Avaya Bay Dial VPN User Manual
BayRS Version 14.00
Part No. 308606-14.00 Rev 00
September 1999
4401 Great America Parkway
Santa Clara, CA 95054
Configuring and Troubleshooting Bay Dial VPN Services
Copyright © 1999 Nortel Networks
All rights reserved. Printed in the USA. September 1999.
The information in this document is subject to change without notice. The statements, configurations, technical data,
and recommendations in this document are believed to be accurate and reliable, but are presented without express or
implied warranty. Users must take full responsibility for their a pplic a tions o f any products specifi ed in th is d ocum ent .
The information in this document is proprietary to Nortel Networks NA Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance
with the terms of that license. A summary of the Software License is included in this document.
NORTEL NETWORKS is a trademark of Nortel Networks.
Bay Networks, BCN, BLN, and BN are registered trademarks and Advanced Remote Node, ANH, ARN, ASN,
Baystream, BayRS, BaySecure Access Control, and System 5000 are trademarks of Nortel Networks.
Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are registered trademarks of Microsoft Co rporation.
All other trademarks and registered trademarks are t he property of their respective owners.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Sof tware clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in
the Commercial Computer Software-Restricted Rights cl ause at FAR 52.227-19.
Statement of Conditions
In the interest of improvi ng internal design, operational func tion , an d/o r re lia bi lity, Nortel Ne tworks NA Inc. re serv e s
the right to make changes to the products described in this document without notice.
Nortel Networks NA Inc. does not assume any liability that may occur due to the use or application of the product(s)
or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any docu mentation, advertising
materials, and other materials related to such distribution and use acknowledge that su ch portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information containe d herein are licensed only pursuant to a license agreement that
contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed
by third parties).
ii
308606-14.00 Rev 00
Nortel Networks NA Inc. Software License Agreement
NOTICE: Please carefully read this license agre ement before copying or using the accompanying software or
installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement).
BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF
THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS
UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept
these terms and conditions, return the product, unused and in the original shipping container, within 30 days of
purchase to obtain a credit for the full purchase price.
1. License Grant. Nortel Networks NA Inc. (“Nortel Networks”) grants the end user of the Software (“Licensee”) a
personal, nonex clusive, nontransferable license: a) to use the Softw are eit her on a single compute r or, if applicable, on
a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely
for backup purposes in support of authorized use of t he Software; and c) to use and copy the associated user manual
solely in support of authoriz ed use of th e Softwa re b y Licen see. Thi s license applies t o the So ftware o nly and d oes not
extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent
software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel
Networks NA Inc. Software License Agreement that accompanies such software and upon payment by the end user of
the applicable license fees for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected und er copyright laws.
Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including
any revisions made by Nortel Networks or it s licensors. The copyright notice must be repr oduced and included wit h
any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble,
use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user
manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or
transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks’
and its licensors’ confidential and proprietary inte lle ctu al pro p erty. Licensee shall not sublicense, assign, or otherwise
disclose to any third party the Software, or any information about the operation, design, performance, or
implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however,
Licensee may grant permission to its consultants, subcontractors, a nd agents to use the Softw are at Licensee’s facility,
provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty . Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly
installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function
substantially as described in its accompanying user manual during its warranty period, which begins on the date
Software is first shipped to Licensee. If an y item of S oftware f ails to so function d uring its w arranty period, as the sole
remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be
included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the
Software is provided will be free from defec ts in materials and wo rkman ship under no rmal use for a peri od of 90 da ys
from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is
returned to Nortel Netw orks during the warranty period along with proof of the date of ship ment. This warranty does
not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all
responsibility for selection of the Software to achieve Licensee’s intended results and for the installation, use, and
results obtained from the Software. Nortel Networks does not warrant a) that the functions contained in the software
will meet the Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that
the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects
in the operation of the Softw are will be corrected . Nortel Network s is not obligated to remedy any Software de fect that
cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i)
altered, except by Nortel Networks or in accordance with i ts instructions; (ii) used in conjunction with another
vendor’s product, resulting in the de fect; or (iii) damage d by improper environment, abuse, misuse, accident, or
negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE
IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible
308606-14.00 Rev 00
iii
for the security of its own data and information and for maintaining adequate procedures apart from the Software to
reconstruct lost or altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR
ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR
PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN
IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT
SHALL THE LIABILITY OF NORTEL NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT
EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to a ll Softwa re and docum entation acquired d irectly or i ndirectly by
or on behalf of the United States Government. The Software and documentation are commercial products, licensed on
the open market at market prices, and were developed entirely at private expense and without th e use of any U.S.
Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or
disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial
Computer Software––Restricte d Rig hts cla u se o f FAR 52.227-19 and the limitations se t o ut in thi s license for civilian
agencies, and subparagraph (c)(1)(ii ) of the Rights in Technical Data and Computer Software clause of DFARS
252.227-7013, for agencies of t he Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the
European Community. If Licensee uses the Software within a country in the European Community, the Software
Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the
examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such
intended examination of the Software an d may procure support and assistance from Nortel Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to
Nortel Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the
Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks’ confidential
information shall continue in effect. Licensee may terminate this license at any time. The license will automatically
terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any
reason, Licensee will immediat ely destroy or return to Nortel Networks the Software, user manuals, and all copies.
Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data
or information without first obtaining any required export licenses or other governmental approvals. Without limiting
the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first
obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert
any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports
are restricte d or em b argoed under United States export con tr o l la w s an d r egulations, or to an y national or resident of
such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any
military end user or for any military end use, including the design, development, or production of any chemical,
nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent
jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement
will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Nortel Networks, 4401 Great America Par kwa y,
P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND
AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS
AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND
LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND
COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS
AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORT EL
NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN
EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.
iv
308606-14.00 Rev 00
Contents
Preface
Before You Begin ............................................................................................................. xv
Text Conventions .............................................................................................................xvi
Acronyms ........................... .......................... .......................... ......................... ................xvii
Related Publications ........................................................................................................xix
How to Get Help ..............................................................................................................xix
Chapter 1
Tunneling Overview
Bay Dial VPN Overview .................. ...... ....... ...... ....... ...... ....... ...... ...................................1-1
What Is Tunneling? .........................................................................................................1-2
Layer 3 Tunneling ............................................................................................................1-4
Layer 2 Tunneling ............................................................................................................1-4
Comparing Layer 3 and Layer 2 Features ......................................................................1-4
How a Dial VPN Network Functions ............................................ ...... ....... ...... ................1-5
Dial VPN Network Components .....................................................................................1-7
Remote Dial-In Nodes ........................... ...... ....... ...... ....... ...... ...... ....... ......................1-7
ISP Network Components for Layer 3 Tunnels .........................................................1-8
Network Access Server (NAS) ..........................................................................1-8
Gateway .................................................................... ................................ ......... 1-9
Tunnel Management Server (TMS) ..................................................................1-10
ISP Network Components for Layer 2 Tunnels .......................................................1-10
L2TP Access Concentrator (LAC) ...................................................................1-11
Remote Access Server (RAS) .........................................................................1-11
Tunnel Management Server (TMS) ..................................................................1-11
Customer/Home/Internet Service Provider Network ..............................................1-11
Customer Premise Equipment (CPE) ..............................................................1-11
L2TP Network Server (LNS) ............................................................................1-12
RADIUS Authentication Server .......................... ....... ...... ...... ....... ...... ....... .......1 -1 2
308606-14.00 Rev 00
v
RADIUS Accounting Server ............................... ....... .......................................1-13
DHCP Server ...................................................................................................1-14
Additional Planning Information .............................................................................1-14
Where to Go Next .........................................................................................................1-14
Chapter 2
Dial VPN Layer 2 Tunneling
Building a Network for Layer 2 Tunneling .......................................................................2-2
L2TP Packet Encapsulation ............................................................................................2-4
Nortel Networks L2TP Implementation ...........................................................................2-5
Tunnel Management in L2TP Tunnels ............................................................................2-6
Security in an L2TP Network ..........................................................................................2-7
Tunnel Authentication ...............................................................................................2-7
RADIUS User Authentication ...................................................... ....... ...... ................2-9
RADIUS Accounting ... ....... ...... ....... ...... ....... ...... ............................................. ....... ...... .2-1 0
L2TP IP Interface Addresses ........................................................................................2-10
Remote Router Configuration .................................. ....... ...... ...... ....... ....................2-11
Starting an L2TP Session .............................................................................................2-11
Examples of L2TP Tunnels ...........................................................................................2-12
Making a Connection Across an L2TP Network ...........................................................2-13
When Does Dial VPN Tear Down the Tunnel? .......................................................2-14
Chapter 3
Dial VPN Layer 3 Tunneling
Building a Network for Layer 3 Tunneling .......................................................................3-2
How Tunnel Management Works ....................................................................................3-5
Tunnel Management in an
-Based Network ....................................................3-5
erpcd
Tunnel Management in an All-RADIUS Network ......................................................3-6
How the TMS Database Works ................................................................................3-6
Dynamically Allocating IP Addresses .............................................................................3-7
Using DHCP for Dynamic IP Address Allocation .....................................................3-7
How DHCP Works ....................................................................................................3-8
Using RADIUS for Dynamic IP Address Allocation ................................................3-10
How Dynamic IP Address Allocation Works .................................................................3-10
Assigning Addresses ..............................................................................................3-11
vi
308606-14.00 Rev 00
Using Secondary Gateways .........................................................................................3-13
Using a Backup Gateway .......................................................................................3-15
Using Load Distribution ..........................................................................................3-15
Configuring Secondary Gateways ..........................................................................3-15
Starting the Connection ................................................................................................3-16
A Day in the Life of a Layer 3 Packet ............................................................................3-18
How a Packet Moves Through a Dial VPN Network ...............................................3-20
How a Packet Returns to the Remote Node ..........................................................3-21
When Does Dial VPN Tear Down the Tunnel? .......................................................3-23
Chapter 4
Configuring the Remote Access Concentrator
Installing and Configuring the RAC Software .................................................................4-1
Loading Software and Booting the RAC .........................................................................4-6
Configuring Active RIP ...................................................................................................4-7
Defining Routes ........................................................................................................4-7
Configuring the RAC to Advertise RIP 1 and/or RIP 2 Updates ...............................4-8
Chapter 5
Configuring TMS and Security for
erpcd
Networks
Managing TMS Using the TMS Default Database .................................... ...... ................5-2
Using Tunnel Management Commands ..........................................................................5-4
Tunnel Management Commands ....................................................................................5-4
Command Arguments .....................................................................................................5-6
Configuring Local Authentication Using the ACP .........................................................5-12
Alternatives to the Default Database ............................................................................5-13
TMS System Log (Syslog) Messages ..........................................................................5-13
Chapter 6
Configuring the TMS Using RADIUS
Managing RADIUS-Based TMS .....................................................................................6-1
Tunnel Negotiation Message Sequence .........................................................................6-2
Using RADIUS Accounting .............................................................................................6-4
Service Provider Ac co unti ng Mess ages ..... ....... ...... ....... ...................................... ...6-4
RADIUS Attributes That Support Tunneling ....................................................................6-7
RADIUS Attributes for Backup and Distributed Gateways ..... ...... ...... ....... ...... ....... ...... ...6- 9
Configuring Secondary Gateways ................................................................................6-12
308606-14.00 Rev 00
vii
TMS Parameters for erpcd-Based and All-RADIUS Tunnels ........................................6-14
TMS System Log (Syslog) Messages ..........................................................................6-15
Chapter 7
Configuring Layer 3 Gateways
Configuring the Gateway ................................................................................................7-1
Gateway Accounting Messages .....................................................................................7-5
Chapter 8
Requirements Outside the ISP Network
Configuring a Static Route and an Adjacent Host ..........................................................8-2
Configuring a Nortel Networks CPE Router Using Site Manager ...................................8-3
Configuring the Adjacent Host and Static Routes ....................................................8-5
How the Adjacent Host Entry and Static Routes Work Together .............................8-5
Configuring an Adjacent Host Between the CPE and the Gateway .........................8-6
Configuring a Static Route Between the CPE and the Gateway ..............................8-7
Configuring Frame Relay on the CPE Router .................................................................8-8
Configuring PPP on the CPE Router ..............................................................................8-9
Configuring the CPE Router for IPX Support (Layer 3 Only) ........................................8-10
Configuring IPX on a PPP Connection ..................................................................8-10
Configuring IPX on a Frame Relay Connection .....................................................8-12
Configuring the CPE Router as a Layer 2 Tunnel End Point ..................................8-13
Enabling L2TP ........................................................................................................8-13
Enabling L2TP on an Unconfigured WAN Interface ......................................................8-14
Enabling L2TP on an Existing PPP Interface ...............................................................8-15
Enabling L2TP on an Existing Frame Relay Interface ..................................................8-16
Installing and Configuring BSAC on the Home Network ..............................................8-17
Configuring IPX on the Home Network RADIUS Server ..............................................8-18
Configuring DHCP Dynamic Address Assignment (Layer 3) ........................................8-18
Defining Assignable DHCP Address Ranges ...............................................................8-19
Creating Scopes and a Superscope .............................................................................8-20
Creating the Home Agent (RADIUS Client) Scope ................................................8-20
Creating the Scope of Assignable Addresses ........................................................8-21
Creating a Superscope ..........................................................................................8-21
viii
308606-14.00 Rev 00
Chapter 9
Managing a Dial VPN Network
Enabling and Activating Dial VPN ...................................................................................9-2
Upgrading and Changing Your Dial VPN Network ..........................................................9-2
Removing Dial VPN from Your Network .........................................................................9-2
Appendix A
Planning Worksheet
Dial VPN Network Planning Worksheet ......................................................................... A-1
At the Dial VPN Service Provider’s Site ................................................... ....... ...... .. A-2
For Each Destination Site ....................................................................................... A-3
For Each Remote Node .......................................................................................... A-4
Appendix B
Syslog Messages
BayRS Messages .......................................................................................................... B-1
Remote Access Concentrator Syslog Messages .......................................................... B-1
TMS Syslog Messages .................................................................................................. B-4
Appendix C
Troubleshooting
What’s in This Appendix .................................... ....... ...... ....... ...... ...... ....... ...... ....... ...... .. C-1
Preventing Problems ......................................................................................................C-2
Preparing to Troubleshoot .............................................................................................. C-3
Troubleshooting Worksheet ................... ...... ....... ...... ....... ...... .................................. C-4
Using the System Logs (syslogs) to Diagnose Problems ....................................... C-7
Getting a Snapshot of the Current Status on a BayRS Device ...............................C-8
Troubleshooting Specific Protocol s . ...... ....... ...... ....... ...... ....... ...... ...... ....... ...... .............C-15
Troubleshooting a Site Manager Problem .................................................................... C-15
Troubleshooting Remote Access Concentrator Problems ........................................... C-15
Tracing a Packet’s Path at the Remote Access Concentrator ...............................C-22
Troubleshooting Tunnel Problems ................ ...... ....... ............................................. ...... C-24
308606-14.00 Rev 00
ix
Operation and Troubleshooting Layer 2 Tunnels .......................................................... C-25
Troubleshooting the LAC ....................................................... ...... ....... ...... ....... ...... C-25
Troubleshooting the LNS ....................................................... ...... ....... ...... .............C-26
Troubleshooting the BSAC RADIUS Server ....................................... ...... ....... ...... C-31
Activity Log .....................................................................................................C-31
Accounting Log ............................................................................................... C-32
Appendix D
Tips and Techniques
Configuring Cisco Routers for Dial VPN CPE Equipment .............................................D-1
Dial-In Network Access Examples .. ...... ....... ...... ....... ...... ............................................. .. D-4
Configuration ..................... ....................................... ....................................... ........D-4
Example 1 ......................................................................................................... D-4
Dial-In Router Configuration .............................. ............................................. .. D-5
CPE Router Configuration ................................................................................ D-6
RADIUS Configuration ................................. ...... ....... ...... .................................. D-6
Gateway .................................................................... ................................ ........ D-7
Example 2 ......................................................................................................... D-7
Estimating the Feasible Number of Dial VPN Users ......................................................D-8
Glossary
Index
x
308606-14.00 Rev 00
Figures
Figure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels ...............................1-3
Figure 1-2. Dial VPN Network with Connections to Different Destination Types ........1-6
Figure 2-1. Layer 2 Tunnel Packet Path ......................................................................2-2
Figure 2-2. L2TP Packe t Encapsulation Process .......................................................2-5
Figure 2-3. Tunnel Authentication Control Messages .................................................2-9
Figure 2-4. L2TP Network Using a LAC ...................................................................2-12
Figure 2-5. L2TP Network Using a RAS ...................................................................2-12
Figure 3-1. Layer 3 Tunnel Packet Path ......................................................................3-2
Figure 3-2. DHCP Operational Timeline .....................................................................3-9
Figure 3-3. Dial VPN Dynamic IP Address Management Sequence ........................3-12
Figure 3-4. Dial VPN Network with Secondary Gateways on the
Frame Relay Connection .......................................................................3-14
Figure 3-5. Packet Encapsulation and Decapsulation Process ................................3-19
Figure 3-6. Sending a Packet to a Remote Node .....................................................3-21
Figure 3-7. Static Routes from a CPE Router to a Dial VPN Gateway .....................3-22
Figure 6-1. Message Exchanges Supporting RADIUS TMS Operations ...................6-3
Figure 8-1. Static Route Between the CPE Router and the Gateway ........................8-2
Figure C-1. Network Topology for ping -t Examples ................................................. C-23
Figure D-1. ASN with one subnet as Dial-in Client .................................................... D-5
308606-14.00 Rev 00
xi
Tables
Table 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation ...........................1-5
Table 4-1. Where to Find Configuration Information .................................................4-1
Table 5-1. tms_dbm Tunnel Management Commands .............................................5-4
Table 5-2. tms_dbm Command Arguments ..............................................................5-6
Table 6-1. Service Provider User Start Accounting Messages .................................6-5
Table 6-2. Service Provider User Stop Accounting Messages .................................6-6
Table 6-3. General Tunneling Attributes ....................................................................6-7
Table 6-4. RADIUS Attributes That the Gateway Supports ......................................6-8
Table 6-5. BSAC TMS Attributes for Secondary Gateways ....................................6-10
Table 6-6. TMS Parameter Equivalents ..................................................................6-14
Table 7-1. Gateway Accounting Messages ...............................................................7-5
Table 8-1. IPX Encapsulation Types by Media ........................................................8-12
Table B-1. Remote Access Concentrator Syslog Messages .................................... B-1
Table B-2. TMS Syslog Messages ........................................................................... B-5
Table C-1. Problem Symptoms and Likely Causes .................................................. C-6
Table C-2. Remote Access Concentrator Troubleshooting Chart ...........................C-16
308606-14.00 Rev 00
xiii
This guide describes Bay Networ ks Dial Virtual Private Network (VPN) and what
you do to start and customize Bay Dial VPN services on a Nortel Networks
router.
Before You Begin
Before using this guide, you must complete the following procedures. For a new
router:
• Install the router (see the installation guide that came with your router).
Preface
™
• Connect the router to the network and create a pilot configuration file (see
Make sure that you are runni ng the lates t versio n of Nortel Netw orks BayRS
Site Manager software. For information about upgrading BayRS and Site
Manager, see the upgrading guide for your version of BayRS.
308606-14.00 Rev 00
Quick-Starti ng Router s, Configuring BaySt ac k Remo te Access
ASN Routers to a Network)
.
, or
Connecting
™
and
xv
Configuring and Troubleshooting Bay Dial VPN Services
Text Con ventions
This guide uses the following text conventions:
angle brackets (< >) Indicate that you choose the text to enter based on the
description inside the brackets. Do not type the
brackets when entering the command.
Example: If the command syntax is:
ping
<
ip_address
ping 192.32.10.12
>, you enter:
bold text
Indicates command names and options and text that
you need to enter.
Example: Enter
show ip {alerts | routes
Example: Use the
dinfo
command.
}.
braces ({}) Indicate required elements in syntax descriptions
where there is more than one option. You must choose
only one of the options. Do not type the braces when
entering the command.
Example: If the command syntax is:
show ip {alerts | routes
show ip alerts or show ip routes
}
, you must enter either:
, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions. Do
not type the brackets when entering the command.
Example: If the command syntax is:
show ip interfaces [-alerts
show ip interfaces
or
]
, you can enter either:
show ip interfaces -alerts
.
ellipsis points (. . . ) Indicate that you repeat the last element of the
command as needed.
xvi
Example: If the command syntax is:
ethernet/2/1
ethernet/2/1
[<
parameter> <value
and as many parameter-value pairs as
needed.
. . .
>]
, you enter
308606-14.00 Rev 00
Preface
italic text Indicates file and directory names, new terms, book
titles, and variables in command syntax descriptions.
Where a variable is two or mor e words, the words are
connected by an underscore.
Example: If the command syntax is:
show at
valid_route
<
valid_route
>
is one variable and you substitute one value
for it.
screen text Indicates system output, for example, prompts and
system messages.
Acronyms
Example:
Set Trap Monitor Filters
separator ( > ) Shows menu paths.
Example: Protocols > I P ide nti fies the IP option on the
Protocols menu.
vertical line (
) Separates choices for command keywords and
|
arguments. Enter only one of the choices. Do not type
the vertical line when enteri ng the command.
Example: If the command syntax is:
show ip {alerts | routes
show ip alerts
or
}
, you enter either:
show ip routes
, but not both.
ACP Access Control Protocol
BRI Basic Rate Interface
CHAP Challenge Handshake Authentication Protocol
CLI command line interface
CPE customer premise equipment
DLCI Data Link Control Interface
DNIS domain name information server
DTE data terminal equipment
308606-14.00 Rev 00
xvii
Configuring and Troubleshooting Bay Dial VPN Services
erpcd expedited remote procedure call daemon
FTP File Transfer Protocol
GRE Generic Routing Encapsulation
GUI graphical user interface
IETF Internet Engineering Task Force
IP Internet P rotocol
IPCP Internet Protocol Control Protocol
IPX Internet Packet Exchange
IPXCP Internet Packet Exchange Control Protocol
ISDN Integrated Services Digital Network
ISO International Organization for Standardization
ISP Internet Service Provid er
LAC Layer 2 Tunneling Protocol access concentrator
L2TP Layer 2 Tunneling Protocol
LAN local area network
xviii
LNS Layer 2 Tunneling Protocol network server
MAC media access control
NAS network access server
OSI Open Systems Interconnection
PAP Password Authentication Protocol
POP point of presence
PPP Point-to-Point Protocol
PRI Primary Rate Inter face
PSTN public-switched telephone network
PVC permanent virtual circuit
RADIUS Remote Authentication Dial-In User Service
RIP Routing Information Protocol
SAP Service Advertising Protocol
SMDS Switched Multimegabit Data Se rvice
308606-14.00 Rev 00
SNMP Simple Network Management Protocol
SPB session parameter block
SPI security parameter index
TCP Transmission Control Protocol
TMS tunnel management server
UNI user netw ork interface
VPN virtual private ne twork
WAN wide area network
Hard-Copy Technical Manuals
You can print selected technical manuals and release notes free, directly from the
Internet. Go to support.baynetworks.com/library/tpubs/. Find the product for
which you need documentation. Then locate the specific category and model or
version for your hardw are or soft ware product . Usi ng Adobe Ac robat Re ader, you
can open the manuals and releas e notes, search for the sections you ne ed, and print
them on most standard printers. You can download Acrobat Reader free from the
Adobe Systems Web site, www.adobe.com.
Preface
You can purchase selected documentation sets, CDs, and technical publications
through the collateral catalog. The catalog is located on the World Wide Web at
support.baynetworks.com/catalog.html and is divided into sections arranged
alphabetically:
• The “CD ROMs” section lists available CDs.
• The “Guides/Books” section lists books on technical topics.
• The “Technical Manuals” section lists available printed documentation sets.
308606-14.00 Rev 00
xix
Configuring and Troubleshooting Bay Dial VPN Services
How to Get Help
If you purchased a service contract for your Nortel Networks product from a
distributor or authorized reseller, contact the technical support staff for that
distributor or reseller for assistance.
If you purchased a Nort el Net wor ks s ervice pr ogram, c ontact one of the f ollowing
Nortel Networks Technical Solutions Centers:
Technical Solutions Center Telephone Number
Billerica, MA 800-2LANWAN (800-252-6926)
Santa Clara, CA 800-2LANWAN (800-252-6926)
Valbonne, France 33-4-92-96-69-68
Sydney, Australia 61-2-9927-8800
Tokyo, Japan 81-3-5402-7041
xx
308606-14.00 Rev 00
Bay Networks Dial Virtual Private Network Services provides secure dial-access
services for corporate telecommuters, mobile professionals, and users in remote
branch offices. Dial VPN provides switched connectivity to virtual private
networks (VPNs), based on Internet Engineering Task Force (IETF)
specifications. Corporate customers can subscribe to this service for remote dial
access to virtual private networks or to the Internet over telephone lines.
Bay Dial VPN Overview
Chapter 1
Tunneling Overview
Dial VPN offers remot e users si mple and secu re access to virtual pr ivate net works
and the Internet through a mechanism known as a tunnel. A tunnel is a secure,
virtual, direct path between two end points. The process of encapsulating,
sending, and decapsulating the datagram is called tunneling, and the encapsulator
and decapsulator are considered the end points of the tunnel. Dial VPN
dynamically establishes and removes tunnels as needed. Dial VPN supports both
Layer 3 and Layer 2 tunneling (referring to the ISO model) on the same Internet
Service Provider (ISP) network.
Dial VPN lets ISPs offer a remote access outsourcing service to their enterprise
customers. Multiple enterprise customers share the same resources in the service
provider’s network or Internet. Because a given user’s data is tunneled, it is
inherently secured from the ISP’s other customers, similar to PVCs in a frame
relay netw ork. Each en terprise customer is responsible for authenticat ing
individual dial-in users and assigning network addresses.
Using Dial VPN, an ISP’s enterprise customers can dial in to a local ISP
point-of-presence (POP) rather than potentially making a long distance call to a
Remote Access Concentrator located at the home network. Dial VPN can also
eliminate costs associated with maintaining the remote access equipment.
308606-14.00 Rev 00
1-1
Configuring and Troubleshooting Bay Dial VPN Services
Dial VPN encapsulates multiprotocol data within an IP datagram. It then sends the
encapsulated packets through bidirectional IP tunnels over the service provider’s
IP routed backbone to the user’s home network.
Dial VPN implements concepts from IETF working groups, draft specifications,
and standards such as Mobile IP and Remote Authe ntica tion Dial -In User Servi ce
(RADIUS), in addition to IP routing, frame relay, and Point-to-Point Protocol
(PPP).
Dial VPN runs on a variety of Nortel Networks hardware platforms. The Dial
VPN network access server (NAS) function runs on the Remote Access
Concentrator (RAC) Model 8000, and the 5399 RAC module for the System
5000™ MSX™.
Platforms running BayRS, such as the Access Stack Node (ASN™), the
Backbone Node (BN
BLN-2, and BCN
function as the Dial VPN gateway (for Layer 3 Dial VPN), or as the L2TP
network server (LNS, for Layer 2 Dial VPN) or CPE (Layer 3) router on the
customer’s home network.
You configure Dial VPN using the same tools that you use to configure the
Remote Access Concentrato r and t he BayRS pl atfor m (that is, th e Remote Ac cess
Concentrator command l i ne i nt erface, CLI, and Site Manag er) . Al l t he fe at ure s of
Remote Access Concentrators and of BayRS are available on your Dial VPN
system.
What Is Tunneling?
Tunneling is a way of for w ar di ng mul ti pr oto col traffic and a ddr esses from remote
nodes to a corporate network through an Internet Service Provider’s IP backbone
network. Encapsulation is the tunneling mechanism. It takes an incoming packet
of any protocol, wraps that packet’s contents in a tunnel packet, then routes the
encapsulated packet over the Dial VPN IP network.
®
) family of high performance switch/routers (BLN®,
®
), and the Model 5380 module for the System 5000 MSX, can
1-2
308606-14.00 Rev 00
Tunneling Overview
Dial VPN dynamically creates a tunnel when it connects to the remote node’s
home network. One end point of the tunnel is the access concentrator. The other
end point is either the gateway router on the ISP’s network (for a Layer 3 tunnel)
or the L2TP network server (for a Layer 2 tunnel). Once the tunnel is created,
packets from the remote node and the corporate home network flow through the
tunnel. In a Layer 3 connection, each tunnel supports one user. The tunnel exists
as long as the user remains connected. In a Layer 2 connection, each user is a
session. A tunnel is established only once between a LAC and an LNS.
After establishing a conne ction, the NAS rece ives a PPP packet (o r payload) fr om
the remote node. The packet moves fr om the NAS, through t he tunnel to t he home
network.
Dial VPN supports both Layer 3 and Layer 2 tunnels on the same ISP network.
Figure 1-1
shows a Dial VPN network with both Layer 3 and Layer 2 (L2TP)
tunnels.
WAN
(PPP or
Frame rela y)
Remote
node
PPP
Remote
node
PPP
RAC
Layer 3 tunnel
IP Network
L2TP tunnel
GW
Customer Premise
Router
Authentication
accounting
Authorization
IP management
Server
Figure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels
308606-14.00 Rev 00
TMS
Customer Premise
Router
Authentication
Accounting
Authorization
IP Management
Server
DVS0017A
1-3
Configuring and Troubleshooting Bay Dial VPN Services
Layer 3 Tunneling
In Layer 3 tunneling, the tunnel exists between the Network Access Server
(NAS), which is a Remote Access Concentrator (RAC), and a gateway router.
Both end points of the tunnel are within th e ISP network.
Layer 2 Tunneling
In Layer 2 tunneling, the tunnel exists between the Layer 2 Tunneling Protocol
(L2TP) access concentrator (LAC), usually a remote access concentrator on the
ISP network, and the L2TP network server (LNS), a router or extranet access
switch on the customer’s home network. Rath er than terminating at the remote
access concentrator, the IP tunnel extends the PPP session to the LNS, which acts
as a virtual remote access concentrator.
Note:
In this guide, the term LAC refers to a remote access server with L2TP
capabilities. The term RAS refers to a remote access server without L2TP
capabilities.
Other features of L2TP include using the Internet infrastructure to support
multiple protocols a nd unregistered IP addresses. Be cause the dia l-in user’ s data is
tunneled at Layer 2 and above (in the ISO model), the L2TP protocol is
independent of Layer 3 information. Enterprise customers with unregistered IP
addressing schemes can also use L2TP to reach their home network.
Comparing Layer 3 and Layer 2 Features
Dial VPN supports both Layer 3 and Layer 2 tunneling on the same ISP network.
Both provide secure network access for dial-in users to their home networks.
Table 1-1
Layer 2 tunneling.
1-4
briefly compares the most significant features of both Layer 3 and
308606-14.00 Rev 00
Tunneling Overview
Table 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation
Dial VPN Feature Layer 3 Layer 2
Tunnel management
Protocol Mobile IP L2TP
Encapsulation GRE L2TP
Tunnel end points NAS and gateway LAC and LNS
Dynamic IP address
allocation
Layer 3 protocols
supported
, ACP, or
erpcd
RADIUS (BSAC)
IP pooling or DHCP IP pooling
IP, IPX IP
How a Dial VPN Network Functions
Any authorized remote user (using a PC or dial-up router) who has access to a
phone line and a modem can dial into your network through Dial VPN. A remote
node can be an individual user dialing in or a dial-up router (using IP) through a
public-switched telephone network (PSTN) or an ISDN connection. A remote
user can dial in to a Dial VPN network to connect either to a corporate or home
network or to a third-pa rty ISP. Dial VPN regards these as functionally equival ent.
Figure 1-2
configuration. In reality, a Dial VPN service provider’s network might include
several remote acce ss se rvers to service a va ri ety of dial-in users , wit h both Layer
3 and Layer 2 tunn els s erv ing different types of networks. You can configure Di al
VPN so that its operation is transparent both to users and applications. You may
find it useful to draw a map of your own configuration and label the interfaces
with their IP and, if appropriate, frame relay Data Link Connection Identifier
(DLCI) addresses.
is a simplified illustration of one possible Layer 3 Dial VPN
, ACP, or RADIUS
erpcd
(BSAC)
308606-14.00 Rev 00
1-5
Configuring and Troubleshooting Bay Dial VPN Services
Tunnel
domain
Service
provider network
data
Third-party
Internet
service
provider
network
Customer
network
Internet
CPE
CPE
LAN
CPE
Customer
RADIUS
server
Remote
node
PPP
connection
PSTN
Network
access
server (NAS)
TMS /erpcd
server
Gateway
T unnel
Frame relay
or PPP
Figure 1-2. Dial VPN Network with Connections to Different Destination Types
Figure 1-2 shows a Dial VPN serv ice provider network wit h a Layer 3 t unnel. The
gateway provides connection services both to a corporate LAN and to a
third-party ISP network. This figure shows only one tunnel, but in reality Dial
VPN creates one tunnel for each dial-in connection.
User
data
Third-party
ISP
RADIUS
server
DVS0012A
In this illustration, a user at a remote node can dial in to a corporate or home
network or a third-party ISP by calling a local phone number associated with that
destination network. The network access server handles the call. The service
provider’s network uses a standard IP connection between the network access
server, shown here as a 5399 module in a 5000 MSX chassis, and the gateway. A
PPP connection or a frame relay PVC and a static route must exist between the
gateway and the customer premise equipment (CPE) router to provide a path for
packets to return to the remote node.
1-6
308606-14.00 Rev 00
For Nortel Networks routers used with a Layer 3 Dial VPN tunnel, you must
specify an adjacent host and a static route between the gateway and the CPE, and
also between the CPE router and the remote node. (The adjacent host and static
routes do not appear in this diagram.) For an illustration of Layer 3 tunneling, see
Chapter 3
The rest of this guide describes how to install and configure a Dial VPN service
provider network. It also indicates the requirements for the remote node and the
RADIUS and DHCP servers, with references to the documentation that explains
how to do the configuration.
.
Dial VPN Network Components
Installing and configuring a Dial VPN service provider network involves several
tasks, some of which you may already have completed. You must:
• Plan the network.
• Install and connect the network hardware.
• Install and configure the network software.
Tunneling Overview
• Verify that the elements outside the Dial VPN networ k, specifica lly the
remote server or servers, the router on the home network, and the remote
dial-in nodes, are properly configured.
• Power up, test, and troubleshoot your network.
See the docu mentation for each of these en tities for information on how to install
and configure them.
This guide deals specifically with how you combine these elements into a Bay
Dial VPN network. The following sections summarize the elements of Dial VPN
networks.
Remote Dial-In Nodes
Remote nodes can be PCs (portable hosts) or dial-up routers, using PPP for
dial-up connections. The portable host must have PPP client software and a
TCP/IP or IPX protocol stack loaded.
Dial VPN supports dial-up IP (and, for Layer 3, IPX) over PPP for dial-in PC
clients and IP over PPP for dial-in routers connected to LANs.
308606-14.00 Rev 00
1-7
Configuring and Troubleshooting Bay Dial VPN Services
The following considerations apply only to Layer 2 (L2TP) tunnels:
• If the PC or router does not have built-in L2TP software capabilities, it dials
into a LAC, which provi des a tunnel across the Internet to the cor por at e LNS.
This type of connection is the primary focus of this guide.
• If the PC or router is an L2TP client, that is, it has built-in L2TP capability,
the L2TP client software provides a tunnel through a network access server
across the Internet to the corporat e LNS. A LAC is unnecessar y with an L2TP
client.
The main difference between connecting an L2TP client and a nonclient is the
starting point of the tunnel. For an L2TP client, the tunnel begins at the PC or
router; for a non-L2TP client, the tunnel be gins at t he LAC. Al l tunnels end at the
LNS.
ISP Network Components for Layer 3 Tunnels
The devices that make up t he Dial VPN service provider network can be all at the
same site or can be separated by several “hops” within the same network. A
network with Layer 3 Dial VPN tunnels can consist of a network access server
(NAS), a gateway router that serves as the tunnel end point, and a tunnel
management server.
Network Access Server (NAS)
A network access server (NAS) can be a Remote Access Concentrator
Model 8000 or a System 5000 chassis with one or more Model 5399 Remote
Access Concentrator modules . Each module is configur ed with a net work addre ss
belonging to the service provider’s address domain. The Remote Access
Concentrator 8000/5399 includes a dual WAN server, which can support both
analog calls and digital calls carried over ISDN. The NAS receives and processes
calls from remote nodes and routes data to remote nodes.
Note:
This guide uses the term network access server (NAS) to refer to the
device that performs network access functions, such as answering dial-in user
calls, authenticat ing tunne l user s, build ing tunn els, and so on. In the Dial VPN
context, this device is usually a Remote Access Concentrator (RAC). Other
documents may refer to this same device as a remote access server (RAS).
Essentially, all three terms (NAS, RAS, and RAC) refer to functionally the
same device.
1-8
308606-14.00 Rev 00
Tunneling Overview
Gateway
Used only in Layer 3 networks, the gateway can be an ASN, BLN, BLN-2, BCN,
or System 5000 MSX equipped with a Model 5380 module running BayRS
software.
The gateway connects the Dial VPN service provider’s network and the CPE
router on the remot e user’s home network. The gateway performs convent ional IP
routing functions configured on interfaces connected to the IP network, through
which the network access servers can be reached.
The gateway is the end point of the IP-routed tunnels that transport packets
originated by remote nodes and encapsulated by the NAS. The gateway also
connects to the CPE router on the user’s home network. The gateway is the data
terminal equipment (DTE) for frame relay PVCs or PPP connections connecting
to multivendor RFC 1490-compliant routers on the customer premises.
For a frame relay network, the connection is through a frame relay user network
interface (UNI). The gateway forwards traffic between a remote node and the
corresponding node in its h ome network by f orward ing pa ckets over a f rame relay
PVC connecting the UNI to the IP tunnel. Thus, the gateway uses the IP tunnel
and the frame relay PVC as two links through which it can send the user traffic
from one side to the other.
With a frame relay connection, you can also configure up to 10 secondary
gateways for use as backup gateways or as a load-balancing mechanism.
The PPP connection between the gateway and the customer’s home network
functions in a similar way, except that the connection is through a PPP interface
instead of a frame relay interface.
The gateway may also act as a RADIUS client to authenticate the remote user
based on information provi ded from the NAS. The RADIUS client on the gateway
sends an authentication request to the RADIUS server on the home network,
which either grants or denies the request in a message to the gateway. The
gateway the n returns this information to the NAS to continue the proc ess.
308606-14.00 Rev 00
1-9
Configuring and Troubleshooting Bay Dial VPN Services
Tunnel Management Server (TMS)
The mechanism for identifying tunneled users is the tunnel management server
(TMS) that resides on a tunnel management server.
For Layer 3 tunnels, the NAS re tr ieves t he tunne l confi gurat ion a ttri butes f rom its
TMS database residing o n t he t unnel management server and uses them to build a
tunnel into the customer’s network. Once the tunnel is open, the user can be
authenticated at the customer’s network. Tunnel management can be either
RADIUS or erpcd-based.
• In the RADIUS method, a RADIUS server resid es at the service provider site
and manages the TMS database. The NAS and the RADIUS server
communicate using IP over the service provider network. Backup gateways
and load distribution mode require the use of the RADIUS method.
•In the erpcd-based method, the TMS hosts a datab ase appl ic ati on (the Tunnel
Management System) that controls the IP tunnel establishment attempt from
the NAS. The TMS runs on the same UNIX host as the Access Control
Protocol (ACP) software. The NAS and the TMS communicate using the
Nortel Networks proprietary Expedited Remote Procedure Call Daemon
(erpcd or Secure erpc d). Both Layer 3 and Layer 2 tunnels can use this
method.
In either method, the NAS queries the TMS database for the addressing
information it needs to construct the IP tunnel. This query is based on the user
domain name and on the policy and state information of the enterprise customer
account when the r emot e u ser di al s in. As a Dial VPN network administrator, you
must provide the user domain and tunnel addressing information to the TMS
database for each enterprise customer. Chapter 5
commands you can use to provision the default TMS database.
ISP Network Components for Layer 2 Tunnels
The following sections describe the components of a network with Layer 2
tunnels. A network with Layer 2 Dial VPN tunnels also has a NAS (which may
function as either a LAC or a RAS) and a tunnel management server. The edge
router, however, doe s not function as a ga tewa y; ra ther, the t unne l end point is the
CPE router on the customer’s home network. The network itself can have
additional components. Thi s descr iptio n pertains only to tho se rele vant to Lay er 2
tunneling.
1-10
and Chapter 6 describe the
308606-14.00 Rev 00
Loading...