Table of Contents

1 L2TP Configuration Commands
  L2TP Configuration Commands
    allow l2tp
    display l2tp session
    display l2tp tunnel
    interface virtual-template
    l2tp enable
    l2tp sendaccm enable
    l2tpmoreexam enable
    l2tp-auto-client enable
    l2tp-group
    mandatory-chap
    mandatory-lcp
    reset l2tp tunnel
    start l2tp
    tunnel authentication
    tunnel avp-hidden
    tunnel flow-control
    tunnel name
    tunnel password
    tunnel timer hello
1 L2TP Configuration Commands

L2TP Configuration Commands

allow l2tp

Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow

Parameters
virtual-template-number: Number of the virtual template interface for creating a virtual access (VA) interface, in the range of 0 to 1023.
remote-name: Name of the tunnel peer initiating a connection request, a case-sensitive string of 1 to 30 characters.
domain-name: Name of the domain initiating a connection request, a case-insensitive string of 1 to 30 characters.

Description
Use the allow l2tp command to specify the virtual template interface for receiving calls, the tunnel name on the LAC, and the domain name. Use the undo allow command to remove the configuration.
By default, an LNS denies all incoming calls.
The domain domain-name combination is required in L2TP multi-instance applications.
The remote remote-name combination is optional for L2TP group 1, the default L2TP group. In other words, for L2TP group 1 the syntax of the command is allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ], and a peer with any name can initiate a tunneling request. If you specify the remote remote-name combination for L2TP group 1, L2TP group 1 no longer serves as the default L2TP group.
In Windows 2000 beta 2, if the local end name for the VPN connection is null, the peer name received by the device is also null. You can configure a default L2TP group to test connectivity and to receive the tunneling request initiated by such an unknown remote end.
The allow l2tp command is available only on LNSs.
If the tunnel name on the LAC is specified, ensure that it is the same as the tunnel name configured on the LAC.
Related commands: l2tp-group.
Examples
# Accept the L2TP tunneling request initiated by the peer (LAC) named aaa and create a virtual access interface according to virtual template 1.
[Sysname] l2tp-group 2
[Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa
# Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a virtual access interface based on virtual template 1.
[Sysname-l2tp1] allow l2tp virtual-template 1

display l2tp session

Syntax
display l2tp session

View
Any view

Default level
1: Monitor level

Description
Use the display l2tp session command to display information about L2TP sessions.
Related commands: display l2tp tunnel.

Examples
# Display information about L2TP sessions.
<Sysname> display l2tp session
Total session = 1
LocalSID  RemoteSID  LocalTID
17922     12990      1

Table 1-1 display l2tp session command output description
Field          Description
Total session  Number of active sessions
LocalSID       Unique ID of the session at the local end
RemoteSID      Unique ID of the session at the remote end
LocalTID       Unique ID of the tunnel at the local end
display l2tp tunnel

Syntax
display l2tp tunnel

View
Any view

Default level
1: Monitor level

Description
Use the display l2tp tunnel command to display information about L2TP tunnels.

Examples
# Display information about L2TP tunnels.
<Sysname> display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1        1         20.1.1.2      1701 1        lns

Table 1-2 display l2tp tunnel command output description
Field          Description
Total tunnel   Number of active tunnels
LocalTID       Unique ID of the tunnel at the local end
RemoteTID      Unique ID of the tunnel at the remote end
RemoteAddress  IP address of the peer
Port           Port number of the peer
Sessions       Number of sessions within the tunnel
RemoteName     Name of the tunnel at the peer

interface virtual-template

Syntax
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number

View
System view
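The script below is an added example, not part of the manual, that parses display l2tp tunnel output in the format shown above and reports any tunnel whose RemoteAddress is not in an operator-supplied list of expected peers. The sample output and the expected-peer list are constructed; the second row is an invented peer so the check has something to flag.

```python
"""Parse 'display l2tp tunnel' output (format shown above) and report tunnels
whose peer is not an expected LAC/LNS. Added example, not vendor code."""
import ipaddress
import re

# Constructed sample modelled on the example output; the second row is an
# invented peer so that the check has something to flag.
SAMPLE = """\
Total tunnel = 2
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1        1         20.1.1.2      1701 1        lns
2        7         203.0.113.9   1701 3        lns
"""
# Column order as printed by the device (see Table 1-2).
COLUMNS = ("LocalTID", "RemoteTID", "RemoteAddress", "Port", "Sessions", "RemoteName")

def parse_tunnels(text):
    """Return (declared total, list of tunnel dicts) from the command output."""
    total, tunnels = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Total tunnel\s*=\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        fields = line.split()
        # Data rows have six columns and a numeric LocalTID; this skips
        # the header row and blank lines.
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        row = dict(zip(COLUMNS, fields))
        for key in ("LocalTID", "RemoteTID", "Port", "Sessions"):
            row[key] = int(row[key])
        row["RemoteAddress"] = ipaddress.ip_address(row["RemoteAddress"])
        tunnels.append(row)
    return total, tunnels

def unexpected_peers(text, expected_peers):
    """Tunnels whose RemoteAddress is not in expected_peers, plus a note when
    the declared total disagrees with the rows actually printed."""
    expected = {ipaddress.ip_address(a) for a in expected_peers}
    total, tunnels = parse_tunnels(text)
    findings = []
    if total is not None and total != len(tunnels):
        findings.append(f"declared {total} tunnels but parsed {len(tunnels)}")
    for t in tunnels:
        if t["RemoteAddress"] not in expected:
            findings.append(f"LocalTID {t['LocalTID']}: peer {t['RemoteAddress']} "
                            f"(RemoteName {t['RemoteName']}) is not an expected peer")
    return findings
```

Call unexpected_peers with captured output and the peer addresses you actually provision (for example the LNS addresses given to start l2tp); a non-empty result is worth correlating with the LocalTID before using reset l2tp tunnel.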
Parameters
virtual-template-number: Serial number for identifying the virtual template interface, in the range of 0 to 1023.

Description
Use the interface virtual-template command to create a virtual template interface and enter its view. Use the undo interface virtual-template command to remove a virtual template interface.
By default, no virtual template interface exists.
A virtual template interface is intended to provide parameters for virtual access interfaces to be dynamically created by the device, such as logical MP interfaces and logical L2TP interfaces.
Related commands: allow l2tp.

Examples
# Create virtual template interface 1 and enter virtual template interface view.
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1]

l2tp enable

Syntax
l2tp enable
undo l2tp enable

View
System view

Description
Use the l2tp enable command to enable the L2TP function. Use the undo l2tp enable command to disable the L2TP function.
By default, the L2TP function is disabled.
L2TP must be enabled for relevant L2TP configurations to take effect.
Related commands: l2tp-group.

Examples
# Enable the L2TP function.
[Sysname] l2tp enable
l2tp sendaccm enable

Syntax
l2tp sendaccm enable
undo l2tp sendaccm enable

View
System view

Description
Use the l2tp sendaccm enable command to enable an LNS to send ACCM. Use the undo l2tp sendaccm enable command to disable an LNS from sending ACCM.
By default, an LNS sends ACCM.

Examples
# Disable the ACCM sending function.
[Sysname] undo l2tp sendaccm enable

l2tpmoreexam enable

Syntax
l2tpmoreexam enable
undo l2tpmoreexam enable

View
System view

Description
Use the l2tpmoreexam enable command to enable the L2TP multi-instance function. Use the undo l2tpmoreexam enable command to disable the L2TP multi-instance function.
By default, the L2TP multi-instance function is disabled.
This command is available only on LNSs.
Related commands: l2tp enable.

Examples
# Enable the L2TP multi-instance function on the LNS.
[Sysname] l2tpmoreexam enable

l2tp-auto-client enable

Syntax
l2tp-auto-client enable
undo l2tp-auto-client enable

View
Virtual template interface view

Description
Use the l2tp-auto-client enable command to trigger an LAC to establish an L2TP tunnel. Use the undo l2tp-auto-client enable command to remove the established L2TP tunnel.
By default, an LAC does not establish an L2TP tunnel.

Examples
# Trigger the LAC to establish an L2TP tunnel.
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] l2tp-auto-client enable

l2tp-group

Syntax
l2tp-group group-number
undo l2tp-group group-number

View
System view

Parameters
group-number: Number for identifying the L2TP group, in the range of 1 to 1000.

Description
Use the l2tp-group command to create an L2TP group and enter its view. Use the undo l2tp-group command to remove an L2TP group.
By default, no L2TP group exists.
When you use the undo l2tp-group command to remove an L2TP group, all configuration information associated with the group is deleted.
Related commands: allow l2tp, start l2tp.

Examples
# Create an L2TP group numbered 2 and enter its view.
[Sysname] l2tp-group 2
[Sysname-l2tp2]

mandatory-chap

Syntax
mandatory-chap
undo mandatory-chap

Description
Use the mandatory-chap command to force the LNS to perform CHAP authentication of the user. Use the undo mandatory-chap command to disable CHAP authentication on the LNS.
By default, an LNS does not perform CHAP authentication of users.
For higher security, an LNS can authenticate the client itself in addition to the proxy authentication that occurs at the LAC. If the mandatory-chap command is used, two authentications are performed for clients connected to the VPN through an NAS-initialized tunnel: one on the NAS side and the other on the LNS side.
Some PPP clients may not support the second authentication. In this case, the LNS-side CHAP authentication fails.
Related commands: mandatory-lcp.

Examples
# Perform CHAP authentication by force.
[Sysname-l2tp1] mandatory-chap

mandatory-lcp

Syntax
mandatory-lcp
undo mandatory-lcp
Description
Use the mandatory-lcp command to force an LNS to perform LCP negotiation with users. Use the undo mandatory-lcp command to disable the LCP negotiation.
By default, an LNS does not perform LCP negotiation with users.
When starting a PPP session, a client of an NAS-initialized VPN first negotiates LCP parameters with the network access server (NAS). If the negotiation succeeds, the NAS initializes a tunnel and then transfers the negotiated results to the LNS. The LNS then verifies whether the client is valid based on the proxy authentication information. You can use the mandatory-lcp command to force the LNS to perform LCP re-negotiation with the client. In this case, the proxy authentication information from the NAS is ignored.
Some PPP clients may not support LCP re-negotiation. In this case, the LCP re-negotiation fails.
Related commands: mandatory-chap.

Examples
# Perform LCP negotiation by force.
[Sysname-l2tp1] mandatory-lcp

reset l2tp tunnel

Syntax
reset l2tp tunnel { id tunnel-id | name remote-name }

View
User view

Parameters
tunnel-id: Local ID of the tunnel, in the range of 1 to 8191.
remote-name: Name of the tunnel at the remote end, a case-sensitive string of 1 to 30 characters.

Description
Use the reset l2tp tunnel command to disconnect one or more specified tunnels and all sessions of the tunnels. A tunnel disconnected by force can be re-established when a client makes a call.
If you specify a tunnel name, all tunnels with that name are disconnected; if no tunnel with the name exists, nothing happens. If you specify a tunnel ID, only the tunnel with that ID is disconnected.
Related commands: display l2tp tunnel.
Examples
# Disconnect all tunnels with the remote name of aaa.
<Sysname> reset l2tp tunnel name aaa

start l2tp

Syntax
start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }
undo start

Parameters
{ ip ip-address }&<1-5>: IP addresses of the tunnel peers (LNSs). &<1-5> means that you can specify up to five IP addresses.
domain-name: Name of the domain initiating a connection request, a case-insensitive string of 1 to 30 characters.
user-name: Fully qualified name of the user initiating a connection request, a case-sensitive string of 1 to 32 characters.

Description
Use the start l2tp command to enable the device to initiate tunneling requests to one or more IP addresses for one or more specified VPN users. Use the undo start command to remove the configuration.
The start l2tp command is available only on LACs.
An LAC can initiate tunneling requests for users in a specified domain. For example, if the domain name of a company is aabbcc.net, users with that domain name are considered VPN users. You can also specify a single VPN user by giving the fully qualified name of the user.
When an LAC detects a VPN user, it initiates an L2TP tunneling request to the LNSs one by one in their configuration order until it receives an acknowledgement from an LNS, which is then considered the tunnel peer.

Examples
# Initiate L2TP tunneling requests to LNS 202.1.1.1 for users in domain aabbcc.net.
[Sysname-l2tp1] start l2tp ip 202.1.1.1 domain aabbcc.net

tunnel authentication

Syntax
tunnel authentication
undo tunnel authentication
Description
Use the tunnel authentication command to enable the L2TP tunnel authentication function. Use the undo tunnel authentication command to disable the L2TP tunnel authentication function.
By default, L2TP tunnel authentication is enabled.
Generally, authentication is required at both ends of a tunnel for the sake of security. However, you can disable the authentication when you are checking network connectivity or when you need to receive tunneling requests from unknown tunnel peers.

Examples
# Disable L2TP tunnel authentication.
[Sysname-l2tp1] undo tunnel authentication

tunnel avp-hidden

Syntax
tunnel avp-hidden
undo tunnel avp-hidden

Description
Use the tunnel avp-hidden command to transfer attribute value pair (AVP) data in hidden mode. Use the undo tunnel avp-hidden command to restore the default.
By default, AVP data is transferred over the tunnel in plain text mode.
The tunnel avp-hidden command is available only on LACs.

Examples
# Transfer AVP data in hidden mode.
[Sysname-l2tp1] tunnel avp-hidden

tunnel flow-control

Syntax
tunnel flow-control
undo tunnel flow-control

Description
Use the tunnel flow-control command to enable the L2TP tunnel flow control function. Use the undo tunnel flow-control command to disable the L2TP tunnel flow control function.
By default, the L2TP tunnel flow control function is disabled.

Examples
# Enable the L2TP tunnel flow control function.
[Sysname-l2tp1] tunnel flow-control

tunnel name

Syntax
tunnel name name
undo tunnel name

Parameters
name: Name for the tunnel at the local end, a case-sensitive string of 1 to 30 characters.

Description
Use the tunnel name command to specify the name of a tunnel at the local end. Use the undo tunnel name command to restore the default.
By default, a tunnel takes the system name of the device as its name at the local end.
Related commands: sysname in Basic System Configuration Commands of the System Volume.
Examples
# Specify the local name for a tunnel as itsme.
[Sysname-l2tp1] tunnel name itsme

tunnel password

Syntax
tunnel password { cipher | simple } password
undo tunnel password

Parameters
cipher: Displays the password in cipher text.
simple: Displays the password in plain text.
password: Password for tunnel authentication, case sensitive. If you specify the cipher keyword, you can enter a password in either plain text or cipher text. If you specify the simple keyword, you can enter a password only in plain text. A plain text password is a string of 1 to 16 characters, for example, aabbcc. A cipher text password consists of 24 characters, for example, _(TT8F)Y\5SQ=^Q`MAF4<1!!.

Description
Use the tunnel password command to specify the password for tunnel authentication. Use the undo tunnel password command to remove the configuration.
By default, the password for tunnel authentication is null.

Examples
# Set the password for tunnel authentication to yougotit, specifying to display the password in cipher text.
[Sysname-l2tp1] tunnel password cipher yougotit

tunnel timer hello

Syntax
tunnel timer hello hello-interval
undo tunnel timer hello
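The script below is an added example, not vendor code, that audits the l2tp-group blocks of a saved configuration against the settings described under mandatory-chap, tunnel authentication, tunnel avp-hidden and tunnel password: authentication disabled, a password shown in plain text with the simple keyword, the default null password, an LAC left at the plain-text AVP default, and an LNS relying on LAC proxy authentication alone. The configuration excerpt is constructed to mirror the command syntax in this chapter, and the cipher-text value is a placeholder, not a device-generated string.

```python
"""Audit l2tp-group blocks in a saved configuration for the settings covered in
this chapter (tunnel authentication/password, avp-hidden, mandatory-chap). Added example."""
import re

# Constructed config excerpt: group 1 is an LNS with weakened settings, group 2 a
# hardened LAC, group 3 an LNS at the default (null) password. Cipher text is a placeholder.
SAMPLE_CONFIG = """\
l2tp-group 1
 undo tunnel authentication
 tunnel password simple aabbcc
 allow l2tp virtual-template 1
l2tp-group 2
 tunnel password cipher PLACEHOLDER-CIPHER-TEXT
 tunnel avp-hidden
 start l2tp ip 202.1.1.1 domain aabbcc.net
l2tp-group 3
 allow l2tp virtual-template 1 remote aaa
 mandatory-chap
"""

def parse_groups(config):
    """Map each L2TP group number to the commands configured under it."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"l2tp-group (\d+)$", line)
        if m:
            current = int(m.group(1))
            groups[current] = []
        elif current is not None and line and line != "#":  # '#' separates blocks
            groups[current].append(line)
    return groups

def audit(config):
    """Return (group number, message) findings for weak or default settings."""
    findings = []
    for num, cmds in parse_groups(config).items():
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        if has("undo tunnel authentication"):
            findings.append((num, "tunnel authentication disabled"))
        elif not has("tunnel password "):  # default password is null
            findings.append((num, "tunnel authentication enabled with default null password"))
        if has("tunnel password simple"):
            findings.append((num, "tunnel password shown in plain text (simple)"))
        if has("start l2tp") and not has("tunnel avp-hidden"):  # start l2tp: LAC side
            findings.append((num, "LAC transfers AVP data in plain text (default)"))
        if has("allow l2tp") and not has("mandatory-chap"):  # allow l2tp: LNS side
            findings.append((num, "LNS does not perform CHAP authentication of users (default)"))
    return findings
```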
Parameters
hello-interval: Interval at which the LAC or the LNS sends Hello packets when receiving no packets, in the range of 60 to 1,000 seconds.

Description
Use the tunnel timer hello command to set the interval for sending hello packets in a tunnel. Use the undo tunnel timer hello command to restore the default.
By default, the interval is 60 seconds.
You can set different hello intervals on the LNS and the LAC.

Examples
# Set the hello interval to 99 seconds.
[Sysname-l2tp1] tunnel timer hello 99