(VPN Configuration Command) PDF
Table of Contents
Chapter 1 VPN Configuration Commands 1-1
1.1 accept dialin l2tp virtual-template 1-1
1.2 clear vpdn tunnel l2tp 1-2
1.3 force-local-chap 1-3
1.4 l2tp tunnel authentication 1-3
1.5 l2tp tunnel password 1-4
1.6 lcp renegotiation 1-5
1.7 local name 1-5
1.8 request dialin 1-6
1.9 vpdn domain-delimiter prefix 1-7
1.10 vpdn domain-delimiter suffix 1-8
1.11 vpdn enable 1-9
1.12 vpdn search-order 1-10
1.13 vpdn-group 1-11
1.14 show l2tp session 1-11
1.15 show l2tp tunnel 1-12
1.16 debug l2tp 1-12
Chapter 2 GRE Configuration Commands 2-1
2.1 interface tunnel 2-1
2.2 tunnel checksum 2-2
2.3 tunnel destination 2-2
2.4 tunnel key 2-3
2.5 tunnel mode gre ip 2-4
2.6 tunnel sequence-datagrams 2-5
2.7 tunnel source 2-6
2.8 show interface tunnel 2-6
Chapter 1
VPN Configuration Commands
1.1 accept dialin l2tp virtual-template
Syntax Description
virtual-template-number Number of the virtual template used to create a new virtual access interface, an integer ranging from 1 to 25.
remote-name Name of the remote end originating the tunnel connection request, case sensitive.
Default
no accept dialin l2tp virtual-template
By default, virtual-template-number is 1.
Command Mode
VPDN group configuration mode
Usage Guideline
When VPDN group 1 (the default VPDN group number) is used and its configuration does not specify remote-name, the format of this command is:
accept dialin l2tp virtual-template virtual-template-number [remote remote-name]
If a remote name is specified in the configuration of VPDN group 1, VPDN group 1 no longer serves as the default VPDN group. In Windows 2000 beta 2, for example, the local name for the VPN connection is NONE, so the remote name received by the router is NONE. A default VPDN group can be set up to accept a tunnel connection request originated by an unknown remote end, or just for test purposes.
Example
! Accept an L2TP tunnel connection request from a remote end whose name is A8010, and create the virtual-access interface according to virtual-template 1.
Quidway(config-vpdn2)# accept dialin l2tp virtual-template 1 remote A8010
! With VPDN group 1 as the default VPDN group, accept an L2TP tunnel connection request from any remote end, and create the virtual-access interface according to virtual-template 1.
Quidway(config)# vpdn-group 1
Quidway(config-vpdn1)# accept dialin l2tp virtual-template 1
Related Command
vpdn-group
1.2 clear vpdn tunnel l2tp
Syntax Description
remote-name Name of the remote end of a tunnel.
Command Mode
Privileged user mode
Usage Guideline
This command clears a tunnel connection by force. When the remote user dials in again, the tunnel connection is set up again. You select the tunnel connection to be cleared by specifying the remote name of the tunnel. If no tunnel matches, the current tunnel connections are not affected. If multiple tunnels match (same name, but different IP addresses), the first matching tunnel connection is cleared. The order referred to here is the same as that shown by the show l2tp tunnel command.
Example
! Clear the tunnel connection whose remote end name is A8010.
Quidway# clear vpdn tunnel l2tp A8010
1.3 force-local-chap
To perform forced CHAP re-authentication between the LNS and the client, use the force-local-chap command. To return to the default, use the no form of this command.
force-local-chap
no force-local-chap
Default
no force-local-chap.
Command Mode
VPDN group configuration mode
Usage Guideline
After proxy authentication between the LAC and the client, the LNS re-authenticates the client to improve security. If this command is used, the client of a VPN in which the access server initiates the tunnel connection undergoes two rounds of authentication: one by the access server, the other by the LNS. If a PPP client does not support a second authentication, local CHAP authentication may fail.
Example
! Perform forced CHAP authentication.
Quidway(config-vpdn1)# force-local-chap
Related Command
lcp renegotiation
1.4 l2tp tunnel authentication
Default
l2tp tunnel authentication.
Command Mode
VPDN group configuration mode
Usage Guideline
L2TP tunnel authentication is enabled by default. In general, both ends of a tunnel need to authenticate each other. Tunnel authentication can be skipped if network connectivity is being tested or a connection request is received from an unknown remote end.
Example
! Disable L2TP tunnel authentication.
Quidway(config-vpdn1)# no l2tp tunnel authentication
1.5 l2tp tunnel password
Syntax Description
0 Password of the tunnel shown in plain text.
7 Password of the tunnel shown in ciphered text.
password Password used for tunnel authentication.
Default
Password is the router name.
Command Mode
VPDN group configuration mode
Usage Guideline
When setting up a VPDN group, the local name and the tunnel password are both initialized to be the router name. For example, if the current router name is set to Quidway, then the local name is initialized to be Quidway, and the tunnel password is also Quidway. l2tp tunnel password is used to specify the password of the tunnel.
Example
! Set the password of the tunnel to yougotit.
1.6 lcp renegotiation
Default
no lcp renegotiation
Command Mode
VPDN group configuration mode
Usage Guideline
For a client of a NAS-initiated VPN, when a PPP session starts, the NAS (network access server) performs PPP authentication. If the authentication succeeds, the NAS initiates the tunnel connection and passes to the LNS the information obtained through negotiation with the client. The LNS can check the client's legitimacy according to the received proxy authentication information. lcp renegotiation forces LCP renegotiation between the LNS and the client, ignoring the proxy authentication information from the NAS. Some PPP clients may not support LCP renegotiation, so LCP renegotiation may fail.
Example
! Enable LCP renegotiation.
Quidway(config-vpdn1)# lcp renegotiation
Related Command
force-local-chap
1.7 local name
Syntax Description
name Local name of the tunnel.
Default
Default local name is the router name.
Command Mode
VPDN group configuration mode
Usage Guideline
When setting up a VPDN group, the local name of the tunnel is initialized to the router name. For example, if the current router name is Quidway, the local name is initialized to Quidway, and the tunnel password is also Quidway. local name is used to specify the local name of the tunnel.
Example
! Set the local name of the tunnel to itsme.
Quidway(config-vpdn1)# local name itsme
Related Command
hostname
1.8 request dialin
Syntax Description
ip-address IP address of the remote end of the tunnel (LNS). Up to five IP addresses can be configured for the LNS; they are searched in the order in which they are configured.
domain-name Domain name of the user originating the connection request, case sensitive.
dialed-number Dialed number originating the connection request.
user-name Name of the user originating the connection request, case sensitive.
Default
no request dialin.
Command Mode
VPDN group configuration mode
Usage Guideline
This command specifies the IP address of the LNS. It supports several ways of deciding whether a user originates a tunnel connection request:
- A tunnel connection request can be originated based on the domain name of the user. For example, if a user belongs to a company whose domain name is huawei.com.cn, this user can be specified as a VPN user whose domain name is huawei.com.cn.
- You can determine whether a user is a VPN user according to the number he dials. For example, if the string 8810188 is specified as the service number, users dialing this number are VPN users; the LNS address is given by the ip-address parameter.
- You can also specify whether a user is a VPN user through the user name. The LNS address is given by the ip parameter.
If the user is a VPN user, the local end sends an L2TP tunnel connection request to the specified LNS. These methods may conflict; for example, the LNS address specified through the dialed number is 1.1.1.1 while that specified through the domain name is 1.1.1.2. It is therefore necessary to specify the order in which VPN users are searched for. The order is: first check whether a VPDN group is specified for this user according to the complete user name; if none exists, search according to the dialed number and the domain name in the configured order. The search order for the dialed number and the domain name is set through the vpdn search-order command.
Example
! The domain name of the VPN user is huawei.com.cn; the IP address of the L2TP server at its headquarters is 202.38.168.1; this user needs to set up a VPN connection with 202.38.168.1:
Quidway(config-vpdn2)# request dialin l2tp ip 202.38.168.1 domain huawei.com.cn
! A user dials the special number 8810188, which indicates that this user is a VPN user; this user needs to set up a VPN connection with 129.102.1.1:
Quidway(config-vpdn2)# request dialin l2tp ip 129.102.1.1 dnis 8810188
! A user whose name is iamvpnuser is a VPN user; the IP address of its L2TP server is 172.168.10.3, with 172.168.10.4 as the backup IP address:
Quidway(config-vpdn2)# request fullusername iamvpnuser dialin l2tp ip 172.168.10.3 ip 172.168.10.4
Related Command
vpdn domain-delimiter prefix, vpdn domain-delimiter suffix, vpdn search-order
1.9 vpdn domain-delimiter prefix
Syntax Description
prefix Prefix specified, as in huawei.com.cn#yaoxin.
prefix-delimiters Domain prefix delimiters; valid prefix delimiters are '%', '@', '#', and '/'.
Default
no vpdn domain-delimiter prefix.
Command Mode
Global configuration mode
Usage Guideline
This command specifies one or more domain prefix delimiters. A domain prefix delimiter separates the domain name from the user name, so VPDN can look up the domain specified through the request dialin command and check whether such a domain exists. If it exists, the user is a VPN user, and a VPN tunnel connection must be set up with the LNS of that user. A character serving as a suffix delimiter cannot serve as a prefix delimiter; that is, a character cannot be both a prefix and a suffix delimiter at the same time.
Example
! The domain serves as a prefix; the prefix and the user name are separated by #:
Quidway(config)# vpdn domain-delimiter prefix #
! The prefix can be separated by such delimiters as #, @, and %:
Quidway(config)# vpdn domain-delimiter prefix #@%
Related Command
vpdn domain-delimiter suffix, request dialin
1.10 vpdn domain-delimiter suffix
Syntax Description
suffix Suffix specified, as in yaoxin@huawei.com.cn.
suffix-delimiters Domain suffix delimiters; valid suffix delimiters are '%', '@', '#', and '/'.
Default
no vpdn domain-delimiter suffix.
Command Mode
Global configuration mode
Usage Guideline
This command specifies one or more domain suffix delimiters. A domain suffix delimiter separates the domain name from the user name, so VPDN can look up the domain specified through the request dialin command and check whether such a domain exists. If it exists, the user is a VPN user, and a VPN tunnel connection must be set up with the LNS of that user. A character serving as a suffix delimiter cannot serve as a prefix delimiter; that is, a character cannot be both a prefix and a suffix delimiter at the same time.
Example
! The domain name acts as a suffix; the suffix and the user name are separated by @:
Quidway(config)# vpdn domain-delimiter suffix @
! The suffix can be separated by multiple delimiters, such as @ and %:
Quidway(config)# vpdn domain-delimiter suffix @%
Related Command
vpdn domain-delimiter prefix, request dialin
1.11 vpdn enable
Default
no vpdn enable.
Command Mode
Global configuration mode
Usage Guideline
The vpdn enable command enables the VPDN function on the router. By default, VPDN is disabled.
Example
! Disable VPDN.
Quidway(config)# no vpdn enable
1.12 vpdn search-order
Syntax Description
dnisdomain Search for the VPDN group by the dialed number first, and then by the domain name.
dnisonly Search for the VPDN group by the dialed number only.
domaindnis Search for the VPDN group by the domain name first, and then by the dialed number.
domainonly Search for the VPDN group by the domain name only.
Default
Default search order is to search by the dialed number first, and then by the domain name.
Command Mode
Global configuration mode
Usage Guideline
When there are a large number of L2TP access users, searching for users one by one is time consuming, so you need to set a search policy (such as the prefix/suffix delimiter) to speed up the search. There are two types of delimiters, prefix delimiters and suffix delimiters, drawn from the following four special characters: @, #, &, and /. For example, a user with a prefix delimiter: huawei.com#vpdnuser; a user with a suffix delimiter: vpdnuser@huawei.com. During the search, the user name and the domain are separated at the prefix/suffix delimiter, and the VPDN search is carried out according to the specified rules. This greatly improves the speed.
Example
! Search by the domain name only.
Quidway(config)# vpdn search-order domainonly
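The delimiter splitting and VPDN group lookup described under request dialin, vpdn domain-delimiter prefix/suffix and this command, as an added Python example that is not part of this command reference: the VpdnGroup model, the function names and the sample groups (built from the examples above) are assumptions, not Quidway code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VpdnGroup:
    """One vpdn-group with a single request dialin l2tp entry (hypothetical model)."""
    number: int
    lns: List[str]                       # ip-address list, searched in configured order
    domain: Optional[str] = None         # request dialin l2tp ip ... domain <domain-name>
    dnis: Optional[str] = None           # request dialin l2tp ip ... dnis <dialed-number>
    fullusername: Optional[str] = None   # request fullusername <user-name> dialin l2tp ip ...


def make_delimiters(prefix: str, suffix: str):
    """Mirror vpdn domain-delimiter prefix/suffix: a character may not be both."""
    overlap = set(prefix) & set(suffix)
    if overlap:
        raise ValueError("delimiter used as both prefix and suffix: %s" % sorted(overlap))
    return set(prefix), set(suffix)


def split_domain(login: str, delims):
    """Return (user, domain): 'domain#user' for a prefix delimiter, 'user@domain' for a suffix one."""
    prefix, suffix = delims
    for i, ch in enumerate(login):
        if ch in prefix:
            return login[i + 1:], login[:i]
        if ch in suffix:
            return login[:i], login[i + 1:]
    return login, None


def select_group(groups, login, dialed, delims, search_order="dnisdomain"):
    """Pick the VPDN group for a dial-in user, or None if the user is not a VPN user.
    Comparisons are case sensitive, as the command reference states."""
    # 1. A group bound to the complete user name always wins.
    for g in groups:
        if g.fullusername is not None and g.fullusername == login:
            return g
    # 2. Otherwise consult dialed number and domain in the order set by vpdn search-order.
    _user, domain = split_domain(login, delims)
    by_dnis = next((g for g in groups if g.dnis is not None and g.dnis == dialed), None)
    by_domain = next((g for g in groups if g.domain is not None and g.domain == domain), None)
    candidates = {
        "dnisdomain": [by_dnis, by_domain],
        "dnisonly": [by_dnis],
        "domaindnis": [by_domain, by_dnis],
        "domainonly": [by_domain],
    }[search_order]
    return next((g for g in candidates if g is not None), None)


# Constructed sample configuration, built from the examples in this reference.
GROUPS = [
    VpdnGroup(2, ["202.38.168.1"], domain="huawei.com.cn"),
    VpdnGroup(3, ["129.102.1.1"], dnis="8810188"),
    VpdnGroup(4, ["172.168.10.3", "172.168.10.4"], fullusername="iamvpnuser"),
]
DELIMS = make_delimiters("#", "@%")

if __name__ == "__main__":
    # The conflict case from the usage guideline: dialed number and domain name point at different LNSs.
    for order in ("dnisdomain", "domaindnis"):
        g = select_group(GROUPS, "huawei.com.cn#yaoxin", "8810188", DELIMS, order)
        print(order, "->", g.lns)
```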
1.13 vpdn-group
To create a VPDN group and enter VPDN group configuration, use the vpdn-group command. To delete the specified VPDN group, use the no form of this command.
vpdn-group group-number
no vpdn-group group-number
Syntax Description
group-number VPDN group number, ranging 1 to 3000.
Default
no vpdn-group.
Command Mode
Global configuration mode
Usage Guideline
This command is used to create a VPDN group. VPDN group 1 can act as default VPDN group.
Example
! Create VPDN group 2, and enter the configuration for VPDN group 2.
Quidway(config)# vpdn-group 2
Related Command
accept dialin
1.14 show l2tp session
Command Mode
Privileged user mode
Usage Guideline
The information output through this command helps the user with L2TP fault diagnosis.
Example
Quidway# show l2tp session
LocID   RemID   TunID
1       1       2
Total session = 1
1.15 show l2tp tunnel
Command Mode
Privileged user mode
Usage Guideline
The information output through this command helps the user with L2TP fault diagnosis.
Example
Quidway# show l2tp tunnel
LocID   RemID   Remote Name   Remote Address   Port   Sessions
1       8       AS8010        172.168.10.2     1701   1
Total tunnels = 1
1.16 debug l2tp
Syntax Description
all To enable all L2TP information debugging.
control To enable control packet debugging.
dump To enable PPP packet debugging.
error To enable L2TP error debugging.
event To enable L2TP event debugging.
hidden To enable debugging of information with hidden AVPs.
payload To enable L2TP payload debugging.
raw-dump To enable L2TP raw-dump debugging.
time-stamp To enable L2TP time stamp debugging.
Command Mode
Privileged user mode
Chapter 2
GRE Configuration Commands
2.1 interface tunnel
Syntax Description
number Tunnel interface number, ranging from 0 to 4294967295; the number of tunnels that can actually be set up is limited by the total number of interfaces and the size of memory.
Default
no interface tunnel.
Command Mode
Global configuration mode
Usage Guideline
This command is used to enter the configuration of the specified tunnel interface. The tunnel interface must be set up first.
Example
! Set up tunnel0 in RouterA.
RouterA(config)# interface tunnel 0
Related Command
tunnel source, tunnel destination, tunnel key, tunnel checksum, tunnel sequence-datagrams
2.2 tunnel checksum
Default
no tunnel checksum.
Command Mode
Tunnel interface configuration mode
Usage Guideline
RFC 1701 provides that if the Checksum bit is set in the GRE packet header, the Checksum field is valid. The sender calculates the checksum over the GRE header and payload; the receiver calculates the checksum over the received packet and compares it with the checksum carried in the packet. If they match, the packet is processed further; otherwise it is discarded. If checksum is set at one end of the tunnel only, no checksum-based check is performed on the packet. Only when checksum is set at both ends of the tunnel is the packet checked.
Example
! Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0 and tunnel1 respectively. It is required to set tunnel checksum.
! Make the following configuration at tunnel0 in RouterA:
RouterA(config-if-tunnel0)# tunnel checksum
! Make the following configuration at tunnel1 in RouterB:
RouterB(config-if-tunnel1)# tunnel checksum
Related Command
interface tunnel
2.3 tunnel destination
Syntax Description
ip-address IP address of the actual physical port at the remote tunnel interface.
Command Mode
Tunnel interface configuration mode
Usage Guideline
The remote address of the tunnel is specified in IP address format. It must be the same as the actual remote physical interface address, and the route to that interface must be reachable.
Example
! Set up a tunnel connection between Serial0 in RouterA and Serial1 in RouterB; the IP address of Serial0 in RouterA is 193.101.1.1, and that of Serial1 in RouterB is 192.100.1.1.
! Make the following configuration at tunnel0 in RouterA:
RouterA(config)# interface tunnel 0
RouterA(config-if-tunnel0)# tunnel source 193.101.1.1
RouterA(config-if-tunnel0)# tunnel destination 192.100.1.1
Related Command
interface tunnel, tunnel source
2.4 tunnel key
Syntax Description
key-number Key IDs at both ends of the tunnel, ranging 0 to 4294967295.
Default
no tunnel key.
Command Mode
Tunnel interface configuration mode.
Usage Guideline
RFC 1701 provides that if the Key field is present in the GRE header, both the receiver and the sender authenticate the tunnel key. Only when the tunnel keys set at both ends of the tunnel are the same does the authentication succeed; otherwise the packet is discarded.
Example
! Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0 and tunnel1 respectively. It is required that the tunnel key be set.
! Make the following configuration at tunnel0 in RouterA:
RouterA(config)# interface tunnel 0
RouterA(config-if-tunnel0)# tunnel key 123456789
! Make the following configuration at tunnel1 in RouterB:
RouterB(config)# interface tunnel 1
RouterB(config-if-tunnel1)# tunnel key 123456789
Related Command
interface tunnel
2.5 tunnel mode gre ip
Default
Default encapsulation protocol at the tunnel interface is GRE, and default transmission protocol is IP.
Command Mode
Tunnel interface configuration mode.
Usage Guideline
Select the same encapsulation protocol and transmission protocol at both ends of the tunnel.
Example
! Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0 and tunnel1 respectively. Configure the encapsulation protocol as GRE and the transmission protocol as IP.
! Make the following configuration at tunnel0 in RouterA:
RouterA(config-if-tunnel0)# tunnel mode gre ip
! Make the following configuration at tunnel1 in RouterB:
RouterB(config-if-tunnel1)# tunnel mode gre ip
Related Command
interface tunnel
2.6 tunnel sequence-datagrams
Default
no tunnel sequence-datagrams
Command Mode
Tunnel interface configuration mode
Usage Guideline
RFC 1701 provides that if the Sequence Number field is present in the GRE header, the receiver and sender synchronize datagram sequence numbers. Only in-sequence packets are processed further; other packets are discarded. Tunnel sequencing provides unreliable but ordered packet delivery. The receiver sequences the packets received locally and successfully decapsulated (the sequence number can be any integer ranging from 0 to 2^32 - 1, with that of the first packet being 0). Once the tunnel is set up, the sequence numbers are counted in an accumulative and cyclic manner. If the receiver receives a packet whose sequence number is less than or equal to that of the last packet, the packet is deemed illegal. A packet received out of sequence is discarded automatically. The tunnel can be set up only when tunnel sequence-datagrams or no tunnel sequence-datagrams is set at both ends of the tunnel.
Example
! Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0 and tunnel1 respectively. It is required to set tunnel sequence-datagrams.
! Make the following configuration at tunnel0 in RouterA:
RouterA(config-if-tunnel0)# tunnel sequence-datagrams
! Make the following configuration at tunnel1 in RouterB:
RouterB(config-if-tunnel1)# tunnel sequence-datagrams
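The checksum, key and sequence-number checks described under tunnel checksum, tunnel key and this command, as an added Python example that is not part of this command reference: the packet builder, the GreTunnelEndpoint receiver and the constructed packets are assumptions modelled on the RFC 1701 header layout, not Quidway code.

```python
import struct

# GRE flag bits in the first 16-bit word of the header (RFC 1701).
GRE_C = 0x8000  # Checksum Present
GRE_K = 0x2000  # Key Present
GRE_S = 0x1000  # Sequence Number Present


def internet_checksum(data: bytes) -> int:
    """Ones' complement checksum over the GRE header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, checksum=False, key=None, seq=None, proto=0x0800) -> bytes:
    """Build a GRE packet; each enabled option sets its flag bit and appends its field
    in RFC 1701 order: Checksum/Offset, Key, Sequence Number."""
    flags, opts = 0, b""
    if key is not None:
        flags |= GRE_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opts += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + opts + payload
    head = struct.pack("!HH", flags | GRE_C, proto)
    # The checksum is computed with the Checksum and Offset fields zeroed.
    csum = internet_checksum(head + struct.pack("!HH", 0, 0) + opts + payload)
    return head + struct.pack("!HH", csum, 0) + opts + payload


class GreTunnelEndpoint:
    """Receiving side of a tunnel interface configured with tunnel checksum,
    tunnel key and/or tunnel sequence-datagrams (hypothetical model)."""

    def __init__(self, checksum=False, key=None, sequence=False):
        self.checksum, self.key, self.sequence = checksum, key, sequence
        self.last_seq = None

    def decapsulate(self, pkt: bytes):
        """Return the payload, or a string naming why the packet was discarded."""
        flags, _proto = struct.unpack("!HH", pkt[:4])
        off = 4
        if flags & GRE_C:
            # Checked only when checksum is enabled at both ends; a valid packet
            # sums to zero when the carried checksum is included.
            if self.checksum and internet_checksum(pkt) != 0:
                return "discard: checksum mismatch"
            off += 4
        key = None
        if flags & GRE_K:
            key = struct.unpack("!I", pkt[off:off + 4])[0]
            off += 4
        if key != self.key:  # keys must be configured and equal at both ends
            return "discard: tunnel key mismatch"
        if self.sequence != bool(flags & GRE_S):
            return "discard: sequence-datagrams not set at both ends"
        if flags & GRE_S:
            seq = struct.unpack("!I", pkt[off:off + 4])[0]
            off += 4
            # Accumulative counting; wrap-around at 2^32 is not modelled here.
            if self.last_seq is not None and seq <= self.last_seq:
                return "discard: out-of-sequence datagram"
            self.last_seq = seq
        return pkt[off:]


if __name__ == "__main__":
    lns = GreTunnelEndpoint(checksum=True, key=123456789, sequence=True)
    pkt = gre_encapsulate(b"constructed payload", checksum=True, key=123456789, seq=0)
    print(lns.decapsulate(pkt))  # b'constructed payload'
    print(lns.decapsulate(pkt))  # replayed: discard: out-of-sequence datagram
```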
Related Command
interface tunnel
2.7 tunnel source
Syntax Description
ip-address IP address of the actual physical interface at tunnel1.
Default
no tunnel source.
Command Mode
Tunnel interface configuration mode
Usage Guideline
The specified tunnel source address is input in the IP address format. It must be the same as the actual physical interface address.
Example
! Configure tunnel0 in the router; the actual exit for packets encapsulated at this interface is Serial0.
RouterA(config)# interface serial 0
RouterA(config-if-serial0)# ip address 192.100.1.1 255.255.255.0
RouterA(config)# interface tunnel 0
RouterA(config-if-tunnel0)# tunnel source 192.100.1.1
Related Command
interface tunnel, tunnel destination
2.8 show interface tunnel
Command Mode
Privileged user mode
Example
Quidway# show interface tunnel 1
Tunnel1 is up, line protocol is up
Internet address is 3.1.1.1 255.255.255.0
10 packets input, 640 bytes
0 input errors, 0 broadcast, 0 drops
10 packets output, 640 bytes
0 output errors, 0 broadcast, 0 no protocol
The above information shows: the network address of Tunnel1 is 3.1.1.1; 0 packets received; 0 error packets and 0 broadcast packets received; no packets discarded; 0 packets sent; 0 packets with output errors, 0 broadcast packets and 0 packets with unknown protocol.