
L2TP Security

Overview

The Layer 2 Tunneling Protocol (L2TP) is a type of technology that supports the tunneling of PPP packets. It applies to remote access scenarios for mobile employees to access intranet resources.

The device provides local authentication and server authentication for L2TP VPN users. L2TP access authentication is implemented through PPP authentication, which comprises PAP and CHAP. PAP is a two-way handshake authentication protocol that transmits user names and passwords in plaintext. CHAP is a challenge-response authentication protocol: it uses a three-way handshake for identity authentication and transmits passwords in ciphertext rather than in plaintext.

  • Peer Spoofing Prevention

    By default, the system verifies the L2TP tunnel. The tunnel verification request can be initiated by the L2TP access concentrator (LAC) or L2TP network server (LNS). Identity authentication is implemented during tunnel establishment as long as one end enables tunnel authentication. The tunnel can be set up only when the passwords (not empty) on the two ends are the same. Otherwise, the local end automatically removes the tunnel. For security, identity authentication needs to be implemented on both ends.

  • Anti-repudiation

    The device can record such information as the time when the connection is set up and removed, tunnel address, tunnel name, and user name for future auditing and fault locating.

  • DoS

    The device restricts the rate of negotiation packets by discarding excess negotiation packets, preventing resource exhaustion by DoS attacks.

  • Password Security

    In local authentication, you can set whether users are forced to change their passwords upon first login. The device also supports a password validity period and an expiration reminder in local authentication: when a password is about to expire, the system prompts the user to change it. Passwords of local users are hashed with PBKDF2 before being stored in the database.

    • To ensure security, both ends of the tunnel need to authenticate each other. Tunnel authentication may be left disabled only for network connectivity tests or to accept connections initiated by unknown peers.
    • L2TP does not provide encryption and is usually used together with IPSec. The device uses L2TP over IPSec to enhance data transmission security.
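The CHAP handshake described in the overview and the tunnel authentication described under "Peer Spoofing Prevention" both rest on the same challenge-response construction. The following Python model is an added example, not code from the page or from Huawei's implementation: it computes the CHAP response as MD5(identifier || secret || challenge) as RFC 1994 specifies, shows what PAP puts on the wire by comparison, and models L2TP tunnel authentication after RFC 2661, where the LAC and LNS challenge each other in SCCRQ/SCCRP and answer in SCCRP/SCCCN using the control message type as the CHAP identifier. The function names, the user database and the secrets are constructed for the example; the device's exact wire behaviour is not on the page.

```python
import hashlib
import os

# RFC 2661 control message types used as the CHAP identifier in tunnel authentication
SCCRP, SCCCN = 2, 3


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_wire_view(user: str, password: str) -> dict:
    """What a PAP Authenticate-Request exposes: both fields travel in plaintext."""
    return {"peer_id": user, "password": password}


def chap_exchange(user_db: dict, user: str, password: str) -> bool:
    """Three-way PPP CHAP handshake between an authenticator and a peer.

    1. authenticator -> peer: Challenge (identifier, random value)
    2. peer -> authenticator: Response (user name + MD5 digest, never the password)
    3. authenticator -> peer: Success or Failure
    """
    identifier = 1
    challenge = os.urandom(16)                                    # step 1
    response = chap_response(identifier, password.encode(), challenge)  # step 2
    if user not in user_db:                                       # step 3
        return False
    expected = chap_response(identifier, user_db[user], challenge)
    return response == expected


def l2tp_tunnel_auth(lac_secret: bytes, lns_secret: bytes,
                     lac_enabled: bool = True, lns_enabled: bool = True) -> tuple:
    """Model of L2TP tunnel authentication (RFC 2661 section 5.1).

    A side that has tunnel authentication enabled includes a Challenge AVP;
    the other side must answer with a Challenge Response AVP computed over
    its own copy of the shared secret. Returns
    (tunnel_up, lac_verified_lns, lns_verified_lac).
    """
    lac_challenge = os.urandom(16) if lac_enabled else None   # carried in SCCRQ
    lns_challenge = os.urandom(16) if lns_enabled else None   # carried in SCCRP
    lac_verified = lns_verified = False

    if lac_challenge is not None:
        # An empty password never authenticates; the tunnel is torn down.
        if not lac_secret or not lns_secret:
            return False, False, False
        answer = chap_response(SCCRP, lns_secret, lac_challenge)     # LNS answers in SCCRP
        if answer != chap_response(SCCRP, lac_secret, lac_challenge):
            return False, False, False                               # LAC removes the tunnel
        lac_verified = True

    if lns_challenge is not None:
        if not lac_secret or not lns_secret:
            return False, lac_verified, False
        answer = chap_response(SCCCN, lac_secret, lns_challenge)     # LAC answers in SCCCN
        if answer != chap_response(SCCCN, lns_secret, lns_challenge):
            return False, lac_verified, False                        # LNS removes the tunnel
        lns_verified = True

    return True, lac_verified, lns_verified


if __name__ == "__main__":
    users = {"alice": b"Test@123"}                 # constructed local user database
    print("PAP on the wire:", pap_wire_view("alice", "Test@123"))
    print("CHAP ok:", chap_exchange(users, "alice", "Test@123"))
    print("both ends authenticate:", l2tp_tunnel_auth(b"Test@123", b"Test@123"))
    print("LNS only accepts, never verifies LAC:",
          l2tp_tunnel_auth(b"Test@123", b"Test@123", lns_enabled=False))
    print("password mismatch:", l2tp_tunnel_auth(b"Test@123", b"Other@456"))
```

The one-sided case is the point of the "both ends" advice: with authentication enabled on only the LAC, the tunnel comes up with the LNS never having verified who connected to it.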

Impact on the System

None

Procedure

  1. Enter the system view.

    system-view

  2. Configure the PPP authentication method. CHAP is recommended.

    interface Virtual-Template 1
    ppp authentication-mode chap
    quit

  3. Configure the password policy.

    Set the password strength to high (when changing a password, a user has to comply with the requirement), require that a user must change the password upon first login (only for local authentication), set the password validity period and expiry reminder.

    password-policy
    level high
    firstmodify enable
    lefttime 60 alarmtime 15
    quit

  4. Create an L2TP group and enter the L2TP group view.

    l2tp-group group-name

  5. Enable tunnel authentication and set the password. By default, tunnel authentication is enabled and the password is null.

    tunnel authentication

  6. Set the password for the tunnel authentication.

    tunnel password cipher password

    cipher specifies that the password is entered in cipher text. password is the tunnel authentication password, a case-sensitive string that cannot contain any special character used on the command line (such as a space or question mark). It can be given either as cipher text of 32 characters, such as (TT8F ] Y\5SQ=^Q`MAF4<1!!, or as plain text of 1 to 16 characters, such as Test@123.

    For security, the tunnel authentication password needs to contain at least three of the following four types of characters: uppercase letters, lowercase letters, digits (0 to 9), and special characters such as the exclamation mark (!), at sign (@), pound sign (#), dollar sign ($), and percent sign (%).

    To cancel the tunnel authentication password, run the undo tunnel authentication command.
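Steps 3 and 6 of the procedure state rules that can be checked before a password is committed to the device: the character-class and length rules for the plain-text tunnel password, and the local user password policy (forced change on first login, PBKDF2 storage, validity period with an expiry reminder). The following Python is an added example, not part of the page or of the device software: it validates a candidate tunnel password against the rules above, stores and verifies a local user password with PBKDF2-HMAC-SHA256, and mirrors lefttime 60 alarmtime 15 as a status check. The iteration count, the salt length, the assumption that lefttime and alarmtime are expressed in days, and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import string

# Constructed values: the page does not state the device's PBKDF2 parameters.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def check_tunnel_password(pw: str) -> list:
    """Return the rule violations for a plain-text tunnel password (empty list = acceptable)."""
    problems = []
    if not 1 <= len(pw) <= 16:
        problems.append("plain-text password must be 1 to 16 characters")
    if " " in pw or "?" in pw:
        problems.append("must not contain command-line special characters such as space or '?'")
    classes = [
        any(c.isupper() for c in pw),                 # uppercase letters
        any(c.islower() for c in pw),                 # lowercase letters
        any(c.isdigit() for c in pw),                 # digits 0 to 9
        any(c in string.punctuation for c in pw),     # special characters
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digits, special characters")
    return problems


def store_local_password(pw: str, set_day: int = 0) -> dict:
    """Hash a local user's password with PBKDF2 and record when it was set.

    must_change mirrors 'firstmodify enable': the user has to replace the
    password on first login before the record is considered current.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS,
            "must_change": True, "set_day": set_day}


def verify_local_password(record: dict, pw: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def password_status(record: dict, today_day: int, lefttime: int = 60, alarmtime: int = 15) -> str:
    """Mirror of 'lefttime 60 alarmtime 15' (assumed to be in days).

    The password expires lefttime days after it was set; the user is
    reminded once alarmtime or fewer days remain.
    """
    if record["must_change"]:
        return "change-on-first-login"
    remaining = record["set_day"] + lefttime - today_day
    if remaining <= 0:
        return "expired"
    if remaining <= alarmtime:
        return f"expires-in-{remaining}-days"
    return "ok"


if __name__ == "__main__":
    for candidate in ("Test@123", "password", "Bad pw?1"):
        print(candidate, "->", check_tunnel_password(candidate) or "acceptable")
    rec = store_local_password("Test@123")
    print("login with correct password:", verify_local_password(rec, "Test@123"))
    print("status on first login:", password_status(rec, today_day=0))
    rec["must_change"] = False                       # user changed the password at first login
    for day in (10, 50, 60):
        print(f"day {day}:", password_status(rec, today_day=day))
```

Running the check before committing the password lets an operator catch a weak or unparseable value in a change review instead of discovering it when tunnel establishment fails.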

Checking the Security Hardening Result

Copyright © Huawei Technologies Co., Ltd.