Juniper, underfix L2TP, mingdu Chen Cang

Source: Internet
Author: User

L2TP is an industry-standard Internet tunneling protocol with functions similar to PPTP; for example, it can also encrypt network data streams. There are differences, however: PPTP requires that the network be an IP network, while L2TP requires a packet-oriented point-to-point connection; PPTP uses a single tunnel, while L2TP uses multiple tunnels; and L2TP provides header compression and tunnel authentication, while PPTP does not.

The above information about L2TP comes from the Internet; please respect copyright. To put it simply, the biggest difference between L2TP and a VPN is that the former is mostly communication between a single user and a specific network, while the latter is communication between networks. There are many articles on the Internet about configuring L2TP, but most of the configurations are incomplete. So in this article I will stand on the shoulders of those giants and discuss L2TP configuration with you. There are two parts: local authentication and remote authentication. For remote authentication two authentication servers are used: Cisco's ACS and the Windows IAS authentication server. For ease of illustration, the L2TP client and the firewall are in the same network range.

I. Local authentication

Experiment topology:

[Image top_local: http://www.bkjia.com/uploads/allimg/131227/0I6335305-0.png]

1. Firewall configuration

1.1 Configure the address pool

[Image local.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6333S4-1.png]

[Image local.1.2: http://www.bkjia.com/uploads/allimg/131227/0I6333558-2.png]

1.2 Configure user attributes

[Image local.1.3: http://www.bkjia.com/uploads/allimg/131227/0I6332K7-3.png]

[Image local.1.4: http://www.bkjia.com/uploads/allimg/131227/0I6333119-4.png]

1.3 L2TP configuration

For ease of configuration, you can start from the default configuration.

[Image local.1.5: http://www.bkjia.com/uploads/allimg/131227/0I6335247-5.png]

[Image local.1.6: http://www.bkjia.com/uploads/allimg/131227/0I633A23-6.png]

1.4 Policy configuration

[Image local.1.7: http://www.bkjia.com/uploads/allimg/131227/0I6331132-7.png]

[Image local.1.8: http://www.bkjia.com/uploads/allimg/131227/0I6334138-8.png]

[Image local.1.9: http://www.bkjia.com/uploads/allimg/131227/0I6335629-9.png]

2. Client configuration

2.1 Create a new network connection

[Image client.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6332C2-10.png]

[Image client.1.2: http://www.bkjia.com/uploads/allimg/131227/0I6335L5-11.png]

[Image client.1.3: http://www.bkjia.com/uploads/allimg/131227/0I633IO-12.png]

[Image client.1.4: http://www.bkjia.com/uploads/allimg/131227/0I6332502-13.png]

[Image client.1.5: http://www.bkjia.com/uploads/allimg/131227/0I6332P4-14.png]

2.2 Configure the network connection properties

[Image client.1.6: http://www.bkjia.com/uploads/allimg/131227/0I63350B-15.png]

Check the "Unencrypted password (PAP)" option.

[Image client.1.7: http://www.bkjia.com/uploads/allimg/131227/0I6333G4-16.png]

[Image client.1.8: http://www.bkjia.com/uploads/allimg/131227/0I6332b3-17.png]

Modify the registry: under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters", add a new DWORD value.

[Image l2tp_client1.9: http://www.bkjia.com/uploads/allimg/131227/0I6335524-18.png]

[Image l2tp_client1.10: http://www.bkjia.com/uploads/allimg/131227/0I6334947-19.png]

After modifying the registry, you need to restart the operating system.

3. Test

[Image test.1.2: http://www.bkjia.com/uploads/allimg/131227/0I6332955-20.png]

View the properties of the connected network:

[Image test.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6331N1-21.png]

[Image test.1.3: http://www.bkjia.com/uploads/allimg/131227/0I6333W2-22.png]

II. Authentication with the ACS server

Experiment topology:

[Image top_acs: http://www.bkjia.com/uploads/allimg/131227/0I6333X0-23.png]

1. Juniper firewall configuration

1.1 Configure the address pool

[Image acs.1.0: http://www.bkjia.com/uploads/allimg/131227/0I6332M3-24.png]

1.2 Configure a custom service

[Image acs.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6332438-25.png]

[Image acs.1.2: http://www.bkjia.com/uploads/allimg/131227/0I6332Q3-26.png]

1.3 Configure the VPN

To simplify the VPN configuration, you can start from the default configuration.

[Image acs.1.3: http://www.bkjia.com/uploads/allimg/131227/0I6331236-27.png]

[Image acs.1.4: http://www.bkjia.com/uploads/allimg/131227/0I63363c-28.png]

1.4 Configure policies

[Image acs.1.5: http://www.bkjia.com/uploads/allimg/131227/0I633L20-29.png]

[Image acs.1.6: http://www.bkjia.com/uploads/allimg/131227/0I6332Y9-30.png]

2. ACS server configuration

2.1 Configure the client

[Image acs.2.1: http://www.bkjia.com/uploads/allimg/131227/0I633BV-31.png]

2.2 Configure group attributes

[Image acs.2.3: http://www.bkjia.com/uploads/allimg/131227/0I6331917-32.png]

[Image acs.2.4: http://www.bkjia.com/uploads/allimg/131227/0I633L57-33.png]

[Image acs.2.5: http://www.bkjia.com/uploads/allimg/131227/0I63310J-34.png]

2.3 Configure user attributes

[Image acs.2.7: http://www.bkjia.com/uploads/allimg/131227/0I63332P-35.png]

[Image acs.2.8: http://www.bkjia.com/uploads/allimg/131227/0I6335548-36.png]

3. Client Configuration

Create a new connection, which is the same as the local client configuration. Therefore, I will not repeat it too much.

4. Test

[Image test.1.2: http://www.bkjia.com/uploads/allimg/131227/0I6333415-37.png]

[Image test.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6335312-38.png]

[Image test.1.3: http://www.bkjia.com/uploads/allimg/131227/0I633M04-39.png]

III. Authentication with the Windows IAS authentication server

Experiment topology:

[Image top_acs: http://www.bkjia.com/uploads/allimg/131227/0I633G45-40.png]

1. Juniper firewall configuration

The Juniper firewall configuration is the same as in the ACS authentication case above.

2. Windows IAS authentication server configuration

2.1 Configure the user

[Image radius.1.1: http://www.bkjia.com/uploads/allimg/131227/0I6336138-41.png]

[Image radius.1.2: http://www.bkjia.com/uploads/allimg/131227/0I633F21-42.png]

2.2 Configure the client

Create a new RADIUS client and configure the corresponding address.

[Image radius.1.11: http://www.bkjia.com/uploads/allimg/131227/0I633N19-43.png]

2.3 Configure policies

Create and configure a user access policy.

2.4.1 Add a connection request

[Image radius.1.12: http://www.bkjia.com/uploads/allimg/131227/0I6334559-44.png]

[Image radius.1.13: http://www.bkjia.com/uploads/allimg/131227/0I6333457-45.png]

2.4.2 Edit the dial-in profile

[Image radius.1.14: http://www.bkjia.com/uploads/allimg/131227/0I63325H-46.png]

[Image radius.1.15: http://www.bkjia.com/uploads/allimg/131227/0I6334409-47.png]

[Image radius.1.16: http://www.bkjia.com/uploads/allimg/131227/0I63362a-48.png]

[Image radius.1.17: http://www.bkjia.com/uploads/allimg/131227/0I6331326-49.png]

[Image radius.1.18: http://www.bkjia.com/uploads/allimg/131227/0I6335927-50.png]

2.4.3 Configure the advanced settings of the access profile

Three important attributes need to be added.

1) Add the Service-Type attribute

[Image radius.1.19: http://www.bkjia.com/uploads/allimg/131227/0I63345O-51.png]

[Image radius.1.20: http://www.bkjia.com/uploads/allimg/131227/0I6336346-52.png]

2) Add the Framed-Protocol attribute

[Image radius.1.21: http://www.bkjia.com/uploads/allimg/131227/0I633AS-53.png]

3) Add the attribute supporting the NAS (the vendor-specific attribute)

[Image radius.1.22: http://www.bkjia.com/uploads/allimg/131227/0I6332233-54.png]

[Image radius.1.23: http://www.bkjia.com/uploads/allimg/131227/0I6333113-55.png]

3. Client Configuration

Create a connection and configure relevant properties. This is the same as the local verification client configuration. Here, I will not talk too much about it.

4. Test

[Image test.1.2: http://www.bkjia.com/uploads/allimg/131227/0I633J53-56.png]

[Image test.1.1: http://www.bkjia.com/uploads/allimg/131227/0I633AA-57.png]

[Image test.1.3: http://www.bkjia.com/uploads/allimg/131227/0I633BK-58.png]

IV. Summary

In general, L2TP configuration is not difficult; the focus is on the firewall configuration and the server configuration. Here I briefly describe the main error-prone areas.

4.1 Firewall configuration

Pay attention to the following points in the firewall configuration:

1. The authentication server address must be specified correctly, and the specified interface must be the interface that connects the firewall to the authentication server.

2. Check the authentication server type, including the RFC-compatibility option, to avoid errors.

3. The authentication type, PAP or CHAP, must match the client configuration.

4. When creating the policy, note that the untrust side is the source directed at the access target. For security, do not set the untrust-side address to Any; select the dial-up user instead.
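Point 3 above, and the earlier step that enables the "unencrypted PAP" option on the client, both turn on what the PPP authentication method actually puts on the wire. The following Python is an added example, not code from the original article: it builds a PAP Authenticate-Request (RFC 1334), where the password is carried as-is, and a CHAP response (RFC 1994), where only MD5(identifier || secret || challenge) is sent, then simulates one link authentication that succeeds only when client and server use the same method and secret. The user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample credential store on the authenticating side.
USERS = {b"dialup1": b"constructed-secret"}


# --- PAP (RFC 1334): the password travels as-is in the Authenticate-Request ---
def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Data field: Peer-ID-Length | Peer-ID | Passwd-Length | Password."""
    return (struct.pack("!B", len(peer_id)) + peer_id
            + struct.pack("!B", len(password)) + password)


def pap_parse(data: bytes):
    """Parse the data field back; anyone holding a capture gets the same result."""
    n = data[0]
    peer_id = data[1:1 + n]
    m = data[1 + n]
    password = data[2 + n:2 + n + m]
    if len(peer_id) != n or len(password) != m:
        raise ValueError("truncated PAP packet")
    return peer_id, password


# --- CHAP (RFC 1994): only the MD5 digest crosses the link, never the secret ---
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


# --- Client and server sides of one PPP authentication ---
def client_credential(method: str, peer_id: bytes, secret: bytes,
                      challenge: bytes = b"", identifier: int = 1) -> bytes:
    """What the client sends for its configured method."""
    if method == "pap":
        return pap_authenticate_request(peer_id, secret)
    if method == "chap":
        return chap_response(identifier, secret, challenge)
    raise ValueError("unknown method")


def server_check(method: str, peer_id: bytes, credential: bytes,
                 challenge: bytes = b"", identifier: int = 1) -> bool:
    """Verify the credential against the stored secret for the server's method."""
    stored = USERS.get(peer_id)
    if stored is None:
        return False
    if method == "pap":
        pid, password = pap_parse(credential)
        return pid == peer_id and hmac.compare_digest(password, stored)
    if method == "chap":
        return chap_verify(identifier, challenge, credential, stored)
    return False


def link_authenticate(client_method: str, server_method: str,
                      peer_id: bytes, secret: bytes) -> bool:
    """One authentication round: a method mismatch fails before any secret is checked."""
    if client_method != server_method:
        return False
    challenge = os.urandom(16)  # server-chosen CHAP challenge; unused for PAP
    credential = client_credential(client_method, peer_id, secret, challenge)
    return server_check(server_method, peer_id, credential, challenge)
```

pap_parse recovering the password from the request is the whole point of the "unencrypted" label in the client dialog: on a bare L2TP tunnel that string is visible to anything on the path, whereas a CHAP capture yields only a digest. Either way, link_authenticate shows that a PAP client against a CHAP server (or the reverse) fails regardless of the password, which is the mismatch the summary warns about.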

4.2 ACS server configuration

Note the following when configuring the ACS server:

1. The ACS client can use either the IETF RADIUS protocol or Juniper's RADIUS authentication protocol. Note that if Juniper's RADIUS protocol is selected, Juniper's group-management function is disabled; you must select the Juniper group-management option under Interface, and then configure the group in group management.

2. In ACS group management, if the IETF attributes are used, the session limit must be kept within 128, because Juniper's default session value is 128 and leaving it unrestricted is not allowed; the other settings are optional and can be left blank.

4.3 IAS server configuration

Pay attention to the following points when configuring the Windows IAS server:

1. The server's RADIUS client configuration should cover the defined groups and users.

2. In the server's policy settings, the protocol used, PAP or CHAP, must match the firewall configuration.

3. In the advanced settings of the server's policy configuration, you need to add three attributes (Service-Type, Framed-Protocol and the NAS vendor-specific attribute). Pay attention to the vendor code and value.
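Step 2.4.3 and point 3 above both say the profile must return three RADIUS attributes and that the vendor code and value are where mistakes happen. The following Python is an added example, not code from the original article or from IAS/ACS: it encodes those attributes in the RFC 2865 wire layout (Service-Type = Framed, Framed-Protocol = PPP, and a Vendor-Specific attribute) and then checks a returned attribute list for exactly the omissions the summary warns about. The vendor id and vendor type are labelled placeholders, not the real Juniper values; substitute the code your firewall's RADIUS dictionary specifies.

```python
import struct

# IETF RADIUS attribute types and enumerated values (RFC 2865).
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_FRAMED = 2
FRAMED_PROTOCOL_PPP = 1

# PLACEHOLDER values, not the real vendor code: the article only says to check
# the vendor code and value, so these stand in for the NAS vendor's numbers.
PLACEHOLDER_VENDOR_ID = 99999
PLACEHOLDER_VENDOR_TYPE = 1


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length (covering the 2-byte header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_int_attr(attr_type: int, number: int) -> bytes:
    return encode_attr(attr_type, struct.pack("!I", number))


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id | Vendor-Type | Vendor-Length | data."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(blob: bytes):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def decode_vsa(value: bytes):
    """Return (vendor_id, vendor_type, data) from a Vendor-Specific value."""
    if len(value) < 6:
        raise ValueError("vendor-specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    if vendor_len < 2 or 4 + vendor_len != len(value):
        raise ValueError("bad vendor length")
    return vendor_id, vendor_type, value[6:4 + vendor_len]


def _as_int(value: bytes):
    return struct.unpack("!I", value)[0] if len(value) == 4 else None


def check_l2tp_profile(blob: bytes, expected_vendor_id: int):
    """List what is missing or wrong against the three attributes the article requires."""
    problems, by_type = [], {}
    for attr_type, value in decode_attrs(blob):
        by_type.setdefault(attr_type, []).append(value)

    service = by_type.get(ATTR_SERVICE_TYPE)
    if not service:
        problems.append("Service-Type missing")
    elif _as_int(service[0]) != SERVICE_TYPE_FRAMED:
        problems.append("Service-Type is not Framed")

    framed = by_type.get(ATTR_FRAMED_PROTOCOL)
    if not framed:
        problems.append("Framed-Protocol missing")
    elif _as_int(framed[0]) != FRAMED_PROTOCOL_PPP:
        problems.append("Framed-Protocol is not PPP")

    vendor_ids = [decode_vsa(v)[0] for v in by_type.get(ATTR_VENDOR_SPECIFIC, [])]
    if expected_vendor_id not in vendor_ids:
        problems.append("vendor-specific attribute for vendor %d missing" % expected_vendor_id)
    return problems


def build_l2tp_profile(vendor_id: int, vendor_type: int, vendor_data: bytes) -> bytes:
    """The attribute set a correctly configured IAS/ACS profile would return."""
    return (encode_int_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_FRAMED)
            + encode_int_attr(ATTR_FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP)
            + encode_vsa(vendor_id, vendor_type, vendor_data))
```

Run check_l2tp_profile over the attribute bytes of a captured Access-Accept (the part after the 20-byte RADIUS header) with the vendor id from your dictionary; an empty list means the three attributes are present with the values the tutorial expects, and a non-empty list names the one to fix in the IAS or ACS profile. The vendor id check is deliberately exact, since a profile that returns a VSA with the wrong vendor code is encoded legally but ignored by the NAS.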

This article is from the "pheonix" blog; reproduction is declined.
