L2TP is an industry-standard Internet tunneling protocol with functions similar to PPTP; for example, it can also be used to encrypt network data streams. There are differences, however: PPTP requires the underlying network to be an IP network, while L2TP only requires point-to-point connectivity for its data packets; PPTP uses a single tunnel, while L2TP supports multiple tunnels; and L2TP provides header compression and tunnel authentication, which PPTP does not.
The above information about L2TP comes from the Internet. Please respect copyright. Put simply, the biggest difference between L2TP and a site-to-site VPN is that the former is mostly communication between a single user and a specific network, while the latter is communication between two specific networks. There are many articles on how to configure L2TP on the Internet, but most of the configurations are incomplete. So in this article I will stand on the shoulders of those giants and walk through the L2TP configuration issues with you. There are two parts in total: local authentication and remote authentication. Two authentication servers are used for the remote part, one being Cisco's ACS and the other the Windows IAS authentication server. I should say in advance that the L2TP client and the firewall are placed in the same network range for ease of illustration.
I. Local authentication configuration
Experiment topology:
[Figure: top_local]
1. Configure the firewall
1.1 Configure the address pool
[Figure: local.1.1] [Figure: local.1.2]
1.2 Configure user attributes
[Figure: local.1.3] [Figure: local.1.4]
1.3 L2TP configuration
For ease of configuration, you can start from the default configuration.
[Figure: local.1.5] [Figure: local.1.6]
1.4 Policy configuration
[Figure: local.1.7] [Figure: local.1.8] [Figure: local.1.9]
2. Configure the client
2.1 Create a new network connection
[Figure: client.1.1] [Figure: client.1.2] [Figure: client.1.3] [Figure: client.1.4] [Figure: client.1.5]
2.2 Configure the network connection properties
[Figure: client.1.6]
Check the unencrypted PAP option.
[Figure: client.1.7] [Figure: client.1.8]
Modify the registry: under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters", create a new DWORD value.
[Figure: l2tp_client1.9] [Figure: l2tp_client1.10]
After modifying the registry, you need to restart the operating system.
3. Test
[Figure: test.1.2]
View the properties of the connected network:
[Figure: test.1.1] [Figure: test.1.3]
II. Authentication using the ACS server
Experiment topology:
[Figure: top_acs]
1. Configure the Juniper firewall
1.1 Configure the address pool
[Figure: acs.1.0]
1.2 Configure a custom service
[Figure: acs.1.1]
[Figure: acs.1.2]
1.3 Configure the VPN
To simplify the VPN configuration, you can start from the default configuration.
[Figure: acs.1.3] [Figure: acs.1.4]
1.4 Configure policies
[Figure: acs.1.5] [Figure: acs.1.6]
2. ACS server configuration
2.1 Configure the client
[Figure: acs.2.1]
2.2 Configure group attributes
[Figure: acs.2.3] [Figure: acs.2.4] [Figure: acs.2.5]
2.3 Configure user attributes
[Figure: acs.2.7] [Figure: acs.2.8]
3. Client configuration
Create a new connection, which is the same as the client configuration for local authentication, so I will not repeat it here.
4. Test
[Figure: test.1.2] [Figure: test.1.1] [Figure: test.1.3]
III. Authentication using the Windows IAS authentication server
Experiment topology:
[Figure: top_acs]
1. Juniper firewall configuration
The Juniper firewall configuration is the same as for ACS authentication.
2. Configure the Windows IAS authentication server
2.1 Configure the user
[Figure: radius.1.1] [Figure: radius.1.2]
2.2 Configure the client
Create a new RADIUS client and configure the corresponding address.
[Figure: radius.1.11]
2.3 Configure policies
Create and configure a user access policy.
2.4.1 Add a connection request
[Figure: radius.1.12] [Figure: radius.1.13]
2.4.2 Edit the dial-in profile
[Figure: radius.1.14] [Figure: radius.1.15] [Figure: radius.1.16] [Figure: radius.1.17] [Figure: radius.1.18]
2.4.3 Configure the advanced settings of the access profile
Three important attributes need to be added.
1) Add the Service-Type attribute
[Figure: radius.1.19] [Figure: radius.1.20]
2) Add the Framed-Protocol attribute
[Figure: radius.1.21]
3) Add the attribute that supports the NAS
[Figure: radius.1.22] [Figure: radius.1.23]
3. Client configuration
Create a connection and configure the relevant properties. This is the same as the client configuration for local authentication, so I will not go into it again here.
4. Test
[Figure: test.1.2] [Figure: test.1.1] [Figure: test.1.3]
IV. Summary
In general, L2TP configuration is not difficult; the focus is on the firewall configuration and the server configuration. The main error-prone areas are summarised briefly below.
4.1 Firewall configuration
Pay attention to the following points in the firewall configuration:
1. The authentication server address must be specified correctly, and the specified interface must be the one that connects the firewall to the authentication server.
2. Check the authentication server type, including RFC compatibility, to avoid errors.
3. The authentication type, whether PAP or CHAP, must match the client configuration.
4. When selecting a policy, note that the untrust side points to the target access side. For security reasons, do not set the untrust side to any; select the dial-up user instead.
4.2 ACS server configuration
Note the following when configuring the ACS server:
1. The ACS client can use either the IETF attributes or Juniper's RADIUS authentication protocol. Note that when Juniper's RADIUS protocol is selected, Juniper's group management function is not enabled: you must select the Juniper group management option under Interface Configuration, and then configure the group in Group Setup.
2. For ACS group management, if the IETF attributes are used, the session limit must be kept within 128, because Juniper's default session value is 128; it may also be left unrestricted. Other settings are optional and can be left blank.
4.3 IAS server configuration
Pay attention to the following points when configuring the Windows IAS server:
1. The server's RADIUS client configuration should include the defined groups and users.
2. In the server's policy settings, the protocol used, whether PAP or CHAP, must match the firewall configuration.
3. In the advanced settings of the server policy, you need to add three attributes. Pay attention to the vendor code and the value.
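The three attributes from section 2.4.3 and point 3 of 4.3 are the part most often got wrong, so here is an added example (not code from the original post) that encodes them as RADIUS attribute-value pairs and checks an attribute list for them. Attribute numbers and enumerations are from RFC 2865; the vendor ID and vendor sub-type are constructed placeholders, to be replaced with the values your firewall vendor documents.

```python
# Added example (not from the original post): build and check the three
# RADIUS attributes the IAS profile in 2.4.3 returns for an L2TP dial-in user.
# Attribute numbers and enumerations are from RFC 2865.
import struct

SERVICE_TYPE = 6          # RFC 2865 attribute types
FRAMED_PROTOCOL = 7
VENDOR_SPECIFIC = 26
SERVICE_TYPE_FRAMED = 2   # RFC 2865 enumerated values
FRAMED_PROTOCOL_PPP = 1
PLACEHOLDER_VENDOR_ID = 99999    # assumption: replace with the firewall vendor's ID
PLACEHOLDER_VENDOR_TYPE = 1      # assumption: vendor sub-attribute number


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS AVP: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_int_attr(attr_type: int, value: int) -> bytes:
    return encode_attr(attr_type, struct.pack("!I", value))

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor ID, then vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def decode_attrs(data: bytes) -> list:
    """Walk an AVP list into [(type, value_bytes), ...]; reject truncated AVPs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def missing_dialin_attrs(data: bytes, vendor_id: int) -> list:
    """Names of required attributes that are absent or carry the wrong value:
    Service-Type=Framed, Framed-Protocol=PPP, and a VSA for the expected vendor."""
    found = {"Service-Type": False, "Framed-Protocol": False, "Vendor-Specific": False}
    for attr_type, value in decode_attrs(data):
        if attr_type == SERVICE_TYPE and value == struct.pack("!I", SERVICE_TYPE_FRAMED):
            found["Service-Type"] = True
        elif attr_type == FRAMED_PROTOCOL and value == struct.pack("!I", FRAMED_PROTOCOL_PPP):
            found["Framed-Protocol"] = True
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == vendor_id):
            found["Vendor-Specific"] = True
    return [name for name, ok in found.items() if not ok]

def build_policy_attrs() -> bytes:
    """The three attributes added in 2.4.3, as one AVP byte string."""
    return (encode_int_attr(SERVICE_TYPE, SERVICE_TYPE_FRAMED)
            + encode_int_attr(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP)
            + encode_vsa(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_VENDOR_TYPE, b"dialup"))
```

Running `missing_dialin_attrs` over the attributes captured from an Access-Accept shows at once whether the wrong Service-Type, a missing Framed-Protocol, or a VSA with the wrong vendor code is the reason the firewall rejects the user.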
This article is from the "pheonix" blog and will not be reproduced!