Enabling l2tp multi-instance, Specifying to send accm, Configuring l2tp connection parameters – H3C Technologies H3C SecPath F1000-E User Manual


LNS side AAA configurations are similar to those on an LAC (see "Configuring AAA authentication for VPN users on LAC side").

Enabling L2TP multi-instance

If multiple enterprises share the same LNS device and use the same name for the tunnel peers (LAC devices), the LNS device is unable to differentiate which users belong to which enterprises. The L2TP multi-instance function can solve this problem. With this function, an LNS can differentiate multiple VPN domains and service users of different enterprises simultaneously.

In an L2TP multi-instance application, specify the domain to which VPN users belong by using the domain keyword in the allow l2tp virtual-template command. After an L2TP tunnel is established, the LNS obtains the domain name from the session negotiation packet and searches for the same domain among those locally configured for VPN users. If an L2TP group's tunnel peer name and domain name match, the LNS establishes a session according to the group configuration. Thus, different sessions can be established for VPN users of different domains.
To enable the L2TP multi-instance function:

Step  Task                                        Command                 Remarks
1.    Enter system view.                          system-view             N/A
2.    Enable the L2TP multi-instance function.    l2tpmoreexam enable     Disabled by default

NOTE:

If multiple L2TP groups on the LNS are configured with the same remote tunnel name, make sure that their tunnel authentication settings are the same. Mismatching tunnel authentication passwords will result in tunnel establishment failure.

Specifying to send ACCM

According to RFC 2661, the Asynchronous Control Character Map (ACCM) AVP enables an LNS to inform the LAC of the ACCM that the LNS has negotiated with the PPP peer.

Not every LAC supports ACCM. Therefore, an LNS needs to know whether it should send ACCM. By default, an LNS sends ACCM. If the LAC does not support ACCM, configure the LNS not to send ACCM.

To configure an LNS to send ACCM:

Step  Task                     Command                 Remarks
1.    Enter system view.       system-view             N/A
2.    Specify to send ACCM.    l2tp sendaccm enable    By default, an LNS sends ACCM.

Configuring L2TP connection parameters

These L2TP connection parameter configuration tasks apply to both LACs and LNSs and are optional.

Configuring L2TP tunnel authentication

You can enable tunnel authentication to allow the LAC and LNS to authenticate each other. Either the LAC or the LNS can initiate a tunnel authentication request. To implement tunnel authentication, enable tunnel authentication on both the LAC and LNS, and configure the same non-null password on them.
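The following LNS configuration, added here as an illustration and not taken from the H3C manual, ties the multi-instance, ACCM and tunnel authentication tasks above together: two enterprises whose LACs both present the tunnel name "lac1" are told apart by domain, and because the two groups share a remote tunnel name they are given identical tunnel authentication settings. Domain names, the tunnel password and the device name are constructed values; command syntax not listed on this page (l2tp enable, l2tp-group, tunnel name, tunnel authentication, tunnel password, domain, authentication ppp, undo l2tp sendaccm enable) is assumed from the Comware L2TP and AAA command references.

```text
# Added example, not from the manual. Lines starting with "#" are annotations.
<LNS> system-view
[LNS] l2tp enable
# Let the LNS distinguish VPN domains behind LACs that share one tunnel name
[LNS] l2tpmoreexam enable

# One ISP domain per enterprise; users log in as user@companya.com / user@companyb.com
[LNS] domain companya.com
[LNS-isp-companya.com] authentication ppp local
[LNS-isp-companya.com] quit
[LNS] domain companyb.com
[LNS-isp-companyb.com] authentication ppp local
[LNS-isp-companyb.com] quit

# Group 1: sessions from peer "lac1" whose users belong to companya.com
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name lns
[LNS-l2tp1] allow l2tp virtual-template 1 remote lac1 domain companya.com
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher SharedTunnelSecret
[LNS-l2tp1] quit

# Group 2: same remote name "lac1", different domain.
# Tunnel authentication and password MUST match group 1 (see the NOTE above),
# otherwise tunnel establishment fails for both enterprises.
[LNS] l2tp-group 2
[LNS-l2tp2] tunnel name lns
[LNS-l2tp2] allow l2tp virtual-template 2 remote lac1 domain companyb.com
[LNS-l2tp2] tunnel authentication
[LNS-l2tp2] tunnel password cipher SharedTunnelSecret
[LNS-l2tp2] quit

# Sending the ACCM AVP is the default; disable it only if the LACs do not support it
[LNS] undo l2tp sendaccm enable
```

Each LAC must enable tunnel authentication and carry the same non-null password as the LNS, and the Virtual-Template interfaces referenced by the two groups still need their usual PPP and IP settings.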
