< Home

Configuring the LAC

This section describes the methods and precautions for configuring the LAC.

Context

Figure 1 shows the procedures for configuring L2TP VPN on the LAC and their referencing relationships, which helps you better understand and complete service configuration.

This figure provides only critical configuration procedures and their referencing relationships, not all procedures.

Figure 1 Flowchart for configuring L2TP VPN on the LAC

Procedure

  1. Configure an L2TP group.
    1. Enable L2TP in the system view.

      l2tp enable

    2. Create an L2TP group and access the view of the L2TP group.

      l2tp-group group-name

    3. Configure LNS addresses.

      start l2tp { lns-domain domain-name | ip ip-address &<1-5> } fullusername user-name [ vpn-instance vpn-instance-name ]

      Backup LNS addresses can be configured on the LAC. A maximum of five LNS addresses can be configured on the LAC. Specifically, an LAC can establish connections with a maximum of five LNSs. Normally, the LAC initiates L2TP connection requests to the LNSs based on the LNS configuration sequence until an LNS accepts the connection request.

      In the scenario where one LAC corresponds to multiple backup LNSs and uses RADIUS authentication, if the LNS IP address delivered by the RADIUS server is unreachable, no backup LNS IP address will be used to establish an L2TP tunnel.

    4. Optional: Configure a tunnel source interface.

      tunnel source loopback interface-number

      By default, the LAC uses the IP address of the interface that initiates the L2TP VPN tunnel negotiation as the source address.

      If no IP address is configured for the tunnel source interface, the IP address of the interface used to establish the L2TP VPN tunnel will be used as the source address. Only a loopback interface can be specified as a tunnel source interface.

    5. Optional: Configure the local tunnel name.

      tunnel name tunnel-name

      The tunnel name is a tunnel ID. When the LAC negotiates an L2TP VPN tunnel with the LNS, the SCCRQ packet sent by the LAC carries the tunnel name. The LNS will use the configured peer tunnel name to verify the local tunnel name sent from the LAC. If the verification succeeds, the L2TP VPN negotiation can continue. If the verification fails, the L2TP VPN negotiation stops, and the tunnel fails to be established. The local tunnel name on the LAC must be the peer tunnel name configured for the corresponding the L2TP group on the LNS. If tunnel-name is not set, the LAC uses the device name as the local tunnel name.

    6. Optional: Enable tunnel password authentication.

      tunnel authentication

      Enabling the function enhances the tunnel security. You are advised to enable the function. The function configurations on the two ends of the tunnel must be consistent. Otherwise, the tunnel fails to be established.

      To disable the function, run the undo tunnel authentication command.

    7. Optional: Configure a tunnel authentication password.

      tunnel password cipher password

      A tunnel authentication password needs to be configured only after the tunnel password authentication function is enabled.

      cipher indicates that the password is displayed in cipher text. password specifies a tunnel authentication password. The value is a string of case-sensitive characters, without command line-specific characters, such as spaces and question marks (?). The password can be 32-bit ciphertext password, such as _(TT8F] Y\5SQ=^Q`MAF4<1!! or an explicit-text password of 1 to 16 characters, such as Admin@123.

      The password must meet the minimum complexity requirement. That is, the password must contain at least three of the following, including upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, @, #, $, and %).

      To delete the configured tunnel authentication password, run the undo tunnel password command.

    8. Set the interval for sending tunnel Keepalive packets.

      tunnel timer hello interval

      Hello packets are sent to keep the tunnel alive.

  2. Configure VT interfaces.
    1. Create a VT interface in the system view and access the view of the VT interface.

      interface virtual-template virtual-template-number

      When L2TP VPN is configured on a virtual system, the VT interface cannot be directly configured on the virtual system. The VT interface must be configured through resource binding. Specifically, after a VT interface is configured on the root system, the virtual system administrator uses the assign interface command to bind the configured VT interface to the virtual system.

    2. Configure a user authentication mode.

      ppp authentication-mode { chap | pap } *

      When a user on the LAC establishes a PPP connection with the LAC, they will perform LCP negotiation. If multiple authentication modes are configured on the LAC, the LAC will prefer CHAP authentication. If the other party does not support CHAP authentication, the LAC will use PAP authentication. If the other party does not support the two authentication modes, the LCP negotiation fails.

      PAP is not a secure protocol. Therefore, CHAP is recommended. When an AD server is used to authenticate L2TP access users, only PAP authentication can be used.

    3. Configure a PPP user.

      The configured user name and password are sent to the LNS for verification during the tunnel negotiation. The user name and password must be the same as those on the LNS.

      • If the user authentication mode is CHAP authentication:

        1. Run the ppp chap user user-name command to configure a local user name.
        2. Run the ppp chap password cipher password command to configure a user password.
      • If the user authentication mode is PAP authentication, run the ppp pap local-user user-name password cipher password command to configure a local user name and password.

    4. Enable the IP address negotiation function on the VT interface.

      ip address ppp-negotiate

    5. Specify the user and L2TP group for LAC automatic dialup.

      call-lns local-user username [ binding l2tp-group group-name ]

      When multiple L2TP groups are configured on the LAC (for example, an LAC establishes tunnels with multiple LNSs), you need to set binding l2tp-group to bind the specified L2TP group.

    6. Assign the VT interface to a security zone.

      firewall zone [ name ] zone-name

      add interface virtual-template virtual-template-number

      The VT interface can be assigned to any security zone. The security zone where the VT interface resides affect the security policy on the LAC. For details, see Security Policy.

  3. Configure a source NAT policy.

    1. On the LAC, configure a static route to headquarters servers and set the outbound interface of the route to the VT interface.
    2. Configure source NAT with the VT interface as the outbound interface.

      After source NAT is configured on the LAC, the packets sent by the LNS to respond to employees in the branch can enter the L2TP VPN tunnel, ensuring normal service forwarding. For details, see Source NAT on the LAC.

Parent Topic: Configuring L2TP VPN in the Call-LNS Scenario
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >