Configuration of the NAS-Initialized VPN on the USG2000 and USG5000

The method used to configure the NAS-Initialized VPN (local authentication) on the USG2000 and USG5000 is as follows:
The PC is connected to the LAC by means of PPP dialup. The LAC and LNS communicate over a tunnel on a WAN. The user accesses the network using the domain name. The user name and password are authenticated on the LAC and LNS in local authentication mode.
1. Configure the LAC.
a. Create the virtual interface template and bind it to the interface.
<LAC> system-view
[LAC] interface Virtual-Template 1
[LAC-Virtual-Template1] ppp authentication-mode chap
[LAC-Virtual-Template1] quit
[LAC] interface GigabitEthernet 0/0/1
[LAC-GigabitEthernet0/0/1] pppoe-server bind virtual-template 1
[LAC-GigabitEthernet0/0/1] quit
b. Enable L2TP.
[LAC] l2tp enable
c. Create and configure the L2TP group.
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 202.38.163.1 domain domain1.com
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher Password1
[LAC-l2tp1] quit
d. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
e. Set the user name and password (consistent with those configured on the user side).
[LAC] aaa
[LAC-aaa] local-user vpdnuser@domain1.com password cipher Hello123
f. Configure the domain accessed by the user.
[LAC-aaa] domain domain1.com
2. Configure the LNS.
a. Create virtual template Virtual-Template 1 and configure the related information.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
d. Configure forcible CHAP verification on the local end.
[LNS-l2tp1] mandatory-chap
[LNS-l2tp1] quit
e. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
f. Set the user name and password (consistent with those configured on the LAC).
[LNS] aaa
[LNS-aaa] local-user vpdnuser@domain1.com password cipher Hello123
g. Configure the domain name accessed by the user.
[LNS-aaa] domain domain1.com
h. Configure the address pool allocated to the user.
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
Note:
Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop address set to 192.168.1.1.
i. Allocate an address from the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
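Several settings in the two transcripts above must agree for the tunnel to come up and stay authenticated: the tunnel password and domain suffix separator on both ends, the domain named in the LAC's start l2tp command and the domains defined under aaa, the LAC tunnel name referenced by the LNS allow l2tp command, the local-user credentials, CHAP on both virtual templates plus mandatory-chap on the LNS, and an address pool that lies inside the LNS virtual-template subnet. The script below is an added example, not a Huawei tool: it parses constructed copies of the relevant commands from the procedure (the prompt and command syntax are taken from the page; the check names and messages are this example's own) and reports any setting that is missing or that differs between the LAC and the LNS, so a reviewer can verify a saved configuration pair before deploying it.

```python
"""Consistency check for a NAS-initialized L2TP LAC/LNS pair (added example, not a Huawei tool)."""
import ipaddress
import re

# Constructed copies of the relevant LAC and LNS commands from the procedure above.
LAC_CONFIG = """\
[LAC-Virtual-Template1] ppp authentication-mode chap
[LAC] l2tp enable
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 202.38.163.1 domain domain1.com
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher Password1
[LAC] l2tp domain suffix-separator @
[LAC-aaa] local-user vpdnuser@domain1.com password cipher Hello123
[LAC-aaa] domain domain1.com
"""
LNS_CONFIG = """\
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS] l2tp enable
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
[LNS-l2tp1] mandatory-chap
[LNS] l2tp domain suffix-separator @
[LNS-aaa] local-user vpdnuser@domain1.com password cipher Hello123
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
[LNS-Virtual-Template1] remote address pool 1
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips the "[LNS-l2tp1] " view prompt
FLAGS = {"l2tp_enabled": r"^l2tp enable$", "tunnel_auth": r"^tunnel authentication$",
         "mandatory_chap": r"^mandatory-chap$"}
VALUES = {"tunnel_name": r"^tunnel name (\S+)$",
          "tunnel_password": r"^tunnel password cipher (\S+)$",
          "start_l2tp": r"^start l2tp ip (\S+) domain (\S+)$",
          "allow_remote": r"^allow l2tp virtual-template (\d+) remote (\S+)$",
          "suffix_separator": r"^l2tp domain suffix-separator (\S)$",
          "vt_address": r"^ip address (\S+) (\S+)$",
          "remote_pool": r"^remote address pool (\d+)$"}
MULTI = {"ppp_auth": r"^ppp authentication-mode (\S+)$",
         "local_users": r"^local-user (\S+) password cipher (\S+)$",
         "domains": r"^domain (\S+)$", "ip_pools": r"^ip pool (\d+) (\S+) (\S+)$"}

def parse_config(text):
    """Reduce a CLI transcript to the settings that matter for the tunnel."""
    cfg = {k: False for k in FLAGS}
    cfg.update({"ppp_auth": set(), "domains": set(), "local_users": {}, "ip_pools": {}})
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        for key, rx in FLAGS.items():
            if re.match(rx, line):
                cfg[key] = True
        for key, rx in VALUES.items():
            m = re.match(rx, line)
            if m:  # single-group commands store a string, multi-group ones a tuple
                cfg[key] = m.group(1) if m.lastindex == 1 else m.groups()
        for key, rx in MULTI.items():
            m = re.match(rx, line)
            if m and isinstance(cfg[key], set):
                cfg[key].add(m.group(1))
            elif m:
                cfg[key][m.group(1)] = m.groups()[1:] if key == "ip_pools" else m.group(2)
    return cfg

def check_pair(lac, lns):
    """Return findings for a LAC/LNS pair; an empty list means the two ends agree."""
    out = []
    for side, cfg in (("LAC", lac), ("LNS", lns)):
        if not cfg["l2tp_enabled"]:
            out.append(f"{side}: l2tp enable is missing")
        if not cfg["tunnel_auth"]:
            out.append(f"{side}: tunnel authentication is not enabled")
        if "chap" not in cfg["ppp_auth"]:
            out.append(f"{side}: ppp authentication-mode chap is not set")
    if not lns["mandatory_chap"]:
        out.append("LNS: mandatory-chap is not set")
    for key in ("tunnel_password", "suffix_separator"):
        if lac.get(key) != lns.get(key):
            out.append(f"{key} differs between LAC and LNS")
    domain = (lac.get("start_l2tp") or (None, None))[1]
    if domain not in lac["domains"] or domain not in lns["domains"]:
        out.append(f"domain {domain} from 'start l2tp' is not defined under aaa on both ends")
    if (lns.get("allow_remote") or (None, None))[1] != lac.get("tunnel_name"):
        out.append("LNS 'allow l2tp ... remote' does not match the LAC tunnel name")
    for user, pw in lac["local_users"].items():
        if lns["local_users"].get(user) != pw:
            out.append(f"local-user {user} is missing or has a different password on the LNS")
    # The pool handed to dial-in users must sit inside the LNS virtual-template subnet.
    pool, vt = lns["ip_pools"].get(lns.get("remote_pool")), lns.get("vt_address")
    if not pool or not vt:
        out.append("LNS: remote address pool or virtual-template address is missing")
    else:
        net = ipaddress.ip_network(f"{vt[0]}/{vt[1]}", strict=False)
        if not all(ipaddress.ip_address(a) in net for a in pool):
            out.append(f"LNS: pool {pool[0]}-{pool[1]} lies outside {net}")
    return out

if __name__ == "__main__":
    for line in check_pair(parse_config(LAC_CONFIG), parse_config(LNS_CONFIG)) or ["OK"]:
        print(line)
```

Run as-is it prints OK for the pair shown on this page; paste the two devices' display current-configuration output into LAC_CONFIG and LNS_CONFIG to check a real pair, and every mismatch (a tunnel password changed on one side, tunnel authentication or mandatory-chap dropped, a pool moved off the virtual-template subnet) comes back as a one-line finding.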
