This section describes user management and authentication mechanisms when remote access users connect to a FW using L2TP VPN to access intranet resources.
The description in this section also applies to the scenario where remote access users connect to a FW using L2TP over IPSec VPN to access intranet resources.
A FW serves as the VPN access gateway of an enterprise. Remote access users connect to the FW using L2TP VPN and access intranet resources. The entire process involves the following phases:
Connection phase: The FW verifies the user identity, and an L2TP VPN tunnel is established.
Resource access phase: The user accesses intranet resources. The FW can control the accessible network resources based on the users.
Complete the following tasks to enable users to access intranet resources and implement access control on them:
Save user and user group information on a FW to ensure that the information can be referenced by security policies, policy-based routing, traffic policies, quota control policies, proxy policies, audit policies, and L2TP VPNs.
Configure user authentication for the connection phase to prevent unauthorized access. Configure a second authentication for the resource access phase based on network conditions and service needs.
The following describes the two phases of using an L2TP tunnel for each tunnel establishment mode.
The following provides an example of local authentication in which users and user groups are created and passwords are specified on a FW, and the FW verifies user identities. The implementation of server authentication is the same except that users are authenticated by an authentication server instead of the FW.
As shown in Figure 1, an L2TP tunnel is established in automatic LAC dial-up mode between a branch office and the headquarters. In the connection phase, a FW (LNS) authenticates a LAC. After an L2TP tunnel is established, branch office users can access intranet resources at the headquarters.
In the connection phase, the FW verifies only the LAC identity. Therefore, in the resource access phase, the FW must implement a second authentication on branch office users. The FW records the mappings between the users and IP addresses after successful authentication. The FW controls user permissions and behaviors based on the policies specified for the remote access users or their groups.
As shown in Figure 2, an L2TP tunnel is established in NAS-initiated mode between a branch office and the headquarters, and an L2TP tunnel is established in client-initiated mode between an employee on a business trip and the headquarters. In the connection phase, user names and passwords are used to trigger the establishment of both L2TP tunnels. During the establishment of an L2TP tunnel, a FW (LNS) assigns a private IP address to a remote access user and records the mapping between the user and the private IP address.
In the resource access phase, the FW controls user permissions and behaviors based on the recorded information. A second authentication on the user is not required.
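The behaviour described for the two tunnel establishment modes, as an added illustration that is not part of the original documentation or the FW software: in LAC auto-dial mode the LNS authenticates only the LAC, so traffic from branch users has no user-to-IP mapping until a second authentication succeeds, whereas NAS-initiated and client-initiated tunnels record the mapping at tunnel setup. The users, LAC, passwords, group policy and IP addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum

class TunnelMode(Enum):
    LAC_AUTO_DIAL = "lac-auto-dial"        # LNS verifies only the LAC identity
    NAS_INITIATED = "nas-initiated"        # user name/password trigger the tunnel
    CLIENT_INITIATED = "client-initiated"  # user dials the LNS directly

# Constructed sample data: local users -> (password, group), and LAC tunnel credentials.
USERS = {"alice": ("alice-pw", "finance"), "bob": ("bob-pw", "sales")}
LACS = {"branch-lac": "lac-pw"}
# Constructed sample policy: user group -> intranet resources it may reach.
GROUP_POLICY = {"finance": {"erp"}, "sales": {"crm"}}

@dataclass
class Lns:
    user_ip_map: dict = field(default_factory=dict)  # private IP -> user name

    def establish_tunnel(self, mode, name, password, private_ip=None):
        """Connection phase. Returns True when the tunnel comes up."""
        if mode is TunnelMode.LAC_AUTO_DIAL:
            # Only the LAC is authenticated; the branch users stay unknown to the LNS.
            return LACS.get(name) == password
        cred = USERS.get(name)
        if cred is None or cred[0] != password:
            return False
        # NAS-/client-initiated: the LNS assigns the private IP and records the mapping.
        self.user_ip_map[private_ip] = name
        return True

    def second_auth(self, src_ip, name, password):
        """Resource access phase: second authentication for a source with no mapping."""
        cred = USERS.get(name)
        if cred is None or cred[0] != password:
            return False
        self.user_ip_map[src_ip] = name
        return True

    def check_access(self, src_ip, resource):
        """Policy decision for traffic from src_ip: 'auth-required', 'permit' or 'deny'."""
        user = self.user_ip_map.get(src_ip)
        if user is None:
            return "auth-required"  # unknown source: second authentication must run first
        group = USERS[user][1]
        return "permit" if resource in GROUP_POLICY.get(group, set()) else "deny"
```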

You can also configure a second authentication on remote access users in the resource access phase to enforce stricter user authentication.