tunnel authentication

Function

The tunnel authentication command enables L2TP tunnel authentication.

The tunnel authentication strict command enables strict L2TP tunnel authentication on the LAC, which checks that the tunnel name and password received from the remote LNS are correct.

The undo tunnel authentication command disables L2TP tunnel authentication.

By default, L2TP tunnel authentication is enabled.

This command is supported only on the NetEngine 8000 F1A.

Format

tunnel authentication [ strict ]

undo tunnel authentication

Parameters

None

Views

L2TP group view

Default Level

2: Configuration level

Task Name and Operations

Task Name: l2tp
Operations: write

Usage Guidelines

Usage Scenario

For the sake of security, authentication needs to be performed on both ends of the tunnel.

In normal cases, both ends of an L2TP tunnel verify each other to ensure security. If you want to test network connectivity, or want to accept a connection initiated by an unknown peer, you can choose not to verify the tunnel.

L2TP tunnel authentication can be initiated by either end of the tunnel, the LAC or the LNS. If either end initiates authentication, the tunnel is authenticated during tunnel establishment, and the tunnel can be established only when the passwords on both sides are identical and not null; otherwise, the tunnel is disconnected. If tunnel authentication is disabled on both the LAC and the LNS, it does not matter whether the passwords on both sides are identical.

Configuration Impact

In the L2TP local tunnel authentication scenario, the tunnel authentication command can be used to allow an LAC to verify the tunnel name configured on the LNS.

The tunnel authentication strict command can be enabled only in the L2TP group on the LAC side. After it is configured, the LAC checks both the tunnel name and the password of the remote LNS. If the LNS tunnel name and password delivered by the RADIUS server on the LAC side, or the locally configured LNS tunnel name and password, differ from the LNS tunnel name received from the remote side, the check fails and the tunnel cannot be set up. After configuring tunnel authentication strict, depending on the network deployment, configure the RADIUS server to deliver the Tunnel-Server-Auth-ID attribute, or configure the LNS tunnel name in the local L2TP group on the LAC side.
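The following Python model walks the tunnel-establishment exchange described in the Usage Scenario (authentication initiated by either end, passwords that must be identical and not null) and the strict name check described above. It is an added example and not Huawei's implementation: the Challenge Response computation (MD5 over the one-octet message type, the shared password and the peer's challenge) follows RFC 2661, section 5.1.1; the `Endpoint` fields, the `establish_tunnel` helper and the way the strict check is modelled as a comparison of the received Host Name AVP against the expected LNS tunnel name are assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass

# L2TP control message types (RFC 2661, section 3.2).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value as defined in RFC 2661, section 5.1.1:
    MD5 over the one-octet type of the message that carries the response,
    the shared tunnel password and the peer's challenge (CHAP style)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


@dataclass
class Endpoint:
    """Hypothetical model of one tunnel end; the field names are assumptions."""
    hostname: bytes             # value sent in the Host Name AVP
    password: bytes             # tunnel password; empty means "null"
    auth: bool = True           # 'tunnel authentication' configured on this end
    strict: bool = False        # 'tunnel authentication strict' (LAC side only)
    expected_peer: bytes = b""  # LNS tunnel name the LAC expects under strict


def _respond(ep: Endpoint, msg_type: int, challenge: bytes):
    # A null password can never answer a challenge, so the tunnel is torn down.
    if not ep.password:
        return None
    return challenge_response(msg_type, ep.password, challenge)


def establish_tunnel(lac: Endpoint, lns: Endpoint, rng=os.urandom):
    """Walk SCCRQ -> SCCRP -> SCCCN and return (established, reason)."""
    # 1. LAC -> LNS: SCCRQ carries the LAC host name and, when the LAC
    #    authenticates, a random Challenge AVP.
    sccrq = {"hostname": lac.hostname,
             "challenge": rng(16) if lac.auth else None}

    # 2. LNS -> LAC: SCCRP answers the LAC's challenge (if any) and carries
    #    the LNS's own Challenge when authentication is enabled on the LNS.
    sccrp = {"hostname": lns.hostname, "response": None,
             "challenge": rng(16) if lns.auth else None}
    if sccrq["challenge"] is not None:
        sccrp["response"] = _respond(lns, SCCRP, sccrq["challenge"])
        if sccrp["response"] is None:
            return False, "LNS has no tunnel password"

    # 3. LAC checks SCCRP: strict name check first, then the password proof.
    if lac.strict and sccrp["hostname"] != lac.expected_peer:
        return False, "strict check: LNS tunnel name mismatch"
    if sccrq["challenge"] is not None:
        expected = challenge_response(SCCRP, lac.password, sccrq["challenge"])
        if sccrp["response"] != expected:
            return False, "LAC rejected LNS response (password mismatch)"
    sccn = {"response": None}
    if sccrp["challenge"] is not None:
        sccn["response"] = _respond(lac, SCCCN, sccrp["challenge"])
        if sccn["response"] is None:
            return False, "LAC has no tunnel password"

    # 4. LNS checks SCCCN: the LAC must prove the same password.
    if sccrp["challenge"] is not None:
        expected = challenge_response(SCCCN, lns.password, sccrp["challenge"])
        if sccn["response"] != expected:
            return False, "LNS rejected LAC response (password mismatch)"
    return True, "tunnel established"


if __name__ == "__main__":
    # Constructed sample endpoints, not taken from any real deployment.
    lac = Endpoint(b"lac1", b"s3cret", strict=True, expected_peer=b"lns1")
    print(establish_tunnel(lac, Endpoint(b"lns1", b"s3cret")))
    print(establish_tunnel(lac, Endpoint(b"lns9", b"s3cret")))
    print(establish_tunnel(lac, Endpoint(b"lns1", b"wrong")))
```

Because each side only ever sends an MD5 digest of the password, the password never crosses the tunnel in clear text, but the exchange is still bound to whichever name the peer sends: without `strict`, the LAC accepts any LNS that knows the password, which is why the name check matters when the RADIUS server or the local group pins a specific LNS.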

Precautions

If you configure both local (strict) L2TP tunnel authentication and AAA authentication, the AAA mode takes effect and local (strict) authentication does not.

After the L2TP tunnel authentication is enabled, you need to run the tunnel password command to configure the tunnel authentication password.

Example

# Configure strict tunnel authentication in L2TP group 1 on the LAC.
<HUAWEI> system-view
[~HUAWEI] l2tp-group 1
[*HUAWEI-l2tp-1] tunnel authentication strict
Copyright © Huawei Technologies Co., Ltd.