L2TP Configuration Commands


Table of Contents

1 L2TP Configuration Commands
  allow l2tp
  display l2tp session
  display l2tp tunnel
  interface virtual-template
  l2tp enable
  l2tp sendaccm enable
  l2tpmoreexam enable
  l2tp-auto-client enable
  l2tp-group
  mandatory-chap
  mandatory-lcp
  reset l2tp tunnel
  start l2tp
  tunnel authentication
  tunnel avp-hidden
  tunnel flow-control
  tunnel name
  tunnel password
  tunnel timer hello

1 L2TP Configuration Commands

allow l2tp

Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow

View
L2TP group view

Parameters
virtual-template-number: Number of the virtual template interface used to create the virtual access (VA) interface, in the range of 0 to 1023.
remote-name: Tunnel name of the peer (the LAC) that initiates the connection request, a case-sensitive string of 1 to 30 characters.
domain-name: Name of the domain that initiates the connection request, a case-insensitive string of 1 to 30 characters.

Description
Use the allow l2tp command to specify the virtual template interface for receiving calls, the tunnel name of the LAC, and the domain name. Use the undo allow command to remove the configuration.
By default, an LNS denies all incoming calls.
The domain domain-name option is required in L2TP multi-instance applications.
The remote remote-name option is optional for L2TP group 1, the default L2TP group. For L2TP group 1 the syntax is therefore allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ], and when remote is omitted a peer with any tunnel name can initiate a tunneling request. If you specify remote remote-name for L2TP group 1, group 1 no longer serves as the default L2TP group.
Some clients send an empty tunnel name. In Windows 2000 beta 2, for example, if the local end name of the VPN connection is null, the peer name received by the device is null too. A default L2TP group lets you test connectivity and accept tunneling requests from such unnamed peers.
Because a default group accepts a tunnel request from any peer, the only checks left on the tunnel peer are tunnel authentication (see tunnel authentication and tunnel password) and the PPP authentication of the user. Use the default group for testing, and use groups with remote remote-name for production LACs.
The allow l2tp command is available only on LNSs. If you specify the tunnel name of the LAC, make sure it is identical to the tunnel name configured on the LAC with the tunnel name command.
Related commands: l2tp-group.

Examples
# Accept the L2TP tunneling request initiated by the peer (LAC) named aaa and create a virtual access interface according to virtual template 1.
[Sysname] l2tp-group 2
[Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa
# Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a virtual access interface based on virtual template 1.
[Sysname-l2tp1] allow l2tp virtual-template 1

display l2tp session

Syntax
display l2tp session

View
Any view

Default level
1: Monitor level

Description
Use the display l2tp session command to display information about L2TP sessions.
Related commands: display l2tp tunnel.

Examples
# Display information about L2TP sessions.
<Sysname> display l2tp session
 Total session = 1
 LocalSID   RemoteSID   LocalTID
 17922      12990       1

Table 1-1 display l2tp session command output description
Field           Description
Total session   Number of active sessions
LocalSID        Unique ID of the session at the local end
RemoteSID       Unique ID of the session at the remote end
LocalTID        Unique ID of the tunnel at the local end

display l2tp tunnel

Syntax
display l2tp tunnel

View
Any view

Default level
1: Monitor level

Description
Use the display l2tp tunnel command to display information about L2TP tunnels. The RemoteName field is the tunnel name the peer announced when it set up the tunnel (the value of its tunnel name command); it is the peer's own claim, and tunnel authentication is what proves that the peer also holds the shared tunnel password.

Examples
# Display information about L2TP tunnels.
<Sysname> display l2tp tunnel
 Total tunnel = 1
 LocalTID   RemoteTID   RemoteAddress   Port   Sessions   RemoteName
 1          1           20.1.1.2        1701   1          lns

Table 1-2 display l2tp tunnel command output description
Field           Description
Total tunnel    Number of active tunnels
LocalTID        Unique ID of the tunnel at the local end
RemoteTID       Unique ID of the tunnel at the remote end
RemoteAddress   IP address of the peer
Port            UDP port number of the peer (1701 is the standard L2TP port)
Sessions        Number of sessions within the tunnel
RemoteName      Tunnel name of the peer

interface virtual-template

Syntax
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number

View
System view

Parameters
virtual-template-number: Number identifying the virtual template interface, in the range of 0 to 1023.

Description
Use the interface virtual-template command to create a virtual template interface and enter its view. Use the undo interface virtual-template command to remove a virtual template interface.
By default, no virtual template interface exists.
A virtual template interface provides the parameters for the virtual access interfaces that the device creates dynamically, such as logical MP interfaces and logical L2TP interfaces.
Related commands: allow l2tp.

Examples
# Create virtual template interface 1 and enter virtual template interface view.
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1]

l2tp enable

Syntax
l2tp enable
undo l2tp enable

View
System view

Description
Use the l2tp enable command to enable L2TP. Use the undo l2tp enable command to disable L2TP.
By default, L2TP is disabled.
L2TP must be enabled for the other L2TP configurations to take effect.
Related commands: l2tp-group.

Examples
# Enable L2TP.
[Sysname] l2tp enable
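The display l2tp tunnel and display l2tp session commands above are what an operator has to audit an LNS with: the tunnel table says who is connected and from where, and the session table says how many sessions each tunnel carries. The following script is an added example (it is not part of this command reference and not H3C/HP code). It parses output in the layout shown above, cross-checks the per-tunnel session counts, and flags tunnels whose announced name or source address is not in a table of expected LACs, which is the check worth running on an LNS that still has a default L2TP group accepting any peer. The sample outputs, the peer names lns, aaa and WIN-PC, and the expected-peer table (assumed to mirror the allow l2tp ... remote configuration) are all constructed.

```python
"""Audit of L2TP tunnel and session listings.

Added example, not H3C/HP code: it parses text in the layout that the
display l2tp tunnel and display l2tp session commands print and reports
tunnels that do not match the peers the LNS is supposed to serve.
The sample outputs, the expected-peer table and the peer names are
constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample output in the documented column layout.
TUNNEL_OUTPUT = """\
 Total tunnel = 3
 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
 1        1         20.1.1.2      1701 1        lns
 2        7         203.0.113.5   1701 2        aaa
 3        5         198.51.100.7  1701 1        WIN-PC
"""

SESSION_OUTPUT = """\
 Total session = 4
 LocalSID RemoteSID LocalTID
 17922    12990     1
 17930    4410      2
 17931    4411      2
 17940    9         3
"""

# Tunnel name each LAC announces (the name given to allow l2tp ... remote)
# and the address(es) that LAC is expected to call from.  Constructed values.
EXPECTED_PEERS = {"lns": {"20.1.1.2"}, "aaa": {"20.1.1.9"}}

L2TP_PORT = 1701

TUNNEL_ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
SESSION_ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Tunnel:
    local_tid: int
    remote_tid: int
    remote_addr: str
    port: int
    sessions: int
    remote_name: str  # announced by the peer; only tunnel authentication proves the shared secret


def parse_tunnels(text: str) -> list[Tunnel]:
    """Parse display l2tp tunnel output; the header and Total lines do not match the row regex."""
    rows = [TUNNEL_ROW.match(line) for line in text.splitlines()]
    tunnels = [Tunnel(int(m[1]), int(m[2]), m[3], int(m[4]), int(m[5]), m[6]) for m in rows if m]
    total = re.search(r"Total tunnel = (\d+)", text)
    if total and int(total[1]) != len(tunnels):
        raise ValueError(f"Total tunnel = {total[1]} but {len(tunnels)} rows parsed")
    return tunnels


def parse_sessions(text: str) -> Counter:
    """Parse display l2tp session output into a count of sessions per local tunnel ID."""
    counts = Counter()
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            counts[int(m[3])] += 1
    return counts


def audit(tunnel_text: str, session_text: str, expected=EXPECTED_PEERS) -> list[str]:
    """Return one finding per tunnel that is not from an expected peer or is inconsistent."""
    findings = []
    sessions_per_tunnel = parse_sessions(session_text)
    for t in parse_tunnels(tunnel_text):
        if t.remote_name not in expected:
            findings.append(f"tunnel {t.local_tid}: peer name '{t.remote_name}' from {t.remote_addr} "
                            "is not an expected LAC (accepted through a default L2TP group?)")
        elif t.remote_addr not in expected[t.remote_name]:
            findings.append(f"tunnel {t.local_tid}: '{t.remote_name}' called from {t.remote_addr}, "
                            f"expected {sorted(expected[t.remote_name])}")
        if t.port != L2TP_PORT:
            findings.append(f"tunnel {t.local_tid}: peer port {t.port} is not {L2TP_PORT}")
        if sessions_per_tunnel[t.local_tid] != t.sessions:
            findings.append(f"tunnel {t.local_tid}: {t.sessions} sessions listed, "
                            f"{sessions_per_tunnel[t.local_tid]} found in the session table")
    return findings


if __name__ == "__main__":
    for finding in audit(TUNNEL_OUTPUT, SESSION_OUTPUT):
        print(finding)
```

On the constructed input the script reports two tunnels: tunnel 2, whose peer aaa called from an address other than the one on file, and tunnel 3, whose peer WIN-PC is not a configured LAC at all and could only have been accepted by a default L2TP group. Paste real display output in place of the constants to use it on a device.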

l2tp sendaccm enable

Syntax
l2tp sendaccm enable
undo l2tp sendaccm enable

View
System view

Description
Use the l2tp sendaccm enable command to enable the LNS to send the ACCM (the PPP asynchronous control character map, carried in the L2TP ACCM AVP) to the LAC. Use the undo l2tp sendaccm enable command to disable ACCM sending.
By default, an LNS sends the ACCM.

Examples
# Disable ACCM sending.
[Sysname] undo l2tp sendaccm enable

l2tpmoreexam enable

Syntax
l2tpmoreexam enable
undo l2tpmoreexam enable

View
System view

Description
Use the l2tpmoreexam enable command to enable the L2TP multi-instance function. Use the undo l2tpmoreexam enable command to disable it.
By default, the L2TP multi-instance function is disabled.
This command is available only on LNSs. With multi-instance enabled, the allow l2tp command must carry the domain domain-name option.
Related commands: l2tp enable.

Examples
# Enable the L2TP multi-instance function on the LNS.

[Sysname] l2tpmoreexam enable

l2tp-auto-client enable

Syntax
l2tp-auto-client enable
undo l2tp-auto-client enable

View
Virtual template interface view

Description
Use the l2tp-auto-client enable command to trigger the LAC to establish an L2TP tunnel. Use the undo l2tp-auto-client enable command to tear down the established L2TP tunnel.
By default, a LAC does not establish an L2TP tunnel on its own.

Examples
# Trigger the LAC to establish an L2TP tunnel.
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] l2tp-auto-client enable

l2tp-group

Syntax
l2tp-group group-number
undo l2tp-group group-number

View
System view

Parameters
group-number: Number identifying the L2TP group, in the range of 1 to 1000.

Description
Use the l2tp-group command to create an L2TP group and enter its view. Use the undo l2tp-group command to remove an L2TP group.
By default, no L2TP group exists.
Removing an L2TP group with the undo l2tp-group command deletes all configuration associated with the group.

Related commands: allow l2tp, start l2tp.

Examples
# Create L2TP group 2 and enter its view.
[Sysname] l2tp-group 2
[Sysname-l2tp2]

mandatory-chap

Syntax
mandatory-chap
undo mandatory-chap

View
L2TP group view

Description
Use the mandatory-chap command to force the LNS to perform CHAP authentication of the user. Use the undo mandatory-chap command to disable CHAP authentication on the LNS.
By default, an LNS does not perform CHAP authentication of users.
With mandatory-chap, the LNS authenticates the client itself, in addition to the proxy authentication performed at the LAC. This gives higher security, because the LNS no longer has to trust the proxy authentication information that the LAC forwards through the tunnel.
If the mandatory-chap command is used, a client connecting to the VPN through a NAS-initiated tunnel is authenticated twice: once on the NAS side and once on the LNS side. Some PPP clients do not support this second authentication; for such clients, the LNS-side CHAP authentication fails.
Related commands: mandatory-lcp.

Examples
# Force CHAP authentication.
[Sysname-l2tp1] mandatory-chap

mandatory-lcp

Syntax
mandatory-lcp
undo mandatory-lcp

View
L2TP group view

Description
Use the mandatory-lcp command to force the LNS to perform LCP negotiation with users. Use the undo mandatory-lcp command to disable forced LCP negotiation.
By default, an LNS does not perform LCP negotiation with users.
When a client of a NAS-initiated VPN starts a PPP session, it first negotiates the LCP parameters with the network access server (NAS). If the negotiation succeeds, the NAS initiates a tunnel and passes the negotiated results to the LNS, and the LNS then decides whether the client is valid from the proxy authentication information. With mandatory-lcp, the LNS performs LCP re-negotiation with the client itself and ignores the proxy authentication information from the NAS. Some PPP clients do not support LCP re-negotiation; for such clients, the LCP re-negotiation fails.
Related commands: mandatory-chap.

Examples
# Force LCP negotiation.
[Sysname-l2tp1] mandatory-lcp

reset l2tp tunnel

Syntax
reset l2tp tunnel { id tunnel-id | name remote-name }

View
User view

Parameters
tunnel-id: Local ID of the tunnel, in the range of 1 to 8191.
remote-name: Name of the tunnel at the remote end, a case-sensitive string of 1 to 30 characters.

Description
Use the reset l2tp tunnel command to disconnect one or more specified tunnels together with all their sessions. A tunnel disconnected in this way can be re-established when a client makes a call again.
If you specify a tunnel name, all tunnels with that remote name are disconnected; if no tunnel with that name exists, nothing happens. If you specify a tunnel ID, only the tunnel with that ID is disconnected.
Related commands: display l2tp tunnel.

Examples
# Disconnect all tunnels with the remote name aaa.
<Sysname> reset l2tp tunnel name aaa

start l2tp

Syntax
start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }
undo start

View
L2TP group view

Parameters
{ ip ip-address }&<1-5>: IP addresses of the tunnel peers (LNSs). &<1-5> means that you can specify up to five IP addresses.
domain-name: Name of the domain that initiates the connection request, a case-insensitive string of 1 to 30 characters.
user-name: Fully qualified name of the user that initiates the connection request, a case-sensitive string of 1 to 32 characters.

Description
Use the start l2tp command to make the device initiate tunneling requests to one or more LNS addresses for the specified VPN users. Use the undo start command to remove the configuration.
The start l2tp command is available only on LACs.
A LAC can initiate tunneling requests for all users in a specified domain. For example, if the domain name of a company is aabbcc.net, users with that domain name are treated as VPN users. You can also specify a single VPN user by giving the fully qualified name of the user.
When a LAC detects a VPN user, it sends an L2TP tunneling request to the configured LNSs one by one, in configuration order, until one of them acknowledges the request; that LNS becomes the tunnel peer.

Examples
# Initiate L2TP tunneling requests to LNS 202.1.1.1 for users in domain aabbcc.net.
[Sysname-l2tp1] start l2tp ip 202.1.1.1 domain aabbcc.net

tunnel authentication

Syntax
tunnel authentication
undo tunnel authentication

View
L2TP group view

Description
Use the tunnel authentication command to enable L2TP tunnel authentication. Use the undo tunnel authentication command to disable it.
By default, L2TP tunnel authentication is enabled.
For security, authentication should normally stay enabled at both ends of a tunnel, and both ends must be configured with the same password (see tunnel password); otherwise tunnel setup fails. You can disable authentication while checking network connectivity or when you must accept tunneling requests from unknown tunnel peers, but do so only temporarily: without it, any host that can reach the device on UDP port 1701 can bring up a tunnel, and only the PPP authentication of the user remains. Tunnel authentication proves that the peer holds the shared password; it does not encrypt the tunnel. Run L2TP over IPsec when the tunnel crosses an untrusted network.

Examples
# Disable L2TP tunnel authentication.
[Sysname-l2tp1] undo tunnel authentication

tunnel avp-hidden

Syntax
tunnel avp-hidden
undo tunnel avp-hidden

View
L2TP group view

Description
Use the tunnel avp-hidden command to transfer attribute value pair (AVP) data in hidden mode. Use the undo tunnel avp-hidden command to restore the default.
By default, AVP data is transferred over the tunnel in plain text.
Hidden mode obscures sensitive AVPs (for example, the proxy authentication data) with a keystream derived from the tunnel authentication password, so it requires that both ends share the same tunnel password. It hides individual AVPs in the control channel; it is not encryption of the tunnel.
The tunnel avp-hidden command is available only on LACs.

Examples
# Transfer AVP data in hidden mode.

[Sysname-l2tp1] tunnel avp-hidden

tunnel flow-control

Syntax
tunnel flow-control
undo tunnel flow-control

View
L2TP group view

Description
Use the tunnel flow-control command to enable L2TP tunnel flow control. Use the undo tunnel flow-control command to disable it.
By default, L2TP tunnel flow control is disabled.

Examples
# Enable L2TP tunnel flow control.
[Sysname-l2tp1] tunnel flow-control

tunnel name

Syntax
tunnel name name
undo tunnel name

View
L2TP group view

Parameters
name: Name of the tunnel at the local end, a case-sensitive string of 1 to 30 characters.

Description
Use the tunnel name command to specify the local name of a tunnel. Use the undo tunnel name command to restore the default.
By default, a tunnel uses the system name of the device as its local name. On a LAC, this is the name that the LNS matches against the remote remote-name option of the allow l2tp command.
Related commands: sysname in Basic System Configuration Commands of the System Volume.

Examples
# Specify the local name for a tunnel as itsme.
[Sysname-l2tp1] tunnel name itsme

tunnel password

Syntax
tunnel password { cipher | simple } password
undo tunnel password

View
L2TP group view

Parameters
cipher: Displays the password in cipher text in the configuration.
simple: Displays the password in plain text in the configuration.
password: Password for tunnel authentication, case sensitive. If you specify the cipher keyword, you can enter the password in either plain text or cipher text; if you specify the simple keyword, you can enter it only in plain text. A plain text password is a string of 1 to 16 characters, for example, aabbcc. A cipher text password consists of 24 characters, for example, _(TT8F)Y\5SQ=^Q`MAF4<1!!.

Description
Use the tunnel password command to set the password for tunnel authentication. Use the undo tunnel password command to remove it.
By default, the password for tunnel authentication is null.
The same password must be configured on both ends of the tunnel. Prefer the cipher keyword so that the password does not appear in plain text in the configuration file and in display output. The cipher text is reversible, however: the device must recover the plain text password to compute tunnel authentication responses, so cipher mode protects against casual disclosure only, and configuration files still have to be handled as secrets.

Examples
# Set the password for tunnel authentication to yougotit, to be displayed in cipher text.
[Sysname-l2tp1] tunnel password cipher yougotit

tunnel timer hello

Syntax
tunnel timer hello hello-interval
undo tunnel timer hello

View
L2TP group view

Parameters
hello-interval: Interval at which the LAC or the LNS sends Hello packets when it receives no packets on the tunnel, in the range of 60 to 1000 seconds.

Description
Use the tunnel timer hello command to set the interval at which Hello packets are sent in a tunnel. Use the undo tunnel timer hello command to restore the default.
By default, the interval is 60 seconds.
The interval is a local setting: the LNS and the LAC can use different hello intervals.

Examples
# Set the hello interval to 99 seconds.
[Sysname-l2tp1] tunnel timer hello 99
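The tunnel authentication, tunnel password and tunnel avp-hidden commands above, and the proxy authentication information that mandatory-chap lets the LNS stop trusting, all rest on the same shared secret. The following program is an added example (it is not part of this command reference and not H3C/HP code) that implements the two RFC 2661 mechanisms that consume that secret: the SCCRQ/SCCRP/SCCCN challenge-response exchange behind tunnel authentication, and the AVP hiding behind tunnel avp-hidden. It assumes the device follows RFC 2661; the message type IDs 2 and 3 and the attribute type 33 for the Proxy Authen Response AVP come from that RFC, not from this page, and the secret, challenges and random vector are constructed values.

```python
"""What tunnel authentication, tunnel password and tunnel avp-hidden do on the wire.

Added example, not H3C/HP code: a direct implementation of the RFC 2661
tunnel authentication challenge/response and of AVP hiding (RFC 2661
section 4.3), the two mechanisms that consume the shared secret set with
tunnel password.  Assumes the device follows RFC 2661; the secret,
challenges and random vector are constructed values.
"""
from __future__ import annotations

import hashlib

# Message Type AVP values (RFC 2661): the ID octet mixed into each response.
SCCRP, SCCCN = 2, 3
# Attribute type of the Proxy Authen Response AVP (RFC 2661), one of the AVPs avp-hidden hides.
PROXY_AUTHEN_RESPONSE = 33


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_auth_exchange(lac_secret: bytes, lns_secret: bytes,
                         lac_challenge: bytes, lns_challenge: bytes) -> tuple[bool, bool]:
    """Run the SCCRQ -> SCCRP -> SCCCN exchange with each side's own secret.

    Returns (LAC accepted the LNS, LNS accepted the LAC).  Each side computes
    MD5 over the plaintext secret, which is why the tunnel password has to be
    stored in recoverable form (cipher mode only obfuscates the display).
    """
    # SCCRQ carries the LAC challenge; the LNS answers it in SCCRP (ID 2).
    lns_response = challenge_response(SCCRP, lns_secret, lac_challenge)
    lac_ok = lns_response == challenge_response(SCCRP, lac_secret, lac_challenge)
    # SCCRP also carries the LNS challenge; the LAC answers it in SCCCN (ID 3).
    lac_response = challenge_response(SCCCN, lac_secret, lns_challenge)
    lns_ok = lac_response == challenge_response(SCCCN, lns_secret, lns_challenge)
    return lac_ok, lns_ok


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type: int, value: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """RFC 2661 4.3: prefix the original length, pad to 16-octet chunks, and XOR with an
    MD5 chain keyed by the shared secret.  The Random Vector AVP itself travels in clear."""
    plain = len(value).to_bytes(2, "big") + value
    plain += bytes(-len(plain) % 16)  # zero padding; discarded by the receiver
    key = hashlib.md5(attr_type.to_bytes(2, "big") + secret + random_vector).digest()
    hidden = b""
    for i in range(0, len(plain), 16):
        chunk = _xor(plain[i:i + 16], key)
        hidden += chunk
        key = hashlib.md5(secret + chunk).digest()  # next key from the previous hidden chunk
    return hidden


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Inverse of hide_avp; a wrong secret yields garbage, usually caught by the length check."""
    if len(hidden) % 16:
        raise ValueError("hidden AVP value is not a multiple of 16 octets")
    key = hashlib.md5(attr_type.to_bytes(2, "big") + secret + random_vector).digest()
    plain = b""
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, key)
        key = hashlib.md5(secret + chunk).digest()
    length = int.from_bytes(plain[:2], "big")
    if length > len(plain) - 2:
        raise ValueError("length prefix out of range: wrong shared secret or corrupted AVP")
    return plain[2:2 + length]


# Constructed values for a stand-alone run (the password matches the example above).
SECRET = b"yougotit"
LAC_CHALLENGE = bytes(range(16))
LNS_CHALLENGE = bytes(range(16, 32))
RANDOM_VECTOR = b"\xa5" * 16

if __name__ == "__main__":
    print("same secret :", tunnel_auth_exchange(SECRET, SECRET, LAC_CHALLENGE, LNS_CHALLENGE))
    print("wrong secret:", tunnel_auth_exchange(SECRET, b"guess", LAC_CHALLENGE, LNS_CHALLENGE))
    h = hide_avp(PROXY_AUTHEN_RESPONSE, b"\x11" * 16, SECRET, RANDOM_VECTOR)
    print("hidden      :", h.hex())
    print("recovered   :", unhide_avp(PROXY_AUTHEN_RESPONSE, h, SECRET, RANDOM_VECTOR).hex())
```

Running it shows the exchange succeeding only when both sides hold the same secret, which is why tunnel setup fails when the tunnel password differs between LAC and LNS. It also shows that a hidden AVP is the plaintext XORed with an MD5 chain seeded by the secret and a cleartext random vector: anyone who holds the tunnel password can unhide it, so avp-hidden is no substitute for IPsec on an untrusted path.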