Configuring an L2TP VPN

This section describes how to configure an L2TP VPN.

Creating an L2TP VPN Instance

To create an L2TP VPN instance, take the following steps:

  1. On the Navigation pane, click Configuration > Network > L2TP VPN to visit the L2TP VPN page.
  2. Click New or click New L2TP VPN on the Task tab in the right auxiliary pane.
  3. In the Welcome page of the L2TP VPN Configuration dialog, type the name of the L2TP VPN instance into the L2TP VPN name box.
  4. Click Next. In the User page, specify the AAA server that is used for user authentication.
    1. Select an AAA server from the AAA server drop-down list.
    2. Type the domain name into the Domain box. The domain name is used to distinguish the AAA server.
    3. Click Add.
    4. Repeat the above steps to add more AAA servers. To delete an AAA server, select the AAA server you want to delete from the list, and click Delete.
  5. Click Next. In the Interface page, configure the access interface, tunnel interface, address pool and L2TP over IPSec of L2TP VPN.
    Option: Description

    Access interface: Specifies the L2TP VPN egress interface. This interface is used to listen for requests from L2TP VPN clients. The options are:
      • Egress interface: Select an interface from the drop-down list.

    Tunnel interface: Specifies the tunnel interface that is bound to the L2TP VPN tunnel. The tunnel interface transmits traffic to and from the L2TP VPN tunnel. The options are:
      • Tunnel interface: Use one of the following ways to specify the tunnel interface:
          Select a configured tunnel interface from the drop-down list.
          Click New from the drop-down list, and in the Interface Configuration dialog, configure a new tunnel interface.
          Select a configured tunnel interface from the drop-down list, and then click Modify to edit the selected tunnel interface in the Interface Configuration dialog.
        For more information about creating/editing tunnel interfaces, see Configuring an Interface.
      • Zone: Shows the zone of the selected tunnel interface.
      • IP address: Shows the IP address of the selected tunnel interface.
      • Netmask: Shows the netmask of the selected tunnel interface.

    Address pool: Specifies the L2TP VPN address pool. The options are:
      • Address pool: Use one of the following ways to specify the address pool:
          Select a configured address pool from the drop-down list.
          Select New from the drop-down list, and in the Address Pool Configuration dialog, create a new address pool.
          Select a configured address pool from the drop-down list, and then click Modify to edit the selected address pool in the Address Pool Configuration dialog.
        For more information about creating/editing address pools, see Configuring an L2TP VPN Address Pool.
      • Start IP: Shows the start IP of the selected address pool.
      • End IP: Shows the end IP of the selected address pool.

    L2TP over IPSec: Select a referenced IPSec tunnel from the drop-down list. L2TP does not encrypt the data transmitted through the tunnel, so it cannot assure security during transmission. You can use L2TP in combination with IPSec and encrypt the data with IPSec, thus assuring the security of the data transmitted through the L2TP tunnel. Note that you cannot use L2TP in combination with IPSec when using the security appliance designed for the Russia market.
  6. If necessary, click Advanced to configure the advanced options, including security, client connection and PPP. For the detailed information, see Step 7.
  7. Click Parameters, and in the Parameters page, configure the parameters of security, client connection and PPP.
    Option: Description

    Security

    Tunnel authentication: Click Enable to enable tunnel authentication, which assures the security of the connection. Tunnel authentication can be launched by either the LNS or the LAC. The tunnel cannot be established unless both ends are authenticated, i.e., the secret strings of the two ends are consistent.

    AVP hidden: Click Enable to enable AVP hiding. L2TP uses AVPs (attribute value pairs) to transfer and negotiate some L2TP parameters and attributes. By default AVPs are transferred in plain text. For data security, you can encrypt the AVP values with the secret string so that they are hidden during transmission.

    Secret: Specifies the secret string that is used for LNS tunnel authentication.

    Peer name: Specifies the host name of the LAC. If multiple LACs are connected to the LNS, you can use this parameter to specify a different secret string for each LAC. Click Add to add the configured secret and peer name pair to the list, or click Delete to delete the selected pair.

    Client connection

    Accept client IP: Click Enable to accept the IP address specified by the client. By default the client IP is selected from the address pool and allocated by the LNS automatically. If this function is enabled, the client can specify an IP address. However, this IP address must belong to the specified address pool and be consistent with the username and role. If the specified IP is already in use, the system will not allow the user to log on.

    Multiple login: Click Enable to allow a user to log on and be authenticated on different hosts simultaneously.

    Hello interval: Specifies the interval at which Hello packets are sent. The LNS sends Hello packets to the L2TP client or LAC regularly, and drops the tunnel connection if no response is returned within the specified period.

    LNS name: Specifies the local name of the LNS.

    Tunnel window: Specifies the window size for the data transmitted through the tunnel.

    Control packet transmit retry: Specifies the number of times a control packet is retransmitted. If no response is received from the peer after the specified number of retries, the system determines that the tunnel connection is disconnected.

    PPP configuration

    LCP-echo: Specifies the parameters for the LCP Echo packets used in PPP negotiation. The options are:

    • Interval - Specifies the interval at which LCP Echo packets are sent.
    • Retry times - Specifies the number of times LCP Echo packets are resent. If the LNS has not received any response after the specified number of retries, it determines that the connection is disconnected.

    PPP authentication: Specifies a PPP authentication protocol. The options are:

    • PAP - Uses PAP for PPP authentication.
    • CHAP - Uses CHAP for PPP authentication. This is the default option.
    • Any - Uses CHAP for PPP authentication by default. If CHAP is not supported, PAP is used instead.
  8. Click OK to save the settings.
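To show what the AVP hidden option actually does on the wire, here is an added Python example (not the appliance's own code) of the AVP hiding mechanism defined in RFC 2661 section 4.3: the configured Secret and the Random Vector sent with the control message seed an MD5 keystream that masks the attribute value, which is why both ends must hold the same secret. The secret, the Random Vector and the Calling Number value are constructed sample values; this protects only control-message attributes, not the tunnelled data, which is the reason L2TP over IPSec exists.

```python
import hashlib

# Constructed sample values; a real LNS/LAC carries the Random Vector AVP
# in the same control message as the hidden AVP, and both ends share the secret.
SECRET = b"example-tunnel-secret"      # the Secret configured on the Security page
RANDOM_VECTOR = bytes(range(16))       # Random Vector AVP value (constructed)
CALLING_NUMBER = 22                    # attribute type of the Calling Number AVP (RFC 2661)


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 octets; RFC 2661 allows arbitrary padding octets."""
    return data + b"\x00" * (-len(data) % 16)


def hide_avp(attr_type: int, value: bytes, secret: bytes, rv: bytes) -> bytes:
    """Hide an AVP value as in RFC 2661 section 4.3 (what 'AVP hidden' turns on)."""
    plain = _pad16(len(value).to_bytes(2, "big") + value)
    mask = hashlib.md5(attr_type.to_bytes(2, "big") + secret + rv).digest()
    hidden = bytearray()
    for i in range(0, len(plain), 16):
        chunk = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        hidden += chunk
        mask = hashlib.md5(secret + chunk).digest()  # next mask chains on the ciphertext
    return bytes(hidden)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, rv: bytes) -> bytes:
    """Reverse hide_avp; raises ValueError when the secret or RV does not match."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden value is not a multiple of 16 octets")
    mask = hashlib.md5(attr_type.to_bytes(2, "big") + secret + rv).digest()
    plain = bytearray()
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(chunk, mask))
        mask = hashlib.md5(secret + chunk).digest()
    length = int.from_bytes(plain[:2], "big")
    if length > len(plain) - 2:
        raise ValueError("length field out of range: wrong secret or corrupted AVP")
    return bytes(plain[2:2 + length])


def try_unhide(attr_type: int, hidden: bytes, secret: bytes, rv: bytes):
    """Return the recovered value, or None when unhiding fails (secret mismatch)."""
    try:
        return unhide_avp(attr_type, hidden, secret, rv)
    except ValueError:
        return None


if __name__ == "__main__":
    hidden = hide_avp(CALLING_NUMBER, b"+15550100", SECRET, RANDOM_VECTOR)
    print(hidden.hex())
    print(unhide_avp(CALLING_NUMBER, hidden, SECRET, RANDOM_VECTOR))
    print(try_unhide(CALLING_NUMBER, hidden, b"wrong-secret", RANDOM_VECTOR))
```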

Note: The Russia version does not support the IPSec protocol and the related L2TP over IPSec function.

Editing an L2TP VPN Instance

To edit an L2TP VPN instance, take the following steps:

  1. On the Navigation pane, click Configuration > Network > L2TP VPN to visit the L2TP VPN page.
  2. Select the L2TP VPN instance you want to edit from the list and click Edit.
  3. In the L2TP VPN Configuration dialog, modify according to your need.

Deleting an L2TP VPN Instance

To delete an L2TP VPN instance, take the following steps:

  1. On the Navigation pane, click Configuration > Network > L2TP VPN to visit the L2TP VPN page.
  2. Select the L2TP VPN instance you want to delete from the list and click Delete.

Viewing Online Users

To view the L2TP VPN online users, take the following steps:

  1. On the Navigation pane, click Configuration > Network > L2TP VPN to visit the L2TP VPN page.
  2. View the detailed information about the online users in the online user list:
    • Name: Shows the name of the online user.
    • Login time: Shows the time when the user logged in.
    • Public IP: Shows the public IP of the online user.
    • Private IP: Shows the IP allocated by the L2TP VPN server.
    • Action: Click Kick off to disconnect the L2TP VPN connection.
  3. To search for a specific user, type the user name into the Online user box, and then click Search.