R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

261

262

263

264

265

266

267

268

269

270

254

Ste

Command

Remarks

2. Enter L2TP group view.

l2tp-group group-number N/A

3. Specify the virtual

template interface for

receiving calls, the

tunnel name on the

LAC, and the domain

name.

• If the L2TP group number is 1 (the

default):

allow l2tp virtual-template

virtual-template-number [ remote

remote-name ] [ domain domain-name ]

• If the L2TP group number is not 1:

allow l2tp virtual-template

virtual-template-number remote

remote-name [ domain domain-name ]

Use either command.

By default, an LNS denies all

incoming calls.

If the L2TP group number is 1, you

do not need to specify the LAC

side tunnel name. In L2TP group

1, the LNS allows the LAC to

initiate a tunneling request by

using any tunnel name.

NOTE:

• The start l2tp command and the allow l2tp command are mutually exclusive. Confi

urin

one of them

automatically disables the other one.

• The LAC side tunnel name configured on the LNS must be consistent with the local tunnel name

configured on the LAC.

Configuring user authentication on an LNS

An LNS may be configured to authenticate a user that has passed authentication on the LAC to increase

security. In this case, the user is authenticated twice, once on the LAC and once on the LNS. Only when

the two authentications succeed can an L2TP tunnel be set up. This helps raise security.

An LNS authenticates users by using one of the following methods:

• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all

user authentication information from users and the authentication mode configured on the LAC itself.

The LNS then checks the user validity according to the received information and the locally

configured authentication method.

• Mandatory CHAP authentication—The LNS uses CHAP authentication to re-authenticate users who

have passed authentication on the LAC.

• LCP re-negotiation—The LNS ignores the LAC proxy authentication information and performs a

new round of LCP negotiation with the user.

The three authentication methods have different priorities, where LCP re-negotiation has the highest

priority and proxy authentication has the lowest priority. Which method the LNS uses depends on your

configuration:

• If you configure both LCP re-negotiation and mandatory CHAP authentication, the LNS uses LCP

re-negotiation.

• If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication of

users.

• If you configure neither LCP re-negotiation nor mandatory CHAP authentication, the LNS uses the

LAC for proxy authentication of users.

1. Configuring mandatory CHAP authentication:

With mandatory CHAP authentication configured, a VPN user that depends on a NAS to initiate

tunneling requests is authenticated twice: once by the NAS and once through CHAP on the LNS.

To configure mandatory CHAP authentication: