The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.

As a Layer 2 VPN technology, L2TP provides a secure, cost-effective solution for remote users to access private networks.

Typical L2TP networking

Figure 1 L2TP network diagram

‌

As shown in Figure 1, a typical L2TP network has the following components:

· Remote system—A remote system is usually a remote user's host or a remote branch's device that needs to access the private network.

· LAC—An L2TP access concentrator (LAC) is both PPP and L2TP capable. It is usually a network access server (NAS) located at a local ISP, which provides access services mainly for PPP users.

An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system by using L2TP and then sends the encapsulated packets to the LNS. It decapsulates packets received from the LNS and then sends the decapsulated packets to the intended remote system.

· LNS—An L2TP network server (LNS) is both PPP and L2TP capable. It is usually an edge device on an enterprise network.

An LNS is the other endpoint of an L2TP tunnel. It is the logical termination point of a PPP session tunneled by the LAC. L2TP extends the termination point of a PPP session from a NAS to an LNS by establishing a tunnel.

L2TP message types and encapsulation structure

L2TP uses the following types of messages:

· Control messages—Used to establish, maintain, and delete L2TP tunnels and sessions. Control messages are transmitted over a reliable control channel, which supports flow control and congestion control.

· Data messages—Used to encapsulate PPP frames, as shown in Figure 2. Data messages are transmitted over an unreliable data channel and are not retransmitted when packet loss occurs. Data messages can use sequence numbers to reorder packets that are disordered during transport.

Figure 2 Data message format

As shown in Figure 3, both control messages and data messages are encapsulated in UDP datagrams.

Figure 3 L2TP encapsulation structure

‌

L2TP tunnel and session

An L2TP tunnel is a virtual point-to-point connection between an LAC and an LNS. Multiple L2TP tunnels can be established between an LNS and an LAC. An L2TP tunnel can carry one or more L2TP sessions. Each L2TP session corresponds to a PPP session and is multiplexed on an L2TP tunnel. An L2TP session is established between the LAC and LNS when an end-to-end PPP session is established between a remote system and the LNS. Data frames for the PPP session are transmitted over the tunnel between the LAC and LNS.

L2TP tunneling modes and tunnel establishment process

L2TP tunneling modes include NAS-initiated and client-initiated.

NAS-initiated tunneling mode

As shown in Figure 4, a remote system dials in to the LAC through a PPPoE network. The LAC initiates a tunneling request to the LNS over the Internet.

Figure 4 NAS-initiated tunneling mode

‌

A NAS-initiated tunnel has the following characteristics:

· The remote system only needs to support PPP, and it does not need to support L2TP.

· Authentication and accounting of the remote system can be implemented on the LAC or LNS.

Figure 5 NAS-initiated tunnel establishment process

‌

As shown in Figure 5, the following workflow is used to establish a NAS-initiated tunnel:

1. A remote system (Host A) initiates a PPP connection to the LAC (Device A).

2. The remote system and LAC perform PPP LCP negotiation.

3. The LAC authenticates PPP user information of Host A by using PAP or CHAP.

4. The LAC sends the authentication information (username and password) to its RADIUS server (RADIUS server A) for authentication.

5. RADIUS server A authenticates the user and returns the result.

6. The LAC initiates an L2TP tunneling request to the LNS (Device B) when the following conditions exist:

¡ The user passes the authentication.

¡ The user is determined to be an L2TP user according to the username or the ISP domain to which the user belongs.

7. If tunnel authentication is needed, the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establishing an L2TP tunnel.

8. The LAC and LNS negotiate to establish L2TP sessions.

9. The LAC sends PPP user information and PPP negotiation parameters to the LNS.

10. The LNS sends the authentication information to its RADIUS server (RADIUS server B) for authentication.

11. RADIUS server B authenticates the user and returns the result.

12. If the user passes the authentication, the LNS assigns a private IP address to the remote system (Host A).

13. The PPP user can access internal resources of the enterprise.

In steps 12 and 13, the LAC forwards packets for the remote system and LNS. Host A and LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets.

Client-initiated tunneling mode

As shown in Figure 6, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet. The LAC client can directly initiate a tunneling request to the LNS without any dedicated LAC devices.

Figure 6 Client-initiated tunneling mode

‌

A client-initiated tunnel has the following characteristics:

· A client-initiated tunnel has higher security because it is established between a remote system and the LNS.

· The remote system must support L2TP and be able to communicate with the LNS. This causes poor expandability.

As shown in Figure 7, the workflow for establishing a client-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 7 Client-initiated tunnel establishment process

‌

L2TP features

· Flexible identity authentication mechanism and high security—L2TP by itself does not provide security for connections. However, it has all the security features of PPP and allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to improve security for tunneled data.

· Multiprotocol transmission—L2TP tunnels PPP frames, which can be used to encapsulate packets of multiple network layer protocols.

· RADIUS authentication—An LAC or LNS can send the username and password of a remote user to a RADIUS server for authentication.

· Private address allocation—An LNS can dynamically allocate private addresses to remote users. This facilitates address allocation for private internets (RFC 1918) and improves security.

· Flexible accounting—Accounting can be simultaneously performed on the LAC and LNS. This allows bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway. L2TP can provide accounting data, including inbound and outbound traffic statistics (in packets and bytes) and the connection's start time and end time. The AAA server uses these data for flexible accounting.

· Reliability—L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can establish a new connection to a secondary LNS. This redundancy enhances the reliability of L2TP services.

· Issuing tunnel attributes by RADIUS server to LAC—In NAS-initiated mode, the tunnel attributes can be issued by the RADIUS server to the LAC. For the LAC to receive these attributes, enable L2TP and configure remote AAA authentication for PPP users on the LAC.

When an L2TP user dials in to the LAC, the LAC as the RADIUS client sends the user information to the RADIUS server. The RADIUS server authenticates the PPP user, returns the result to the LAC, and issues L2TP tunnel attributes for the PPP user to the LAC. The LAC then sets up an L2TP tunnel and sessions based on the issued L2TP tunnel attributes.

Table 1 Tunnel attributes that can be issued by the RADIUS server

Attribute number	Attribute name	Description
64	Tunnel-Type	Tunnel type, which can only be L2TP.
65	Tunnel-Medium-Type	Transmission medium type for the tunnel, which can only be IPv4.
67	Tunnel-Server-Endpoint	IP address of the LNS.
69	Tunnel-Password	Key used to authenticate a peer of the tunnel.
81	Tunnel-Private-Group-ID	Group ID for the tunnel. The LAC sends this value to the LNS for the LNS to perform an operation accordingly.
82	Tunnel-Assignment-ID	Assignment ID for the tunnel. It is used to indicate the tunnel to which a session is assigned. L2TP users with the same Tunnel-Assignment-ID, Tunnel-Server-Endpoint, and Tunnel-Password attributes share an L2TP tunnel.
90	Tunnel-Client-Auth-ID	Tunnel name. It is used to indicate the local tunnel.

‌

The RADIUS server can issue only one set of the L2TP tunnel attributes in a RADIUS packet.

The RADIUS-issued tunnel attributes override the tunnel attributes manually configured on the LAC, but not vice versa.

· L2TP tunnel switching—Also called multihop L2TP tunneling. As shown in Figure 8, the Layer 2 tunnel switch (LTS) terminates L2TP packets from each LAC as an LNS. It then sends these packets to a destination LNS as an LAC.

L2TP tunnel switching has the following features:

¡ Simplified configuration and deployment—When LACs and LNSs are in different management domains:

- All LACs consider the LTS as an LNS and do not need to differentiate LNSs on the network.

- All LNSs consider the LTS as an LAC and are not affected by the addition or deletion of LACs.

¡ L2TP tunnel sharing—Different users can share the same L2TP tunnel between the LAC and the LTS. The LTS distributes data of different users to different LNSs.

Figure 8 L2TP tunnel switching network diagram

‌

L2TP-based EAD

EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources. PPP users that fail EAD authentication can only access the resources in the quarantine areas.

EAD uses the following procedure:

1. The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication, the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to filter incoming packets.

2. After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode client. The server IP address is permitted by the isolation ACLs.

3. The CAMS/IMC server authenticates the iNode client and performs security check for the iNode client. If the iNode client passes security check, the CAMS/IMC server assigns security ACLs for the iNode client to the LNS. The iNode client can access network resources.

Protocols and standards

· RFC 1661, The Point-to-Point Protocol (PPP)

· RFC 1918, Address Allocation for Private Internets

· RFC 2661, Layer Two Tunneling Protocol "L2TP"

· RFC 2868, RADIUS Attributes for Tunnel Protocol Support

Restrictions: Hardware compatibility with L2TP

Hardware series	Models	Product code	L2TP compatibility
WX1800H series	WX1804H-PWR	EWP-WX1804H-PWR-CN	Yes
WX2500H series	WX2508H-PWR-LTE WX2510H-PWR WX2510H-F-PWR WX2540H WX2540H-F WX2560H	EWP-WX2508H-PWR-LTE EWP-WX2510H-PWR EWP-WX2510H-F-PWR EWP-WX2540H EWP-WX2540H-F EWP-WX2560H	Yes
MAK series	MAK204 MAK206	EWP-MAK204 EWP-MAK206	Yes
WX3000H series	WX3010H WX3010H-X-PWR WX3010H-L-PWR WX3024H WX3024H-L-PWR WX3024H-F	EWP-WX3010H EWP-WX3010H-X-PWR EWP-WX3010H-L-PWR EWP-WX3024H EWP-WX3024H-L-PWR EWP-WX3024H-F	Yes: · WX3010H · WX3010H-X-PWR · WX3024H · WX3024H-F No: · WX3010H-L-PWR · WX3024H-L-PWR
WX3500H series	WX3508H WX3508H WX3510H WX3510H WX3520H WX3520H-F WX3540H WX3540H	EWP-WX3508H EWP-WX3508H-F EWP-WX3510H EWP-WX3510H-F EWP-WX3520H EWP-WX3520H-F EWP-WX3540H EWP-WX3540H-F	Yes
WX5500E series	WX5510E WX5540E	EWP-WX5510E EWP-WX5540E	Yes
WX5500H series	WX5540H WX5560H WX5580H	EWP-WX5540H EWP-WX5560H EWP-WX5580H	Yes
Access controller modules	LSUM1WCME0 EWPXM1WCME0 LSQM1WCMX20 LSUM1WCMX20RT LSQM1WCMX40 LSUM1WCMX40RT EWPXM2WCMD0F EWPXM1MAC0F	LSUM1WCME0 EWPXM1WCME0 LSQM1WCMX20 LSUM1WCMX20RT LSQM1WCMX40 LSUM1WCMX40RT EWPXM2WCMD0F EWPXM1MAC0F	Yes

‌

Hardware series	Models	Product code	L2TP compatibility
WX1800H series	WX1804H-PWR WX1810H-PWR WX1820H WX1840H	EWP-WX1804H-PWR EWP-WX1810H-PWR EWP-WX1820H EWP-WX1840H-GL	Yes
WX3800H series	WX3820H WX3840H	EWP-WX3820H-GL EWP-WX3840H-GL	No
WX5800H series	WX5860H	EWP-WX5860H-GL	No

‌

Restrictions: Command and hardware compatibility

The WX1800H series, WX2500H series, and WX3000H access controllers do not support parameters or commands that are available only in IRF mode.

Prerequisites for L2TP

When you configure L2TP, perform the following tasks:

1. Determine the network devices needed according to the networking environment.

¡ For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS.

¡ For client-initiated mode, you only need to configure the LNS.

2. Configure the devices based on the intended role (LAC or LNS) on the network.

L2TP tasks at a glance

LNS tasks at a glance

1. Configuring basic L2TP capabilities

2. Configuring an LNS

¡ Creating a VT interface

¡ (Optional.) Configuring a VA pool

¡ Configuring an LNS to accept L2TP tunneling requests from an LAC

¡ (Optional.) Configuring user authentication on an LNS

¡ (Optional.) Configuring AAA authentication on an LNS

3. (Optional) Configuring optional L2TP parameters

¡ Configuring L2TP tunnel authentication

¡ Setting the Hello interval

¡ Enabling session flow control

¡ Setting the DSCP value of L2TP packets

¡ Setting the TSA ID of the LTS

4. Enabling L2TP-based EAD

Perform this task to use the security policy server to perform further security check for users that pass the L2TP authentication.

Configuring basic L2TP capabilities

About this task

Basic L2TP capability configuration includes the following tasks:

· Enabling L2TP—L2TP must be enabled for L2TP configurations to take effect.

· Creating an L2TP group—An L2TP group is intended to represent a group of parameters. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs. An L2TP group has local significance only. However, the relevant settings of the L2TP groups on the LAC and LNS must match. For example, the local tunnel name configured on the LAC must match the tunnel peer name configured on the LNS.

· Configuring the local tunnel name—The local tunnel name identifies the tunnel at the local end during tunnel negotiation between an LAC and an LNS.

Procedure

1. Enter system view.

system-view

2. Enable L2TP.

l2tp enable

By default, L2TP is disabled.

3. Create an L2TP group, specify its mode, and enter its view.

l2tp-group group-number mode { lac | lns }

Specify the mode as lac on the LAC side and as lns on the LNS side.

4. Specify the local tunnel name.

tunnel name name

By default, the device name is used.

The local tunnel name configured on the LAC must match the tunnel peer name configured on the LNS.

Configuring an LNS

Creating a VT interface

After an L2TP session is established, a virtual access (VA) interface is needed for data exchange with the peer. The system will dynamically create VA interfaces based on the parameters of the virtual template (VT) interface. To configure an LNS, first create a VT interface and configure the following parameters for it:

· Interface IP address.

· Authentication mode for PPP users.

· IP addresses allocated by the LNS to PPP users.

For information about configuring VT interfaces, see PPP configuration and IP addressing configuration in Network Connectivity Configuration Guide.

Configuring a VA pool

About this task

A VA pool contains a group of VA interfaces. You can configure a VA pool to improve the performance of establishing or terminating L2TP connections. The LNS selects a VA interface from the pool for a requesting user and releases the VA interface when the user goes offline. When a VA pool is exhausted, the system creates a VA interface for an L2TP connection and deletes it when the user goes offline.

Restrictions and guidelines

A VT interface can be associated with only one VA pool. To change the capacity of a VA pool, delete the previous configuration and reconfigure the VA pool.

Creating or deleting a VA pool takes time. During the process of creating or deleting a VA pool, users can come online or go offline, but the VA pool does not take effect.

The system might create a VA pool that contains VA interfaces less than the specified number because of insufficient resources. To view the number of available VA interfaces and the current state of the VA pool, use the display l2tp va-pool command.

Create a VA pool with an appropriate capacity, because a VA pool occupies much system memory.

Deleting a VA pool does not log off the users who are using VA interfaces in the VA pool.

Procedure

1. Enter system view.

system-view

2. Create a VA pool.

l2tp virtual-template template-number va-pool va-volume

By default, no VA pool exists.

Configuring an LNS to accept L2TP tunneling requests from an LAC

About this task

When receiving a tunneling request, an LNS performs the following operations:

· Determines whether to accept the tunneling request by checking whether the name of the tunnel peer (LAC) matches the one configured.

· Determines the VT interface to be used for creating the VA interface.

Procedure

1. Enter system view.

system-view

2. Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3. Configure the LNS to accept tunneling requests from an LAC and specify the VT interface to be used for tunnel setup.

¡ If the L2TP group number is 1:

allow l2tp virtual-template virtual-template-number [ remote remote-name ]

¡ If the L2TP group number is not 1:

allow l2tp virtual-template virtual-template-number remote remote-name

By default, an LNS denies tunneling requests from any LAC.

If the L2TP group number is 1, the remote remote-name option is optional. If you do not specify this option, the LNS accepts tunneling requests from any LAC.

Configuring user authentication on an LNS

About this task

An LNS can be configured to authenticate a user that has passed authentication on the LAC to increase security. In this case, the user is authenticated once on the LAC and once on the LNS. An L2TP tunnel can be established only when both authentications succeed.

An LNS provides the following authentication methods in ascending order of priority:

· Proxy authentication—The LNS uses the LAC as an authentication proxy. The LAC sends the LNS all user authentication information from users and the authentication method configured on the LAC itself. The LNS then checks the user validity according to the received information and the locally configured authentication method.

· Mandatory CHAP authentication—The LNS uses CHAP authentication to reauthenticate users who have passed authentication on the LAC.

· LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user.

The LNS chooses an authentication method depending on your configuration.

· If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP renegotiation.

· If you configure only mandatory CHAP authentication, the LNS performs CHAP authentication for users after proxy authentication succeeds.

· If you configure neither LCP renegotiation nor mandatory CHAP authentication, the LNS uses the LAC for proxy authentication.

Restrictions and guidelines for user authentication on an LNS

This mandatory CHAP authentication and LCP renegotiation methods are effective only on NAS-initiated L2TP tunnels.

For mandatory CHAP authentication to take effect, you must also configure CHAP authentication for the PPP user on the VT interface of the LNS.

For the LNS not to accept LCP negotiation parameters, configure this feature to perform a new round of LCP negotiation between the LNS and the user. In this case, the LNS authenticates the user by using the authentication method configured on the corresponding VT interface.

Configuring mandatory CHAP authentication

1. Enter system view.

system-view

2. Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3. Configure mandatory CHAP authentication.

mandatory-chap

By default, CHAP authentication is not performed on an LNS.

Some users might not support the authentication on the LNS. In this situation, do not enable this feature, because CHAP authentication on the LNS will fail.

4. Return to system view.

quit

5. Enter VT interface view and set the authentication type of PPP users to CHAP.

For more information about VT interfaces, see PPP configuration in Network Connectivity Configuration Guide.

Configuring LCP renegotiation

1. Enter system view.

system-view

2. Enter L2TP group view in LNS mode.

l2tp-group group-number [ mode lns ]

3. Configure the LNS to perform LCP renegotiation with users.

mandatory-lcp

By default, an LNS does not perform LCP renegotiation with users.

This command is effective only on NAS-initiated L2TP tunnels.

If you enable LCP renegotiation but configure no authentication for the corresponding VT interface, the LNS does not perform an additional authentication for users.

Configuring AAA authentication on an LNS

After you configure AAA authentication on an LNS, the LNS can authenticate the usernames and passwords of remote access users. If a user passes AAA authentication, the user can communicate with the LNS to access the private network.

Configure AAA authentication on the LNS in one of the following cases:

· LCP renegotiation is not configured in NAS-initiated mode.

· The VT interface is configured with PPP user authentication and LCP renegotiation is configured in NAS-initiated mode.

· The VT interface is configured with PPP user authentication in client-initiated mode or LAC-auto-initiated mode.

Configuring optional L2TP parameters

Configuring L2TP tunnel authentication

About this task

Tunnel authentication allows the LAC and LNS to authenticate each other. Either the LAC or the LNS can initiate a tunnel authentication request.

You can enable tunnel authentication on both sides or either side.

To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS. To set the tunnel authentication key, use the tunnel password command.

When neither side is enabled with tunnel authentication, the key settings of the LAC and the LNS do not affect the tunnel establishment.

Restrictions and guidelines

To ensure tunnel security, enable tunnel authentication.

Modifying the tunnel authentication key does not affect the normal communication of current tunnels. The tunnel authentication key change takes effect at next tunnel establishment.

Procedure

1. Enter system view.

system-view

2. Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3. Enable L2TP tunnel authentication.

tunnel authentication

By default, L2TP tunnel authentication is enabled.

4. Set the tunnel authentication key.

tunnel password { cipher | simple } string

By default, no key is set.

Setting the Hello interval

About this task

To check the connectivity of a tunnel, the LAC and LNS periodically send each other Hello packets. At receipt of a Hello packet, the LAC or LNS returns a response packet. If the LAC or LNS receives no response packets from the peer within the Hello interval, it retransmits the Hello packet. If it receives no response packets from the peer after transmitting the Hello packet five times, it considers the L2TP tunnel to be down.

Procedure

1. Enter system view.

system-view

2. Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3. Set the Hello interval.

tunnel timer hello hello-interval

The default setting is 60 seconds.

Enabling session flow control

About this task

This feature adds sequence numbers to transmitted packets and uses them to reorder packets arriving out of order and to detect lost packets.

This feature takes effect on both sent and received L2TP data messages. The L2TP sessions support this feature if either the LAC or LNS is enabled with this feature.

Procedure

1. Enter system view.

system-view

2. Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3. Enable the session flow control feature.

tunnel flow-control

By default, this feature is disabled.

Setting the DSCP value of L2TP packets

About this task

The DSCP field is the first 6 bits of the IP ToS byte. This field marks the priority of IP packets for forwarding. This feature sets the DSCP value for the IP packet when L2TP encapsulates a PPP frame into an IP packet.

Procedure

1. Enter system view.

system-view

2. Enter L2TP group view.

l2tp-group group-number [ mode { lac | lns } ]

3. Set the DSCP value of L2TP packets.

ip dscp dscp-value

The default setting is 0.

Setting the TSA ID of the LTS

About this task

To detect loops, the LTS compares the configured TSA ID with each TSA ID AVP in a received ICRQ packet.

· If a match is found, a loop exists. The LTS immediately tears down the session.

· If no match is found, the LTS performs the following operations:

¡ Encapsulates the configured TSA ID into a new TSA ID AVP.

¡ Appends it to the packet.

¡ Sends the packet to the next hop LTS.

Restrictions and guidelines

To avoid loop detection errors, make sure the TSA ID of each LTS is unique.

Procedure

1. Enter system view.

system-view

2. Set the TSA ID of the LTS and enable L2TP loop detection on the LTS.

l2tp tsa-id tsa-id

By default, the TSA ID of the LTS is not configured, and L2TP loop detection is disabled on the LTS.

Enabling L2TP-based EAD

About this task

In some network environments that require high security, configure this feature and use the security policy server to perform further security check for users that pass the L2TP authentication. Users that pass EAD authentication can access network resources. Users that fail EAD authentication can only access the resources in the quarantine areas.

Restrictions and guidelines

EAD authentication fails if no or incorrect ACLs or rules are configured on the CAMS/IMC server even if EAD is enabled on the LNS.

The LNS can use different ACLs to filter packets from different iNode clients.

As a best practice, use EAD authentication for iNode clients on the Internet and use Portal authentication for iNode clients on a LAN.

Prerequisites

Make sure AAA, RADIUS, L2TP, Portal, and the security policy server are configured as required before you enable L2TP-based EAD.

For more information about AAA, RADIUS, and Portal, see User Access and Authentication Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Create a VT interface and enter its view

interface virtual-template interface-number

3. Enable L2TP-based EAD.

ppp access-control enable

By default, L2TP-based EAD is disabled.

Display and maintenance commands for L2TP

Execute display commands in any view and reset commands in user view.

Task	Command
Display L2TP tunnel information.	display l2tp tunnel [ statistics ]
Display L2TP session information.	display l2tp session [ statistics ]
Display information about temporary L2TP sessions.	display l2tp session temporary
Display information about virtual PPP interfaces.	display interface [ virtual-ppp [ interface-number ] ] [ brief [ description \| down ] ]
Display VA pool information for L2TP.	display l2tp va-pool
Display access control information for PPP sessions on a VT interface.	display ppp access-control interface virtual-template interface-number
Disconnect an L2TP tunnel.	reset l2tp tunnel { id tunnel-id \| name remote-name }

‌

Troubleshooting L2TP

Failure to access the private network

Symptom

The remote system cannot access the private network.

Solution

To resolve the problem:

1. Verify the following items to avoid tunnel setup failures:

¡ The address of the LNS is configured correctly on the LAC. For more information, see the lns-ip command.

¡ The LNS can accept L2TP tunneling requests from the LAC. For more information, see the allow command.

¡ Tunnel authentication is enabled on both the LAC and the LNS, and the tunnel authentication keys configured on the two sides match.

2. Verify the following items to avoid PPP negotiation failures:

¡ Usernames and passwords are correctly configured on the LAC and LNS.

¡ IP address negotiation settings are correct on the remote system and LNS.

¡ The authentication type is consistent. For example, the default authentication type for a VPN connection created on Windows 2000 is MS-CHAP. If the peer does not support MS-CHAP, change the authentication type to CHAP on Windows 2000.

Data transmission failure

Symptom

Data transmission fails. A connection is established, but data cannot be transmitted. For example, the LAC and LNS cannot ping each other.

Solution

To resolve the problem:

1. Use the display ip routing-table command on the LAC and LNS to verify that the LAC has a route to the private network behind the LNS, and vice versa. If no route is available, configure a static route or a dynamic routing protocol.

2. Increase the link bandwidth to enhance the link availability.

Internet backbone congestion and high packet loss ratio might cause data transmission failures. L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other.

05-Network Connectivity

Configuring L2TP

About L2TP

NAS-initiated tunneling mode

Client-initiated tunneling mode

L2TP tasks at a glance

Configuring basic L2TP capabilities

About this task

Procedure

Configuring an LNS

Creating a VT interface

About this task

Restrictions and guidelines

Procedure

About this task

Procedure

Configuring user authentication on an LNS

Restrictions and guidelines for user authentication on an LNS

Configuring mandatory CHAP authentication

Configuring LCP renegotiation

Configuring AAA authentication on an LNS

Configuring optional L2TP parameters

About this task

Restrictions and guidelines

Procedure

About this task

Procedure

About this task

Procedure

About this task

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Prerequisites

Procedure

Troubleshooting L2TP

Symptom

Solution

Symptom

Solution

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us