Method used to configure mutual access between remote clients of the L2TP VPN on the USG2000 and USG5000


The method used to configure mutual access between remote clients of the L2TP VPN on the USG2000 and USG5000 is as follows:

Problem description:
Simple networking:
(192.168.10.2) USG2000 (branch network 1) ---- USG5000 (HQ) ---- USG2000 (branch network 2) (192.168.157.1)
The two branch USG2000 devices act as LACs that dial in to the USG5000 at HQ, which acts as the LNS; traffic between the branches is relayed by the LNS.

Expected result: the address 192.168.10.2 in branch network 1 can be pinged from the address 192.168.157.1 in branch network 2.

Implementation flow:
1. The key configuration is as follows:
Branch network 1:
interface Virtual-Template1
ppp authentication-mode chap
ppp chap user trustuser
ppp chap password cipher %$%$W#
ip address 10.12.1.33 255.255.255.0
call-lns local-user trustuser

l2tp-group 1
tunnel password cipher %$%$3"9D>p2p!0JS[T*E/71$]C:1%$%$
tunnel name trust
start l2tp ip 222.240.248.210 fullusername trustuser

ip route-static 192.168.148.0 255.255.255.0 10.12.1.1
ip route-static 192.168.157.0 255.255.255.0 10.12.1.5    (route to branch network 2)
ip route-static 192.168.173.0 255.255.255.0 10.12.1.1
ip route-static 192.168.174.0 255.255.255.0 10.12.1.1

Branch network 2:
interface Virtual-Template1
ppp authentication-mode chap
ppp chap user trustuser
ppp chap password cipher A!!
ip address 10.12.1.5 255.255.255.0
call-lns local-user trustuser

l2tp-group 1
tunnel password cipher -G=,LULZYDWJCK_%%<:`LQ!!
tunnel name trust
start l2tp ip 222.240.248.210 fullusername trustuser

ip route-static 0.0.0.0 0.0.0.0 218.76.73.1
ip route-static 192.168.10.0 255.255.255.0 10.12.1.33    (route to branch network 1)
ip route-static 192.168.148.0 255.255.255.0 10.12.1.1 track ip-link 1

HQ network: No additional route is required.
interface Virtual-Template2
ppp authentication-mode chap
ppp chap user trustuser
ppp chap password cipher A!!
ip address 10.12.1.1 255.255.255.0
remote address pool 2

l2tp-group 2
allow l2tp virtual-template 2 remote trust
tunnel password cipher -G=,LULZYDWJCK_%%<:`LQ!!
tunnel name trustlns
aaa
ip pool 2 10.12.1.60 10.12.1.254
ip route-static 192.168.157.0 255.255.255.0 10.12.1.5 track ip-link 18
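For the ping in the problem description to succeed, the three configurations above have to agree on several points: each branch's Virtual-Template address must lie in the LNS Virtual-Template subnet but outside the LNS address pool, each branch's tunnel name must be one the LNS accepts, each branch needs a static route for the other branch's LAN whose next hop points into the tunnel subnet, and the LNS needs a route back to each branch LAN via that branch's Virtual-Template address. The following Python script is an added example (not Huawei code or USG output): it parses exactly these lines from constructed snippets modelled on the configuration above and reports every condition that fails. The snippet texts, branch labels and check logic are the example's own assumptions.

```python
"""Offline consistency check for a hub-and-spoke L2TP layout.

Added example, not Huawei code. It parses only the lines the mutual-access
design depends on (Virtual-Template address, static routes, tunnel names,
LNS address pool) and lists every condition that would break
branch-to-branch reachability through the LNS.
"""
import ipaddress
import itertools
import re

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
ROUTE_RE = re.compile(r"^\s*ip route-static (\S+) (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^\s*ip pool \d+ (\S+) (\S+)", re.M)
TUNNEL_RE = re.compile(r"^\s*tunnel name (\S+)", re.M)
ALLOW_RE = re.compile(r"^\s*allow l2tp virtual-template \d+ remote (\S+)", re.M)

# Constructed after the page's snippets; only the lines the checks read are kept.
BRANCH1 = """\
interface Virtual-Template1
 ip address 10.12.1.33 255.255.255.0
l2tp-group 1
 tunnel name trust
 start l2tp ip 222.240.248.210 fullusername trustuser
ip route-static 192.168.157.0 255.255.255.0 10.12.1.5
"""
BRANCH2 = """\
interface Virtual-Template1
 ip address 10.12.1.5 255.255.255.0
l2tp-group 1
 tunnel name trust
ip route-static 0.0.0.0 0.0.0.0 218.76.73.1
ip route-static 192.168.10.0 255.255.255.0 10.12.1.33
"""
HQ = """\
interface Virtual-Template2
 ip address 10.12.1.1 255.255.255.0
 remote address pool 2
l2tp-group 2
 allow l2tp virtual-template 2 remote trust
 tunnel name trustlns
aaa
 ip pool 2 10.12.1.60 10.12.1.254
ip route-static 192.168.10.0 255.255.255.0 10.12.1.33
ip route-static 192.168.157.0 255.255.255.0 10.12.1.5 track ip-link 18
"""
BRANCHES = {"branch1": (BRANCH1, "192.168.10.0/24"),
            "branch2": (BRANCH2, "192.168.157.0/24")}


def parse_config(text):
    """Extract the fields the checks need from one device's snippet."""
    vt, pool, name = IP_RE.search(text), POOL_RE.search(text), TUNNEL_RE.search(text)
    return {
        "vt": ipaddress.IPv4Interface(f"{vt.group(1)}/{vt.group(2)}") if vt else None,
        "routes": [(ipaddress.IPv4Network(f"{net}/{mask}"), ipaddress.IPv4Address(nh))
                   for net, mask, nh in ROUTE_RE.findall(text)],
        "pool": tuple(ipaddress.IPv4Address(a) for a in pool.groups()) if pool else None,
        "tunnel_name": name.group(1) if name else None,
        "allow_remote": set(ALLOW_RE.findall(text)),
    }


def next_hop_for(cfg, lan):
    """Next hop of the most specific static route covering lan, or None."""
    hits = [(net, nh) for net, nh in cfg["routes"] if lan.subnet_of(net)]
    return max(hits, key=lambda hit: hit[0].prefixlen)[1] if hits else None


def check_mesh(hub, spokes):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    tunnel_net = hub["vt"].network  # Virtual-Template subnet shared by LNS and all LACs
    for label, (cfg, lan) in spokes.items():
        ip = cfg["vt"].ip
        if cfg["tunnel_name"] not in hub["allow_remote"]:
            findings.append(f"{label}: tunnel name {cfg['tunnel_name']!r} is not accepted by the LNS")
        if ip not in tunnel_net:
            findings.append(f"{label}: VT address {ip} is outside the LNS VT subnet {tunnel_net}")
        if hub["pool"] and hub["pool"][0] <= ip <= hub["pool"][1]:
            findings.append(f"{label}: static VT address {ip} collides with the LNS address pool")
        if next_hop_for(hub, lan) != ip:
            findings.append(f"LNS: no route to {lan} via {label}'s VT address {ip}")
    # Each branch must route the other branch's LAN into the tunnel subnet so the LNS can relay it.
    for (la, (ca, _lan_a)), (lb, (_cb, lan_b)) in itertools.permutations(spokes.items(), 2):
        nh = next_hop_for(ca, lan_b)
        if nh is None or nh not in tunnel_net:
            findings.append(f"{la}: no route to {lb}'s LAN {lan_b} pointing into {tunnel_net}")
    return findings


def audit(hub_text, branch_texts):
    """Parse the LNS and branch snippets and run the consistency checks."""
    hub = parse_config(hub_text)
    spokes = {label: (parse_config(text), ipaddress.IPv4Network(lan))
              for label, (text, lan) in branch_texts.items()}
    return check_mesh(hub, spokes)


if __name__ == "__main__":
    for line in audit(HQ, BRANCHES) or ["consistent: both branches reach each other via the LNS"]:
        print(line)
```

The most specific matching route is used on purpose: branch 2 carries a default route to the Internet, and only the /24 towards 10.12.1.33 should decide whether traffic for branch 1 enters the tunnel. Deleting that /24 from the branch, or the return route from the LNS, makes the script name the missing hop, which is the usual cause when one direction of the ping works and the other does not.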

Other related questions:
Method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000
The method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000 is as follows:
Most carriers adopt MPLS VPN networking. However, MPLS VPN alone cannot satisfy certain special requirements, for example:
a. A user who is served by one VPN needs to access resources in another VPN.
b. The carrier provides a shared LNS to enterprise users who use the MPLS VPN. Mobile users of an enterprise access the enterprise intranet over the LNS. Because the LNS is shared by multiple enterprises, it must place each user into the corresponding VPN.

Procedure:
1. Configure the LAC.
a. Set the user name and password.
b. Create two zones.
c. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
d. Create the virtual interface template and bind it with the interface.
e. Set two L2TP groups and configure the related attributes.
2. Configure the LNS.
a. Create two VPN instances, vpna and vpnb.
b. Configure an interface connected to enterprise network A and bind it with vpna.
c. Configure an interface connected to enterprise network B and bind it with vpnb.
d. Create the authentication scheme.
e. Configure the RADIUS template.
f. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
g. Create two Virtual-Template templates, bound with vpna and vpnb respectively.
h. Create two zones and bind them to the corresponding virtual templates and address pools.
i. Create two L2TP groups.

Method used to configure the AVP hiding transmission for the L2TP VPN on the USG2000 or USG5000
The AVP hiding transmission scenarios and commands are as follows:
Certain L2TP parameters are transmitted as Attribute Value Pair (AVP) data. If a user has a higher requirement for data security, the AVP data can be hidden during transmission. By default, the tunnel transmits AVP data in plaintext. The AVP data hiding function takes effect only when both ends of the tunnel enable tunnel verification (the tunnel authentication command).

tunnel avp-hidden
Command function: The tunnel avp-hidden command configures the system to transmit AVP data in hidden mode. The undo tunnel avp-hidden command restores the default transmission mode of AVP data.
Command format:
tunnel avp-hidden
undo tunnel avp-hidden
Usage guide: The command is configured in the L2TP group view. Without tunnel verification on both ends the setting has no effect and AVP data is still sent in plaintext.
Example: Set the system to transmit AVP data in hidden mode.
system-view
[sysname] l2tp-group 1
[sysname-l2tp-1] tunnel avp-hidden

Method used to configure L2TP parameters on the USG2000 and USG5000
The method used to configure L2TP parameters on the USG2000 and USG5000 is as follows:

1. allow l2tp
The allow l2tp command specifies the name of the peer tunnel that accepts the call and the Virtual-Template to use.
allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ] [ vpn-instance vpn-instance-name ]

2. call-lns local-user
The call-lns local-user command performs L2TP dialup on the LAC to access the LNS, so as to establish an L2TP tunnel.
call-lns local-user username

3. l2tp domain suffix-separator
The l2tp domain suffix-separator command sets the suffix separator.
l2tp domain suffix-separator separator

4. l2tp match-order
The l2tp match-order command sets the sequence in which the called number and the domain name are used to search for the L2TP group.
l2tp match-order { dnis | dnis-domain | domain | domain-dnis }

5. l2tp sendaccm enable
The l2tp sendaccm enable command enables the sending of ACCM messages by L2TP. By default, this function is enabled.
l2tp sendaccm enable

6. l2tp-group
The l2tp-group command creates an L2TP group.
l2tp-group group-number

7. l2tpmoreexam enable
The l2tpmoreexam enable command enables the LNS to accept L2TP connection requests initiated by different L2TP instances using the same tunnel name.
l2tpmoreexam enable

8. l2tp up-down log enable
The l2tp up-down log enable command enables the sending of logs when an L2TP user goes online or offline.
l2tp up-down log enable

9. mandatory-chap
The mandatory-chap command forces CHAP verification to be performed again between the LNS and the client. By default, the system does not re-verify CHAP.
mandatory-chap

10. mandatory-lcp
The mandatory-lcp command makes the LNS and the client re-negotiate the Link Control Protocol (LCP). By default, the system does not re-negotiate LCP.
mandatory-lcp

11. start l2tp
The start l2tp command specifies the trigger conditions for originating calls when the local end serves as the L2TP LAC.
start l2tp { lns-domain domain-name | ip ip-address &<1-5> } { domain domain-name | fullusername user-name } [ vpn-instance vpn-instance-name ]

12. tunnel authentication
The tunnel authentication command enables L2TP tunnel verification.
tunnel authentication

13. tunnel avp-hidden
The tunnel avp-hidden command configures the transmission mode in which the Attribute Value Pair (AVP) data is hidden.
tunnel avp-hidden

14. tunnel name
The tunnel name command specifies the local tunnel name.
tunnel name tunnel-name

15. tunnel password
The tunnel password command specifies the password used for tunnel verification.
tunnel password cipher password

16. tunnel source
The tunnel source command configures the source interface used by the LAC to initiate a tunnel establishment request to the LNS.
tunnel source loopback interface-number

17. tunnel timer hello
The tunnel timer hello command sets the interval for sending Hello packets over the tunnel.
tunnel timer hello interval

18. virtual-l2tpforward enable
When the IP address used by the LNS to access the intranet and the IP addresses allocated by the LNS to clients are in the same network segment, use the virtual-l2tpforward enable and arp-proxy enable commands together to enable the L2TP virtual forwarding function.
virtual-l2tpforward enable

Configuration of the Client-Initialized VPN on the USG2000 and USG5000
The method used to configure the Client-Initialized VPN on the USG2000 and USG5000 is as follows:
The LAC client can directly initiate a tunnel establishment request to the LNS, bypassing the LAC. The LNS allocates an address to the LAC client. The HQ network can connect to the Internet through the LNS. An employee on a business trip can directly initiate a tunnel establishment request to the LNS by means of L2TP dialup; the L2TP client software must be installed on the employee's PC.

Configure the Client-Initialized VPN using the CLI:
1. Configure the LNS.
a. Create and configure the virtual interface template.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
d. Configure the local tunnel name on the LNS end and the accepted peer tunnel name.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password123
Note: If you use the L2TP client software provided by Windows to dial up, you must disable the L2TP tunnel verification function.
e. Define an address pool from which IP addresses are allocated to dial-up users.
[LNS] aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
f. Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
Note: Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop address set to 192.168.1.1.
g. Allocate addresses from the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
