R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
NOTE:
• For successful authentication of users, you also need to perform PPP configurations on the corresponding
interface of the LAC, for example, the asynchronous serial interface connecting with users.
• You must configure the authentication type for PPP users as PAP or CHAP on the user access interfaces.
• For information about AAA configuration commands and remote AAA authentication method
configuration, see Access Control Configuration Guide.
Configuring an LNS
An LNS responds to the tunneling requests from an LAC, authenticates users, and assigns IP addresses to
users.
Before configuring an LNS, you need to enable L2TP and create an L2TP group.
Creating a virtual interface template
A virtual interface template is intended to provide parameters for virtual access interfaces to be
dynamically created by the firewall, such as logical MP interfaces and logical L2TP interfaces.
After an L2TP session is established, a virtual access interface is needed for data exchange with the peer.
An LNS can use different virtual access (VA) interfaces to exchange data with different LACs. Hence, you
need to specify the virtual interface template for receiving calls. The system will dynamically create a VA
interface based on the configuration parameters in the specified virtual interface template.
Follow these steps to create a virtual interface template:
To do…                               Use the command…                        Remarks
Enter system view                    system-view                             —
Create a virtual interface template  interface virtual-template              Required
and enter its view                   virtual-template-number                 By default, no virtual interface
                                                                             template exists.
Configuring the local address and the address pool for allocation
After an L2TP tunnel is set up between an LAC and an LNS, the LNS needs to assign an IP address to a
VPN user. For this purpose, you can specify an IP address directly, or specify an address pool. Before
specifying an address pool, use the ip pool command in system view or ISP domain view to define the
address pool. For a VPN user that is to be authenticated, the IP address is selected from the address pool
configured in ISP domain view; for a VPN user that is not to be authenticated, it is selected from the global
address pool defined in system view.
Follow these steps to configure a local address and address pool:
To do…                               Use the command…                        Remarks
Enter system view                    system-view                             —
Enter virtual interface template     interface virtual-template              —
view                                 virtual-template-number
Configure the local IP address       ip address ip-address { mask |          Required
                                     mask-length } [ sub ]
Configure the authentication mode    ppp authentication-mode { chap |        Optional
for PPP users                        pap } [ [ call-in ] domain isp-name ]   By default, no authentication is
                                                                             performed for PPP users.
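
An added example, not taken from the HP guide: a Python check that scans a saved configuration for virtual interface templates left at the default of no PPP authentication, or set to PAP, which carries the password in cleartext. The sample configuration, its '#'-separated layout, and the finding labels are assumptions constructed for illustration.

```python
import re

# Constructed sample (assumption): saved-configuration layout with sections
# separated by '#' and each command indented one space under its interface.
SAMPLE_CONFIG = """\
#
interface Virtual-Template1
 ppp authentication-mode chap domain system
 ip address 192.168.0.1 255.255.255.0
#
interface Virtual-Template2
 ppp authentication-mode pap
 ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template3
 ip address 192.168.2.1 24
#
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
#
"""

HEADER = re.compile(r"^interface\s+virtual-template\s*(\d+)$", re.I)
AUTH = re.compile(r"^ppp\s+authentication-mode\s+(\S+)", re.I)
# Finding labels are hypothetical names chosen for this example.
VERDICT = {"chap": "ok", "pap": "pap-cleartext-password"}


def audit_virtual_templates(config_text):
    """Map each virtual interface template number to an authentication finding."""
    findings, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = int(header.group(1))
            # No ppp authentication-mode line means the default: no authentication.
            findings[current] = "no-authentication"
        elif not raw.startswith(" "):
            current = None          # '#' separator or a different section
        elif current is not None:
            auth = AUTH.match(line)
            if auth:
                findings[current] = VERDICT.get(auth.group(1).lower(), "unknown-mode")
    return findings


if __name__ == "__main__":
    for number, finding in sorted(audit_virtual_templates(SAMPLE_CONFIG).items()):
        print(f"Virtual-Template{number}: {finding}")
```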