Enabling l2tp multi-instance, Specifying to send accm, Configuring l2tp connection parameters – H3C Technologies H3C SecPath F1000-E User Manual
LNS side AAA configurations are similar to those on an LAC (see "Configuring AAA authentication for").
Enabling L2TP multi-instance
If multiple enterprises share the same LNS device and use the same name for the tunnel peers (LAC devices), the LNS device is unable to differentiate which users belong to which enterprises. The L2TP multi-instance function can solve this problem. With this function, an LNS can differentiate multiple VPN domains and service users of different enterprises simultaneously.

In an L2TP multi-instance application, specify the domain to which VPN users belong by using the domain keyword in the allow l2tp virtual-template command. After an L2TP tunnel is established, the LNS obtains the domain name from the session negotiation packet and searches for the same domain among those locally configured for VPN users. If an L2TP group's tunnel peer name and domain name match, the LNS establishes a session according to the group configuration. Thus, different sessions can be established for VPN users of different domains.
To enable the L2TP multi-instance function:

Step                                          Command               Remarks
1. Enter system view.                         system-view           N/A
2. Enable the L2TP multi-instance function.   l2tpmoreexam enable   Disabled by default
NOTE:
If multiple L2TP groups on the LNS are configured with the same remote tunnel name, make sure that their tunnel authentication settings are the same. Mismatching tunnel authentication passwords will result in tunnel establishment failure.
Specifying to send ACCM
According to RFC 2661, the Asynchronous Control Character Map (ACCM) AVP enables an LNS to inform the LAC of the ACCM that the LNS has negotiated with the PPP peer.

Not every LAC supports ACCM. Therefore, an LNS needs to know whether it should send ACCM. By default, an LNS sends ACCM. If the LAC does not support ACCM, configure the LNS not to send ACCM.
To configure an LNS to send ACCM:

Step                          Command               Remarks
1. Enter system view.         system-view           N/A
2. Specify to send ACCM.      l2tp sendaccm enable  By default, an LNS sends ACCM.
Configuring L2TP connection parameters
These L2TP connection parameter configuration tasks apply to both LACs and LNSs and are optional.
Configuring L2TP tunnel authentication
You can enable tunnel authentication to allow the LAC and LNS to authenticate each other. Either the LAC or the LNS can initiate a tunnel authentication request. To implement tunnel authentication, enable tunnel authentication on both the LAC and LNS, and configure the same non-null password on them.
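As an added example that is not from the manual, the following LNS configuration fragment ties together the multi-instance section and the tunnel authentication section above: two L2TP groups accept the same remote tunnel name (lac1) for two different domains, and both groups carry identical tunnel authentication settings, as the multi-instance NOTE requires. The l2tp enable, l2tp-group, tunnel name, tunnel authentication and tunnel password commands are assumed Comware syntax not shown on this page; the group numbers, domain names and password are constructed placeholders.

```text
# Constructed example, not taken from the manual.
# Only l2tpmoreexam enable and allow l2tp virtual-template ... domain appear on this page;
# the remaining commands are assumed Comware syntax.
system-view
 l2tp enable
 l2tpmoreexam enable
#
# Group 1: users of domain corpA.example arriving from the LAC named lac1.
 l2tp-group 1
  tunnel name lns
  allow l2tp virtual-template 1 remote lac1 domain corpA.example
  tunnel authentication
  tunnel password simple PLACEHOLDER-SHARED-SECRET
#
# Group 2: same remote tunnel name lac1, different domain.
# Tunnel authentication and the password must match group 1, otherwise
# tunnel establishment fails for this peer (see the NOTE above).
 l2tp-group 2
  tunnel name lns
  allow l2tp virtual-template 2 remote lac1 domain corpB.example
  tunnel authentication
  tunnel password simple PLACEHOLDER-SHARED-SECRET
```

The LAC side must enable tunnel authentication with the same non-null password; the domain carried in session negotiation then selects group 1 or group 2 on the LNS.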