Method used to configure the L2TP user name and password on the USG6000


The L2TP user name and password can be configured as follows:

Configure the L2TP user name and password using the CLI:
1. Set the user name and password (consistent with those set on the LAC), and bind the user to the authentication domain.
a. Configure the authentication domain for the L2TP user.
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
b. Configure the L2TP user.
[LNS] user-manage user vpdnuser domain domain1.com
[LNS-localuser-vpdnuser@domain1.com] password Password1
[LNS-localuser-vpdnuser@domain1.com] quit
2. Enable the L2TP.
[LNS] l2tp enable
3. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
[LNS-l2tp1] quit
4. Configure the address pool allocated to the user.
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit

Configure the L2TP user name and password using the web UI:
1. Configure the L2TP user.
a. Choose Object > User > User/Group.
b. Select the default authentication domain.
c. In Member Management, click New and select New User. Configure parameters as follows:
User name: pc1
Password: Password1
Confirm password: Password1
d. Click OK.
2. Configure the L2TP parameters.
a. Choose Network > L2TP > L2TP.
b. In Configure L2TP, select Enable and click Apply.
c. In L2TP Group List, click New.
d. Set Group Type to LNS.
e. Configure the L2TP parameters.
The server address must be in the same network segment as the addresses in the address pool; this way, no route needs to be configured. Peer Tunnel Name must be consistent with Local Tunnel Name configured on the LAC.
Group Type: LNS
Peer Tunnel Name: LAC
Tunnel Password Authentication: Enable
Password Type: Ciphertext
Tunnel password: Hello123
Confirm Tunnel password: Hello123
User Group: default

Set the user address allocation parameters as follows:
Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
User Address Pool: 10.2.1.2-10.2.1.100
f. Click OK.
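The CLI and web UI procedures above depend on a few details being consistent with each other: L2TP enabled, tunnel authentication enabled with a password, the peer tunnel name matching the Local Tunnel Name on the LAC, the user's domain owning an address pool, and the pool lying in the server address's network segment. The following script is an added example, not Huawei's code or the USG6000's own tooling: it parses CLI lines in the form shown on this page (the sample below is constructed from those steps) and reports any of these mismatches offline, before the configuration is applied. The LAC's Local Tunnel Name and the LNS server address (with prefix length) are assumed inputs.

```python
# Added example (not Huawei's code): an offline consistency check for the
# LNS-side L2TP configuration shown above. It reads CLI lines in the form
# printed on this page and reports mismatches the procedure warns about.
import ipaddress
import re

# Constructed sample: the CLI steps from this page, prompts included.
SAMPLE_CONFIG = """\
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] quit
[LNS] user-manage user vpdnuser domain domain1.com
[LNS-localuser-vpdnuser@domain1.com] password Password1
[LNS] l2tp enable
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips a leading "[LNS-...]" prompt


def parse_lns_config(text):
    """Collect the fields the checks need from the CLI text."""
    cfg = {"l2tp_enabled": False, "tunnel_auth": False, "tunnel_password": None,
           "local_name": None, "remote_name": None, "pools": [], "users": []}
    current_domain = None  # the "domain X" most recently entered under aaa
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line == "l2tp enable":
            cfg["l2tp_enabled"] = True
        elif line == "tunnel authentication":
            cfg["tunnel_auth"] = True
        elif m := re.match(r"tunnel password (?:cipher|simple) (\S+)$", line):
            cfg["tunnel_password"] = m.group(1)
        elif m := re.match(r"tunnel name (\S+)$", line):
            cfg["local_name"] = m.group(1)
        elif m := re.match(r"allow l2tp virtual-template \d+ remote (\S+)$", line):
            cfg["remote_name"] = m.group(1)
        elif m := re.match(r"user-manage user (\S+) domain (\S+)$", line):
            cfg["users"].append((m.group(1), m.group(2)))
        elif m := re.match(r"domain (\S+)$", line):
            current_domain = m.group(1)
        elif m := re.match(r"ip pool \d+ (\S+) (\S+)$", line):
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            cfg["pools"].append((current_domain, lo, hi))
    return cfg


def check_lns_config(cfg, lac_local_tunnel_name, server_address):
    """Return a list of findings (empty when the configuration is consistent).

    lac_local_tunnel_name: Local Tunnel Name set on the LAC (assumed known).
    server_address: LNS address with prefix, e.g. "192.168.0.1/24" (assumed).
    """
    findings = []
    if not cfg["l2tp_enabled"]:
        findings.append("l2tp enable missing: the L2TP configuration does not take effect")
    if not cfg["tunnel_auth"]:
        findings.append("tunnel authentication disabled: the peer tunnel is not authenticated")
    elif not cfg["tunnel_password"]:
        findings.append("tunnel authentication enabled but no tunnel password set")
    if cfg["remote_name"] != lac_local_tunnel_name:
        findings.append(f"remote tunnel name {cfg['remote_name']!r} does not match "
                        f"LAC local tunnel name {lac_local_tunnel_name!r}")
    iface = ipaddress.ip_interface(server_address)
    for _domain, lo, hi in cfg["pools"]:
        if lo not in iface.network or hi not in iface.network:
            findings.append(f"pool {lo}-{hi} lies outside {iface.network}: a route would be required")
        elif lo <= iface.ip <= hi:  # added sanity check: server address must not be handed out to users
            findings.append(f"server address {iface.ip} lies inside the user pool {lo}-{hi}")
    domains_with_pool = {d for d, _, _ in cfg["pools"]}
    for user, domain in cfg["users"]:
        if domain not in domains_with_pool:
            findings.append(f"user {user}@{domain}: domain {domain} has no address pool")
    return findings


if __name__ == "__main__":
    cfg = parse_lns_config(SAMPLE_CONFIG)
    for line in check_lns_config(cfg, "LAC", "192.168.0.1/24") or ["OK: configuration is consistent"]:
        print(line)
```

Run against the page's own values the check is clean; changing the assumed LAC name to anything other than LAC, or the server address to a segment other than the pool's, produces a finding for the matching rule, which is the mismatch that would otherwise only surface as a failed tunnel negotiation.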

Other related questions:
Method used to configure the default L2TP on the USG6000
You can configure the default L2TP on the USG6000 as follows:
1. Enable the L2TP. Note: When the L2TP is disabled, you can still make the related configuration; however, the configuration does not take effect. Choose Network > L2TP > L2TP. In Configure L2TP, select Enable and click Apply. If the system displays information indicating a successful operation, the L2TP is enabled.
2. Click New in L2TP Group List or select the default group. Note: By default, an L2TP group of the LNS type exists. The default group can be modified but not deleted. Groups created by clicking New are not default groups. If you select the default LNS group and do not specify Peer Tunnel Name, the group serves as the default LNS group. During tunnel negotiation, the LNS checks Peer Tunnel Name of each non-default group in the configured sequence and matches it against Local Tunnel Name on the LAC end. If Peer Tunnel Name of an L2TP group matches Local Tunnel Name on the LAC end, that group is used for negotiation and tunnel establishment. If no group's Peer Tunnel Name matches Local Tunnel Name, the default group is used for negotiation. If Peer Tunnel Name is specified for the default group, the default group becomes a non-default group and the LNS then has no default group; in that case, if no group's Peer Tunnel Name matches Local Tunnel Name, the LNS discards the negotiation packet and the tunnel fails to be established.

Whether a user can change the user name and password after L2TP over IPSec dialup on the USG2160
To change the user name and password, log in as the administrator.

Method used to configure the L2TP VPN on the USG6000
The L2TP application scenarios on the USG6000 are as follows:
1. NAS-Initiated VPN: A user accesses the LAC by means of PPPoE dialup, and a tunnel is established between the LAC and the LNS. The LAC sends a tunnel establishment request to the LNS through the Internet, and the LNS allocates an address to the user. The user is authenticated by the proxy on the LAC side, or by both the LAC and the proxy on the LAC side. When all L2TP users are offline, the tunnel is automatically released to save resources, and it is re-established when a user accesses again. This networking is applicable to the following scenario: a branch office user initiates a request to connect to the HQ network, and the branch office user generally does not access the HQ network frequently.
2. LAC autodial: A permanent L2TP session is established between the LAC and the LNS. A client can transmit data over the tunnel by means of an IP connection without PPP dialup. The user can configure the trigger condition for establishing the permanent L2TP session between the LAC and the LNS. The LAC establishes a permanent L2TP tunnel with the LNS using the locally stored user name, and the L2TP tunnel serves as a physical connection. In this way, the connection between the user and the LAC is based on the IP connection instead of the PPP connection, and the LAC can forward the user's IP packets to the LNS.
3. Client-Initiated VPN: A client that supports L2TP dialup can directly initiate a tunnel establishment request to the LNS, bypassing the LAC, and the LNS allocates an address to the user. Since the LNS needs to establish a tunnel for each remote user, the LNS configuration is relatively complex compared with that in the NAS-Initiated VPN scenario. However, user access is not subject to geographical restrictions.
This scenario is applicable to the mobile office. For example, an employee on a business trip can access the HQ server using a PC or mobile phone.

Default administrator account of the USG6000 series
The NGFW provides two default accounts:
- System administrator account: admin/Admin@123. For the first login, you can use this account to log in to the USG6000 through the console port or web UI.
- Auditor account: audit-admin/Admin@123. This account can be used to configure audit policies and view audit logs.

Method used to configure L2TP users logout on the AR
The methods of logging out L2TP users are as follows:
When all users of an L2TP tunnel are to go offline:
1. Run the display l2tp tunnel [ tunnel-item | tunnel-name ] command in any view to check the ID or the remote tunnel name of the tunnel that needs to be disconnected.
2. Run the reset l2tp tunnel { peer-name | } command in the user view to forcibly disconnect the tunnel according to the local tunnel ID or remote tunnel name. As a result, all users on the tunnel go offline.
When a single L2TP user is to go offline:
1. Run the display l2tp session [ destination-ip | session-item | source-ip ] command in any view to check the local session ID that needs to be disconnected, according to the remote IP address.
2. Run the reset l2tp session session-id
