05-Layer 2 - WAN Access Configuration Guide


Contents

Configuring L2TP
Overview
Typical L2TP networking
L2TP message types and encapsulation structure
L2TP tunnel and session
L2TP tunneling modes and tunnel establishment process
L2TP features
L2TP-based EAD
Protocols and standards
L2TP configuration task list
Configuring basic L2TP capabilities
Configuring an LAC
Configuring an LAC to initiate tunneling requests for a user
Specifying LNS IP addresses
Configuring the source IP address of L2TP tunnel packets
Enabling transferring AVP data in hidden mode
Configuring AAA authentication on an LAC
Configuring an LAC to automatically establish an L2TP tunnel
Configuring an LNS
Creating a VT interface
Configuring a VA pool
Configuring an LNS to accept L2TP tunneling requests from an LAC
Configuring user authentication on an LNS
Configuring AAA authentication on an LNS
Configuring optional L2TP parameters
Configuring L2TP tunnel authentication
Setting the Hello interval
Setting the DSCP value of L2TP packets
Assigning a tunnel peer to a VPN
Setting the TSA ID of the LTS
Enabling L2TP-based EAD
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Configuring IMSI/SN binding authentication
Displaying and maintaining L2TP
L2TP configuration examples
Configuration example for NAS-initiated L2TP tunnel
Configuration example for client-initiated L2TP tunnel
Configuration example for LAC-auto-initiated L2TP tunnel
Troubleshooting L2TP

 


Configuring L2TP

Overview

The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.

As a Layer 2 VPN technology, L2TP provides a cost-effective solution for remote users to access private networks. L2TP itself does not encrypt the tunneled traffic; combine it with IPsec when the tunnel crosses an untrusted network.

Typical L2TP networking

Figure 1 L2TP network diagram

 

As shown in Figure 1, a typical L2TP network has the following components:

·     Remote system—A remote system is usually a remote user's host or a remote branch's device that needs to access the private network.

·     LAC—An L2TP access concentrator (LAC) is both PPP and L2TP capable. It is usually a network access server (NAS) located at a local ISP, which provides access services mainly for PPP users.

An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system by using L2TP and then sends the encapsulated packets to the LNS. It decapsulates packets received from the LNS and then sends the decapsulated packets to the intended remote system.

·     LNS—An L2TP network server (LNS) is both PPP and L2TP capable. It is usually an edge device on an enterprise network.

An LNS is the other endpoint of an L2TP tunnel. It is the logical termination point of a PPP session tunneled by the LAC. L2TP extends the termination point of a PPP session from a NAS to an LNS by establishing a tunnel.

L2TP message types and encapsulation structure

L2TP uses the following types of messages:

·     Control messages—Used to establish, maintain, and delete L2TP tunnels and sessions. Control messages are transmitted over a reliable control channel, which supports flow control and congestion control.

·     Data messages—Used to encapsulate PPP frames, as shown in Figure 2. Data messages are transmitted over an unreliable data channel and are not retransmitted when packet loss occurs. Data messages can use sequence numbers to reorder packets that are disordered during transport.

Figure 2 Data message format

 

As shown in Figure 3, both control messages and data messages are encapsulated in UDP datagrams.

Figure 3 L2TP encapsulation structure
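To make the header layout concrete, here is a parser for the L2TPv2 header and AVP list written for this page; it is an added example, not code from the H3C documentation or the device software. It follows RFC 2661 section 3.1 (header) and section 4.1 (AVP format) and enforces the rule that a control message must set the T, L and S bits and clear O and P. The sample packets are constructed inline (an SCCRQ from a tunnel named LAC1, a data message carrying an IPv4 PPP frame, and a malformed control message); they are not captured traffic.

```python
import struct
from collections import namedtuple

# Flag bits in the first 16-bit word of the L2TPv2 header (RFC 2661 section 3.1).
T_BIT = 0x8000    # 1 = control message, 0 = data message
L_BIT = 0x4000    # Length field present (mandatory for control messages)
S_BIT = 0x0800    # Ns/Nr sequence fields present
O_BIT = 0x0200    # Offset Size field present (data messages only)
P_BIT = 0x0100    # Priority (data messages only)
VER_MASK = 0x000F

# Control message types carried in the Message Type AVP (RFC 2661 section 6).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
                 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}

Avp = namedtuple("Avp", "mandatory hidden vendor_id attr_type value")
# payload is the AVP list for a control message or the PPP frame for a data message.
L2tpPacket = namedtuple("L2tpPacket", "is_control tunnel_id session_id ns nr payload avps")

def parse_avps(data: bytes) -> list:
    """Walk the AVPs of a control message: 6-byte header (M/H flags and 10-bit
    length, vendor ID, attribute type) followed by the value."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", data, pos)
        length = flags_len & 0x03FF
        if length < 6 or pos + length > len(data):
            raise ValueError("bad AVP length %d" % length)
        avps.append(Avp(bool(flags_len & 0x8000), bool(flags_len & 0x4000),
                        vendor_id, attr_type, data[pos + 6:pos + length]))
        pos += length
    return avps

def parse_l2tp(datagram: bytes) -> L2tpPacket:
    """Parse the UDP payload of an L2TPv2 packet, honouring the optional header fields."""
    if len(datagram) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack_from("!H", datagram, 0)[0]
    if (flags & VER_MASK) != 2:
        raise ValueError("not L2TPv2 (version %d)" % (flags & VER_MASK))
    is_control = bool(flags & T_BIT)
    if is_control and ((flags & (L_BIT | S_BIT)) != (L_BIT | S_BIT) or flags & (O_BIT | P_BIT)):
        raise ValueError("control message must set L and S and clear O and P")
    pos, length = 2, None
    if flags & L_BIT:
        length = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    if flags & O_BIT:
        pos += 2 + struct.unpack_from("!H", datagram, pos)[0]   # Offset Size field plus padding
    end = len(datagram) if length is None else length
    if end > len(datagram) or pos > end:
        raise ValueError("header or Length field exceeds datagram")
    payload = datagram[pos:end]
    return L2tpPacket(is_control, tunnel_id, session_id, ns, nr, payload,
                      parse_avps(payload) if is_control else [])

def message_name(pkt: L2tpPacket) -> str:
    """Control message name from the Message Type AVP (vendor 0, type 0), which RFC 2661
    requires to be the first AVP. An AVP-less control message is a ZLB acknowledgement."""
    if not pkt.is_control:
        return "DATA"
    if not pkt.avps:
        return "ZLB"
    first = pkt.avps[0]
    if (first.vendor_id, first.attr_type) != (0, 0) or len(first.value) != 2:
        raise ValueError("first AVP is not Message Type")
    return MESSAGE_TYPES.get(struct.unpack("!H", first.value)[0], "UNKNOWN")

def classify(datagram: bytes) -> str:
    """Label a UDP/1701 payload for a log line: message name, DATA, or INVALID."""
    try:
        return message_name(parse_l2tp(datagram))
    except (ValueError, struct.error):
        return "INVALID"

def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr_type) + value

# Constructed samples (not captured traffic): an SCCRQ from an LAC named "LAC1" (Message Type
# AVP value 1, Host Name AVP type 7) with tunnel ID 0 because no tunnel exists yet; a data
# message for tunnel 7, session 3 carrying a PPP frame (address/control 0xff03, protocol
# 0x0021 = IPv4) without sequencing; and a malformed control message with the P bit set.
_body = build_avp(0, struct.pack("!H", 1)) + build_avp(7, b"LAC1")
SAMPLE_SCCRQ = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(_body), 0, 0, 0, 0) + _body
SAMPLE_DATA = struct.pack("!HHH", 2, 7, 3) + bytes.fromhex("ff030021") + b"\x45" + b"\x00" * 19
SAMPLE_BAD = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | P_BIT | 2, 12, 0, 0, 0, 0)
```

classify() is the shape of check a detection pipeline would run on UDP/1701 traffic: it separates control traffic, whose AVPs name the peer, from data traffic, and flags flag combinations the RFC forbids, which a conformant LAC or LNS never sends.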

 

L2TP tunnel and session

An L2TP tunnel is a virtual point-to-point connection between an LAC and an LNS. Multiple L2TP tunnels can be established between an LNS and an LAC. An L2TP tunnel can carry one or more L2TP sessions. Each L2TP session corresponds to a PPP session and is multiplexed on an L2TP tunnel. An L2TP session is established between the LAC and LNS when an end-to-end PPP session is established between a remote system and the LNS. Data frames for the PPP session are transmitted over the tunnel between the LAC and LNS.

L2TP tunneling modes and tunnel establishment process

L2TP tunneling modes include NAS-initiated, client-initiated, and LAC-auto-initiated.

NAS-initiated tunneling mode

As shown in Figure 4, a remote system dials in to the LAC through a PPPoE network. The LAC initiates a tunneling request to the LNS over the Internet.

Figure 4 NAS-initiated tunneling mode

 

A NAS-initiated tunnel has the following characteristics:

·     The remote system only needs to support PPP, and it does not need to support L2TP.

·     Authentication and accounting of the remote system can be implemented on the LAC or LNS.

Figure 5 NAS-initiated tunnel establishment process

 

As shown in Figure 5, the following workflow is used to establish a NAS-initiated tunnel:

1.     A remote system (Host A) initiates a PPP connection to the LAC (Device A).

2.     The remote system and LAC perform PPP LCP negotiation.

3.     The LAC authenticates PPP user information of Host A by using PAP or CHAP.

4.     The LAC sends the authentication information (username and password) to its RADIUS server (RADIUS server A) for authentication.

5.     RADIUS server A authenticates the user and returns the result.

6.     The LAC initiates an L2TP tunneling request to the LNS (Device B) when the following conditions exist:

¡     The user passes the authentication.

¡     The user is determined to be an L2TP user according to the username or the ISP domain to which the user belongs.

7.     If tunnel authentication is needed, the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establishing an L2TP tunnel.

8.     The LAC and LNS negotiate to establish L2TP sessions.

9.     The LAC sends PPP user information and PPP negotiation parameters to the LNS.

10.     The LNS sends the authentication information to its RADIUS server (RADIUS server B) for authentication.

11.     RADIUS server B authenticates the user and returns the result.

12.     If the user passes the authentication, the LNS assigns a private IP address to the remote system (Host A).

13.     The PPP user can access internal resources of the enterprise.

In steps 12 and 13, the LAC forwards packets for the remote system and LNS. Host A and LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets.

Client-initiated tunneling mode

As shown in Figure 6, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet. The LAC client can directly initiate a tunneling request to the LNS without any dedicated LAC devices.

Figure 6 Client-initiated tunneling mode

 

A client-initiated tunnel has the following characteristics:

·     A client-initiated tunnel is established directly between the remote system and the LNS, so no intermediate LAC terminates the PPP session or handles the PPP frames. The remote user gets an end-to-end connection to the enterprise.

·     The remote system must support L2TP and be able to reach the LNS over the public network. This limits scalability.

As shown in Figure 7, the workflow for establishing a client-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 7 Client-initiated tunnel establishment process

 

LAC-auto-initiated tunneling mode

In NAS-initiated mode, a remote system must successfully dial in to the LAC through PPPoE.

In LAC-auto-initiated mode, you can use the l2tp-auto-client command on the LAC to trigger the LAC to initiate a tunneling request to the LNS. When a remote system accesses the private network, the LAC forwards data through the L2TP tunnel.

Figure 8 LAC-auto-initiated tunneling mode

 

An LAC-auto-initiated tunnel has the following characteristics:

·     The connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.

·     An L2TP session is established immediately after an L2TP tunnel is established. Then, the LAC and LNS, acting as the PPPoE client and PPPoE server, respectively, perform PPP negotiation.

·     An L2TP tunnel can carry only one L2TP session.

·     The LNS assigns a private IP address to the LAC instead of to the remote system.

As shown in Figure 9, the workflow for establishing an LAC-auto-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 9 Establishment process for LAC-auto-initiated tunnels

 

L2TP features

·     Flexible identity authentication mechanism—L2TP by itself provides neither confidentiality nor integrity protection for tunneled data. It retains all the authentication features of PPP (CHAP or PAP), can optionally authenticate the tunnel endpoints with a shared key (see "Configuring L2TP tunnel authentication"), and can be combined with IPsec to protect the tunneled data.

·     Multiprotocol transmission: L2TP tunnels PPP frames, which can encapsulate packets of multiple network layer protocols.

·     RADIUS authentication—An LAC or LNS can send the username and password of a remote user to a RADIUS server for authentication.

·     Private address allocation—An LNS can dynamically allocate private addresses to remote users. This facilitates address allocation for private internets (RFC 1918) and improves security.

·     Flexible accounting—Accounting can be simultaneously performed on the LAC and LNS. This allows bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway. L2TP can provide accounting data, including inbound and outbound traffic statistics (in packets and bytes) and the connection's start time and end time. The AAA server uses these data for flexible accounting.

·     Reliability—L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can establish a new connection to a secondary LNS. This redundancy enhances the reliability of L2TP services.

·     Issuing tunnel attributes by RADIUS server to LAC—In NAS-initiated mode, the tunnel attributes can be issued by the RADIUS server to the LAC. For the LAC to receive these attributes, enable L2TP and configure remote AAA authentication for PPP users on the LAC.

When an L2TP user dials in to the LAC, the LAC as the RADIUS client sends the user information to the RADIUS server. The RADIUS server authenticates the PPP user, returns the result to the LAC, and issues L2TP tunnel attributes for the PPP user to the LAC. The LAC then sets up an L2TP tunnel and sessions based on the issued L2TP tunnel attributes.

Table 1 Tunnel attributes that can be issued by the RADIUS server

Attribute number, attribute name, and description:

64 Tunnel-Type: Tunnel type, which can only be L2TP.

65 Tunnel-Medium-Type: Transmission medium type for the tunnel, which can only be IPv4.

67 Tunnel-Server-Endpoint: IP address of the LNS.

69 Tunnel-Password: Key used to authenticate a peer of the tunnel.

81 Tunnel-Private-Group-ID: Group ID for the tunnel. The LAC sends this value to the LNS for the LNS to perform an operation accordingly.

82 Tunnel-Assignment-ID: Assignment ID for the tunnel. It indicates the tunnel to which a session is assigned. L2TP users with the same Tunnel-Assignment-ID, Tunnel-Server-Endpoint, and Tunnel-Password attributes share an L2TP tunnel.

90 Tunnel-Client-Auth-ID: Tunnel name. It identifies the local tunnel.

 

The RADIUS server can issue only one set of the L2TP tunnel attributes in a RADIUS packet.

The RADIUS-issued tunnel attributes override the tunnel attributes manually configured on the LAC, but not vice versa.

·     L2TP tunnel switching: Also called multihop L2TP tunneling. As shown in Figure 10, the Layer 2 tunnel switch (LTS) terminates L2TP packets from each LAC as an LNS. It then sends these packets to a destination LNS as an LAC.

L2TP tunnel switching has the following features:

¡     Simplified configuration and deployment—When LACs and LNSs are in different management domains:

-     All LACs consider the LTS as an LNS and do not need to differentiate LNSs on the network.

-     All LNSs consider the LTS as an LAC and are not affected by the addition or deletion of LACs.

¡     L2TP tunnel sharing—Different users can share the same L2TP tunnel between the LAC and the LTS. The LTS distributes data of different users to different LNSs.

Figure 10 L2TP tunnel switching network diagram
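Table 1 describes what the RADIUS server hands to the LAC. The following added example (written for this page, not part of the H3C documentation or the device software) encodes and decodes those RFC 2868 attributes as they appear in an Access-Accept, including the Tunnel-Password (attribute 69) obfuscation defined in RFC 2868 section 3.5, which is keyed with the RADIUS shared secret and the Request Authenticator of the Access-Request. The shared secret, Request Authenticator, LNS address, tunnel names and tunnel key are constructed sample values; the attribute numbers, Tunnel-Type value 3 (L2TP) and Tunnel-Medium-Type value 1 (IPv4) are from the RFC.

```python
import hashlib

# RFC 2868 tunnel attribute numbers listed in Table 1, and the values the page allows.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD = 64, 65, 67, 69
TUNNEL_PRIVATE_GROUP_ID, TUNNEL_ASSIGNMENT_ID, TUNNEL_CLIENT_AUTH_ID = 81, 82, 90
TUNNEL_ATTRS = {64, 65, 67, 69, 81, 82, 90}
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
L2TP, IPV4 = 3, 1                     # Tunnel-Type = L2TP, Tunnel-Medium-Type = IPv4

def _password_stream(secret: bytes, request_auth: bytes, salt: bytes, prev_cipher: bytes) -> bytes:
    """RFC 2868 section 3.5 keystream: MD5(S || R || A) for the first 16-octet chunk,
    MD5(S || previous ciphertext chunk) for every later chunk."""
    if prev_cipher is None:
        return hashlib.md5(secret + request_auth + salt).digest()
    return hashlib.md5(secret + prev_cipher).digest()

def encrypt_tunnel_password(password: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Produce the attribute body after the Tag: Salt (2 octets, high bit set) followed by
    the ciphertext of [Data-Length (1 octet) || password || zero padding to a 16n boundary]."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * ((-len(plain)) % 16)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], _password_stream(secret, request_auth, salt, prev)))
        out += prev
    return salt + out

def decrypt_tunnel_password(body: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the plaintext. The Data-Length check is the only built-in sanity test, so a
    wrong RADIUS shared secret is usually (not always) caught here; there is no MAC."""
    salt, cipher = body[:2], body[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password body")
    plain, prev = b"", None
    for i in range(0, len(cipher), 16):
        chunk = cipher[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(chunk, _password_stream(secret, request_auth, salt, prev)))
        prev = chunk
    if plain[0] > len(plain) - 1:
        raise ValueError("bad Data-Length; wrong RADIUS shared secret?")
    return plain[1:1 + plain[0]]

def attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged attribute as Type, Length, Tag, value."""
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body

def parse_tunnel_attrs(attrs: bytes, secret: bytes, request_auth: bytes) -> dict:
    """Group the tunnel attributes of an Access-Accept by Tag: {tag: {attr_type: value}}.
    A first octet above 0x1F is not a tag but the first octet of the string (RFC 2868)."""
    tunnels, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        body, pos = attrs[pos + 2:pos + length], pos + length
        if t not in TUNNEL_ATTRS:
            continue
        if not body:
            raise ValueError("empty tunnel attribute %d" % t)
        tag, rest = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
        if t in INTEGER_ATTRS:
            value = int.from_bytes(rest, "big")
        elif t == TUNNEL_PASSWORD:
            value = decrypt_tunnel_password(rest, secret, request_auth)
        else:
            value = rest
        tunnels.setdefault(tag, {})[t] = value
    return tunnels

# Constructed sample values (not real credentials or addresses): the RADIUS shared secret,
# the Request Authenticator of the Access-Request being answered, and one set of tunnel
# attributes, all tagged 1, for a PPP user the server has decided is an L2TP user.
SHARED_SECRET = b"radius-shared-secret"
REQUEST_AUTH = bytes(range(16, 32))
TUNNEL_PASSWORD_PLAIN = b"l2tp-tunnel-key"
SAMPLE_ACCEPT_ATTRS = (
    attr(TUNNEL_TYPE, 1, L2TP.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, 1, IPV4.to_bytes(3, "big"))
    + attr(TUNNEL_SERVER_ENDPOINT, 1, b"192.0.2.10")
    + attr(TUNNEL_PASSWORD, 1, encrypt_tunnel_password(TUNNEL_PASSWORD_PLAIN, SHARED_SECRET, REQUEST_AUTH, b"\x80\x01"))
    + attr(TUNNEL_ASSIGNMENT_ID, 1, b"corp-tunnel")
    + attr(TUNNEL_CLIENT_AUTH_ID, 1, b"LAC1")
)

def lac_tunnel_settings(attrs: bytes = SAMPLE_ACCEPT_ATTRS, tag: int = 1) -> dict:
    """The settings an LAC would apply from the issued attributes carrying one tag."""
    t = parse_tunnel_attrs(attrs, SHARED_SECRET, REQUEST_AUTH)[tag]
    if t.get(TUNNEL_TYPE) != L2TP or t.get(TUNNEL_MEDIUM_TYPE) != IPV4:
        raise ValueError("only L2TP over IPv4 is supported")
    return {"lns_ip": t[TUNNEL_SERVER_ENDPOINT].decode(),
            "tunnel_password": t[TUNNEL_PASSWORD],
            "assignment_id": t.get(TUNNEL_ASSIGNMENT_ID, b"").decode(),
            "local_tunnel_name": t.get(TUNNEL_CLIENT_AUTH_ID, b"").decode()}
```

Two consequences worth noting: the issued Tunnel-Password is only as secret as the RADIUS shared secret on the path between the server and the LAC (RADIUS over UDP adds no other protection), and the one-byte Data-Length check is the only thing that detects a mismatched shared secret, so a wrong secret can occasionally decode to garbage without raising an error.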

 

L2TP-based EAD

Endpoint admission defense (EAD) performs a second check on PPP users that have passed access authentication. PPP users that pass the EAD check can access network resources. PPP users that fail the EAD check can access only the resources in the quarantine area.

EAD uses the following procedure:

1.     The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication, the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to filter incoming packets.

2.     After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode client. The server IP address is permitted by the isolation ACLs.

3.     The CAMS/IMC server authenticates the iNode client and performs security check for the iNode client. If the iNode client passes security check, the CAMS/IMC server assigns security ACLs for the iNode client to the LNS. The iNode client can access network resources.

Protocols and standards

·     RFC 1661, The Point-to-Point Protocol (PPP)

·     RFC 1918, Address Allocation for Private Internets

·     RFC 2661, Layer Two Tunneling Protocol "L2TP"

·     RFC 2868, RADIUS Attributes for Tunnel Protocol Support

L2TP configuration task list

When you configure L2TP, perform the following tasks:

1.     Determine the network devices needed according to the networking environment.

¡     For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS.

¡     For client-initiated mode, you only need to configure the LNS.

2.     Configure the devices based on the intended role (LAC or LNS) on the network.

To configure a device as an LAC in NAS-initiated or LAC-auto-initiated mode, complete the following tasks:

 

Tasks at a glance

Remarks

(Required.) Configuring basic L2TP capabilities

N/A

Configuring an LAC:

·     (Required.) Configuring an LAC to initiate tunneling requests for a user

·     (Required.) Specifying LNS IP addresses

·     (Optional.) Configuring the source IP address of L2TP tunnel packets

·     (Optional.) Enabling transferring AVP data in hidden mode

·     (Required.) Configuring AAA authentication on an LAC

·     (Required.) Configuring an LAC to automatically establish an L2TP tunnel

The first and fifth tasks are required for NAS-initiated mode and unnecessary for LAC-auto-initiated mode.

The last task is required for LAC-auto-initiated mode and unnecessary for NAS-initiated mode.

(Optional.) Configuring optional L2TP parameters:

·     Configuring L2TP tunnel authentication

·     Setting the Hello interval

·     Setting the DSCP value of L2TP packets

·     Assigning a tunnel peer to a VPN

·     Setting the TSA ID of the LTS

N/A

 

To configure a device as an LNS in NAS-initiated, client-initiated, or LAC-auto-initiated mode, complete the following tasks:

 

Tasks at a glance

(Required.) Configuring basic L2TP capabilities

Configuring an LNS:

·     (Required.) Creating a VT interface

·     (Optional.) Configuring a VA pool 

·     (Required.) Configuring an LNS to accept L2TP tunneling requests from an LAC

·     (Optional.) Configuring user authentication on an LNS

·     (Optional.) Configuring AAA authentication on an LNS

(Optional.) Configuring optional L2TP parameters:

·     Configuring L2TP tunnel authentication

·     Setting the Hello interval

·     Setting the DSCP value of L2TP packets

·     Assigning a tunnel peer to a VPN

·     Setting the TSA ID of the LTS

(Optional.) Enabling L2TP-based EAD

(Optional.) Configuring IMSI/SN binding authentication

 

Configuring basic L2TP capabilities

Basic L2TP capability configuration includes the following tasks:

·     Enabling L2TP—L2TP must be enabled for L2TP configurations to take effect.

·     Creating an L2TP group—An L2TP group is intended to represent a group of parameters. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs. An L2TP group has local significance only. However, the relevant settings of the L2TP groups on the LAC and LNS must match. For example, the local tunnel name configured on the LAC must match the tunnel peer name configured on the LNS.

·     Configuring the local tunnel name—The local tunnel name identifies the tunnel at the local end during tunnel negotiation between an LAC and an LNS.

To configure basic L2TP capabilities:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable L2TP.

l2tp enable

By default, L2TP is disabled.

3.     Create an L2TP group, specify its mode, and enter its view.

l2tp-group group-number mode { lac | lns }

By default, no L2TP group is created.

Specify the mode as lac on the LAC side and as lns on the LNS side.

4.     Specify the local tunnel name.

tunnel name name

Optional.

By default, the device name is used.

 

Configuring an LAC

An LAC establishes tunnels with LNSs and forwards packets between LNSs and remote systems.

Configuring an LAC to initiate tunneling requests for a user

This task configures an LAC to initiate tunneling requests to an LNS for a user. When the PPP user information matches the specified user, the LAC determines that the PPP user is an L2TP user and initiates tunneling requests to the LNS.

You can specify a user by configuring one of the following items:

·     Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of a PPP user matches the configured fully qualified name.

·     Domain name—The LAC initiates tunneling requests to the LNS only if the ISP domain name of a PPP user matches the configured domain name.

To configure an LAC to initiate tunneling requests for a user:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

N/A

3.     Configure the LAC to initiate tunneling requests for a user.

user { domain domain-name | fullusername user-name }

By default, an LAC does not initiate tunneling requests for any users.

 

Specifying LNS IP addresses

You can specify up to five LNS IP addresses. The LAC sends the L2TP tunneling request to the specified LNSs one by one, in configuration order, until an LNS acknowledges the request. That LNS becomes the tunnel peer.

To specify LNS IP addresses:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

N/A

3.     Specify LNS IP addresses.

lns-ip { ip-address }&<1-5>

By default, no LNS IP addresses are specified.

 

Configuring the source IP address of L2TP tunnel packets

As a best practice to ensure high availability, use the IP address of a loopback interface as the source IP address of L2TP tunnel packets on the LAC. If equal cost routing paths exist between the LAC and LNS, you must use the IP address of a loopback interface as the source IP address of L2TP tunnel packets. To do so, use the source-ip command or use the RADIUS server to assign a loopback interface address.

To configure the source IP address of L2TP tunnel packets:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

N/A

3.     Configure the source IP address of L2TP tunnel packets.

source-ip ip-address

By default, the source IP address of L2TP tunnel packets is the IP address of the egress interface.

 

Enabling transferring AVP data in hidden mode

L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information. Transferring AVP data in hidden mode conceals sensitive AVP values, such as the user password forwarded for proxy authentication, from anyone who can read the control channel. The device derives the hiding keystream from the key configured by using the tunnel password command. Note that AVP hiding, as defined in RFC 2661, is MD5-based obfuscation keyed with the tunnel password, not authenticated encryption, and it does not protect the tunneled data messages at all. Use IPsec when the tunnel crosses an untrusted network.

This configuration takes effect only when the tunnel authentication feature is enabled. For more information about configuring tunnel authentication, see "Configuring L2TP tunnel authentication."

To enable transferring AVP data in hidden mode:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LAC mode.

l2tp-group group-number [ mode lac ]

N/A

3.     Enable transferring AVP data in hidden mode.

tunnel avp-hidden

By default, AVP data is transferred in plain text.

 

Configuring AAA authentication on an LAC

You can configure AAA authentication on an LAC to authenticate the remote dialup users, so that the LAC initiates a tunneling request only for users who pass authentication. No tunnel is established for users who fail authentication.

The device supports both local AAA authentication and remote AAA authentication.

·     For local AAA authentication, create a local user and configure a password for each remote user on the LAC. The LAC then authenticates a remote user by matching the provided username and password with those configured locally.

·     For remote AAA authentication, configure the username and password of each user on the RADIUS/HWTACACS server. The LAC then sends the remote user's username and password to the server for authentication.

For more information about configuring AAA authentication, see Security Configuration Guide.

To enable AAA authentication on an LAC, you also need to configure PAP or CHAP authentication for PPP users on the user access interfaces. For information about configuring PAP or CHAP, see "Configuring PPP and MP."

Configuring an LAC to automatically establish an L2TP tunnel

To configure an LAC to automatically establish an L2TP tunnel, perform the following tasks:

·     Create a virtual PPP interface and configure an IP address for the interface.

·     In virtual PPP interface view, use the ppp pap or ppp chap command to configure the side to be authenticated by PPP as follows:

¡     Specify the PPP authentication method for the PPP user.

¡     Configure the username and password of the PPP user.

The LNS then authenticates the PPP user. For more information, see "Configuring PPP and MP."

·     Trigger the LAC to automatically establish an L2TP tunnel.

To configure an LAC to automatically establish an L2TP tunnel:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a virtual PPP interface and enter its view.

interface virtual-ppp interface-number

By default, no virtual PPP interface is created.

3.     Configure the IP address of the virtual PPP interface.

·     Assign an IP address to the virtual PPP interface.
ip address address mask

·     Enable IP address negotiation on the virtual PPP interface.
ip address ppp-negotiate

By default, no IP address is configured.

4.     Configure the peer to be authenticated.

See "Configuring PPP and MP."

N/A

5.     Configure the LAC to automatically establish an L2TP tunnel with the LNS.

l2tp-auto-client l2tp-group group-number

By default, an LAC does not establish an L2TP tunnel.

An L2TP tunnel automatically established in LAC-auto-initiated mode exists until you remove the tunnel by using the undo l2tp-auto-client or undo l2tp-group group-number command.

6.     (Optional.) Set the description for the interface.

description text

By default, the description of an interface is in the format of interface-name Interface, for example, Virtual-PPP254 Interface.

7.     Set the MTU size of the interface.

mtu size

The default setting is 1500 bytes.

8.     (Optional.) Set the keepalive interval.

timer-hold seconds

The default setting is 10 seconds.

9.     (Optional.) Set the keepalive retry limit.

timer-hold retry retries

The default setting is 5.

10.     (Optional.) Specify a primary traffic processing slot for the interface.

·     In standalone mode:
service slot slot-number

·     In IRF mode:
service chassis chassis-number slot slot-number

By default, no primary traffic processing slot is specified for an interface.

11.     (Optional.) Specify a backup traffic processing slot for the interface.

·     In standalone mode:
service standby slot slot-number

·     In IRF mode:
service standby chassis chassis-number slot slot-number

By default, no backup traffic processing slot is specified for an interface.

12.     (Optional.) Set the expected bandwidth for the interface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is interface baudrate divided by 1000.

13.     (Optional.) Restore the default settings for the interface.

default

N/A

14.     (Optional.) Bring up the interface.

undo shutdown

By default, an interface is up.

 

Configuring an LNS

An LNS responds to the tunneling requests from an LAC, authenticates users, and assigns IP addresses to users.

Creating a VT interface

After an L2TP session is established, a virtual access (VA) interface is needed for data exchange with the peer. The system will dynamically create VA interfaces based on the parameters of the virtual template (VT) interface. To configure an LNS, first create a VT interface and configure the following parameters for it:

·     Interface IP address.

·     Authentication mode for PPP users.

·     IP addresses allocated by the LNS to PPP users.

For information about configuring VT interfaces, see "Configuring PPP and MP" and Layer 3—IP Services Configuration Guide.

Configuring a VA pool

A VA pool contains a group of VA interfaces. You can configure a VA pool to improve the performance of establishing or terminating L2TP connections. The LNS selects a VA interface from the pool for a requesting user and releases the VA interface when the user goes offline. When a VA pool is exhausted, the system creates a VA interface for an L2TP connection and deletes it when the user goes offline.

Configuration guidelines

When you configure a VA pool, follow these guidelines:

·     A VT interface can be associated with only one VA pool. To change the capacity of a VA pool, delete the previous configuration and reconfigure the VA pool.

·     Creating or deleting a VA pool takes time. During the process of creating or deleting a VA pool, users can come online or go offline, but the VA pool does not take effect.

·     Because of insufficient resources, the system might create a VA pool with fewer VA interfaces than the specified number. To view the number of available VA interfaces and the current state of the VA pool, use the display l2tp va-pool command.

·     Create a VA pool with an appropriate capacity, because a VA pool consumes a large amount of system memory.

·     Deleting a VA pool does not log off the users who are using VA interfaces in the VA pool.

Configuration procedure

To configure a VA pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a VA pool.

l2tp virtual-template template-number va-pool va-volume

By default, no VA pool is created.

 

Configuring an LNS to accept L2TP tunneling requests from an LAC

When receiving a tunneling request, an LNS performs the following operations:

·     Determines whether to accept the tunneling request by checking whether the name of the tunnel peer (LAC) matches the one configured.

·     Determines the VT interface to be used for creating the VA interface.

To configure an LNS to accept L2TP tunneling requests from an LAC:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

N/A

3.     Configure the LNS to accept tunneling requests from an LAC and specify the VT interface to be used for tunnel setup.

·     If the L2TP group number is 1:
allow l2tp virtual-template virtual-template-number [ remote remote-name ]

·     If the L2TP group number is not 1:
allow l2tp virtual-template virtual-template-number remote remote-name

By default, an LNS denies tunneling requests from any LAC.

If the L2TP group number is 1, the remote remote-name option is optional. If you do not specify this option, the LNS accepts tunneling requests from any LAC. In that case, enable tunnel authentication (see "Configuring L2TP tunnel authentication") so that tunnel setup still requires the shared key; otherwise, any host that can reach the LNS can open a tunnel.

 

Configuring user authentication on an LNS

An LNS can be configured to authenticate a user that has passed authentication on the LAC to increase security. In this case, the user is authenticated once on the LAC and once on the LNS. An L2TP tunnel can be established only when both authentications succeed.

An LNS provides the following authentication methods in ascending order of priority:

·     Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC forwards to the LNS the authentication information it collected from the user, together with the authentication method configured on the LAC itself. The LNS then checks the user's validity according to the received information and the locally configured authentication method.

·     Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who have passed authentication on the LAC.

·     LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The LNS chooses an authentication method depending on your configuration.

·     If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP renegotiation.

·     If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication for users after proxy authentication succeeds.

·     If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication.

Configuring mandatory CHAP authentication

When mandatory CHAP authentication is configured, a user who accesses the network through an LAC is authenticated by both the LAC and the LNS. Some client software does not support a second authentication round at the LNS. For such users, do not enable this feature, because CHAP authentication on the LNS will fail.

For this feature to take effect, you must also configure CHAP authentication for the PPP user on the VT interface of the LNS.

To configure mandatory CHAP authentication:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

N/A

3.     Configure mandatory CHAP authentication.

mandatory-chap

By default, CHAP authentication is not performed on an LNS.

This command is effective only on NAS-initiated L2TP tunnels.

 

Configuring LCP renegotiation

To establish a NAS-initiated L2TP tunnel, a user first negotiates with the LAC at the start of a PPP session. If the negotiation succeeds, the LAC initiates an L2TP tunneling request and sends user information to the LNS. The LNS then authenticates the user according to the proxy authentication information received.

For the LNS not to accept LCP negotiation parameters, configure this feature to perform a new round of LCP negotiation between the LNS and the user. In this case, the LNS authenticates the user by using the authentication method configured on the corresponding VT interface.

If you enable LCP renegotiation but configure no authentication for the corresponding VT interface, the LNS does not perform an additional authentication for users.

To configure the LNS to perform LCP renegotiation with users:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

N/A

3.     Configure the LNS to perform LCP renegotiation with users.

mandatory-lcp

By default, an LNS does not perform LCP renegotiation with users.

This command is effective only on NAS-initiated L2TP tunnels.

 

Configuring AAA authentication on an LNS

After you configure AAA authentication on an LNS, the LNS can authenticate the usernames and passwords of remote access users. If a user passes AAA authentication, the user can communicate with the LNS to access the private network.

Configure AAA authentication on the LNS in one of the following cases:

·     LCP renegotiation is not configured in NAS-initiated mode.

·     The VT interface is configured with PPP user authentication and LCP renegotiation is configured in NAS-initiated mode.

·     The VT interface is configured with PPP user authentication in client-initiated mode or LAC-auto-initiated mode.

AAA configuration on the LNS is similar to that on an LAC (see "Configuring AAA authentication on an LAC").

Configuring optional L2TP parameters

The optional L2TP parameter configuration tasks apply to both LACs and LNSs.

Configuring L2TP tunnel authentication

Tunnel authentication allows the LAC and LNS to authenticate each other. Either the LAC or the LNS can initiate a tunnel authentication request.

You can enable tunnel authentication on both sides or either side.

To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.

When neither side is enabled with tunnel authentication, the key settings of the LAC and the LNS do not affect the tunnel establishment.

To ensure tunnel security, enable tunnel authentication.

For the tunnel authentication key change to take effect, change the tunnel authentication key before tunnel negotiation is performed.
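The following Python simulation is an added illustration of what the tunnel authentication key is used for; it is not code from the H3C documentation or device. It models the SCCRQ/SCCRP/SCCCN control exchange with the CHAP-style Challenge and Challenge Response AVPs from RFC 2661 (response = MD5 of the message type byte, the shared key and the challenge), which is assumed to be how the device implements tunnel authentication. It shows the cases the text describes: either side may challenge, both sides need the same non-null key whenever at least one side has authentication enabled, and the keys are irrelevant when neither side enables it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# L2TP control message types (RFC 2661); the type byte of the message carrying
# the response doubles as the CHAP ID in the Challenge Response AVP.
SCCRQ, SCCRP, SCCCN = 1, 2, 3


@dataclass
class Endpoint:
    name: str
    auth_enabled: bool     # "tunnel authentication" / "undo tunnel authentication"
    key: Optional[bytes]   # "tunnel password ..." (None = no key set)


def challenge_response(msg_type: int, key: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID || shared key || challenge)."""
    return hashlib.md5(bytes([msg_type]) + key + challenge).digest()


def establish_tunnel(lac: Endpoint, lns: Endpoint) -> Tuple[bool, str]:
    """Simulate SCCRQ -> SCCRP -> SCCCN with tunnel authentication.

    Returns (established, reason). Challenges are random nonces, so the
    exchange cannot be replayed from a captured one.
    """
    for ep in (lac, lns):
        if ep.auth_enabled and not ep.key:
            return False, f"{ep.name}: tunnel authentication enabled but no non-null key set"

    # SCCRQ: the LAC includes a Challenge AVP only if authentication is enabled on it.
    lac_challenge = os.urandom(16) if lac.auth_enabled else None

    # SCCRP: the LNS must answer any challenge it received and adds its own
    # challenge if authentication is enabled on its side.
    lns_response = None
    if lac_challenge is not None:
        if not lns.key:
            return False, f"{lns.name}: received a challenge but has no tunnel password"
        lns_response = challenge_response(SCCRP, lns.key, lac_challenge)
    lns_challenge = os.urandom(16) if lns.auth_enabled else None

    # The LAC verifies the SCCRP response against its own key (constant-time compare).
    if lac_challenge is not None:
        expected = challenge_response(SCCRP, lac.key, lac_challenge)
        if not hmac.compare_digest(expected, lns_response):
            return False, f"{lac.name}: rejected SCCRP, tunnel password mismatch"

    # SCCCN: the LAC answers the LNS challenge; the LNS verifies it.
    if lns_challenge is not None:
        if not lac.key:
            return False, f"{lac.name}: received a challenge but has no tunnel password"
        lac_response = challenge_response(SCCCN, lac.key, lns_challenge)
        expected = challenge_response(SCCCN, lns.key, lns_challenge)
        if not hmac.compare_digest(expected, lac_response):
            return False, f"{lns.name}: rejected SCCCN, tunnel password mismatch"

    return True, "tunnel established"


if __name__ == "__main__":
    lac = Endpoint("LAC", True, b"aabbcc")
    print(establish_tunnel(lac, Endpoint("LNS", True, b"aabbcc")))   # both sides, same key
    print(establish_tunnel(lac, Endpoint("LNS", False, b"aabbcc")))  # one side only, same key
    print(establish_tunnel(lac, Endpoint("LNS", True, b"secret2")))  # key mismatch
    print(establish_tunnel(Endpoint("LAC", False, None), Endpoint("LNS", False, b"x")))  # neither side: keys ignored
```

The key is never sent on the wire; each side proves knowledge of it by answering a fresh challenge, which is why the key must be identical on both ends before negotiation starts, as the paragraph on key changes notes.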

To configure L2TP tunnel authentication:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

N/A

3.     Enable L2TP tunnel authentication.

tunnel authentication

By default, L2TP tunnel authentication is enabled.

4.     Set the tunnel authentication key.

tunnel password { cipher | simple } string

By default, no key is set.

 

Setting the Hello interval

To check the connectivity of a tunnel, the LAC and LNS periodically send each other Hello packets. At receipt of a Hello packet, the LAC or LNS returns a response packet. If the LAC or LNS receives no response packets from the peer within the Hello interval, it retransmits the Hello packet. If it receives no response packets from the peer after transmitting the Hello packet five times, it considers the L2TP tunnel to be down.

To set the Hello interval:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

N/A

3.     Set the Hello interval.

tunnel timer hello hello-interval

The default setting is 60 seconds.

 

Setting the DSCP value of L2TP packets

The DSCP field is the first 6 bits of the IP ToS byte. This field marks the priority of IP packets for forwarding. This feature sets the DSCP value for the IP packet when L2TP encapsulates a PPP frame into an IP packet.

To set the DSCP value of L2TP packets:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

N/A

3.     Set the DSCP value of L2TP packets.

ip dscp dscp-value

The default setting is 0.

 

Assigning a tunnel peer to a VPN

By default, the device transmits L2TP control messages and data messages over the public network. With this feature, the device transmits them in a VPN by searching the routing table in the VPN.

When one L2TP endpoint is in a VPN, assign the peer endpoint to the VPN for correct packet forwarding between the two endpoints.

To assign the tunnel peer to a VPN:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

N/A

3.     Assign the tunnel peer to a VPN.

vpn-instance vpn-instance-name

By default, a tunnel peer belongs to the public network.

The tunnel peer and the physical port connecting to the tunnel peer should belong to the same VPN. The VPN to which this physical port belongs is configured by using the ip binding vpn-instance command.

 

Setting the TSA ID of the LTS

To detect loops, the LTS compares the configured TSA ID with each TSA ID AVP in a received ICRQ packet.

·     If a match is found, a loop exists. The LTS immediately tears down the session.

·     If no match is found, the LTS performs the following operations:

¡     Encapsulates the configured TSA ID into a new TSA ID AVP.

¡     Appends it to the packet.

¡     Sends the packet to the next hop LTS.

To avoid loop detection errors, make sure the TSA ID of each LTS is unique.
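The loop detection described above, as an added Python model (not device code from this guide): each LTS on the path checks the TSA ID AVPs already carried by the ICRQ for its own configured ID, tears the session down on a match, and otherwise appends its own ID before relaying. The `Icrq` class, the LTS names and the TSA ID values are constructed for the illustration. The last scenario shows the caveat in the text: two LTSs sharing a TSA ID produce a false loop detection, and an LTS with no TSA ID configured lets a real loop through.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Icrq:
    """Constructed stand-in for an ICRQ control message; only the TSA ID AVPs
    it carries matter for loop detection."""
    tsa_ids: List[int] = field(default_factory=list)


class LoopDetected(Exception):
    pass


def relay_icrq(own_tsa_id: Optional[int], icrq: Icrq) -> Icrq:
    """What an LTS does with an incoming ICRQ before relaying it.

    own_tsa_id is the value set with "l2tp tsa-id"; None means the command is
    not configured, so loop detection is disabled and the packet passes unchanged.
    """
    if own_tsa_id is None:
        return icrq
    if own_tsa_id in icrq.tsa_ids:
        # Our own ID already travelled through us once: a loop. Tear the session down.
        raise LoopDetected(f"TSA ID {own_tsa_id} already present in {icrq.tsa_ids}")
    # No match: encapsulate our ID in a new TSA ID AVP, append it, send to the next hop.
    return Icrq(icrq.tsa_ids + [own_tsa_id])


def run_chain(path: List[str], tsa_ids: Dict[str, Optional[int]]) -> Tuple[bool, int, List[int]]:
    """Send one ICRQ along the LTS hops in `path`.

    tsa_ids maps an LTS name to its configured TSA ID (None = not configured).
    Returns (reached_last_hop, hops_processed, tsa_ids_carried_when_stopped).
    """
    icrq = Icrq()
    for hop, name in enumerate(path, 1):
        try:
            icrq = relay_icrq(tsa_ids.get(name), icrq)
        except LoopDetected:
            return False, hop, icrq.tsa_ids
    return True, len(path), icrq.tsa_ids


if __name__ == "__main__":
    print(run_chain(["LTS-A", "LTS-B", "LTS-C"], {"LTS-A": 1, "LTS-B": 2, "LTS-C": 3}))  # clean path
    print(run_chain(["LTS-A", "LTS-B", "LTS-A"], {"LTS-A": 1, "LTS-B": 2}))             # real loop, caught at hop 3
    print(run_chain(["LTS-A", "LTS-B"], {"LTS-A": 7, "LTS-B": 7}))                      # duplicate IDs: false loop
    print(run_chain(["LTS-A", "LTS-B", "LTS-A"], {"LTS-A": None, "LTS-B": 2}))          # A unconfigured: loop missed
```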

To set the TSA ID of the LTS:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the TSA ID of the LTS and enable L2TP loop detection on the LTS.

l2tp tsa-id tsa-id

By default, the TSA ID of the LTS is not configured, and L2TP loop detection is disabled on the LTS.

 

Enabling L2TP-based EAD

Configuration restrictions and guidelines

Follow these restrictions and guidelines when you configure L2TP-based EAD:

·     EAD authentication fails if no ACLs or rules are configured on the CAMS/IMC server even if EAD is enabled on the LNS.

·     The LNS can use different ACLs to filter packets from different iNode clients.

·     As a best practice, use EAD authentication for iNode clients on the Internet and use Portal authentication for iNode clients on a LAN.

Configuration prerequisites

Make sure Portal, AAA, RADIUS, and the security service server are configured as required before you enable L2TP-based EAD. For more information about AAA, RADIUS, and Portal, see Security Configuration Guide. For more information about the security service configuration, see CAMS EAD help and iMC EAD help.

Configuration procedure

To enable L2TP-based EAD:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a VT interface and enter its view.

interface virtual-template interface-number

N/A

3.     Enable L2TP-based EAD.

ppp access-control enable

By default, L2TP-based EAD is disabled.

 

Configuring IMSI/SN binding authentication

Perform this task on the LNS to initiate IMSI/SN binding authentication.

You must configure this feature on the LNS in either of the following conditions:

·     A 3G or 4G router acts as a client and accesses the LNS in client-initiated mode.

·     A 4G router acts as an LAC and is automatically triggered to access the LNS in LAC-auto-initiated mode.

To configure IMSI/SN binding authentication:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VT interface view.

interface virtual-template interface-number

N/A

3.     Configure IMSI/SN binding authentication information.

·     (Method 1) Enable the LNS to initiate IMSI/SN binding authentication requests.
ppp lcp imsi request
ppp lcp sn request

·     (Method 2) Configure the separator for the received authentication information.
ppp user accept-format imsi-sn split splitchart

Use one of the methods.

By default, the LNS does not initiate IMSI/SN binding authentication requests.

By default, no separator is configured for the received authentication information.

4.     (Optional.) Replace the client username with the IMSI or SN information for authentication.

ppp user replace { imsi | sn }

By default, the client username is used for authentication.

 

Displaying and maintaining L2TP

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display L2TP tunnel information.

display l2tp tunnel [ statistics ]

Display L2TP session information.

display l2tp session [ statistics ]

Display information about temporary L2TP sessions.

display l2tp session temporary

Display information about virtual PPP interfaces.

display interface [ virtual-ppp [ interface-number ] ] [ brief [ description | down ] ]

Display information about L2TP VA pools.

display l2tp va-pool

Disconnect an L2TP tunnel.

reset l2tp tunnel { id tunnel-id | name remote-name }

Clear the statistics for virtual PPP interfaces.

reset counters interface [ virtual-ppp [ interface-number ] ]

 

L2TP configuration examples

Configuration example for NAS-initiated L2TP tunnel

Network requirements

As shown in Figure 11, a PPP user is connected to an LNS through an LAC.

Set up an L2TP tunnel between the LAC and LNS to allow the PPP user to access the corporate network.

Figure 11 Network diagram

 

Configuration procedure

1.     Configure the LAC:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LAC> system-view

[LAC] local-user vpdnuser class network

[LAC-luser-network-vpdnuser] password simple Hello

[LAC-luser-network-vpdnuser] service-type ppp

[LAC-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LAC] domain system

[LAC-isp-system] authentication ppp local

[LAC-isp-system] quit

# Create Virtual-Template 1 and specify its PPP authentication mode as CHAP.

[LAC] interface virtual-template 1

[LAC-virtual-template1] ppp authentication-mode chap domain system

[LAC-virtual-template1] quit

# Enable the PPPoE server on GigabitEthernet 1/1/0 and bind the interface to Virtual-Template 1.

[LAC] interface gigabitethernet 1/1/0

[LAC-GigabitEthernet1/1/0] pppoe-server bind virtual-template 1

[LAC-GigabitEthernet1/1/0] quit

# Enable L2TP.

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC.

[LAC-l2tp1] tunnel name LAC

# Specify PPP user vpdnuser as the condition for the LAC to initiate tunneling requests.

[LAC-l2tp1] user fullusername vpdnuser

# Specify the LNS IP address as 1.1.2.2.

[LAC-l2tp1] lns-ip 1.1.2.2

# Enable tunnel authentication, and specify the tunnel authentication key as aabbcc.

[LAC-l2tp1] tunnel authentication

[LAC-l2tp1] tunnel password simple aabbcc

[LAC-l2tp1] quit

2.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LNS> system-view

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP.

[LNS] l2tp enable

# Create a PPP address pool.

[LNS] ip pool aaa 192.168.0.10 192.168.0.20

[LNS] ip pool aaa gateway 192.168.0.1

# Create Virtual-Template 1, specify its PPP authentication mode as CHAP, and use address pool aaa to assign IP addresses to the PPP users.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ppp authentication-mode chap domain system

[LNS-virtual-template1] remote address pool aaa

[LNS-virtual-template1] quit

# Create L2TP group 1 in LNS mode.

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS.

[LNS-l2tp1] tunnel name LNS

# Specify Virtual-Template 1 for receiving calls from an LAC.

[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication, and specify the tunnel authentication key as aabbcc.

[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password simple aabbcc

[LNS-l2tp1] quit

3.     On the remote system, enter vpdnuser as the username and Hello as the password in the dial-up network window to dial a connection.

Verifying the configuration

After the dial-up connection is established, the remote system can obtain an IP address and can ping the private IP address of the LNS.

# On the LNS, use the display l2tp tunnel command to check the established L2TP tunnels.

[LNS] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

196      3542      Established   1        1.1.2.1          1701       LAC

# On the LNS, use the display l2tp session command to check the established L2TP sessions.

[LNS] display l2tp session

LocalSID      RemoteSID      LocalTID      State

2041          64             196           Established
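As an added verification helper (not part of this guide or the device software), the Python script below parses the display l2tp tunnel and display l2tp session output in the format shown above and checks that the only tunnel present comes from the expected peer name and address, is Established, and has the session count the tunnel line claims. The embedded sample output is constructed from the verification step above; the expected peer name and address are the values from this example.

```python
from typing import Dict, List

# Constructed sample output in the format of the verification step above.
TUNNEL_OUTPUT = """\
LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName
196      3542      Established   1        1.1.2.1          1701       LAC
"""

SESSION_OUTPUT = """\
LocalSID      RemoteSID      LocalTID      State
2041          64             196           Established
"""

L2TP_UDP_PORT = "1701"  # well-known L2TP port (RFC 2661)


def parse_display_table(text: str) -> List[Dict[str, str]]:
    """Turn a whitespace-aligned display table into a list of row dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):  # skip prompts and wrapped lines
            rows.append(dict(zip(header, fields)))
    return rows


def check_tunnel(tunnel_text: str, session_text: str,
                 expected_peer: str, expected_addr: str) -> List[str]:
    """Compare display output against the expected peer. Returns findings; empty = as expected."""
    findings = []
    tunnels = parse_display_table(tunnel_text)
    sessions = parse_display_table(session_text)

    if not any(t["RemoteName"] == expected_peer for t in tunnels):
        findings.append(f"no tunnel from expected peer {expected_peer}")

    for t in tunnels:
        if t["RemoteName"] != expected_peer:
            # A tunnel from a name we did not configure an allow command for deserves a look.
            findings.append(f"tunnel {t['LocalTID']} from unexpected peer {t['RemoteName']} ({t['RemoteAddress']})")
            continue
        if t["State"] != "Established":
            findings.append(f"tunnel {t['LocalTID']} is {t['State']}, not Established")
        if t["RemoteAddress"] != expected_addr:
            findings.append(f"tunnel {t['LocalTID']} peer address {t['RemoteAddress']} != {expected_addr}")
        if t["RemotePort"] != L2TP_UDP_PORT:
            findings.append(f"tunnel {t['LocalTID']} uses remote port {t['RemotePort']}, not {L2TP_UDP_PORT}")
        # Cross-check the Sessions column against the session table via LocalTID.
        sess = [s for s in sessions if s["LocalTID"] == t["LocalTID"]]
        if len(sess) != int(t["Sessions"]):
            findings.append(f"tunnel {t['LocalTID']} reports {t['Sessions']} session(s) but {len(sess)} listed")
        for s in sess:
            if s["State"] != "Established":
                findings.append(f"session {s['LocalSID']} on tunnel {t['LocalTID']} is {s['State']}")
    return findings


if __name__ == "__main__":
    print(check_tunnel(TUNNEL_OUTPUT, SESSION_OUTPUT, "LAC", "1.1.2.1") or "tunnel as expected")
    print(check_tunnel(TUNNEL_OUTPUT, SESSION_OUTPUT, "LAC", "9.9.9.9"))  # peer address differs
```

Feed it the two command outputs captured from the LNS (for example over an SSH session) to turn the manual check in this section into a repeatable one.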

Configuration example for client-initiated L2TP tunnel

Network requirements

As shown in Figure 12, a PPP user directly initiates a tunneling request to the LNS to access the corporate network.

Figure 12 Network diagram

 

Configuration procedure

1.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Configure the route between the LNS and the remote host. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP.

[LNS] l2tp enable

# Create a PPP address pool.

[LNS] ip pool aaa 192.168.0.10 192.168.0.20

[LNS] ip pool aaa gateway 192.168.0.1

# Create Virtual-Template 1, specify its PPP authentication mode as CHAP, and use address pool aaa to assign IP addresses to the PPP users.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ppp authentication-mode chap domain system

[LNS-virtual-template1] remote address pool aaa

[LNS-virtual-template1] quit

# Create L2TP group 1 in LNS mode.

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS.

[LNS-l2tp1] tunnel name LNS

# Specify Virtual-Template 1 for receiving calls.

[LNS-l2tp1] allow l2tp virtual-template 1

# Disable tunnel authentication.

[LNS-l2tp1] undo tunnel authentication

2.     Configure the remote host:

# Configure the IP address of the remote host as 2.1.1.1, and configure a route to the LNS (1.1.2.2).

# Create a virtual private network connection by using the Windows system, or install the L2TP LAC client software, such as WinVPN Client.

# Complete the following configuration procedure (the procedure depends on the client software):

¡     Specify the PPP username as vpdnuser and the password as Hello.

¡     Specify the Internet interface address of the security gateway as the IP address of the LNS. In this example, the Ethernet interface for the tunnel on the LNS has an IP address of 1.1.2.2.

¡     Modify the connection attributes: set the protocol to L2TP, the encryption attribute to customized, and the authentication mode to CHAP.

Verifying the configuration

# On the remote host, initiate the L2TP connection. After the connection is established, the remote host can obtain the IP address 192.168.0.10 and ping the private IP address of the LNS (192.168.0.1).

# On the LNS, use the display l2tp session command to check the established L2TP session.

[LNS-l2tp1] display l2tp session

LocalSID      RemoteSID      LocalTID      State

89            36245          10878         Established

# On the LNS, use the display l2tp tunnel command to check the established L2TP tunnel.

[LNS-l2tp1] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

10878    21        Established   1        2.1.1.1          1701       PC

Configuration example for LAC-auto-initiated L2TP tunnel

Network requirements

As shown in Figure 13, configure the LAC to establish an L2TP tunnel with the LNS in LAC-auto-initiated mode. When the PPP user initiates a connection, it uses the established tunnel to access the corporate network.

Figure 13 Network diagram

 

Configuration procedure

1.     Configure the LNS:

# Configure IP addresses for the interfaces. (Details not shown.)

# Create a local user named vpdnuser, set the password, and enable the PPP service.

<LNS> system-view

[LNS] local-user vpdnuser class network

[LNS-luser-network-vpdnuser] password simple Hello

[LNS-luser-network-vpdnuser] service-type ppp

[LNS-luser-network-vpdnuser] quit

# Create a PPP address pool.

[LNS] ip pool aaa 192.168.0.10 192.168.0.20

[LNS] ip pool aaa gateway 192.168.0.1

# Create Virtual-Template 1, specify its PPP authentication mode as PAP, and use address pool aaa to assign IP addresses to the PPP users.

[LNS] interface virtual-template 1

[LNS-virtual-template1] ppp authentication-mode pap

[LNS-virtual-template1] remote address pool aaa

[LNS-virtual-template1] quit

# Configure local authentication for PPP users in ISP domain system.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP, and create L2TP group 1 in LNS mode.

[LNS] l2tp enable

[LNS] l2tp-group 1 mode lns

# Configure the local tunnel name as LNS, and specify Virtual-Template 1 for receiving tunneling requests from an LAC.

[LNS-l2tp1] tunnel name LNS

[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC

# Enable tunnel authentication, and configure the authentication key as aabbcc.

[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password simple aabbcc

[LNS-l2tp1] quit

# Configure a static route so that packets destined for the PPP user will be forwarded through the L2TP tunnel.

[LNS] ip route-static 10.2.0.0 16 192.168.0.10

2.     Configure the LAC:

# Configure IP addresses for the interfaces. (Details not shown.)

# Enable L2TP.

<LAC> system-view

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC, and specify the IP address of the tunnel peer (LNS).

[LAC-l2tp1] tunnel name LAC

[LAC-l2tp1] lns-ip 3.3.3.2

# Enable tunnel authentication, and configure the authentication key as aabbcc.

[LAC-l2tp1] tunnel authentication

[LAC-l2tp1] tunnel password simple aabbcc

[LAC-l2tp1] quit

# Create Virtual-PPP 1. Configure its username and password as vpdnuser and Hello and PPP authentication as PAP.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] ip address ppp-negotiate

[LAC-Virtual-PPP1] ppp pap local-user vpdnuser password simple Hello

[LAC-Virtual-PPP1] quit

# Configure a static route so that packets destined for the corporate network will be forwarded through the L2TP tunnel.

[LAC] ip route-static 10.1.0.0 16 virtual-ppp 1

# Trigger the LAC to establish an L2TP tunnel with the LNS.

[LAC] interface virtual-ppp 1

[LAC-Virtual-PPP1] l2tp-auto-client l2tp-group 1

3.     On the remote host, configure the LAC as the gateway.

Verifying the configuration

# On the LNS, use the display l2tp session command to display the established L2TP session.

[LNS] display l2tp session

LocalSID      RemoteSID      LocalTID      State

21409         3395           4501          Established

# On the LNS, use the display l2tp tunnel command to display the established L2TP tunnel.

[LNS] display l2tp tunnel

LocalTID RemoteTID State         Sessions RemoteAddress    RemotePort RemoteName

4501     524       Established   1        3.3.3.1          1701       LAC

# On the LNS, verify that you can ping 10.2.0.1, a private network address on the LAC side. This indicates that hosts on 10.2.0.0/16 and those on 10.1.0.0/16 can communicate with each other through the L2TP tunnel.

[LNS] ping -a 10.1.0.1 10.2.0.1

Ping 10.2.0.1 (10.2.0.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.0.1: icmp_seq=0 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=1 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=2 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=3 ttl=128 time=1.000 ms

56 bytes from 10.2.0.1: icmp_seq=4 ttl=128 time=1.000 ms

 

--- Ping statistics for 10.2.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms

Troubleshooting L2TP

Symptom 1: Failure to access the private network

The remote system cannot access the private network.

Analysis and solution

Possible reasons for the access failure include the following:

·     Tunnel setup failure, which might occur in the following cases:

¡     The address of the LNS is set incorrectly on the LAC (see the lns-ip command).

¡     No L2TP group is configured on the LNS to receive tunneling requests from the tunnel peer (see the allow command).

¡     Tunnel authentication fails. Tunnel authentication must be enabled on both the LAC and the LNS, and the tunnel authentication keys configured on the two sides must match.

·     PPP negotiation failure, which might occur for the following reasons:

¡     Usernames, passwords, or both are incorrectly configured on the LAC or are not configured on the LNS.

¡     The LNS cannot allocate addresses. In this case, check whether IP address negotiation settings are correct on the remote system and LNS.

¡     The authentication type is inconsistent. For example, if the peer does not support MS-CHAP (the default authentication type for a VPN connection created on Windows 2000), the PPP negotiation will fail. In this case, change the authentication type to CHAP on Windows 2000.
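The tunnel setup causes listed above can be checked before dialling. The Python check below is an added example, not code from this guide: it models the few l2tp-group settings involved (lns-ip, allow l2tp virtual-template ... remote, tunnel authentication, tunnel password) as a small dataclass and reports the mismatches between an LAC and an LNS configuration. The `L2tpGroup` class and its field names are this example's own; the sample values come from the NAS-initiated example earlier on this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class L2tpGroup:
    """Subset of an l2tp-group configuration relevant to tunnel setup (example-specific model)."""
    mode: str                              # "lac" or "lns"
    tunnel_name: str                       # tunnel name NAME
    tunnel_auth: bool = True               # enabled by default; "undo tunnel authentication" clears it
    tunnel_password: Optional[str] = None  # tunnel password { cipher | simple } STRING
    lns_ips: List[str] = field(default_factory=list)  # LAC only: lns-ip ...
    allow_vt: Optional[int] = None         # LNS only: allow l2tp virtual-template N ...
    allow_remote: Optional[str] = None     # ... remote NAME (None = any remote name accepted)


def check_tunnel_setup(lac: L2tpGroup, lns: L2tpGroup, lns_tunnel_addr: str) -> List[str]:
    """Static consistency check of an LAC/LNS pair against the tunnel setup causes
    listed under Symptom 1. Returns findings; an empty list means nothing was found."""
    findings = []
    if lac.mode != "lac" or lns.mode != "lns":
        findings.append("group modes must be lac on the LAC and lns on the LNS")

    # lns-ip on the LAC must point at the address on which the LNS terminates tunnels.
    if lns_tunnel_addr not in lac.lns_ips:
        findings.append(f"LAC lns-ip list {lac.lns_ips} does not include LNS address {lns_tunnel_addr}")

    # The LNS needs an allow command that accepts this LAC's tunnel name.
    if lns.allow_vt is None:
        findings.append("LNS has no 'allow l2tp virtual-template' command")
    elif lns.allow_remote is not None and lns.allow_remote != lac.tunnel_name:
        findings.append(f"LNS accepts remote name {lns.allow_remote!r} but LAC tunnel name is {lac.tunnel_name!r}")

    # Tunnel authentication: when enabled on either side, both need the same non-null key.
    if lac.tunnel_auth or lns.tunnel_auth:
        if not lac.tunnel_password or not lns.tunnel_password:
            findings.append("tunnel authentication is enabled but a tunnel password is missing on one side")
        elif lac.tunnel_password != lns.tunnel_password:
            findings.append("tunnel passwords on the LAC and LNS differ")
    return findings


if __name__ == "__main__":
    # Values from the NAS-initiated example on this page.
    lac = L2tpGroup("lac", "LAC", True, "aabbcc", lns_ips=["1.1.2.2"])
    lns = L2tpGroup("lns", "LNS", True, "aabbcc", allow_vt=1, allow_remote="LAC")
    print(check_tunnel_setup(lac, lns, "1.1.2.2") or "no setup problems found")
    print(check_tunnel_setup(lac, L2tpGroup("lns", "LNS", True, "ccbbaa", allow_vt=1, allow_remote="LAC"), "1.1.2.2"))
```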

Symptom 2: Data transmission failure

Data transmission fails. A connection is established, but data cannot be transmitted. For example, the LAC and LNS cannot ping each other.

Analysis and solution

Possible reasons for the data transmission failure are as follows:

·     No route is available. The LAC must have a route to the private network behind the LNS, and vice versa. Otherwise, data transmission fails. You can use the display ip routing-table command on the LAC and LNS to check whether the expected routes are present. If not, configure a static route or a dynamic routing protocol.

·     Congestion occurs on the Internet backbone, and the packet loss ratio is high. L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other.

 
