09 Command Manual VPN

Command Manual VPN VRP1.
Table of Contents
Table of Contents
Chapter 1 L2TP Configuration Commands..................................................................................1 1.1 L2TP Configuration Commands.........................................................................................1 1.1.1 allow l2tp virtual-template........................................................................................1 1.1.2 debugging l2tp.........................................................................................................2 1.1.3 display l2tp session.................................................................................................3 1.1.4 display l2tp tunnel....................................................................................................3 1.1.5 l2tp domain..............................................................................................................4 1.1.6 l2tp enable...............................................................................................................5 1.1.7 l2tp match-order......................................................................................................6 1.1.8 l2tp session-limit......................................................................................................7 1.1.9 l2tp-group................................................................................................................8 1.1.10 mandatory-chap.....................................................................................................8 1.1.11 mandatory-lcp........................................................................................................9 1.1.12 ppp l2tp-used.......................................................................................................10 1.1.13 reset l2tp tunnel...................................................................................................11 1.1.14 start l2tp...............................................................................................................11 1.1.15 tunnel authentication............................................................................................13 1.1.16 tunnel avp-hidden................................................................................................14 1.1.17 tunnel flow-control...............................................................................................15 1.1.18 tunnel name.........................................................................................................15 1.1.19 tunnel password..................................................................................................16 1.1.20 tunnel timer hello.................................................................................................17 Chapter 2 GRE Configuration Commands...................................................................................1 2.1 GRE Protocol Configuration Commands............................................................................1 2.1.1 destination ..............................................................................................................1 2.1.2 display interfaces ....................................................................................................2 2.1.3 gre checksum..........................................................................................................2 2.1.4 gre key ...................................................................................................................3 2.1.5 gre sequence-datagrams.........................................................................................4 2.1.6 interface tunnel........................................................................................................5 2.1.7 source.....................................................................................................................6 2.1.8 ip fast-forwarding (Tunnel Interface View) ...............................................................6
Huawei Technologies Proprietary i
Command Manual VPN VRP1.7
1L2TP Configuration Commands
Chapter 1 L2TP Configuration Commands

1.1 L2TP Configuration Commands
1.1.1 allow l2tp virtual-template
Syntax
allow l2tp virtual-template virtual-template-number [ remote remote-name ] undo allow
View
L2TP group view
Parameter
virtual-template-number: Number of the virtual template, which is an integer in the range from 1 to 25. remote-name: Name of a remote tunnel originating a tunnel connecting request. It is a case-sensitive character string with the length ranging from 1 to 30 characters.
Description
Using the allow l2tp virtual-template command, you can configure the name of the remote tunnel when accepting the call and the virtual template to be used. Using the undo allow command, you can cancel the name of the remote tunnel. By default, no call can be dialed in. This command can only be configured on LNS. It is a required configuration. When L2TP group 1 (default L2TP group number) is used, it is permitted to configure group 1 without specifying remote-name, and the format of this command is: allow l2tp virtual-template virtual-template-number [ remote remote-name ] If the remote name is specified in L2TP group 1 view, then L2TP group 1 does not serve as the default L2TP group. In Windows 2000 beta 2, for example, the local tunnel name for the VPN connection is NONE, and the peer name received by the router is NONE. A default L2TP group can be configured in order to receive a tunnel connecting request originated by an unknown peer-end, or just for test purpose. If the name of remote tunnel is configured, make sure that the name of remote tunnel is in accordance with the name of the local end configured on LAC. For related commands, see l2tp-group.
Huawei Technologies Proprietary 1
Example
# Allow a L2TP tunnel connecting request from the peer-end (LAC) named AS8010 on L2TP group 2, and creates a virtual-access interface on virtual-template 1.
[Router-l2tp2] allow l2tp virtual-template 1 remote AS8010
# Take L2TP group 1 as the default L2TP group to allow the L2TP tunnel connecting requests from any peer-end, and creates a virtual-access interface according to virtualtemplate 1.
[Router] l2tp-group 1 [Router-l2tp1] allow l2tp virtual-template 1
1.1.2 debugging l2tp

Syntax
debugging l2tp { all | control | error | event | hidden | payload | time-stamp } undo debugging l2tp { all | control | error | event | hidden | payload | time-stamp }
View
Any view
Parameter
all: Enable all the L2TP information debugging. control: Enable the control packet debugging. error: Enable the error information debugging. event: Enable the event debugging. hidden: Hide start information debugging of AVP. payload: Enable the L2TP datagram debugging. time-stamp: Enable the debugging for displaying time stamps.
Description
Using the debugging l2tp command, you can enable the L2TP information debugging. Using the undo debugging l2tp command, you can disable the L2TP information debugging.
Example
# Enable the L2TP control packet debugging.
[Router] debugging l2tp control
1.1.3 display l2tp session

Syntax
display l2tp session
View
Any view
Parameter
None
Description
Using the display l2tp session command, you can view the information about the current L2TP session. For related commands, see display l2tp tunnel.
Example
# Display the information of the current L2TP session.
[Router] display l2tp session LocoalID 1 RemoteID 1 TunnelID 2
Total session = 1
Table 1.1 Description of fields in display l2tp session Field Total session LocalID RemoteID TunnelID Description Number of sessions Local ID uniquely identifying a session Remote ID uniquely identifying a session Tunnel ID
1.1.4 display l2tp tunnel

Syntax
display l2tp tunnel
View
Any view
Parameter
None
Description
Using the display l2tp tunnel command, you can view the information about the current L2TP tunnel. For related commands, see display l2tp session.
Example
# Display the information of the current L2TP tunnel.
[Router] display l2tp tunnel LocalID 1 RemoteID 8 RemName AS8010 RemAddress 172.168.10.2 Sessions 1 Port 1701
Total tunnels = 1
Table 1.2 Description of the fields in display l2tp tunnel Field Total tunnels LocalID RemoteID RemName RemAddress Sessions Port Description Number of tunnels Local ID uniquely identifying a tunnel Remote ID uniquely identifying a tunnel Remote name Remote IP address Number of sessions at the tunnel port Remote port number
1.1.5 l2tp domain

Syntax
l2tp domain { prefix-separator | suffix-separator } delimiters undo l2tp domain { prefix-separator | suffix-separator } delimiters
View
System view
Parameter
prefix-separator: Indicate that the specified delimiter is a prefix, such as huawei.com#yaoxin.
suffix-separator: Indicate that the specified delimiter is a suffix, such as yaoxin@huawei.com. delimiters: Identify the domain delimiter; including '%', '@', '# ', and '/'. The string is of 1 to 4 characters.
Description
Using the l2tp domain command, you can configure the delimiter to be a prefix or suffix. Using the undo l2tp domain command, you can cancel the configured prefix or suffix delimiter. By default, no domain delimiters serving as prefixes or suffixes exist. This command is only used on LAC and it is an optional configuration. The l2tp domain prefix-separator command is used to specify one or multiple domain delimiters serving as prefix. Likewise, the l2tp domain suffix-separator command is used to specify one or multiple domain delimiters serving as suffix. Based on the first delimiter which makes the delimitation successfully, the domain name can be separated from the username through a domain delimiter. Thereby, you can search among the domain names specified by the VPDN using the start l2tp command to check if such a domain name exists. If yes, it indicates the user is a VPN user, so it is necessary to set up a VPN tunnel connection with the LNS to which the user belongs. A character serving as a prefix delimiter cannot serve as a suffix delimiter any longer and vice versa. More specifically, a character cannot serve as a prefix and a suffix delimiter at the same time. For related commands, see start l2tp.
Example
# Set the domain name to be the prefix that is separated from the username by the symbol #.
[Router] l2tp domain prefix-separator #
# Delimit the suffix by using multiple delimiters, such as @, and %.

[Router] l2tp domain suffix-separator @%
1.1.6 l2tp enable

Syntax
l2tp enable undo l2tp enable
View
System view
Parameter
None
Description
Using the l2tp enable command, you can enable the VPDN function. Using the undo l2tp enable command, you can disable the VPDN function. By default, the VPDN function is disabled. This command can be used on both LAC and LNS, which is a required configuration. The l2tp enable command is used to enable the VPDN function. The VPN services can only be carried out after this function is enabled. For related commands, see l2tp-group.
Example
# Enable the VPDN function on a router.
[Router] l2tp enable
1.1.7 l2tp match-order

Syntax
l2tp match-order { dnis-domain | dnis | domain-dnis | domain } undo l2tp match-order
View
System view
Parameter
dnis-domain: Search for the L2TP group according to the dialed number before according to the domain name. dnis: Search for the L2TP group according to the dialed number only. domain-dnis: Search for the L2TP group according to the domain name before according to the dialed number. domain: Search for the L2TP group according to the domain name only.
Description
Using the l2tp match-order command, you can configure the searching order of the dialed number and the domain name criteria. Using the undo l2tp match-order command, you can restore the default searching order. By default, the searching is carried out according to the dialed number before according
to the domain name, that is, the key word dnis-domain is adopted. This command is only used on LAC, and it is an optional configuration. When there are a large number of L2TP accessing users, searching for the user in order is time-consuming. In this case, necessary search policy should be set (like the prefix/suffix delimiter) through the l2tp match-order command to speed up the searching. In an actual searching process, the search is conducted according to the full username before according to the configuration order of this command. There are two types of delimiters: prefix delimiter and suffix delimiter, including the following four special characters: @, # , &, and /. For example, huawei.com#vpdnuser is a user with a prefix delimiter, and vpdnuser@huawei.com is a user with a suffix delimiter. During the searching, the username and the prefix/suffix delimiter will be separated, and the VPDN searching is only carried out according to the specified rules, which greatly improves the searching speed. For related commands, see l2tp domain.
Example
# Conduct the searching according to the domain name only.
[Router] l2tp match-order domain
1.1.8 l2tp session-limit

Syntax
l2tp session-limit session-number undo l2tp session-limit
View
System view
Parameter
session-number: The maximum number of L2TP sessions at the local end, which is an integer in the range from 1 to 2000. By default, the maximum number of sessions is 1000.
Description
Using the l2tp session-limit command, you can configure the maximum number of L2TP sessions at the local end. Using the undo l2tp session-limit command, you can restore the default maximum number of L2TP sessions at the local end. This command can be used on both LAC and LNS, and is an optional configuration. The maximum number of sessions at the local end can be configured on both LNS and
LAC, but the actually created number of session connections depends on the smaller one between them. For related commands, see display l2tp session.
Example
# Configure the maximum number of L2TP sessions on LNS to 1500.
[Router] l2tp session-limit 1500
1.1.9 l2tp-group
Syntax
l2tp-group group-number undo l2tp-group group-number
View
System view
Parameter
group-number: L2TP group number, which is an integer in the range from 1 to 1000.
Description
Using the l2tp-group command, you can create a L2TP group. Using the undo l2tpgroup command, you can cancel a L2TP group. By default, no L2TP group is created. This command can be used on both LAC and LNS,. It is a required configuration.. The l2tp-group command is used to create a L2TP group. L2TP group 1 can serve as the default L2TP group. After the L2TP group is deleted by using the undo l2tp-group command, all the configuration information of this group will be deleted. For related commands, see allow l2tp virtual-template, start l2tp.
Example
# Create L2TP group 2, and enters the L2TP group 2 view.
[Router] l2tp-group 2 [Router-l2tp2]
1.1.10 mandatory-chap
Syntax
mandatory-chap
undo mandatory-chap
View
L2TP group view
Parameter
None
Description
Using the mandatory-chap command, you can force the performing of the CHAP reauthentication between LNS and Client. Using the undo mandatory-chap command, you can disable the CHAP re-authentication. By default, the CHAP re-authentication is not performed. This command can only be used on LNS and is an optional configuration. After LAC implements the proxy authentication on Client, LNS re-authenticates the Client to improve the security. If the mandatory-chap command is used, the VPN clients that connect with access server via initial tunnel will undergo twice authentications: one is between clients and NAS (Network Access Server), and the other is between clients and LNS (L2TP Network Server). If some PPP Clients do not support re-authentication, the local CHAP authentication may fail. For related commands, see mandatory-lcp.
Example
# Force the performing of the CHAP re-authentication. in L2TP group 1.
[Router-l2tp1] mandatory-chap
1.1.11 mandatory-lcp
Syntax
mandatory-lcp undo mandatory-lcp
View
L2TP group view
Parameter
None
Description
Using the mandatory-lcp command, you can enable the LCP (Link Control Protocol)
re-negotiation between LNS and Client. Using the undo mandatory-lcp command, you can disable the LCP re-negotiation. By default, no LCP re-negotiation is conducted in the system. This command can be used on LNS only, and is an optional configuration. A Client of NAS-Initiated VPN will carry out the PPP negotiation with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS will initialize the tunnel connection, and transfer to LNS the information received through negotiating with the client. LNS can judge the validity of the user according to the received proxy authentication information. The mandatory-lcp command can be used to force the LCP re-negotiation between LNS and Client, ignoring the proxy authentication information of NAS. If some PPP Clients do not support the LCP re-negotiation, the process of the LCP re-negotiation will fail. For related commands, see mandatory-chap.
Example
# Enable the LCP re-negotiation in L2TP group 1.
[Router-l2tp1] mandatory-lcp
1.1.12 ppp l2tp-used

Syntax
ppp l2tp-used undo ppp l2tp-used
View
Interface view
Parameter
None
Description
Using the ppp l2tp-used command, you can restrict the use of the PPP-encapsulated interface to L2TP application. Using the undo ppp l2tp-used command, you can disable the configuration. By default, the use of the interface is not restricted to L2TP application. You must use this command in conjunction with the start l2tp by-radius command. For the related command, see start l2tp by-radius.
Example
# Restrict the use of interface serial0 to L2TP application.
[Router] interface serial0 [Router-Serial0] ppp l2tp-used
1.1.13 reset l2tp tunnel

Syntax
reset l2tp tunnel remote-name
View
Any view
Parameter
remote-name: Name of the remote tunnel, which is a character string ranging from 1 to 30 characters.
Description
Using the reset l2tp tunnel command, you can reset the specified tunnel connection. Using the undo reset l2tp tunnel command, you can disconnect all the sessions in the tunnel. This command is used to reset a tunnel connection by force. When a remote user dials in again, the tunnel connection can be set up once more. You can decide the tunnel connection to be cleared by specifying the name of a remote tunnel. If no qualified tunnel connections that match the remote-name exist, the tunnel connections in operation will not be affected. If there are multiple qualified tunnels (with the same remote-name, but different IP addresses), the first qualified tunnel connection will be cleared. The matching sequence referred here is the same as the result of executing the display l2tp tunnel command. For related commands, see display l2tp tunnel.
Example
# Clear a tunnel connection whose peer-end name is AS8010.
[Router] reset l2tp tunnel AS8010
1.1.14 start l2tp

Syntax
start l2tp { by-radius | ip ip-address [ ip ip-address ] } { domain domain-name | dnis dialed-number | full username user-name }
undo start l2tp [ ip ip-address ]
View
L2TP group view
Parameter
by-radius: Allows to send usernames and domain names to RADIUS servers for authentication. ip ip-address: Identify the IP address of the remote tunnel (LNS). A maximum of five IP addresses can be configured, acting as the backup LNS for one another. domain domain-name: Domain name of the user triggering the connection request, which is a case-sensitive string of 1 to 30 characters. dnis dialed-number: Number dialed by the user triggering the connection request, which is a string of 1 to 64 characters. full username user-name: Full name of the user triggering the connection request, which is a case-sensitive string of 1 to 30 characters
Description
Using the start l2tp command, you can configure the triggering conditions for originating a call when the local end servers as L2TP LAC end. Using the undo start l2tp command, you can cancel the specified triggering conditions . This command can only be used on LAC, which is . This command is used to specify the IP address of LNS. It supports multiple methods of connection triggering request.
A tunnel connecting request can be originated based on the domain name of the user. For example, if the domain name of a company to which a user belongs is huawei.com, then the user who contains this domain name can be specified as a VPN user.
You can determine whether or not the user is a VPN user according to the dialed numbers. For example, if the number 8810188 is specified as the special service number, any accessing users dialing this number will be VPN users.
You can also specify a user to be a VPN user directly by the users full name. You can have the system send the username or domain name to RADIUS servers for authentication. If a delimiter is configured, only the domain name is sent. If the RADIUS authentication passes, the system initiates connection based on the properties delivered by the RADIUS server.
If the user is a VPN user, the local end (LAC) will send a L2TP tunnel connecting request to one of the LNSs according to the LNS sequence configured. Once LAC receives the response from LNS, this LNS will become the peer-end of the tunnel.
Otherwise, LAC will send the tunnel connecting request to the next LNS. There may be conflicts between these methods of identifying VPN users. For example, the LNS address specified based on full user names is 1.1.1.1, while that based on the domain names is 1.1.1.2. In this case, it is necessary to specify the order to search for VPN users. The searching sequence is as follow: First, check if there is a L2TP group specified according to the full user names. If not, search according to the order of the domain names. The searching order which bases on domain name is set by the l2tp match-order command. For related commands, see l2tp domain, l2tp match-order.
Note: You can configure the start l2tp by-radius command only on L2TP-group 1 (the default) and must use it in conjunction with the ppp l2tp-used command.
Example
# Identify VPN users in L2TP group 1 according to the domain name huawei.com. The IP address of the corresponding LNS at its headquarters is 202.38.168.1.
[Router-l2tp1] start l2tp ip 202.38.168.1 domain huawei.com
1.1.15 tunnel authentication

Syntax
tunnel authentication undo tunnel authentication
View
L2TP group view
Parameter
None
Description
Using the tunnel authentication command, you can enable the tunnel authentication. Using the undo tunnel authentication command, you can disable the tunnel authentication. By default, the system will authenticate the L2TP tunnel. This command can be used on both LAC and LNS, and is an optional configuration.
Normally, both ends of the tunnel need to authenticate each other for security. Tunnel authentication can be skipped in the case of testing network connectivity or receiving connection originated from an unknown peer-end. For related commands, see tunnel password, tunnel name.
Example
# Disable the authentication of the remote tunnel on L2TP group 1.
[Router-l2tp1] undo tunnel authentication
1.1.16 tunnel avp-hidden

Syntax
tunnel avp-hidden undo tunnel avp-hidden
View
L2TP group view
Parameter
None
Description
Using the tunnel avp-hidden command, you can enable hiding AV (attribute value) pairs. Using the undo tunnel avp-hidden command, you can disable hiding AV pairs. By default, hiding AV pairs is disabled. This command can be used on both LAC and LNS, and is an optional configuration. Upon configuration, the operation of hiding AV pairs makes sense only after tunnel authentication and tunnel password are configured. When AV pairs are hidden, L2TP hidden algorithm will be executed so that the username and password transmitted in plain text during proxy authentication will be encrypted into AV pairs. Hiding AV pairs in L2TP application is very useful when PAP or proxy authentication is used between LAC and LNS. In actual configuration, it is recommended to enable/disable hiding AV pairs on both LAC and LNS at the same time.
Example
# Enable hiding AV pairs on L2TP group 1.
[Router-l2tp1] tunnel avp-hidden
1.1.17 tunnel flow-control

Syntax
tunnel flow-control receive-window size undo tunnel flow-control receive-window
View
L2TP group view
Parameter
receive-window size: Specify the size of the receiving window of tunnel. It is an integer in the range from 0 to 128. By default, the size of the receiving window of tunnel flow control is 0, which means there is no flow control.
Description
Using the tunnel flow-control receive-window command, you can configure the size of the receiving window of the tunnel so as to control the flow. Using the undo tunnel flow-control receive-window command, you can restore the size of the receiving window of the tunnel to the default value. This command can be used on both LAC and LNS, and is an optional configuration. The tunnel flow-control receive-window command can be used to adjust the size of the receiving window of tunnel. When congestion occurs at the destination end, reduce the window size properly for the purpose of flow control.
Example
# Configure the tunnel receiving window of L2TP group 1 as 6.
[Router-l2tp1] tunnel flow-control receive-window 6
1.1.18 tunnel name

Syntax
tunnel name name undo tunnel name
View
L2TP group view
Parameter
name: Identify the name of local tunnel. It is a string of 1 to 30 characters.
Description
Using the tunnel name command, you can configure the name of the local tunnel. Using the undo tunnel name command, you can restore the local tunnel name to the default value. By default, the local tunnel name is the routers name. This command can be used on both LAC and LNS, and is an optional configuration. In the process of creating a L2TP group, the name of the local tunnel end will be initialized as the routers name. For related commands, see sysname, tunnel authentication, tunnel password.
Example
# Set the local tunnel name of L2TP group 1 to itsme.
[Router-l2tp1] tunnel name itsme
1.1.19 tunnel password

Syntax
tunnel password { simple | cipher } password undo tunnel password
View
L2TP group view
Parameter
simple: Password shown in plain text; cipher: Password shown in cipher text. password: Password used during the tunnel authentication, which is a character string of 1 to 16 characters.
Description
Using the tunnel password command, you can configure the password used during tunnel authentication. Using the undo tunnel password command, you can cancel the password of the tunnel authentication. By default, the password of tunnel authentication is the router name. This command can be used on both LAC and LNS, and is an optional configuration. When creating a L2TP group, the local tunnel name and the tunnel password are both initialized to be the routers name. For related commands, see tunnel authentication, tunnel name.
Example
# Set the tunnel password on L2TP group 1 to yougotit and make it shown in the form of cipher text.
[Router-l2tp1] tunnel password cipher yougotit
1.1.20 tunnel timer hello

Syntax
tunnel timer hello hello-interval undo tunnel timer hello
View
L2TP group view
Parameter
hello-interval: The interval that the LAC or LNS waits for sending Hello packets when there is no traffic over the tunnel, ranging from 60 to 1000, in second. By default, the Hello packets are sent every 60 seconds.
Description
Using the tunnel timer hello command, you can configure the interval for sending Hello packets over an L2TP tunnel. Using the undo tunnel timer hello command, you can restore the interval for sending Hello packets over an L2TP tunnel to the default value. This command can be used on both LAC and LNS, and is an optional configuration. The interval of sending Hello packets configured on LAC can be different from that on LNS. The undo tunnel timer hello command can be used to restore the interval to the default value.
Example
# Set the interval for sending Hello packets to 99 seconds.
[Router-l2tp1] tunnel timer hello 99
2GRE Configuration Commands
Chapter 2 GRE Configuration Commands

2.1 GRE Protocol Configuration Commands
2.1.1 destination
Syntax
destination ip-address undo destination
View
Tunnel interface view
Parameter
ip-address: IP address of the actual physical port at the remote tunnel interface.
Description
Using the destination command, you can configure IP address of remote tunnel interface. Using the undo destination command, you can cancel the IP address of remote tunnel interface. The specified remote tunnel address is input in format of the IP address. It must be the same as the actual physical address of the remote port attached and it should be guaranteed that the route to this port is reachable. Furthermore, the destination address of the tunnel configured at the local end must be consistent with the source address of the remote tunnel. For related commands, see interface tunnel, source.
Example
# Set up a tunnel connection between Serial0 in RouterA and Serial1 in RouterB; the IP address of Serial0 in RouterA is 10.110.1.1, and that of Serial1 in RouterB is 20.110.1.1. Make the following configurations at tunnel0 in RouterA:
[RouterA] interface tunnel 0 [RouterA-Tunnel0] source 10.110.1.1 [RouterA-Tunnel0] destination 20.110.1.1
2.1.2 display interfaces

Syntax
display interfaces [ tunnel tunnel-number ]
View
Any view
Parameter
tunnel-number: Tunnel interface number.
Description
Using the display interfaces command, you can view the status of the active tunnel interface.
Example
[Router] display interfaces tunnel 1 Tunnel0 current state:up, line protocol current state:down The Maximum Transmit Unit is 64000 Internet Address is 2.2.2.2(30) input packets:0, bytes:0 input errors:0, broadcast:0, drops:0 output packets:0, bytes:0 output errors:0, 0 broadcast, no protocol:0
The above information shows: Tunnel 1 interface is in up state, and MTU is 128 bytes. The network address of Tunnel1 is 3.1.1.1; 0 packet is received; 0 error packet and 0 broadcast packet is received; no packet is discarded; 0 packet is sent; 0 packet is output with errors, 0 broadcast packet and 0 packet with unknown protocol is output.
2.1.3 gre checksum

Syntax
gre checksum undo gre checksum
View
Parameter
None
Description
Using the gre checksum command, you can configure checksum-based end-to-end check at both ends of the tunnel. Using the undo gre checksum command, you can disable the checksum check on the tunnel interfaces. By default, checksum check is disabled on tunnel interface. RFC 1701 provides that: if the Checksum bit is set in the GRE packet header, then Checksum is valid. The sender calculates the checksum based on the GRE header and payload, and the receiver calculates the checksum based on the received packet and compares it with the checksum contained in the packet. If they are the same, the packet will be further processed, otherwise it will be discarded. If the checksum is set at one end of the tunnel only, then no checksum-based check will be performed on the packet. Only when the checksum is set at both ends of a tunnel, will the packet be checked. For related commands, see interface tunnel.
Example
# Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0 and tunnel1 respectively. It is required to enable the checksum check.
[RouterA-Tunnel0] gre checksum [RouterB-Tunnel1] gre checksum
2.1.4 gre key

Syntax
gre key key-number undo gre key
View
Parameter
key-number: Key IDs at both ends of the tunnel, ranging from 0 to 4294967295.
Description
Using the gre key command, you can configure the Key ID of the local tunnel interface. Using the undo gre key command, you can cancel the Key ID of the local tunnel interface. By default, no Key ID is set. RFC 1701 provides that: if the KEY field in the GRE header is set, then both the
receiver and sender will authenticate the gre key. Only when the gre keys set at both ends of the tunnel are the same will the authentication succeed, otherwise the packet will be discarded. For related commands, see interface tunnel.
Example
# Set up a tunnel between RouterA and RouterB, and the tunnel interfaces are tunnel0 and tunnel1, respectively. It is required that the gre key be set.
[RouterA] interface tunnel 0 [RouterA-Tunnel0] gre key 123456789 [RouterB] interface tunnel 1 [RouterB-Tunnel1] gre key 123456789
2.1.5 gre sequence-datagrams

Syntax
gre sequence-datagrams undo gre sequence-datagrams
View
Parameter
None
Description
Using the gre sequence-datagrams command, you can. configure sequence number synchronization of datagram on a tunnel interface. Using the undo gre sequencedatagrams command, you can disable sequence number synchronization. By default, tunnel interface datagram does not use sequence number synchronization. RFC 1701 provides that: if sequence-datagram in the GRE header is set, then the receiver and sender will undergo sequence number synchronization. Only synchronous packets will be further processed, otherwise the packet will be discarded. The tunnel sequence number provides unreliable but orderly packets. The receiver makes sequence numbers for the packets received locally and de-capsulated successfully (the sequence number can be any integer, ranging from 0 to 2 321, with that of the first packet being 0). After the tunnel is set up, the sequence numbers will be counted in an accumulative and cyclic manner. If the receiver receives a packet whose sequence number is less than or equal to the sequence number of the last packet, this packet is deemed to be an illegal packet. If a packet out of sequence is received, it will
be discarded automatically. Only when gre sequence-datagrams or undo gre sequence-datagrams is set at both ends of the tunnel with the same value can the tunnel be set up. For related commands, see interface tunnel.
Example
# Set up a tunnel between RouterA and RouterB, whose interfaces are tunnel0 and tunnel1, respectively. It is required to enable the check of packet sequence number.
[RouterA-Tunnel0] gre sequence-datagrams [RouterB-Tunnel1] gre sequence-datagrams
2.1.6 interface tunnel

Syntax
interface tunnel tunnel-number undo interface tunnel
View
Any view
Parameter
tunnel-number: Specified tunnel interface number, ranging from 0 to 4294967295.
Description
Using the interface tunnel command, you can create a tunnel interface and enter the tunnel view. Using the undo interface tunnel command, you can cancel a specified tunnel interface. By default, no tunnel interface is created. This command is used to enter a specified tunnel interface view. If the tunnel interface has not been created, create it first. The number of tunnels that can be created depends on the total number of interfaces as well as the memory condition. For related commands, see source, destination, gre key, gre checksum, gre sequence-datagrams.
Example
# Set up the interface tunnel0 in Router A.
[RouterA] interface tunnel 0 [RouterA-Tunnel0]
2.1.7 source
Syntax
source ip-address undo source
View
Parameter
ip-address: IP address of the actual physical port that uses tunnel interface.
Description
Using the source command, you can configure tunnel local address. Using the undo source command, you can cancel the configured local address. By default, no tunnel source address is specified. The specified tunnel source address is input in the IP address format. It must be the same as the actual physical port address. Furthermore, the source address of the tunnel configured at the local end must be consistent with the destination address of the remote tunnel. For related commands, see interface tunnel, destination.
Example
# Configure tunnel0 in the router: the actual exit for the packet encapsulated at this interface is Serial0.
[RouterA] interface serial 0 [RouterA-serial0] ip address 10.110.1.1 255.255.255.0 [RouterA] interface tunnel 0 [RouterA-Tunnel0] source 10.110.1.1
2.1.8 ip fast-forwarding (Tunnel Interface View)

Syntax
ip fast-forwarding [ inbound | outbound ] undo ip fast-forwarding
View
Parameter
inbound: Enable fast-forwarding only in the inbound direction of the tunnel interfaces. outbound: Enable fast-forwarding only in the outbound direction of the tunnel interface.
Description
Using ip fast-forwarding command, you can enable fast-forwarding on a tunnel. Using undo fast-forwarding command, you can disable fast-forwarding on the tunnel. By default, fast-forwarding is enabled two-way on the tunnel. In this command, the parameters inbound and outbound are mutually exclusive, and the newly configured parameter will replace the previous one. If you want to enable fast-forwarding on both the receiving and sending directions, you should not use any parameter in this command. Quidway series routers support the fast-forwarding on all high-speed link interface, including Ethernet, synchronous PPP, Frame Relay, HDLC, support the fast-forwarding when firewall and NAT are configured, and support the fast-forwarding on GRE virtual tunnel interface. Please note that when the fast-forwarding is configured on an interface, this interface will never send ICMP redirection packets.
Example
# Configure the interface tunnel 0 on the router and disable fast-forwarding on the interface.
[Router] interface tunnel 0 [Router-Tunnel0] undo ip fast-forwarding

09 Command Manual VPN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

09 Command Manual VPN

Uploaded by

Copyright:

Available Formats

Command Manual VPN VRP1.

Huawei Technologies Proprietary i

Command Manual VPN VRP1.7

1L2TP Configuration Commands

Chapter 1 L2TP Configuration Commands

Huawei Technologies Proprietary 1

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.2 debugging l2tp

Huawei Technologies Proprietary 2

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.3 display l2tp session

1.1.4 display l2tp tunnel

Huawei Technologies Proprietary 3

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.5 l2tp domain

Huawei Technologies Proprietary 4

Command Manual VPN VRP1.7

1L2TP Configuration Commands

# Delimit the suffix by using multiple delimiters, such as @, and %.

1.1.6 l2tp enable

Huawei Technologies Proprietary 5

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.7 l2tp match-order

Huawei Technologies Proprietary 6

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.8 l2tp session-limit

Huawei Technologies Proprietary 7

Command Manual VPN VRP1.7

1L2TP Configuration Commands

Huawei Technologies Proprietary 8

Command Manual VPN VRP1.7

1L2TP Configuration Commands

Huawei Technologies Proprietary 9

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.12 ppp l2tp-used

Huawei Technologies Proprietary 10

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.13 reset l2tp tunnel

1.1.14 start l2tp

Huawei Technologies Proprietary 11

Command Manual VPN VRP1.7

1L2TP Configuration Commands

undo start l2tp [ ip ip-address ]

Huawei Technologies Proprietary 12

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.15 tunnel authentication

Huawei Technologies Proprietary 13

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.16 tunnel avp-hidden

Huawei Technologies Proprietary 14

Command Manual VPN VRP1.7

1L2TP Configuration Commands

1.1.17 tunnel flow-control

1.1.18 tunnel name

Huawei Technologies Proprietary 15