3Com 3031 Installation Instructions

CHAPTER 63: CONFIGURATION OF L2TP
Perform the following configuration in L2TP group view.
If neither LCP re-negotiation nor forced CHAP authentication is configured, the LNS performs agent authentication of the user. In this case, the LAC sends the LNS all authentication information received from the user, together with the authentication mode configured on the LAC side, and the LNS accepts the authentication result from the LAC side.
When the LNS uses agent authentication, if the authentication mode configured on the virtual template is CHAP and the mode configured on the LAC side is PAP, authentication fails and the session cannot be created, because the CHAP authentication level demanded by the LNS is higher than the PAP authentication supplied by the LAC.
By default, the local end does not perform CHAP authentication.
Forcing LCP to Re-negotiate
For NAS-Initialized VPN, the user first performs PPP negotiation with the NAS when the PPP session starts. If the negotiation passes, the NAS initiates the L2TP tunnel connection and transmits the user information to the LNS, so that the LNS can judge whether the user is legitimate according to the received agent authentication information.
In some specific cases (e.g. when authentication and accounting must both be performed on the LNS side), LCP must be re-negotiated between the LNS and the user, and the agent authentication information from the NAS side is ignored.
Forcing LCP re-negotiation is optional on the LNS side.
Perform the following configuration in L2TP group view.
By default, LCP re-negotiation is not performed.
After LCP re-negotiation is enabled, if authentication is not configured on the related virtual template, the LNS does not perform a second authentication of the user. In this case, the user is authenticated only once, on the LAC side.
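The rules above, collected into a small model that reports which side actually authenticates the user for a given LNS configuration. This is an added example, not code from the 3Com manual; the class, field and function names are hypothetical, the sample configurations are constructed, and the precedence of mandatory-lcp over mandatory-chap and the acceptance of mode combinations the page does not mention are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LnsGroup:
    """Constructed model of one L2TP group on the LNS (field names are hypothetical)."""
    mandatory_lcp: bool = False      # mandatory-lcp configured
    mandatory_chap: bool = False     # mandatory-chap configured
    vt_auth: Optional[str] = None    # virtual template authentication: "pap", "chap" or None
    lac_auth: str = "pap"            # mode the LAC used with the user

def evaluate(g: LnsGroup) -> tuple:
    """Return (outcome, reason); outcome is 'lns', 'lac-only' or 'fail'."""
    # Assumption: mandatory-lcp is checked before mandatory-chap when both are set.
    if g.mandatory_lcp:
        if g.vt_auth is None:
            return ("lac-only", "LCP re-negotiated, but no authentication on the "
                                "virtual template: no second authentication")
        return ("lns", f"LNS re-negotiates LCP and authenticates with {g.vt_auth}; "
                       "agent information from the LAC is ignored")
    if g.mandatory_chap:
        return ("lns", "LNS performs its own CHAP authentication")
    # Neither option set: agent authentication.
    if g.vt_auth == "chap" and g.lac_auth == "pap":
        return ("fail", "virtual template demands CHAP, LAC supplied PAP")
    # Assumption: every other mode combination is accepted; the page names only
    # the CHAP-over-PAP mismatch as a failure.
    return ("lac-only", "LNS accepts the authentication result from the LAC")

def lac_trusted_groups(groups: dict) -> list:
    """Names of groups where the user is authenticated only on the LAC side."""
    return sorted(n for n, g in groups.items() if evaluate(g)[0] == "lac-only")

# Constructed sample configurations, not taken from any real device.
SAMPLE = {
    "default": LnsGroup(),
    "mismatch": LnsGroup(vt_auth="chap", lac_auth="pap"),
    "lcp-no-auth": LnsGroup(mandatory_lcp=True),
    "lcp-chap": LnsGroup(mandatory_lcp=True, vt_auth="chap"),
    "forced-chap": LnsGroup(mandatory_chap=True, vt_auth="chap"),
}

if __name__ == "__main__":
    for name, group in SAMPLE.items():
        print(f"{name:12} {evaluate(group)}")
    print("LAC-trusted:", lac_trusted_groups(SAMPLE))
```

Groups reported by lac_trusted_groups are the ones where the LNS relies entirely on the LAC's authentication result.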
Setting Local Address and Assigning Address Pool
After the L2TP tunnel connection between the LAC and the LNS is created, the LNS should assign IP addresses to VPN users from an address pool. Before the address pool is specified, the ip pool command needs to be used in system view to define an address pool. For a detailed description of the ip pool command, refer to the command reference manual “Command section in security configuration”.
These configurations are optional on the LNS side.
Table 964   Forcing local CHAP authentication
Operation                                          Command
Force local end to perform CHAP authentication     mandatory-chap
Remove local end CHAP authentication               undo mandatory-chap
Table 965   Forcing/removing LCP re-negotiation
Operation                                          Command
Force LCP re-negotiation                           mandatory-lcp
Remove LCP re-negotiation                          undo mandatory-lcp