R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Mandatory LCP re-negotiation authentication is configured on the LNS and the virtual interface
template requires authenticating PPP users.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and passwords)
of VPN users for a second time. If a user passes the AAA authentication, the user can communicate with
the LNS. Otherwise, the L2TP session will be removed.
LNS side AAA configurations are similar to those on an LAC. For more information, see "Configuring AAA authentication of VPN users on LAC side."
Enabling L2TP multi-instance
For a device to act as LNS for multiple VPN domains, you need to enable the L2TP multi-instance function
on it. In this case, multiple enterprises can share the same LNS device.
In an L2TP multi-instance application, you need to specify the domain to which the VPN users belong by
using the domain keyword in the allow l2tp virtual-template command. After an L2TP tunnel is
established, the LNS reads the domain name carried in the session negotiation packet and looks for a
matching domain among the domains locally configured for VPN users. If there is an L2TP group whose
tunnel peer name and domain name both match, the LNS establishes the session according to the
configuration of that group. In this way, separate sessions are established for VPN users of different
domains.
Follow these steps to enable the L2TP multi-instance function:
To do…                                    Use the command…      Remarks
Enter system view                         system-view
Enable the L2TP multi-instance function   l2tpmoreexam enable   Required. Disabled by default.
NOTE:
In L2TP multi-instance applications, if the same remote tunnel name is configured on the LNS for different
L2TP groups, the tunnel authentication settings must also be the same for each of those groups. Otherwise, the
expected tunnels and sessions cannot be established because the tunnel authentication passwords do not
match.
Specifying an LNS to send ACCM
According to RFC 2661, the Asynchronous Control Character Map (ACCM) AVP enables an LNS to
inform the LAC of the ACCM that the LNS has negotiated with the PPP peer.
Not every LAC supports ACCM. Therefore, an LNS needs to know whether it should send ACCM.
By default, an LNS sends ACCM. You can configure the LNS not to send ACCM if the LAC does not
support ACCM.
Follow these steps to configure an LNS to send ACCM:
To do…                  Use the command…        Remarks
Enter system view       system-view
Specify to send ACCM    l2tp sendaccm enable    Required. By default, an LNS sends ACCM.
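As an added example that is not taken from this guide, the following Comware CLI configuration brings the multi-instance procedure above and the ACCM setting together on one LNS: two L2TP groups serve two VPN domains through the same remote tunnel name, so their tunnel authentication passwords are kept identical as the note requires. The domain names, the LAC tunnel name and the password are constructed placeholders, and the virtual-template interfaces 1 and 2 are assumed to already exist.

```text
system-view
 l2tp enable
# Enable multi-instance so one LNS can serve several VPN domains
 l2tpmoreexam enable
# Group 1: sessions whose negotiated domain is vpn-a.example (constructed name)
 l2tp-group 1
  allow l2tp virtual-template 1 remote lac-hq domain vpn-a.example
  tunnel authentication
  tunnel password simple tunnelpw1
  quit
# Group 2: same remote tunnel name (lac-hq), different domain.
# Because the remote name is shared with group 1, the tunnel authentication
# settings (enabled, same password) must be identical, or the tunnel will
# not come up and no session can be established for this domain.
 l2tp-group 2
  allow l2tp virtual-template 2 remote lac-hq domain vpn-b.example
  tunnel authentication
  tunnel password simple tunnelpw1
  quit
# The ACCM AVP is sent by default; this line only makes the default explicit
 l2tp sendaccm enable
```

Each session is matched on both the peer tunnel name and the domain carried in the negotiation packet, so a user in vpn-b.example lands on virtual-template 2 even though both groups accept tunnels from lac-hq.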