Configuring an L2TP VPN

System > Network > VPN > L2TP VPN

By configuring an L2TP VPN, the Hillstone devices can act as LNS in the L2TP tunnel network.

In the L2TP VPN page, you can perform the following actions:

Note: The Russia version does not support the IPSec protocol and the related L2TP over IPSec function.

Options in the L2TP VPN Configuration dialog:

Option Description
Name/User
L2TP VPN Name

Specifies the name of the L2TP VPN.

AAA Server/Domain/Verify User Domain Name

Configure the AAA server for user authentication:

  1. Select an AAA server from the AAA Server drop-down list. You can click View AAA Server to view AAA server details.
  2. Type the domain name of the AAA server into the Domain textbox.
  3. Verify User Domain Name: Select Enable to verify the user domain name when performing the user authentication.
  4. Click Add to add the configured AAA server. The added AAA server will display in the table at the bottom of this dialog.
  5. Repeat the steps above to add more AAA servers. To remove AAA servers, select them in the table and then click Delete.
Interface/Address Pool/IPSec Tunnel
Access Interface

Specifies the L2TP VPN egress interface. This interface listens for requests from L2TP VPN clients. The options are:

  • Egress Interface: Select the L2TP VPN egress interface from the drop-down list.
Tunnel Interface

Specifies the tunnel interface bound to the L2TP VPN tunnel. The tunnel interface carries traffic to and from the L2TP VPN tunnel. The options are:

  • Tunnel Interface: Use one of the following ways to specify the tunnel interface:
    • Select the configured tunnel interface from the drop-down list;
    • Click New from the drop-down list. In the Interface Configuration dialog, configure a new tunnel interface;
    • Select a configured tunnel interface from the drop-down list, and then click Edit to edit the selected tunnel interface in the Interface Configuration dialog.

    For more information about creating/editing tunnel interfaces, see Configuring an Interface.

  • Zone: Shows the zone of the selected tunnel interface.
  • IP Address: Shows the IP address of the selected tunnel interface.
  • Mask: Shows the netmask of the selected tunnel interface.
Address Pool

Specifies the L2TP VPN address pool. The options are:

  • Address Pool: Use one of the following ways to specify the address pool:
    • Select a configured address pool from the drop-down list;
    • Select New from the drop-down list, and in the Address Pool Configuration dialog, create a new address pool;
    • Select a configured address pool from the drop-down list, and then click Edit to edit the selected address pool in the Address Pool Configuration dialog;

    For more information about creating/editing address pools, see Configuring an L2TP VPN Address Pool.

  • Start IP: Shows the start IP of the selected address pool.
  • End IP: Shows the end IP of the selected address pool.
L2TP over IPSec

Select a referenced IPSec tunnel from the drop-down list. L2TP does not encrypt the data transmitted through the tunnel, so by itself it cannot assure the security of the transmission. You can use L2TP in combination with IPSec, letting IPSec encrypt the data and thus assuring the security of the data transmitted through the L2TP tunnel. Note that you cannot use L2TP in combination with IPSec on the security appliance designed for the Russian market.

Advanced
Security

Tunnel Authentication: Click Enable to enable tunnel authentication to assure the security of the connection. The tunnel authentication can be initiated by either the LNS or the LAC. The tunnel cannot be established unless both ends are authenticated, i.e., the secret strings of the two ends match.

AVP Hidden: Click Enable to enable AVP hiding. L2TP uses AVPs (attribute value pairs) to transfer and negotiate some L2TP parameters and attributes. By default AVPs are transferred in plain text. For data security, you can obscure them with the secret string to hide the AVPs during transmission.

Secret: Specifies the secret string that is used for LNS tunnel authentication.

Peer: Specifies the host name of LAC. If multiple LACs are connected to LNS, you can specify different secret strings for different LACs by this parameter. Click Add to add the configured secret and peer name pair to the list, or click Delete to delete the selected pair.
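Both Tunnel Authentication and AVP Hidden rest on the same shared secret, so the following added example (not Hillstone's code) shows how RFC 2661 derives the tunnel-authentication challenge response and how an AVP value is hidden and recovered with MD5 keystream blocks; the secret, random vector and attribute value are constructed sample data.

```python
# Added example, not Hillstone code: RFC 2661 tunnel authentication (section 5.1)
# and AVP hiding (section 4.3). Both depend entirely on the shared tunnel secret;
# neither replaces IPSec, which is what actually encrypts tunnelled data.
import hashlib
import hmac
import os
import struct

SCCRP, SCCCN = 2, 3  # control message types carrying a Challenge Response AVP


def tunnel_auth_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response value: MD5(message type || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_tunnel_auth(msg_type: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """What the LNS (or LAC) checks before letting the tunnel come up."""
    expected = tunnel_auth_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def _first_block(attr_type: int, secret: bytes, random_vector: bytes) -> bytes:
    # b(1) = MD5(Attribute Type (2 octets) || S || RV); RV is sent in the clear.
    return hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()


def hide_avp(attr_type: int, secret: bytes, random_vector: bytes, value: bytes) -> bytes:
    """Hidden AVP value: 2-octet original length, value, random padding to 16 octets."""
    plain = struct.pack("!H", len(value)) + value
    plain += os.urandom((-len(plain)) % 16)
    out, b = b"", _first_block(attr_type, secret, random_vector)
    for i in range(0, len(plain), 16):
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()  # b(n+1) = MD5(S || c(n)), chained on ciphertext
    return out


def unhide_avp(attr_type: int, secret: bytes, random_vector: bytes, hidden: bytes) -> bytes:
    """Reverse the hiding; a wrong secret yields garbage, usually with an implausible length."""
    if len(hidden) % 16:
        raise ValueError("hidden value must be a multiple of 16 octets")
    plain, b = b"", _first_block(attr_type, secret, random_vector)
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    (length,) = struct.unpack("!H", plain[:2])
    if length > len(plain) - 2:
        raise ValueError("implausible length field: wrong secret or random vector")
    return plain[2:2 + length]
```

Because every keystream block is a plain MD5 of the secret and public data, AVP hiding only protects against casual observation; a short or guessable secret undoes both mechanisms, so the Secret field deserves the same care as an IPSec pre-shared key.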

Client Connection

Accept Client IP: Click Enable to accept the IP address specified by the client. By default the client IP is selected from the address pool and allocated by the LNS automatically. If this function is enabled, the client can specify an IP address. However, this IP address must belong to the specified address pool and be consistent with the username and role. If the specified IP is already in use, the system will not allow the user to log on.

Multiple Login: Click Enable to allow a user to log on and be authenticated on different hosts simultaneously.

Hello Interval: Specifies the interval at which Hello packets are sent. The LNS sends Hello packets to the L2TP client or LAC regularly, and drops the tunnel connection if no response is returned within the specified period.

LNS Name: Specifies the local name of LNS.

Tunnel Window: Specifies the window size for the data transmitted through the tunnel.

Control Packet Transmit Retry: Specifies the number of times a control packet is retransmitted. If no response is received from the peer after the specified number of retries, the system determines that the tunnel connection is down.

PPP Configuration

LCP-echo: Specifies parameters for LCP Echo packets used for PPP negotiation. The options are:

  • Interval: Specifies the interval at which LCP Echo packets are sent.
  • Transmit Retry: Specifies the number of times an LCP Echo packet is resent. If the LNS has received no response after the specified number of retries, it determines that the connection is down.

PPP authentication: Specifies a PPP authentication protocol. The options are:

  • PAP: Uses PAP for PPP authentication.
  • CHAP: Uses CHAP for PPP authentication. This is the default option.
  • Any: Uses CHAP for PPP authentication by default, and falls back to PAP if the client does not support CHAP.