Nortel Networks L2TP User Manual

Configuring L2TP Services

BayRS Version 13.00 Site Manager Software Version 7.00
Part No. 303532-A Rev 00 October 1998
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821
Copyright © 1998 Bay Networks, Inc.
All rights reserved. Printed in the USA. October 1998. The information in this document is subject to change without notice. The statements, configurations, technical data,
and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.
Trademarks
ACE, AFN, AN, BCN, BLN, BN, BNX, CN, FRE, LN, Optivity, PPX, Quick2Config, and Bay Networks are registered trademarks and Advanced Remote Node, ANH, ARN, ASN, BayRS, BaySecure, BayStack, BayStream, BCC, BCNX, BLNX, EZ Install, EZ Internetwork, EZ LAN, FN, IPAutoLearn, PathMan, RouterMan, SN, SPEX, Switch Node, System 5000, and the Bay Networks logo are trademarks of Bay Networks, Inc.
Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the products described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
303532-A Rev 00
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
1. License Grant. Bay Networks, Inc. (“Bay Networks”) grants the end user of the Software (“Licensee”) a personal, nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Bay Networks Agent software or other Bay Networks software products. Bay Networks Agent software or other Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Bay Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Bay Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Bay Networks’ and its licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee’s facility, provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Bay Networks warrants each item of Software, as delivered by Bay Networks and properly installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Bay Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release.
These warranties do not apply to the Software if it has been (i) altered, except by Bay Networks or in accordance with its instructions; (ii) used in conjunction with another vendor’s product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software––Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks’ confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America Parkway, P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST BAY NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

Contents

Preface
Before You Begin .............................................................................................................xiii
Text Conventions ..............................................................................................................xiv
Acronyms ......................................................................................................................... xv
Bay Networks Technical Publications ..............................................................................xvi
How to Get Help ..............................................................................................................xvi
Chapter 1 L2TP Overview
L2TP Benefits ................................................................................................................. 1-2
What Is Tunneling? .........................................................................................................1-2
L2TP Sessions .........................................................................................................1-3
Components of an L2TP Network ..................................................................................1-4
Remote Host ...........................................................................................................1-4
L2TP Access Concentrator (LAC) ............................................................................1-5
Remote Access Server (RAS) ..................................................................................1-5
Tunnel Management Server (TMS) ..........................................................................1-5
L2TP Network Server (LNS) ....................................................................................1-6
RADIUS Server ........................................................................................................1-6
Examples of L2TP Networks ....................................................................................1-7
L2TP Packet Encapsulation ............................................................................................1-8
Making a Connection Across an L2TP Network ............................................................1-9
Security in an L2TP Network .......................................................................................1-10
Bay Networks L2TP Implementation ............................................................................1-11
Tunnel Management ...............................................................................................1-12
Tunnel Authentication .............................................................................................1-12
RADIUS User Authentication .................................................................................1-14
RADIUS Accounting ...............................................................................................1-15
L2TP IP Interface Addresses .................................................................................1-15
Remote Router Configuration ................................................................................1-16
Where to Go Next .........................................................................................................1-17
Chapter 2 Starting L2TP
Planning Considerations for an L2TP Network ..............................................................2-2
Tunnel Authentication Passwords .............................................................................2-2
RADIUS Server Information .....................................................................................2-2
Preparing a Configuration File ........................................................................................2-3
Enabling L2TP on an Unconfigured WAN Interface ........................................................2-4
Enabling L2TP on an Existing PPP Interface .................................................................2-5
Enabling L2TP on an Existing Frame Relay Interface ....................................................2-7
Enabling L2TP on an Existing ATM Interface ................................................................. 2-9
Chapter 3 Customizing L2TP Services
Modifying the L2TP Protocol Configuration .................................................................... 3-2
Modifying RADIUS Server Information ........................................................................... 3-3
Changing the LNS System Name ...................................................................................3-4
Modifying the Number of L2TP Sessions Permitted .......................................................3-5
Keeping the Remote User’s Domain Name ....................................................................3-6
Changing the Domain Name Delimiter ...........................................................................3-7
Enabling Tunnel Authentication ......................................................................................3-8
Modifying L2TP IP Interface Addresses .........................................................................3-9
Disabling RIP ................................................................................................................3-10
Disabling L2TP .............................................................................................................3-10
Deleting L2TP from a PPP Interface .............................................................................3-11
Deleting L2TP from a Frame Relay Interface ...............................................................3-12
Deleting L2TP from an ATM Interface ...........................................................................3-13
Appendix A L2TP Parameters
L2TP Configuration Parameters ....................................................................................A-2
L2TP Tunnel Security Parameters ................................................................................. A-8
L2TP IP Interface Parameters .....................................................................................A-10
Appendix B Configuration Examples
Example 1: Remote PC Calling the Corporate Network ................................................ B-1
Configuring the Remote Hosts ................................................................................ B-2
Configuring the LACs and the TMS ........................................................................B-3
Configuring the LNS ................................................................................................ B-3
Data Path Through the Network ..............................................................................B-4
Example 2: Remote Router Calling the Corporate Network .......................................... B-5
Configuring the Dial-on-Demand Circuit ................................................................. B-6
Configuring the PPP Interface .................................................................................B-6
Appendix C Troubleshooting
Index

Figures

Figure 1-1. L2TP Network Using a LAC .....................................................................1-7
Figure 1-2. L2TP Network Using a RAS .....................................................................1-7
Figure 1-3. Packet Encapsulation Process .................................................................1-8
Figure 1-4. Tunnel Authentication Control Messages ...............................................1-13
Figure 1-5. Remote Router Dialing the LNS .............................................................1-16
Figure A-1. L2TP Configuration List Window .............................................................A-2
Figure A-2. L2TP Tunnel Security List Window .........................................................A-8
Figure A-3. L2TP IP Interface List Window .............................................................. A-10
Figure A-4. L2TP IP Interface Window ....................................................................A-10
Figure B-1. L2TP Network with PCs at the Remote Site ...........................................B-2
Figure B-2. L2TP Network with Routers at the Remote Site ..................................... B-5

Tables

Table C-1. Common L2TP Network Problems and Solutions ..................................C-1

Preface

This guide describes the Layer 2 Tunneling Protocol (L2TP) and what you do to start and customize L2TP services on a Bay Networks® router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:
Install the router (refer to the installation guide that came with your router).
Connect the router to the network and create a configuration file (refer to Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting ASN Routers to a Network).
Make sure that you are running the latest version of Bay Networks BayRS and Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.

Text Conventions

This guide uses the following text conventions:
bold text Indicates text that you need to enter and command names and options. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.
italic text Indicates file and directory names, new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.
screen text Indicates system output, for example, prompts and system messages. Example: Set Bay Networks Trap Monitor Filters
separator ( > ) Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.
vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts | routes}, you enter either show ip alerts or show ip routes, but not both.

Acronyms

CHAP Challenge Handshake Authentication Protocol
IP Internet Protocol
ISDN Integrated Services Digital Network
ISP Internet Service Provider
L2TP Layer 2 Tunneling Protocol
LAC L2TP access concentrator
LAN local area network
LCP Link Control Protocol
LNS L2TP network server
MPPP Multilink Point-to-Point Protocol
PAP Password Authentication Protocol
PPP Point-to-Point Protocol
RADIUS Remote Authentication Dial-In User Service
RAS remote access server
RIP Routing Information Protocol
SCCCN start control connection connected
SCCRP start control connection reply
SCCRQ start control connection request
TA terminal adapter
TCP/IP Transmission Control Protocol/Internet Protocol
TMS tunnel management server
UDP User Datagram Protocol
VPN virtual private network
WAN wide area network

Bay Networks Technical Publications

You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the Bay Networks product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Reader, you can open the manuals and release notes, search for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.
You can purchase Bay Networks documentation sets, CDs, and selected technical publications through the Bay Networks Collateral Catalog. The catalog is located on the World Wide Web at support.baynetworks.com/catalog.html and is divided into sections arranged alphabetically:
The “CD ROMs” section lists available CDs.
The “Guides/Books” section lists books on technical topics.
The “Technical Manuals” section lists available printed documentation sets. Make a note of the part numbers and prices of the items that you want to order.
Use the “Marketing Collateral Catalog description” link to place an order and to print the order form.

How to Get Help

For product assistance, support contracts, or information about educational services, go to the following URL:
http://www.baynetworks.com/corporate/contacts/
Or telephone the Bay Networks Technical Solutions Center at: 800-2LANWAN
Chapter 1
L2TP Overview
The Layer 2 Tunneling Protocol (L2TP) provides remote users, such as telecommuters, mobile professionals, and personnel in remote branch offices, with dial-in access to a corporate network. L2TP enables users to create a virtual private network (VPN), which uses the existing physical infrastructure of a public network, such as the Internet, but offers the security and exclusivity of a private network.
This chapter contains the following information:
Topic Page
L2TP Benefits 1-2
What Is Tunneling? 1-2
Components of an L2TP Network 1-4
L2TP Packet Encapsulation 1-8
Making a Connection Across an L2TP Network 1-9
Security in an L2TP Network 1-10
Bay Networks L2TP Implementation 1-11
Where to Go Next 1-17

L2TP Benefits

L2TP has several advantages:
Users and businesses can take advantage of existing network equipment and resources.
Corporations do not need to maintain and manage remote access servers and other special networking equipment for remote users. Instead, they can use their existing Internet leased connections and resources at the Internet Service Provider (ISP) network, thereby significantly reducing corporate networking and maintenance costs.
In addition, corporations do not need to provide technical support to the remote users. Because the remote user is making a local call to the ISP, the ISP provides technical assistance if the user has trouble making connections.
Remote users can place a free local call to their ISP for access to the Internet, eliminating long-distance toll calls required to dial the corporate network directly.
ISPs earn more business from corporate customers using the equipment, thereby increasing the ISP’s revenues.
L2TP is a standards-based protocol that provides greater interoperability with networking equipment from other vendors.

What Is Tunneling?

Tunneling is a way of forwarding traffic from remote users to a corporate network through an IP network. A tunnel is a virtual connection between two sites, for example, an access concentrator at the ISP network and a router at the corporate network. Tunneling across an existing public network such as the Internet creates a virtual private network that offers corporate network access to a wider range of remote users.
L2TP is a tunneling mechanism that extends the end point of the Point-to-Point Protocol (PPP) connection from an L2TP access concentrator (LAC) or remote access server (RAS) at the ISP network to an L2TP network server (LNS) at the corporate site.
Multiple users can communicate through a single tunnel between the same LAC and LNS pair. Each user transmits and receives data in an individual L2TP session.
An individual session ends when a remote user disconnects the call, but multiple sessions can run inside a single tunnel.
The LAC brings down the tunnel for any one of the following reasons:
A network failure occurs.
The LAC or other equipment at the ISP is not operating properly. If the LAC fails, all tunnel users are disconnected.
There are no active sessions inside the tunnel.
The system administrator at the ISP terminates the user connection.
The LAC is not responding to a Hello packet from the LNS.
For the LAC to reestablish a tunnel, the remote user has to place a new call.

L2TP Sessions

Packets are exchanged across an L2TP tunnel during an L2TP session. An L2TP session is created when an end-to-end WAN connection is established between the remote host and the LNS.
The L2TP portion of the packets sent through the tunnel contains a header with a call ID field (also called a session ID) and a tunnel ID field. The call ID field, which indicates the session that the WAN packet belongs to, is negotiated between the LAC and the LNS when the L2TP call is set up. The tunnel ID specifies the tunnel that the L2TP session is using.
In addition to the fields in the header, the L2TP packet contains a call serial number, which is a unique number for each L2TP call. This number matches the call to the L2TP session.
For an L2TP session, you can enable flow control. Flow control manages congestion across the connection, ensures that packets are not lost, and makes sure the devices at each end of the connection are communicating properly.
To enable flow control, see Chapter 3, “Customizing L2TP Services.”
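As an added example (not code from this manual or from Bay Networks), the following Python parser reads the tunnel ID and call (session) ID described above out of an L2TP packet header, along with the Ns/Nr sequence numbers that carry flow control. The header layout and flag bits follow RFC 2661 (L2TPv2 over UDP); the sample packets are constructed for illustration, not captured from a network.

```python
"""Parse an L2TPv2 header (RFC 2661, section 3.1) and expose its tunnel/session IDs.

Layout: flags/version (2 bytes), optional Length, Tunnel ID, Session ID,
optional Ns/Nr sequence numbers, optional Offset Size plus padding, then payload.
"""
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_VERSION = 2

# Bit masks in the first 16-bit word of the header.
FLAG_TYPE = 0x8000      # T: 1 = control message, 0 = data message
FLAG_LENGTH = 0x4000    # L: Length field present
FLAG_SEQ = 0x0800       # S: Ns and Nr fields present
FLAG_OFFSET = 0x0200    # O: Offset Size field present
FLAG_PRIORITY = 0x0100  # P: priority (data messages only)
VERSION_MASK = 0x000F


@dataclass
class L2TPHeader:
    is_control: bool
    tunnel_id: int      # identifies the LAC-to-LNS tunnel
    session_id: int     # call ID: identifies one user's session inside the tunnel
    length: Optional[int]
    ns: Optional[int]   # sequence number of this message (flow control)
    nr: Optional[int]   # next sequence number expected from the peer
    priority: bool
    payload: bytes      # PPP frame (data message) or AVPs (control message)


def _u16(pkt: bytes, pos: int, what: str) -> int:
    """Read a big-endian 16-bit field, rejecting truncated packets."""
    if pos + 2 > len(pkt):
        raise ValueError(f"truncated L2TP header: {what} missing")
    return struct.unpack_from("!H", pkt, pos)[0]


def parse_l2tp_header(pkt: bytes) -> L2TPHeader:
    flags = _u16(pkt, 0, "flags/version")
    version = flags & VERSION_MASK
    if version != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {version}")
    is_control = bool(flags & FLAG_TYPE)
    has_length = bool(flags & FLAG_LENGTH)
    has_seq = bool(flags & FLAG_SEQ)
    has_offset = bool(flags & FLAG_OFFSET)
    priority = bool(flags & FLAG_PRIORITY)
    # RFC 2661: a control message must carry Length and Ns/Nr, must not carry
    # an Offset, and must leave the P bit clear.
    if is_control and (not has_length or not has_seq or has_offset or priority):
        raise ValueError("malformed control message flags")

    pos = 2
    length = None
    if has_length:
        length = _u16(pkt, pos, "Length")
        pos += 2
        if length > len(pkt):
            raise ValueError("Length field exceeds packet size")
    tunnel_id = _u16(pkt, pos, "Tunnel ID")
    session_id = _u16(pkt, pos + 2, "Session ID")
    pos += 4
    ns = nr = None
    if has_seq:
        ns = _u16(pkt, pos, "Ns")
        nr = _u16(pkt, pos + 2, "Nr")
        pos += 4
    if has_offset:
        offset_size = _u16(pkt, pos, "Offset Size")
        pos += 2 + offset_size  # skip the padding that follows Offset Size
        if pos > len(pkt):
            raise ValueError("Offset Size exceeds packet size")
    end = length if length is not None else len(pkt)
    return L2TPHeader(is_control, tunnel_id, session_id, length,
                      ns, nr, priority, pkt[pos:end])


def is_well_formed(pkt: bytes) -> bool:
    """True when the packet parses as L2TPv2 with consistent flags and lengths."""
    try:
        parse_l2tp_header(pkt)
        return True
    except ValueError:
        return False


# Constructed sample packets (not captured from a real network).
# Data message on tunnel 1, session 5, Ns=3, Nr=2, carrying the start of a
# PPP frame (address 0xff, control 0x03, protocol 0x0021 = IP).
SAMPLE_DATA = bytes.fromhex("0802 0001 0005 0003 0002 ff03 0021")
# Zero-length-body control message (ZLB acknowledgement) on tunnel 1, Ns=7, Nr=4.
SAMPLE_ZLB = bytes.fromhex("c802 000c 0001 0000 0007 0004")
# The data message with its version nibble corrupted to 3.
SAMPLE_BAD_VERSION = bytes.fromhex("0803 0001 0005 0003 0002 ff03 0021")

if __name__ == "__main__":
    for pkt in (SAMPLE_DATA, SAMPLE_ZLB):
        hdr = parse_l2tp_header(pkt)
        print(f"control={hdr.is_control} tunnel={hdr.tunnel_id} "
              f"session={hdr.session_id} ns={hdr.ns} nr={hdr.nr} "
              f"payload={hdr.payload.hex()}")
    print("corrupted version accepted?", is_well_formed(SAMPLE_BAD_VERSION))
```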

Components of an L2TP Network

The following sections describe the components of an L2TP network. For illustrations of L2TP networks, see Figures 1-1 and 1-2 on page 1-7.

Remote Host

At the remote site is the user who wants to dial in to the corporate network. The remote user can be located anywhere, provided that the user can dial into an ISP network using a PC or a router. The ISP provides the connection to the Internet.
The host at the remote site can be a PC or router that uses PPP for dial-up connections.
If the PC or router does not have built-in L2TP software capabilities, it dials into a LAC, which provides a tunnel across the Internet to the corporate LNS.
If the PC or router is an L2TP client, that is, it has built-in L2TP functionality, the L2TP client software provides a tunnel through a RAS across the Internet to the corporate LNS. A LAC is unnecessary with an L2TP client.
The main difference between connecting an L2TP client and a nonclient is the starting point of the tunnel. For an L2TP client, the tunnel begins at the PC or router; for a non-L2TP client, the tunnel begins at the LAC. All tunnels end at the LNS.
Note: This guide’s primary focus is on an L2TP network between a remote host that does not have built-in L2TP capabilities and uses a LAC, rather than a RAS.

L2TP Access Concentrator (LAC)

The L2TP access concentrator (LAC) resides at the ISP network. The LAC establishes the L2TP tunnel between itself and the LNS.
Note: In this guide, the term LAC refers to a remote access server with L2TP capabilities. The term RAS refers to a remote access server without L2TP capabilities.
When the remote user places a call to the ISP network, this call goes to the LAC. The LAC then negotiates the activation of an L2TP tunnel with the LNS. This tunnel carries data from the remote user to the corporate network.
For more information about the Bay Networks implementation of the LAC in an L2TP network, see “Bay Networks L2TP Implementation” on page 1-11.

Remote Access Server (RAS)

The remote access server (RAS) resides at the ISP network. If the remote host is an L2TP client, the tunnel is established from the remote client through a RAS to an LNS at the corporate network. In this situation, there is no need for a LAC.
The RAS does not establish the tunnel; it only forwards already tunneled data to the destination.

Tunnel Management Server (TMS)

At the ISP network, there needs to be a mechanism for identifying L2TP tunneled users so that the LAC can construct the L2TP tunnel. Bay Networks uses a mechanism called a tunnel management server (TMS); other vendors may use a different method.

L2TP Network Server (LNS)

The L2TP network server (LNS) is a router that resides at the corporate network and serves as the termination point for L2TP tunnels and sessions.
The LNS authenticates the PPP connection request and allows the end-to-end PPP tunneled connection. The LNS may also perform user authentication with a RADIUS server to prevent unauthorized users from accessing the network; however, user authentication may also be done by the LNS itself.
An LNS can support multiple remote users, each communicating within their own L2TP session. The L2TP session is the virtual end-to-end connection over which the LAC sends data to the LNS.
The Bay Networks router is an LNS. For information about the Bay Networks LNS, see “Bay Networks L2TP Implementation” on page 1-11.

RADIUS Server

An L2TP network may include a Remote Authentication Dial-in User Service (RADIUS) server. The RADIUS server has three main functions in an L2TP network:
• Authenticating the remote users
• Assigning IP addresses to the remote users
• Providing accounting services for corporate billing
The RADIUS server database centralizes the authentication function, eliminating the need to configure each LNS with user names and passwords. It also assigns an IP address to a remote host to identify the host. Finally, the RADIUS server can provide accounting services for the corporate network, calculating billing charges for an L2TP session.
For information about the Bay Networks implementation of RADIUS user authentication and accounting, see “RADIUS User Authentication” on page 1-14 and “RADIUS Accounting” on page 1-15.

Examples of L2TP Networks

Figure 1-1 shows an L2TP network that uses a LAC to connect to the LNS. The tunnel is between the LAC and the LNS.
Figure 1-1. L2TP Network Using a LAC (remote host: a PC with no L2TP functionality; PPP connection to the LAC in the ISP network, which also holds the TMS; tunnel from the LAC over a frame relay connection to the LNS in the corporate network, which also holds the RADIUS server; data flows through the tunnel)
Figure 1-2 shows an L2TP network that uses a RAS to connect to the LNS. The tunnel is between the PC (the L2TP client) and the LNS.
Figure 1-2. L2TP Network Using a RAS (remote host: a PC running an L2TP client; tunnel from the PC through the RAS in the ISP network, over a frame relay connection, to the LNS in the corporate network, which also holds the RADIUS server; data flows through the tunnel)

L2TP Packet Encapsulation

The PC or router at the remote site sends PPP packets to the LAC. The LAC encapsulates these incoming packets in L2TP packets and sends them across an IP network through a bidirectional tunnel. After the LNS receives the packets, it decapsulates them and terminates the PPP connection.
Figure 1-3 shows how data is encapsulated for transmission over an L2TP network.
Figure 1-3. Packet Encapsulation Process (remote user places a call; the PPP frame carrying the IP data packet reaches the LAC over the Layer 2 protocol; the LAC encapsulates it as IP/UDP, L2TP, PPP, DATA for the tunnel; the LNS removes the L2TP and PPP headers, and the IP data packet moves to the corporate network)
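The header fields described under “L2TP Sessions” (tunnel ID, call ID or session ID, and the optional sequence numbers used for flow control) and the encapsulation shown in Figure 1-3 are made concrete by the following Python example. It is added to this page and is not Bay Networks LAC or LNS code; it follows the RFC 2661 version-2 header layout. The tunnel and session IDs, the LNS session table, and the PPP frame are constructed sample values, and the acceptance check shows why an LNS only hands a data message to its PPP layer when the tunnel/session pair is one it negotiated with the LAC.

```python
"""Added example (not Bay Networks code): build and parse an L2TP data
message in the RFC 2661 version-2 header layout, then apply the check an
LNS makes before passing the inner PPP frame to its PPP layer: the
tunnel ID / session ID pair must be one it negotiated with the LAC.
All IDs, the session table and the PPP payload are constructed samples.
"""
import struct

# Header flag bits, RFC 2661 section 3.1
FLAG_T = 0x8000        # 1 = control message, 0 = data message
FLAG_L = 0x4000        # Length field present
FLAG_S = 0x0800        # Ns/Nr sequence fields present (flow control)
FLAG_O = 0x0200        # Offset Size field present
VER_MASK = 0x000F
L2TP_VERSION = 2

# Constructed PPP frame: HDLC-style address/control bytes, protocol 0x0021
# (IP), followed by stand-in IP datagram bytes.
PPP_FRAME = bytes([0xFF, 0x03, 0x00, 0x21]) + b"sample IP datagram"

# Constructed table of sessions this LNS has set up with its LAC, keyed by
# (tunnel ID, session ID) exactly as they appear in the L2TP header.
ESTABLISHED_SESSIONS = {
    (0x0011, 0x0001): "remote-user-a",
    (0x0011, 0x0002): "remote-user-b",
}


def build_data_message(tunnel_id, session_id, ppp_frame, ns=None, nr=None):
    """Encapsulate a PPP frame in an L2TP data message (what a LAC does).

    The Length field is always written (L bit). Ns/Nr are written (S bit)
    only when both are given, as on a session with flow control enabled.
    """
    flags = FLAG_L | L2TP_VERSION
    seq = b""
    if ns is not None and nr is not None:
        flags |= FLAG_S
        seq = struct.pack("!HH", ns & 0xFFFF, nr & 0xFFFF)
    body = struct.pack("!HH", tunnel_id, session_id) + seq + ppp_frame
    length = 4 + len(body)          # flags(2) + length(2) + body
    return struct.pack("!HH", flags, length) + body


def parse_l2tp(packet):
    """Parse an L2TP header; return its fields and the payload.

    Raises ValueError for anything that is not a well-formed version-2
    header, so the caller drops the packet instead of guessing.
    """
    if len(packet) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", packet[:2])[0]
    if (flags & VER_MASK) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    pos, end = 2, len(packet)
    if flags & FLAG_L:
        end = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
        if end > len(packet):
            raise ValueError("Length field exceeds packet size")
    if end < pos + 4:
        raise ValueError("truncated L2TP header")
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        if end < pos + 4:
            raise ValueError("S bit set but Ns/Nr missing")
        ns, nr = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
    if flags & FLAG_O:
        if end < pos + 2:
            raise ValueError("O bit set but Offset Size missing")
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]
        if pos > end:
            raise ValueError("offset pad runs past end of packet")
    return {"control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr,
            "payload": packet[pos:end]}


def accept_data_message(packet, sessions=ESTABLISHED_SESSIONS):
    """LNS-side check: return (user, PPP frame) for a data message on a
    known session, or None when the packet must be dropped."""
    try:
        msg = parse_l2tp(packet)
    except ValueError:
        return None
    if msg["control"]:
        return None      # control messages belong to the control channel
    key = (msg["tunnel_id"], msg["session_id"])
    if key not in sessions:
        return None      # tunnel/session pair never negotiated with this LAC
    return sessions[key], msg["payload"]


if __name__ == "__main__":
    pkt = build_data_message(0x0011, 0x0001, PPP_FRAME, ns=5, nr=3)
    print(pkt.hex(), accept_data_message(pkt))
```

The session table stands in for the state a real LNS builds while the call is set up; a packet whose tunnel/session pair is not in that table is dropped rather than looked up, which is the same reason the manual stresses that the call ID is negotiated between the LAC and the LNS. Control messages (T bit set) are recognized but not processed, since they travel on the control channel rather than inside a session.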