1 24
        destination-address 2.2.2.2 24
        action permit
      rule name radius_ld
        source-zone local
        destination-zone dmz
        source-address 10.1.1.1 24
        destination-address 10.1.1.2 24
        action permit
    
  • Configuration script of the LNS

    #
     sysname LNS
    #
     l2tp enable
     l2tp domain suffix-separator @
    #
    radius-server template radius_lns
     radius-server shared-key cipher %@%@Bhr,Ij`8>9P)^"+#m\QFhif%%@%@
     radius-server authentication 10.1.2.2 1812
    #
    ip pool pool
     section 1 10.2.1.2 10.2.1.100
    #
    aaa
     authentication-scheme scheme_radius
      authentication-mode radius
    # 
     service-scheme l2tp
      ip-pool pool
    #
     domain default
      service-type l2tp
      authentication-scheme scheme_radius
      radius-server radius_lns
    #
    l2tp-group 2
     allow l2tp virtual-template 1 remote NAS
     tunnel password cipher %$%$^-K[,X+KrHiUg"3=DoLNy:\g%$%$
    #
    interface Virtual-Template1
     ip address 10.2.1.1 24
     ppp authentication-mode chap
     remote service-scheme l2tp
    #
    interface GigabitEthernet0/0/1
     ip address 2.2.2.2 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     ip address 192.168.0.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet0/0/3
    #
    firewall zone dmz 
     add interface GigabitEthernet0/0/2
     add interface Virtual-Template1 
    #
    firewall zone untrust 
     add interface GigabitEthernet0/0/1
    #
     ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
    #
    security-policy
      rule name service_td
        source-zone trust
        destination-zone dmz
        source-address 192.168.1.0 mask 255.255.255.0
        destination-address 10.2.1.0 mask 255.255.255.0
        action permit
      rule name service_dt
        source-zone dmz
        destination-zone trust
        source-address 10.2.1.0 mask 255.255.255.0
        destination-address 192.168.1.0 mask 255.255.255.0
        action permit
      rule name l2tp_ul
        source-zone untrust
        destination-zone local
        source-address 1.1.1.0 mask 255.255.255.0
        destination-address 2.2.2.0 mask 255.255.255.0
        action permit
      rule name radius_ld
        source-zone local
        destination-zone dmz
        source-address 10.1.2.1 mask 255.255.255.0
        destination-address 10.1.2.2 mask 255.255.255.0
        action permit
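The settings the procedure above depends on (the NAS tunnel name matching the remote name the LNS allows, tunnel authentication on both ends, and a Local/Untrust security policy on each firewall that covers both tunnel endpoints) can be cross-checked offline against the saved scripts. The Python below is an added example, not Huawei code: it parses constructed excerpts of the two scripts above and reports any mismatch; the endpoint addresses come from the data plan and assume GigabitEthernet 0/0/1 is the tunnel endpoint on each device.

```python
from ipaddress import ip_address, ip_network
# Constructed excerpts of the NAS and LNS scripts above (page values; cipher lines omitted).
NAS_CFG = """l2tp-group 1
 tunnel name NAS
 tunnel authentication
  rule name l2tp_lu
    source-zone local
    destination-zone untrust
    source-address 1.1.1.1 24
    destination-address 2.2.2.2 24
    action permit"""
LNS_CFG = """l2tp-group 2
 allow l2tp virtual-template 1 remote NAS
 tunnel authentication
  rule name l2tp_ul
    source-zone untrust
    destination-zone local
    source-address 1.1.1.0 mask 255.255.255.0
    destination-address 2.2.2.0 mask 255.255.255.0
    action permit"""
NAS_IP, LNS_IP = ip_address("1.1.1.1"), ip_address("2.2.2.2")  # tunnel endpoints from the data plan
ANY = ip_network("0.0.0.0/0")  # a rule without an address clause matches any address

def parse(cfg):
    c = {"auth": False, "rules": []}
    for t in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if t[:2] == ["tunnel", "name"]:
            c["local_name"] = t[2]
        elif t[:2] == ["allow", "l2tp"]:
            c["remote_name"] = t[t.index("remote") + 1]
        elif t == ["tunnel", "authentication"]:
            c["auth"] = True
        elif t[:2] == ["rule", "name"]:
            c["rules"].append({"name": t[2]})
        elif t[0].endswith("-address"):  # "1.1.1.1 24" or "1.1.1.0 mask 255.255.255.0"
            c["rules"][-1][t[0]] = ip_network(f"{t[1]}/{t[-1]}", strict=False)
        elif t[0] in ("source-zone", "destination-zone", "action"):
            c["rules"][-1][t[0]] = t[1]
    return c

def check_pair(nas_cfg, lns_cfg, nas_ip=NAS_IP, lns_ip=LNS_IP):
    """Return findings for the NAS/LNS pair; an empty list means the pair is consistent."""
    nas, lns, out = parse(nas_cfg), parse(lns_cfg), []
    if nas.get("local_name") != lns.get("remote_name"):
        out.append("tunnel name on the NAS differs from the remote name the LNS allows")
    if not (nas["auth"] and lns["auth"]):
        out.append("tunnel authentication is not enabled on both ends")
    # The NAS initiates, so it is the source on both firewalls: Local->Untrust out, Untrust->Local in.
    for dev, cfg, sz, dz in (("NAS", nas, "local", "untrust"), ("LNS", lns, "untrust", "local")):
        ok = any(r.get("action") == "permit" and r.get("source-zone") == sz and r.get("destination-zone") == dz
                 and nas_ip in r.get("source-address", ANY) and lns_ip in r.get("destination-address", ANY)
                 for r in cfg["rules"])
        if not ok:
            out.append(f"{dev} has no {sz}->{dz} permit rule covering both L2TP endpoints")
    return out
```

Run check_pair on the two scripts exported from the real devices; each finding names the device and the setting that must be corrected before the tunnel will come up.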
    
Copyright © Huawei Technologies Co., Ltd.