
(Optional) Configuring IPsec encryption – H3C Technologies H3C Intelligent Management Center User Manual

Page 70 (manual page 52)

- The authentication server IP and the accounting server IP specified in the RADIUS scheme must be the IP address of the UAM server.
- The shared key and the authentication/accounting ports specified in the RADIUS scheme must match those configured for the access device on UAM. The shared key is what UAM and the gateway use to authenticate each other's RADIUS packets, so a mismatch causes every authentication request to fail.

2. Create a domain.
   When you configure a domain, follow these guidelines:
   - Specify the access mode as PPP access for endpoint users.
   - The RADIUS scheme used by the domain must be the one configured as explained in the previous topic.

3. Configure a virtual template.
   One end of an L2TP tunnel is the VPN virtual adapter on the PC, and the other end is the virtual template configured on the VPN gateway.
   When you configure a virtual template, you must specify these parameters:
   - Authentication method and domain for VPN users.
   - IP address of the virtual template.
   - IP address pool for VPN users. The IP address pool must be in the same subnet as the virtual template's IP address. If no existing IP address pool meets this requirement, configure a proper IP address pool before configuring the virtual template.

4. Configure an L2TP group.
   Enable the L2TP function and configure an L2TP group. When you configure an L2TP group, you must specify these parameters:
   - The virtual template used to respond to VPN user authentication requests (specify the virtual template configured in the previous step).
   - The L2TP tunnel's name and password.

After you configure L2TP, the VPN gateway can perform L2TP VPN authentication for users. This authentication provides only basic access security: the tunnel password authenticates the two tunnel endpoints and PPP authenticates the user, but L2TP itself does not encrypt the tunneled traffic. To protect the traffic as well as the login, configure the IPsec encryption function.

(Optional) Configuring IPsec encryption

1. Create an IKE proposal.
   You can create multiple IKE proposals at each end of an L2TP tunnel. The L2TP tunnel can be set up as long as one IKE proposal matches a proposal of the remote end.
   When you create an IKE proposal, follow these guidelines:
   - The negotiation mode selected for the VPN gateway must be consistent with that selected for the iNode client. The negotiation modes (IKE authentication methods) that the VPN gateway can select are pre-shared key and certificate.
   - To make sure an IKE proposal at one tunnel end matches one on the other end, the VPN gateway must select parameters that the iNode client supports. Take pre-shared key as an example. You can specify only MD5 or SHA as the authentication algorithm, DES-CBC or 3DES-CBC as the encryption algorithm, and group1 or group2 as the DH group. Of these, SHA, 3DES-CBC and group2 are the stronger choices; MD5, single DES (56-bit key) and the 768-bit group1 are weak by current standards and should be avoided unless the client leaves no alternative.

2. Create an IPsec policy.
   An IPsec policy can be configured manually or through IKE negotiation. IKE negotiation mode is used as the example here.
   In IKE negotiation mode, you only need to create an IPsec policy and reference an existing IKE peer, IPsec proposal, and ACL. Table 6 shows the detailed configuration.
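The whole procedure above, steps 2 to 4 of the L2TP configuration together with steps 1 and 2 of the optional IPsec configuration, as one illustrative gateway configuration. This is an added example written in the Comware V5-style CLI of H3C devices; it is not a configuration from the manual and not a copy of Table 6. Every name, address and secret in it is an assumption (the RADIUS scheme uam, the domain vpn.example, the UAM server 10.1.1.10, the VPN subnet 192.168.100.0/24, the interface GigabitEthernet0/0, and the placeholder passwords), and the ACL and the interface binding at the end are glue the page does not spell out. Lines starting with # are explanatory comments, not CLI input. Command syntax differs between device models and software versions, so verify each command against the device's command reference before use.

```text
# RADIUS scheme pointing at the UAM server (step 1 of the L2TP procedure).
# Server IP, ports and shared key must match the access device entry on UAM.
radius scheme uam
 primary authentication 10.1.1.10 1812
 primary accounting 10.1.1.10 1813
 key authentication simple Uam-Shared-Key
 key accounting simple Uam-Shared-Key
#
# Domain for endpoint users (step 2): PPP access, AAA through the RADIUS scheme.
domain vpn.example
 authentication ppp radius-scheme uam
 authorization ppp radius-scheme uam
 accounting ppp radius-scheme uam
#
# Address pool for VPN users (step 3); it lies in the virtual template's subnet.
ip pool vpn-users 192.168.100.2 192.168.100.254
#
# Virtual template (step 3): the gateway end of the L2TP tunnel.
interface Virtual-Template1
 ppp authentication-mode chap domain vpn.example
 ip address 192.168.100.1 255.255.255.0
 remote address pool vpn-users
#
# L2TP group (step 4): enable L2TP, bind the virtual template, set tunnel name/password.
l2tp enable
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel name vpn-gw
 tunnel password simple L2tp-Tunnel-Secret
#
# ---- Optional IPsec encryption ----
#
# IKE proposal (IPsec step 1): pre-shared key, and the strongest of the parameters
# the page lists as iNode-compatible (SHA over MD5, 3DES-CBC over DES-CBC, group2 over group1).
ike proposal 1
 authentication-method pre-share
 authentication-algorithm sha
 encryption-algorithm 3des-cbc
 dh group2
#
# IKE peer: the pre-shared key configured on the iNode clients, referencing proposal 1.
ike peer inode-clients
 exchange-mode main
 pre-shared-key simple Ike-Pre-Shared-Key
 proposal 1
#
# IPsec proposal: ESP with both integrity and encryption.
ipsec proposal esp-3des-sha1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
# ACL selecting the traffic to protect: the L2TP channel itself (UDP port 1701).
acl number 3000
 rule 0 permit udp source-port eq 1701
#
# IPsec policy (IPsec step 2) in IKE negotiation mode, referencing the IKE peer,
# the IPsec proposal and the ACL, then applied to the interface facing the clients.
ipsec policy l2tp-ipsec 10 isakmp
 security acl 3000
 ike-peer inode-clients
 proposal esp-3des-sha1
#
interface GigabitEthernet0/0
 ipsec policy l2tp-ipsec
#
```

For the tunnel to come up, the iNode client must use the same negotiation mode (pre-shared key), the same pre-shared key, and an IKE proposal that matches proposal 1; and the RADIUS shared key and ports must match the access device entry on UAM, otherwise user authentication fails before the tunnel carries any traffic. Because the clients' addresses are not known in advance, the example uses main-mode IKE with no remote address on the IKE peer; Comware V5 devices also offer IPsec policy templates for this responder role, which the manual does not cover here.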