3Com Router User Manual
Basic Configuration at LAC

Table 666 Create/Delete a L2TP Group

  Operation              Command
  Create a L2TP group    l2tp-group group-number
  Delete a L2TP group    undo l2tp-group group-number

Originate L2TP Connection Request and Configure LNS Address

After a dial-up user passes VPN authentication, the LAC sends the tunnel-creation request to a designated LNS. Besides the IP address of the LNS, this configuration selects which of three triggering conditions the LAC uses to recognize a dial-up user as a VPN user: the full user name (fullusername), a particular domain (domain), or the called number (dnis). Up to 5 LNSs can be configured; they are tried in the order in which their addresses are configured.

Perform the following configurations in L2TP group view.

Table 667 Originate L2TP Connection Request and LNS Address

  Operation                                                            Command
  Set the triggering condition that identifies a VPN user and the IP   start l2tp { ip ip-address [ ip ip-address ... ] } { domain domain-name | dnis dialed-number | fullusername user-name }
  address(es) of the corresponding LNS
  Remove the connection request configuration                          undo start l2tp [ ip ip-address ]

There is no default value; one triggering condition must be configured.

Configure AAA and Local Users

When AAA at the LAC uses the local mode (authenticating locally), the local user name and password must be configured at the LAC. The LAC compares the remote dial-in user name and password with the locally registered ones to decide whether the user is a legal VPN user. Only after the user passes this authentication is the tunnel-establishment request processed; otherwise the user is directed to services other than VPN.

The local user name that must be registered depends on the triggering condition in use:
■ With authentication based on a particular domain (domain), the local user name and password configured are the VPN user's domain name and the user's password.
■ With authentication based on the full user name (fullusername), the local user name and password configured are the registered full user name and the user's password.

Perform the ppp authentication-mode configuration in interface view and the other configurations in system view.
CHAPTER 43: CONFIGURING L2TP

Table 668 Configure AAA and Local Users

  Operation                                                 Command
  Enable AAA                                                aaa-enable
  Configure the authentication method list for PPP users   aaa authentication-scheme ppp { default | list-name } { method1 } [ method2 ... ]
  Specify the accounting scheme                             aaa accounting-scheme optional
  Configure PPP user authentication                         ppp authentication-mode { pap | chap }
  Set a user name and password                              local-user username password { simple | cipher } password
  Remove a user name and password                           undo local-user username

By default, no local user name and password are configured.

Because the AAA attributes of L2TP are not standard attributes of the RADIUS protocol, the L2TP attribute definitions below must be added to the attribute dictionary of the RADIUS server.

Table 669 L2TP Attribute Table

  Attribute value   Name                   Description
  100               Tunnel-Type            Tunnel type (L2TP=1)
  101               L2TP-Tunnel-Password   L2TP tunnel password
  102               Local-Name             Local name of tunnel
  103               LNS-IP-Address         IP address of LNS
  104               Tunnel-Medium-Type     Medium type of the tunnel (IP=1)
  105               L2TP group Number      L2TP group number

Note that these numbers lie in the standard RADIUS attribute space rather than under a vendor-specific attribute, and later RFCs assigned 100 to 105 to other attributes (for example 101 is Error-Cause in RFC 3576). A RADIUS server whose dictionary already defines those numbers will misinterpret them unless the L2TP definitions above take precedence for this client.

Basic Configuration at LNS

Basic configuration at the LNS side includes:
■ Enable L2TP
■ Create a L2TP group
■ Create a virtual template
■ Configure the name of the receiving end of the tunnel
■ Configure the local VPN user

Enable L2TP

L2TP on a router works only after it is enabled. While it is disabled, the router provides no L2TP function even if the L2TP parameters are configured. Perform the following configurations in system view.

Table 670 Enable/Disable L2TP

  Operation      Command
  Enable L2TP    l2tp enable
  Disable L2TP   undo l2tp enable

By default, L2TP is disabled.
Create an L2TP Group

To configure the L2TP parameters, an L2TP group must first be created. The L2TP group is used to configure the L2TP functions on the router and supports one-to-one, one-to-many, many-to-one and many-to-many connections between LAC and LNS. L2TP groups are numbered independently on the LAC and the LNS; only the corresponding configurations of the LAC group and the LNS group need to match (for example, the peer tunnel name, and the LNS address used when originating an L2TP connection request). After an L2TP group is created, the other configurations of this group, such as the local name and the LNS address to which connection requests are sent, are performed in L2TP group view. L2TP group 1 is the default L2TP group. Perform the following configurations in system view.

Table 671 Create/Delete L2TP Group

  Operation              Command
  Create a L2TP group    l2tp-group group-number
  Delete a L2TP group    undo l2tp-group group-number

Create a Virtual Template

A virtual template configures the working parameters of the virtual interfaces that the router creates dynamically during operation, such as MP-bundle logical interfaces and L2TP logical interfaces. Perform the following configurations in system view.

Table 672 Create/Delete a Virtual Template

  Operation                   Command
  Create a virtual template   interface virtual-template virtual-template-number
  Delete a virtual template   undo interface virtual-template virtual-template-number

At present, the virtual template in an L2TP application supports only one peer and does not support IP unnumbered: the virtual template must be configured with its own IP address. Dial-up users should only be assigned IP addresses dynamically by the LNS through negotiation, not be configured with fixed addresses. When the ip pool command is used to configure the addresses allocated to the peer, make sure that the virtual template address and the address pool are on the same network segment.

Configure the Name of the Receiving End of the Tunnel

The LNS can accept tunnel-establishment requests from different LACs on different virtual templates. When such a request arrives, the LNS first checks whether the name of the LAC matches the name of the legal remote end of the tunnel, and only then decides whether the tunnel is created. Perform the following configurations in L2TP group view.
Table 673 Configure the Name of the Receiving End of the Tunnel

  Operation                                            Command
  Set the name of the receiving end of the tunnel      allow l2tp virtual-template virtual-template-number [ remote remote-name ]
  Remove the name of the receiving end of the tunnel   undo allow

When the L2TP group number is 1 (the default L2TP group number), remote-name need not be specified. If a remote name is nevertheless specified in the view of L2TP group 1, group 1 no longer acts as the default L2TP group. Only L2TP group 1 can be the default group. Without a remote name, group 1 does not restrict which LAC name may request a tunnel, so tunnel authentication is then the only check made on the peer.

The start l2tp command and the allow l2tp command are mutually exclusive: once one is configured, the other automatically becomes invalid. An L2TP group cannot serve as LAC and LNS at the same time. By default, receiving dial-in from a LAC is disabled.

Configure the Local VPN User

With the "fullusername@domain" and password form, the LAC passes the information entered by the VPN user to the LNS for authentication. The LNS performs local authentication first and then RADIUS authentication to verify that the user is a legal VPN user; the RADIUS step is skipped once the user has passed local authentication. After authentication at the LNS, the VPN user can access internal resources. Perform the ppp authentication-mode configuration in interface view and the other configurations in system view.

Table 674 Configure Local VPN Users

  Operation                                                 Command
  Enable AAA                                                aaa-enable
  Configure the authentication method list for PPP users   aaa authentication-scheme ppp { default | list-name } { method1 } [ method2 ... ]
  Specify the accounting scheme                             aaa accounting-scheme optional
  Configure PPP user authentication                         ppp authentication-mode { pap | chap }
  Set a user name and password                              local-user username password { simple | cipher } password

At the LNS, the configured local user name takes the form "fullusername@domain".

Advanced Configuration at LAC or LNS

Advanced configurations at the LAC side include:
■ Configure the local name
■ Enable tunnel authentication and set the password
■ Configure the interval for sending Hello messages
■ Configure to disconnect the tunnel by force
■ Configure the receiving window size for flow control over the tunnel
■ Enable/Disable hiding AV pairs
■ Configure the maximum number of L2TP sessions
■ Configure the domain delimiter and searching order

Advanced configurations at the LNS side include:
■ Configure the local name
■ Enable tunnel authentication and set the password
■ Configure the interval for sending Hello messages
■ Configure to disconnect the tunnel by force
■ Configure the receiving window size for flow control over the tunnel
■ Enable/Disable hiding AV pairs
■ Configure the maximum number of L2TP sessions
■ Configure to force the local end to perform CHAP authentication
■ Configure to force the LCP to renegotiate
■ Configure the local address and address pool

Configure the Local Name

This configuration applies to both LAC and LNS. The local tunnel name can be configured at both ends. The tunnel name at the LAC must match the name of the receiving end of the tunnel configured at the LNS. Perform the following configurations in L2TP group view.

Table 675 Set Local Name

  Operation                        Command
  Set the local name               tunnel name name
  Restore the default local name   undo tunnel name

By default, the local name is the host name of the router. The tunnel name configured with the tunnel name command at the LAC must be identical to the remote receiving tunnel name configured with the allow l2tp command at the LNS.
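The following is an added worked example, not taken from the manual, that puts the basic LAC and LNS steps of this chapter together into one matching pair of configurations, with the tunnel name and password set so that the two ends actually pair. Only commands listed in the tables of this chapter are used, with these assumptions: the authentication method name local, the ip pool command syntax, and the name of the LAC's dial-in interface are not shown in this chapter and are assumed; the host names, addresses, user name and passwords are constructed values. Lines beginning with # are annotations, not commands, and indentation marks the commands entered inside a view.

```text
# ---- LAC (host name assumed to be "lac1") ----
# system view
l2tp enable
aaa-enable
# "local" as the method name is an assumption (the chapter shows only the
# method placeholder and "none"); it selects local authentication
aaa authentication-scheme ppp default local
aaa accounting-scheme optional
# fullusername trigger: the local user is the registered full user name
local-user vpdnuser@3Com.com password cipher UserSecret
# interface view on the dial-in interface (interface name not shown here)
#   ppp authentication-mode chap
# L2TP group view; the tunnel name must equal the "remote" name at the LNS
l2tp-group 1
 tunnel name lac1
 tunnel authentication
 tunnel password cipher TunnelSecret2024
 start l2tp ip 10.0.0.2 fullusername vpdnuser@3Com.com

# ---- LNS (host name assumed to be "lns1"), reachable at 10.0.0.2 ----
# system view
l2tp enable
aaa-enable
aaa authentication-scheme ppp default local
aaa accounting-scheme optional
# the LNS local user takes the fullusername@domain form
local-user vpdnuser@3Com.com password cipher UserSecret
# ip pool syntax is an assumption; the pool must share the virtual
# template's segment (192.168.10.0/24 here)
ip pool 1 192.168.10.2 192.168.10.100
# virtual template interface view: own address, CHAP, dynamic addresses
interface virtual-template 1
 ip address 192.168.10.1 255.255.255.0
 ppp authentication-mode chap
 remote address pool 1
# L2TP group view; "remote lac1" restricts this template to that LAC name
# (in group 1 it also means group 1 is no longer the default group)
l2tp-group 1
 tunnel name lns1
 tunnel authentication
 tunnel password cipher TunnelSecret2024
 allow l2tp virtual-template 1 remote lac1
```

Checks worth making before bringing the pair up: the LAC's tunnel name and the LNS's remote name are the same string; the tunnel passwords are identical on both sides (the default, the host name, is not used here); the LAC's start l2tp trigger names the same full user name as the local-user entries; and the virtual template address and the pool are on one segment. The same L2TP group carries start l2tp on the LAC and allow l2tp on the LNS, never both on one router.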
■ LAC and LNS authenticate each other.

Either the LAC or the LNS can originate a tunnel authentication request. If tunnel authentication is enabled on one side, the tunnel can be established only when the passwords at both ends of the tunnel are exactly the same. If tunnel authentication is disabled on both ends, whether the passwords match makes no difference. Perform the following configurations in L2TP group view.

Table 676 Set Tunnel Authentication and Password

  Operation                                   Command
  Enable tunnel authentication                tunnel authentication
  Disable tunnel authentication               undo tunnel authentication
  Set the tunnel authentication password      tunnel password { simple | cipher } password
  Remove the tunnel authentication password   undo tunnel password

Tunnel authentication is enabled by default. If no tunnel authentication password is configured, the host name of the router is used as the tunnel authentication password. A host name is not a secret (it is easily learned or guessed), so do not rely on that default: keep tunnel authentication enabled, configure the tunnel password explicitly after enabling authentication, and make sure the password at the LAC is the same as that at the LNS.

Configure the Interval for Sending Hello Messages

This configuration applies to LAC and LNS. To detect the connectivity of the tunnel between LAC and LNS, both ends periodically send Hello messages to the peer, which responds on receipt. If the LAC or LNS receives no Hello response within the configured interval, the Hello message is sent again. If no response is received after three Hello messages, the local end assumes the L2TP tunnel has been disconnected; a new tunnel must then be established to restore connectivity between the LAC and LNS. Perform the following configurations in L2TP group view.

Table 677 Set the Interval for Sending Hello Message

  Operation                                           Command
  Set the interval for sending tunnel Hello packets   tunnel timer hello hello-interval
  Restore the default interval                        undo tunnel timer hello
By default, the interval for sending the tunnel Hello message is 60 seconds. If this configuration is not made, the LAC or LNS uses the default value as the interval for sending Hello messages to the peer.

Configure Domain Delimiter and Searching Order

This configuration applies to the LAC only. When many users dial in using domain names, searching the users in sequence is time-consuming, so it is recommended to set searching policies (prefix and suffix delimiters) at the LAC to speed up the search. Delimiters are either prefix or suffix delimiters and may be @, #, & or /. A user name with a prefix delimiter looks like "3Com.com#vpdnuser"; the same user with a suffix delimiter looks like "vpdnuser@3Com.com". Splitting the user name at the prefix/suffix delimiter according to the defined rules greatly speeds up the search. In domain name mode, four searching rules are available once the prefix/suffix delimiter is set:
■ dnis-domain (search by dialed number first, then by domain name)
■ dnis (search by dialed number only)
■ domain-dnis (search by domain name first, then by dialed number)
■ domain (search by domain name only)

Perform the following configurations in system view.

Table 678 Set Domain Name Delimiter and Searching Order

  Operation                          Command
  Set the prefix/suffix delimiter    l2tp domain { prefix-separator | suffix-separator } delimiters
  Delete the prefix/suffix delimiter   undo l2tp domain { prefix-separator | suffix-separator } delimiters
  Set the searching order            l2tp match-order { dnis-domain | dnis | domain-dnis | domain }
  Restore the default searching order   undo l2tp match-order

The l2tp match-order command only configures the order in which the dialed number and the domain name are searched. In an actual search, the full user name is always searched first, and only then the order configured by this command. By default, the dialed number is searched before the domain name.

Disconnect Tunnel by Force

This configuration applies to LAC and LNS. When the number of users drops to 0, a fault occurs on the network, or the administrator deliberately disconnects the tunnel, the tunnel is cleared. Either the LAC or the LNS can originate the clearing request. The end receiving the request must transmit an acknowledgement (ACK) and wait for some time before clearing the tunnel, so that a request retransmitted by the peer can still be received if the ACK is lost. After the tunnel is disconnected by force, all control connections and session connections on the tunnel are cleared as well. After tunnel disconnection, a new tunnel is established when new users dial in. Perform the following configuration in system view.

Table 679 Force to Disconnect Tunnel

  Operation                       Command
  Force to disconnect the tunnel   reset l2tp tunnel remote-name

Configure to Force the Local End to Implement CHAP Authentication

This configuration applies to the LNS only. After the LAC performs proxy authentication for dial-up users, the LNS can authenticate these users again. The users are then authenticated twice, first at the LAC and then at the LNS, and the L2TP tunnel is established only after both authentications pass. In actual L2TP application there are three methods of authentication: proxy authentication, forced CHAP authentication and LCP renegotiation.
■ LCP renegotiation has the highest priority of the three: if LCP renegotiation and forced CHAP authentication are both configured at the LNS, L2TP performs LCP renegotiation first and then uses the authentication method configured on the corresponding virtual template.
■ If only forced CHAP authentication is configured, the LNS authenticates users by CHAP. Forced local CHAP authentication takes effect only after the user name, password and authentication mode are configured at the LNS and the AAA function is enabled.
■ If neither LCP renegotiation nor forced CHAP authentication is configured, the LNS performs proxy authentication for the users. In this case the LAC passes to the LNS all the authentication information received from the user together with the information configured at the LAC itself, and the LNS authenticates the user according to that information and the LAC's authentication mode. With proxy authentication at the LNS, if the LAC is configured with PAP while the virtual interface template at the LNS is configured with CHAP (a stronger mode than PAP), authentication always fails and no session can be created.

If aaa authentication-scheme ppp default none is configured at the LAC, AAA authentication is not performed at the LAC, whether PAP or CHAP is the authentication mode there. However, once the authentication mode is conveyed to the LNS, the LNS still authenticates the user, whether or not the LNS is configured with the aaa-enable command. Perform the following configurations in L2TP group view.
Table 680 Force Local End to Perform CHAP Authentication

  Operation                                              Command
  Force the local end to perform CHAP authentication     mandatory-chap
  Remove the local CHAP authentication                   undo mandatory-chap

By default, local CHAP authentication is not performed.

Configure to Force the LCP to Renegotiate

This configuration applies to the LNS only. For a NAS-originated VPN service request, the user first performs PPP negotiation with the NAS at the start of the PPP session. If the negotiation succeeds, the NAS initiates the L2TP tunnel connection and passes the user information to the LNS, which checks the user against the received proxy authentication information. In some cases (for example, when authentication and accounting must be performed at the LNS), LCP renegotiation between the LNS and the user is forced, and the proxy authentication information from the NAS is then ignored. Perform the following configurations in L2TP group view.

Table 681 Force LCP to Renegotiate

  Operation                   Command
  Force LCP to renegotiate    mandatory-lcp
  Disable LCP renegotiation   undo mandatory-lcp

By default, LCP does not renegotiate. Note that after LCP renegotiation is enabled, the LNS does not re-authenticate users unless authentication is configured on the virtual template; without it, users are authenticated only once, at the LAC.

Configure the Local Address and Address Pool

This configuration applies to the LNS only. After the L2TP tunnel between LAC and LNS is established, the LNS allocates IP addresses from an address pool to the VPN users. Before an address pool can be selected here, it must be created with the ip pool command in system view. Perform the following configurations in virtual template interface view.

Table 682 Set the Local Address and the Address Pool

  Operation                     Command
  Set the local IP address      ip address ip-address netmask [ sub ]
  Remove the local IP address   undo ip address [ ip-address netmask [ sub ] ]
  Specify the address pool      remote address { ip-address | pool [ pool-number ] }
  Delete the address pool       undo remote address
By default, address pool 0 (the default pool) is used to allocate addresses to the peer. When specifying the pool from which user addresses are allocated, the default pool is used if no pool-number is given after the keyword pool.

Configure the Receiving Window Size for Controlling Flow over Tunnel

This configuration applies to LAC and LNS. L2TP has a simple flow control function: the user can specify the size of the receiving window used for flow control over the tunnel. Perform the following configurations in L2TP group view.

Table 683 Set the Size of Receiving Window for Controlling Flow Over Tunnel

  Operation                                                          Command
  Set the receiving window size for flow control over the tunnel     tunnel flow-control receive-window size
  Restore the default receiving window size                          undo tunnel flow-control receive-window

By default, the receiving window size for flow control over the tunnel is 0 (no flow control).

Enable/Disable Hiding Attribute Value Pairs (AV pairs)

This configuration is used at both the LAC and the LNS. L2TP supports hiding AV pairs, which is useful when PAP or proxy authentication is used between LAC and LNS, because the user name and password carried in the AV pairs during proxy authentication would otherwise be transmitted in plaintext. AV pair hiding is only meaningful after tunnel authentication and a tunnel password have been configured, since the hiding algorithm is keyed on the tunnel password. Once hiding is enabled, the L2TP hiding algorithm is applied so that these credentials are obscured inside the AV pairs. Hiding is the MD5-based construction defined by L2TP, not an encrypted transport: it protects the proxy-authentication credentials only as well as the tunnel password is kept secret, and the tunnelled PPP payload itself remains in clear. Perform the following configurations in L2TP group view.

Table 684 Enable/Disable Hiding AV Pairs

  Operation                 Command
  Enable hiding AV pairs    tunnel avp-hidden
  Disable hiding AV pairs   undo tunnel avp-hidden

By default, AV pairs are hidden. In practice, enable hiding at the LAC and the LNS together, or disable it at both together.

Configure the Maximum Number of L2TP Sessions

This configuration applies to LAC and LNS. Users can configure the maximum number of sessions at the local end as needed, so as to keep the number of VPN users accessing the network simultaneously within a reasonable range. Thereby, the service quality
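As an added example that is not part of the manual, the fragment below sets the settings from the advanced tables of this chapter that weaken the tunnel beside their corrected form, on one L2TP group at each end, using only commands shown in those tables. The host and tunnel names, addresses, window size, pool number and password are constructed values, and lines beginning with # are annotations rather than commands; indentation marks commands entered inside a view.

```text
# ---- Settings to avoid (each one weakens the tunnel or its users) ----
# LAC, system view: no AAA check at the LAC; the LNS still authenticates,
# but proxy authentication then carries whatever the user sent
aaa authentication-scheme ppp default none
# interface view (dial-in interface at the LAC, virtual template at the
# LNS): PAP sends the user password to the authenticator in clear
ppp authentication-mode pap
# L2TP group view, either end
undo tunnel authentication
undo tunnel avp-hidden
# leaving out "tunnel password": the router host name becomes the password

# ---- Corrected form: LAC ----
# system view: delimiters so "vpdnuser@3Com.com" and "3Com.com#vpdnuser"
# both split into user and domain; full user name is still matched first
l2tp domain suffix-separator @
l2tp domain prefix-separator #
l2tp match-order domain
# L2TP group view
l2tp-group 1
 tunnel authentication
 tunnel password cipher TunnelSecret2024
 tunnel avp-hidden
 tunnel timer hello 60
 tunnel flow-control receive-window 16

# ---- Corrected form: LNS ----
# L2TP group view: same password as the LAC, hiding on at both ends,
# and a second (CHAP) authentication of every user at the LNS
l2tp-group 1
 tunnel authentication
 tunnel password cipher TunnelSecret2024
 tunnel avp-hidden
 tunnel timer hello 60
 tunnel flow-control receive-window 16
 mandatory-chap
# (do not add mandatory-lcp here: it takes priority over mandatory-chap and
#  then authentication depends on what the virtual template configures)
# virtual template interface view: mandatory-chap needs CHAP and AAA here
interface virtual-template 1
 ppp authentication-mode chap
 remote address pool 1

# administrator-initiated teardown, system view at the LNS: the argument is
# the peer's tunnel name; control and session connections are all cleared
reset l2tp tunnel lac1
```

Two points follow from the chapter's own rules: tunnel avp-hidden does nothing useful unless tunnel authentication is on and a tunnel password is set, because the hiding is keyed on that password; and a PAP setting on the LAC combined with CHAP on the LNS virtual template makes proxy authentication fail every time, so with mandatory-chap in place both ends should use CHAP.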