Broadband VPDN test notes

Source: Internet
Author: Tan Zhigang

As VPN technology has matured, VPN circuits have come into wide use. A VPN differs from a traditional cross-WAN private network in how the links are provided: the traditional private network rents leased lines, while a VPN carries its remote wide-area connections over public networks such as the Internet, ATM networks and packet-switched networks. Technically, VPDN relies on tunneling.

A tunnel runs from the access server to the enterprise gateway and carries the enterprise's traffic separately from ordinary Internet traffic, so remote users log on to the enterprise intranet through the tunnel rather than across the open Internet. The so-called "tunnel" is an encapsulation technique: packets generated by one network protocol are wrapped inside the packets of another protocol and carried across that network. A Layer 2 tunnel encapsulates a data link layer frame (here a PPP frame) inside a network layer packet, so the frame travels across the Internet as an ordinary IP packet. Separation is not secrecy, though: an L2TP tunnel only encapsulates, it does not encrypt, so the PPP frames inside it, and the IP packets inside those, are readable by anyone who can capture traffic on the carrier's path between LAC and LNS. Confidentiality in this design rests on the telecom keeping the VPDN path isolated from its Internet customers; where that is not acceptable, the tunnel has to be protected with IPsec (L2TP over IPsec), which is not part of the setup described here.
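To make the encapsulation concrete, here is an added example (not from the original article and not vendor code) in Python that builds the L2TP version 2 data header around a constructed PPP frame and parses it back. The tunnel ID, session ID and the inner IP addresses are invented sample values; the last function exists only to show that the IP packet inside the PPP frame is still readable after encapsulation, which is the point made above.

```python
import struct

# Constructed sample: a PPP frame carrying a 20-byte IPv4 header (PPP protocol
# 0x0021) and the first 4 bytes of a TCP header, as a remote ADSL user would hand
# it to the LAC. Addresses are illustrative; the IP checksum is left at zero.
SAMPLE_PPP_FRAME = bytes.fromhex(
    "ff03"                                           # PPP address/control
    "0021"                                           # PPP protocol: IPv4
    "45000028 00004000 40060000 0a000001 0a000002"   # IPv4 10.0.0.1 -> 10.0.0.2
    "00500017"                                       # TCP source/destination ports
)

L2TP_VERSION = 2
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr sequence fields present
FLAG_O = 0x0200   # Offset Size field present


def l2tp_encapsulate(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Wrap a Layer 2 (PPP) frame in an L2TP version 2 data header.

    The result is the UDP payload the LAC sends to the LNS on port 1701.
    Nothing is transformed: L2TP encapsulates, it does not encrypt.
    """
    flags = FLAG_L | L2TP_VERSION            # data message: T=0, Length included
    total_len = 8 + len(ppp_frame)           # flags, length, tunnel ID, session ID
    return struct.pack("!HHHH", flags, total_len, tunnel_id, session_id) + ppp_frame


def l2tp_decapsulate(packet: bytes) -> dict:
    """Parse an L2TP header (data or control) and return its fields and payload.

    Honours the optional Length, Ns/Nr and Offset fields and rejects anything
    that is not version 2 or whose declared length overruns the buffer.
    """
    if len(packet) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", packet[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not L2TP version 2")
    pos = 2
    if flags & FLAG_L:
        length = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
        if length < 8 or length > len(packet):
            raise ValueError("bad declared length")
        packet = packet[:length]              # drop any UDP padding beyond it
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
    if flags & FLAG_O:
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]
    if pos > len(packet):
        raise ValueError("header overruns packet")
    return {"is_control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": packet[pos:]}


def inner_ip_addresses(ppp_frame: bytes) -> tuple:
    """Read the IPv4 source and destination straight out of a tunnelled PPP
    frame, which works precisely because L2TP adds no encryption."""
    if struct.unpack("!H", ppp_frame[2:4])[0] != 0x0021:
        raise ValueError("not an IPv4 PPP frame")
    ip = ppp_frame[4:]

    def dotted(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return dotted(ip[12:16]), dotted(ip[16:20])
```

The decapsulation routine trims anything beyond the declared Length so that UDP padding is never mistaken for payload, and it refuses a Length that points past the datagram, the classic mistake in tunnel header parsers.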
In the first half of this year, when our county medical insurance center approached our bureau about rebuilding its network, we recommended broadband VPDN circuits, for the following reasons:
1. Most of the network's users are privately owned pharmacies, so the network cannot cost them much. VPDN circuit fees are low, which suits this group of customers.
2. A VPDN circuit has a simple network structure. Users do not need to buy new equipment; they only need to apply to the telecom office for a broadband installation. The medical insurance center benefits most: opening VPDN circuits saves it the investment in routers. In the past, with DDN circuits, one router could connect only 12 users (for a Cisco 2611 this depends on the WAN card used, but it seems at most 16 ports can be provided), so five or six routers were needed, whereas VPDN circuits need only one. Maintenance is also easier for them. The DDN circuits used to fill the rack with cables; now there are only two or three network cables and one pair of optical fibres, and the rack looks clean.
3. Network speed has improved greatly. The DDN circuit ran at 9.6 kbit/s; now the user side uses ADSL access with 2 Mbit/s downstream and 640 kbit/s upstream, and the trunk to the medical insurance center has gone from 2 Mbit/s to 100 Mbit/s.
4. In future, adding an access point is as simple as installing one more broadband ADSL subscriber. This is convenient for both the telecom and the medical insurance center and saves manpower and materials.
Below I describe the test process for opening the broadband VPDN circuit, for everyone's reference:
Networking overview:


LAC (L2TP Access Concentrator): we use the aggregation device of the existing broadband network, Huawei's MA5200.
LNS (L2TP Network Server): we use a Cisco 2611 router. We also tried a Huawei 2630 router during the process. The tests on the two routers are described separately below.
Before testing, we need to understand how an L2TP tunnel call is established. When a remote user accesses the enterprise intranet, the creation of the L2TP tunnel is the VPDN establishment process. It goes as follows:
a. The remote user dials in over ADSL broadband to the local ISP and sets up a PPP connection.
b. The ISP's L2TP Access Concentrator (LAC) accepts the call and brings up the PPP link.
c. The LAC negotiates LCP with the user and performs a partial authentication with CHAP or PAP, checking the user name and password to decide whether the user is a VPDN customer. If not, authentication continues to determine whether the user may access the Internet or other related services. If the user is a VPDN customer (in the MA5200 configuration below this decision is tied to the user's domain), the user is mapped to a named tunnel endpoint, the L2TP Network Server (LNS).
d. The LAC and the LNS authenticate each other with a shared tunnel secret and establish the tunnel. Alternatively, the LNS can be configured to skip tunnel authentication and accept the tunnel request directly. That is convenient for testing, but in production the tunnel secret should be set on both sides: without it the LNS will bring up a tunnel for any peer that reaches it on UDP port 1701, and only the per-user PPP authentication then stands between that peer and the intranet. Once the tunnel is up, the system creates an L2TP session. The LAC forwards the negotiated LCP options and the CHAP/PAP authentication data to the LNS (proxy LCP and proxy authentication); the LNS checks the forwarded options and passes them, together with the authentication data, to a virtual access interface.
e. If the options configured on the virtual template interface do not match the options the LAC negotiated, the connection fails and the LNS sends a disconnect to the LAC. If they match, the connection succeeds, the VPDN is established, and a PPP session now exists directly between the dial-in user and the LNS. To the user it looks as if the call had been placed straight to the LNS; the LAC is transparent.
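The domain lookup of step c and the mutual tunnel authentication of step d, as an added example in Python that is not part of the original article and not the MA5200's or the Cisco 2611's code. It encodes real L2TP version 2 control messages and AVPs and computes the Challenge Response value the way RFC 2661 section 5.1.1 specifies (MD5 over the message type byte, the shared secret and the challenge). The domain table, its LNS address 192.0.2.10, the host name "MA5200-LAC" and the tunnel IDs are assumptions for the example; "bydx" and "bydx-vpdn" are taken from the configuration on this page.

```python
import hashlib
import os
import struct

# Control message types and the AVP attribute numbers used below (RFC 2661, section 6).
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 7, 9
AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 11, 13

# Constructed domain table in the spirit of the MA5200 "domain bydx" binding:
# domain suffix -> LNS address. The address is assumed for the example only.
VPDN_DOMAINS = {"bydx": "192.0.2.10"}


def classify_user(username: str) -> dict:
    """Step c: decide from the dial-in user name whether this is a VPDN user
    and, if so, which LNS the session must be tunnelled to."""
    if "@" in username:
        domain = username.rsplit("@", 1)[1].lower()
        if domain in VPDN_DOMAINS:
            return {"vpdn": True, "lns": VPDN_DOMAINS[domain]}
    return {"vpdn": False, "service": "internet"}


def build_avp(attr: int, value: bytes) -> bytes:
    """Encode one mandatory IETF AVP: M bit + length, vendor ID 0, attribute, value."""
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr) + value


def parse_avps(body: bytes) -> dict:
    """Decode a run of AVPs into {attribute: value}, refusing hidden AVPs
    (this example never sets the H bit) and lengths that overrun the buffer."""
    avps, pos = {}, 0
    while pos < len(body):
        if pos + 6 > len(body):
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", body[pos:pos + 6])
        length = flags_len & 0x03FF
        if flags_len & 0x4000:
            raise ValueError("hidden AVP not supported")
        if length < 6 or pos + length > len(body):
            raise ValueError("malformed AVP length")
        if vendor == 0:
            avps[attr] = body[pos + 6:pos + length]
        pos += length
    return avps


def control_message(tunnel_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    """L2TP control header: T=1, L=1, S=1, version 2, session ID 0, then AVPs."""
    flags = 0x8000 | 0x4000 | 0x0800 | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, 0, ns, nr) + avps


def tunnel_auth_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value (RFC 2661, section 5.1.1):
    MD5(message type as one octet || shared tunnel secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def establish_tunnel(lac_secret: bytes, lns_secret: bytes) -> dict:
    """Step d: SCCRQ -> SCCRP -> SCCCN with mutual tunnel authentication.
    Each side trusts the peer only after the peer's answer to its own
    challenge verifies under its copy of the tunnel secret."""
    lac_challenge = os.urandom(16)
    sccrq = control_message(0, 0, 0,
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
        + build_avp(AVP_HOST_NAME, b"MA5200-LAC")
        + build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 1))
        + build_avp(AVP_CHALLENGE, lac_challenge))
    # LNS side: answer the LAC's challenge and issue its own.
    rq = parse_avps(sccrq[12:])
    lns_challenge = os.urandom(16)
    sccrp = control_message(1, 0, 1,
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP))
        + build_avp(AVP_HOST_NAME, b"bydx-vpdn")
        + build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7))
        + build_avp(AVP_CHALLENGE, lns_challenge)
        + build_avp(AVP_CHALLENGE_RESPONSE,
                    tunnel_auth_response(SCCRP, lns_secret, rq[AVP_CHALLENGE])))
    # LAC side: verify the LNS before sending SCCCN.
    rp = parse_avps(sccrp[12:])
    if rp[AVP_CHALLENGE_RESPONSE] != tunnel_auth_response(SCCRP, lac_secret, lac_challenge):
        return {"established": False, "failed_at": "LAC rejected LNS response"}
    scccn = control_message(7, 1, 1,
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN))
        + build_avp(AVP_CHALLENGE_RESPONSE,
                    tunnel_auth_response(SCCCN, lac_secret, rp[AVP_CHALLENGE])))
    # LNS side: verify the LAC; only now does the tunnel exist on both ends.
    cn = parse_avps(scccn[12:])
    if cn[AVP_CHALLENGE_RESPONSE] != tunnel_auth_response(SCCCN, lns_secret, lns_challenge):
        return {"established": False, "failed_at": "LNS rejected LAC response"}
    return {"established": True, "lac_tunnel_id": 1, "lns_tunnel_id": 7}
```

Running establish_tunnel with the same secret on both sides succeeds; with mismatched secrets the LAC rejects the SCCRP and never sends SCCCN, which is the behaviour you want from a tunnel password. Skipping authentication on the LNS, as step d allows, is equivalent to dropping the two comparisons above.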
The configuration on the LAC (MA5200) is as follows:
interface loopback 1 // configure the loopback1 address
 ip address X.X
vpdn-group 1
 accept dialin pppoe authentication pap
l2tp enable // enable the L2TP function
l2tp-group 1
 start l2tp ip x.x // specify the LNS address
 tunnel timeout 8 // set the L2TP tunnel Hello interval
domain bydx
 l2tp 1 // enable L2TP for this domain
 set state active
exit
Adding a user
When AAA authentication on the MA5200 is configured for local authentication, the local user name and password must be configured on the MA5200 itself. We use local authentication. The MA5200 checks the dial-in user name and password against the locally registered user name and password to verify the user's identity and decide whether the user is a valid VPN user. Once authentication passes, a tunnel connection request can be initiated; otherwise the user is switched to another type of service.
User authentication is performed on the MA5200: the user name is the full user name of the VPN user and the password is the VPN user's registered password.

Note: on the MA5200, L2TP is handled by the SPU board. Before activating the L2TP service, confirm that an SPU board is installed; it is required for L2TP.
LNS configuration
1. Cisco 2611 configuration
bydx-vpdn# show run
Building configuration...

Current configuration: 1309 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
Note that with "no service password-encryption" any PPP user passwords and tunnel password configured later appear in clear text in the show run output; enable "service password-encryption" before sharing or archiving the configuration (it only obscures them, so keep the file itself under access control).
