Avaya Dial VPN DVS User Manual

Configuring and Troubleshooting Bay Dial VPN Services

BayRS Version 13.00 Site Manager Software Version 7.00
Part No. 303509-A Rev 00 October 1998
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821
Copyright © 1998 Bay Networks, Inc.
All rights reserved. Printed in the USA. October 1998. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.
Trademarks
AN, BCN, BLN, BN, FRE, Optivity, PPX, and Bay Networks are registered trademarks and Advanced Remote Node, ANH, ARN, ASN, BayRS, BaySecure, BayStack, BayStream, BCC, SPEX, System 5000, and the Bay Networks logo are trademarks of Bay Networks, Inc.
Microsoft, MS, MS-DOS, Win32, Windows, Internet Explorer, and Windows NT are registered trademarks of Microsoft Corporation.
All other trademarks and registered trademarks are the property of their respective owners.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the products described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
1. License Grant. Bay Networks, Inc. (“Bay Networks”) grants the end user of the Software (“Licensee”) a personal, nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Bay Networks Agent software or other Bay Networks software products. Bay Networks Agent software or other Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Bay Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Bay Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Bay Networks’ and its licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee’s facility, provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Bay Networks warrants each item of Software, as delivered by Bay Networks and properly installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Bay Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release.
These warranties do not apply to the Software if it has been (i) altered, except by Bay Networks or in accordance with its instructions; (ii) used in conjunction with another vendor’s product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software––Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks’ confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America Parkway, P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST BAY NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

Contents

Preface
Before You Begin ............................................................................................................. xv
Text Conventions ..............................................................................................................xv
Acronyms ........................................................................................................................xvii
Bay Networks Technical Publications ..............................................................................xix
How to Get Help ..............................................................................................................xix
Chapter 1 Tunneling Overview
Bay Dial VPN Overview .................................................................................................. 1-1
What Is Tunneling? .........................................................................................................1-2
Layer 3 Tunneling ...........................................................................................................1-4
Layer 2 Tunneling ...........................................................................................................1-4
Comparing Layer 3 and Layer 2 Features ......................................................................1-4
How a Dial VPN Network Functions ...............................................................................1-5
Dial VPN Network Components .....................................................................................1-7
Remote Dial-In Nodes ..............................................................................................1-7
ISP Network Components for Layer 3 Tunnels ........................................................1-8
Network Access Server (NAS) ..........................................................................1-8
Gateway .............................................................................................................1-9
Tunnel Management Server (TMS) .................................................................1-10
ISP Network Components for Layer 2 Tunnels ......................................................1-10
L2TP Access Concentrator (LAC) ...................................................................1-11
Remote Access Server (RAS) .........................................................................1-11
Tunnel Management Server (TMS) .................................................................1-11
Customer/Home/Internet Service Provider Network ..............................................1-11
Customer Premise Equipment (CPE) ..............................................................1-11
L2TP Network Server (LNS) ............................................................................1-12
RADIUS Authentication Server ........................................................................ 1-12
RADIUS Accounting Server .............................................................................1-13
DHCP Server ...................................................................................................1-14
Additional Planning Information .............................................................................1-14
Where to Go Next .........................................................................................................1-14
Chapter 2 Dial VPN Layer 2 Tunneling
Building a Network for Layer 2 Tunneling ........................................................................2-2
L2TP Packet Encapsulation ............................................................................................2-4
Bay Networks L2TP Implementation ..............................................................................2-5
Tunnel Management in L2TP Tunnels ............................................................................2-6
Security in an L2TP Network ..........................................................................................2-7
Tunnel Authentication ...............................................................................................2-7
RADIUS User Authentication ...................................................................................2-9
RADIUS Accounting .....................................................................................................2-10
L2TP IP Interface Addresses ........................................................................................2-10
Remote Router Configuration ................................................................................2-11
Starting an L2TP Session .............................................................................................2-11
Examples of L2TP Tunnels ...........................................................................................2-12
Making a Connection Across an L2TP Network ...........................................................2-13
When Does Dial VPN Tear Down the Tunnel? .......................................................2-14
Chapter 3 Dial VPN Layer 3 Tunneling
Building a Network for Layer 3 Tunneling ........................................................................3-2
How Tunnel Management Works ....................................................................................3-4
Tunnel Management in an erpcd-Based Network ....................................................3-4
Tunnel Management in an All-RADIUS Network .....................................................3-5
How the TMS Database Works ................................................................................ 3-6
Dynamically Allocating IP Addresses .............................................................................3-6
Using DHCP for Dynamic IP Address Allocation .....................................................3-7
How DHCP Works ....................................................................................................3-7
Using RADIUS for Dynamic IP Address Allocation ..................................................3-9
How Dynamic IP Address Allocation Works ...................................................................3-9
Assigning Addresses ..............................................................................................3-10
Starting the Connection ................................................................................................3-12
A Day in the Life of a Layer 3 Packet .............................................................................3-14
How a Packet Moves Through a Dial VPN Network ...............................................3-16
How a Packet Returns to the Remote Node ..........................................................3-17
When Does Dial VPN Tear Down the Tunnel? .......................................................3-19
Chapter 4 Configuring the Remote Access Concentrator
Installing and Configuring the RAC Software .................................................................4-1
Loading Software and Booting the RAC .........................................................................4-6
Configuring Active RIP ...................................................................................................4-7
Defining Routes ........................................................................................................4-7
Configuring the RAC to Advertise RIP 1 and/or RIP 2 Updates ...............................4-8
Chapter 5 Configuring TMS and Security for erpcd Networks
Managing TMS Using the TMS Default Database ..........................................................5-2
Using Tunnel Management Commands .........................................................................5-4
Tunnel Management Commands ....................................................................................5-4
Command Arguments .....................................................................................................5-6
Configuring Local Authentication Using the ACP .........................................................5-12
Alternatives to the Default Database ............................................................................5-13
TMS System Log (Syslog) Messages ..........................................................................5-13
Chapter 6 Configuring the TMS Using Local RADIUS
Managing RADIUS-Based TMS ......................................................................................6-1
Tunnel Negotiation Message Sequence .........................................................................6-2
Using RADIUS Accounting .............................................................................................6-4
Service Provider Accounting Messages ..................................................................6-4
RADIUS Attributes That Support Tunneling ....................................................................6-6
TMS Parameters for erpcd-Based and All-RADIUS Tunnels ..........................................6-8
TMS System Log (Syslog) Messages ............................................................................6-9
Chapter 7 Configuring the Layer 3 Gateway
Configuring the Gateway ................................................................................................7-1
Gateway Accounting Messages .....................................................................................7-5
Chapter 8 Requirements Outside the ISP Network
Configuring a Static Route and an Adjacent Host ..........................................................8-2
Configuring a Bay Networks CPE Router Using Site Manager ......................................8-3
Configuring the Adjacent Host and Static Routes ....................................................8-5
How the Adjacent Host Entry and Static Routes Work Together .............................8-5
Configuring an Adjacent Host Between the CPE and the Gateway .........................8-6
Configuring a Static Route Between the CPE and the Gateway ..............................8-7
Configuring Frame Relay on the CPE Router .................................................................8-8
Configuring PPP on the CPE Router ..............................................................................8-9
Configuring the CPE Router for IPX Support (Layer 3 Only) ........................................8-10
Configuring IPX on a PPP Connection ...................................................................8-10
Configuring IPX on a Frame Relay Connection .....................................................8-12
Configuring the CPE Router as a Layer 2 Tunnel End Point ..................................8-13
Enabling L2TP ........................................................................................................8-13
Enabling L2TP on an Unconfigured WAN Interface ......................................................8-14
Enabling L2TP on an Existing PPP Interface ...............................................................8-15
Enabling L2TP on an Existing Frame Relay Interface ..................................................8-16
Installing and Configuring BSAC on the Home Network ...............................................8-17
Configuring IPX on the Home Network RADIUS Server ..............................................8-18
Configuring DHCP Dynamic Address Assignment (Layer 3) .........................................8-18
Defining Assignable DHCP Address Ranges ...............................................................8-18
Creating Scopes and a Superscope .............................................................................8-20
Creating the Home Agent (RADIUS Client) Scope ................................................8-20
Creating the Scope of Assignable Addresses ........................................................8-21
Creating a Superscope ..........................................................................................8-21
Chapter 9 Managing a Dial VPN Network
Enabling and Activating Dial VPN ...................................................................................9-2
Upgrading and Changing Your Dial VPN Network ..........................................................9-2
Removing Dial VPN from Your Network .........................................................................9-2
Appendix A Planning Worksheet
BayDVS Network Planning Worksheet ..........................................................................A-1
At the BayDVS Service Provider’s Site ...................................................................A-2
For Each Destination Site .......................................................................................A-3
For Each Remote Node ..........................................................................................A-4
Appendix B Syslog Messages
BayRS Messages ..........................................................................................................B-1
Remote Access Concentrator Syslog Messages ..........................................................B-1
TMS Syslog Messages ..................................................................................................B-4
Appendix C Troubleshooting
What’s in This Appendix ................................................................................................C-1
Preventing Problems .....................................................................................................C-2
Preparing to Troubleshoot ..............................................................................................C-3
Troubleshooting Worksheet .....................................................................................C-4
Using the System Logs (syslogs) to Diagnose Problems .......................................C-7
Getting a Snapshot of the Current Status on a BayRS Device ...............................C-8
Troubleshooting Specific Protocols ..............................................................................C-15
Troubleshooting a Site Manager Problem ....................................................................C-15
Troubleshooting Remote Access Concentrator Problems ...........................................C-15
Tracing a Packet’s Path at the Remote Access Concentrator ...............................C-22
Troubleshooting Tunnel Problems ................................................................................C-24
Operation and Troubleshooting Layer 2 Tunnels ..........................................................C-25
Troubleshooting the LAC .......................................................................................C-25
Troubleshooting the LNS .......................................................................................C-26
Troubleshooting the BSAC RADIUS Server ..........................................................C-31
Activity Log .....................................................................................................C-31
Accounting Log ...............................................................................................C-32
Glossary
Index

Figures

Figure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels ............................... 1-3
Figure 1-2. Dial VPN Network with Connections to Different Destination Types ........1-6
Figure 2-1. Layer 2 Tunnel Packet Path ......................................................................2-2
Figure 2-2. L2TP Packet Encapsulation Process .......................................................2-5
Figure 2-3. Tunnel Authentication Control Messages .................................................2-9
Figure 2-4. L2TP Network Using a LAC ....................................................................2-12
Figure 2-5. L2TP Network Using a RAS ...................................................................2-12
Figure 3-1. Layer 3 Tunnel Packet Path ......................................................................3-2
Figure 3-2. DHCP Operational Timeline .....................................................................3-8
Figure 3-3. Dial VPN Dynamic IP Address Management Sequence ........................3-11
Figure 3-4. Packet Encapsulation and Decapsulation Process .................................3-15
Figure 3-5. Sending a Packet to a Remote Node .....................................................3-17
Figure 3-6. Static Routes from a CPE Router to a Dial VPN Gateway ......................3-18
Figure 6-1. Message Exchanges Supporting RADIUS TMS Operations ....................6-3
Figure 8-1. Static Route Between the CPE Router and the Gateway ........................8-2
Figure C-1. Network Topology for ping -t Examples .................................................C-23

Tables

Table 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation ........................... 1-5
Table 4-1. Where to Find Configuration Information .................................................4-1
Table 5-1. tms_dbm Tunnel Management Commands ............................................5-4
Table 5-2. tms_dbm Command Arguments ..............................................................5-6
Table 6-1. Service Provider User Start Accounting Messages .................................6-4
Table 6-2. Service Provider User Stop Accounting Messages ................................6-5
Table 6-3. General Tunneling Attributes ....................................................................6-6
Table 6-4. RADIUS Attributes That the Gateway Supports ......................... ....... ......6-7
Table 6-5. TMS Parameter Equivalents ...................................................................6-8
Table 7-1. Gateway Accounting Messages ...............................................................7-5
Table 8-1. IPX Encapsulation Types by Media ........................................................8-12
Table B-1. Remote Access Concentrator Syslog Messages ...................................B-2
Table B-2. TMS Syslog Messages ..........................................................................B-5
Table C-1. Problem Symptoms and Likely Causes .................................................C-6
Table C-2. Remote Access Concentrator Troubleshooting Chart ..........................C-16
Preface

This guide describes Bay Networks Dial Virtual Private Network (VPN) and what you do to start and customize Bay Dial VPN services on a Bay Networks® router.

Before You Begin

Make sure that you are running the latest version of Bay Networks BayRS™ and Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.

Text Conventions

This guide uses the following text conventions:
angle brackets (< >)    Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is: ping <ip_address>, you enter: ping 192.32.10.12

bold text    Indicates text that you need to enter and command names and options. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.

braces ({})    Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is: show ip {alerts | routes}, you must enter either: show ip alerts or show ip routes.

brackets ([ ])    Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is: show ip interfaces [-alerts], you can enter either: show ip interfaces or show ip interfaces -alerts.

ellipsis points (. . .)    Indicate that you repeat the last element of the command as needed. Example: If the command syntax is: ethernet/2/1 [<parameter> <value>] . . . , you enter ethernet/2/1 and as many parameter-value pairs as needed.

italic text    Indicates file and directory names, new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is: show at <valid_route>, valid_route is one variable and you substitute one value for it.

screen text    Indicates system output, for example, prompts and system messages. Example: Set Bay Networks Trap Monitor Filters

separator ( > )    Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.

vertical line ( | )    Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is: show ip {alerts | routes}, you enter either: show ip alerts or show ip routes, but not both.

Acronyms

ACP    Access Control Protocol
BRI    Basic Rate Interface
CHAP    Challenge Handshake Authentication Protocol
CLI    command line interface
CPE    customer premise equipment
DLCI    Data Link Control Interface
DNIS    domain name information server
DTE    data terminal equipment
erpcd    expedited remote procedure call daemon
FTP    File Transfer Protocol
GRE    Generic Routing Encapsulation
GUI    graphical user interface
IETF    Internet Engineering Task Force
IP    Internet Protocol
IPCP    Internet Protocol Control Protocol
IPX    Internet Packet Exchange
IPXCP    Internet Packet Exchange Control Protocol
ISDN    Integrated Services Digital Network
ISO    International Organization for Standardization
ISP    Internet Service Provider
LAC    Layer 2 Tunneling Protocol access concentrator
L2TP    Layer 2 Tunneling Protocol
LAN    local area network
LNS    Layer 2 Tunneling Protocol network server
MAC    media access control
NAS    network access server
OSI    Open Systems Interconnection
PAP    Password Authentication Protocol
POP    point of presence
PPP    Point-to-Point Protocol
PRI    Primary Rate Interface
PSTN    public-switched telephone network
PVC    permanent virtual circuit
RADIUS    Remote Authentication Dial-In User Service
RIP    Routing Information Protocol
SAP    Service Advertising Protocol
SMDS    Switched Multimegabit Data Service
SNMP    Simple Network Management Protocol
SPB    session parameter block
SPI    security parameter index
TCP    Transmission Control Protocol
TMS    tunnel management server
UNI    user network interface
VPN    virtual private network
WAN    wide area network

Bay Networks Technical Publications

You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the Bay Networks product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Reader, you can open the manuals and release notes, search for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.

You can purchase Bay Networks documentation sets, CDs, and selected technical publications through the Bay Networks Collateral Catalog. The catalog is located on the World Wide Web at support.baynetworks.com/catalog.html and is divided into sections arranged alphabetically:

• The “CD ROMs” section lists available CDs.
• The “Guides/Books” section lists books on technical topics.
• The “Technical Manuals” section lists available printed documentation sets.

Make a note of the part numbers and prices of the items that you want to order. Use the “Marketing Collateral Catalog description” link to place an order and to print the order form.

How to Get Help

For product assistance, support contracts, or information about educational services, go to the following URL:
http://www.baynetworks.com/corporate/contacts/
Or telephone the Bay Networks Technical Solutions Center at: 800-2LANWAN
Chapter 1
Bay Dial VPN Overview

Bay Networks Dial Virtual Private Network Services provides secure dial-access services for corporate telecommuters, mobile professionals, and users in remote branch offices. Dial VPN provides switched connectivity to virtual private networks (VPNs), based on Internet Engineering Task Force (IETF) specifications. Corporate customers can subscribe to this service for remote dial access to virtual private networks or to the Internet over telephone lines.

Tunneling Overview

Dial VPN offers remote users simple and secure access to virtual private networks and the Internet through a mechanism known as a tunnel. A tunnel is a secure, virtual, direct path between two end points. The process of encapsulating, sending, and decapsulating the datagram is called tunneling, and the encapsulator and decapsulator are considered the end points of the tunnel. Dial VPN dynamically establishes and removes tunnels as needed. Dial VPN supports both Layer 3 and Layer 2 tunneling (referring to the ISO model) on the same Internet Service Provider (ISP) network.

Dial VPN lets ISPs offer a remote access outsourcing service to their enterprise customers. Multiple enterprise customers share the same resources in the service provider’s network or Internet. Because a given user’s data is tunneled, it is inherently secured from the ISP’s other customers, similar to PVCs in a frame relay network. Each enterprise customer is responsible for authenticating individual dial-in users and assigning network addresses.

Using Dial VPN, an ISP’s enterprise customers can dial in to a local ISP point-of-presence (POP) rather than potentially making a long distance call to a Remote Access Concentrator located at the home network. Dial VPN can also eliminate costs associated with maintaining the remote access equipment.
Dial VPN encapsulates multiprotocol data within an IP datagram. It then sends the encapsulated packets through bidirectional IP tunnels over the service provider’s IP routed backbone to the user’s home network.

Dial VPN implements concepts from IETF working groups, draft specifications, and standards such as Mobile IP and Remote Authentication Dial-In User Service (RADIUS), in addition to IP routing, frame relay, and Point-to-Point Protocol (PPP).

Dial VPN runs on a variety of Bay Networks hardware platforms. The Dial VPN network access server (NAS) function runs on the Remote Access Concentrator (RAC) Model 8000, and the 5399 RAC module for the System 5000™ MSX™.

Platforms running BayRS, such as the Access Stack Node (ASN™), the Backbone Node (BN®) family of high performance switch/routers (BLN®, BLN-2, and BCN®), and the Model 5380 module for the System 5000 MSX, can function as the Dial VPN gateway (for Layer 3 Dial VPN), or as the L2TP network server (LNS, for Layer 2 Dial VPN) or CPE (Layer 3) router on the customer’s home network.

You configure Dial VPN using the same tools that you use to configure the Remote Access Concentrator and the BayRS platform (that is, the Remote Access Concentrator command line interface, CLI, and Site Manager). All the features of Remote Access Concentrators and of BayRS are available on your Dial VPN system.

What Is Tunneling?

Tunneling is a way of forwarding multiprotocol traffic and addresses from remote nodes to a corporate network through an Internet Service Provider’s IP backbone network. Encapsulation is the tunneling mechanism. It takes an incoming packet of any protocol, wraps that packet’s contents in a tunnel packet, then routes the encapsulated packet over the Dial VPN IP network.
Dial VPN dynamically creates a tunnel when it connects to the remote node’s home network. One end point of the tunnel is the access concentrator. The other end point is either the gateway router on the ISP’s network (for a Layer 3 tunnel) or the L2TP network server (for a Layer 2 tunnel). Once the tunnel is created, packets from the remote node and the corporate home network flow through the tunnel. In a Layer 3 connection, each tunnel supports one user. The tunnel exists as long as the user remains connected. In a Layer 2 connection, each user is a session. A tunnel is established only once between a LAC and an LNS.

After establishing a connection, the NAS receives a PPP packet (or payload) from the remote node. The packet moves from the NAS, through the tunnel to the home network.

Dial VPN supports both Layer 3 and Layer 2 tunnels on the same ISP network. Figure 1-1 shows a Dial VPN network with both Layer 3 and Layer 2 (L2TP) tunnels.

[Figure 1-1: two remote nodes connect over PPP to a RAC. A Layer 3 tunnel runs from the RAC across the IP network to a gateway (GW); an L2TP tunnel runs across the IP network and the WAN (PPP or frame relay) to a customer premise router. A TMS sits in the IP network, and each customer premise has a router and an authentication, authorization, accounting, and IP management server.]

Figure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels

Layer 3 Tunneling

In Layer 3 tunneling, the tunnel exists between the Network Access Server (NAS), which is a Remote Access Concentrator (RAC), and a gateway router. Both end points of the tunnel are within the ISP network.

Layer 2 Tunneling

In Layer 2 tunneling, the tunnel exists between the Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC), usually a remote access concentrator on the ISP network, and the L2TP network server (LNS), a router or extranet access switch on the customer’s home network. Rather than terminating at the remote access concentrator, the IP tunnel extends the PPP session to the LNS, which acts as a virtual remote access concentrator.

Note: In this guide, the term LAC refers to a remote access server with L2TP capabilities. The term RAS refers to a remote access server without L2TP capabilities.

Other features of L2TP include using the Internet infrastructure to support multiple protocols and unregistered IP addresses. Because the dial-in user’s data is tunneled at Layer 2 and above (in the ISO model), the L2TP protocol is independent of Layer 3 information. Enterprise customers with unregistered IP addressing schemes can also use L2TP to reach their home network.

Comparing Layer 3 and Layer 2 Features

Dial VPN supports both Layer 3 and Layer 2 tunneling on the same ISP network. Both provide secure network access for dial-in users to their home networks. Table 1-1 briefly compares the most significant features of both Layer 3 and Layer 2 tunneling.

Table 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation

Dial VPN Feature               Layer 3                         Layer 2
Tunnel management              erpcd, ACP, or RADIUS (BSAC)    erpcd, ACP, or RADIUS (BSAC)
Protocol                       Mobile IP                       L2TP
Encapsulation                  GRE                             L2TP
Tunnel end points              NAS and gateway                 LAC and LNS
Dynamic IP address allocation  IP pooling or DHCP              IP pooling
Layer 3 protocols supported    IP, IPX                         IP
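The encapsulation step described under “What Is Tunneling?” and the Encapsulation row of Table 1-1, as an added example in Python that is not part of this guide and is not Bay Networks code: it builds and unpacks the two tunnel packet formats the table names, a GRE packet inside an outer IPv4 header (Layer 3) and an L2TP data message (Layer 2), using the header layouts of RFC 2784 and RFC 2661. The addresses, tunnel and session IDs, and the PPP payload are constructed sample values, and the GRE helper handles only the basic 4-byte header with no optional checksum, key, or sequence fields (an assumption made here, not something the guide specifies).

```python
"""Constructed example: how a PPP payload is wrapped for a Layer 3 (GRE over IP)
tunnel versus a Layer 2 (L2TP over UDP) tunnel. Not Bay Networks code; header
layouts follow RFC 2784 (GRE) and RFC 2661 (L2TPv2)."""
import struct

GRE_IP_PROTOCOL = 47       # IANA protocol number carried in the outer IPv4 header
PROTO_TYPE_PPP = 0x880B    # GRE protocol type value for a PPP payload
L2TP_VERSION = 2           # version field of an L2TPv2 header


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with no options and a fixed TTL of 64."""
    def addr(a: str) -> bytes:
        return bytes(int(octet) for octet in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, src: str, dst: str, proto_type: int = PROTO_TYPE_PPP) -> bytes:
    """Layer 3 tunnel: outer IP header + 4-byte GRE header (no C/K/S bits, version 0) + payload.
    One such tunnel is built per dial-in user between the NAS and the gateway."""
    gre = struct.pack("!HH", 0x0000, proto_type)
    return ipv4_header(src, dst, GRE_IP_PROTOCOL, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes):
    """Check the outer IPv4 and GRE headers and return (proto_type, inner payload).
    Raises ValueError for anything that is not a plain GRE packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer protocol is not GRE")
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags & 0xB000:            # C, K or S bit set: optional fields follow, not handled here
        raise ValueError("optional GRE fields present")
    return proto_type, packet[ihl + 4:total_len]


def l2tp_data_message(tunnel_id: int, session_id: int, payload: bytes) -> bytes:
    """Layer 2 tunnel: L2TP data message (T=0) with the L bit set. Many sessions share one
    Tunnel ID between a LAC and an LNS; each dial-in user gets its own Session ID."""
    flags = 0x4000 | L2TP_VERSION       # L=1 (length present), T=0 (data), version 2
    return struct.pack("!HHHH", flags, 8 + len(payload), tunnel_id, session_id) + payload


def l2tp_parse(datagram: bytes):
    """Return (tunnel_id, session_id, payload) from an L2TP data message, skipping the
    optional Ns/Nr and offset fields that a peer may include."""
    flags = struct.unpack("!H", datagram[:2])[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & 0x8000:
        raise ValueError("control message, not a data message")
    pos, end = 2, len(datagram)
    if flags & 0x4000:                   # L bit: 16-bit length field
        end = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if flags & 0x0800:                   # S bit: Ns and Nr fields
        pos += 4
    if flags & 0x0200:                   # O bit: offset size plus padding
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
    return tunnel_id, session_id, datagram[pos:end]


if __name__ == "__main__":
    # Constructed PPP frame: address/control bytes, IP protocol id, dummy payload
    ppp_frame = b"\xff\x03\x00\x21" + b"constructed IP datagram"
    pkt = gre_encapsulate(ppp_frame, "192.0.2.10", "192.0.2.1")
    print("GRE:", gre_decapsulate(pkt))
    # Two users on one L2TP tunnel (Tunnel ID 100), told apart only by Session ID
    for sid in (1, 2):
        print("L2TP:", l2tp_parse(l2tp_data_message(100, sid, ppp_frame)))
```

The two formats make the table's “Tunnel end points” row concrete: in the GRE case the outer IP addresses identify the NAS and gateway and there is one tunnel per user, whereas in the L2TP case the two sample users share Tunnel ID 100 and differ only in Session ID, which is why the text says a Layer 2 tunnel is established once between a LAC and an LNS. The decapsulator rejects packets whose outer header has been altered in transit (checksum failure) or that carry GRE options it does not understand, rather than silently forwarding the inner payload.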

How a Dial VPN Network Functions

Any authorized remote user (using a PC or dial-up router) who has access to a phone line and a modem can dial into your network through Dial VPN. A remote node can be an individual user dialing in or a dial-up router (using IP) through a public-switched telephone network (PSTN) or an ISDN connection. A remote user can dial in to a Dial VPN network to connect either to a corporate or home network or to a third-party ISP. Dial VPN regards these as functionally equivalent.

Figure 1-2 is a simplified illustration of one possible Layer 3 Dial VPN configuration. In reality, a Dial VPN service provider’s network might include several remote access servers to service a variety of dial-in users, with both Layer 3 and Layer 2 tunnels serving different types of networks. You can configure Dial VPN so that its operation is transparent both to users and applications. You may find it useful to draw a map of your own configuration and label the interfaces with their IP and, if appropriate, frame relay Data Link Connection Identifier (DLCI) addresses.
[Figure 1-2: a remote node dials over a PPP connection through the PSTN to the network access server (NAS) in the service provider network. The NAS consults the TMS/erpcd server and carries user data through the tunnel domain to the gateway, which connects over frame relay or PPP to the CPE router on the customer network (customer RADIUS server and LAN) and to the CPE router on the third-party Internet service provider network (ISP RADIUS server and the Internet).]

Figure 1-2. Dial VPN Network with Connections to Different Destination Types

Figure 1-2 shows a Dial VPN service provider network with a Layer 3 tunnel. The gateway provides connection services both to a corporate LAN and to a third-party ISP network. This figure shows only one tunnel, but in reality Dial VPN creates one tunnel for each dial-in connection.

In this illustration, a user at a remote node can dial in to a corporate or home network or a third-party ISP by calling a local phone number associated with that destination network. The network access server handles the call. The service provider’s network uses a standard IP connection between the network access server, shown here as a 5399 module in a 5000 MSX chassis, and the gateway. A PPP connection or a frame relay PVC and a static route must exist between the gateway and the customer premise equipment (CPE) router to provide a path for packets to return to the remote node.

For Bay Networks routers used with a Layer 3 Dial VPN tunnel, you must specify an adjacent host and a static route between the gateway and the CPE, and also between the CPE router and the remote node. (The adjacent host and static routes do not appear in this diagram.) For an illustration of Layer 3 tunneling, see Chapter 3.

The rest of this guide describes how to install and configure a Dial VPN service provider network. It also indicates the requirements for the remote node and the RADIUS and DHCP servers, with references to the documentation that explains how to do the configuration.

Dial VPN Network Components

Installing and configuring a Dial VPN service provider network involves several tasks, some of which you may already have completed. You must:

• Plan the network.
• Install and connect the network hardware.
• Install and configure the network software.
• Verify that the elements outside the Dial VPN network, specifically the remote server or servers, the router on the home network, and the remote dial-in nodes, are properly configured.
• Power up, test, and troubleshoot your network.

See the documentation for each of these entities for information on how to install and configure them.

This guide deals specifically with how you combine these elements into a Bay Dial VPN network. The following sections summarize the elements of Dial VPN networks.

Remote Dial-In Nodes

Remote nodes can be PCs (portable hosts) or dial-up routers, using PPP for dial-up connections. The portable host must have PPP client software and a TCP/IP or IPX protocol stack loaded.

Dial VPN supports dial-up IP (and, for Layer 3, IPX) over PPP for dial-in PC clients and IP over PPP for dial-in routers connected to LANs.

The following considerations apply only to Layer 2 (L2TP) tunnels:

• If the PC or router does not have built-in L2TP software capabilities, it dials into a LAC, which provides a tunnel across the Internet to the corporate LNS. This type of connection is the primary focus of this guide.
• If the PC or router is an L2TP client, that is, it has built-in L2TP capability, the L2TP client software provides a tunnel through a network access server across the Internet to the corporate LNS. A LAC is unnecessary with an L2TP client.

The main difference between connecting an L2TP client and a nonclient is the starting point of the tunnel. For an L2TP client, the tunnel begins at the PC or router; for a non-L2TP client, the tunnel begins at the LAC. All tunnels end at the LNS.

ISP Network Components for Layer 3 Tunnels

The devices that make up the Dial VPN service provider network can be all at the same site or can be separated by several “hops” within the same network. A network with Layer 3 Dial VPN tunnels can consist of a network access server (NAS), a gateway router that serves as the tunnel end point, and a tunnel management server.

Network Access Server (NAS)

A network access server (NAS) can be a Remote Access Concentrator Model 8000 or a System 5000 chassis with one or more Model 5399 Remote Access Concentrator modules. Each module is configured with a network address belonging to the service provider’s address domain. The Remote Access Concentrator 8000/5399 includes a dual WAN server, which can support both analog calls and digital calls carried over ISDN. The NAS receives and processes calls from remote nodes and routes data to remote nodes.

Note: This guide uses the term network access server (NAS) to refer to the device that performs network access functions, such as answering dial-in user calls, authenticating tunnel users, building tunnels, and so on. In the Dial VPN context, this device is usually a Remote Access Concentrator (RAC). Other documents may refer to this same device as a remote access server (RAS). Essentially, all three terms (NAS, RAS, and RAC) refer to functionally the same device.
Gateway
Used only in Layer 3 networks, the gateway can be an ASN, BLN, BLN-2, BCN, or System 5000 MSX equipped with a Model 5380 module running BayRS software.

The gateway connects the Dial VPN service provider’s network and the CPE router on the remote user’s home network. The gateway performs conventional IP routing functions configured on interfaces connected to the IP network, through which the network access servers can be reached.

The gateway is the end point of the IP-routed tunnels that transport packets originated by remote nodes and encapsulated by the NAS. The gateway also connects to the CPE router on the user’s home network. The gateway is the data terminal equipment (DTE) for frame relay PVCs or PPP connections connecting to multivendor RFC 1490-compliant routers on the customer premises.

For a frame relay network, the connection is through a frame relay user network interface (UNI). The gateway forwards traffic between a remote node and the corresponding node in its home network by forwarding packets over a frame relay PVC connecting the UNI to the IP tunnel. Thus, the gateway uses the IP tunnel and the frame relay PVC as two links through which it can send the user traffic from one side to the other.

The PPP connection between the gateway and the customer’s home network functions in a similar way, except that the connection is through a PPP interface instead of a frame relay interface.

In Layer 3 tunneling, the gateway may also act as a RADIUS client to authenticate the remote user based on information provided from the NAS. The RADIUS client on the gateway sends an authentication request to the RADIUS server on the home network, which either grants or denies the request in a message to the gateway. The gateway then returns this information to the NAS to continue the process.
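The request-and-reply exchange that the gateway’s RADIUS client runs against the home-network RADIUS server, as an added example in Python that is not part of this guide and is not Bay Networks code. It follows the message layout of RFC 2865: the client hides the user’s password under the shared secret and a fresh Request Authenticator, the server checks the credentials and answers Access-Accept or Access-Reject, and the client accepts the reply only after validating the Response Authenticator. The user name, password, shared secret and user table are constructed values, and the server side checks a plaintext password table, an assumption made only to keep the example self-contained.

```python
"""Constructed example of the RADIUS Access-Request / Access-Accept exchange between a
gateway acting as RADIUS client and a home-network RADIUS server (RFC 2865).
Not Bay Networks code; names, secret and credentials are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run on the server; trailing pad bytes are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """Gateway side: Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), request_auth) + attrs


def server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Home-network RADIUS server: verify the credentials and return Access-Accept or
    Access-Reject signed with MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length, request_auth = struct.unpack("!BBH16s", request[:20])
    if code != ACCESS_REQUEST or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], given)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()


def client_verify(response: bytes, request: bytes, secret: bytes):
    """Gateway side: accept a reply only if its ID matches the outstanding request and its
    Response Authenticator checks out under the shared secret. Returns the code or None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    users = {b"alice@example.com": b"correct horse"}   # constructed user table
    req = build_access_request(7, b"alice@example.com", b"correct horse", secret)
    print("server says:", client_verify(server_respond(req, secret, users), req, secret))
```

The Response Authenticator check in client_verify is what ties the reply to the gateway’s own request: a reply with the wrong identifier, a reply computed under a different secret, or a reply whose authenticator was simply zeroed all come back as None and are dropped rather than treated as a grant. Note also that the password hiding is MD5 keyed by the shared secret, as the standard specifies, so the strength of the secret shared between gateway and home-network server is what protects the user’s credentials on the path between them.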
Tunnel Management Server (TMS)

The mechanism for identifying tunneled users is the tunnel management server (TMS) that resides on a tunnel management server.

For Layer 3 tunnels, the NAS retrieves the tunnel configuration attributes from its TMS database residing on the tunnel management server and uses them to build a tunnel into the customer’s network. Once the tunnel is open, the user can be authenticated at the customer’s network. Tunnel management can be either RADIUS or erpcd-based.

In the RADIUS method, a RADIUS server resides at the service provider site and manages the TMS database. The NAS and the RADIUS server communicate using IP over the service provider network. Only Layer 3 tunnels can use this method.

In the erpcd-based method, the TMS hosts a database application (the Tunnel Management System) that controls the IP tunnel establishment attempt from the NAS. The TMS runs on the same UNIX host as the Access Control Protocol (ACP) software. The NAS and the TMS communicate using the Bay Networks proprietary Expedited Remote Procedure Call Daemon (erpcd or Secure erpcd). Both Layer 3 and Layer 2 tunnels can use this method.

In either method, the NAS queries the TMS database for the addressing information it needs to construct the IP tunnel. This query is based on the user domain name and on the policy and state information of the enterprise customer account when the remote user dials in. As a Dial VPN network administrator, you must provide the user domain and tunnel addressing information to the TMS database for each enterprise customer. Chapter 5 and Chapter 6 describe the commands you can use to provision the default TMS database.

ISP Network Components for Layer 2 Tunnels

The following sections describe the components of a network with Layer 2 tunnels. A network with Layer 2 Dial VPN tunnels also has a NAS (which may function as either a LAC or a RAS) and a tunnel management server. The edge router, however, does not function as a gateway; rather, the tunnel end point is the CPE router on the customer’s home network. The network itself can have additional components. This description pertains only to those relevant to Layer 2 tunneling.