HP VPN Firewall Appliances VPN Configuration Guide

Step                                          Command          Remarks
3. Configure mandatory CHAP authentication.   mandatory-chap   By default, CHAP authentication is not performed on an LNS.
2. Configuring LCP renegotiation
In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session.
If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information
to the LNS. The LNS then determines whether the user is valid according to the proxy
authentication information received.
Under some circumstances, for example, when authentication and accounting are needed on the
LNS, a new round of LCP negotiation is required between the LNS and the user, and the LNS
authenticates the user by using the authentication method configured on the corresponding VT
interface.
If you enable LCP renegotiation but configure no PPP authentication on the corresponding VT interface,
the LNS does not authenticate the users a second time. Instead, it directly allocates addresses from the
global address pool to the PPP users that the LAC has already authenticated. In that configuration the LNS
is trusting the LAC's authentication result entirely.
To specify the LNS to perform LCP renegotiation with users:
Step                                                          Command                   Remarks
1. Enter system view.                                         system-view               N/A
2. Enter L2TP group view.                                     l2tp-group group-number   N/A
3. Specify the LNS to perform LCP renegotiation with users.   mandatory-lcp             By default, an LNS does not perform LCP renegotiation with users.
Configuring AAA authentication for VPN users on an LNS
Configure AAA on the LNS in the following cases:
• Proxy authentication is configured on the LNS.
• Mandatory CHAP authentication is configured on the LNS.
• Mandatory LCP renegotiation is configured on the LNS and the VT interface requires PPP user
authentication.
After you configure AAA on the LNS, the LNS can authenticate the identities (usernames and passwords)
of VPN users for a second time. If a user passes AAA authentication, the user can communicate with the
LNS. Otherwise, the L2TP session will be removed.
LNS side AAA configurations are similar to those on an LAC (see "Configuring AAA authentication for
VPN users on LAC side").
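The following is an added example that ties the preceding three procedures together (mandatory CHAP or
LCP renegotiation on the L2TP group, PPP authentication on the VT interface, and local AAA on the LNS).
It is not taken from this guide; the L2TP group number (1), the LAC tunnel name (lac1), the VT interface
number (1), the ISP domain name (vpdn), the user name, the address pool range and both passwords are
assumed values chosen for illustration.

```text
# Added example, not from the HP guide. All names and values are assumed.
system-view
 l2tp enable

# Local AAA for the second (LNS-side) authentication. A user that fails
# here has its L2TP session removed.
 domain vpdn
  authentication ppp local
  authorization ppp local
  accounting ppp local
  ip pool 1 10.1.1.2 10.1.1.100
  quit
 local-user user1
  password simple Us3r-Secr3t
  service-type ppp
  quit

# The VT interface carries the authentication method that the LNS applies
# during LCP renegotiation. Omitting the "ppp authentication-mode" line
# turns mandatory-lcp into address assignment only, with no re-authentication.
 interface Virtual-Template 1
  ppp authentication-mode chap domain vpdn
  ip address 10.1.1.1 255.255.255.0
  remote address pool 1
  quit

# L2TP group acting as the LNS for tunnels from lac1. The domain keyword
# binds sessions from this LAC to ISP domain vpdn.
 l2tp-group 1
  allow l2tp virtual-template 1 remote lac1 domain vpdn
  tunnel authentication
  tunnel password simple t-secret
  mandatory-lcp
  quit
```

To re-challenge users with CHAP without a full LCP renegotiation, configure mandatory-chap in the L2TP
group instead of mandatory-lcp; the domain, local-user and VT interface configuration stay the same, since
the guide requires AAA on the LNS in both cases. Whichever command is used, check that the VT interface
actually has a ppp authentication-mode line; without it the LNS accepts the LAC's proxy authentication as
final and hands out pool addresses to every PPP user the LAC forwards.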
Enabling L2TP for VPNs
If multiple enterprises share the same LNS device and use the same name for the tunnel peers (LAC
devices), the LNS device is unable to differentiate which users belong to which enterprises. The L2TP
support for VPNs function can solve this problem. With this function, an LNS can differentiate multiple
VPN domains and service users of different enterprises simultaneously.
In an L2TP VPN application, specify the domain to which VPN users belong by using the domain
keyword in the allow l2tp virtual-template command. After an L2TP tunnel is established, the LNS
obtains the domain name from the session negotiation packet and searches for the same domain among