Huawei-AR-Router-L2TP VPN

As enterprises grow and services expand, branches are set up in many locations, staff often travel on business, and some work from home. All of them need a fast, secure, and reliable connection to the headquarters network. On a traditional dial-up network they use phone lines leased from an Internet Service Provider (ISP) and apply to the ISP for a dial string or IP addresses, which is expensive. In addition, leased lines cannot serve off-site staff, especially those on business trips. To use the PSTN or ISDN and let users at different locations reach the headquarters network easily, a VPDN is needed. A VPDN establishes a transparent point-to-point virtual link between remote users and the headquarters gateway.

Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dial-up Network (VPDN) technology that lets users dial up and establish tunnel connections with a remote end. L2TP relies on the PSTN or ISDN and sets up tunnels on top of PPP negotiation. It therefore extends the Point-to-Point Protocol (PPP) and plays an important role in VPDN deployments where remote dial-up users access the headquarters network. PPP over Ethernet (PPPoE) in turn extends L2TP, so that L2TP tunnels can be established between remote users and the headquarters over Ethernet and the Internet.

L2TP tunnels are established between the L2TP Network Server (LNS) and the L2TP Access Concentrator (LAC); once a tunnel is up, remote users can access resources in the headquarters.

The LAC is an L2TP client, and the LNS is an L2TP server. A device can be deployed as the LAC or the LNS.

Let's look at how to set up an L2TP server and an L2TP client on a Huawei AR2240C router.

L2TP Server

An L2TP server is deployed in the headquarters and acts as the gateway.

After receiving user information from an L2TP client, the L2TP server authenticates the user and responds to the L2TP tunnel setup request from the L2TP client. An L2TP connection is then set up between the L2TP server and the L2TP client.

Procedure

Creating an L2TP server

1. Choose VPN > L2TP VPN > L2TP Server.

Figure 1 L2TP Server


2. In the Global Settings area, set L2TP status to Enable, and click Apply.

3. Click Create in the Service List area.

Figure 2 Create L2TP Server


4. In the Create L2TP Server dialog box, set parameters listed in Table 1 based on the site requirements.

5. Click OK.

The created L2TP server is displayed in the Service List area. Table 2 describes parameters in the service list.

Table 1 L2TP server parameters

Default Tunnel
  Whether to configure a default L2TP tunnel.
  When a default L2TP tunnel is used, any L2TP client can establish an L2TP connection with the L2TP server. The default L2TP tunnel cannot be changed to a non-default L2TP tunnel.

Tunnel name
  Tunnel name of an L2TP client that can access the L2TP server.

Tunnel authentication
  When this parameter is selected, the L2TP server authenticates the L2TP client that initiates the tunnel setup request. An L2TP tunnel can be set up only when tunnel authentication is enabled and the same tunnel password is set on the L2TP server and client.

Tunnel password
  Required if tunnel authentication is enabled. An L2TP tunnel can be set up only when tunnel authentication is enabled and the same tunnel password is set on the L2TP server and client.

Confirm password
  Enter the password again in the Confirm password text box to guard against a mistyped password.

Authentication mode
  Authentication mode for L2TP clients.

  • PAP: two-way handshake authentication protocol that transmits passwords in plain text. PAP is used on networks that do not require high security.

  • CHAP: three-way handshake authentication protocol that transmits passwords in cipher text. On networks requiring high security, CHAP authentication is used to establish a PPP connection. In practice, CHAP authentication is widely used.

AAA domain
  AAA domain. If you select a domain, the authentication mode of the domain is used.
  By default, an AAA domain named default exists on the router, and the default domain uses the authentication mode named default.

Gateway IP/Subnet mask
  Private IP address and address pool of the L2TP server.
  In the Gateway IP/Subnet mask parameter, Gateway IP indicates the gateway address of the L2TP client, and Subnet mask indicates the IP address that is allocated to the L2TP client.

Server name
  Tunnel name of an L2TP server.
  By default, no tunnel name is configured for the L2TP server, and the device name is used as the tunnel name. To view or change the device name, see Device Information.

Keepalive interval (seconds)
  Interval for sending Hello packets through the tunnel.
  After a tunnel is set up between an L2TP client and the L2TP server, the L2TP server sends Hello packets to the L2TP client at the specified interval to check the connection. If the L2TP server receives no response from the L2TP client after sending 3 consecutive Hello packets, the tunnel connection between the L2TP client and L2TP server terminates automatically.
  The default value is 60 seconds.

AVP data
  AVP parameter encryption in L2TP packets.
  When this parameter is set, L2TP negotiation packets are encrypted during L2TP session setup, which improves security but increases the tunnel setup time. L2TP negotiation can be performed properly only when AVP parameter encryption is enabled on both the L2TP client and the L2TP server.
  By default, AVP parameters are not encrypted.

Mandatory LCP re-negotiation
  LCP renegotiation.
  If mandatory LCP renegotiation is enabled, the L2TP server performs a second authentication after the first LCP negotiation is complete. The L2TP client must initiate the second negotiation, and the L2TP connection can be set up only after the second negotiation succeeds. Mandatory LCP renegotiation is applicable to scenarios that require high network security, and increases tunnel setup time.
  By default, mandatory LCP renegotiation is disabled.
  NOTE:
  Some PPP clients may not support the second authentication. In this case, the L2TP connection fails when LCP renegotiation is enabled.
  When LCP renegotiation and mandatory CHAP authentication are configured simultaneously in an L2TP group, LCP renegotiation takes effect.

Mandatory CHAP authentication
  Mandatory CHAP authentication.
  If mandatory CHAP authentication is enabled, the L2TP server performs only CHAP authentication on L2TP clients. If CHAP authentication fails, the session cannot be set up. Mandatory CHAP authentication is applicable to scenarios that require high network security, and increases tunnel setup time.
  By default, mandatory CHAP authentication is disabled.
  NOTE:
  Some PPP clients may not support the second authentication. In this case, the L2TP connection fails when mandatory CHAP authentication is enabled.
  When LCP renegotiation and mandatory CHAP authentication are configured simultaneously in an L2TP group, LCP renegotiation takes effect.

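The Tunnel authentication, Tunnel password and Authentication mode rows describe behaviour without showing why the password must match on both sides or what "plain text" versus "cipher text" means on the wire. The following Python script is an added example, not Huawei code and not taken from this page. It implements the challenge/response construction that L2TP tunnel authentication (RFC 2661, section 5.1.1) and PPP CHAP (RFC 1994) use, MD5 over a one-octet identifier, the shared secret and the challenge, and contrasts it with a PAP Authenticate-Request, in which user name and password travel in the clear. The function names, the sample tunnel password Huawei@123 and the sample user names are constructed for this demo.

```python
"""Added example (not Huawei code): L2TP tunnel authentication and PPP
CHAP versus PAP, as described in the L2TP server parameter table.

L2TP tunnel authentication (RFC 2661 5.1.1): a peer proves it knows the
tunnel password by returning
    MD5( message_type (1 octet) || tunnel_password || challenge )
where message_type is 2 for SCCRP and 3 for SCCCN. The password itself
never leaves the device. PPP CHAP (RFC 1994) uses the same shape:
    MD5( identifier (1 octet) || secret || challenge )
PAP (RFC 1334) simply sends peer-id and password in cleartext.
"""
import hashlib
import os

SCCRP = 2  # Start-Control-Connection-Reply (server answers the client's challenge)
SCCCN = 3  # Start-Control-Connection-Connected (client answers the server's challenge)


def l2tp_challenge_response(msg_type: int, tunnel_password: bytes, challenge: bytes) -> bytes:
    """Value of the Challenge Response AVP for one L2TP control message."""
    return hashlib.md5(bytes([msg_type]) + tunnel_password + challenge).digest()


def l2tp_tunnel_auth(server_password: bytes, client_password: bytes) -> bool:
    """Simulate SCCRQ -> SCCRP -> SCCCN with tunnel authentication enabled.

    Returns True only when both peers hold the same tunnel password, which is
    exactly the condition the table states for the tunnel to come up.
    """
    # SCCRQ: the client (LAC) sends a random challenge to the server (LNS).
    client_challenge = os.urandom(16)
    # SCCRP: the server answers that challenge and sends its own challenge.
    server_challenge = os.urandom(16)
    server_response = l2tp_challenge_response(SCCRP, server_password, client_challenge)
    # The client checks the server's answer with its own copy of the password.
    if server_response != l2tp_challenge_response(SCCRP, client_password, client_challenge):
        return False  # server failed authentication; tunnel is torn down
    # SCCCN: the client answers the server's challenge; the server verifies it.
    client_response = l2tp_challenge_response(SCCCN, client_password, server_challenge)
    return client_response == l2tp_challenge_response(SCCCN, server_password, server_challenge)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """PPP CHAP Response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side CHAP check; the secret is never compared in the clear."""
    return chap_response(identifier, secret, challenge) == response


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): length-prefixed cleartext fields."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def password_visible_on_wire(payload: bytes, password: bytes) -> bool:
    """True if the password appears verbatim in the bytes that would be sent."""
    return password in payload


if __name__ == "__main__":
    pw = b"Huawei@123"  # constructed sample tunnel password
    print("tunnel auth, matching passwords :", l2tp_tunnel_auth(pw, pw))
    print("tunnel auth, mismatched password:", l2tp_tunnel_auth(pw, b"wrong"))
    challenge = os.urandom(16)
    resp = chap_response(1, b"s3cret", challenge)
    print("CHAP verify                     :", chap_verify(1, b"s3cret", challenge, resp))
    print("PAP exposes password            :",
          password_visible_on_wire(pap_authenticate_request(b"alice", b"s3cret"), b"s3cret"))
    print("CHAP exposes password           :", password_visible_on_wire(resp, b"s3cret"))
```

Run the script directly to see the four outcomes; the mismatched-password case is the failure mode the table warns about, and the PAP/CHAP comparison is why the table recommends CHAP wherever security matters.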

Table 2 Parameters in the service list

Tunnel Name
  Tunnel name of an L2TP client that can access the L2TP server.
  You do not need to specify the tunnel name when configuring the default tunnel.

Connected User Quantity
  Number of access users on the L2TP server. You can click Details to manage access users.

Modifying an L2TP server

1. Choose VPN > L2TP VPN > L2TP Server.

2. In the Service List area, select an L2TP server, and click the modify button on the right.

3. In the Modify L2TP Server dialog box, modify parameters listed in Table 1.

4. Click OK to save the settings.

Deleting an L2TP server

1. Choose VPN > L2TP VPN > L2TP Server.

2. In the Service List area, select the L2TP server to delete, and click Restart to terminate the tunnel connection.

3. Click Delete.

4. In the dialog box that is displayed, click OK.

After these steps, the deleted L2TP server is no longer displayed in the Service List area.

Managing access users on the L2TP server

1. Choose VPN > L2TP VPN > L2TP Server.

2. Select an L2TP server and click Details next to the number of access users.

3. In the Connected User window, view information about access users listed in Table 3. You can query access users by user name or IP address, and select a user and click Disconnected Forcibly to terminate the L2TP connection.

Table 3 Parameters of access users

User Name
  Name of a remote user.

IP Address
  IP address that the L2TP server allocates to a remote user.

L2TP Client

An L2TP client is deployed on the remote user side and connects to the L2TP server in automatic dial-up mode.

An L2TP client initiates a virtual dial-up request and sends information about itself to the L2TP server. The L2TP server authenticates the client information and completes the L2TP connection setup. Once a remote user is connected to the L2TP server through the L2TP client, the user can access resources in the headquarters where the L2TP server is located, without any extra configuration.

Procedure

Creating an L2TP client

1. Choose VPN > L2TP VPN > L2TP Client.

Figure 1 L2TP Client


2. In the Global Settings area, set L2TP status to Enable, and click Apply.

3. Click Create in the Client List area.


4. In the dialog box, set parameters listed in Table 1 based on the site requirements.

5. Click OK.

The created L2TP client is displayed in the Client List area. Table 2 describes parameters in the client list.

6. Select the new L2TP client in the Client List area, and click Enable Auto Dialing.

Table 1 L2TP client parameters

Server IP address
  Name of a remote user.

Server Domain
  IP address that the L2TP server allocates to a remote user.

User name
  User name of an L2TP client. An L2TP tunnel can be set up only when the same L2TP user name and password are configured on the L2TP client and L2TP server.
  You cannot set this parameter to the name of an online user.

Password
  Password of an L2TP client.

Destination IP/Subnet mask 1
  Allowed IP address segments on the L2TP server. Data of users who access the L2TP server is forwarded through the L2TP tunnel.
  An L2TP client supports a maximum of 10 IP address segments.

NAT status
  The value Yes indicates that the source IP address of the data flow forwarded through the L2TP tunnel is replaced with the IP address allocated to the L2TP client by the L2TP server.
  By default, NAT is disabled.

Tunnel name
  Tunnel name of an L2TP client.
  By default, the device name is used as the tunnel name. To view or change the device name, see Device Information.

Tunnel authentication
  If tunnel authentication is enabled on the L2TP server, tunnel authentication must be enabled on the L2TP client.
  By default, tunnel authentication is disabled.

Tunnel password
  Password for tunnel authentication.
  The tunnel password set on the L2TP client must be the same as that set on the L2TP server; otherwise, the L2TP client cannot pass the authentication.
  The value is a string of 1 to 16 case-sensitive characters without metacharacters, such as spaces and question marks.
  By default, no tunnel password is set.

Keepalive interval (seconds)
  Interval for sending Hello packets through the tunnel.
  After a tunnel is set up between an L2TP client and the L2TP server, the L2TP client sends Hello packets to the L2TP server at the specified interval to check the connection. If the L2TP client receives no response from the L2TP server after sending three consecutive Hello packets, the tunnel connection between the L2TP client and the L2TP server terminates automatically.
  The default value is 60 seconds.

AVP data
  AVP parameter encryption in L2TP packets.
  When this parameter is set, L2TP negotiation packets are encrypted during L2TP session setup, which improves security but increases the tunnel setup time. L2TP negotiation can be performed properly only when AVP parameter encryption is enabled on both the L2TP client and the L2TP server.
  By default, AVP parameters are not encrypted.

TCP-MSS (bytes)
  Maximum length of TCP packets on an interface.
  The default value is 1460 bytes.

MTU (bytes)
  Maximum transmission unit (MTU) of an interface.
  The default MTU of an interface is 1500 bytes.


Table 2 Parameters in the client list

Connection Status
  Whether the L2TP tunnel between the L2TP client and the L2TP server is set up.

Server Address
  IP address of the L2TP server.

Client IP Address
  IP address of an L2TP client.

Password
  User name of an L2TP client.


Modifying an L2TP client

1. Choose VPN > L2TP VPN > L2TP Client.

2. In the Client List area, select an L2TP client, and click Disable Auto Dialing. The L2TP client goes to the Down state.

3. Click Modify L2TP on the right.

4. In the Modify L2TP Client dialog box, set parameters listed in Table 1.

Figure 2 Modify L2TP Client

5. Click OK to make the settings take effect.


Deleting an L2TP client

1. Choose VPN > L2TP VPN > L2TP Client.

2. In the Client List area, select an L2TP client, and click Disable Auto Dialing. The L2TP client goes to the Down state.

3. Click Delete.

4. In the dialog box that is displayed, click OK.

After these steps, the deleted L2TP client is no longer displayed in the Client List area.


This article covered the L2TP server and the L2TP client. Once L2TP VPN is configured on a Huawei AR series router, staff can work from any location without being tied to the office network.