R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Step / Command

1. Enter system view.
   Command: system-view
2. Enter L2TP group view.
   Command: l2tp-group group-number
3. Enable the firewall to initiate tunneling requests to one or more IP addresses for one or more specified VPN users.
   Command: start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }
NOTE:
Up to five LNSs can be configured. The LAC initiates an L2TP tunneling request to its specified LNSs consecutively in their configuration order until it receives an acknowledgement from an LNS, which then becomes the tunnel peer.
Configuring an LAC to transfer AVP data in hidden mode
With L2TP, some parameters are transferred as attribute value pair (AVP) data. To improve security, you can configure an LAC to transfer AVP data in hidden mode, which encrypts the AVP data before transmission.
To configure an LAC to transfer AVP data in hidden mode:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter L2TP group view.
   Command: l2tp-group group-number
   Remarks: N/A
3. Specify that AVP data be transferred in hidden mode.
   Command: tunnel avp-hidden
   Remarks: Optional. By default, AVP data is transferred in plain text.
Configuring AAA authentication for VPN users on LAC side
You can configure an LAC to perform AAA authentication for VPN users and initiate a tunneling request only for qualified users. No tunnel will be established for unqualified users.
The firewall supports both local AAA authentication and remote AAA authentication:
• For local AAA authentication, create a local user and configure a password for each remote user on the LAC. The LAC authenticates a remote user by matching the provided username and password against those configured locally.
• For remote AAA authentication, configure the username and password of each user on the RADIUS/HWTACACS server. The LAC sends the remote user's username and password to the server for authentication.
To configure local authentication, authorization, and accounting:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a local user and enter its view.
   Command: local-user username
   Remarks: By default, no local user or password is configured on an LAC.
3. Configure a password for the local user.
   Command: password { simple | cipher } password
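The following is an added worked configuration that strings the three procedures above together on one LAC (tunnel initiation to a list of LNSs, AVP hiding, and a local user for local AAA authentication). It is not taken from the configuration guide. The L2TP group number, the two LNS addresses (taken from the 192.0.2.0/24 documentation range), the domain name and the username are constructed values, and the password is a placeholder to be replaced; only the commands listed on this page are used.

```text
# Added example configuration, not from the guide. All values below are constructed.
system-view
# Create L2TP group 1 (constructed group number) and enter its view.
l2tp-group 1
 # Initiate tunneling requests for users in the constructed domain example.com.
 # The LAC tries 192.0.2.10 first and falls back to 192.0.2.11 only if no
 # acknowledgement is received (up to five LNSs may be listed).
 start l2tp ip 192.0.2.10 ip 192.0.2.11 domain example.com
 # Optional: send AVP data in hidden mode instead of the plain-text default.
 tunnel avp-hidden
 quit
# Local AAA authentication: one local user per remote VPN user.
local-user vpnuser1
 # "cipher" stores the password in encrypted form in the configuration file;
 # "simple" would store it in plain text. Replace the placeholder before use.
 password cipher <REPLACE-WITH-USER-PASSWORD>
 quit
```

A quick check after entering this is to display the running configuration and confirm that the local-user entry shows the password in cipher form and that the L2TP group lists the LNS addresses in the intended order, since that order is the order in which the LAC will try them.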