Enabling l2tp multi-instance – H3C Technologies H3C SecPath F1000-E User Manual
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter L2TP group view | l2tp-group group-number | — |
| Specify the LNS to perform LCP re-negotiation with users | mandatory-lcp | Required. By default, an LNS does not perform LCP re-negotiation with users. |
Configuring AAA Authentication for VPN Users on LNS Side
You need to configure AAA on the LNS when either of the following is true:
• Mandatory CHAP authentication is configured on the LNS
• Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual template interface requires PPP user authentication.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and passwords)
of VPN users for a second time. If a user passes AAA authentication, the user can communicate with the
LNS. Otherwise, the L2TP session will be removed.
LNS side AAA configurations are similar to those on an LAC. See
Configuring AAA Authentication for
for detailed information.
Enabling L2TP Multi-Instance
If multiple enterprises share the same LNS device and use the same name for the tunnel peers (LAC
devices), the LNS device is unable to differentiate which users belong to which enterprises. The L2TP
multi-instance function can solve this problem. With this function, an LNS can differentiate multiple VPN
domains and thus service users of different enterprises simultaneously.
In an L2TP multi-instance application, specify the domain to which VPN users belong by using the
domain keyword in the allow l2tp virtual-template command. After an L2TP tunnel is established,
the LNS obtains the domain name from the session negotiation packet and searches for the same domain
among those locally configured for VPN users. If there is an L2TP group whose tunnel peer name and
domain name match, the LNS establishes a session according to the group configuration. Thus, different
sessions can be established for VPN users of different domains.
Follow these steps to enable the L2TP multi-instance function:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the L2TP multi-instance function | l2tpmoreexam enable | Required. Disabled by default. |
NOTE: If multiple L2TP groups on the LNS are configured with the same remote tunnel name, ensure that their tunnel authentication settings are the same. Mismatching tunnel authentication passwords will result in tunnel establishment failure.
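The group selection described above (match on tunnel peer name plus domain once multi-instance is enabled) and the NOTE's tunnel-authentication caveat, modelled as an added Python example that is not H3C code. It assumes the domain carried in session negotiation is the "@domain" suffix of the PPP username, and that with multi-instance disabled the LNS simply takes the first group whose remote name matches; the group data is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class L2tpGroup:
    number: int
    remote_name: str                     # tunnel peer (LAC) name
    domain: Optional[str]                # domain keyword of "allow l2tp virtual-template"
    tunnel_auth_password: Optional[str]  # None if tunnel authentication is off

def user_domain(username: str) -> Optional[str]:
    # Assumption: the domain negotiated for the session is the "@domain"
    # part of the PPP username; users without a suffix have no domain.
    _, sep, dom = username.partition("@")
    return dom if sep else None

def select_group(groups: List[L2tpGroup], remote_name: str,
                 username: str, multi_instance: bool) -> Optional[L2tpGroup]:
    """Return the L2TP group the LNS would use, or None if nothing matches."""
    dom = user_domain(username)
    for g in groups:
        if g.remote_name != remote_name:
            continue
        if not multi_instance:
            # Without "l2tpmoreexam enable" only the peer name is compared, so
            # enterprises sharing a LAC name collapse onto the first group
            # (assumption about tie-breaking; the manual only says the LNS
            # cannot tell the enterprises apart).
            return g
        if g.domain == dom:
            return g
    return None

def tunnel_auth_conflicts(groups: List[L2tpGroup]) -> List[str]:
    """Remote names whose groups disagree on the tunnel authentication
    password; the NOTE says such a mismatch makes tunnel setup fail."""
    seen = {}
    for g in groups:
        seen.setdefault(g.remote_name, set()).add(g.tunnel_auth_password)
    return sorted(name for name, pws in seen.items() if len(pws) > 1)

# Constructed sample: two enterprises whose LACs both announce the name "lac".
GROUPS = [
    L2tpGroup(1, "lac", "enterprise-a", "s3cret"),
    L2tpGroup(2, "lac", "enterprise-b", "s3cret"),
    L2tpGroup(3, "branch", None, "other"),
]
```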