

Huawei AR G3 Series Enterprise Routers V200R002C01

L2TP Feature White Paper

Issue 01

Date 2012-05-10

HUAWEI TECHNOLOGIES CO., LTD.


Issue 01 (2012-05-10) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd. i

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com/en/


Contents

1 Introduction to L2TP
2 References
3 Principles
3.1 L2TP Implementation
3.2 L2TP Tunnel Establishment
3.3 L2TP Features
4 Applications
4.1 Typical L2TP Scenarios


1 Introduction to L2TP

Definition

The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dial-up Network (VPDN) tunneling protocol.

VPDN allows enterprise users, small-scale ISPs, and mobile office users to access the Internet over a public network (for example, an ISDN or a PSTN) using the dialup function.

VPDN uses a tunneling protocol to establish secure VPNs for enterprises over a public network. Branches and traveling staff remotely access the headquarters over tunnels on a public network.

VPDN uses the following tunneling protocols:

- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)

L2TP is defined by the Internet Engineering Task Force (IETF). It combines the advantages of L2F and PPTP and is considered an industry standard. Among VPDN tunneling protocols, L2TP is widely used.

Purpose

The Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting multiprotocol packets across point-to-point links. When PPP runs between a user device and a network access server (NAS), the Layer 2 termination point and the PPP session endpoint reside on the same physical device, for example, the NAS.

L2TP, defined in RFC 2661, transmits PPP packets over a tunnel. L2TP extends the PPP model by allowing the Layer 2 termination point (LAC) and the PPP session endpoint (LNS) to reside on different devices on a packet-switched network. This enables PPP sessions to be transmitted over an IP network.

Benefits

L2TP brings the following benefits:

- Enables enterprise branches to connect to the enterprise headquarters.
- Enables mobile office personnel to access the enterprise headquarters.


2 References

The following table lists the references of this document.

Document No. | Description
RFC 2661 | Layer Two Tunneling Protocol "L2TP"


3 Principles

About This Chapter

3.1 L2TP Implementation

3.2 L2TP Tunnel Establishment

3.3 L2TP Features

3.1 L2TP Implementation

LAC

An L2TP Access Concentrator (LAC) provides PPP and L2TP processing capabilities on the packet-switched network. The LAC establishes an L2TP connection with the L2TP Network Server (LNS) based on the user name or domain name in PPP packets so that PPP frames can be transmitted to the LNS.

An LAC can establish different L2TP tunnels to isolate data flows. That is, multiple VPDN connections can be set up on the LAC.

An LAC transmits data between the LNS and the PPP terminal. The LAC encapsulates data received from the PPP terminal in L2TP and sends it to the LNS, and decapsulates the data received from the LNS and sends it to the PPP terminal.

LNS

PPP sessions are initiated by user devices and received by the LNS. After being authenticated by the LNS, remote users successfully set up PPP sessions with the LNS and can access resources in the enterprise headquarters. As the other endpoint of an L2TP tunnel, the LNS is a peer device of the LAC and sets up an L2TP tunnel with the LAC. Additionally, the LNS is the logical termination point of a PPP session; therefore, the PPP client (user device) and the LNS establish a virtual point-to-point link.

The LNS is located at the border between the headquarters' private network and the public network, and is often used as the gateway of the enterprise headquarters. In addition, the LNS provides the network address translation (NAT) function to translate private IP addresses on the enterprise headquarters network into public IP addresses.


Control Message and Data Message

L2TP uses the following messages:

- Control messages: used to set up and maintain tunnels and session connections and to control packet transmission. Control messages are transmitted over a reliable channel, which supports flow control and congestion management.
- Data messages: used to encapsulate PPP frames over a tunnel. Data messages are transmitted over an unreliable channel without flow control, retransmission, or congestion management.

The control message and data message use the same packet header. The L2TP header contains a tunnel ID and a session ID, which identify the tunnel and the session respectively. Packets with the same tunnel ID but different session IDs are transmitted over the same tunnel. The tunnel ID and session ID are allocated by the LNS.

L2TP Architecture

Figure 3-1 shows the relationship between the PPP frame, control channel, and data channel. PPP frames are transmitted over an unreliable data channel, and control messages are transmitted over a reliable L2TP control channel.

Figure 3-1 L2TP architecture (diagram: across the packet transmission network, PPP frames travel in L2TP data messages over the unreliable L2TP data channel, and L2TP control messages travel over the reliable L2TP control channel)

Figure 3-2 shows the encapsulation format of an L2TP data packet transmitted between the LAC and the LNS. L2TP data packets are often encapsulated into UDP packets. The well-known UDP port for L2TP is 1701, which is used only in the initial stage of tunnel setup. The L2TP tunnel initiator randomly selects an idle port (which may not be port 1701) and sends packets to port 1701 of the receiver. After receiving the packets, the receiver randomly selects an idle port (which may not be port 1701) and sends packets to the user-defined port of the sender. Both ends use the selected ports to communicate until the tunnel is disconnected.

Figure 3-2 L2TP packet encapsulation format (diagram, left to right: New IP Header (20 bytes) | UDP Header (8 bytes) | L2TP Header (16 bytes) | PPP Header (2 bytes) | Original IP Header (20 bytes) | Data)
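To make the header fields described above concrete, here is an added example (not code from the white paper or from Huawei) that decodes the L2TPv2 header of RFC 2661 from a UDP payload: the T bit that separates control from data messages, the tunnel ID and session ID, and the optional Length and Ns/Nr fields. The two sample datagrams are constructed by hand; the header length the parser computes follows the optional fields that are actually present. A receiver that trusts the Length or Offset Size fields without checking them against the datagram size can be made to read past the buffer, so every field is bounds-checked and the RFC's flag rules for control messages are enforced.

```python
"""Decode the L2TPv2 header (RFC 2661, section 3.1) carried in a UDP datagram.

Added example for this section; it is not code from the Huawei white paper.
The sample datagrams are constructed by hand below.
"""
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701   # well-known port, only relied on while the tunnel is set up
L2TP_VERSION = 2

# Bits of the first 16-bit word of the header
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present
S_BIT = 0x0800   # Ns/Nr sequence numbers present
O_BIT = 0x0200   # Offset Size field present
P_BIT = 0x0100   # Priority (data messages only)
VER_MASK = 0x000F


@dataclass
class L2TPHeader:
    is_control: bool
    tunnel_id: int
    session_id: int
    length: Optional[int]
    ns: Optional[int]
    nr: Optional[int]
    payload_offset: int   # where the PPP frame (data) or the AVP list (control) starts


def _u16(dgram: bytes, off: int) -> int:
    """Read a big-endian 16-bit field, refusing to read past the datagram."""
    if off + 2 > len(dgram):
        raise ValueError("truncated L2TP header")
    return struct.unpack_from("!H", dgram, off)[0]


def parse_l2tp_header(dgram: bytes) -> L2TPHeader:
    """Decode the header and enforce RFC 2661's flag and length rules.

    Every optional field is bounds-checked so that a Length or Offset Size
    value larger than the datagram is rejected instead of indexing past it.
    """
    flags = _u16(dgram, 0)
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    is_control = bool(flags & T_BIT)
    if is_control and (not flags & L_BIT or not flags & S_BIT
                       or flags & O_BIT or flags & P_BIT):
        # Control messages MUST set L and S and MUST NOT set O or P.
        raise ValueError("control message with illegal flag combination")
    off = 2
    length = None
    if flags & L_BIT:
        length = _u16(dgram, off)
        off += 2
        if length > len(dgram):
            raise ValueError("Length field exceeds datagram size")
    tunnel_id = _u16(dgram, off)
    session_id = _u16(dgram, off + 2)
    off += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = _u16(dgram, off), _u16(dgram, off + 2)
        off += 4
    if flags & O_BIT:
        off += 2 + _u16(dgram, off)   # skip the field and the padding it announces
    limit = length if length is not None else len(dgram)
    if off > limit:
        raise ValueError("header runs past the end of the message")
    return L2TPHeader(is_control, tunnel_id, session_id, length, ns, nr, off)


def is_well_formed(dgram: bytes) -> bool:
    """Convenience wrapper for filters that only need accept/reject."""
    try:
        parse_l2tp_header(dgram)
        return True
    except ValueError:
        return False


def build_l2tp_header(is_control: bool, tunnel_id: int, session_id: int,
                      payload: bytes, ns: int = 0, nr: int = 0) -> bytes:
    """Encode a header with the Length field; control messages also carry Ns/Nr."""
    flags = L2TP_VERSION | L_BIT
    if is_control:
        flags |= T_BIT | S_BIT
        ids = struct.pack("!HHHH", tunnel_id, session_id, ns, nr)
    else:
        ids = struct.pack("!HH", tunnel_id, session_id)
    return struct.pack("!HH", flags, 4 + len(ids) + len(payload)) + ids + payload


# Constructed samples: a control message sent before any tunnel ID is assigned
# (tunnel 0, as in an SCCRQ), and a data message on tunnel 4660, session 1,
# whose payload starts with the PPP address/control bytes and the IP protocol ID.
SAMPLE_CONTROL = build_l2tp_header(True, 0, 0, b"", ns=0, nr=0)
SAMPLE_DATA = build_l2tp_header(False, 4660, 1, b"\xff\x03\x00\x21" + b"\x45" * 20)

if __name__ == "__main__":
    for name, dgram in (("control", SAMPLE_CONTROL), ("data", SAMPLE_DATA)):
        print(name, parse_l2tp_header(dgram))
```

Run as a script it prints the decoded header of both samples. The `payload_offset` it returns is what a demultiplexer would use to hand the PPP frame to the session identified by the tunnel ID and session ID pair; `is_well_formed` is the shape a packet filter or IDS pre-check would take.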

Tunnel and Session

Two types of connections are available between an LNS and an LAC:


- Tunnel: set up between an LNS and an LAC.
- Session: transmitted over a tunnel and represents a PPP session over the tunnel.

Multiple L2TP tunnels can be set up between an LNS and an LAC. A tunnel consists of a control connection and one or more sessions. A session can be set up only after a tunnel is created successfully. Tunnel setup involves identity protection and the exchange of information such as the L2TP version, frame type, and hardware transfer type. A session corresponds to one PPP data stream between the LAC and the LNS.

Both control messages and data messages are transmitted over tunnels. L2TP uses Hello packets to verify tunnel connectivity. The LAC and LNS periodically send Hello packets to each other. If no response packet is received within a certain period of time, the tunnel is torn down.

3.2 L2TP Tunnel Establishment

Figure 3-3 shows a typical L2TP network.

Figure 3-3 Typical L2TP network (diagram: PPP clients (PCs) dial in over ISDN/PPPoE to the LAC, which has an AAA server (RADIUS); an L2TP tunnel crosses the Internet (VPDN) to the LNS at the headquarters, which has its own AAA server (RADIUS))

Figure 3-4 shows the L2TP call setup procedure.


Figure 3-4 L2TP call setup procedure (diagram: remote user PC, LAC with its AAA server (RADIUS), Internet, LNS with its AAA server (RADIUS), headquarters; PSTN/ISDN between the PC and the LAC; steps (1) call setup, (2) PPP LCP setup, (3) PAP/CHAP authentication, (4) access request and (5) access accept between the LAC and its RADIUS server, (6) tunnel establish, (7) session establish, (8) PPP negotiation parameters, (9)/(12) access request and (10)/(13) access accept between the LNS and its RADIUS server, (11) (optional) mandatory CHAP, (14) assign internal IP address, (15) successful communication)

1. The user PC initiates a call connection request.

2. The PC and the LAC perform PPP LCP negotiation.

3. The LAC authenticates the PC user using the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP).

# Perform CHAP authentication for access users connected to LAC user-side interfaces.
<Huawei> system-view
[Huawei] interface serial 1/0/0
[Huawei-Serial1/0/0] link-protocol ppp
[Huawei-Serial1/0/0] ppp authentication-mode chap

4. The LAC sends authentication information, including the user name and password, to the RADIUS server for authentication.

5. The RADIUS server authenticates the user. If the user is authenticated, the LAC initiates a tunneling request to the LNS.

# Create an L2TP group, set L2TP tunnel parameters, authenticate the user based on the user name, and initiate a tunneling request to the LNS at 10.1.1.1.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1

6. The LAC initiates a tunneling request to the LNS.


7. If the tunnel needs to be authenticated, the LAC sends a CHAP challenge to the LNS. The LNS returns a CHAP response and sends its own CHAP challenge to the LAC. Accordingly, the LAC returns a CHAP response to the LNS.

# Set the same authentication parameters on the LAC and LNS. The LAC is used as an example. The authentication password is huawei in cipher text.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] tunnel authentication
[Huawei-l2tp1] tunnel password cipher huawei

8. The tunnel is authenticated.

# Specify the virtual template interface VT1 that accepts the LAC connection request and configure the name of the remote tunnel end as lac.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac

9. The LAC sends the CHAP response, response identifier, and PPP negotiation parameters of the user to the LNS.

10. The LNS sends an access request to its RADIUS server for authentication.

11. The RADIUS server authenticates the access request and returns a response if the user is authenticated.

12. If the LNS is configured to perform mandatory CHAP authentication for the user, the LNS sends a CHAP challenge to the user and the user returns a CHAP response.

# Configure a second authentication, for example mandatory CHAP authentication, for remote users on the LNS.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] mandatory-chap

13. The LNS sends an access request again to its RADIUS server for authentication.

14. The RADIUS server authenticates the access request and returns a response if the user needs to be authenticated.

15. The LNS assigns an internal IP address to the remote user. The user can then access internal resources of the enterprise network.

# Configure the LNS virtual template interface address as the gateway address, and import the configured address pool 1 to allocate IP addresses to remote users.
<Huawei> system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address 172.1.1.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool 1
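Steps 7 and 8 of the procedure above are the tunnel authentication that `tunnel authentication` and `tunnel password` switch on. The following is an added example, not Huawei code, that models that exchange as RFC 2661 section 5.1.1 defines it: the LAC puts a challenge in its SCCRQ, the LNS answers in its SCCRP and adds a challenge of its own, and the LAC answers in its SCCCN. Each response is MD5 over the message type byte, the shared secret and the challenge, so an answer captured from one message cannot be replayed as the other. The shared secret stands in for the configured tunnel password; challenges default to random bytes but can be supplied so a run is reproducible.

```python
"""Model the L2TP tunnel authentication handshake of RFC 2661, section 5.1.1.

Added example for steps 7 and 8 above; it is not Huawei code. The shared
secret plays the role of the `tunnel password` configured on the LAC and
the LNS. Challenges default to os.urandom but can be supplied so a run is
reproducible; the message type values are those RFC 2661 assigns.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SCCRQ, SCCRP, SCCCN = 1, 2, 3   # control message types carrying the exchange


def chap_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661: Response = MD5(Message Type byte || shared secret || Challenge).

    Binding the message type into the hash stops a peer from replaying the
    response it received (typed SCCRP) as its own answer (typed SCCCN).
    """
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One tunnel end: it issues a challenge and checks the peer's response to it."""

    def __init__(self, name: str, secret: bytes, challenge: Optional[bytes] = None):
        self.name = name
        self.secret = secret
        self.challenge = challenge if challenge is not None else os.urandom(16)
        self.peer_challenge: Optional[bytes] = None

    def answer(self, msg_type: int) -> bytes:
        """Answer the peer's challenge, typed with the message the answer rides in."""
        if self.peer_challenge is None:
            raise RuntimeError(f"{self.name}: no peer challenge received yet")
        return chap_response(msg_type, self.secret, self.peer_challenge)

    def verify(self, msg_type: int, response: bytes) -> bool:
        """Check a response against our own challenge using a constant-time compare."""
        expected = chap_response(msg_type, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def run_tunnel_auth(lac_secret: bytes, lns_secret: bytes,
                    lac_challenge: Optional[bytes] = None,
                    lns_challenge: Optional[bytes] = None) -> Tuple[bool, List[str]]:
    """Play SCCRQ -> SCCRP -> SCCCN between an LAC and an LNS.

    Returns whether the control connection came up and a log of the exchange.
    A mismatch on either side ends in StopCCN, which is what the tunnel
    authentication step in the white paper guards against.
    """
    lac = TunnelEndpoint("LAC", lac_secret, lac_challenge)
    lns = TunnelEndpoint("LNS", lns_secret, lns_challenge)
    log: List[str] = []

    # (1) SCCRQ, LAC -> LNS: carries the LAC's challenge.
    lns.peer_challenge = lac.challenge
    log.append(f"SCCRQ LAC->LNS challenge={lac.challenge.hex()}")

    # (2) SCCRP, LNS -> LAC: the LNS answers (typed SCCRP) and sends its own challenge.
    sccrp = lns.answer(SCCRP)
    lac.peer_challenge = lns.challenge
    log.append(f"SCCRP LNS->LAC response={sccrp.hex()} challenge={lns.challenge.hex()}")
    if not lac.verify(SCCRP, sccrp):
        log.append("StopCCN LAC->LNS: LNS failed tunnel authentication")
        return False, log

    # (3) SCCCN, LAC -> LNS: the LAC answers the LNS challenge (typed SCCCN).
    scccn = lac.answer(SCCCN)
    log.append(f"SCCCN LAC->LNS response={scccn.hex()}")
    if not lns.verify(SCCCN, scccn):
        log.append("StopCCN LNS->LAC: LAC failed tunnel authentication")
        return False, log

    log.append("tunnel control connection established")
    return True, log


if __name__ == "__main__":
    # Constructed secrets: matching on both ends, then a mismatch on the LNS.
    for lns_secret in (b"huawei", b"wrong-secret"):
        up, trace = run_tunnel_auth(b"huawei", lns_secret)
        print("\n".join(trace), "\n-> tunnel up:", up, "\n")
```

Two points follow from the model. First, this exchange authenticates only the two tunnel endpoints to each other at control-connection setup; it does not protect the PPP frames carried afterwards, which is why the feature list below pairs L2TP with IPSec when confidentiality is required. Second, the secret is all that separates an authorized peer from any host that can reach UDP port 1701, so the `simple` form used in the configuration examples further down, which keeps the password in clear text in the configuration file, deserves the `cipher` form shown in step 7 on a production device.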

3.3 L2TP Features

Flexible identity authentication and high security

L2TP does not provide security mechanisms of its own, but it allows PPP authentication such as CHAP and PAP and inherits all the security features of PPP. L2TP can be integrated with IPSec to ensure data security, which makes L2TP data difficult to intercept. If high security is required, you can use tunnel encryption, end-to-end data encryption, and end-to-end application-layer data encryption technologies together with L2TP.


Multi-protocol transmission

L2TP transmits PPP frames, which can encapsulate packets of multiple network layer protocols.

RADIUS server authentication

The LAC and LNS can send the user name and password of a remote user to a RADIUS server for authentication. The RADIUS server receives user authentication requests and completes authentication.

Internal address allocation

An LNS can dynamically allocate and manage private addresses (see RFC 1918) for remote users. This facilitates address management and improves security.

Flexible accounting

Accounting can be performed on the LAC and LNS simultaneously. The LAC on the ISP side generates bills, and the LNS as the enterprise gateway charges and audits fees. L2TP can provide accounting data such as statistics on incoming and outgoing traffic and connection start and end times, allowing flexible accounting.

Reliability

L2TP supports LNS backup. When the primary LNS is unreachable, an LAC can establish a new connection with a secondary LNS. This enhances the reliability and fault tolerance of VPN services.


4 Applications

About This Chapter

4.1 Typical L2TP Scenarios

4.1 Typical L2TP Scenarios

L2TP is used in the following scenarios:

- NAS-Initialized
- Client-Initialized
- LAC-Auto-Initiated
- Multi-domain Access

NAS-Initialized

As shown in Figure 4-1, the LAC (NAS) initiates an L2TP tunnel setup request. A remote user connects to the LAC using PPP, and the LAC sends a tunnel setup request to the LNS through the Internet. Private addresses are assigned to dialup users by the LNS. The LAC or LNS performs authentication and accounting for remote users. The AR router can function as the gateway of the enterprise headquarters and branch and provide PPP client and LNS services.


Figure 4-1 NAS-Initiated (diagram: a remote user dials in to the LAC (NAS) at the branch; an L2TP tunnel crosses the Internet to the LNS at the headquarters; a RADIUS server is attached to each of the LAC and the LNS)

# Configure the AR used as the LNS to respond to the L2TP setup request initiated by the LAC.
<Huawei> system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac

Client-Initialized

As shown in Figure 4-2, a remote user terminal supporting L2TP initiates an L2TP tunnel setup request after obtaining Internet access. The remote user terminal functions as the LAC, and the private address is assigned by the LNS. In the client-initiated scenario, the AR functions as the LNS and is deployed as the enterprise headquarters gateway.

Figure 4-2 Client-Initialized (diagram: the remote user (LAC) sets up an L2TP tunnel across the Internet to the LNS at the headquarters, which has a RADIUS server)

The client-initialized mode has the following features:


- Users must install L2TP dialup software on their PCs. PCs running Windows can use the built-in VPN dialup software.
- Users can access the network in multiple ways and can access the Internet without authentication.
- An L2TP tunnel is set up between the client and the LNS, and an L2TP tunnel can carry only one L2TP session.
- IPSec can be used for encryption and authentication in scenarios demanding high security.

LAC-Auto-Initiated

Remote users must use PPPoE or ISDN to connect to the LAC. The LAC sends a tunnel setup request to the LNS only after remote users connect to the LAC. As shown in Figure 4-3, a virtual PPP user is created on the LAC. The LAC performs virtual dialup, sends a tunnel setup request to the LNS, and sets up an L2TP tunnel for the virtual PPP user. When remote users access the internal network connected to the LNS, the LAC forwards their data over the L2TP tunnel. In addition to a dialup connection, any IP-based connection can exist between the remote system and the LAC. The AR functions as the LAC and is deployed as the enterprise branch gateway.

Figure 4-3 Connecting to the LAC directly (diagram: the branch LAC sets up an L2TP tunnel across the Internet to the LNS at the headquarters, which has a RADIUS server)

# Configure the AR used as the LAC to send an L2TP tunnel setup request to the LNS at 10.1.1.1. The user name is user1.
<Huawei> system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address ppp-negotiate
[Huawei-Virtual-Template1] ppp pap local-user user1 password simple huawei
[Huawei-Virtual-Template1] l2tp-auto-client enable
[Huawei-Virtual-Template1] quit
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1


Multi-domain Access

As shown in Figure 4-4, different enterprise branches are allowed to access only limited resources of the enterprise headquarters. The headquarters provides access services for branch staff and establishes VPDN connections with the branches using L2TP. The LAC identifies users based on domain names, which facilitates VPDN user management. Each branch uses a separate L2TP tunnel and obtains private addresses on a different segment. Because source and destination addresses are allocated by the headquarters, you can configure an ACL on the headquarters to manage the access rights of branches.

Figure 4-4 NAS-Initiated (diagram: Branch A PCs (PC1 [email protected]) and Branch B PCs (PC2 [email protected]) reach the LAC over PPPoE on its GE2/0/0 and GE3/0/0 interfaces; the LAC (GE1/0/0 202.1.1.2/24) and the LNS (GE1/0/0 202.1.1.1/24) are joined by the L2TP Group1 tunnel (lac1 to lns) and the L2TP Group2 tunnel (lac2 to lns); on the LNS, VT1 10.1.1.1/24 and VT2 10.2.1.1/24 terminate the two tunnels, GE2/0/0 10.3.1.1/24 serves Department A (PC3 10.3.1.2/24) and GE3/0/0 10.4.1.1/24 serves Department B (PC4 10.4.1.2/24) at the headquarters)

# Configure the AR used as the LAC.
#
 sysname LAC
#
 l2tp enable
#
aaa
 authentication-scheme huawei
 domain aaa.com
  authentication-scheme huawei
 domain bbb.com
  authentication-scheme huawei
 local-user [email protected] password +Q4Z3D_*-N[Q=^Q`MAF4<1!!
 local-user [email protected] service-type ppp
 local-user [email protected] password +Q4Z3D_*-N[Q=^Q`AWTQ<1!!
 local-user [email protected] service-type ppp
#
interface Virtual-Template1
 ip address ppp-negotiate
 ppp authentication-mode pap
#
interface Virtual-Template2
 ip address ppp-negotiate


 ppp authentication-mode pap
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet3/0/0
 pppoe-server bind Virtual-Template 2
#
l2tp-group 1
 tunnel password simple huawei
 tunnel name lac1
 start l2tp ip 202.1.1.1 domain aaa.com
#
l2tp-group 2
 tunnel password simple huawei
 tunnel name lac2
 start l2tp ip 202.1.1.1 domain bbb.com
#
return

# Configure the AR used as the LNS.
#
 sysname LNS
#
 l2tp enable
#
ip pool 1
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
 gateway-list 10.2.1.1
 network 10.2.1.0 mask 255.255.255.0
#
aaa
 authentication-scheme huawei
 domain aaa.com
  authentication-scheme huawei
 domain bbb.com
  authentication-scheme huawei
 local-user [email protected] password +Q4Z3D_*-N[Q=^Q`MAF4<1!!
 local-user [email protected] service-type ppp
 local-user [email protected] password +Q4Z3D_*-N[Q=^Q`AWTQ<1!!
 local-user [email protected] service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template2
 ppp authentication-mode pap


 remote address pool 2
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 10.4.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1
 tunnel password simple huawei
 tunnel name lns
#
l2tp-group 2
 allow l2tp virtual-template 2 remote lac2
 tunnel password simple huawei
 tunnel name lns
#
return