To configure VPN authentication via the command-line interface, access the CLI in config mode and issue the
following commands:
(host)(config) #aaa authentication vpn default
    cert-cn-lookup
    clone
    default-role <role>
    export-route
    max-authentication-failure <number>
    pan-integration
    radius-accounting <server_group_name>
    server-group <name>
    user-idle-timeout <seconds>
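The same profile filled in with sample values, as an added example that is not taken from the guide: the server group name vpn-radius, the role name vpn-user, and the exact prompt string shown inside the profile context are assumptions, while the subcommands are the ones listed above. It binds the profile to a named server group, restricts the default role, caps failed authentication attempts, and times out idle users.

```text
(host)(config) #aaa authentication vpn default
(host)(VPN Authentication Profile "default") #server-group vpn-radius
(host)(VPN Authentication Profile "default") #default-role vpn-user
(host)(VPN Authentication Profile "default") #max-authentication-failure 3
(host)(VPN Authentication Profile "default") #user-idle-timeout 600
(host)(VPN Authentication Profile "default") #radius-accounting vpn-radius
(host)(VPN Authentication Profile "default") #cert-cn-lookup
```

The server group and role named here must already exist on the controller; cert-cn-lookup only matters for certificate-authenticated clients, and the failure and idle-timeout values are sample choices to be tuned to local policy.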
Configuring a Basic VPN for L2TP/IPsec
The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) creates a highly
secure technology that enables VPN connections across public networks such as the Internet. L2TP provides a
logical transport mechanism for PPP frames: it tunnels (encapsulates) them so that they can be sent across an IP
network. L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol
configuration. With L2TP/IPsec, the user authentication process is encrypted using the Data Encryption
Standard (DES) or Triple DES (3DES) algorithm.
L2TP/IPsec using IKEv1 requires two levels of authentication:
- Computer-level authentication with a preshared key to create the IPsec security associations (SAs) to
  protect the L2TP-encapsulated data.
- User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital
  certificates, or smart cards after successful creation of the SAs.
Note that only Windows 7 (and later versions), StrongSwan 4.3, and VIA clients support IKEv2. For additional
information on the authentication types supported by these clients, see Working with IKEv2 Clients on page 348.
Configuring a Basic L2TP VPN in the WebUI
Use the following procedures in the WebUI to configure a remote access VPN for L2TP IPsec for clients using
pre-shared keys, certificates, or EAP for authentication:
- Defining Authentication Method and Server Addresses on page 357
- Defining Address Pools on page 357
- Enabling Source NAT on page 357
- Selecting Certificates on page 358
- Defining IKEv1 Shared Keys on page 354
- Configuring IKE Policies on page 358
- Setting the IPsec Dynamic Map on page 359
- Finalizing WebUI changes on page 360
Defining Authentication Method and Server Addresses
1. Define the authentication method and server addresses.
2. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab.
3. To enable L2TP, select Enable L2TP (this is enabled by default).
4. Select the authentication method for IKEv1 clients. Currently supported methods include:
   - Password Authentication Protocol (PAP)
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 352