HUAWEI AR G3 Series Enterprise Routers L2TP Feature White Paper

Huawei AR G3 Series Enterprise Routers
V200R002C01
L2TP Feature White Paper
Issue
01
Date
2012-05-10
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://enterprise.huawei.com/en/
Issue 01 (2012-05-10)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

Contents
Contents
1 Introduction to L2TP .................................................................................................................... 1
2 References ....................................................................................................................................... 2
3 Principles ........................................................................................................................................ 3
3.1 L2TP Implementation....................................................................................................................................... 3
3.2 L2TP Tunnel Establishment ............................................................................................................................. 5
3.3 L2TP Features .................................................................................................................................................. 7
4 Applications ................................................................................................................................... 9
4.1 Typical L2TP Scenarios ................................................................................................................................... 9
Issue 01 (2012-05-10)

ii

1 Introduction to L2TP
Introduction to L2TP
Definition
The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dial-up Network (VPDN)
tunneling protocol.
VPDN allows enterprise users, small-scale ISPs, and mobile office users to access the Internet
over a public network (for example, an ISDN or a PSTN) using the dialup function.
VPDN uses a tunneling protocol to establish secure VPNs for enterprises over a public
network. Branches and traveling staff remotely access the headquarters over tunnels on a
public network.
VPDN uses the following tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F)
Layer 2 Tunneling Protocol (L2TP)
L2TP is defined by the Internet Engineering Task Force (IETF). It combines the advantages of
L2F and PPTP, and is considered as an industry standard. Among VPDN tunneling protocols,
L2TP is widely used.
Purpose
The Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting
multiprotocol packets across point-to-point links. When PPP runs between a user device and a
network access server (NAS), the L2 termination point and PPP session endpoint reside on the
same physical device, for example, NAS.
L2TP, defined in RFC 2661, transmits PPP packets over a tunnel. L2TP extends the PPP
model because L2TP allows the Layer 2 termination point (LAC) and PPP session endpoint
(LNS) to reside on different devices on a packet switched network. This enables PPP sessions
to be transmitted over the IP network.
Benefits
L2TP brings in the following benefits:
Enables enterprise branches to connect to the enterprise headquarters.
Enables mobile office personnel to access the enterprise headquarters.
Issue 01 (2012-05-10)


2 References
References
The following table lists the references of this document.

Document No.
Description
RFC 2661
Layer Two Tunneling Protocol "L2TP"
Issue 01 (2012-05-10)


3 Principles
Principles
About This Chapter

3.1 L2TP Implementation
3.2 L2TP Tunnel Establishment
3.3 L2TP Features
3.1 L2TP Implementation

LAC
An L2TP Access Concentrator (LAC) provides PPP and L2TP processing capabilities on the
packet switched network. The LAC establishes an L2TP connection with the L2TP network
server (LNS) based on the user name or domain name in PPP packets so that PPP frames can
be transmitted to the LNS.
An LAC can establish different L2TP tunnels to isolate data flows. That is, multiple VPDN
connections can be set up on the LAC.
An LAC transmits data between the LNS and PPP terminal. The LAC encapsulates data
received from the PPP terminal based on L2TP, sends data to the LNS, decapsulates the data
received from the LNS, and sends it to the PPP terminal.
LNS
PPP sessions are initiated by user devices and received by the LNS. After being authenticated
by the LNS, remote users successfully set up PPP sessions with the LNS and can access
resources in the enterprise headquarters. As the other endpoint of an L2TP tunnel, the LNS is
a peer device of the LAC, and set up an L2TP tunnel with the LAC. Additionally, the LNS is
the logical termination point of a PPP session; therefore, the PPP client (user device) and the
LNS establish a virtual point-to-point link.
The LNS is located at the border between the headquarters' private network and the public
network, and is often used as the gateway of the enterprise headquarters. In addition, the LNS
provides the network address translation (NAT) function to translate private IP addresses on
the enterprise headquarters network in to public IP addresses.
Issue 01 (2012-05-10)


3 Principles
Control Message and Data Message

L2TP uses the following messages:
Control message: is used for setup and maintenance of tunnels and session connections
and for packet transmission control. Control messages are transmitted over a reliable
channel, which supports flow control and congestion management.
Data messages: is used to encapsulate PPP frames over a tunnel. Data messages are
transmitted over an unreliable channel without using the flow control, retransmission, or
congestion management mechanism.
The control message and data message use the same packet header. The L2TP header contains
a tunnel ID and a session ID, which are used to identify the tunnel and session respectively.
Packets with the same tunnel ID but different session IDs are transmitted over the same tunnel.
The tunnel ID and session ID are allocated by the LNS.
L2TP Architecture
Figure 3-1 shows the relationship between the PPP frame, control channel, and data channel.
PPP frames are transmitted over an unreliable data channel, and control messages are
transmitted over a reliable L2TP control channel.
Figure 3-1 L2TP architecture
PPP Frame
L2TP data message
L2TP data channel
(unreliable)
L2TP control message

L2TP control channel
reliable
Packet transmission network
Figure 3-2 shows the encapsulation format of an L2TP data packet transmitted between the
LAC and the LNS. L2TP data packets are often encapsulated into UDP packets. The
well-known UDP port for L2TP is 1701, which is only used in initial stage of tunnel setup.
The L2TP tunnel initiator randomly selects an idle port (which may not be port 1701) to
forward packets to port 1701 of the receiver. After receiving the packets, the receiver
randomly selects an idle port (which may not be port 1701) to forward packets to a
user-defined port of the sender. Both ends use the selected ports to communicate until the
tunnel is disconnected.
Figure 3-2 L2TP packet encapsulation format
20 bytes
New IP
Header
8 bytes
16 bytes
UDP Header L2TP Header
2 bytes
20 bytes
PPP
Header
Original IP
Header
Data
Tunnel and Session

Two types of connections are available between an LNS and an LAC:
Issue 01 (2012-05-10)


3 Principles
Tunnel: is set up between an LNS and an LAC.
Session: is transmitted over a tunnel and represents a PPP session over the tunnel.
Multiple L2TP tunnels can be set up between an LNS and an LAC. A tunnel consists of a
control connection and one or more sessions. A session can be set up only after a tunnel is
created successfully. Tunnel setup involves identity protection and exchange of information
such as the L2TP version, frame type, and hardware transfer type. A session corresponds to
one PPP data stream between the LAC and the LNS.
Both control messages and data message are transmitted over tunnels. L2TP uses Hello
packets to verify tunnel connectivity. The LAC and LNS periodically send Hello packets to
each other. If no response packet is received in a certain period of time, the tunnel is torn
down.
3.2 L2TP Tunnel Establishment

Figure 3-3 shows a typical L2TP network.
Figure 3-3 Typical L2TP network
VPDN
AAA Server
(RADIUS)
AAA Server
(RADIUS)
LAC
LNS
ISDN/
PPPoE
PC
Internet
PC
PPP Client
L2TP Tunnel
Headquarters
Figure 3-4 shows the L2TP call setup procedure.
Issue 01 (2012-05-10)


3 Principles
Figure 3-4 L2TP call setup procedure

AAA Server
(RADIUS)
AAA Server
(RADIUS)
(5)
access
accept
(4)
access
request
(10)
(13)
(9)
(12)
(9) (12)
access request
(10) (13)
access accept
Headquarters
Remote User
PC
PSTN/
ISDN
Internet
LAC
LNS
PC
(1) call setup

(2) PPP LCP setup
(3) PAP/CHAP authentication

(6) tunnel establish
(7) session establish
(8) PPP negotiation parameters
(11) (optional) Mandatory CHAP
(14) assign internal IP address
(15) successful communication
1.
The user PC initiates a call connection request.
2.
The PC and the LAC perform PPP LCP negotiation.
3.
The LAC authenticates the PC user using the Password Authentication Protocol (PAP) or
Challenge Handshake Authentication Protocol (CHAP).
# Perform CHAP authentication for access users connected to LAC user-side interfaces.
<Huawei> system-view
[Huawei] interface serial 1/0/0
[Huawei-Serial1/0/0] link-protocol ppp
[Huawei-Serial1/0/0] ppp authentication-mode chap
4.
The LAC sends authentication information including the user name and password to the
RADIUS server for authentication.
5.
The RADIUS server authenticates the user. If the user is authenticated, the LAC initiates
a tunneling request to the LNS.
# Create an L2TP group, set L2TP tunnel parameters, authenticate the user based on the
user name, and initiate a tunneling request to the LNS at 10.1.1.1.
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
6.
Issue 01 (2012-05-10)
The LAC initiates a tunneling request to the LNS.


7.
3 Principles
If the tunnel needs to be authenticated, the LAC sends a CHAP challenge to the LNS.
The LNS returns a CHAP response and sends its CHAP challenge to the LAC.
Accordingly, the LAC returns a CHAP response to the LNS.
# Set the same authentication parameters for the LAC and LNS. The LAC is used as an
example. The authentication password is huawei in cipher text.
[Huawei-l2tp1] tunnel authentication
[Huawei-l2tp1] tunnel password cipher huawei
8.
The tunnel is authenticated.

# Specify the virtual template interface VT1 that accepts the LAC connection request
and configure the name of the remote tunnel end as lac.
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac
9.
The LAC sends the CHAP response, response identifier, and PPP negotiation parameters
of the user to the LNS.
10. The LNS sends an access request to its RADIUS server for authentication.
11. The RADIUS server authenticates the access request and returns a response if the user is
authenticated.
12. If the LNS is configured to perform a mandatory CHAP authentication for the user, the
LNS sends a CHAP challenge to the user and the user returns a CHAP response.
# Configure second authentication, for example, mandatory CHAP authentication, for
remote users on the LNS.
[Huawei-l2tp1] mandatory-chap
13. The LNS sends an access request again to its RADIUS server for authentication.
14. The RADIUS server authenticates the access request and returns a response if the user
needs to be authenticated.
15. The LNS assigns an internal IP address to the remote user. The user can access internal
resources of the enterprise network.
# Configure the LNS virtual template interface address as the gateway address, and
import the configured address pool pool 1 to allocate IP addresses to remote users.
[Huawei] interface virtual-ethernet 1
[Huawei-Virtual-Template1] ip address 172.1.1.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool 1
3.3 L2TP Features
Flexible identity authentication and high security

L2TP does not provide security mechanisms, but allows PPP authentication such as
CHAP and PAP and has all security features of PPP. L2TP can integrate with IPSec to
ensure data security, so L2TP data is difficult to be intercepted. If high security is
required, you can use tunnel encryption, end-to-end data encryption, and end-to-end
application-layer data encryption technologies together with L2TP.
Issue 01 (2012-05-10)


3 Principles
Multi-protocol transmission
L2TP transmits PPP frames, which can be used to encapsulate packets of multiple
network layer protocols.
RADIUS server authentication

The LAC and LNS can send the user name and password of a remote user to a RADIUS
server for authentication. The RADIUS server receives user authentication requests and
completes authentication.
Internal address allocation

An LNS can dynamically allocate and manage private addresses to remote users (see
RFC 1918). This facilitates address management and improves security.
Flexible accounting
Accounting can be performed on the LAC and LNS simultaneously. The LAC on the ISP
side generates bills and the LNS as the enterprise gateway charges and audit fees. L2TP
can provide such accounting data as statistics on incoming and outgoing traffic and
connection start time and end time, allowing flexible accounting.
Reliability
L2TP supports LNS backup. When the primary LNS is unreachable, an LAC can
establish a new connection with a secondary LNS. This enhances reliability and fault
tolerance of VPN services.
Issue 01 (2012-05-10)


4 Applications
Applications
About This Chapter

4.1 Typical L2TP Scenarios
4.1 Typical L2TP Scenarios

L2TP is used in the following scenarios:
NAS-Initialized
Client-Initialized
LAC-Auto-Initiated
Multi-domain Access
NAS-Initialized
As shown in Figure 4-1, the LAC (NAS) initiates an L2TP tunnel setup request. A remote user
connects to the LAC using PPP, and the LAC sends a tunnel setup request to the LNS through
the Internet. Private addresses are assigned to dialup users by the LNS. The LAC or LNS
performs authentication and accounting for remote users. The AR router can function as the
gateway of the enterprise headquarters and branch and provides PPP client and LNS services.
Issue 01 (2012-05-10)


4 Applications
Figure 4-1 NAS-Initiated

RADIUS
RADIUS
Remote User
Headquarters
Internet
LNS
LAC
(NAS)
Branch
L2TP Tunnel
# Configure the AR used as the LNS to respond to the L2TP setup request initiated by the
LAC.
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac
Client-Initialized
As shown in Figure 4-2, a remote user terminal supporting L2TP initiates an L2TP tunnel
setup request after obtaining the Internet access right. The remote user terminal functions as
the LAC and the private address is assigned by the LNS. In client-initiated scenario, the AR
functions as the LNS and is deployed on the enterprise headquarters gateway.
Figure 4-2 Client-Initialized
RADIUS
Headquarters
Remote User
(LAC)
Internet
LNS
L2TP Tunnel
The client-initialized mode has the following features:
Issue 01 (2012-05-10)

10

4 Applications
Users must install L2TP dialup software on their PCs. PCs running Windows can use the
built-in VPN dialup software.
Users can access the network in multiple ways and can access the Internet without
authentication.
An L2TP tunnel is set up between the client and the LNS, and an L2TP tunnel can carry
only one L2TP session.
IPSec can be used for encryption and authentication in scenarios demanding high
security.
LAC-Auto-Initiated
Remote users must use PPPoE or ISDN to connect to the LAC. The LAC sends a tunnel setup
request to the LNS only after remote users connect to the LAC. As shown in Figure 4-3, a
virtual PPP user is created on the LAC. The LAC performs virtual dialup, sends a tunnel setup
request to the LNS, and sets up an L2TP tunnel for the virtual PPP user. When remote users
access the internal network connected to the LNS, the LAC forwards data over the L2TP
tunnel. In addition to a dialup connection, any IP-based connection can exist between the
remote system and the LAC. The AR functions as the LAC and is deployed on the enterprise
branch gateway.
Figure 4-3 Connecting to the LAC directly
RADIUS
Headquarters
Branch
Internet
LNS
LAC
L2TP Tunnel
# Configure the AR used as the LAC to send an L2TP tunnel setup request to the LNS at
10.1.1.1. The user name is user1.
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address ppp-negotiate
[Huawei-Virtual-Template1] ppp pap local-user user1 password simple huawei
[Huawei-Virtual-Template1] l2tp-auto-client enable
[Huawei-Virtual-Template1] quit
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
Issue 01 (2012-05-10)

11

4 Applications
Multi-domain Access
As shown in Figure 4-4, different enterprise branches are allowed to access only limited
resources of the enterprise headquarters. The headquarters provides access services for branch
staff. The headquarters establishes VPDN connections with branches using L2TP. The LAC
determines users based on domain names, which facilitates VPDN user management. Each
branch uses a separate L2TP tunnel and obtains private addresses on different segments.
Because source and destination addresses are allocated by the headquarters, you can configure
an ACL on the headquarters to manage access rights of branches.
Figure 4-4 NAS-Initiated
Branch A
PC
E E2 /
Po G
LNS
LAC
0/
GE1/0/0
202.1.1.2/24
GE1/0/0
202.1.1.1/24
/0
Po G
E E3
PC
lac1
L2TP Group1 Tunnel

VT1 10.1.1.1/24
PP
Branch B
lac2
L2TP Group2 Tunnel

VT2 10.2.1.1/24
/0 4
/0 . 1 / 2
E3 . 1
G 0. 4
1
/0
PC1
user1@aaa.com
PC
G
10 E2
. 3 /0 /
.1 0
.1
/2
4
PP
PC3
10.3.1.2/24
lns
Department A
Headquarters
PC
lns
PC4
10.4.1.2/24
Department B
PC2
user2@bbb.com
# Configure the AR used as the LAC.

#
sysname LAC
#
l2tp enable
#
aaa
authentication-scheme huawei
domain aaa.com
domain bbb.com
local-user user1@aaa.com password +Q4Z3D_*-N[Q=^Q`MAF4<1!!
local-user user1@aaa.com service-type ppp
local-user user2@bbb.com password +Q4Z3D_*-N[Q=^Q`AWTQ<1!!
local-user user2@bbb.com service-type ppp
#
interface Virtual-Template1
ip address ppp-negotiate
ppp authentication-mode pap
#
ip address ppp-negotiate
Issue 01 (2012-05-10)

12

4 Applications

#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
pppoe-server bind Virtual-Template 1
#
pppoe-server bind Virtual-Template 2
#
l2tp-group 1
tunnel password simple huawei
tunnel name lac1
start l2tp ip 202.1.1.1 domain aaa.com
#
l2tp-group 2
tunnel name lac2
start l2tp ip 202.1.1.1 domain bbb.com
#
return
# Configure the AR used as the LNS.

#
sysname LNS
#
l2tp enable
#
ip pool 1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa
domain aaa.com
domain bbb.com
local-user user1@aaa.com password +Q4Z3D_*-N[Q=^Q`MAF4<1!!
local-user user1@aaa.com service-type ppp
local-user user2@bbb.com password +Q4Z3D_*-N[Q=^Q`AWTQ<1!!
local-user user2@bbb.com service-type ppp
#
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
Issue 01 (2012-05-10)

13

4 Applications
remote address pool 2

ip address 10.2.1.1 255.255.255.0
#
ip address 202.1.1.1 255.255.255.0
#
ip address 10.3.1.1 255.255.255.0
#
ip address 10.4.1.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote lac1
tunnel name lns
#
l2tp-group 2
allow l2tp virtual-template 2 remote lac2
tunnel name lns
#
return
Issue 01 (2012-05-10)

14

HUAWEI AR G3 Series Enterprise Routers L2TP Feature White Paper

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

HUAWEI AR G3 Series Enterprise Routers L2TP Feature White Paper

Încărcat de

Drepturi de autor:

Formate disponibile

Huawei AR G3 Series Enterprise Routers

L2TP Feature White Paper

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential