Reference

L2TP Support




1. What is L2TP?

Tunneling is the key to L2TP (and other virtual dial-up services). With tunneling, protocol packets of one type of network are put inside or encapsulated in the protocol packets of another network for transport across that network. A tunnel has an entry point and an exit point that are essentially interfaces between two different types of networks, although they are defined in software.

Dial-up users typically use the PPP (Point-to-Point Protocol) for an Internet connection. PPP is a layer 2 protocol that frames data so it can be sent across a dial-up connection. The protocol allows users to run TCP/IP software such as Web browsers as if they were directly connected to the Internet. In fact, user TCP/IP packets are put into PPP frames for transport across the dial-up link to an ISP. The ISP then extracts the TCP/IP packets and forwards them on the Internet. L2TP enhances PPP by granting a means for a remote user to extend a PPP link across the Internet all the way to a corporate site. In essence, a tunnel is established across the Internet from the ISP to a corporate site and frames are transmitted through the tunnel. Once the tunnel is set up, the ISP is essentially out of the picture and the user communicates to the corporate network over what appears to be a direct dial-up connection.

2. Advantages of L2TP
 

3. How L2TP Works

In L2TP terminology, the NAS (network access server) at the ISP is the L2TP client and is called a LAC (L2TP Access Concentrator). The Prestige at the corporate LAN is the server and is called a LNS (L2TP Network Server). A tunnel exists between the LAC and the LNS. The (mobile) user employs L2TP for the Internet tunnel. In simple terms, a LAC forwards packets and must have a PSTN connection; a LNS negotiates PPP but does not necessarily have a PSTN connection. Obviously, however, both the LAC and the LNS must have access to the Internet. Both the LNS and the LAC are called L2TP endpoints. After call connection, the user and the LNS negotiate PPP in exactly the same fashion as a direct connection. However, instead of interfacing to the physical device, e.g., ISDN, the LNS is talking to an L2TP tunnel, i.e., a logical device. Please refer to the diagram below.

Figure 1-1 How L2TP works

3.1. LNS (L2TP Network Server)

The LNS terminates a PPP connection; it handles the server side of the L2TP protocol. Since L2TP runs on top of IP, the LNS may have only a single LAN or WAN interface yet still be able to terminate calls arriving at any LAC's full range of PPP interfaces (async, synchronous ISDN, V.120, etc.).

3.2. LAC (L2TP Access Concentrator)

The LAC relays the traffic between the LNS and the user. It may tunnel any protocol carried within PPP. For incoming calls, the LAC may negotiate LCP and authentication to discover the apparent identity of the user, or it may use other mechanisms, e.g., CLID (calling line identification). In the case of PPP authentication, the LAC only performs partial negotiation, i.e., receiving a PAP request, or sending a CHAP challenge and receiving the response. Once the user name (and hence the realm) is known, the LAC forwards all negotiation data gathered thus far (LCP and authentication) to the LNS.

Note that a Prestige can be both a LAC and a LNS at the same time.

The remote user dials in to an ISP. A tunnel is then set up from the ISP across the Internet to a corporate gateway server. Once the tunnel is set up, mobile users access the corporate network as if they had dialed directly into that network.

3.3. Internet-based tunnel process

  1. The remote user dials the ISP and the ISP collects logon information from the client. A PPP (analog modem) or native ISDN connection is established between the client and the ISP.
  2. The ISP inspects the username in the logon information and determines whether a virtual dial-up service is required. The ISP maintains a database (endpoint table) for a corporation that associates the username (the realm or domain name) with a specific endpoint (i.e., the corporate gateway).
  3. The ISP establishes a tunnel by contacting the corporate gateway.
  4. The authentication information that was initially collected from the remote user in Step 1 is forwarded to the corporate gateway. Now the remote user is authenticated by the corporate LNS.
  5. Now the user has an end-to-end PPP link.

At this point, the connection between the remote user and the corporate network is like any PPP connection. When the ISP receives frames from the remote user over the PPP link, they are encapsulated in L2TP, and forwarded over the tunnel to the LNS. The corporate gateway receives these frames, strips L2TP, and processes them as normal incoming frames.

4. The Prestige and L2TP

We will describe scenarios where we use the Prestige as a LNS and/or LAC for both outgoing and incoming calls.

4.1. Endpoint Table

Both the LNS and the LAC refer to this table to find the tunnel endpoint. Please note that a receiving L2TP endpoint must have a fixed, globally unique IP address while an initiating endpoint may have a dynamic IP address.

4.2. Prestige as LNS

Figure 1-2 Prestige as LNS

In this scenario, the ISP is the LAC. The LAC will search for the Endpoint Name (domain or realm name) in its endpoint table to decide whether it should create a tunnel or provide ordinary Internet access. In the above example, a tunnel is created between the Prestige LNS and the LAC. The user name and password in the Windows 95 Dial-Up Networking profile must be defined in menu 14.1, the profile for this Dial-in User, so that PPP authentication can take place directly between the mobile user and the Prestige LNS while the LAC (ISP) remains transparent to the process.

4.2.1. Outgoing Call

For an LNS to initiate an outbound L2TP call, it requires a remote node in the same fashion as a regular PSTN call. Moreover, you need to specify a mode of tunneling, i.e., None, Proxy or Direct, and if tunneling is requested, you need to specify the L2TP endpoint. This can be done in Menu 11.1 - Remote Node Profile.

Figure 1-3 SMT Menu 11.1


                Menu 11.1 - Remote Node Profile

     Rem Node Name= ChangeMe
     Active= Yes                     Route= IPX
     Call Direction= Outgoing        Bridge= No
     Tunneling Mode= Direct 
     Endpoint Index=1                Edit PPP Options= No
                                     Rem IP Addr= 0.0.0.0
     Incoming:                       Edit IP/IPX/Bridge= No
       Rem Login= N/A                Telco Option:
       Rem Password= N/A             Allocated Budget(min)= 0
       Rem CLID= N/A                    Period(hr)= 0
       Call Back= N/A                   Transfer Type= 64K
     Outgoing:                          Nailed-Up Connection= No
       My Login= ChangeMe            Session Options:
       My Password= ********            Edit Filter Sets= No
       Authen= CHAP/PAP                 Idle Timeout(sec)= 300
       Pri Phone #= 1234
       Sec Phone #=

                    Press ENTER to Confirm or ESC to Cancel:
 


 

Field             Description
Tunneling Mode    Select the mode of Layer 2 Tunneling Protocol (L2TP, configured in Menu 10). Choices are None, Direct or Proxy.
Endpoint Index    The index number of the corresponding tunnel endpoint profile in Menu 10.

Table 1-1 SMT Menu 11.1 - Remote Profile L2TP fields
 

Direct mode

In Direct mode you use two Prestiges directly to implement L2TP as illustrated.

Figure 1-4 Prestiges in Direct mode

The LAC (home or branch office Prestige) can log in to the ISP with the SUA feature enabled, and when traffic needs to reach the corporate IPX (NetWare) server, a tunnel will be created to the LNS. The LNS needs to have a static IP address on the Internet, because when the LAC tries to set up a tunnel to the corporate network it needs to know the LNS's IP address. In the above example, the LAC must enter the IP address of the LNS. For the LNS, however, the LAC's IP address could be dynamically assigned each time a call is made to the ISP, so the IP address entered in the LNS's endpoint profile is irrelevant and any value can be used. The LNS will accept the tunnel setup request from any IP address as long as My Host Name and Shared Secret are correct; since the source address is not checked, the Shared Secret is what protects the LNS from unauthorised tunnel setup requests, so choose it accordingly.

The relevant SMT menus are as follows. Four tunnel endpoint profiles can be defined in Menu 10.
 


Menu 10 - Tunnel Endpoint Setup

1. ________
2. ________
3. ________
4. ________

Enter Node # to Edit:

Figure 1-6 Menu 10 - Tunnel Endpoint Setup

Selecting one endpoint profile takes you to the following menu.
 


    Menu 10.1 - Tunnel Endpoint Profile

      Endpoint Name= ?
      Active= Yes
      My Host Name= ?
      Peer Host Name= ?
      shared Secret= ********
      IP Address= ?

     Press ENTER to Confirm or ESC to Cancel:
 

Figure 1-7 Menu 10.1 Tunnel Endpoint Profile
 
 

Field             Description
Endpoint Name     Identifies the far end of the desired tunnel (the realm or domain name that is searched for in the endpoint table).
Active            Select Yes to activate this endpoint node.
My Host Name      The name of this Prestige for L2TP tunnel authentication.
Peer Host Name    The name of the peer at the far end of the tunnel.
Shared Secret     This password must be the same on both endpoints.
IP Address        The IP address of the far end. A receiving L2TP endpoint must have a fixed, globally unique IP address.

Table 1-2 Tunnel Endpoint Profile Fields
 

Proxy Mode

If outgoing calls are allowed and there is an idle phone line, a LAC can place a call on behalf of the LNS. In this scenario, the LAC acts as a proxy for the LNS.


Figure 1-8 Prestige in Proxy mode.

For the LNS, choose Proxy for Tunneling Mode in menu 11.1. The menu 10.1 entries are the same as described above.

4.2.2. Incoming Call

An incoming L2TP call to an LNS is handled in exactly the same way as a PSTN call.

4.3. Prestige as LAC

Endpoint Name in Menu 10.1 is the key setting for the LAC for both incoming and outgoing calls.

4.3.1. Incoming Call

For calls to a LAC, the long form of NAI (Network Access Identifier) is used. The NAI is in the form of username@realm, where realm is typically a domain name, e.g., john@zyxel.com. The domain name is the key in the search of the endpoint. The LAC will search for the Endpoint Name in its endpoint table to know whether to create a tunnel or not. If there is a matching domain name in the LAC's endpoint table, then the LAC handles this as a request for Internet tunneling.
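The LAC's realm lookup described above, together with the LNS's acceptance rule from the Direct mode discussion in 4.2.1 (host name and Shared Secret are checked, the source IP is not), modelled in Python as an added example; this is not Prestige firmware code. The table entries, host names, addresses and secret are constructed sample values, and the case-insensitive realm match and the comparison of the caller's host name against the profile's Peer Host Name are assumptions about how the endpoint table is consulted.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelEndpoint:
    """One Menu 10.1 Tunnel Endpoint Profile; field names follow the manual."""
    endpoint_name: str   # realm (domain name) the LAC searches for
    active: bool
    my_host_name: str    # this Prestige's name for L2TP tunnel authentication
    peer_host_name: str  # the far end's name
    shared_secret: str   # must be identical on both endpoints
    ip_address: str      # far end; a receiving endpoint needs a fixed address


# Constructed sample tables (hypothetical names, addresses and secrets).
LAC_TABLE = [  # branch office Prestige acting as LAC
    TunnelEndpoint("zyxel.com", True, "branch-lac", "corp-lns", "s3cret", "203.0.113.10"),
    TunnelEndpoint("example.net", False, "branch-lac", "other-lns", "x", "198.51.100.5"),
]
LNS_PROFILE = TunnelEndpoint(  # corporate Prestige acting as LNS; IP Address is irrelevant
    "zyxel.com", True, "corp-lns", "branch-lac", "s3cret", "0.0.0.0")


def lac_route_call(nai, table):
    """LAC side (4.3.1): split the long-form NAI username@realm and search the
    endpoint table by realm. Returns the endpoint to tunnel to, or None for
    ordinary Internet access (no realm, unknown realm, or inactive profile)."""
    if "@" not in nai:
        return None
    _user, realm = nai.rsplit("@", 1)
    for ep in table:
        # Assumption: realm matched case-insensitively, as DNS names are.
        if ep.active and ep.endpoint_name.lower() == realm.lower():
            return ep
    return None


def lns_accept_tunnel(profile, caller_host_name, caller_secret, src_ip):
    """LNS side (4.2.1, Direct mode): accept a tunnel setup request from any
    source IP as long as the caller's host name and Shared Secret match the
    profile. src_ip is deliberately not consulted (the LAC may be dynamic)."""
    if not profile.active:
        return False
    name_ok = caller_host_name == profile.peer_host_name
    # Constant-time comparison so the secret check does not leak timing.
    secret_ok = hmac.compare_digest(caller_secret.encode(), profile.shared_secret.encode())
    return name_ok and secret_ok


if __name__ == "__main__":
    ep = lac_route_call("john@zyxel.com", LAC_TABLE)
    print("tunnel to", ep.ip_address if ep else "none (plain Internet access)")
    print("LNS accepts:", lns_accept_tunnel(LNS_PROFILE, "branch-lac", "s3cret", "198.51.100.77"))
```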

4.3.2. Outgoing Call

If outgoing calls are allowed and there is an idle phone line, a LAC can place a call on behalf of the LNS. In this scenario, the LAC acts as a proxy for the LNS.

L2TP provides authentication (of the tunnel endpoints through the Shared Secret, and of the user through PPP authentication) but does not encrypt data as it travels across the Internet. The IETF's IPSec protocol operates at layer 3 (network layer) to provide encryption for various tunneling protocols, including L2TP.


All contents copyright 1999 ZyXEL Communications Corporation.