Method used to configure the L2TP and IPSec VPN on the USG2000


The basic principle of a VPN is to encapsulate the packets to be transmitted using tunneling technology and to establish a dedicated data channel over the VPN backbone network, so that packets are transmitted securely. Tunneling uses one protocol to encapsulate a packet of another protocol (generally IP), and the encapsulated packet can in turn be encapsulated by yet another protocol. This is exactly how L2TP over IPSec works: the PPP frame is carried in L2TP over UDP, and that IP packet is then protected by IPSec. Note that L2TP by itself only tunnels and does not encrypt user data; in the L2TP over IPSec combination it is IPSec that provides confidentiality and integrity. For the user, the tunnel is a logical extension of the network and provides the same functions as a physical link. For details, see the L2TP and IPSec VPN configurations in the product documentation.

Other related questions:
Method used to configure the L2TP VPN on the USG6300
L2TP is configured on both the LAC side and the LNS side.

L2TP configuration on the LAC side:
1. Enable L2TP.
l2tp enable
2. Create the VT interface and enter the VT interface view.
interface virtual-template virtual-template-number
3. Configure the PPP authentication mode.
ppp authentication-mode chap [ pap ] [ eap ]
ppp authentication-mode pap [ eap ]
ppp authentication-mode eap
4. Bind the physical interface that receives the PPPoE dial-up users to the VT interface.
interface interface-type interface-number
pppoe-server bind virtual-template virtual-template-number
5. Add the VT interface to a security zone. The VT interface can be added to any security zone. When configuring inter-zone relationships, to ensure that dial-up users can access the network normally, configure packet filtering between the security zone where the physical interface of the NGFW that sends and receives L2TP tunnel packets resides and the Local security zone, because the L2TP tunnel packets terminate on the firewall itself.
6. Create the L2TP group and enter the L2TP group view.
l2tp-group group-name
7. Specify the trigger condition under which the local end, acting as LAC, originates the tunnel.
Access based on domain name (the domain suffix of the user name selects this group):
start l2tp { lns-domain domain-name | ip ip-address &<1-5> } domain domain-name [ vpn-instance vpn-instance-name ]
Access based on full user name:
start l2tp { lns-domain domain-name | ip ip-address &<1-5> } fullusername user-name [ vpn-instance vpn-instance-name ]

L2TP configuration on the LNS side:
1. Enable L2TP.
l2tp enable
2. Create the VT interface and enter the VT interface view.
interface virtual-template virtual-template-number
3. Configure the local IP address of the VT interface.
ip address ip-address { mask | mask-length } [ sub ]
4. Configure the PPP authentication mode.
ppp authentication-mode { chap | eap | pap } *
5. Configure the address allocated to the peer end, or the service scheme that allocates an address to the peer end.
remote { address ip-address | service-scheme service-scheme }
6. Create the L2TP group and enter the L2TP group view.
l2tp-group group-name
7. Specify the peer tunnel name that this group accepts and the VT interface used for its sessions. The remote-name must match the tunnel name configured on the LAC.
allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ] [ vpn-instance vpn-instance-name ]
8. Configure the local tunnel name, which the peer checks against its own peer tunnel name setting.
tunnel name tunnel-name

Method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000
The method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000 is as follows. Most carriers adopt MPLS VPN networking. However, MPLS VPN alone cannot satisfy some special requirements, for example:
a. A user belongs to one VPN and needs to access resources in another VPN.
b. The carrier provides a shared LNS to enterprise users who use the MPLS VPN. Mobile users of each enterprise access their enterprise intranet through the LNS. Because the LNS is shared by multiple enterprises, it must place each user's session into that user's VPN instance. The domain suffix of the user name (user@domain, with @ as the configured separator) is what selects the L2TP group and, on the LNS, the VT interface bound to the matching VPN instance.
Procedure
1. Configure the LAC.
a. Set the user name and password.
b. Create two authentication domains, one per enterprise.
c. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
d. Create the virtual interface template and bind it to the interface.
e. Create two L2TP groups and configure their attributes, one group per domain.
2. Configure the LNS.
a. Create two VPN instances, vpna and vpnb.
b. Configure the interface connected to enterprise network A and bind it to vpna.
c. Configure the interface connected to enterprise network B and bind it to vpnb.
d. Create the authentication scheme.
e. Configure the RADIUS server template.
f. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
g. Create two Virtual-Template interfaces, bound to vpna and vpnb respectively.
h. Create two authentication domains and bind each to the corresponding virtual template and address pool.
i. Create two L2TP groups.

Method used to configure the L2TP VPN on the USG6000
The L2TP application scenarios on the USG6000 are as follows:
1. NAS-Initiated VPN. A user accesses the LAC by PPPoE dialup, and a tunnel is established between the LAC and the LNS. The LAC sends a tunnel establishment request to the LNS over the Internet, and the LNS allocates an address to the user. The user is authenticated by the LAC, which acts as an authentication proxy, and optionally by the LNS as well. When all L2TP users are offline, the tunnel is released automatically to save resources and is re-established when the next user dials in. This networking suits a branch office user who initiates connections to the HQ network and generally does not access it frequently.
2. LAC autodial. A permanent L2TP session is established between the LAC and the LNS, and a client can transmit data over the tunnel through a plain IP connection without PPP dialup. The user configures the trigger condition for establishing the permanent session, and the LAC establishes the tunnel with the LNS using a locally stored user name. The L2TP tunnel then behaves like a physical connection: the user is connected to the LAC over IP rather than over PPP, and the LAC forwards the user's IP packets to the LNS.
3. Client-Initiated VPN. A client that supports L2TP dialup initiates the tunnel establishment request directly to the LNS, bypassing the LAC, and the LNS allocates an address to the user. Because the LNS has to establish a tunnel for every remote user, the LNS configuration is more complex than in the NAS-Initiated scenario, but user access is not subject to geographical restrictions. This scenario suits the mobile office: for example, an employee on a business trip can access the HQ server from a PC or mobile phone.

Method used to configure the AVP hiding transmission for the L2TP VPN on the USG2000 or USG5000
The AVP hiding transmission scenarios and commands are as follows. Certain L2TP control parameters are transmitted as AVP data. If a user has a higher requirement for data security, the AVP data can be hidden during transmission. The AVP hiding function takes effect only when both ends of the tunnel enable tunnel authentication, because the hiding is keyed by the shared tunnel password. By default, the tunnel transmits AVP data in plaintext. Note that AVP hiding obscures control-message attributes only; it does not protect the tunneled user data, which needs IPSec.
Command function:
The tunnel avp-hidden command configures the system to transmit AVP data in hidden mode.
The undo tunnel avp-hidden command restores the default transmission mode of AVP data.
Command format:
tunnel avp-hidden
undo tunnel avp-hidden
Usage guide:
By default, the tunnel transmits AVP data in plaintext. The AVP hiding function takes effect only when both ends of the tunnel enable tunnel authentication.
Example:
# Set the system to transmit the AVP data in hidden mode.
system-view
[sysname] l2tp-group 1
[sysname-l2tp-1] tunnel avp-hidden

Method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000
The method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000 is as follows.
Configure the L2TP over IPSec user address segment using the CLI:
# Define an address pool from which dial-up users are allocated IP addresses.
[LNS] aaa
[LNS-aaa] ip pool 1 10.1.1.1 10.1.1.100
# Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
# Allocate addresses from the IP address pool to the peer end of the VT interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
Configure the L2TP over IPSec user address segment using the web UI:
Configure the L2TP parameters.
1. Choose Network > L2TP > L2TP.
2. In Configure L2TP, select Enable and click Apply.
3. In L2TP Group List, click New.
4. Set Group Type to LNS.
5. Configure the L2TP parameters. The server address must be in the same network segment as the addresses in the address pool, so that no route needs to be configured. Peer Tunnel Name must be consistent with Local Tunnel Name configured on the LAC.
Group Type: LNS
Peer Tunnel Name: LAC
Tunnel Password Authentication: Enable
Password Type: Ciphertext
Tunnel password: Hello123
Confirm Tunnel password: Hello123
User Group: default
Set the user address allocation parameters as follows:
Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
User Address Pool: 10.2.1.2-10.2.1.100
6. Click OK.
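The following is an added example, not Huawei code and not taken from the USG documentation. It implements the two RFC 2661 mechanisms that the tunnel password feeds, to make concrete why the AVP hiding answer above says "tunnel avp-hidden" only works when both ends authenticate the tunnel, and what the Tunnel Password Authentication setting above actually checks. Tunnel authentication (RFC 2661 section 5.1.1) is a CHAP-style challenge/response over the shared secret; AVP hiding (section 4.3) derives an MD5 keystream from the same secret plus a Random Vector AVP and XORs it over the attribute value. The password Hello123 is the one from the page's example; the challenge, random vector, user name and function names are constructed for this example.

```python
"""
Added example (not Huawei's code): RFC 2661 tunnel authentication and
AVP hiding, both keyed by the shared tunnel password.
"""
import hashlib
import hmac
import os
import struct

SCCRP, SCCCN = 2, 3                       # control messages that carry a Challenge Response
PROXY_AUTHEN_NAME = 22                    # an AVP a LAC commonly hides (proxied user name)
AVP_FLAG_M, AVP_FLAG_H = 0x8000, 0x4000   # Mandatory and Hidden bits in the AVP header
BLOCK = 16                                # MD5 digest length; hiding works in 16-octet blocks


def challenge_response(msg_type, secret, challenge):
    """Challenge Response AVP value: MD5(1-octet message type || secret || challenge).
    The message type (2 for SCCRP, 3 for SCCCN) plays the CHAP ID role, so a
    response captured from one message is not valid in the other."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_challenge_response(msg_type, secret, challenge, response):
    """Constant-time check of the peer's response to our own challenge."""
    return hmac.compare_digest(challenge_response(msg_type, secret, challenge), response)


def _block_key(attr_type, secret, rv, prev_cipher):
    """Keystream block: b(1) = MD5(attr type || S || RV), b(i) = MD5(S || c(i-1))."""
    if prev_cipher is None:
        return hashlib.md5(struct.pack("!H", attr_type) + secret + rv).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def hide_avp(attr_type, value, secret, rv, padding=None):
    """Return the hidden form of an AVP value.
    Plaintext layout: 2-octet original length || value || padding.
    RFC 2661 leaves the padding length to the sender; this example pads with
    random bytes up to a 16-octet boundary unless the caller supplies padding."""
    plain = struct.pack("!H", len(value)) + value
    if padding is None:
        padding = os.urandom(-len(plain) % BLOCK)
    plain += padding
    out, prev = bytearray(), None
    for i in range(0, len(plain), BLOCK):
        key = _block_key(attr_type, secret, rv, prev)
        prev = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], key))
        out += prev
    return bytes(out)


def unhide_avp(attr_type, hidden, secret, rv):
    """Invert hide_avp. Raises ValueError when the recovered length field is
    impossible, which is what a wrong tunnel password or a missing RV looks like."""
    plain, prev = bytearray(), None
    for i in range(0, len(hidden), BLOCK):
        key = _block_key(attr_type, secret, rv, prev)
        chunk = hidden[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    if len(plain) < 2:
        raise ValueError("hidden value too short")
    (orig_len,) = struct.unpack("!H", bytes(plain[:2]))
    if orig_len > len(plain) - 2:
        raise ValueError("recovered length exceeds hidden value; wrong secret or RV?")
    return bytes(plain[2:2 + orig_len])


def encode_avp(attr_type, value, hidden=False, mandatory=False):
    """AVP on the wire: flags/length (2) || vendor ID 0 (2) || attribute type (2) || value."""
    flags_len = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_H if hidden else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def demo():
    """Exercise both mechanisms and return the outcomes so they can be checked."""
    secret = b"Hello123"                                              # tunnel password from the page
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed Challenge AVP
    rv = bytes.fromhex("a1b2c3d4e5f60718")                             # constructed Random Vector AVP
    resp = challenge_response(SCCRP, secret, challenge)
    hidden = hide_avp(PROXY_AUTHEN_NAME, b"vpdnuser", secret, rv)
    h_bit = struct.unpack("!H", encode_avp(PROXY_AUTHEN_NAME, hidden, hidden=True)[:2])[0] & AVP_FLAG_H
    return {
        "auth_ok": verify_challenge_response(SCCRP, secret, challenge, resp),
        "auth_replay_into_sccn_rejected": not verify_challenge_response(SCCCN, secret, challenge, resp),
        "auth_wrong_password_rejected": not verify_challenge_response(SCCRP, b"Hello124", challenge, resp),
        "hidden_roundtrip": unhide_avp(PROXY_AUTHEN_NAME, hidden, secret, rv) == b"vpdnuser",
        "hidden_avp_has_h_bit": bool(h_bit),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Two practical points follow from the code: the hidden value is only as strong as the tunnel password, since anyone holding it (or able to guess it from a captured challenge/response) can unhide every AVP, and the MD5 keystream is obfuscation for control attributes, not encryption of the PPP payload, so the data path still relies on IPSec.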
