L2TP

Introduction

The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.

Typical L2TP network components

A typical L2TP network has the following components:

• Remote system—A remote system is usually a remote user's host or a remote branch's device that needs to access the private network.

• LAC—An L2TP access concentrator (LAC) is both PPP and L2TP capable. It is usually a network access server (NAS) located at a local ISP, which provides access services mainly for PPP users.

  An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system by using L2TP and then sends the encapsulated packets to the LNS. It decapsulates packets received from the LNS and then sends the decapsulated packets to the intended remote system.

• LNS—An L2TP network server (LNS) is both PPP and L2TP capable. It is usually an edge device on an enterprise network.

  An LNS is the other endpoint of an L2TP tunnel. It is the logical termination point of a PPP session tunneled by the LAC. L2TP extends the termination point of a PPP session from a NAS to an LNS by establishing a tunnel.

L2TP tunneling modes

L2TP tunneling modes include NAS-initiated, client-initiated, and LAC-auto-initiated.

NAS-initiated tunneling mode

As shown in Figure 1, a remote system dials in to the LAC through a PPPoE/ISDN network. The LAC initiates a tunneling request to the LNS over the Internet.

Figure-1 NAS-initiated tunneling mode

A NAS-initiated tunnel has the following characteristics:

• The remote system only needs to support PPP, and it does not need to support L2TP.

• Authentication and accounting of the remote system can be implemented on the LAC or LNS.

Client-initiated tunneling mode

As shown in Figure-2, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet. The LAC client can directly initiate a tunneling request to the LNS without any dedicated LAC devices.

Figure-2 Client-initiated tunneling mode

A client-initiated tunnel has the following characteristics:

• A client-initiated tunnel has higher security because it is established between a remote system and the LNS.

• The remote system must support L2TP and be able to communicate with the LNS. This causes poor expandability.

LAC-auto-initiated tunneling mode

In NAS-initiated mode, a remote system must successfully dial in to the LAC through PPPoE or ISDN.

In LAC-auto-initiated mode, you can configure tunnel settings on the LAC to trigger the LAC to initiate a tunneling request to the LNS. When a remote system accesses the private network, the LAC forwards data through the L2TP tunnel.

Figure-3 LAC-auto-initiated tunneling mode

An LAC-auto-initiated tunnel has the following characteristics:

• The connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.

• You do not need to trigger L2TP tunnel establishment by dialup on the remote system.

• An L2TP session is established immediately after an L2TP tunnel is established. Then, the LAC and LNS, acting as the PPPoE client and PPPoE server, respectively, perform PPP negotiation.

• An L2TP tunnel can carry only one L2TP session.

• The LNS assigns a private IP address to the LAC instead of to the remote system.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Troubleshooting L2TP

Tunnel setup failure

Symptom

After you select VPN > L2TP > TunnelInfo, no tunnel information is displayed. Tunnel establishment fails.

Solution

To resolve the problem, verify the following items to avoid tunnel setup failures:

• The address of the LNS is configured correctly on the LAC.

• The same PPP authentication mode is configured for the LAC and the LNS.

• Usernames and passwords are correctly configured on the LAC and the LNS.

• If the L2TP group number is not 1 on the LNS, the same tunnel name is configured for the LAC and the LNS.

• Tunnel authentication succeeds.

  You can enable tunnel authentication on both sides or either side. To ensure a successful tunnel establishment when tunnel authentication is enabled on both sides or either side, set the same non-null key on the LAC and the LNS.

Data transmission failure

Symptom

After you select VPN > L2TP > TunnelInfo, the page shows that tunnels are successfully established. However, data transmission fails. For example, the LAC and LNS cannot ping each other.

Solution

To resolve the problem:

1. Verify that the LAC has a route to the private network behind the LNS, and vice versa. If no route is available, configure a static route or a dynamic routing protocol.

2. Add the Virtual-Template interface on the LNS to a security zone, and permit the traffic from the security zone to security zone Local.

3. Increase the link bandwidth to enhance the link availability.

   Internet backbone congestion and high packet loss ratio might cause data transmission failures. L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other.

Configuration guidelines

Configure L2TP

Procedure

1. Click the Network tab.

2. In the navigation pane, select VPN > L2TP > L2TP.

3. On the L2TP page, click Create.

   The Create L2TP Tunnel page opens.

   Table-1 L2TP tunnel configuration items

   Item	Description
   Group type	L2TP group types include LAC and LNS. A LAC is an endpoint of an L2TP tunnel, and is located between the LNS and remote system. A LAC is used to transmit packets between the LNS and remote system.
   Group number	Number of an L2TP group.
   Local tunnel name	If you do not configure a local tunnel name, the device name is used as the local tunnel name by default.
   Peer tunnel name	When the L2TP group number is not 1, you must configure a peer tunnel name.
   Tunnel password auth	L2TP tunnel authentication is used to prevent the local device from setting up an L2TP tunnel to an invalid device and improves the network security.
   Tunnel password	If you need to modify the tunnel authentication password, do that before the tunnel starts negotiation. If you do that after the tunnel starts negotiation, the password modification does not take effect.
   Confirm tunnel password	Enter the tunnel password again to confirm the password.
   L2TP server addresses	Specify the LNS IP addresses. You can specify up to five addresses.
   PPP authentication mode	When you select PAP or CHAP authentication, make sure the user information is consistent with that on the LNS side.
   PPP server address	IP address of the virtual PPP interface used for negotiating PPP connections.
   Subnet mask	Mask for the IP address of the virtual PPP interface.
   User address pool	Address pool range that can be used by the users. You can specify a single address or an address range.
   Hello interval	The device periodically sends Hello packets at the configured interval to prevent the L2TP tunnel and session between the LAC and LNS from being deleted after they time out.
   AVP hiding	To prevent information such as user password from being intercepted, you can use this feature to transmit the AVP data in hidden mode. This feature takes effect only after the tunnel password authentication feature is enabled.
   Flow control	L2TP session flow control adds sequence numbers to transmitted packets and uses them to reorder packets arriving out of order and to detect lost packets.

4. Click OK.

View tunnel info

On the Tunnel Info page, you can view the tunnel IDs, peer address, peer port, group type, and tunnel status of an L2TP tunnel.