Version: V200R002C01
Issue: 01
Date: 2012-05-10
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website:
http://enterprise.huawei.com/en/
Issue 01 (2012-05-10)
Contents

1 Introduction to L2TP
2 References
3 Principles
3.1 L2TP Implementation
3.2 L2TP Tunnel Establishment
3.3 L2TP Features
4 Applications
4.1 Typical L2TP Scenarios
1 Introduction to L2TP
Definition
The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dial-up Network (VPDN) tunneling protocol.
VPDN allows enterprise users, small-scale ISPs, and mobile office users to reach a private network over a public network (for example, an ISDN or a PSTN) using a dialup connection.
VPDN uses a tunneling protocol to establish VPNs for enterprises over a public network. Branches and traveling staff remotely access the headquarters over tunnels on the public network.
VPDN tunneling protocols include PPTP, L2F, and L2TP. L2TP is defined by the Internet Engineering Task Force (IETF). It combines the advantages of L2F and PPTP and is considered an industry standard; among VPDN tunneling protocols, it is the most widely used.
Purpose
The Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting multiprotocol packets across point-to-point links. When PPP runs between a user device and a network access server (NAS), the Layer 2 termination point and the PPP session endpoint reside on the same physical device, the NAS.
L2TP, defined in RFC 2661, transmits PPP packets over a tunnel. L2TP extends the PPP model by allowing the Layer 2 termination point (the L2TP access concentrator, LAC) and the PPP session endpoint (the L2TP network server, LNS) to reside on different devices connected by a packet-switched network. This enables PPP sessions to be carried across an IP network.
Benefits
L2TP provides the following benefits:
2 References

RFC 2661: Layer Two Tunneling Protocol "L2TP"
3 Principles

3.1 L2TP Implementation

LNS
PPP sessions are initiated by user devices and terminated on the LNS. After being authenticated by the LNS, a remote user has a PPP session with the LNS and can access resources in the enterprise headquarters. As the other endpoint of an L2TP tunnel, the LNS is the peer of the LAC and sets up the L2TP tunnel with it. Because the LNS is the logical termination point of the PPP session, the PPP client (user device) and the LNS form a virtual point-to-point link.
The LNS is located at the border between the headquarters' private network and the public network and is often the gateway of the enterprise headquarters. The LNS can also provide network address translation (NAT) to translate private IP addresses of the headquarters network into public IP addresses.
L2TP uses two kinds of messages:
Control messages: used to set up, maintain, and tear down tunnels and sessions. Control messages are transmitted over a reliable control channel that provides sequencing, acknowledgement, retransmission, and window-based flow control.
Data messages: used to encapsulate PPP frames over the tunnel. Data messages are transmitted over an unreliable data channel with no retransmission or congestion management; their sequence numbers are optional and serve only to detect out-of-order delivery.
Control and data messages share the same header format. The L2TP header contains a tunnel ID and a session ID, which identify the tunnel and the session within it. Packets with the same tunnel ID but different session IDs belong to the same tunnel.
Tunnel IDs and session IDs have local significance only: each peer allocates the IDs it wants the other end to use and announces them during tunnel and session setup (the Assigned Tunnel ID and Assigned Session ID AVPs), so the IDs carried in a received packet are the ones the receiver assigned. The same tunnel therefore has a different ID at each end, and the IDs are identifiers, not credentials.
L2TP Architecture
Figure 3-1 shows the relationship between the PPP frame, the control channel, and the data channel. PPP frames are transmitted over an unreliable data channel, and control messages are transmitted over a reliable L2TP control channel.
Figure 3-1 L2TP architecture: PPP frame -> L2TP data message -> L2TP data channel (unreliable); control message -> L2TP control channel (reliable)
Figure 3-2 shows the encapsulation format of an L2TP data packet transmitted between the LAC and the LNS. L2TP packets are carried in UDP. The well-known UDP port for L2TP is 1701, but it is guaranteed only as the destination port of the first packet of a tunnel. The tunnel initiator picks an available source port (which may or may not be 1701) and sends to port 1701 of the responder; the responder picks a free port of its own (again, not necessarily 1701) and replies to the initiator's source port. Both ends then keep using these ports until the tunnel is torn down. Firewall and NAT rules for L2TP must therefore allow the reply traffic from a non-1701 source port; in practice most implementations keep port 1701 on both sides.
Figure 3-2 L2TP packet encapsulation format (data packet between LAC and LNS):
new IP header (20 bytes) | UDP header (8 bytes) | L2TP header (16 bytes) | PPP header (2 bytes) | original IP header (20 bytes) | data
Session: a session runs over a tunnel and represents one PPP session carried by that tunnel.
Multiple L2TP tunnels can be set up between an LNS and an LAC. A tunnel consists of a control connection and one or more sessions, and a session can be set up only after the tunnel has been established. Tunnel setup includes optional tunnel authentication and an exchange of information such as the L2TP protocol version, framing capabilities, and bearer capabilities. A session corresponds to one PPP data stream between the LAC and the LNS.
Both control and data messages are transmitted over the tunnel. L2TP uses Hello messages to verify tunnel connectivity: the LAC and the LNS periodically send Hello messages to each other, and if no acknowledgement is received within the configured time, the tunnel is torn down.
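The following Python parser is an added example, written for this page and not taken from Huawei's documentation or products. It implements the RFC 2661 header layout described above (T/L/S/O/P flags, version, optional Length, tunnel ID, session ID, optional Ns/Nr and offset), walks the AVP list of a control message, and names the message type (SCCRQ, HELLO, ZLB acknowledgement, and so on). The two sample datagrams at the bottom are constructed by hand, and the bounds checks show the validation a receiver needs before it trusts the Length and AVP length fields of a packet that arrived from the Internet.

```python
# Added example for this page (not Huawei code): an RFC 2661 L2TPv2 header
# and AVP parser. Sample datagrams at the bottom are constructed by hand.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
AVP_MANDATORY, MESSAGE_TYPE_AVP = 0x8000, 0
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
             12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


@dataclass
class L2TPPacket:
    is_control: bool
    tunnel_id: int          # both IDs are the ones the *receiver* assigned
    session_id: int
    ns: Optional[int]       # present only when the S bit is set
    nr: Optional[int]
    payload: bytes          # AVPs for control messages, a PPP frame for data
    avps: List[Tuple[int, int, bool, bytes]] = field(default_factory=list)


def parse_avps(body: bytes) -> List[Tuple[int, int, bool, bytes]]:
    """Walk a control message's AVPs as (vendor, attr, mandatory, value)."""
    avps, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 6:
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack_from("!HHH", body, pos)
        length = hdr & 0x03FF              # 10-bit length, header included
        if length < 6 or pos + length > len(body):
            raise ValueError("AVP length outside message")   # never overread
        avps.append((vendor, attr, bool(hdr & AVP_MANDATORY),
                     body[pos + 6:pos + length]))
        pos += length
    return avps


def parse_l2tp(dgram: bytes) -> L2TPPacket:
    """Parse the UDP payload of one L2TP datagram, control or data."""
    def take(fmt: str, pos: int):
        size = struct.calcsize(fmt)
        if pos + size > len(dgram):
            raise ValueError("truncated L2TP header")
        return struct.unpack_from(fmt, dgram, pos), pos + size

    (flags,), pos = take("!H", 0)
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    is_control = bool(flags & FLAG_T)
    # RFC 2661 3.1: control messages must set L and S and clear O and P
    if is_control and (flags & (FLAG_L | FLAG_S | FLAG_O | FLAG_P)) != (FLAG_L | FLAG_S):
        raise ValueError("illegal flag combination for a control message")
    end = len(dgram)
    if flags & FLAG_L:                     # optional Length field
        (length,), pos = take("!H", pos)
        if length > len(dgram):
            raise ValueError("Length field exceeds datagram")
        end = length
    (tunnel_id, session_id), pos = take("!HH", pos)
    ns = nr = None
    if flags & FLAG_S:                     # optional sequence numbers
        (ns, nr), pos = take("!HH", pos)
    if flags & FLAG_O:                     # optional offset and padding
        (offset,), pos = take("!H", pos)
        pos += offset
    if pos > end:
        raise ValueError("header overruns the message")
    payload = dgram[pos:end]
    return L2TPPacket(is_control, tunnel_id, session_id, ns, nr, payload,
                      parse_avps(payload) if is_control else [])


def message_name(pkt: L2TPPacket) -> str:
    """Name the packet as a firewall log or IDS rule would."""
    if not pkt.is_control:
        return "DATA"
    for vendor, attr, _mandatory, value in pkt.avps:
        if vendor == 0 and attr == MESSAGE_TYPE_AVP and len(value) == 2:
            return MSG_NAMES.get(struct.unpack("!H", value)[0], "UNKNOWN")
    return "ZLB" if not pkt.avps else "UNKNOWN"   # ZLB: bare acknowledgement


def is_well_formed(dgram: bytes) -> bool:
    try:
        parse_l2tp(dgram)
        return True
    except ValueError:
        return False


# Constructed: SCCRQ from a tunnel initiator (tunnel/session ID 0, Ns=Nr=0,
# Length=20) carrying a single mandatory Message Type AVP with value 1.
SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000 8008 0000 0000 0001")
# Constructed: data message for tunnel 5 / session 7 carrying a PPP frame whose
# 2-byte protocol field is 0x0021 (IPv4), followed by the start of an IP header.
DATA = bytes.fromhex("0002 0005 0007") + b"\x00\x21" + bytes.fromhex("4500001c")
```

A packet filter that needs to tell tunnel control traffic from PPP payload can key on the T bit and the tunnel and session IDs exactly as parse_l2tp does. Note that the IDs only identify the tunnel to the receiving end; they are not a credential, and a receiver must still check every length field against the datagram it actually received, as the ValueError paths above do.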
3.2 L2TP Tunnel Establishment
Figure: typical L2TP networking. PC (PPP client) -- ISDN/PPPoE -- LAC -- Internet (L2TP tunnel) -- LNS -- headquarters; an AAA server (RADIUS) is attached to both the LAC and the LNS.
Figure: L2TP tunnel establishment process. Remote user PC -- PSTN/ISDN -- LAC -- Internet -- LNS -- headquarters PC. Steps (4) access request and (5) access accept run between the LAC and its AAA server (RADIUS); steps (9) and (12) access request and (10) and (13) access accept run between the LNS and its AAA server (RADIUS).
1.
2.
3. The LAC authenticates the PC user using the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP).
# Perform CHAP authentication for access users connected to LAC user-side interfaces.
<Huawei> system-view
[Huawei] interface serial 1/0/0
[Huawei-Serial1/0/0] link-protocol ppp
[Huawei-Serial1/0/0] ppp authentication-mode chap
4. The LAC sends the authentication information (the user name and the PAP password or CHAP response) to its RADIUS server.
5. The RADIUS server authenticates the user. If authentication succeeds, the LAC initiates a tunnel setup request to the LNS.
# Create an L2TP group, set the L2TP tunnel parameters, select the tunnel by full user name, and initiate a tunnel setup request to the LNS at 10.1.1.1.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
6.
7. If tunnel authentication is enabled, the LAC sends a CHAP challenge to the LNS. The LNS returns a CHAP response and sends its own CHAP challenge to the LAC, and the LAC returns a CHAP response to the LNS.
# Set the same tunnel authentication parameters on the LAC and the LNS. The LAC is used as an example. The tunnel password is huawei (a placeholder; use a long random secret in production), stored in cipher text.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] tunnel authentication
[Huawei-l2tp1] tunnel password cipher huawei
8.
9. The LAC sends the user's CHAP response, response identifier, and PPP negotiation parameters to the LNS.
10. The LNS sends an access request to its RADIUS server for authentication.
11. The RADIUS server authenticates the access request and returns a response if the user is authenticated.
12. If the LNS is configured to perform mandatory CHAP authentication of the user, the LNS sends a CHAP challenge to the user and the user returns a CHAP response.
# Configure a second authentication of remote users on the LNS, in this case mandatory CHAP authentication.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] mandatory-chap
13. The LNS sends an access request to its RADIUS server again.
14. The RADIUS server authenticates the access request and returns a response if the user is authenticated.
15. The LNS assigns an internal IP address to the remote user. The user can now access internal resources of the enterprise network.
# Configure the IP address of the LNS virtual template interface as the gateway address, and bind the address pool pool 1 to it to allocate IP addresses to remote users.
<Huawei> system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address 172.1.1.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool 1
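Steps 7 to 15 above describe the establishment exchange. The following Python code is an added example, not Huawei code, that works through the tunnel authentication of step 7 with both sides' messages: the LAC's SCCRQ carrying a challenge, the LNS's SCCRP carrying its response and its own challenge, and the LAC's SCCCN carrying the second response. The response computation follows RFC 2661 (a CHAP-style MD5 over the message type, the shared secret, and the challenge). The secrets and the fixed challenges C1 and C2 are constructed for the demo; the literal huawei is the placeholder password used in the configuration examples on this page.

```python
# Added example for this page (not Huawei code): the RFC 2661 tunnel
# authentication exchange SCCRQ -> SCCRP -> SCCCN between a LAC and an LNS.
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

SCCRP, SCCCN = 2, 3   # Message Type of the message that carries each response

Transcript = List[Tuple[str, dict]]


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 4.4.3: a CHAP (RFC 1994) response in which the CHAP Identifier
    is replaced by the Message Type of the message carrying the response."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time compare


def tunnel_auth_exchange(lac_secret: bytes, lns_secret: bytes,
                         lac_challenge: Optional[bytes] = None,
                         lns_challenge: Optional[bytes] = None
                         ) -> Tuple[bool, bool, Transcript]:
    """Run step 7 of the page between a LAC and an LNS.
    Returns (lac_accepts_lns, lns_accepts_lac, transcript of messages)."""
    c1 = lac_challenge or secrets.token_bytes(16)   # LAC's Challenge AVP
    c2 = lns_challenge or secrets.token_bytes(16)   # LNS's Challenge AVP
    t: Transcript = [("SCCRQ", {"challenge": c1})]  # LAC -> LNS
    # LNS answers c1 with its copy of the secret and issues c2, both in SCCRP
    r1 = challenge_response(SCCRP, lns_secret, c1)
    t.append(("SCCRP", {"challenge_response": r1, "challenge": c2}))  # LNS -> LAC
    if not verify_response(SCCRP, lac_secret, c1, r1):
        t.append(("StopCCN", {"from": "LAC", "reason": "tunnel auth failed"}))
        return False, False, t
    # LAC answers c2 in SCCCN; the LNS verifies before the tunnel comes up
    r2 = challenge_response(SCCCN, lac_secret, c2)
    t.append(("SCCCN", {"challenge_response": r2}))                   # LAC -> LNS
    if not verify_response(SCCCN, lns_secret, c2, r2):
        t.append(("StopCCN", {"from": "LNS", "reason": "tunnel auth failed"}))
        return True, False, t
    return True, True, t


def offline_secret_check(t: Transcript, candidates: List[bytes]) -> Optional[bytes]:
    """What a passive observer of SCCRQ/SCCRP can do: the response is keyed
    by nothing but the shared secret, so candidates are testable offline."""
    c1, r1 = t[0][1]["challenge"], t[1][1]["challenge_response"]
    for cand in candidates:
        if verify_response(SCCRP, cand, c1, r1):
            return cand
    return None


# Constructed demo values: fixed challenges make the run reproducible.
C1, C2 = bytes(range(16)), bytes(range(16, 32))

if __name__ == "__main__":
    ok_lac, ok_lns, t = tunnel_auth_exchange(b"huawei", b"huawei", C1, C2)
    print([m for m, _ in t], ok_lac, ok_lns)
    print(offline_secret_check(t, [b"admin", b"huawei"]))
```

offline_secret_check is why the tunnel password matters: the challenge and the response cross the network in the clear, so anyone who records the SCCRQ/SCCRP pair can test guesses against the captured exchange without touching either device. Tunnel authentication also protects only tunnel establishment; the PPP frames carried in data messages are neither authenticated nor encrypted by L2TP itself, which is why the page recommends IPSec for deployments that need confidentiality.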
3.3 L2TP Features
Multi-protocol transmission
L2TP transmits PPP frames, which can encapsulate packets of multiple network layer protocols.
Flexible accounting
Accounting can be performed on the LAC and the LNS at the same time: the LAC on the ISP side generates bills, and the LNS as the enterprise gateway charges and audits fees. L2TP provides accounting data such as incoming and outgoing traffic statistics and connection start and end times.
Reliability
L2TP supports LNS backup. When the primary LNS is unreachable, an LAC can establish a new connection with a secondary LNS, which improves the reliability and fault tolerance of VPN services.
4 Applications

4.1 Typical L2TP Scenarios
L2TP is used in the following scenarios:
NAS-Initialized
Client-Initialized
LAC-Auto-Initiated
Multi-domain Access
NAS-Initialized
As shown in Figure 4-1, the LAC (NAS) initiates the L2TP tunnel setup request. A remote user connects to the LAC using PPP, and the LAC sends a tunnel setup request to the LNS over the Internet. Private addresses are assigned to dialup users by the LNS. The LAC or the LNS performs authentication and accounting for remote users. The AR router can function as the gateway of the enterprise headquarters or branch and provide PPP client and LNS services.
Figure 4-1 NAS-Initialized: remote user (branch) -- LAC (NAS) -- Internet (L2TP tunnel) -- LNS -- headquarters, with a RADIUS server attached
# Configure the AR used as the LNS to respond to the L2TP setup request initiated by the
LAC.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac
Client-Initialized
As shown in Figure 4-2, a remote user terminal that supports L2TP initiates the L2TP tunnel setup request itself once it has Internet access. The remote user terminal functions as the LAC, and its private address is assigned by the LNS. In the client-initiated scenario, the AR functions as the LNS and is deployed as the enterprise headquarters gateway.
Figure 4-2 Client-Initialized: remote user (LAC) -- Internet (L2TP tunnel) -- LNS -- headquarters, with a RADIUS server attached to the LNS
Users must install L2TP dialup software on their PCs. PCs running Windows can use the built-in VPN dialup client.
Users can connect to the Internet in any way and do not need to be authenticated by the access network; they are authenticated by the LNS when the tunnel and the PPP session are set up.
An L2TP tunnel is set up between the client and the LNS, and such a tunnel carries only one L2TP session.
L2TP itself does not encrypt or integrity-protect the PPP frames it carries, so IPSec should be used for encryption and authentication in scenarios demanding high security.
LAC-Auto-Initiated
In the NAS-initiated scenario, remote users must connect to the LAC using PPPoE or ISDN, and the LAC sends a tunnel setup request to the LNS only after a remote user has connected. In the LAC-auto-initiated scenario shown in Figure 4-3, a virtual PPP user is instead created on the LAC. The LAC performs virtual dialup, sends a tunnel setup request to the LNS, and sets up an L2TP tunnel for the virtual PPP user. When remote users access the internal network behind the LNS, the LAC forwards their data over this L2TP tunnel. The connection between the remote system and the LAC need not be a dialup connection; any IP-based connection will do. The AR functions as the LAC and is deployed as the enterprise branch gateway.
Figure 4-3 Connecting to the LAC directly: branch -- LAC -- Internet (L2TP tunnel) -- LNS -- headquarters, with a RADIUS server attached to the LNS
# Configure the AR used as the LAC to send an L2TP tunnel setup request to the LNS at
10.1.1.1. The user name is user1.
<Huawei> system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address ppp-negotiate
[Huawei-Virtual-Template1] ppp pap local-user user1 password simple huawei
[Huawei-Virtual-Template1] l2tp-auto-client enable
[Huawei-Virtual-Template1] quit
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
Multi-domain Access
As shown in Figure 4-4, different enterprise branches are allowed to access only limited resources of the enterprise headquarters. The headquarters provides access services for branch staff and establishes VPDN connections with the branches using L2TP. The LAC identifies users by the domain part of the user name (for example, user1@aaa.com and user2@bbb.com), which simplifies VPDN user management. Each branch uses a separate L2TP tunnel and obtains private addresses from a different network segment. Because both source and destination addresses are allocated by the headquarters, an ACL on the headquarters can enforce the access rights of each branch.
Figure 4-4 Multi-domain access (NAS-initiated): Branch A (PC1, user1@aaa.com) behind lac1 and Branch B (PC2, user2@bbb.com) behind lac2, each over its own L2TP tunnel across the Internet to the headquarters lns; the LAC and LNS GE1/0/0 interfaces are on 202.1.1.0/24 (202.1.1.2 and 202.1.1.1). Behind the LNS, Department A contains PC3 (10.3.1.2/24) and Department B contains PC4 (10.4.1.2/24).