...
| Блок кода |
|---|
esr# clear remote-access session pptp username fedor esr# clear remote-access session pptp server remote-workers username fedor |
| Scroll Pagebreak |
|---|
...
L2TP (Layer 2 Tunneling Protocol) is a sophisticated tunneling protocol used to support virtual private networks. L2TP encapsulates PPP frames into IP packets for transmission via global IP network, e.g. the Internet. L2TP may be used for tunnel establishment between two local area networks. L2TP uses an additional UDP connection for tunnel handling. L2TP protocol does not provide data encryption, therefore it is usually combined with an IPsec protocol group that provides security on a packet level.
| Scroll Pagebreak |
|---|
Configuration algorithm
Step | Description | Command | Keys |
|---|---|---|---|
1 | Create L2TP server profile. | esr(config)# remote-access l2tp <NAME> | <NAME> – L2TP server profile name, set by the string of up to 31 characters. |
2 | Specify the description of the configured server (optional). | esr(config-l2tp-server)# description <DESCRIPTION> | <DESCRIPTION> – L2TP server description, set by the string of up to 255 characters. |
3 | Specify IP address that should be listened by L2TP server. | esr(config-l2tp-server)# outside-address | <OBJ-GROUP-NETWORK-NAME> – name of the profile having IP address that should be listened by L2TP server, set by the string of up to 31 characters; <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <IF> – router interface type and identifier; <TUN> – router tunnel type and number. |
4 | Specify the IP address of the local gateway or disable firewall for the PPTP server | esr(config-l2tp-server)# local-address { object-group | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes local gateway IP address, set by the string of up to 31 characters; <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
5 | Specify IP addresses list from which dynamic IP addresses are leased to remote users by L2TP. | esr(config-l2tp-server)# remote-address | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes remote users IP addresses list, set by the string of up to 31 characters; <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. |
6 | Select L2TP clients authentication mode. | esr(config-l2tp-server)# authentication mode |
|
7 | Allow necessary authentication methods for remote users | esr(config-l2tp-server)# authentication method <METHOD> | <METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap]. By default only chap is allowed. |
8 | Include the L2TP server in a security zone and configure interaction rules between zones (see section Firewall configuration). | esr(config-l2tp-server)# security-zone <NAME> | <NAME> – security zone name, set by the string of up to 31 characters. |
9 | Specify user name (when using local authentication base). | esr(config-l2tp-server) username < NAME > | <NAME> – user name, set by the string of up to 12 characters. |
10 | Specify user password (when using local authentication base). | esr(config-l2tp-user) password ascii-text | <PASSWORD> – user password, set by the string of up to 32 characters. |
11 | Enable user (when using local authentication base). | esr(config-l2tp-user) enable | |
12 | Select a key authentication method for IKE connection (optional). | esr(config-l2tp-server)# ipsec authentication method pre-shared-key | |
13 | Specify a shared secret authentication key that should be the same for both parties of the tunnel. | esr(config-l2tp-server)# ipsec authentication pre-shared-key | <TEXT> – string [1..64] ASCII characters; <HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...). <ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters. <ENCRYPTED-TEXT> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters. |
| 14 | Restrict the authentication and encryption methods used for the IKE protocol (optional). | esr(config-l2tp-server)# ipsec ike proposal <NAME> | <NAME> – name of the previously created IKE profile, set by the string of up to 31 characters. |
| 15 | Restrict the authentication and encryption methods used for the IPsec protocol (optional). | esr(config-l2tp-server)# ipsec proposal <NAME> | <NAME> – name of the previously created IPsec profile, set by the string of up to 31 characters. |
16 | Enable server. | esr(config-l2tp-server)# enable | |
17 | Specify outgoing packets DSCP priority. | esr(config-l2tp-server)# dscp <DSCP> | <DSCP> – outgoing packets dscp priority [0..63]. |
18 | Specify MTU size (MaximumTransmissionUnit) for the server (optional). | esr(config-l2tp-server) mtu <MTU> | <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500. |
19 | Define the list of DNS servers that will be used by remote users (optional). | esr(config-l2tp-server)# dns-servers object-group | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required DNS servers addresses, set by the string of up to 31 characters. |
20 | Define the list of WINS servers that will be used by remote users (optional). | esr(config-l2tp-server)# wins-servers | <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes required WINS servers addresses, set by the string of up to 31 characters. |
...