8/18/2019 HUAWEI AR G3 Series Enterprise Routers L2TP Feature White Paper
Huawei AR G3 Series Enterprise Routers V200R002C01
L2TP Feature White Paper
Issue 01
Date 2012-05-10
HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 (2012-05-10) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com/en/
Contents
1 Introduction to L2TP
2 References
3 Principles
3.1 L2TP Implementation
3.2 L2TP Tunnel Establishment
3.3 L2TP Features
4 Applications
4.1 Typical L2TP Scenarios
1 Introduction to L2TP
Definition
The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dial-up Network (VPDN)
tunneling protocol.
VPDN allows enterprise users, small-scale ISPs, and mobile office users to access the Internet
over a public network (for example, an ISDN or a PSTN) using the dialup function.
VPDN uses a tunneling protocol to establish secure VPNs for enterprises over a public
network. Branches and traveling staff remotely access the headquarters over tunnels on a public network.
VPDN uses the following tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F)
Layer 2 Tunneling Protocol (L2TP)
L2TP is defined by the Internet Engineering Task Force (IETF). It combines the advantages of
L2F and PPTP, and is considered an industry standard. Among VPDN tunneling protocols, L2TP is the most widely used.
Purpose
The Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting
multiprotocol packets across point-to-point links. When PPP runs between a user device and a
network access server (NAS), the Layer 2 termination point and the PPP session endpoint reside on the same physical device, for example, the NAS.
L2TP, defined in RFC 2661, transmits PPP packets over a tunnel. L2TP extends the PPP
model because L2TP allows the Layer 2 termination point (LAC) and PPP session endpoint
(LNS) to reside on different devices on a packet switched network. This enables PPP sessions to be transmitted over the IP network.
Benefits
L2TP brings in the following benefits:
Enables enterprise branches to connect to the enterprise headquarters.
Enables mobile office personnel to access the enterprise headquarters.
2 References
The following table lists the references of this document.
Document No.   Description
RFC 2661       Layer Two Tunneling Protocol "L2TP"
3 Principles
About This Chapter
3.1 L2TP Implementation
3.2 L2TP Tunnel Establishment
3.3 L2TP Features
3.1 L2TP Implementation
LAC
An L2TP Access Concentrator (LAC) provides PPP and L2TP processing capabilities on the
packet switched network. The LAC establishes an L2TP connection with the L2TP network
server (LNS) based on the user name or domain name in PPP packets so that PPP frames can be transmitted to the LNS.
An LAC can establish different L2TP tunnels to isolate data flows. That is, multiple VPDN connections can be set up on the LAC.
An LAC transmits data between the LNS and the PPP terminal. The LAC encapsulates data received from the PPP terminal in L2TP and sends it to the LNS, and decapsulates data received from the LNS and sends it to the PPP terminal.
LNS
PPP sessions are initiated by user devices and received by the LNS. After being authenticated by the LNS, remote users set up PPP sessions with the LNS and can access resources in the enterprise headquarters. As the other endpoint of an L2TP tunnel, the LNS is the peer device of the LAC and sets up the L2TP tunnel with it. Additionally, the LNS is the logical termination point of a PPP session; therefore, the PPP client (user device) and the LNS establish a virtual point-to-point link.
The LNS is located at the border between the headquarters' private network and the public network, and is often used as the gateway of the enterprise headquarters. In addition, the LNS provides the network address translation (NAT) function to translate private IP addresses on the enterprise headquarters network into public IP addresses.
Control Message and Data Message
L2TP uses the following messages:
Control messages: used to set up and maintain tunnels and session connections and to control packet transmission. Control messages are transmitted over a reliable channel, which supports flow control and congestion management.
Data messages: used to encapsulate PPP frames over a tunnel. Data messages are transmitted over an unreliable channel without flow control, retransmission, or congestion management.
Control messages and data messages use the same packet header. The L2TP header contains a tunnel ID and a session ID, which identify the tunnel and the session respectively. Packets with the same tunnel ID but different session IDs are transmitted over the same tunnel. The tunnel ID and session ID are allocated by the LNS.
L2TP Architecture
Figure 3-1 shows the relationship between the PPP frame, control channel, and data channel. PPP frames are transmitted over an unreliable data channel, and control messages are transmitted over a reliable L2TP control channel.
Figure 3-1 L2TP architecture
(figure: across the packet transmission network, L2TP data messages carry PPP frames on the unreliable L2TP data channel, and L2TP control messages travel on the reliable L2TP control channel)
Figure 3-2 shows the encapsulation format of an L2TP data packet transmitted between the LAC and the LNS. L2TP data packets are usually encapsulated in UDP packets. The well-known UDP port for L2TP is 1701, which is used only in the initial stage of tunnel setup. The L2TP tunnel initiator randomly selects an idle port (which may not be port 1701) and sends packets to port 1701 of the receiver. After receiving the packets, the receiver randomly selects an idle port (which may not be port 1701) and sends packets to the port chosen by the sender. Both ends use the selected ports to communicate until the tunnel is disconnected.
Figure 3-2 L2TP packet encapsulation format
Field   New IP Header | UDP Header | L2TP Header | PPP Header | Original IP Header | Data
Size    20 bytes      | 8 bytes    | 16 bytes    | 2 bytes    | 20 bytes           | variable
Tunnel and Session
Two types of connections are available between an LNS and an LAC:
Tunnel: set up between an LNS and an LAC.
Session: carried over a tunnel and represents one PPP session over the tunnel.
Multiple L2TP tunnels can be set up between an LNS and an LAC. A tunnel consists of a control connection and one or more sessions. A session can be set up only after a tunnel has been created successfully. Tunnel setup involves identity authentication and the exchange of information such as the L2TP version, frame type, and hardware transfer type. A session corresponds to one PPP data stream between the LAC and the LNS.
Both control messages and data messages are transmitted over tunnels. L2TP uses Hello packets to verify tunnel connectivity. The LAC and LNS periodically send Hello packets to each other. If no response packet is received within a certain period of time, the tunnel is torn down.
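The header layout of Figure 3-2 and the tunnel ID, session ID and Hello handling described above can be checked in code. The following Python parser is an added example, not code from the white paper or from Huawei; it implements the RFC 2661 header and the Message Type AVP, and the two sample datagrams it builds are constructed for illustration.

```python
# Added example, not from the white paper: parse the RFC 2661 L2TP header of Figure 3-2
# (e.g. to sanity-check traffic on UDP port 1701). Sample datagrams below are constructed.
import struct
from dataclasses import dataclass
from typing import Optional

# Control message types carried in the Message Type AVP (RFC 2661 section 6).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}


@dataclass
class L2TPHeader:
    is_control: bool       # T bit: control message (tunnel/session setup, Hello)
    tunnel_id: int         # identifies the tunnel
    session_id: int        # identifies the PPP session inside the tunnel
    length: Optional[int]  # present when the L bit is set (mandatory for control)
    ns: Optional[int]      # sequence numbers, present when the S bit is set
    nr: Optional[int]
    header_len: int        # bytes consumed, including any offset padding
    payload: bytes         # AVPs (control) or the PPP frame (data)


def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Parse one L2TP datagram (the UDP payload); raise ValueError when malformed."""
    def take(pos: int, fmt: str):
        if pos + struct.calcsize(fmt) > len(datagram):
            raise ValueError("datagram truncated inside the L2TP header")
        return struct.unpack_from(fmt, datagram, pos)

    flags = take(0, "!H")[0]
    t_bit, l_bit = bool(flags & 0x8000), bool(flags & 0x4000)
    s_bit, o_bit, p_bit = bool(flags & 0x0800), bool(flags & 0x0200), bool(flags & 0x0100)
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    # RFC 2661: control messages MUST set L and S and MUST clear O and P.
    if t_bit and not (l_bit and s_bit and not o_bit and not p_bit):
        raise ValueError("control message with illegal flag combination")
    pos, length = 2, None
    if l_bit:
        length = take(pos, "!H")[0]
        pos += 2
        if not 6 <= length <= len(datagram):
            raise ValueError("length field disagrees with datagram size")
    tunnel_id, session_id = take(pos, "!HH")
    pos += 4
    ns = nr = None
    if s_bit:
        ns, nr = take(pos, "!HH")
        pos += 4
    if o_bit:
        pos += 2 + take(pos, "!H")[0]  # skip the offset size field and the offset pad
    end = length if length is not None else len(datagram)
    if pos > end:
        raise ValueError("header runs past the declared length")
    return L2TPHeader(t_bit, tunnel_id, session_id, length, ns, nr, pos, datagram[pos:end])


def control_message_name(hdr: L2TPHeader) -> str:
    """Name a control message from its first AVP, which RFC 2661 requires to be Message Type."""
    if not hdr.is_control or len(hdr.payload) < 8:
        raise ValueError("not a control message carrying a Message Type AVP")
    avp_flags, vendor_id, attr_type, msg_type = struct.unpack_from("!HHHH", hdr.payload, 0)
    if avp_flags & 0x4000 or (avp_flags & 0x03FF) != 8 or vendor_id or attr_type:
        raise ValueError("first AVP is not an unhidden Message Type AVP")
    return MESSAGE_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)


# Constructed samples: an SCCRQ (tunnel setup; tunnel ID 0 until the peer assigns one) and a
# data message with the full 16-byte header of Figure 3-2 carrying a PPP frame (protocol 0x0021, IP).
SCCRQ = struct.pack("!HHHHHH", 0xC802, 20, 0, 0, 0, 0) + struct.pack("!HHHH", 0x8008, 0, 0, 1)
DATA = struct.pack("!HHHHHHH", 0x4A02, 22, 7, 9, 3, 5, 2) + b"\x00\x00" + b"\x00\x21\x45\x00\x00\x14"
```

A datagram whose T bit is set without the L and S bits (or with O or P set) is rejected, which is the check a collector should apply before trusting the tunnel and session IDs it sees on port 1701.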
3.2 L2TP Tunnel Establishment
Figure 3-3 shows a typical L2TP network.
Figure 3-3 Typical L2TP network
(figure: PPP client PCs reach the LAC over ISDN or PPPoE; the LAC and the LNS at the headquarters each have an AAA server (RADIUS) and are joined across the Internet by an L2TP tunnel, forming the VPDN)
Figure 3-4 shows the L2TP call setup procedure.
Figure 3-4 L2TP call setup procedure
(figure: message sequence between the remote user PC over PSTN/ISDN, the LAC with its AAA server (RADIUS), and the LNS with its AAA server (RADIUS) at the headquarters across the Internet: (1) call setup, (2) PPP LCP setup, (3) PAP/CHAP authentication, (4) access request and (5) access accept at the LAC's RADIUS server, (6) tunnel establish, (7) session establish, (8) PPP negotiation parameters, (9) access request and (10) access accept at the LNS's RADIUS server, (11) optional mandatory CHAP, (12) access request and (13) access accept, (14) assign internal IP address, (15) successful communication)
1. The user PC initiates a call connection request.
2. The PC and the LAC perform PPP LCP negotiation.
3. The LAC authenticates the PC user using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
# Perform CHAP authentication for access users connected to LAC user-side interfaces.
system-view
[Huawei] interface serial 1/0/0
[Huawei-Serial1/0/0] link-protocol ppp
[Huawei-Serial1/0/0] ppp authentication-mode chap
4. The LAC sends authentication information including the user name and password to the RADIUS server for authentication.
5. The RADIUS server authenticates the user. If the user is authenticated, the LAC initiates a tunneling request to the LNS.
# Create an L2TP group, set L2TP tunnel parameters, authenticate the user based on the
user name, and initiate a tunneling request to the LNS at 10.1.1.1.
system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
6. The LAC initiates a tunneling request to the LNS.
7. If the tunnel needs to be authenticated, the LAC sends a CHAP challenge to the LNS. The LNS returns a CHAP response and sends its own CHAP challenge to the LAC. Accordingly, the LAC returns a CHAP response to the LNS.
# Set the same authentication parameters for the LAC and LNS. The LAC is used as an
example. The authentication password is huawei in cipher text.
system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] tunnel authentication
[Huawei-l2tp1] tunnel password cipher huawei
8. The tunnel is authenticated.
# Specify the virtual template interface VT1 that accepts the LAC connection request and configure the name of the remote tunnel end as lac.
system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac
9. The LAC sends the CHAP response, response identifier, and PPP negotiation parameters of the user to the LNS.
10. The LNS sends an access request to its RADIUS server for authentication.
11. The RADIUS server authenticates the access request and returns a response if the user is authenticated.
12. If the LNS is configured to perform mandatory CHAP authentication for the user, the LNS sends a CHAP challenge to the user and the user returns a CHAP response.
# Configure second authentication, for example, mandatory CHAP authentication, for
remote users on the LNS.
system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] mandatory-chap
13. The LNS sends an access request again to its RADIUS server for authentication.
14. The RADIUS server authenticates the access request and returns a response if the user is authenticated.
15. The LNS assigns an internal IP address to the remote user. The user can then access internal resources of the enterprise network.
# Configure the LNS virtual template interface address as the gateway address, and
import the configured address pool pool 1 to allocate IP addresses to remote users.
system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address 172.1.1.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool 1
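Step 7, the tunnel authentication that the tunnel authentication and tunnel password commands switch on, can be modelled end to end. The Python below is an added example, not Huawei's code: it uses the CHAP-style computation RFC 2661 specifies for the Challenge Response AVP (MD5 over the message type, the shared tunnel password and the peer's challenge), and the message dictionaries and secrets are constructed stand-ins for real AVPs.

```python
# Added example, not from the white paper: the CHAP-style tunnel authentication of step 7
# as RFC 2661 (section 4.4.3) defines it. Message dictionaries and secrets are constructed.
import hashlib
import hmac
import secrets

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # message type values; the response uses them as the CHAP ID


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(message type || shared secret || peer challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One end of the control connection; holds the tunnel password and the challenge it issued."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.my_challenge = b""

    def _check(self, msg_type: int, response: bytes) -> bool:
        expected = challenge_response(msg_type, self.secret, self.my_challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

    # LAC: SCCRQ carries the challenge for the LNS.
    def send_sccrq(self) -> dict:
        self.my_challenge = secrets.token_bytes(16)
        return {"type": SCCRQ, "challenge": self.my_challenge}

    # LNS: SCCRP answers the LAC's challenge and carries its own challenge for the LAC.
    def send_sccrp(self, sccrq: dict) -> dict:
        self.my_challenge = secrets.token_bytes(16)
        return {"type": SCCRP,
                "response": challenge_response(SCCRP, self.secret, sccrq["challenge"]),
                "challenge": self.my_challenge}

    # LAC: verify the LNS first, then answer its challenge in SCCCN.
    def send_scccn(self, sccrp: dict) -> dict:
        if not self._check(SCCRP, sccrp["response"]):
            raise PermissionError("LNS failed tunnel authentication")
        return {"type": SCCCN,
                "response": challenge_response(SCCCN, self.secret, sccrp["challenge"])}

    # LNS: verify the LAC; only then is the tunnel established.
    def accept_scccn(self, scccn: dict) -> bool:
        return self._check(SCCCN, scccn["response"])


def establish_tunnel(lac_secret: bytes, lns_secret: bytes) -> bool:
    """Run the three-message exchange; True only if both ends hold the same tunnel password."""
    lac, lns = TunnelEndpoint(lac_secret), TunnelEndpoint(lns_secret)
    sccrq = lac.send_sccrq()
    sccrp = lns.send_sccrp(sccrq)
    try:
        scccn = lac.send_scccn(sccrp)
    except PermissionError:
        return False
    return lns.accept_scccn(scccn)


if __name__ == "__main__":
    print("matching passwords:", establish_tunnel(b"huawei", b"huawei"))   # True
    print("mismatched passwords:", establish_tunnel(b"huawei", b"other"))  # False
```

The exchange proves only that both ends hold the same tunnel password; it does not protect the PPP payload, which is why section 3.3 pairs L2TP with IPSec where confidentiality is required.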
3.3 L2TP Features
Flexible identity authentication and high security
L2TP does not provide its own security mechanisms, but it allows PPP authentication such as CHAP and PAP and has all the security features of PPP. L2TP can be combined with IPSec to ensure data security, so that L2TP data is difficult to intercept. If high security is required, you can use tunnel encryption, end-to-end data encryption, and end-to-end application-layer data encryption technologies together with L2TP.
Multi-protocol transmission
L2TP transmits PPP frames, which can encapsulate packets of multiple network layer protocols.
RADIUS server authentication
The LAC and LNS can send the user name and password of a remote user to a RADIUS server for authentication. The RADIUS server receives user authentication requests and completes authentication.
Internal address allocation
An LNS can dynamically allocate and manage private addresses to remote users (see
RFC 1918). This facilitates address management and improves security.
Flexible accounting
Accounting can be performed on the LAC and LNS simultaneously. The LAC on the ISP side generates bills, and the LNS as the enterprise gateway charges and audits fees. L2TP can provide accounting data such as statistics on incoming and outgoing traffic and connection start and end times, allowing flexible accounting.
Reliability
L2TP supports LNS backup. When the primary LNS is unreachable, an LAC can establish a new connection with a secondary LNS. This enhances the reliability and fault tolerance of VPN services.
4 Applications
About This Chapter
4.1 Typical L2TP Scenarios
4.1 Typical L2TP Scenarios
L2TP is used in the following scenarios:
NAS-Initialized
Client-Initialized
LAC-Auto-Initiated
Multi-domain Access
NAS-Initialized
As shown in Figure 4-1, the LAC (NAS) initiates an L2TP tunnel setup request. A remote user
connects to the LAC using PPP, and the LAC sends a tunnel setup request to the LNS through
the Internet. Private addresses are assigned to dialup users by the LNS. The LAC or LNS performs authentication and accounting for remote users. The AR router can function as the
gateway of the enterprise headquarters and branch and provides PPP client and LNS services.
Figure 4-1 NAS-Initiated
(figure: a remote user at the branch connects to the LAC (NAS), which has its own RADIUS server; an L2TP tunnel across the Internet reaches the LNS and its RADIUS server at the headquarters)
# Configure the AR used as the LNS to respond to the L2TP setup request initiated by the
LAC.
system-view
[Huawei] l2tp-group 1
[Huawei-l2tp1] allow l2tp virtual-template 1 remote lac
Client-Initialized
As shown in Figure 4-2, a remote user terminal supporting L2TP initiates an L2TP tunnel
setup request after obtaining the Internet access right. The remote user terminal functions as
the LAC and the private address is assigned by the LNS. In the client-initiated scenario, the AR functions as the LNS and is deployed on the enterprise headquarters gateway.
Figure 4-2 Client-Initialized
(figure: the remote user terminal acts as the LAC; an L2TP tunnel across the Internet reaches the LNS and its RADIUS server at the headquarters)
The client-initialized mode has the following features:
Users must install L2TP dialup software on their PCs. PCs running Windows can use the built-in VPN dialup software.
Users can access the network in multiple ways and can access the Internet without
authentication.
An L2TP tunnel is set up between the client and the LNS, and each such tunnel can carry only one L2TP session.
IPSec can be used for encryption and authentication in scenarios demanding high security.
LAC-Auto-Initiated
Remote users must use PPPoE or ISDN to connect to the LAC. The LAC sends a tunnel setup
request to the LNS only after remote users connect to the LAC. As shown in Figure 4-3, a virtual PPP user is created on the LAC. The LAC performs virtual dialup, sends a tunnel setup request to the LNS, and sets up an L2TP tunnel for the virtual PPP user. When remote users access the internal network connected to the LNS, the LAC forwards their data over the L2TP tunnel. In addition to a dialup connection, any IP-based connection can exist between the remote system and the LAC. The AR functions as the LAC and is deployed on the enterprise branch gateway.
Figure 4-3 Connecting to the LAC directly
(figure: the LAC at the branch sets up an L2TP tunnel across the Internet to the LNS and its RADIUS server at the headquarters)
# Configure the AR used as the LAC to send an L2TP tunnel setup request to the LNS at 10.1.1.1. The user name is user1.
system-view
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ip address ppp-negotiate
[Huawei-Virtual-Template1] ppp pap local-user user1 password simple huawei
[Huawei-Virtual-Template1] l2tp-auto-client enable
[Huawei-Virtual-Template1] quit
[Huawei] l2tp-group 1
[Huawei-l2tp1] start l2tp ip 10.1.1.1 fullusername user1
Multi-domain Access
As shown in Figure 4-4, different enterprise branches are allowed to access only limited resources of the enterprise headquarters. The headquarters provides access services for branch staff and establishes VPDN connections with the branches using L2TP. The LAC
distinguishes users based on domain names, which facilitates VPDN user management. Each branch uses a separate L2TP tunnel and obtains private addresses on a different network segment.
Because source and destination addresses are allocated by the headquarters, you can configure
an ACL on the headquarters to manage access rights of branches.
Figure 4-4 NAS-Initiated
(figure: Branch A and Branch B PCs connect over PPPoE to the LAC on GE2/0/0 and GE3/0/0; the LAC's GE1/0/0 202.1.1.2/24 reaches the LNS's GE1/0/0 202.1.1.1/24 over two tunnels, L2TP Group 1 (lac1 to lns, terminating on VT1 10.1.1.1/24) and L2TP Group 2 (lac2 to lns, terminating on VT2 10.2.1.1/24); in the headquarters, Department A PC3 10.3.1.2/24 sits behind the LNS's GE2/0/0 10.3.1.1/24 and Department B PC4 10.4.1.2/24 behind GE3/0/0 10.4.1.1/24)
# Configure the AR used as the LAC.
#
sysname LAC
#
l2tp enable
#
aaa
authentication-scheme huawei
domain aaa.com
authentication-scheme huawei
domain bbb.com
authentication-scheme huawei
local-user [email protected] password +Q4Z3D_*-N[Q=^Q`MAF4
ppp authentication-mode pap
#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet3/0/0
pppoe-server bind Virtual-Template 2
#
l2tp-group 1
tunnel password simple huawei
tunnel name lac1
start l2tp ip 202.1.1.1 domain aaa.com
#
l2tp-group 2
tunnel password simple huawei
tunnel name lac2
start l2tp ip 202.1.1.1 domain bbb.com
#
return
# Configure the AR used as the LNS.
#
sysname LNS
#
l2tp enable
#
ip pool 1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa
authentication-scheme huawei
domain aaa.com
authentication-scheme huawei
domain bbb.com
authentication-scheme huawei
local-user [email protected] password +Q4Z3D_*-N[Q=^Q`MAF4
remote address pool 2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 10.4.1.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote lac1
tunnel password simple huawei
tunnel name lns
#
l2tp-group 2
allow l2tp virtual-template 2 remote lac2
tunnel password simple huawei
tunnel name lns
#
return