R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
| To do… | Use the command… | Remarks |
|---|---|---|
| Specify the address pool for allocating an IP address to a VPN user, or assign an IP address to the user directly | remote address { pool [ pool-number ] \| ip-address } | Optional. By default, address pool 0 (the default address pool) is used. |
Configuring an LNS to grant certain L2TP tunneling requests
Upon receiving a tunneling request, an LNS determines whether to grant the request by checking whether the tunnel name of the LAC matches the one configured, and determines the virtual interface template to be used to create the VA interface.
Follow these steps to configure an LNS to grant certain L2TP tunneling requests:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter L2TP group view | l2tp-group group-number | — |
| Specify the virtual interface template for receiving calls, the tunnel name on the LAC, and the domain name (if the L2TP group number is not 1) | allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ] | Required. Use either command. By default, an LNS denies all incoming calls. |
| Specify the virtual interface template for receiving calls, the tunnel name on the LAC, and the domain name (if the L2TP group number is 1, the default) | allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ] | Required. Use either command. By default, an LNS denies all incoming calls. |
NOTE:
• The start l2tp command and the allow l2tp command are mutually exclusive. Configuring one of them automatically disables the other one.
• The LAC side tunnel name configured on the LNS must be consistent with the local tunnel name configured on the LAC.
Configuring user authentication on an LNS
An LNS may be configured to authenticate a user that has already passed authentication on the LAC, to increase security. In this case, the user is authenticated twice, once on the LAC and once on the LNS, and an L2TP tunnel is set up only when both authentications succeed.
On an L2TP network, an LNS authenticates users in one of three ways: proxy authentication, mandatory CHAP authentication, and LCP re-negotiation.
If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS performs proxy authentication. In this case, the LAC forwards to the LNS all authentication information from the user, together with the authentication mode configured on the LAC itself; the LNS therefore relies on what the LAC reports.
Among the three methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation together with the authentication mode configured on the corresponding virtual interface template. If only mandatory CHAP authentication is configured, the LNS performs CHAP authentication of the user.
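The following is an added example, not configuration from the guide, that ties together the commands discussed in the two preceding sections: a dedicated L2TP group that grants tunnel requests only from a named LAC, the default group 1 that accepts any LAC, a virtual interface template whose remote address comes from an address pool, and mandatory CHAP so the user is authenticated on the LNS as well as on the LAC. The tunnel names (lac-branch, lns-hq), the pool addresses, the user name and the placeholder secrets are assumptions chosen for illustration; the commands not shown on this page (l2tp enable, ip pool, ppp authentication-mode, tunnel name, tunnel authentication, tunnel password, mandatory-chap, local-user) are assumed from the same Comware command family and should be checked against the command reference for the installed release.

```text
# Added example (not from the guide). Addresses, names and secrets are assumed.
system-view
 l2tp enable
#
# PPP address pool 1 hands out 192.168.100.2 - 192.168.100.100 to VPN users
 ip pool 1 192.168.100.2 192.168.100.100
#
interface Virtual-Template 1
 # CHAP on the template is what mandatory-chap (below) will enforce on the LNS
 ppp authentication-mode chap domain system
 ip address 192.168.100.1 255.255.255.0
 # assign the user's address from pool 1 instead of the default pool 0
 remote address pool 1
#
# Group 2 (not group 1): the remote name is mandatory, so only a LAC whose
# local tunnel name is "lac-branch" is granted a tunnel through this group.
l2tp-group 2
 tunnel name lns-hq
 allow l2tp virtual-template 1 remote lac-branch domain system
 # authenticate the tunnel itself (shared secret must match on the LAC)
 tunnel authentication
 tunnel password cipher <tunnel-secret-placeholder>
 # re-authenticate the user on the LNS with CHAP rather than trusting proxy data
 mandatory-chap
#
# Group 1 (the default group): the remote name is optional, so this group
# accepts calls from any LAC. Omit it entirely if only named LACs are wanted.
l2tp-group 1
 allow l2tp virtual-template 1
#
local-user vpnuser
 password cipher <user-password-placeholder>
 service-type ppp
```

Two points follow from the tables above: because the start l2tp and allow l2tp commands are mutually exclusive, the groups shown can only act as LNS groups, and because a group other than 1 requires the remote keyword, the name given there must be exactly the local tunnel name the LAC is configured with or the request is denied.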
1. Configuring mandatory CHAP authentication