Configuring Mandatory CHAP Authentication - 3Com MSR 50 Series Configuration Manual

3com msr 30-16: software guide

To do...                                  Use the command...                             Remarks
Return to user view                       quit                                           -
Disconnect the specified tunnel by force  reset l2tp tunnel { remote-name | tunnel-id }  Optional

Note that:

- With the L2TP multi-instance function enabled, a router can serve as LNS for
  multiple enterprises. The implementation of L2TP multi-instance enriches VPN
  network applications, especially in MPLS-VPN. In practice, private routes of
  enterprises need the support of VPN instances. For VPN instance configuration,
  refer to "MPLS Basics Configuration" on page 1311. In L2TP multi-instance
  applications, VPN instances must be configured on the LNS.
- The start l2tp and allow l2tp commands are mutually exclusive.
- An L2TP group represents a group of parameters and corresponds to one VPN
  user or one group of VPN users. This not only allows for flexible L2TP
  configuration on routers, but also facilitates one-to-one and one-to-many
  networking applications between LAC and LNS. An L2TP group has only local
  significance. However, you need to ensure that the relevant settings of the
  corresponding L2TP groups on the LAC and the LNS match. For example, the local
  tunnel name configured on the LAC must match the remote tunnel name configured
  on the LNS.
- You can specify whether tunnel authentication must be performed before a
  tunnel is set up. Either the LAC or the LNS can initiate a tunnel
  authentication request. Whenever tunnel authentication is enabled on one
  side, a tunnel can be set up successfully only if tunnel authentication is
  also enabled on the other side and the two sides are configured with the same
  password, which must not be null. Enabling tunnel authentication is
  recommended for tunnel security. You can change the password for tunnel
  authentication, but the change takes effect only for tunnels established
  later.
- To check the connectivity of a tunnel, the LAC and the LNS regularly send
  Hello packets to each other. Upon receipt of a Hello packet, the LAC or LNS
  returns a response packet. When the LAC or LNS fails to receive a Hello
  response packet from the peer within a specified period of time, it
  retransmits the Hello packet. If it receives no response packet from the peer
  after retransmitting the Hello packet three times, it considers the L2TP
  tunnel to be down and tries to re-establish a tunnel with the peer.
- If neither LCP re-negotiation nor mandatory CHAP authentication is
  configured, an LNS performs proxy authentication of users. In this case, the
  LAC sends to the LNS all authentication information from users as well as the
  authentication mode configured on the LAC itself, and the LNS, by default,
  accepts the authentication results from the LAC.
- A tunnel is disconnected when no user remains online, a network failure
  occurs, or a network administrator tears it down. Either the LAC or the LNS
  can initiate a tunnel disconnection request. Once a tunnel is disconnected,
  the control connection and all the sessions within the tunnel are removed.
  When a user dials in, a new tunnel is established.

Configuring Mandatory CHAP Authentication

An LNS may be configured to authenticate a user that has passed authentication
on the LAC. In this case, the user is authenticated twice, once on the LAC and
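
The difference between proxy authentication and mandatory CHAP authentication described in the notes above can be seen in a small model. This is an added example, not code from the manual or from the router software: the function and class names, the sample users and the simplified admission logic are assumptions, and the response calculation is the standard CHAP MD5 hash from RFC 1994.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier octet + secret + challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

class User:
    """Dial-in user that answers CHAP challenges with the password it holds."""
    def __init__(self, name: str, password: bytes):
        self.name, self.password = name, password

    def answer(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.password, challenge)

def lns_admit(user: User, lac_passed: bool, lns_secrets: dict,
              mandatory_chap: bool) -> bool:
    """Simplified, hypothetical model of the LNS decision (not router code)."""
    if not lac_passed:
        return False  # rejected at the LAC, so never tunnelled to the LNS
    if not mandatory_chap:
        # Proxy authentication: the LNS accepts the LAC's result as-is.
        return True
    # Mandatory CHAP: the LNS sends its own fresh challenge and checks the
    # answer against its own secret store, so the user is verified twice.
    secret = lns_secrets.get(user.name)
    if secret is None:
        return False
    ident, challenge = os.urandom(1)[0], os.urandom(16)
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, user.answer(ident, challenge))

# Constructed sample data: user names and passwords are made up.
LNS_SECRETS = {"alice": b"correct-horse"}
current = User("alice", b"correct-horse")
outdated = User("alice", b"old-password")  # still valid only in the LAC's view

if __name__ == "__main__":
    for label, user in (("current", current), ("outdated", outdated)):
        for mode in (False, True):
            print(label, "mandatory_chap=%s" % mode,
                  lns_admit(user, True, LNS_SECRETS, mandatory_chap=mode))
```

In proxy mode the LNS result depends only on what the LAC reports; with mandatory CHAP a credential that the LNS itself does not recognise is refused even though the LAC accepted it.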
