3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

120 CHAPTER 8: CONFIGURATION OF L2TP
If neither LCP re-negotiation nor mandatory CHAP authentication is configured,
LNS performs agent authentication on the user. In this case, LAC sends LNS all
authentication information received from the user, together with the
authentication mode configured on the LAC side. If no authentication mode is
configured for the virtual template interface, the LNS side accepts the
authentication result from the LAC side.
When LNS adopts agent authentication, the session is allowed to be created if the
authentication mode configured on the virtual template interface is PAP and the
authentication succeeds. If the authentication mode configured on the virtual
template interface is CHAP while that configured on the LAC side is PAP,
authentication fails and the session cannot be created, because the CHAP
authentication level demanded by LNS is higher than the PAP authentication
supplied by LAC.
By default, the local end does not perform CHAP authentication.
Forcing LCP to Re-negotiate
For NAS-Initialized VPN, the user first performs PPP negotiation with NAS when the
PPP session starts. If the negotiation passes, NAS initiates the L2TP tunnel
connection and transmits the user information to LNS, so that LNS can judge
whether the user is legal according to the received agent authentication
information. In some cases (for example, when authentication and accounting must
both be performed on the LNS side), re-negotiation must be performed between LNS
and the user, and the agent authentication information from the NAS side is
ignored.
The configuration of mandatory LCP re-negotiation is optional on LNS side.
Perform the following configuration in L2TP group view.
By default, LCP re-negotiation is not performed.
Even if LCP re-negotiation is enabled, LNS does not authenticate the user if
authentication is not configured on the associated virtual template interface. In
this case, the user is authenticated only once, on the LAC side, and an address
from the global address pool is assigned to the client directly.
Setting Local Address and Assigning Address Pool
After the L2TP tunnel connection between LAC and LNS is created, LNS should
assign IP addresses to VPN users from an address pool. Before an address pool is
specified, you must use the ip pool command in system view or domain view to
define the address pool. For a detailed description of the ip pool command, refer
to the "Security" part of this manual. If LNS adopts agent authentication or
Table 111 Enable mandatory local CHAP authentication
Operation                                    Command
Enable mandatory local CHAP authentication   mandatory-chap
Disable local CHAP authentication            undo mandatory-chap

Table 112 Enable/disable mandatory LCP re-negotiation
Operation                                    Command
Enable mandatory LCP re-negotiation          mandatory-lcp
Disable mandatory LCP re-negotiation         undo mandatory-lcp
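The following LNS-side configuration sketch is an added example, not taken from this manual, that places the agent-authentication default beside an L2TP group that uses the mandatory-chap and mandatory-lcp commands from Tables 111 and 112 together with an LNS-defined address pool. The group numbers, LAC names, addresses, pool number and tunnel password are assumed values, and the tunnel name, allow l2tp, tunnel authentication, tunnel password, interface virtual-template, ppp authentication-mode and remote address pool commands are assumed from the Comware command set rather than taken from this page.

```text
# Added example, not from the manual. Assumed values: group numbers, LAC
# names, addresses, pool number, tunnel password.

# System view: address pool from which LNS assigns VPN user addresses
 ip pool 1 10.1.1.2 10.1.1.254

# Virtual template 1: no authentication mode configured, so with agent
# authentication the LNS accepts whatever result the LAC forwards.
 interface virtual-template 1
  ip address 10.1.1.1 255.255.255.0
  remote address pool 1

# Virtual template 2: CHAP configured locally. A LAC that only performed
# PAP cannot satisfy this level, so such sessions fail as described above.
 interface virtual-template 2
  ip address 10.1.2.1 255.255.255.0
  ppp authentication-mode chap
  remote address pool 1

# L2TP group 1: default behaviour (agent authentication); LNS trusts LAC.
 l2tp-group 1
  tunnel name LNS
  allow l2tp virtual-template 1 remote LAC-branch1
  tunnel authentication
  tunnel password simple ASSUMED-SECRET

# L2TP group 2: LNS re-authenticates the user itself. mandatory-lcp forces
# a new LCP negotiation and discards the forwarded agent information;
# mandatory-chap makes LNS run CHAP locally against virtual template 2.
 l2tp-group 2
  tunnel name LNS
  allow l2tp virtual-template 2 remote LAC-branch2
  tunnel authentication
  tunnel password simple ASSUMED-SECRET
  mandatory-lcp
  mandatory-chap
```

Note that mandatory-lcp alone does not make LNS authenticate anything: without ppp authentication-mode on the virtual template, the user is still authenticated only once, on the LAC.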