Method used to configure the L2TP VPN in transparent mode on the USG6000

In transparent mode, the USG6000 uses the IP address of the VLANIF interface as the LNS server address. The NAT server is configured on the access device, and the IP address of the VLANIF interface is provided to users as a public IP address.
Configure the LNS as follows:
1. Configure the VLAN and VLANIF interface.
a. Create a VLAN with ID 10.
[LNS] vlan 10
[LNS-vlan10] quit
b. Add interfaces GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to VLAN 10.
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] portswitch
[LNS-GigabitEthernet0/0/1] port access vlan 10
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/2
[LNS-GigabitEthernet0/0/2] portswitch
[LNS-GigabitEthernet0/0/2] port access vlan 10
[LNS-GigabitEthernet0/0/2] quit
c. Create a VLANIF interface and configure an IP address.
[LNS] interface vlanif 10
[LNS-Vlanif10] ip address 10.2.1.3 255.255.255.0
[LNS-Vlanif10] quit
2. Configure a static route.
a. Configure a default route for the LNS, with the next hop address being the IP address of the access device interface that is directly connected to the LNS.
[LNS] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
b. Configure a route to the server network segment on the HQ intranet, with the next hop being the IP address of the VLANIF interface of the intranet L3 switch in the VLAN that contains the switch interface directly connected to the LNS.
[LNS] ip route-static 10.4.1.0 255.255.255.0 10.2.1.2
3. Configure L2TP.
a. Configure the local user and password.
[LNS] aaa
[LNS-aaa] local-user vpnuser@domain1.com password cipher Vpnuser@123
b. Configure the IP address pool and allocate an intranet IP address to the VPN user.
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 10.3.1.2 10.3.1.254
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
c. Enable L2TP.
[LNS] l2tp enable
d. Configure the domain name suffix separator. When a user name that contains a domain name requires a separator, only @ is supported.
[LNS] l2tp domain suffix-separator @
e. Create the virtual interface template and configure the related parameters, including the IP address, PPP authentication mode, and address pool binding.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 10.3.1.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
f. Create an L2TP group and configure the related parameters, including the local end name of the tunnel, bound virtual interface template, and password used for L2TP tunnel verification.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name headquarter
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel password cipher Tunnel@123
[LNS-l2tp1] quit
4. Add the interface to the security zone and configure the inter-zone packet filter.
Note:
The Virtual-Template interface can be added to any security zone. If the Virtual-Template interface and the interface connecting the HQ LNS to the L3 switch reside in different security zones, packet filter must be configured between those two security zones so that dial-up users can access resources on the HQ intranet. Packet filter between the Local security zone and the security zone where the interface connecting the LNS to the access device resides (here, the Untrust security zone where GigabitEthernet 0/0/1 resides) must be enabled so that tunnel negotiation requests initiated by the LAC are accepted.
a. Add the interface to the security zone.
[LNS] firewall zone trust
[LNS-zone-trust] add interface Vlanif10
[LNS-zone-trust] add interface Virtual-Template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] firewall zone dmz
[LNS-zone-dmz] add interface GigabitEthernet 0/0/2
[LNS-zone-dmz] quit
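The steps above depend on a few invariants that are easy to break when the addresses are adapted to another site: in transparent mode both static next hops must sit on the VLANIF subnet, the address pool must lie inside the Virtual-Template subnet without including the template's own address, and the zone membership decides which inter-zone packet filters are needed. The following Python script is an added example, not part of the Huawei documentation, that parses the command set from this procedure (embedded here as a constructed sample) and checks those invariants. It assumes the interface names used on this page (Vlanif10, Virtual-Template 1, GigabitEthernet 0/0/1) and understands only the command forms shown above.

```python
import ipaddress
import re

# Constructed sample: the LNS commands from the procedure above, prompts included.
LNS_CONFIG = """
[LNS] interface vlanif 10
[LNS-Vlanif10] ip address 10.2.1.3 255.255.255.0
[LNS-Vlanif10] quit
[LNS] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
[LNS] ip route-static 10.4.1.0 255.255.255.0 10.2.1.2
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 10.3.1.2 10.3.1.254
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 10.3.1.1 255.255.255.0
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
[LNS] firewall zone trust
[LNS-zone-trust] add interface Vlanif10
[LNS-zone-trust] add interface Virtual-Template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
"""

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_config(text):
    """Walk the CLI prompts and collect the facts the checks need.
    Interface names are normalised to lower case without spaces, so
    'Virtual-Template 1' (zone view) and 'Virtual-Template1' (prompt) match."""
    facts = {"iface_ip": {}, "routes": [], "pools": {}, "vt_pool": {}, "zones": {}}
    for raw in text.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        view, cmd = m.group("view"), m.group("cmd").split()
        iface = view[len("LNS-"):].lower()          # e.g. vlanif10
        if cmd[:2] == ["ip", "address"] and view != "LNS":
            facts["iface_ip"][iface] = ipaddress.ip_interface(f"{cmd[2]}/{cmd[3]}")
        elif cmd[:2] == ["ip", "route-static"]:
            dst = ipaddress.ip_network(f"{cmd[2]}/{cmd[3]}", strict=False)
            facts["routes"].append((dst, ipaddress.ip_address(cmd[4])))
        elif cmd[:2] == ["ip", "pool"]:
            facts["pools"][cmd[2]] = (ipaddress.ip_address(cmd[3]), ipaddress.ip_address(cmd[4]))
        elif cmd[:3] == ["remote", "address", "pool"]:
            facts["vt_pool"][iface] = cmd[3]
        elif cmd[:2] == ["add", "interface"]:
            zone = view[len("LNS-zone-"):].lower()
            facts["zones"]["".join(cmd[2:]).lower()] = zone
    return facts


def check_config(facts, vlanif="vlanif10"):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    lan = facts["iface_ip"].get(vlanif)
    # 1. Transparent mode: every static next hop must be reachable on the VLANIF subnet.
    for dst, nh in facts["routes"]:
        if lan is None or nh not in lan.network:
            findings.append(f"next hop {nh} for {dst} is not on the VLANIF subnet")
    # 2. The pool bound to a Virtual-Template must lie inside the template's
    #    subnet and must not hand out the template's own address.
    for vt, pool_id in facts["vt_pool"].items():
        vt_ip = facts["iface_ip"].get(vt)
        pool = facts["pools"].get(pool_id)
        if vt_ip is None or pool is None:
            findings.append(f"{vt}: missing ip address or pool {pool_id}")
            continue
        lo, hi = pool
        if lo not in vt_ip.network or hi not in vt_ip.network:
            findings.append(f"pool {pool_id} {lo}-{hi} is outside {vt_ip.network}")
        if lo <= vt_ip.ip <= hi:
            findings.append(f"pool {pool_id} includes the template address {vt_ip.ip}")
    return findings


def packet_filter_pairs(facts, lac_facing="gigabitethernet0/0/1",
                        vt="virtual-template1", intranet="vlanif10"):
    """Zone pairs that need an inter-zone packet filter, per the note in step 4:
    LAC-facing zone <-> Local for tunnel negotiation, and Virtual-Template zone
    <-> intranet zone only when the two differ."""
    pairs = {(facts["zones"][lac_facing], "local")}
    if facts["zones"][vt] != facts["zones"][intranet]:
        pairs.add((facts["zones"][vt], facts["zones"][intranet]))
    return sorted(pairs)


if __name__ == "__main__":
    facts = parse_config(LNS_CONFIG)
    print("findings:", check_config(facts) or "none")
    print("packet filter needed between:", packet_filter_pairs(facts))
```

Run against the page's addresses the script reports no findings and a single required packet filter pair, untrust to local, because Vlanif10 and Virtual-Template 1 share the Trust zone. Moving the pool to a different subnet or pointing a static route at a next hop outside 10.2.1.0/24 produces a finding before the change reaches the device.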
