NAS-Initiated VPN - H3C SR6600 Configuration Manual

Layer 2 – WAN configuration

NAS-Initiated VPN

Network requirements
A VPN user accesses the corporate headquarters as follows:
1) The user dials in to the NAS.
2) The NAS determines whether the user is a valid VPN client. If so, it initiates a tunneling request to the LNS.
3) After a tunnel is set up between the NAS and the LNS, the NAS transfers what it has negotiated with the VPN user to the LNS.
4) The LNS decides whether to accept the connection request according to the negotiated results.
5) The user communicates with the headquarters over the tunnel between the NAS and the LNS.
Figure 4-8 Network diagram for the NAS-initiated VPN (figure not reproduced; access network label: PSTN/ISDN)
Configuration procedure
1) LAC side configuration
Configure the NAS
# Configure IP addresses for the interfaces. (Omitted)
# Create a local user named vpdnuser, set the password, and enable PPP service.
<LAC> system-view
[LAC] local-user vpdnuser
[LAC-luser-vpdnuser] password simple Hello
[LAC-luser-vpdnuser] service-type ppp
[LAC-luser-vpdnuser] quit
# Configure interface Async 1/0/1.
[LAC] interface async 1/0/1
[LAC-Async1/0/1] ip address 1.1.1.1 255.255.255.0
[LAC-Async1/0/1] ppp authentication-mode chap
[LAC-Async1/0/1] quit
# Enable L2TP.
[LAC] l2tp enable
# Create an L2TP group and configure its attributes.
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 1.1.2.2 fullusername vpdnuser
# Enable tunnel authentication and specify the tunnel authentication password.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
2) Configure the LNS
(Figure 4-8 labels: LAC GE1/0/1 1.1.2.1/24 and Async1/0/1 1.1.1.1/24; LNS GE1/0/1 1.1.2.2/24; L2TP tunnel between the LAC and the LNS across the Internet; corporate network behind the LNS.)
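An audit pass over the LAC commands shown above, as an added example that is not part of the H3C manual: it flags secrets entered with the simple keyword, short secrets, PAP, and disabled tunnel authentication. The function name audit, the finding strings and the 12-character minimum are assumptions of this example; the cipher keyword and undo tunnel authentication are Comware commands that do not appear on this page.

```python
import re

# Constructed sample: the LAC commands from this page (quit/ip address lines omitted).
LAC_SESSION = """\
<LAC> system-view
[LAC] local-user vpdnuser
[LAC-luser-vpdnuser] password simple Hello
[LAC-luser-vpdnuser] service-type ppp
[LAC] interface async 1/0/1
[LAC-Async1/0/1] ppp authentication-mode chap
[LAC] l2tp enable
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 1.1.2.2 fullusername vpdnuser
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
"""

PROMPT = re.compile(r"^[<\[]([^\]>]+)[\]>]\s*(.+)$")  # "[view] command"
SECRET = re.compile(r"^(tunnel )?password (simple|cipher) (\S+)$")
MIN_SECRET_LEN = 12  # assumption: local policy value, not from the manual


def audit(session):
    """Return sorted (view, finding) pairs; secret values are never echoed."""
    findings = set()
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # "# ..." comment lines and blanks carry no command
        view, cmd = m.group(1), " ".join(m.group(2).split())
        s = SECRET.match(cmd)
        if s and s.group(2) == "simple":
            kind = "tunnel" if s.group(1) else "user"
            findings.add((view, f"{kind} secret configured as plaintext (simple)"))
            # Length is only meaningful for plaintext; cipher text is encoded.
            if len(s.group(3)) < MIN_SECRET_LEN:
                findings.add((view, f"{kind} secret shorter than {MIN_SECRET_LEN}"))
        elif cmd.startswith("ppp authentication-mode ") and "pap" in cmd.split()[2:]:
            findings.add((view, "PAP sends the PPP password in cleartext"))
        elif cmd == "undo tunnel authentication":
            findings.add((view, "L2TP tunnel authentication disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for view, finding in audit(LAC_SESSION):
        print(f"{view}: {finding}")
```

Run against the page's LAC session, it reports the local user password and the tunnel password as plaintext and under the assumed length minimum, and nothing for the CHAP line.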
