Configuration example for NAS-initiated VPN

Network requirements

As shown in Figure 96, a VPN user accesses the corporate headquarters through the following procedure (in a NAS-initiated VPN the NAS acts as the LAC, so the two terms refer to the same device):

  1. The user dials in to the NAS (LAC).

  2. The NAS determines whether the user is a valid VPN client. If so, it initiates a tunneling request to the LNS.

  3. After a tunnel is set up between the NAS and the LNS, the NAS transfers the results of its negotiation with the VPN user to the LNS.

  4. The LNS decides whether to accept the connection request according to the negotiated results.

  5. The user communicates with the headquarters over the tunnel between the NAS and the LNS.

Figure 96: Network diagram

Configuration procedure

  1. Configure the LAC (NAS):

    # Configure IP addresses for interfaces. (Details not shown.)

    # Create a local user named vpdnuser, set the password, and enable the PPP service. The simple keyword stores the password in cleartext in the configuration; on a production device use the cipher keyword instead.

    <LAC> system-view
    [LAC] local-user vpdnuser
    [LAC-luser-vpdnuser] password simple Hello
    [LAC-luser-vpdnuser] service-type ppp
    [LAC-luser-vpdnuser] quit
    

    # Configure interface Async 1/0.

    [LAC] interface async 1/0
    [LAC-Async1/0] ip address 1.1.1.1 255.255.255.0
    [LAC-Async1/0] ppp authentication-mode chap
    [LAC-Async1/0] quit
    

    # Enable L2TP.

    [LAC] l2tp enable
    

    # Create an L2TP group and configure its attributes.

    [LAC] l2tp-group 1
    [LAC-l2tp1] tunnel name LAC
    [LAC-l2tp1] start l2tp ip 1.1.2.2 fullusername vpdnuser
    

    # Enable tunnel authentication and specify the tunnel authentication key. The key must be identical on the LAC and the LNS (aabbcc is only a placeholder). Note that tunnel authentication only proves that both ends hold the key; L2TP itself does not encrypt the tunneled PPP traffic, so run the tunnel over IPsec if the path between the LAC and the LNS is not trusted.

    [LAC-l2tp1] tunnel authentication
    [LAC-l2tp1] tunnel password simple aabbcc
    
  2. Configure the LNS:

    # Configure IP addresses for the interfaces. (Details not shown.)

    # Create a local user named vpdnuser, set the password, and enable the PPP service. The username and password must match those configured on the LAC and entered by the dial-up user, because the LAC forwards the CHAP challenge, ID and response to the LNS, which checks them again against its own local-user entry.

    <LNS> system-view
    [LNS] local-user vpdnuser
    [LNS-luser-vpdnuser] password simple Hello
    [LNS-luser-vpdnuser] service-type ppp
    [LNS-luser-vpdnuser] quit
    

    # Configure local authentication for the VPN user.

    [LNS] domain system
    [LNS-isp-system] authentication ppp local
    [LNS-isp-system] ip pool 1 192.168.0.2 192.168.0.100
    [LNS-isp-system] quit
    

    # Enable L2TP.

    [LNS] l2tp enable
    

    # Configure the VT interface.

    [LNS] interface virtual-template 1
    [LNS-virtual-template1] ip address 192.168.0.1 255.255.255.0
    [LNS-virtual-template1] ppp authentication-mode chap domain system
    [LNS-virtual-template1] remote address pool 1
    [LNS-virtual-template1] quit
    

    # Create an L2TP group, specify the VT interface for receiving calls, and specify the name of the tunnel on the peer.

    [LNS] l2tp-group 1
    [LNS-l2tp1] tunnel name LNS
    [LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
    

    # Enable tunnel authentication and specify the tunnel authentication key. The key must be the same as the one configured on the LAC; otherwise the tunnel setup fails before any session is negotiated.

    [LNS-l2tp1] tunnel authentication
    [LNS-l2tp1] tunnel password simple aabbcc
    
  3. Configure the user:

    In the dial-up network window, enter vpdnuser as the username and Hello as the password.

  4. Verify the configuration:

    # After the dial-up connection is established, the user host can obtain an IP address (for example, 192.168.0.2) and can ping the private IP address of the LNS (192.168.0.1).

    # On the LNS, use the display l2tp tunnel command to check the established L2TP tunnels. RemoteName should be the tunnel name configured on the LAC (LAC), RemoteAddress the LAC's tunnel endpoint address, and Port the L2TP control port 1701.

    [LNS] display l2tp tunnel
     Total tunnel = 1
    
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
     1        1         1.1.2.1          1701   1        LAC
    

    # On the LNS, use the display l2tp session command to check the established L2TP sessions.

    [LNS] display l2tp session
     Total session = 1
    
     LocalSID  RemoteSID  LocalTID
     23142     729        1
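    The following Python model is an added example and is not part of the manual or of the Comware implementation. It shows why the two keys in the configuration above must match on both ends: tunnel authentication (RFC 2661, section 5.1), where the LAC and the LNS each answer the peer's challenge with a CHAP-style MD5 response over the shared tunnel password, using the control message type (SCCRP = 2, SCCCN = 3) as the ID byte; and PPP CHAP (RFC 1994), where the LAC challenges the dial-in user, checks the response against its own local-user, and then proxies the challenge, ID, response and name to the LNS in the ICCN, which re-checks them against its local-user entry (steps 2 to 4 of the procedure). The challenge bytes, the AVP dictionaries and the user tables are constructed for the demo; the function names are the example's own.

```python
"""Added example, not from the H3C/HP manual: a model of the two
authentication layers in the NAS-initiated L2TP configuration above.

 * Tunnel authentication (RFC 2661, section 5.1): LAC and LNS each prove
   knowledge of the shared tunnel password (`tunnel password ... aabbcc`)
   with a CHAP-style MD5 response over the peer's challenge; the ID byte is
   the control message type carrying the response (SCCRP = 2, SCCCN = 3).
 * PPP CHAP (RFC 1994): the LAC challenges the dial-in user, checks the
   response against its own local-user, then hands the challenge, ID,
   response and name to the LNS in the ICCN Proxy Authen AVPs, where the
   LNS re-checks them against its own local-user entry.

Challenge bytes, AVP dictionaries and user tables are constructed here; a
real implementation carries them in L2TP control messages over UDP 1701.
"""
import hashlib
import hmac
import os

SCCRP, SCCCN = 2, 3          # L2TP control message types (RFC 2661, 3.2)


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(ID || secret || challenge), the form used by RFC 1994 and RFC 2661."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def establish_tunnel(lac_name, lac_secret, lns_secret, allowed_remote="LAC",
                     lac_challenge=None, lns_challenge=None):
    """SCCRQ -> SCCRP -> SCCCN with tunnel authentication on both sides.

    Returns (True, "established") or (False, reason). Challenges default to
    fresh random nonces; callers may pin them for reproducibility."""
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)

    # SCCRQ (LAC -> LNS): Host Name AVP + Challenge AVP. The LNS only accepts
    # the peer named in `allow l2tp virtual-template 1 remote LAC`.
    if lac_name != allowed_remote:
        return False, f"LNS: tunnel from {lac_name!r} not allowed"

    # SCCRP (LNS -> LAC): the LNS's own challenge plus its response to the
    # LAC's challenge, computed with the LNS copy of the tunnel password.
    sccrp_resp = chap_hash(SCCRP, lns_secret, lac_challenge)
    if not hmac.compare_digest(sccrp_resp, chap_hash(SCCRP, lac_secret, lac_challenge)):
        return False, "LAC: SCCRP challenge response mismatch (tunnel password differs)"

    # SCCCN (LAC -> LNS): the LAC's response to the LNS challenge.
    scccn_resp = chap_hash(SCCCN, lac_secret, lns_challenge)
    if not hmac.compare_digest(scccn_resp, chap_hash(SCCCN, lns_secret, lns_challenge)):
        return False, "LNS: SCCCN challenge response mismatch (tunnel password differs)"
    return True, "established"


# Constructed local-user databases, as created with `local-user vpdnuser`
# on each device in the configuration above.
LAC_USERS = {"vpdnuser": b"Hello"}
LNS_USERS = {"vpdnuser": b"Hello"}


def chap_verify(users, name, ident, challenge, response):
    """Authenticator side of CHAP: recompute the hash from the stored secret."""
    secret = users.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(response, chap_hash(ident, secret, challenge))


def dial_in(username, password: bytes, lac_users=LAC_USERS, lns_users=LNS_USERS,
            challenge=None, ident=1):
    """Steps 2 to 4 of the procedure for one PPP session.

    The LAC authenticates the user with CHAP on Async 1/0, then proxies the
    same challenge, ID and response to the LNS in the ICCN; the LNS decides."""
    challenge = challenge or os.urandom(16)
    response = chap_hash(ident, password, challenge)       # computed by the client

    if not chap_verify(lac_users, username, ident, challenge, response):
        return False, "LAC: CHAP failure, no tunnel request sent"

    # ICCN Proxy Authen AVPs: Type=CHAP, Name, Challenge, ID, Response
    proxy = {"name": username, "challenge": challenge, "id": ident, "response": response}
    if not chap_verify(lns_users, proxy["name"], proxy["id"],
                       proxy["challenge"], proxy["response"]):
        return False, "LNS: proxy CHAP failure, session rejected"
    return True, "session accepted, address assigned from ip pool 1"


if __name__ == "__main__":
    print(establish_tunnel("LAC", b"aabbcc", b"aabbcc"))
    print(establish_tunnel("LAC", b"aabbcc", b"wrong"))
    print(dial_in("vpdnuser", b"Hello"))
    # Same user on the LAC but a different password on the LNS: the LAC
    # accepts the call, the LNS rejects the proxied CHAP result.
    print(dial_in("vpdnuser", b"Hello", lns_users={"vpdnuser": b"other"}))
```

    Running the block shows the two failure modes a practitioner meets most often with this setup: a tunnel password mismatch is detected already at the SCCRP step, before any session exists, while a user password that differs between the LAC and the LNS passes the LAC and is only refused by the LNS when it re-checks the proxied CHAP result.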