Trademarks
ii 303532-A Rev 00
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821
Copyright © 1998 Bay Networks, Inc. All rights reserved. Printed in the USA. October 1998. The information in this document is subject to change without notice. The statements, configurations, te...
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYIN...
Contents
Preface
Before You Begin xiii
Text Conventions xiv
Acr...
Appendix B Configuration Examples
Example 1: Remote PC Calling the Corporate Network B-1
Configuring the Remote Hosts B-2
Configuring the LACs and the...
Figures
Figure 1-1. L2TP Network Using a LAC 1-7
Figure 1-2. L2TP Network Using a RAS 1-7
Figure 1-3. Packet Encapsulation Process ...
Tables
Table C-1. Common L2TP Network Problems and Solutions C-1
Preface
This guide describes Layer 2 Tunneling Protocol (L2TP) and what you do to start and customize L2TP services on a Bay Networks router.
Before You Begin
Before using this guide, you must complete the following procedures. For a new router:
• Install the router (refer to ...
Text Conventions
This guide uses the following text conventions:
bold text: Indicates text that you need to enter and command names and options. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.
italic text: Indicates file and directo...
Acronyms
CHAP Challenge Handshake Authentication Protocol
IP Internet Protocol
ISDN Integrated Services Digital Network
ISP Internet Service Provider
L2TP Layer 2 Tunneling Protocol
LAC L2TP access concentrator
LAN local area network
LCP Link Control Protocol
LNS L2TP netw...
Bay Networks Technical Publications
You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the Bay Networks product for which you need documentation. Then lo...
Chapter 1 L2TP Overview
The Layer 2 Tunneling Protocol (L2TP) provides remote users, such as telecommuters, mobile professionals, and personnel in remote branch offices, with dial-in access to a corporate network. L2TP enables users to create a virtual private network (VPN), whic...
L2TP Benefits
L2TP has several advantages:
• Users and businesses can take advantage of existing network equipment and resources. Corporations do not need to maintain and manage remote access servers and other special networking equipment for remote user...
Multiple users can communicate through a single tunnel between the same LAC and LNS pair. Each user transmits and receives data in an individual L2TP session. The LAC brings down the tunnel for any one of the following reasons:
• A network failure occurs.
• The LAC ...
Components of an L2TP Network
The following sections describe the components of an L2TP network. For illustrations of L2TP networks, see Figures 1-1 and 1-2 on page 1-7.
Remote Host
At the remote site is the user who wants to dial in to the corporate ne...
L2TP Access Concentrator (LAC)
The L2TP access concentrator (LAC) resides at the ISP network. The LAC establishes the L2TP tunnel between itself and the LNS. When the remote user places a call to the ISP network, this call goes to the LAC. The LAC then negotiates th...
L2TP Network Server (LNS)
The L2TP network server (LNS) is a router that resides at the corporate network and serves as the termination point for L2TP tunnels and sessions. The LNS authenticates the PPP connection request and allows the end-to-end PPP tu...
Examples of L2TP Networks
Figure 1-1 shows an L2TP network that uses a LAC to connect to the LNS. The tunnel is between the LAC and the LNS.
Figure 1-1. L2TP Network Using a LAC
Figure 1-2 shows an L2TP network that uses a RAS to connect to the LNS. The tunnel is be...
L2TP Packet Encapsulation
The PC or router at the remote site sends PPP packets to the LAC. The LAC encapsulates each incoming PPP packet in an L2TP packet and sends it across an IP network through a bidirectional tunnel. After the LNS receives the packets...
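The encapsulation step above is the part a practitioner most often has to inspect on the wire, so the following encoder and decoder for the L2TP header that the LAC prepends to each PPP frame is included here as an added example. It is not code from the Bay Networks guide or its software; the header layout (T, L, S, O and P bits, version 2, Tunnel ID, Session ID, optional Ns/Nr and Offset) follows RFC 2661, the UDP port is the one registered for L2TP, and the PPP frame, tunnel ID and session ID are constructed for the demonstration. The decoder enforces the rules a receiver must check before trusting the payload: a Length field that exceeds the datagram, and a control message without the L and S bits or with an Offset, are rejected rather than parsed.

```python
"""Encode and decode the L2TP (RFC 2661) header that wraps each PPP frame.

Added example, not code from the Bay Networks guide. The PPP frame below is
constructed for illustration; tunnel and session IDs are arbitrary.
"""
import struct

L2TP_UDP_PORT = 1701                                 # L2TP runs over UDP (RFC 2661)
F_TYPE, F_LENGTH, F_SEQ = 0x8000, 0x4000, 0x0800     # T, L, S bits of the flags word
F_OFFSET, F_PRIORITY, VER_MASK = 0x0200, 0x0100, 0x000F

# Constructed PPP frame: HDLC address/control (ff 03), protocol 0x0021 (IP),
# followed by a dummy 20-byte payload standing in for an IP packet.
PPP_FRAME = bytes.fromhex("ff030021") + bytes(20)


def build_l2tp(payload, tunnel_id, session_id, *, control=False,
               ns=None, nr=None, offset=None, priority=False):
    """Return the L2TP datagram carrying `payload`.

    Control messages (T=1) must carry Length and Ns/Nr and must not carry
    an Offset; data messages may carry any of them.  Length is always emitted.
    """
    flags = 2                                        # Ver field = 2 (L2TPv2)
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        if offset is not None:
            raise ValueError("control messages must not carry Offset")
        flags |= F_TYPE
    if ns is not None and nr is not None:
        flags |= F_SEQ
    if offset is not None:
        flags |= F_OFFSET
    if priority:
        flags |= F_PRIORITY
    flags |= F_LENGTH
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & F_SEQ:
        body += struct.pack("!HH", ns, nr)
    if flags & F_OFFSET:
        body += struct.pack("!H", offset) + bytes(offset)   # Offset Size + pad
    length = 4 + len(body) + len(payload)            # flags(2) + length(2) + rest
    return struct.pack("!HH", flags, length) + body + payload


def parse_l2tp(datagram):
    """Decode an L2TP datagram, enforcing the RFC 2661 header rules.

    Raises ValueError on truncation or an illegal flag combination so that a
    receiver never reads payload bytes the header does not actually cover.
    """
    def need(pos, n):
        if pos + n > len(datagram):
            raise ValueError("truncated L2TP header")

    need(0, 2)
    flags = struct.unpack_from("!H", datagram, 0)[0]
    if flags & VER_MASK != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    control = bool(flags & F_TYPE)
    if control and (not flags & F_LENGTH or not flags & F_SEQ or flags & F_OFFSET):
        raise ValueError("malformed control message header")
    pos, end = 2, len(datagram)
    if flags & F_LENGTH:
        need(pos, 2)
        end = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2
        if end > len(datagram) or end < 8:
            raise ValueError("Length field does not match datagram")
    need(pos, 4)
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4
    ns = nr = None
    if flags & F_SEQ:
        need(pos, 4)
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    if flags & F_OFFSET:
        need(pos, 2)
        pos += 2 + struct.unpack_from("!H", datagram, pos)[0]
    if pos > end:
        raise ValueError("header runs past end of datagram")
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "priority": bool(flags & F_PRIORITY),
            "payload": datagram[pos:end]}


def header_error(datagram):
    """Return the parse error for `datagram`, or None if it is well formed."""
    try:
        parse_l2tp(datagram)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    pkt = build_l2tp(PPP_FRAME, tunnel_id=7, session_id=3, ns=1, nr=0)
    print("data packet:", pkt.hex())
    print(parse_l2tp(pkt))
```

The Tunnel ID and Session ID are what the LNS uses to map a datagram to a user session; they are carried in the clear and, absent IPsec, are the only thing tying a datagram to its tunnel, which is why the Length and flag checks above matter on an LNS that is reachable from the Internet.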
Making a Connection Across an L2TP Network
The following steps explain how a remote user connects across an L2TP network that includes a Bay Networks LAC, TMS, and LNS (see Figure 1-1 on page 1-7):
1. The remote user dials a LAC at the local ISP network to establis...
Security in an L2TP Network
You can configure two layers of security in an L2TP network:
• Tunnel authentication. When a tunnel is set up, the LNS challenges the LAC to prove that it holds the configured tunnel authentication password, so only a LAC that knows the password can establish a tunnel to the LNS.
• User authentication. The net...
Bay Networks L2TP Implementation
In an L2TP network, the Bay Networks router is the LNS. LNS software operates on the BLN, BCN, and ASN platforms. The Bay Networks LNS has the following characteristics:
• Each slot can act as an LNS, which means that one ro...
Tunnel Management
The Bay Networks tunnel management server (TMS), which resides at the ISP network, stores the TMS database. This database contains the remote users’ domain name, the IP address information of each LNS, and other tunnel addressing infor...
You can enable tunnel authentication on the Bay Networks LNS. If tunnel authentication is disabled, which is the default, the LNS sends a default challenge response to the LAC during the authentication process so that the tunnel can be established; in that state the LNS does not verify the identity of the LAC that is bringing up the tunnel. The LNS cannot s...
After tunnel authentication is complete, it does not need to be repeated for other calls to the same LAC: later calls become sessions within the already authenticated tunnel.
RADIUS User Authentication
RADIUS user authentication is enabled by default on the Bay Networks LNS; you must configure this feature so that the LN...
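The exchange the LNS has with its RADIUS server once it has the user name and password is worth seeing end to end, because the shared secret configured as the RADIUS server password on the LNS is what protects it. The following is an added example and not code from the Bay Networks guide or its software: it builds an Access-Request the way RFC 2865 specifies (User-Name, a User-Password hidden with MD5 over the shared secret and the Request Authenticator, NAS-IP-Address), lets a minimal server recover the password and answer, and has the LNS side verify the Response Authenticator before believing the answer. The user database, secret, identifier and addresses are constructed; the names `authenticate`, `server_reply` and `verify_reply` are this example's own.

```python
"""RADIUS Access-Request / Access-Accept exchange between an LNS and its server.

Added example, not code from the Bay Networks guide. Packet formats follow
RFC 2865. The shared secret (the guide's "RADIUS Primary Server Password"),
user database and addresses below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")     # Code, Identifier, Length; 16-byte Authenticator follows

USERS = {"alice": b"correct horse", "bob": b"hunter2"}   # constructed user database
SECRET = b"example-shared-secret"                        # constructed shared secret


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def _parse_attrs(data):
    pos, out = 0, {}
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        out[atype] = data[pos + 2:pos + alen]
        pos += alen
    return out


def hide_password(password, secret, authenticator):
    """User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it."""
    if len(hidden) % 16:
        raise ValueError("hidden password is not a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\0")


def build_access_request(identifier, user_name, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)    # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def server_reply(request, secret, users):
    """Minimal server: check the request against `users`, return a signed Accept/Reject."""
    code, identifier, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:])
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pwd = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = name in users and hmac.compare_digest(users[name], pwd)
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_reply(reply, request, secret):
    """True only if `reply` answers `request` and was produced with `secret`."""
    if len(reply) < 20:
        return False
    _code, identifier, length = HEADER.unpack_from(reply)
    if length != len(reply) or identifier != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def authenticate(user_name, password, secret=SECRET, users=USERS, server_secret=None):
    """LNS side: send a request, verify the reply; returns 'accept', 'reject' or 'forged'."""
    request = build_access_request(0x2A, user_name, password.encode(), secret, "192.0.2.1")
    reply = server_reply(request, secret if server_secret is None else server_secret, users)
    if not verify_reply(reply, request, secret):
        return "forged"                        # wrong secret or tampered reply: do not trust it
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

The `server_secret` parameter only exists so the example can show what a mismatched or guessed secret looks like from the LNS: the reply's Response Authenticator fails to verify, and the LNS must treat the user as not authenticated rather than read the Code field.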
RADIUS Accounting
The RADIUS server can provide accounting services in addition to its authentication services. RADIUS accounting is enabled by default on the Bay Networks LNS. The RADIUS accounting server calculates billing charges for an L2TP session between the ...
Remote Router Configuration
If the host at the remote site is a Bay Networks router, you may need to configure a dial-on-demand circuit for the remote router’s dial-up interface to the LAC at the ISP network. Enable RIP on both the dial-on-demand circui...
Where to Go Next
Go to one of the following chapters for more information:
To start L2TP on a router using default parameter settings, go to Chapter 2.
To change default settings for L2TP parameters, go to Chapter 3.
To obtain information about Site Manager parameter...
Chapter 2 Starting L2TP
The quickest way to start L2TP is to enable it with the default configuration that Bay Networks software supplies. This configuration uses all available parameter defaults. You need to supply values for several parameters that do not have default values. T...
Planning Considerations for an L2TP Network
This guide primarily explains how to configure a Bay Networks BLN, BCN, or ASN router as an LNS in an L2TP network. To successfully operate in an L2TP network, obtain the following information to configure the ...
Preparing a Configuration File
Before starting L2TP, you must create and save a configuration file with at least one WAN interface, for example, a synchronous or MCT1 port. For information about the Site Manager configuration tool and how to work with configuration ...
Enabling L2TP on an Existing PPP Interface
To enable L2TP on an interface with PPP and IP already enabled, complete the following tasks:
11. Click on OK.
12. Click on Done. You return to the Configuration Manager window.
Site Manager Procedure (You do this / System res...
Enabling L2TP on an Existing Frame Relay Interface
To enable L2TP on an interface with frame relay and IP already enabled, complete the following tasks:
Site Manager Procedure (You do this / System responds)
1. In the Configuration Manager window, choose a WAN connector...
Enabling L2TP on an Existing ATM Interface
To enable L2TP on an interface with ATM and IP already enabled, you can enable L2TP in two ways. If your interface uses a COM connector, complete the tasks in the following table. If your interface uses an ATM connector, go...
Chapter 3 Customizing L2TP Services
When you enable L2TP, default values are in effect for most parameters (see parameter descriptions in Appendix A, “L2TP Parameters”). You may want to change some of these values, depending on the requirements of your network. This chapter in...
Modifying the L2TP Protocol Configuration
To modify how data is transmitted across an L2TP network, such as the number, frequency, and timing of data and acknowledgment packets exchanged between the LNS and LAC, you can modify the L2TP protocol parameter...
Modifying RADIUS Server Information
If you change the address of the RADIUS server that you are using to authenticate remote users and manage accounting functions, you must update the server address information on the LNS. For more information about usin...
Changing the LNS System Name
The LNS system name is the name of the router. This name is used during tunnel setup to identify the LNS uniquely. By default, Site Manager enters the system name that you initially configured when first accessing the router....
Modifying the Number of L2TP Sessions Permitted
You can modify the maximum number of active L2TP sessions that the LNS can manage. The default is 100 sessions. For more information about L2TP sessions, see “L2TP Sessions” on page 1-3. To change the ma...
Keeping the Remote User’s Domain Name
By default, the LNS removes the domain name from the complete user name before passing it on to the RADIUS server for user authentication. To keep the domain name with the user name, complete the following tasks:
Sit...
Changing the Domain Name Delimiter
In the complete user name, a single-character delimiter separates the user name from the domain name. By default, the LNS removes the domain name when it receives a call. The delimiter tells the LNS which c...
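The two preceding sections (keeping the domain name, and changing the delimiter) decide what identity the RADIUS server actually sees, and that has a consequence worth checking: with Remove Domain Name enabled, two users from different domains who share a user name collapse into one RADIUS identity. The following added example, not code from the Bay Networks guide or its software, models that derivation. It assumes the complete user name has the form user, delimiter, domain, with the domain after the delimiter, and uses '@' as the delimiter for illustration; the guide's own default delimiter is not reproduced here, and the function names are this example's own.

```python
"""How the LNS derives the RADIUS User-Name from the complete user name.

Added example, not code from the Bay Networks guide. Assumes the complete
user name is user<delimiter>domain and that '@' is the delimiter; both are
assumptions made for this demonstration.
"""


def split_user_name(full_name, delimiter="@"):
    """Return (user, domain); domain is None when the delimiter is absent.

    Splits at the first occurrence of the delimiter (an assumption of this
    example) and rejects names with an empty user or domain part.
    """
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    user, sep, domain = full_name.partition(delimiter)
    if not sep:
        return full_name, None
    if not user or not domain:
        raise ValueError("empty user or domain in %r" % full_name)
    return user, domain


def radius_user_name(full_name, delimiter="@", remove_domain=True):
    """Name the LNS passes to RADIUS.

    With Remove Domain Name enabled (the default) only the user part is sent;
    with it disabled the complete user name is sent unchanged.  A name that
    does not contain the delimiter is passed through as-is in both cases.
    """
    user, _domain = split_user_name(full_name, delimiter)
    return user if remove_domain else full_name


def radius_names_collide(full_names, delimiter="@", remove_domain=True):
    """True if two distinct complete user names map to the same RADIUS User-Name.

    Run this over the user names the LACs will forward before relying on
    RADIUS to keep users from different domains apart.
    """
    seen = {}
    for name in full_names:
        key = radius_user_name(name, delimiter, remove_domain)
        if key in seen and seen[key] != name:
            return True
        seen[key] = name
    return False


if __name__ == "__main__":
    names = ["alice@corp.example", "alice@partner.example", "bob@corp.example"]
    for remove in (True, False):
        print("remove_domain=%s:" % remove,
              [radius_user_name(n, remove_domain=remove) for n in names],
              "collide" if radius_names_collide(names, remove_domain=remove) else "distinct")
```

If the LNS terminates tunnels for more than one domain, either disable Remove Domain Name so the RADIUS entries carry the domain, or make sure the RADIUS user database is scoped to a single domain; the collision check above makes the mistake visible before a user from one domain authenticates as a same-named user from another.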
Enabling Tunnel Authentication
To prevent unauthorized LACs from establishing tunnels into the corporate network, you can enable tunnel authentication. During tunnel negotiation, the LAC proves to the LNS that it holds the tunnel authentication password by answering the LNS’s challenge; the password itself is not sent. If the password is not recogn...
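The challenge exchange described here and on page 1-13 (where the guide notes that with authentication disabled, the default, the LNS sends a default challenge response so the tunnel comes up regardless) is simulated below as an added example; it is not code from the Bay Networks guide or its software. The three messages (SCCRQ, SCCRP, SCCCN) and the CHAP-style response, MD5 over the message type byte, the shared tunnel password and the peer's challenge, follow RFC 2661; the host names, passwords and the fixed placeholder used to stand in for the guide's "default challenge response" are this example's assumptions. The last two cases in the usage show why the default is dangerous: with authentication disabled on both ends any LAC gets a tunnel, and an LNS that has it enabled refuses a LAC that does not. Note also that tunnel authentication only proves possession of the password at setup time; it does not encrypt or integrity-protect the PPP frames carried in the tunnel afterwards.

```python
"""Simulated L2TP tunnel authentication between a LAC and an LNS.

Added example, not code from the Bay Networks guide or its software. The
exchange and the CHAP-style response follow RFC 2661; host names and
passwords are made up. A peer created with password=None models the guide's
default (authentication disabled): it never challenges and answers any
challenge with a fixed placeholder response.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3          # RFC 2661 control message types
PLACEHOLDER_RESPONSE = bytes(16)       # stands in for the "default challenge response"


def challenge_response(msg_type, secret, challenge):
    """Challenge Response AVP value: MD5(message type || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelPeer:
    def __init__(self, hostname, password=None, rng=os.urandom):
        self.hostname = hostname
        self.secret = None if password is None else password.encode()
        self.rng = rng                 # injectable so a run can be made reproducible
        self.sent_challenge = None

    def _challenge(self):
        """Only a peer with authentication enabled challenges the other side."""
        if self.secret is None:
            return None
        self.sent_challenge = self.rng(16)
        return self.sent_challenge

    def _respond(self, msg_type, challenge):
        if challenge is None:
            return None
        if self.secret is None:
            return PLACEHOLDER_RESPONSE
        return challenge_response(msg_type, self.secret, challenge)

    def _verify(self, msg_type, response):
        if self.sent_challenge is None:
            return True                # we never challenged, so there is nothing to check
        if response is None:
            return False
        expected = challenge_response(msg_type, self.secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)

    # LAC side of the exchange
    def sccrq(self):
        return {"type": SCCRQ, "host": self.hostname, "challenge": self._challenge()}

    def scccn(self, sccrp):
        if not self._verify(SCCRP, sccrp["response"]):
            raise PermissionError("LNS failed the LAC's challenge")
        return {"type": SCCCN, "response": self._respond(SCCCN, sccrp["challenge"])}

    # LNS side of the exchange
    def sccrp(self, sccrq):
        return {"type": SCCRP, "host": self.hostname,
                "response": self._respond(SCCRP, sccrq["challenge"]),
                "challenge": self._challenge()}

    def accept(self, scccn):
        if not self._verify(SCCCN, scccn["response"]):
            raise PermissionError("LAC failed the LNS's challenge")
        return True


def establish_tunnel(lac, lns):
    """Run the three-message setup; return (established, reason)."""
    try:
        sccrp = lns.sccrp(lac.sccrq())
        lns.accept(lac.scccn(sccrp))
        return True, "tunnel established"
    except PermissionError as exc:
        return False, str(exc)         # a real peer would answer with StopCCN


if __name__ == "__main__":
    for lac_pw, lns_pw in [("t0pSecret", "t0pSecret"), ("wrong", "t0pSecret"),
                           (None, None), (None, "t0pSecret")]:
        print(lac_pw, lns_pw, establish_tunnel(TunnelPeer("lac1", lac_pw), TunnelPeer("lns1", lns_pw)))
```

Because the response is an unkeyed MD5 over a password of at most 40 characters, anyone who captures one SCCRQ/SCCRP pair can run an offline guess against it; choose the tunnel authentication password accordingly and do not reuse it as the RADIUS secret.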
Modifying L2TP IP Interface Addresses
The L2TP IP Interface List window lists the L2TP IP interface addresses for each slot that has L2TP configured. The LNS uses the addresses internally to identify the remote sites. For more information about the L2TP ...
Disabling RIP
RIP is enabled on the LNS by default so that the LNS can learn routes from the remote dial-in router. If the LNS does not require RIP support (for example, when the remote hosts are PCs rather than routers), disable it so that the LNS does not accept route advertisements over the L2TP interface. To disable RIP, complete the following tasks:
Disabling L2TP
To disable L2TP...
Deleting L2TP from a PPP Interface
To delete L2TP from a PPP interface, complete the following tasks:
6. Set the Enable L2TP parameter to Disable. Click on Help or see the parameter description on page A-3. Site Manager disables L2TP for the slot.
7. C...
Deleting L2TP from a Frame Relay Interface
To delete L2TP from a frame relay interface, complete the following tasks:
Site Manager Procedure (You do this / System responds)
1. In the Configuration Manager window, click on a WAN connector configured with L2T...
Deleting L2TP from an ATM Interface
To delete L2TP from an ATM interface on a COM connector, complete the following tasks:
To delete L2TP from an ATM interface on an ATM connector, complete the following tasks:
Site Manager Procedure (You do this / System ...
The Technician Interface allows you to modify parameters by issuing set and commit commands with the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access...
Parameter: Enable L2TP
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Enables or disables L2TP on this interface.
Instructions: Site Manager automatically sets this parameter...
Parameter: Retransmit Timer (seconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 1
Options: 1 to 60 seconds
Function: Indicates the number of seconds that the LNS waits for an acknowledgment from the LAC...
Parameter: Ack Timeout (milliseconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 250
Options: 1 to 350 milliseconds
Function: Specifies the maximum number of milliseconds that can elapse before the LNS sends an ac...
Parameter: RADIUS Primary Server Password
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any alphanumeric string, up to a maximum of 64 characters
Function: Specifies the primary RADIUS server’...
Parameter: Remove Domain Name
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Instructs the router whether to remove the domain name from the complete user name before RADIUS ...
L2TP Tunnel Security Parameters
The L2TP Tunnel Security List window (Figure A-2) contains the tunnel authentication parameters.
Figure A-2. L2TP Tunnel Security List Window
The parameter descriptions follow.
Parameter: Enable Tunnel Authentication
Path: Configuration Manager > Protocols > IP > L2TP > Tunnel Authentication
Default: Disable
Options: Enable | Disable
Function: Enables or disables the use of tunnel authentication for a slot on the LNS. Tunnel ...
L2TP IP Interface Parameters
The L2TP IP Interface List window (Figure A-3) contains the list of IP interfaces for each slot on the router configured with L2TP.
Figure A-3. L2TP IP Interface List Window
When you click on Change, Site Manager displays th...
The parameter descriptions follow.
Parameter: L2TP IP Interface Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: None
Options: Any unique IP address
Function: Specifies the IP address that identifies the L2TP IP...
Parameter: RIP Enable
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: Enable
Options: Enable | Disable
Function: Specifies whether RIP Listen is enabled on this interface. See Configuring IP Services for more...
Appendix B Configuration Examples
This appendix provides two examples of L2TP network configurations. It includes only those parameters that require changes from their default settings for proper configuration. For instructions on modifying parameters, see Chapter 3, “Customizing...
Figure B-1. L2TP Network with PCs at the Remote Site
Configuring the Remote Hosts
The remote hosts in this network are two PCs running Windows 95. Neither PC has internal L2TP capabilities. In this network, one PC has a synchronous dial connection to the...
Configuring the LACs and the TMS
The LACs in this network are Model 5399 Remote Access Concentrators. Both devices have L2TP modules installed. See Model 5399 Remote Access Concentrator documentation for information about configuring L2TP. The LACs use the ...
6. In the L2TP Tunneling Security window, enable tunnel authentication.
7. In the L2TP IP Interface window, enter the L2TP IP address.
During the L2TP session, the RADIUS server assigns the following IP addresses: [email protected]: 192.32.40.1 mmark...
Example 2: Remote Router Calling the Corporate Network
Figure B-2 shows a network with two BayStack AN routers at the remote site. The AN routers are using dial-on-demand service for dial-up connections. In this network, note the following:
• PPP is the ...
Configuring the Dial-on-Demand Circuit
Modify the dial-on-demand circuit configuration for the AN routers as follows:
1. In the Configuration Manager window, choose Dialup > Demand Circuits > Demand Pools > PPP Circuits > PPP Demand Circuits ...
Appendix C Troubleshooting
To monitor your L2TP network and solve problems that may occur, first check the event log file for any messages recorded by the LNS. For information about viewing and reading event messages, see Event Messages for Routers and Configuring and Managing Ro...