262Creating a VT interfaceAfter an L2TP session is established, a PPP session is needed for data exchange with the peer. Thesystem will dynamically create PPP sessions based on the parameters of the virtual template (VT)interface. To configure an LNS, first create a VT interface and configure the following parameters forit:• Interface IP address.• Authentication mode for PPP users.• IP addresses allocated by the LNS to PPP users.For information about configuring VT interfaces, see "Configuring PPP" and Layer 3—IP ServicesConfiguration Guide.Configuring an LNS to accept L2TP tunneling requests froman LACWhen receiving a tunneling request, an LNS performs the following operations:• Determines whether to accept the tunneling request by checking whether the name of thetunnel peer (LAC) matches the one configured.• Determines the VT interface to be used for creating the PPP session.To configure an LNS to accept L2TP tunneling requests from an LAC:Step Command Remarks1. Enter system view. system-view N/A2. Enter L2TP group view in LNSmode.l2tp-group group-number[ mode lns ] N/A3. Configure the LNS to accepttunneling requests from anLAC and specify the VTinterface to be used for tunnelsetup.• If the L2TP group numberis 1:allow l2tpvirtual-templatevirtual-template-number[ remote remote-name ]• If the L2TP group numberis not 1:allow l2tpvirtual-templatevirtual-template-numberremote remote-nameBy default, an LNS deniestunneling requests from any LAC.If the L2TP group number is 1, theremote remote-name option isoptional. If you do not specify thisoption, the LNS accepts tunnelingrequests from any LAC.Configuring user authentication on an LNSAn LNS can be configured to authenticate a user that has passed authentication on the LAC toincrease security. In this case, the user is authenticated once on the LAC and once on the LNS. AnL2TP tunnel can be established only when both authentications succeed.An LNS provides the following authentication methods in ascending order of priority:• Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends theLNS all user authentication information from users and the authentication method configured onthe LAC itself. The LNS then checks the user validity according to the received information andthe locally configured authentication method.• Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticateusers who have passed authentication on the LAC.