Configuring
L2TP Services
BayRS Version 13.00
Site Manager Software Version 7.00
Part No. 303532-A Rev 00
October 1998
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agreement before copying or using the accompanying software or
installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement).
BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF
THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS
UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these
terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to
obtain a credit for the full purchase price.
1. License Grant. Bay Networks, Inc. (“Bay Networks”) grants the end user of the Software (“Licensee”) a personal,
nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single
authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup
purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in
support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend
to Bay Networks Agent software or other Bay Networks software products. Bay Networks Agent software or other
Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software
License Agreement that accompanies such software and upon payment by the end user of the applicable license fees
for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws.
Bay Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any
revisions made by Bay Networks or its licensors. The copyright notice must be reproduced and included with any
copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use
for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals
or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer
the Software or user manuals, in whole or in part. The Software and user manuals embody Bay Networks’ and its
licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise
disclose to any third party the Software, or any information about the operation, design, performance, or
implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however,
Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee’s facility,
provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Bay Networks warrants each item of Software, as delivered by Bay Networks and properly
installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function
substantially as described in its accompanying user manual during its warranty period, which begins on the date
Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole
remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be
included in a future Software release. Bay Networks further warrants to Licensee that the media on which the
Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days
from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is
returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not
apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility
for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained
from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the
Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee
may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the
operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot
be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered,
except by Bay Networks or in accordance with its instructions; (ii) used in conjunction with another vendor’s product,
resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE
FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL
OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of
303532-A Rev 00
iii
its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or
altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY
COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR
PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN
IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT
SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT
EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly
by or on behalf of the United States Government. The Software and documentation are commercial products, licensed
on the open market at market prices, and were developed entirely at private expense and without the use of any U.S.
Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or
disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial
Computer Software––Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian
agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS
252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the
European Community. If Licensee uses the Software within a country in the European Community, the Software
Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the
examination of the Software to facilitate interoperability. Licensee agrees to notify Bay Networks of any such
intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to
Bay Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the
Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks’ confidential information
shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if
Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason,
Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay
Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data
or information without first obtaining any required export licenses or other governmental approvals. Without limiting
the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first
obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert
any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports
are restricted or embargoed under United States export control laws and regulations, or to any national or resident of
such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any
military end user or for any military end use, including the design, development, or production of any chemical,
nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent
jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement
will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America
Parkway, P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND
AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS
AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND
LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND
COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS
AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST BAY
NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN
EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.
iv
303532-A Rev 00
Contents
Preface
Before You Begin .............................................................................................................xiii
Text Conventions .............................................................................................................xiv
Acronyms ......................................................................................................................... xv
Bay Networks Technical Publications ..............................................................................xvi
How to Get Help ..............................................................................................................xvi
Chapter 1
L2TP Overview
What Is Tunneling? .........................................................................................................1-2
Components of an L2TP Network ..................................................................................1-4
Remote Host ............................................................................................................1-4
Tunnel Management Server (TMS) ..........................................................................1-5
L2TP Network Server (LNS) ....................................................................................1-6
Bay Networks L2TP Implementation ............................................................................1-11
Tunnel Management ...............................................................................................1-12
Tunnel Authentication .............................................................................................1-12
RADIUS User Authentication .................................................................................1-14
RADIUS Accounting ...............................................................................................1-15
303532-A Rev 00
v
L2TP IP Interface Addresses .................................................................................1-15
Remote Router Configuration ................................................................................1-16
Chapter 2
Starting L2TP
Tunnel Authentication Passwords .............................................................................2-2
Preparing a Configuration File ........................................................................................2-3
Enabling L2TP on an Existing PPP Interface .................................................................2-5
Enabling L2TP on an Existing Frame Relay Interface ....................................................2-7
Enabling L2TP on an Existing ATM Interface .................................................................2-9
Chapter 3
Customizing L2TP Services
Enabling Tunnel Authentication ......................................................................................3-8
Modifying L2TP IP Interface Addresses .........................................................................3-9
Disabling RIP ................................................................................................................3-10
Disabling L2TP .............................................................................................................3-10
Deleting L2TP from a PPP Interface .............................................................................3-11
Deleting L2TP from a Frame Relay Interface ...............................................................3-12
Deleting L2TP from an ATM Interface ...........................................................................3-13
Appendix A
L2TP Parameters
L2TP Configuration Parameters .................................................................................... A-2
L2TP Tunnel Security Parameters ................................................................................. A-8
L2TP IP Interface Parameters ..................................................................................... A-10
vi
303532-A Rev 00
Appendix B
Configuration Examples
Example 1: Remote PC Calling the Corporate Network ................................................ B-1
Configuring the LACs and the TMS ........................................................................ B-3
Configuring the LNS ................................................................................................ B-3
Example 2: Remote Router Calling the Corporate Network .......................................... B-5
Configuring the Dial-on-Demand Circuit ................................................................. B-6
Configuring the PPP Interface ................................................................................. B-6
Appendix C
Troubleshooting
Index
303532-A Rev 00
vii
Figures
Figure 1-1. L2TP Network Using a LAC .....................................................................1-7
Figure 1-2. L2TP Network Using a RAS .....................................................................1-7
Figure 1-3. Packet Encapsulation Process .................................................................1-8
Figure 1-4. Tunnel Authentication Control Messages ...............................................1-13
Figure 1-5. Remote Router Dialing the LNS .............................................................1-16
Figure A-1. L2TP Configuration List Window ............................................................. A-2
Figure A-2. L2TP Tunnel Security List Window ......................................................... A-8
Figure A-3. L2TP IP Interface List Window .............................................................. A-10
Figure A-4. L2TP IP Interface Window .................................................................... A-10
Figure B-1. L2TP Network with PCs at the Remote Site ........................................... B-2
Figure B-2. L2TP Network with Routers at the Remote Site ..................................... B-5
303532-A Rev 00
ix
Tables
Table C-1.
Common L2TP Network Problems and Solutions .................................. C-1
303532-A Rev 00
xi
Preface
This guide describes Layer 2 Tunneling Protocol (L2TP) and what you do to start
and customize L2TP services on a Bay Networks® router.
Before You Begin
Before using this guide, you must complete the following procedures. For a new
router:
•
•
Install the router (refer to the installation guide that came with your router).
Connect the router to the network and create a configuration file (refer to
Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting
ASN Routers to a Network).
Make sure that you are running the latest version of Bay Networks BayRS™ and
Site Manager software. For information about upgrading BayRS and Site
Manager, see the upgrading guide for your version of BayRS.
303532-A Rev 00
xiii
Configuring L2TP Services
Text Conventions
This guide uses the following text conventions:
bold text
Indicates text that you need to enter and command
names and options.
Example: Enter
{
|
}
show ip alerts routes
Example: Use the command.
dinfo
italic text
Indicates file and directory names, new terms, book
titles, and variables in command syntax descriptions.
Where a variable is two or more words, the words are
connected by an underscore.
Example: If the command syntax is:
<valid_route>
show at
valid_route is one variable and you substitute one value
for it.
screen text
separator ( > )
Indicates system output, for example, prompts and
system messages.
Example: Set Bay Networks Trap Monitor Filters
Shows menu paths.
Example: Protocols > IP identifies the IP option on the
Protocols menu.
vertical line ( | )
Separates choices for command keywords and
arguments. Enter only one of the choices. Do not type
the vertical line when entering the command.
Example: If the command syntax is:
{
|
}, you enter either:
show ip alerts routes
or
, but not both.
show ip alerts show ip routes
xiv
303532-A Rev 00
Preface
Acronyms
CHAP
IP
Challenge Handshake Authentication Protocol
Internet Protocol
ISDN
ISP
Integrated Services Digital Network
Internet Service Provider
L2TP
LAC
Layer 2 Tunneling Protocol
L2TP access concentrator
local area network
LAN
LCP
Link Control Protocol
LNS
L2TP network server
MPPP
PAP
Multilink Point-to-Point Protocol
Password Authentication Protocol
Point-to-Point Protocol
PPP
RADIUS
RAS
Remote Authentication Dial-In User Service
remote access server
RIP
Routing Information Protocol
start control connection connected
start control connection reply
start control connection request
terminal adapter
SCCCN
SCCRP
SCCRQ
TA
TCP/IP
TMS
UDP
Transmission Control Protocol/Internet Protocol
tunnel management server
User Datagram Protocol
VPN
WAN
virtual private network
wide area network
303532-A Rev 00
xv
Configuring L2TP Services
Bay Networks Technical Publications
You can now print Bay Networks technical manuals and release notes free,
directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the
Bay Networks product for which you need documentation. Then locate the
specific category and model or version for your hardware or software product.
Using Adobe Acrobat Reader, you can open the manuals and release notes, search
for the sections you need, and print them on most standard printers. You can
download Acrobat Reader free from the Adobe Systems Web site,
You can purchase Bay Networks documentation sets, CDs, and selected technical
publications through the Bay Networks Collateral Catalog. The catalog is located
on the World Wide Web at support.baynetworks.com/catalog.html and is divided
into sections arranged alphabetically:
•
•
•
The “CD ROMs” section lists available CDs.
The “Guides/Books” section lists books on technical topics.
The “Technical Manuals” section lists available printed documentation sets.
Make a note of the part numbers and prices of the items that you want to order.
Use the “Marketing Collateral Catalog description” link to place an order and to
print the order form.
How to Get Help
For product assistance, support contracts, or information about educational
services, go to the following URL:
Or telephone the Bay Networks Technical Solutions Center at:
800-2LANWAN
xvi
303532-A Rev 00
Chapter 1
L2TP Overview
The Layer 2 Tunneling Protocol (L2TP) provides remote users, such as
telecommuters, mobile professionals, and personnel in remote branch offices,
with dial-in access to a corporate network. L2TP enables users to create a virtual
private network (VPN), which uses the existing physical infrastructure of a public
network, such as the Internet, but offers the security and exclusivity of a private
network.
Topic
Page
L2TP Benefits
1-2
What Is Tunneling?
1-2
Components of an L2TP Network
L2TP Packet Encapsulation
Making a Connection Across an L2TP Network
Security in an L2TP Network
Bay Networks L2TP Implementation
Where to Go Next
1-4
1-8
1-9
1-10
1-11
1-17
303532-A Rev 00
1-1
Configuring L2TP Services
L2TP Benefits
L2TP has several advantages:
•
Users and businesses can take advantage of existing network equipment and
resources.
Corporations do not need to maintain and manage remote access servers and
other special networking equipment for remote users. Instead, they can use
their existing Internet leased connections and resources at the Internet Service
Provider (ISP) network, thereby significantly reducing corporate networking
and maintenance costs.
In addition, corporations do not need to provide technical support to the
remote users. Because the remote user is making a local call to the ISP, the
ISP provides technical assistance if the user has trouble making connections.
•
Remote users can place a free local call to their ISP for access to the Internet,
eliminating long-distance toll calls required to dial the corporate network
directly.
•
•
ISPs earn more business from corporate customers using the equipment,
thereby increasing the ISP’s revenues.
L2TP is a standards-based protocol that provides greater interoperability with
networking equipment from other vendors.
What Is Tunneling?
Tunneling is a way of forwarding traffic from remote users to a corporate network
through an IP network. A tunnel is a virtual connection between two sites, for
example, an access concentrator at the ISP network and a router at the corporate
network. Tunneling across an existing public network such as the Internet creates
a virtual private network that offers corporate network access to a wider range of
remote users.
L2TP is a tunneling mechanism that extends the end point of the Point-to-Point
Protocol (PPP) connection from an L2TP access concentrator (LAC) or remote
access server (RAS) at the ISP network to an L2TP network server (LNS) at the
corporate site.
1-2
303532-A Rev 00
L2TP Overview
Multiple users can communicate through a single tunnel between the same LAC
and LNS pair. Each user transmits and receives data in an individual L2TP
session.
The LAC brings down the tunnel for any one of the following reasons:
•
•
A network failure occurs.
The LAC or other equipment at the ISP is not operating properly. If the LAC
fails, all tunnel users are disconnected.
•
There are no active sessions inside the tunnel.
An individual session ends when a remote user disconnects the call, but
multiple sessions can run inside a single tunnel.
•
•
The system administrator at the ISP terminates the user connection.
The LAC is not responding to a Hello packet from the LNS.
For the LAC to reestablish a tunnel, the remote user has to place a new call.
L2TP Sessions
Packets are exchanged across an L2TP tunnel during an L2TP session. An L2TP
session is created when an end-to-end WAN connection is established between the
remote host and the LNS.
The L2TP portion of the packets sent through the tunnel contains a header with a
call ID field (also called a session ID) and a tunnel ID field. The call ID field,
which indicates the session that the WAN packet belongs to, is negotiated between
the LAC and the LNS when the L2TP call is set up. The tunnel ID specifies the
tunnel that the L2TP session is using.
In addition to the fields in the header, the L2TP packet contains a call serial
number, which is a unique number for each L2TP call. This number matches the
call to the L2TP session.
For an L2TP session, you can enable flow control. Flow control manages
congestion across the connection, ensures that packets are not lost, and makes sure
the devices at each end of the connection are communicating properly.
To enable flow control, see Chapter 3, “Customizing L2TP Services.”
303532-A Rev 00
1-3
Configuring L2TP Services
Components of an L2TP Network
The following sections describe the components of an L2TP network. For
illustrations of L2TP networks, see Figures 1-1 and 1-2 on page 1-7.
Remote Host
At the remote site is the user who wants to dial in to the corporate network. The
remote user can be located anywhere, provided that the user can dial into an ISP
network using a PC or a router. The ISP provides the connection to the Internet.
The host at the remote site can be a PC or router that uses PPP for dial-up
connections.
•
If the PC or router does not have built-in L2TP software capabilities, it dials
into a LAC, which provides a tunnel across the Internet to the corporate LNS.
•
If the PC or router is an L2TP client, that is, it has built-in L2TP functionality,
the L2TP client software provides a tunnel through a RAS across the Internet
to the corporate LNS. A LAC is unnecessary with an L2TP client.
The main difference between connecting an L2TP client and a nonclient is the
starting point of the tunnel. For an L2TP client, the tunnel begins at the PC or
router; for a non-L2TP client, the tunnel begins at the LAC. All tunnels end at the
LNS.
Note: This guide’s primary focus is on an L2TP network between a remote
host that does not have built-in L2TP capabilities and uses a LAC, rather than a
RAS.
1-4
303532-A Rev 00
L2TP Overview
L2TP Access Concentrator (LAC)
The L2TP access concentrator (LAC) resides at the ISP network. The LAC
establishes the L2TP tunnel between itself and the LNS.
Note: In this guide, the term LAC refers to a remote access server with L2TP
capabilities. The term RAS refers to a remote access server without L2TP
capabilities.
When the remote user places a call to the ISP network, this call goes to the LAC.
The LAC then negotiates the activation of an L2TP tunnel with the LNS. This
tunnel carries data from the remote user to the corporate network.
For more information about the Bay Networks implementation of the LAC in an
L2TP network, see “Bay Networks L2TP Implementation” on page 1-11.
Remote Access Server (RAS)
The remote access server (RAS) resides at the ISP network. If the remote host is
an L2TP client, the tunnel is established from the remote client through a RAS to
an LNS at the corporate network. In this situation, there is no need for a LAC.
The RAS does not establish the tunnel; it only forwards already tunneled data to
the destination.
Tunnel Management Server (TMS)
At the ISP network, there needs to be a mechanism for identifying L2TP tunneled
users so that the LAC can construct the L2TP tunnel. Bay Networks uses a
mechanism called a tunnel management server (TMS); other vendors may use a
different method.
303532-A Rev 00
1-5
Configuring L2TP Services
L2TP Network Server (LNS)
The L2TP network server (LNS) is a router that resides at the corporate network
and serves as the termination point for L2TP tunnels and sessions.
The LNS authenticates the PPP connection request and allows the end-to-end PPP
tunneled connection. The LNS may also perform user authentication with a
RADIUS server to prevent unauthorized users from accessing the network;
however, user authentication may also be done by the LNS itself.
An LNS can support multiple remote users, each communicating within their own
L2TP session. The L2TP session is the virtual end-to-end connection over which
the LAC sends data to the LNS.
The Bay Networks router is an LNS. For information about the Bay Networks
LNS, see “Bay Networks L2TP Implementation” on page 1-11.
RADIUS Server
An L2TP network may include a Remote Authentication Dial-in User Service
(RADIUS) server. The RADIUS server has three main functions in an L2TP
network:
•
•
•
Authenticating the remote users
Assigning IP addresses to the remote users
Providing accounting services for corporate billing
The RADIUS server database centralizes the authentication function, eliminating
provide accounting services for the corporate network, calculating billing charges
for an L2TP session.
For information about the Bay Networks implementation of RADIUS user
authentication and accounting, see “RADIUS User Authentication” on page 1-14
and “RADIUS Accounting” on page 1-15.
1-6
303532-A Rev 00
L2TP Overview
Examples of L2TP Networks
Figure 1-1 shows an L2TP network that uses a LAC to connect to the LNS. The
tunnel is between the LAC and the LNS.
ISP network
Frame relay
connection
Corporate network
LNS
Remote
host
LAC
Tunnel
PPP
connection
PC
Data
TMS
RADIUS
server
No L2TP
functionality
L2T0003A
Figure 1-1.
L2TP Network Using a LAC
Figure 1-2 shows an L2TP network that uses a RAS to connect to the LNS. The
tunnel is between the PC (the L2TP client) and the LNS.
ISP network
Frame relay
connection
Corporate network
LNS
Remote
host
RAS
Tunnel
PC
Data
RADIUS
server
L2TP
client
L2T0004A
Figure 1-2.
L2TP Network Using a RAS
303532-A Rev 00
1-7
Configuring L2TP Services
L2TP Packet Encapsulation
The PC or router at the remote site sends PPP packets to the LAC. The LAC
encapsulates these incoming packets in an L2TP packet and sends it across an IP
network through a bidirectional tunnel. After the LNS receives the packets, it
decapsulates them and terminates the PPP connection.
Figure 1-3 shows how data is encapsulated for transmission over an L2TP
network.
Remote user places a call
PPP
IP
DATA
LAC
Layer 2
protocol
PPP
IP/UDP L2TP
IP
DATA
LNS
DATA
IP
Data packet moves to the corporate network
L2T0005A
Figure 1-3.
Packet Encapsulation Process
1-8
303532-A Rev 00
Making a Connection Across an L2TP Network
The following steps explain how a remote user connects across an L2TP network
that includes a Bay Networks LAC, TMS, and LNS (see Figure 1-1 on page 1-7):
1. The remote user dials a LAC at the local ISP network to establish a PPP
connection to the corporate network.
In the call, the user includes any required information, for example, a user
name, including a domain name, and a password. When the user dials in, he
and baynetworks.com is the domain name.
2. The LAC receives the call and passes the domain name to the TMS.
If the TMS finds a match for the domain name, a tunnel can be created. The
TMS also checks the number of current connections so that they will not
exceed the maximum number allowed.
If the user is not a tunnel candidate, as determined by the domain name, the
LAC assumes that the remote host is making a regular dial-in request and
authenticates the user accordingly.
3. The LAC tries to establish an L2TP tunnel with the LNS.
For the LAC to send a tunnel request to the LNS, it needs the address of the
LNS. The LAC requests the address from the TMS. It then checks for this
address in its own routing table. After obtaining the address, the LAC sends a
tunnel request to the LNS. The LNS may perform tunnel authentication, if
configured to do so. If the LAC and LNS complete tunnel authentication
successfully, the LAC establishes the tunnel.
4. After the tunnel is established, the LAC forwards the remote user’s name to
the LNS, which verifies the user’s identity with the corporate RADIUS server.
If the RADIUS server recognizes the user name, it replies with an
acknowledgment and an IP address that it assigns to the remote user for the
duration of the call. This IP address identifies the remote user who may not
have an address of his own.
5. After the remote user is successfully authenticated, the user has an end-to-end
PPP connection to the corporate network over the Internet.
The tunnel can now carry a user session during which the LAC and the LNS
exchange PPP packets.
303532-A Rev 00
1-9
Configuring L2TP Services
Security in an L2TP Network
You can configure two layers of security in an L2TP network:
Tunnel authentication
•
Tunnel authentication is the process of negotiating the establishment of a
tunnel between the LAC and the LNS.
•
User authentication
The network administrator at the corporate site can configure a RADIUS
server with the names and passwords of authorized users. The server’s
database centralizes the authentication function, eliminating the need to
configure each LNS with user names and passwords.
When the LNS receives a call, it forwards the user information to the
RADIUS server, which verifies whether the user is authorized to access the
network.
You can also configure the LNS to perform user authentication if a RADIUS
server is not part of the network configuration.
For more information about the Bay Networks implementation of tunnel and user
authentication, see “Tunnel Authentication” on page 1-12 and “RADIUS User
Authentication” on page 1-14.
1-10
303532-A Rev 00
L2TP Overview
Bay Networks L2TP Implementation
In an L2TP network, the Bay Networks router is the LNS. LNS software operates
on the BLN®, BCN®, and ASN™ platforms.
The Bay Networks LNS has the following characteristics:
•
•
Each slot can act as an LNS, which means that one router can have many LNS
interfaces, each with its own address. You can have as many LNS interfaces as
there are available slots on the router.
The LNS performs user authentication with a RADIUS server to prevent
unauthorized users from accessing the network.
•
•
The LNS accepts only incoming calls; it does not place calls to the LAC.
The Bay Networks L2TP implementation supports only IP traffic through the
L2TP tunnel. The LNS supports only numbered IP addresses.
•
The router interface between the ISP and the corporate network (see
Figure 1-1 on page 1-7) is a leased line operating with frame relay, PPP
(including PPP multilink), or ATM. Bay Networks recommends that you use a
high-speed link, such as T1, for the leased connection.
•
•
•
•
The LNS terminates PPP multilink and PPP encapsulated data within an
L2TP packet.
The LNS operates with the LAC implementation configured on the Bay
Networks Model 5399 Remote Access Concentrator.
The host (PC or router) dialing into the ISP network can be on the same
subnet as the IP interface on the LNS.
The LNS supports RIP. RIP is particularly useful when the remote host is a
router, because it enables the LNS to learn routing information from the
remote router.
For instructions on how to configure a Bay Networks router as an LNS, see
Chapter 2, “Starting L2TP.”
303532-A Rev 00
1-11
Configuring L2TP Services
Tunnel Management
The Bay Networks tunnel management server (TMS), which resides at the ISP
network, stores the TMS database. This database contains the remote users’
domain name, the IP address information of each LNS, and other tunnel
addressing information that the network administrator configures. The LAC
requests this information from the TMS to construct the L2TP tunnel.
When the LAC receives a call, it forwards the domain name to the TMS. The
domain name is the portion of the user’s address that specifies a particular location
in the network. For example, if the user name is [email protected],
baynetworks.com is the domain name. The TMS looks up the domain name and
verifies that the remote user is an L2TP user. The TMS also provides the LAC
with the addressing information required to establish a tunnel to the correct LNS.
Note: The domain name referred to in this guide is a domain identifier that
does not follow a specific format. It is not related to any Domain Name System
(DNS) protocol requirements.
Tunnel Authentication
For security purposes, you can enable the LNS to perform tunnel authentication.
Tunnel authentication is the process of negotiating the establishment of a tunnel.
During tunnel authentication, the LNS identifies the L2TP client or LAC by
comparing the LAC’s tunnel authentication password with its own password. If
the passwords match, the LNS permits the LAC to establish a tunnel.
The LAC does not send the tunnel authentication password as a plain-text
message. The exchange of passwords works much like the PPP Challenge
Handshake Authentication Protocol (CHAP). When one side receives a challenge,
it responds with a value that is calculated based on the authentication password.
The receiving side matches the value against its own calculation. If the values
match, authentication is successful.
Tunnel authentication occurs in both directions, which means that the LAC and
LNS both try to verify the other’s identity.
1-12
303532-A Rev 00
L2TP Overview
You can enable tunnel authentication on the Bay Networks LNS. If tunnel
authentication is disabled, which is the default, the LNS sends a default challenge
response to the LAC during the authentication process so that the tunnel can be
established. The LNS cannot send outgoing calls, so it cannot initiate tunnel
authentication.
During tunnel authentication, the following exchange of messages takes place:
1. The LAC sends a tunnel setup message, called the start control connection
request (SCCRQ) message to the LNS. This message includes a challenge to
the LNS.
2. The LNS replies with a tunnel response, a challenge response, and its own
challenge message. This is called the start control connection reply (SCCRP)
message.
3. The LAC replies with a challenge response that includes its tunnel
(SCCCN) message.
4. If this same password is configured for the LNS, the LNS grants approval to
the LAC to establish a tunnel.
Figure 1-4 shows tunnel authentication.
ISP network
Corporate network
PPP connection
LNS
LAC
SCCRQ
tunnel request and challenge
SCCRP
tunnel response, challenge response,
and LNS challenge
SCCCN
challenge response
L2T0006A
Figure 1-4.
Tunnel Authentication Control Messages
303532-A Rev 00
1-13
Configuring L2TP Services
After tunnel authentication is complete, it does not need to be repeated for other
calls to the same LAC.
RADIUS User Authentication
RADIUS user authentication is enabled by default on the Bay Networks LNS; you
must configure this feature so that the LNS can validate the remote user’s identity
before allowing access to the network.
The network administrator at the corporate site must configure a RADIUS server
with the names and passwords of authorized users. When the LNS receives a call,
it forwards an authentication request with the user information to the RADIUS
server, which verifies whether the user is authorized. If the user is permitted
access to the network, the RADIUS server replies with an acknowledgment
message and the appropriate IP address for that user to make a connection.
The IP address that the RADIUS server assigns is essential because many remote
hosts may not have their own addresses. The LNS uses the address to identify the
remote host and send data to the remote user. After the session ends, the IP
address becomes available for another user.
If the corporate network uses an existing RADIUS database for L2TP
connections, you do not have to reconfigure the names in the database. The LNS
automatically removes the domain portion of the user name that is included as part
of the call from the LAC to the LNS. If you want to keep the domain name, you
can disable this feature. For instructions, see Chapter 3, “Customizing L2TP
Services.”
For more information about configuring Bay Networks routers as RADIUS
servers, see Configuring RADIUS.
1-14
303532-A Rev 00
L2TP Overview
RADIUS Accounting
The RADIUS server can provide accounting services in addition to its
authentication services. RADIUS accounting is enabled by default on the Bay
Networks LNS.
The RADIUS accounting server calculates billing charges for an L2TP session
between the remote user and the LNS. To determine these charges, the server uses
information that it receives from the LNS, such as the status of each call and the
number of packets sent during the session. Using this data, the server determines
billing charges, which the network administrator can use to manage network costs.
The primary RADIUS accounting server can be the same server as the
authentication server or it can be a different server.
For more information about RADIUS accounting, see Configuring RADIUS.
L2TP IP Interface Addresses
When configuring the Bay Networks LNS, you must configure an IP address for
every slot that has an L2TP interface. This address is referred to as the L2TP IP
interface address. The L2TP IP interface can be any valid IP address.
The L2TP IP interface address is internal to the LNS. When communicating with
the remote user, the LNS associates the user’s IP address, which is assigned by the
RADIUS server, with the L2TP IP interface address that you configured.
The L2TP IP interface address and the RADIUS-assigned IP address do not have
to be in the same subnet.
303532-A Rev 00
1-15
Configuring L2TP Services
Remote Router Configuration
If the host at the remote site is a Bay Networks router, you may need to configure
a dial-on-demand circuit for the remote router’s dial-up interface to the LAC at the
ISP network.
Enable RIP on both the dial-on-demand circuit and the attached LAN interface of
the remote router, so that the LNS can learn routing information from the remote
router. To avoid unnecessarily activating the circuit because of RIP packets,
enable dial-optimized routing for the dial-on-demand circuit (see Figure 1-5).
In addition, configure a default or static route for the remote router, which uses the
next-hop address that corresponds to the L2TP IP interface address of the LNS.
This default or static route enables the remote router to deliver L2TP packets to
the LNS.
LAC
192.168.18.41
PC 1
LNS
192.168.19.34
Dial-in router
192.32.25.34
PC 2
L2TP IP, RIP enabled
192.32.33.94
192.32.25.35
LAN interface Dial-on-demand
RIP enabled RIP enabled
192.32.25.33 Dial-optimized
routing enabled
192.32.25.66
L2T0009B
Figure 1-5.
Remote Router Dialing the LNS
1-16
303532-A Rev 00
L2TP Overview
Where to Go Next
Go to one of the following chapters for more information:
If you want to
Go to
Start L2TP on a router using default parameter settings.
Change default settings for L2TP parameters.
Chapter 2
Chapter 3
Appendix A
Obtain information about Site Manager parameters (this is the same
information you obtain using Site Manager online Help).
Review configuration examples.
Appendix B
Appendix C
Troubleshoot L2TP configuration problems.
303532-A Rev 00
1-17
Chapter 2
Starting L2TP
The quickest way to start L2TP is to enable it with the default configuration that
Bay Networks software supplies. This configuration uses all available parameter
defaults. You need to supply values for several parameters that do not have default
values.
Topic
Page
Planning Considerations for an L2TP Network
Preparing a Configuration File
2-2
2-3
2-4
2-5
2-7
2-9
Enabling L2TP on an Unconfigured WAN Interface
Enabling L2TP on an Existing PPP Interface
Enabling L2TP on an Existing Frame Relay Interface
Enabling L2TP on an Existing ATM Interface
303532-A Rev 00
2-1
Configuring L2TP Services
Planning Considerations for an L2TP Network
This guide primarily explains how to configure a Bay Networks BLN, BCN, or
ASN router as an LNS in an L2TP network. To successfully operate in an L2TP
network, obtain the following information to configure the LNS.
If you plan to enable tunnel authentication, which is optional for the Bay
Networks LNS, you must obtain the LAC password from your ISP. For more
information about the authentication process, see “Tunnel Authentication” on
page 1-12.
RADIUS Server Information
The Bay Networks implementation of L2TP requires that you configure a
RADIUS server to perform user authentication and to assign IP addresses to
remote users.
For the RADIUS server, do the following:
•
•
Configure the RADIUS server with user names and domain names.
Obtain the address and password of the RADIUS server to enter in the LNS
configuration.
•
Configure the RADIUS server to assign IP addresses to remote users.
This address identifies the remote user to the LNS during an L2TP session. If
the remote user does not have a preconfigured address, the only way to assign
addresses is by the RADIUS server. This address is also used for network
communication across the subscriber network.
For more information about configuring Bay Networks routers as RADIUS
servers, see Configuring RADIUS.
2-2
303532-A Rev 00
Starting L2TP
Preparing a Configuration File
Before starting L2TP, you must create and save a configuration file with at least
one WAN interface, for example, a synchronous or MCT1 port.
Note: L2TP is not compatible with dial services. Do not enable L2TP on the
same slot that you enable for a dial service, such as dial-on-demand, dial
backup, or bandwidth-on-demand.
For information about the Site Manager configuration tool and how to work with
configuration files, see Configuring and Managing Routers with Site Manager.
To open the configuration file, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the main Site Manager window, choose The Tools menu opens.
Tools.
2. Choose Configuration Manager.
The Configuration Manager window
opens.
3. Choose Local File, Remote File, or
Site Manager prompts you for the
configuration file you want to open.
Dynamic.
4. Select the file and click on OK.
The Configuration Manager window
opens, displaying the router modules.
From the Configuration Manager window, go to one of the following sections to
enable L2TP:
Section
Page
Enabling L2TP on an Unconfigured WAN Interface
Enabling L2TP on an Existing PPP Interface
Enabling L2TP on an Existing Frame Relay Interface
Enabling L2TP on an Existing ATM Interface
2-4
2-5
2-7
2-9
303532-A Rev 00
2-3
Configuring L2TP Services
Enabling L2TP on an Unconfigured WAN Interface
To enable L2TP on an unconfigured WAN interface, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
choose a WAN connector.
The Add Circuit window opens.
2. Accept the default circuit name or change The WAN Protocols window opens.
it, then click on OK.
3. Choose PPP, Frame Relay, or ATM then The Select Protocols window opens.
click on OK.
The IP Configuration window opens.
The L2TP Configuration window opens.
5. Enter the IP address of the LNS (router),
then click on OK.
6. Set the following parameters:
•
•
•
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
Click on Help or see the parameter
descriptions beginning on page A-5.
7. Click on OK.
The L2TP Tunneling Security window
opens.
8. Click on OK.
The L2TP IP Interface List window opens,
followed by the L2TP IP Configuration
window.
9. Set the following parameters:
Site Manager displays a message
alerting you of the time delay to create
the L2TP tunnel circuits.
•
L2TP IP Interface Address
Subnet Mask
•
Click on Help or see the parameter
descriptions beginning on page A-11.
10. Click on OK.
You return to the L2TP IP Interface List
window, which displays the IP interface
address and the subnet mask. A
message window opens that reads, L2TP
Configuration is completed.
(continued)
2-4
303532-A Rev 00
Starting L2TP
Site Manager Procedure (continued)
You do this
System responds
11. Click on OK.
12. Click on Done.
You return to the Configuration Manager
window.
Enabling L2TP on an Existing PPP Interface
To enable L2TP on an interface with PPP and IP already enabled, complete the
following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
choose a WAN connector.
The Edit Connector window opens.
2. Choose Edit Circuit.
The Circuit Definition window opens.
the window.
4. Choose Add/Delete.
The Select Protocols window opens.
The L2TP Configuration window opens.
5. Choose L2TP, then click on OK.
6. Set the following parameters:
•
•
•
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
Click on Help or see the parameter
descriptions beginning on page A-5.
7. Click on OK.
The L2TP Tunneling Security window
opens.
8. Click on OK.
The L2TP IP Interface List window opens,
followed by the L2TP IP Configuration
window.
(continued)
303532-A Rev 00
2-5
Configuring L2TP Services
Site Manager Procedure (continued)
You do this
System responds
9. Set the following parameters:
Site Manager displays a message
•
•
L2TP IP Interface Address
Subnet Mask
alerting you of the time delay to create
the L2TP tunnel circuits.
Click on Help or see the parameter
descriptions beginning on page A-11.
10. Click on OK.
You return to the L2TP IP Interface List
window, which displays the IP interface
address and the subnet mask. A
message window opens that reads, L2TP
Configuration is completed.
11. Click on OK.
12. Click on Done.
You return to the Circuit Definition
window.
13. Choose File.
The File menu opens.
14. Choose Exit.
You return to the Configuration Manager
window.
2-6
303532-A Rev 00
Starting L2TP
Enabling L2TP on an Existing Frame Relay Interface
To enable L2TP on an interface with frame relay and IP already enabled, complete
the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
choose a WAN connector.
The Edit Connector window opens.
2. Choose Edit Circuit.
The Frame Relay Circuit Definition
window opens.
3. Choose Services.
The Frame Relay Service List window
opens.
the window.
5. Choose Add/Delete.
The Select Protocols window opens.
The L2TP Configuration window opens.
6. Choose L2TP, then click on OK.
7. Set the following parameters:
•
•
•
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
Click on Help or see the parameter
descriptions beginning on page A-5.
8. Click on OK.
The L2TP Tunneling Security window
opens.
9. Click on OK.
The L2TP IP Interface List window opens,
followed by the L2TP IP Configuration
window.
10. Set the following parameters:
Site Manager displays a message
alerting you of the time delay to create
the L2TP tunnel circuits.
•
•
L2TP IP Interface Address
Subnet Mask
Click on Help or see the parameter
descriptions beginning on page A-11.
(continued)
303532-A Rev 00
2-7
Configuring L2TP Services
Site Manager Procedure (continued)
You do this
System responds
11. Click on OK.
You return to the L2TP IP Interface List
window, which displays the IP interface
address and the subnet mask. A
message window opens that reads, L2TP
Configuration is completed.
12. Click on OK.
13. Click on Done.
You return to the Frame Relay Service
List window.
14. Click on Done.
You return to the Frame Relay Circuit
Definition window.
15. Click on Done.
You return to the Configuration Manager
window.
2-8
303532-A Rev 00
Starting L2TP
Enabling L2TP on an Existing ATM Interface
To enable L2TP on an interface with ATM and IP already enabled, you can enable
L2TP in two ways. If your interface uses a COM connector, complete the tasks in
the following table. If your interface uses an ATM connector, go to page 2-10.
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
choose a WAN connector.
The Edit Connector window opens.
The Circuit Definition window opens.
The Group Protocols menu opens.
The Select Protocols window opens.
The L2TP Configuration window opens.
4. Choose Add/Delete.
5. Choose L2TP, then click on OK.
6. Set the following parameters:
•
•
•
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
Click on Help or see the parameter
descriptions beginning on page A-5.
7. Click on OK.
The L2TP Tunneling Security window
opens.
8. Click on OK.
The L2TP IP Interface List window opens,
followed by the L2TP IP Configuration
window.
9. Set the following parameters:
Site Manager displays a message
alerting you of the time delay to create
the L2TP tunnel circuits.
•
•
L2TP IP Interface Address
Subnet Mask
Click on Help or see the parameter
descriptions beginning on page A-11.
10. Click on OK.
You return to the L2TP IP Interface List
window, which displays the IP interface
address and the subnet mask. A
message window opens that reads, L2TP
Configuration is completed.
11. Click on OK.
(continued)
2-9
303532-A Rev 00
Configuring L2TP Services
Site Manager Procedure (continued)
You do this
System responds
12. Click on Done.
You return to the Circuit Definition
window.
13. Choose File.
The File menu opens.
14. Choose Exit.
You return to the Configuration Manager
window.
If your ATM interface uses an ATM connector, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
choose an ATM connector.
The Edit ATM Connector window opens.
The ATM Service Records List window
opens.
3. Choose Protocols.
The Protocols menu opens.
4. Choose Add/Delete.
The Select Protocols window opens.
The L2TP Configuration window opens.
Site Manager enables L2TP.
5. Choose L2TP, then click on OK.
6. Complete steps 6 through 11 in the
previous table.
7. Click on Done.
8. Click on Done.
9. Click on Done.
You return to the ATM Service Records
List window.
You return to the Edit ATM Connector
window.
You return to the Configuration Manager
window.
2-10
303532-A Rev 00
Chapter 3
Customizing L2TP Services
When you enable L2TP, default values are in effect for most parameters (see
parameter descriptions in Appendix A, “L2TP Parameters”). You may want to
Topic
Page
Modifying the L2TP Protocol Configuration
Modifying RADIUS Server Information
Changing the LNS System Name
Modifying the Number of L2TP Sessions Permitted
Keeping the Remote User’s Domain Name
Changing the Domain Name Delimiter
Enabling Tunnel Authentication
3-2
3-3
3-4
3-5
3-6
3-7
3-8
Modifying L2TP IP Interface Addresses
Disabling RIP
3-9
3-10
3-10
3-11
3-12
3-13
Disabling L2TP
Deleting L2TP from a PPP Interface
Deleting L2TP from a Frame Relay Interface
Deleting L2TP from an ATM Interface
303532-A Rev 00
3-1
Configuring L2TP Services
Modifying the L2TP Protocol Configuration
To modify how data is transmitted across an L2TP network, such as the number,
frequency, and timing of data and acknowledgment packets exchanged between
the LNS and LAC, you can modify the L2TP protocol parameters.
To modify the L2TP protocol configuration, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
6. Edit any of the following parameters:
•
•
•
•
•
•
Receive Window Size
Retransmit Timer (seconds)
Maximum Retransmit
Hello Timer (seconds)
Ack Timeout (milliseconds)
Tunnel Flow Control
Click on Help or see the parameter
descriptions beginning on page A-3.
7. Click on Done.
You return to the Configuration Manager
window.
3-2
303532-A Rev 00
Customizing L2TP Services
Modifying RADIUS Server Information
If you change the address of the RADIUS server that you are using to authenticate
remote users and manage accounting functions, you must update the server
address information on the LNS.
For more information about using a RADIUS server in an L2TP network, see
“RADIUS Server” on page 1-6.
To modify the address of the RADIUS server, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
6. Set the following parameters:
•
•
•
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
Click on Help or see the parameter
descriptions beginning on page A-5.
7. Click on Done.
You return to the Configuration Manager
window.
You can also modify the RADIUS information in the configuration windows
specific to RADIUS. For more information, see Configuring RADIUS.
303532-A Rev 00
3-3
Configuring L2TP Services
Changing the LNS System Name
The LNS system name is the name of the router. This name is used during tunnel
setup to identify the LNS uniquely.
By default, Site Manager enters the system name that you initially configured
when first accessing the router. See Configuring and Managing Routers with Site
Manager for more details about system information.
To change the LNS system name, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
6. Set the LNS System Name parameter.
Click on Help or see the parameter
description on page A-5.
7. Click on Done.
You return to the Configuration Manager
window.
3-4
303532-A Rev 00
Customizing L2TP Services
Modifying the Number of L2TP Sessions Permitted
You can modify the maximum number of active L2TP sessions that the LNS can
manage. The default is 100 sessions.
For more information about L2TP sessions, see “L2TP Sessions” on page 1-3.
To change the maximum number of L2TP sessions supported by the LNS,
complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
6. Set the Max L2TP Sessions parameter.
Click on Help or see the parameter
description on page A-3.
7. Click on Done.
You return to the Configuration Manager
window.
303532-A Rev 00
3-5
Configuring L2TP Services
Keeping the Remote User’s Domain Name
The LNS removes the domain name from the complete user name by default,
before passing it on to the RADIUS server for user authentication.
To keep the domain name with the user name, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
6. Set the Remove Domain Name
parameter to Disable. Click on Help or
see the parameter description on
page A-7.
7. Click on Done.
You return to the Configuration Manager
window.
3-6
303532-A Rev 00
Customizing L2TP Services
Changing the Domain Name Delimiter
In the complete user name there is a single-character delimiter that separates the
user name from the domain name. By default, the LNS removes the domain name
when it receives a call. The delimiter tells the LNS which characters to remove.
The default delimiter is an at sign (@).
To change the delimiter, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
6. Set the Domain Name Delimiter
parameter. Click on Help or see the
parameter description on page A-7.
7. Click on Done.
You return to the Configuration Manager
window.
303532-A Rev 00
3-7
Configuring L2TP Services
Enabling Tunnel Authentication
To prevent unauthorized users from accessing the corporate network, you can
enable tunnel authentication. During tunnel negotiation, the LAC sends its tunnel
authentication password to the LNS. If the password is not recognized by the
LNS, authentication is unsuccessful and the LAC cannot create the tunnel.
Note: If you are using the Password Authentication Protocol (PAP) for PPP
authentication, do not enable tunnel authentication.
For more information about tunnel authentication, see “Tunnel Authentication” on
page 1-12.
To enable tunnel authentication, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
The L2TP menu opens.
4. Choose Tunnel Authentication.
The L2TP Tunnel Security List window
opens.
6. Set the following parameters:
•
•
Enable Tunnel Authentication
Tunnel Authentication Password
Click on Help or see the parameter
descriptions on page A-9.
7. Click on Done.
You return to the Configuration Manager
window.
3-8
303532-A Rev 00
Customizing L2TP Services
Modifying L2TP IP Interface Addresses
The L2TP IP Interface List window lists the L2TP IP interface addresses for each
slot that has L2TP configured. The LNS uses the addresses internally to identify
the remote sites.
For more information about the L2TP IP interface, see “L2TP IP Interface
Addresses” on page 1-16.
To change an address on the list, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
The L2TP menu opens.
5. Select an LNS entry from the list.
6. Click on Change.
The L2TP IP Interface List window opens.
The L2TP IP Interface window opens.
7. Modify the following parameters:
•
•
L2TP IP Interface Address
Subnet Mask
Click on Help or see the parameter
descriptions beginning on page A-11.
8. Click on OK.
You return to the L2TP IP Interface List
window. The new address appears in the
list.
9. Click on Done.
You return to the Configuration Manager
window.
303532-A Rev 00
3-9
Configuring L2TP Services
Disabling RIP
RIP is enabled on the LNS by default so that the LNS can learn routes from the
remote dial-in router. If the LNS does not require RIP support, you can disable it.
To disable RIP, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP IP Interface.
5. Select an LNS entry from the list.
The L2TP IP Interface List window opens.
6. Set the RIP Enable parameter to Disable.
Click on Help or see the parameter
description on page A-12.
7. Click on Done.
You return to the Configuration Manager
window.
Disabling L2TP
To disable L2TP on a slot, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
The Protocols menu opens.
choose Protocols.
2. Choose IP.
The IP menu opens.
3. Choose L2TP.
The L2TP menu opens.
4. Choose L2TP Configuration.
The L2TP Configuration List window
opens.
5. Select an LNS entry from the list.
(continued)
3-10
303532-A Rev 00
Customizing L2TP Services
Site Manager Procedure (continued)
You do this
System responds
6. Set the Enable L2TP parameter to
Disable. Click on Help or see the
parameter description on page A-3.
Site Manager disables L2TP for the slot.
7. Click on Done.
You return to the Configuration Manager
window.
Deleting L2TP from a PPP Interface
To delete L2TP from a PPP interface, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
click on a WAN connector configured with
L2TP.
The Edit Connector window opens.
2. Choose Edit Circuit.
3. Choose Protocols.
4. Choose Add/Delete.
5. Click on L2TP.
The Circuit Definition window opens.
The Protocols menu opens.
The Select Protocols window opens.
Site Manager deselects L2TP.
6. Click on OK.
You return to the Circuit Definition
window.
7. Choose File.
The File menu opens.
8. Choose Exit.
You return to the Configuration Manager
window.
303532-A Rev 00
3-11
Configuring L2TP Services
Deleting L2TP from a Frame Relay Interface
To delete L2TP from a frame relay interface, complete the following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
click on a WAN connector configured with
L2TP.
The Edit Connector window opens.
2. Choose Edit Circuit.
The Frame Relay Circuit Definition
window opens.
3. Choose Services.
The Frame Relay Service List window
opens.
4. Choose Protocols in the top left corner of The Protocols menu opens.
the window.
5. Choose Add/Delete.
6. Click on L2TP.
7. Click on OK.
The Select Protocols window opens.
Site Manager deselects L2TP.
You return to the Frame Relay Service
List window.
8. Click on Done.
You return to the Frame Relay Circuit
Definition window.
9. Click on Done.
You return to the Configuration Manager
window.
3-12
303532-A Rev 00
Customizing L2TP Services
Deleting L2TP from an ATM Interface
To delete L2TP from an ATM interface on a COM connector, complete the
following tasks:
Site Manager Procedure
System responds
You do this
1. In the Configuration Manager window,
click on a COM connector configured with
L2TP.
The Edit Connector window opens.
2. Choose Edit Circuit.
3. Choose Group Protocols.
4. Choose Add/Delete.
5. Click on L2TP.
The Circuit Definition window opens.
The Group Protocols menu opens.
The Select Protocols window opens.
Site Manager deselects L2TP.
6. Click on OK.
You return to the Circuit Definition
window.
7. Choose File.
The File menu opens.
8. Choose Exit.
You return to the Configuration Manager
window.
To delete L2TP from an ATM interface on an ATM connector, complete the
following tasks:
Site Manager Procedure
You do this
System responds
1. In the Configuration Manager window,
click on an ATM connector configured with
L2TP.
The Edit ATM Connector window opens.
2. Choose Service Attributes.
The ATM Service Records List window
opens.
3. Choose Protocols in the top left corner of The Protocols menu opens.
the window.
4. Choose Add/Delete.
The Select Protocols window opens.
Site Manager deselects L2TP.
5. Click on L2TP.
(continued)
303532-A Rev 00
3-13
Configuring L2TP Services
Site Manager Procedure (continued)
You do this
System responds
6. Click on OK.
You return to the ATM Service Records
List window.
7. Click on Done.
You return to the Edit ATM Connector
window.
8. Click on Done.
You return to the Configuration Manager
window.
3-14
303532-A Rev 00
Appendix A
L2TP Parameters
This appendix contains the Site Manager parameter descriptions for L2TP
services. You can display the same information using Site Manager online Help.
For information about the IP parameters that you set when enabling L2TP, see
Topic
Page
L2TP Configuration Parameters
L2TP Tunnel Security Parameters
L2TP IP Interface Parameters
A-2
A-8
A-10
For each parameter, this appendix provides the following information:
•
•
•
•
•
•
•
Parameter name
Configuration Manager menu path
Default setting
Valid parameter options
Parameter function
Instructions for setting the parameter
Management information base (MIB) object ID
303532-A Rev 00
A-1
Configuring L2TP Services
The Technician Interface allows you to modify parameters by issuing set and
commit commands with the MIB object ID. This process is equivalent to
modifying parameters using Site Manager. For more information about using the
Technician Interface to access the MIB, see Using Technician Interface Software.
Caution: The Technician Interface does not verify parameter values you enter.
Entering an invalid value can corrupt your configuration.
L2TP Configuration Parameters
The L2TP Configuration List window (Figure A-1) contains parameters that
define how L2TP sends and receives data.
Figure A-1.
L2TP Configuration List Window
The parameter descriptions follow.
A-2
303532-A Rev 00
L2TP Parameters
Parameter: Enable L2TP
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Enables or disables L2TP on this interface.
Instructions: Site Manager automatically sets this parameter to Enable when you select L2TP
as a protocol. Accept the default, Enable, to use L2TP. To temporarily disable
L2TP, set this parameter to Disable.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.2
Parameter: Max L2TP Sessions
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 100
Options: 1 to 100 sessions
Function: Specifies the maximum number of L2TP sessions that the LNS allows.
Instructions: Enter the maximum number of L2TP sessions that you want the LNS to support.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.16
Parameter: Receive Window Size
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 4
Options: 1 to 7 packets
Function: Specifies the number of control packets that the LNS can receive from the LAC
without the LNS sending an acknowledgment packet to the LAC.
Instructions: Enter the number of packets that determine the window size, or accept the
default value.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.6
303532-A Rev 00
A-3
Configuring L2TP Services
Parameter: Retransmit Timer (seconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 1
Options: 1 to 60 seconds
Function: Indicates the number of seconds that the LNS waits for an acknowledgment
from the LAC before resending packets.
Instructions: If you are experiencing many timeouts during L2TP tunnel negotiation or
during a session, set this value to a number greater than the default. Otherwise,
accept the default.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.7
Parameter: Maximum Retransmit
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 1
Options: 1 to 60
Function: Specifies the maximum number of times the LNS retransmits packets to the
LAC.
Instructions: If you are experiencing many timeouts during L2TP tunnel negotiation or
during a session, set this value to a number greater than the default. Otherwise,
accept the default.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.8
Parameter: Hello Timer (seconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 60
Options: 1 to 60 seconds
Function: Indicates the maximum number of seconds that can elapse without data activity
before the LNS sends a packet through the tunnel to the LAC to check the
connection.
Instructions: Set this parameter to a smaller number only if the connection is not stable.
Otherwise, accept the default.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.9
A-4
303532-A Rev 00
L2TP Parameters
Parameter: Ack Timeout (milliseconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 250
Options: 1 to 350 milliseconds
Function: Specifies the maximum number of milliseconds that can elapse before the LNS
sends an acknowledgment to the LAC that it received an L2TP control message,
such as a tunnel authentication or session control message.
Instructions: If you are unsure of the stability of the connection or the L2TP session, set this
parameter to a number smaller than the default. Otherwise, accept the default.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.10
Parameter: LNS System Name
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: BayRS
Options: The router’s system name or any name you specify
Function: Specifies the name of the LNS. This name applies to the router, not just the slot
with the LNS interface.
Instructions: Site Manager automatically enters the name from the router’s system
information. You can modify it, if you choose. If no system name is provided,
the router uses BayRS.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.12
Parameter: RADIUS Primary Server IP Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any 32-bit IP address
Function: Specifies the primary RADIUS server for user authentication.
Instructions: Enter the IP address of the RADIUS server. If the RADIUS server is already
configured, Site Manager automatically supplies the address.
MIB Object ID: 1.3.6.1.4.1.18.3.5.22.2.1.3
303532-A Rev 00
A-5
Configuring L2TP Services
Parameter: RADIUS Primary Server Password
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any alphanumeric string, up to a maximum of 64 characters
Function: Specifies the primary RADIUS server’s password.
Instructions: Enter the password for the RADIUS server. If the RADIUS server is already
configured, Site Manager automatically supplies the password.
MIB Object ID: 1.3.6.1.4.1.18.3.5.22.2.1.11
Parameter: RADIUS Client IP Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any IP address
Function: Identifies the router acting as the LNS. This address applies for the entire router.
Instructions: Enter the IP address of the router. If the RADIUS server is already configured,
Site Manager automatically supplies the address.
MIB Object ID: 1.3.6.1.4.1.18.3.5.22.1.1.5
Parameter: Tunnel Flow Control
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Disable
Options: Enable | Disable
Function: Specifies whether the LNS uses flow control on the tunneled data packets. Flow
control ensures the stable flow of data between both sides of the connection.
Instructions: To enable flow control, select Enable. Otherwise, accept the default, Disable.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.20
A-6
303532-A Rev 00
L2TP Parameters
Parameter: Remove Domain Name
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Instructs the router whether to remove the domain name from the complete user
name before RADIUS authentication takes place. If enabled, the LNS removes
the delimiter separating the user name and the domain name and all characters
to the right of the delimiter. Removing the domain name ensures that the
RADIUS server can identify the user without having to reconfigure the names in
the server database.
Instructions: Accept the default, Enable, to remove the domain name from the user name.
Select Disable to keep the domain name.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.21
Parameter: Domain Name Delimiter
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: @
Options: A single-character string (for example, a colon)
Function: This character identifies the delimiter used to separate the domain name from
the user name. This parameter is relevant only if you accept the default value,
Enable, for the Remove Domain Name parameter.
Instructions: Specify a character as a delimiter or accept the default.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.22
303532-A Rev 00
A-7
L2TP Parameters
Parameter: Enable Tunnel Authentication
Path: Configuration Manager > Protocols > IP > L2TP > Tunnel Authentication
Default: Disable
Options: Enable | Disable
Function: Enables or disables the use of tunnel authentication for a slot on the LNS.
Tunnel authentication provides a level of network security to protect the
corporate network from unauthorized users.
Instructions: Set this parameter to Enable for the LNS to perform tunnel authentication.
Otherwise, accept the default, Disable.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.1.1.2
Parameter: Tunnel Authentication Password
Path: Configuration Manager > Protocols > IP > L2TP > Tunnel Authentication
Default: None
Options: An alphanumeric string, up to a maximum of 40 characters
Function: Identifies the LNS to the LAC if the devices are using tunnel authentication. The
LAC and the LNS must share the same password to successfully complete
tunnel authentication.
Instructions: Enter a password.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.1.1.5
303532-A Rev 00
A-9
Configuring L2TP Services
L2TP IP Interface Parameters
The L2TP IP Interface List window (Figure A-3) contains the list of IP interfaces
for each slot on the router configured with L2TP.
Figure A-3.
L2TP IP Interface List Window
When you click on Change, Site Manager displays the L2TP IP Interface window
(Figure A-4).
Figure A-4.
L2TP IP Interface Window
A-10
303532-A Rev 00
L2TP Parameters
The parameter descriptions follow.
Parameter: L2TP IP Interface Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: None
Options: Any unique IP address
Function: Specifies the IP address that identifies the L2TP IP interface for the LNS. You
must provide an address for each slot configured as an LNS.
Instructions: Enter a unique IP address. This address applies for the entire router slot.
MIB Object ID: Not Applicable
Parameter: Subnet Mask
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: None
Options: A 32-bit IP subnet mask
Function: Specifies the network and subnet portion of the L2TP IP interface address.
Site Manager automatically calculates a natural subnet mask based on the class
of the network address. For example, if you enter a Class C address, the subnet
mask will be 255.255.255.0.
To configure more subnets for your network, you can change this natural mask.
Instructions: Accept the assigned natural subnet mask or enter a new one. You are not
restricted to entering a natural mask. For example, if the L2TP IP address is
192.32.16.55, you can enter a subnet mask of 255.255.255.192.
MIB Object ID: 1.3.6.1.4.1.18.3.5.3.2.1.24.1.6
303532-A Rev 00
A-11
Configuring L2TP Services
Parameter: RIP Enable
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: Enable
Options: Enable | Disable
Function: Specifies whether RIP Listen is enabled on this interface. See Configuring IP
Services for more information about RIP.
Instructions: Accept the default, Enable, so that the LNS can learn routes from a remote
dial-in router. Select Disable to disable RIP.
MIB Object ID: 1.3.6.1.4.1.18.3.5.3.2.2.2.1.2
A-12
303532-A Rev 00
Appendix B
Configuration Examples
This appendix provides two examples of L2TP network configurations. It includes
only those parameters that require changes from their default settings for proper
configuration. For instructions on modifying parameters, see Chapter 3,
“Customizing L2TP Services.”
This appendix assumes that you are familiar with L2TP configuration procedures.
Routers and Configuring and Managing Routers with Site Manager.
Example 1: Remote PC Calling the Corporate Network
Figure B-1 shows a sample L2TP network. In this network, note the following:
•
•
•
•
Domain names are in the TMS database.
User names and domain names are in the RADIUS server database.
Tunnel IP interface addresses are unique for each slot.
Frame relay is the WAN protocol for the connection between the ISP network
and the corporate network.
303532-A Rev 00
B-1
Configuring L2TP Services
No active call from mmark;
no tunnel needed
ISP network
LAC 2
PC
TMS
No L2TP
functionality
Modem
Corporate
network
Router
LNS
192.32.16.55
LAC 1
Frame relay
Tunnel
.26.0
.17
PC
TA
Multilink
PPP
192.32.68.2
L2TP IP
interface
No L2TP
ISDN
RADIUS server
192.32.26.6
bay_private
functionality
Domain name in TMS database
baynetworks.com = 192.32.16.55
IP addresses in the
RADIUS server database
192.32.40.1 [email protected]
192.32.40.2 [email protected]
L2T0007B
Figure B-1.
L2TP Network with PCs at the Remote Site
Configuring the Remote Hosts
The remote hosts in this network are two PCs running Windows 95. Neither PC
has internal L2TP capabilities.
In this network, one PC has a synchronous dial connection to the ISP via a
modem. The other PC has a 128 Kb/s dial ISDN connection through an ISDN
terminal adapter (TA).
The user names at the PCs are [email protected] and
B-2
303532-A Rev 00
Configuration Examples
Configuring the LACs and the TMS
The LACs in this network are Model 5399 Remote Access Concentrators. Both
devices have L2TP modules installed. See Model 5399 Remote Access
Concentrator documentation for information about configuring L2TP.
The LACs use the same TMS, which you configure with the following
information:
Domain name: baynetworks.com
Tunnel end point address (LNS address): 192.32.16.55
Tunnel authentication password: LAC1
Configuring the LNS
The LNS in this network is a BN router with at least two synchronous interfaces.
To configure the router as an LNS:
1. Choose a WAN port for the slot you want as the LNS.
2. From the WAN Protocols menu, choose Frame Relay.
3. From the Select Protocols menu, choose IP and L2TP.
4. In the IP Configuration window, enter the IP address of the LNS.
Parameter Name
Value
IP Address
192.32.16.55
5. In the L2TP Configuration window, enter the RADIUS server
information.
Parameter Name
Value
RADIUS Primary Server IP Address
RADIUS Primary Server Password
RADIUS Client IP Address
192.32.26.6
bay_private
192.32.16.55
303532-A Rev 00
B-3
Configuring L2TP Services
6. In the L2TP Tunneling Security window, enable tunnel authentication.
Parameter Name
Value
Enable Tunnel Authentication
Tunnel Authentication Password
Enable
LAC1
7. In the L2TP IP Interface window, enter the L2TP IP address.
Parameter Name
Value
L2TP IP Interface Address
Subnet Mask
192.32.68.2
255.255.255.0
During the L2TP session, the RADIUS server assigns the following IP
addresses:
[email protected]: 192.32.40.1
[email protected]: 192.32.40.2
These addresses are stored in the RADIUS server database.
Data Path Through the Network
After all components of the network are configured, jsmart can place a call to the
local ISP. The LAC that receives this call sends the user name to the TMS, which
verifies the domain name and address and sends this information back to the LAC
so that it can forward the data.
The LAC then negotiates the initiation of the tunnel with the LNS, and the tunnel
is brought up. The LNS then authenticates [email protected] with the
RADIUS server. After the RADIUS server grants access, it assigns the address
192.32.40.1 to jsmart, to include the remote host (jsmart’s PC) in the virtual
private network.
Data now passes through the tunnel from jsmart’s PC to the LNS for the duration
of the L2TP session. When jsmart disconnects the call, the session is terminated.
If no other active sessions are using the tunnel, the tunnel is brought down.
B-4
303532-A Rev 00
Configuration Examples
Example 2: Remote Router Calling the Corporate Network
Figure B-2 shows a network with two BayStack™ AN® routers at the remote site.
The AN routers are using dial-on-demand service for dial-up connections.
In this network, note the following:
•
•
•
PPP is the WAN protocol for the connection between the ISP network and the
corporate network.
For the LNS configuration, you do not need to configure a static route for the
remote router’s network because the LNS can learn the route using RIP.
The IP network addresses are assigned as follows:
[email protected]: 192.32.40.1
[email protected]: 192.32.40.2
No active call from mmark;
no tunnel needed
ISP network
LAC 2
mmark@bay.com
TMS
PC
PC
No L2TP
Corporate
network
Modem
functionality
Router
LNS
192.32.16.55
LAC 1
jsmart@bay.com
PPP
Tunnel
.26.0
.17
TA
ISDN
No L2TP
functionality
Multilink
PPP
192.32.40.254
L2TP IP
interface
RADIUS server
192.32.26.6
bay_private
Domain name in TMS database
bay.com = 192.32.16.55
IP addresses in the
RADIUS server database
192.32.40.1 jsmart@bay.com
192.32.40.2 mmark@bay.com
L2T0008B
Figure B-2.
L2TP Network with Routers at the Remote Site
The LNS configuration in this example is the same as in Example 1; however, you
must modify the configuration of the remote AN router. Go to the next sections.
303532-A Rev 00
B-5
Configuring L2TP Services
Configuring the Dial-on-Demand Circuit
Modify the dial-on-demand circuit configuration for the AN routers as follows:
1. In the Configuration Manager window, choose Dialup > Demand Circuits
> Demand Pools > PPP Circuits > PPP Demand Circuits to display the
PPP Demand Circuits window.
2. Disable outbound authentication.
Parameter Name
Value
Outbound Authentication
CHAP Local Name
Disable
jsmart@bay.com
Enabled
Dial Optimized Routing
3. Enable RIP on the dial-on-demand circuit.
4. Configure default or static routes for the PC LAN to the L2TP IP
interface.
For more information about dial-on-demand, see Configuring Dial Services.
Configuring the PPP Interface
Modify the PPP interface configuration for the AN routers as follows:
1. In the Configuration Manager window, choose Protocols > PPP >
Interfaces to display the PPP Interface List window.
2. Select the PPP interface to the ISP network.
3. Click on Lines to display the PPP Line List window.
4. Enable RFC 1661 compliance.
Parameter Name
Value
RFC1661 Compliance
Enable
For more information about PPP, see Configuring PPP Services.
B-6
303532-A Rev 00
Appendix C
Troubleshooting
To monitor your L2TP network and solve problems that may occur, first check the
event log file for any messages recorded by the LNS. For information about
viewing and reading event messages, see Event Messages for Routers and
Configuring and Managing Routers with Site Manager.
Table C-1 provides troubleshooting solutions for common problems with your
L2TP network.
Table C-1.
Problem
Common L2TP Network Problems and Solutions
What to Do
L2TP tunnel did not initiate.
Check whether you enabled tunnel authentication for
the LNS on that slot.
If authentication is enabled, make sure that the
authentication password is the same for the LAC and
the LNS.
You can also check the tunnel statistics, which are
automatically enabled on the LNS.
L2TP host (PC or router) cannot
reach the corporate network
through the established
connection.
Check the address and user authentication
information configured in the RADIUS server
database.
(continued)
303532-A Rev 00
C-1
Configuring L2TP Services
(continued)
Table C-1.
Problem
Common L2TP Network Problems and Solutions
What to Do
L2TP session is not active.
The LNS failed to negotiate the PPP LCP options.
Reconfigure the host at the remote site dialing in to
the ISP.
For a Bay Networks router at the remote site, check
the PPP MRU/MRRU size. The LNS supports an
MRU/MRUU size of 1500 only.
Use the following guidelines to configure a Bay
Networks router at the remote site:
•
For router software versions up to and including
11.02/rel, use an MTU size of 1510, which is the
default.
•
For router software versions 11.02/rev and later
set the PPP parameter RFC1661 Compliance to
Enable.
You can also check the session statistics, which are
automatically enabled on the LNS.
Bay Networks router at the remote Check the IP address assigned by the RADIUS
site cannot tunnel into the
corporate network.
server. There may be a mismatch between the
address of the remote router dialing in to the LAC
and the address that the RADIUS server assigns.
For example, router A dials in with its IP address of
1.1.1.3 and the RADIUS server assigns an incorrect
IP address of 1.1.1.5.
C-2
303532-A Rev 00
Index
A
L
accounting, RADIUS, 1-15
Ack Timeout (milliseconds) parameter, A-5
acronyms, xv
L2TP
customizing configuration, 3-1
deleting, PPP interface, 3-11
description, 1-1
B
C
disabling, 3-10
network components, 1-4
packet encapsulation, 1-8
purpose, 1-2
configuration examples, B-1
configuration file, requirements, 2-3
conventions, text, xiv
starting, 2-3
troubleshooting, C-1
D
deleting L2TP
from ATM, 3-13
from frame relay, 3-12
from PPP, 3-11
L2TP network server. See LNS
LAC
domain name, description, 1-12
configuration example, B-3
description, 1-5
E
LNS
educational services, xvi
changing system name, 3-4
configuration example, B-3
configuring router as, 2-3
customizing parameters, 3-1
description, 1-6
Enable L2TP parameter, A-3
Enable Tunnel Authentication parameter, A-9
H
Hello Timer (seconds) parameter, A-4
enabling tunnel authentication, 3-8
303532-A Rev 00
Index-1
LNS (continued)
S
L2TP security, 1-10
modifying protocol configuration, 3-2
operating with LACs, 1-11
sessions, L2TP
description, 1-3
LNS System Name parameter, A-5
LNS system name, changing, 3-4
Subnet Mask parameter, A-11
support, Bay Networks, xvi
M
T
Max L2TP Sessions parameter, A-3
technical publications, xvi
technical support, xvi
P
text conventions, xiv
TMS, description, 1-5, 1-12
troubleshooting network problems, C-1
parameters
tunnel authentication
description, 1-12
enabling, 3-8
customizing, 3-1
descriptions, A-1
Tunnel Authentication Password parameter, A-9
Tunnel Flow Control parameter, A-6
tunnel management server. See TMS
tunnel, description, 1-2
password, RADIUS server
description, 1-14
setting, 3-3
password, tunnel authentication
description, 1-12
setting, 3-8
U
product support, xvi
user authentication, RADIUS, 1-14
publications, Bay Networks, xvi
V
R
virtual private network (VPN), description, 1-1
RADIUS server
changing address and password, 3-3
description, 1-6
for user authentication, 1-14
Receive Window Size parameter, A-3
remote access server (RAS), 1-5
Remove Domain Name parameter, A-7
Retransmit Timer (seconds) parameter, A-4
RIP Enable parameter, A-12
router platforms for L2TP, 1-11
Index-2
303532-A Rev 00
|