CLI: Example for Configuring L2TP VPN (RADIUS Authentication) in the Client-Initiated Scenario

This section provides an example for configuring L2TP VPN in the client-initiated scenario. In the client-initiated scenario, the LNS works with the RADIUS server to perform identity authentication for mobile users.

Networking Requirements

On the enterprise network shown in Figure 1, mobile users access intranet resources through L2TP VPN tunnels. The enterprise deploys a RADIUS server to perform identity authentication for the mobile users.

Figure 1 Networking where mobile users access intranet resources through L2TP VPN tunnels

Data Planning

Item		Data
LNS	Interface	Interface ID: GigabitEthernet 0/0/1 IP address: 1.1.1.1/24 Security zone: Untrust Interface ID: GigabitEthernet 0/0/2 IP address: 10.1.1.1/24 Security zone: Trust Interface ID: GigabitEthernet 0/0/3 IP address: 10.1.3.1/24 Security zone: DMZ
	L2TP configuration	User name: user0001 Password: Password123 Peer tunnel name: client Tunnel authentication password: Hello123 Address pool: 172.16.1.2 to 172.16.1.100 NOTE: If the intranet server IP address and address pool addresses are on different network segments, configure a route on the intranet server to an address in the address pool.
	Parameters for interconnection with the RADIUS server	RADIUS server address: 10.1.3.2/24 Shard key: Radius123
Mobile user		User name: user0001 Password: Password123 Tunnel name: client Tunnel authentication password: Hello123

Procedure

Configure the LNS.

Set IP addresses for interfaces and assign the interfaces to security zones.

# Configure IP addresses for interfaces.

<LNS> system-view
[LNS] sysname LNS
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] ip address 1.1.1.1 24 
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/2
[LNS-GigabitEthernet0/0/2] ip address 10.1.1.1 24
[LNS-GigabitEthernet0/0/2] quit
[LNS] interface GigabitEthernet 0/0/3
[LNS-GigabitEthernet0/0/3] ip address 10.1.3.1 24
[LNS-GigabitEthernet0/0/3] quit

# Assign the interfaces to security zones.

[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] firewall zone trust 
[LNS-zone-trust] add interface GigabitEthernet 0/0/2
[LNS-zone-trust] quit
[LNS] firewall zone dmz 
[LNS-zone-dmz] add interface GigabitEthernet 0/0/3
[LNS-zone-dmz] quit

Configure L2TP access users and an authentication policy on the LNS.

Set parameters for interconnecting with the RADIUS server.

[LNS] radius-server template radius_lns 
[LNS-radius-radius_lns] radius-server shared-key cipher Radius123
[LNS-radius-radius_lns] radius-server authentication 10.1.3.2 1645
[LNS-radius-radius_lns] quit

Configure RADIUS authentication for user identity authentication.

[LNS] aaa
[LNS-aaa] authentication-scheme scheme_radius 
[LNS-aaa-authen-scheme_radius] authentication-mode radius
[LNS-aaa-authen-scheme_radius] quit

Configure an address pool.
If the actual address pool addresses and headquarters addresses reside on the same network segment, you must enable the proxy ARP function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.
```
[LNS] ip pool pool
[LNS-ip-pool-pool] section 1 172.16.1.2 172.16.1.100
[LNS-ip-pool-pool] quit
```

Configure the service scheme used by access users.

[LNS] aaa
[LNS-aaa] service-scheme l2tp 
[LNS-aaa-service-l2tp] ip-pool pool
[LNS-aaa-service-l2tp] quit

Configure the authentication domain and reference the RADIUS server template and authentication scheme.
```
[LNS-aaa] domain default
[LNS-aaa-domain-default] service-type l2tp
[LNS-aaa-domain-default] authentication-scheme scheme_radius
[LNS-aaa-domain-default] radius-server radius_lns
```
To implement user name-based policy control on VPN access users, you must specify the internetaccess parameter.

Configure a VT interface.

[LNS] interface Virtual-Template 1
[LNS-Virtual-Template1] ip address 172.16.1.1 24
[LNS-Virtual-Template1] ppp authentication-mode pap
[LNS-Virtual-Template1] remote service-scheme l2tp
[LNS-Virtual-Template1] quit
[LNS] firewall zone dmz
[LNS-zone-dmz] add interface Virtual-Template 1
[LNS-zone-dmz] quit

Configure an L2TP group.

The tunnel authentication password on the LNS must be the same as that on the SecoClient.

[LNS] l2tp enable
[LNS] l2tp-group 1
[LNS-l2tp-1] allow l2tp virtual-template 1 remote client domain default
[LNS-l2tp-1] tunnel authentication
[LNS-l2tp-1] tunnel password cipher Hello123
[LNS-l2tp-1] quit

Configure a default route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.
```
[LNS] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```

Configure interzone security policies on the LNS.

# Configure interzone security policies between the Trust zone and DMZ to permit the traffic sent by mobile users to access the intranet of the headquarters and the traffic sent by devices on the intranet of the headquarters to mobile users.

[LNS] security-policy
[LNS-policy-security] rule name service_td
[LNS-policy-security-rule-service_td] source-zone trust
[LNS-policy-security-rule-service_td] destination-zone dmz
[LNS-policy-security-rule-service_td] source-address 10.1.2.0 24
[LNS-policy-security-rule-service_td] destination-address 172.16.1.0 24
[LNS-policy-security-rule-service_td] action permit
[LNS-policy-security-rule-service_td] quit
[LNS-policy-security] rule name service_dt
[LNS-policy-security-rule-service_dt] source-zone dmz
[LNS-policy-security-rule-service_dt] destination-zone trust
[LNS-policy-security-rule-service_dt] source-address 172.16.1.0 24
[LNS-policy-security-rule-service_dt] destination-address 10.1.2.0 24
[LNS-policy-security-rule-service_dt] action permit
[LNS-policy-security-rule-service_dt] quit

# Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets.

[LNS-policy-security] rule name l2tp_ul
[LNS-policy-security-rule-l2tp_ul] source-zone untrust
[LNS-policy-security-rule-l2tp_ul] destination-zone local
[LNS-policy-security-rule-l2tp_ul] destination-address 1.1.1.0 24
[LNS-policy-security-rule-l2tp_ul] action permit
[LNS-policy-security-rule-l2tp_ul] quit

# Configure a security policy for the communication between the LNS and RADIUS server.

[LNS-policy-security] rule name radius_ld
[LNS-policy-security-rule-radius_ld] source-zone local
[LNS-policy-security-rule-radius_ld] destination-zone dmz
[LNS-policy-security-rule-radius_ld] source-address 10.1.3.0 24
[LNS-policy-security-rule-radius_ld] action permit
[LNS-policy-security-rule-radius_ld] quit

Configure a RADIUS server. For how to configure a RADIUS server, see the documents of the RADIUS server.
Configure the SecoClient at the mobile user side.
1. Open the SecoClient and access the home page.
  Select New Connection from the Connect drop-down list.
2. Set L2TP VPN connection parameters.
  In the New Connection navigation tree, select L2TP/IPSec. Set connection parameters and click OK.
  
  The tunnel authentication password is Hello123.
3. Log in to the L2TP VPN gateway.
  1. Select the created L2TP VPN connection from the Connect drop-down list and click Connect.
  2. On the login page, enter the user name and password.
  3. Click Login to initiate a VPN connection request.
    A message on a VPN access success will be displayed on the web UI.
    
    After the connection is established, mobile users can access intranet resources as intranet users.

Verification

Mobile users can properly access intranet servers of the headquarters.

Check the L2TP tunnel establishment on the LNS.

Run the display l2tp tunnel command to check L2TP tunnel information. According to the command output, an L2TP tunnel is established successfully.

[LNS] display l2tp tunnel
L2TP::Total Tunnel: 1 
                      
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance   
 ------------------------------------------------------------------------------
 2        1         2.2.2.2          61535   1         client                   
 ------------------------------------------------------------------------------
  Total 1, 1 printed

Run the display l2tp session command to check L2TP session information. According to the command output, an L2TP session is established successfully.

[LNS] display l2tp session
L2TP::Total Session: 1
                      
  LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance   
 ------------------------------------------------------------------------------
  119       32         2           1         9689    user0001                     
 ------------------------------------------------------------------------------
  Total 1, 1 printed

Configuration Scripts

#
sysname LNS
#
 l2tp enable
 l2tp domain suffix-separator @
#
radius-server template radius_lns
 radius-server shared-key cipher %^%#Dx7bUW}UNDmwB'U[]_M>CpAHG[Cu:R:B{b#o(n3~%^%#
 radius-server authentication 10.1.3.2 1645
#
ip pool pool
 section 0 172.16.1.2 172.16.1.100
#
aaa
 authentication-scheme scheme_radius
  authentication-mode radius
 service-scheme l2tp
  ip-pool pool
 domain default
  authentication-scheme scheme_radius
  radius-server radius_lns
  service-type l2tp
#
l2tp-group 1
 tunnel password cipher %$%$)Ev%*KV_Q1qLG11R-<t%nU]<%$%$
 allow l2tp virtual-template 1 remote client domain default
#
interface Virtual-Template 1
 ppp authentication-mode pap
 remote service-scheme l2tp
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/3
 add interface Virtual-Template1
#  
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  action permit
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name radius_ld
  source-zone local
  destination-zone dmz
  source-address 10.1.3.0 mask 255.255.255.0
  action permit