SlideShare ist ein Scribd-Unternehmen logo

L2tp1

‱Als DOC, PDF herunterladen‱
‱
Shiva Krishna Chandra Shekar
Shiva Krishna Chandra Shekar
Technologie
1 von 16
Layer 2 Tunneling Protocol Introduction Layer Two Tunneling Protocol is an extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet. L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. The two main components that make up L2TP are the L2TP Access Concentrator, which is the device that physically terminates a call and the L2TP Network Server, which is the device that terminates and possibly authenticates the PPP stream. PPP defines a means of encapsulation to transmit multiprotocol packets over layer two point-to-point links. Generally, a user connects to a network access server through ISDN, ADSL, dialup POTS or other service and runs PPP over that connection. In this configuration, the L2 and PPP session endpoints are both on the same NAS. L2TP uses packet-switched network connections to make it possible for the endpoints to be located on different machines. The user has an L2 connection to an access concentrator, which then tunnels individual PPP frames to the NAS, so that the packets can be processed separately from the location of the circuit termination. This means that the connection can terminate at a local circuit concentrator, eliminating possible long- distance charges, among other benefits. From the user's point of view, there is no difference in the operation. Overview L2TP is one of the key building blocks for virtual private networks in the dial access space and is endorsed by Cisco and other internetworking industry leaders. It combines the best of Cisco's Layer 2 Forwarding protocol and Microsoft's Point-to- Point Tunneling Protocol. L2TP acts as a data link layer protocol for tunneling network traffic between two peers over an existing network usually the Internet.
It is common to carry Point-to-Point Protocol sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec. The two endpoints of an L2TP tunnel are called the LAC means L2TP Access Concentrator and the LNS means L2TP Network Server. The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this an L2TP session or call is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. The packets exchanged within an L2TP tunnel are either categorised as control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.The following sections supply additional detail about the interworkings and Cisco's implementation of L2TP. Using L2TP tunneling, an Internet Service Provider , or other access service, can create a virtual tunnel to link customer's remote sites or remote users with corporate home networks. The L2TP access concentrator located at the ISP's point of presence exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the customer's L2TP network server to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between end points of a point-to-point connection.
Fig: L2TPTunnelStructure Frames from remote users are accepted by the ISP's POP, stripped of any linked framing or transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface. Figure shows the L2TP tunnel detail and how user lsmith connects to the LNS to access the designated corporate intranet. Architecture The Layer 2 Tunnel Protocol is an emerging Internet Engineering Task Force standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding and Microsoft's Point-to-Point Tunneling Protocol. L2TP is an extension to the Point-to-Point Protocol, which is an important component for VPNs. VPNs allow users and telecommuters to connect to their corporate intranets or extranets. VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This not only reduces overhead costs associated with traditional remote access methods, but also improves flexibility and scalability. Traditional dial-up networking services only support registered IP addresses, which limits
the types of applications that are implemented over VPNs. L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infastructure, such as the Internet, modems, access servers, and ISDN terminal adapters, to be used. It also allows enterprise customers to outsource dialout support, thus reducing overhead for hardware maintenance costs and 800 number fees, and allows them to concentrate corporate gateway resources. Figure shows the L2TP architecture in a typical dial up environment. Fig:L2TP Architecture L2TP offers the same full-range spectrum of features as L2F, but offers additional functionality. A L2TP-capable home gateway will work with an existing L2F network access server and will concurrently support upgraded components running L2TP. LNSs do not require reconfiguration each time an individual LAC is upgraded from L2F to L2TP. L2F and L2TP Feature L2F L2TP
Comparison Function Flow Control No Yes AVP hiding No Yes Home gateway load sharing Yes Yes Home gateway stacking Yes Yes Home gateway primary and secondary backup Yes Yes DNS name support Yes Yes Domain name flexibility Yes Yes Idle and absolute timeout Yes Yes Multilink PPP support Yes Yes Multichassis Multilink PPP support Yes Yes
Multihop support Yes Yes Security ‱ All security benefits of PPP, including multiple per-user authentication options (CHAP, MS- CHAP, PAP). ‱ Tunnel authentication mandatory ‱ All security benefits of PPP, including multiple per user authentication options (CHAP, MS- CHAP, PAP). ‱ Tunnel authentication optional Incoming Call Sequence A VPDN connection between a remote user, a LAC at the ISP point-of-presence , and the LNS at the home LAN using an L2TP tunnel is accomplished as follows: 1. The remote user initiates a PPP connection to the ISP, using the analog telephone system or ISDN. 2. The ISP network LAC accepts the connection at the POP and the PPP link is established. 3. After the end user and LNS negotiate LCP, the LAC partially authenticates the end user with CHAP or PAP. The username, domain name, or DNIS is used to determine whether the user is a VPDN client. If the user is not a VPDN client, authentication continues, and the client will access the Internet or other contacted service. If the username is a VPDN client, the mapping will name a specific endpoint . 4. The tunnel end points, the LAC and the LNS, authenticate each other before any sessions are attempted within a tunnel. Alternatively, the LNS can accept tunnel creation without any tunnel authentication of the LAC. 5. Once the tunnel exists, an L2TP session is created for the end user.
The LAC will propagate the LCP negotiated options and the partially authenticated CHAP/PAP information to the LNS. The LNS will funnel the negotiated options and authentication information directly to the virtual access interface. If the options configured on the virtual template interface does not match the negotiated options with the LAC, the connection will fail, and a disconnect is sent to the LAC.
Fig: L2TP Incoming Call Flow
The end result is that the exchange process appears to be between the dial-up client and the remote LNS exclusively, as if no intermediary device is involved. Figure offers a pictorial account of the L2TP incoming call sequence with its own corresponding sequence numbers. Note the sequence numbers in figure 3 are not related to the sequence numbers described above. LAC AAA Tunnel Definition Lookup AAA tunnel definition look up allows the LAC to look up tunnel definitions using key words. Two new Cisco AV pairs are added to support LAC tunnel definition lookup: tunnel type and l2tp-tunnel-password. These AV pairs are configured on the Radius server. A description of the values are as follows: tunnel type—Indicates the tunnel type is either L2F or L2TP. This is an optional AV pair and if not defined, reverts to L2F, the default value. If you want to configure an L2TP tunnel, you must use the L2TP AV pair value. This command is case sensitive. l2tp-tunnel-password—This value is the secret (password) used for L2TP tunnel authentication and L2TP AV pair hiding. This is an optional AV pair value; however, if it is not defined, the secret will default to the password associated with the local name on the LAC local username-password database. This AV pair is analogous to the l2tp local secret CLI command. Configure VPDN on the L2TP Access Concentrator The LAC is a device that is typically located at a service provider's POP and initial configuration and ongoing management is done by the service provider. Use the following commands to enable VPDN on a LAC using L2TP beginning in global configuration mode: Step Command Purpose
1. vpdn enable Enables VPDN and inform the router to look for tunnel definitions from an LNS. 2. vpdn group group-number Defines a local group number identifier for which other VPDN variables can be assigned.Valid group numbers range between 1 and 3000. 3. request dialin [l2f | l2tp] ip ip-address {domain domain- name | dnis dialed-number} Enables the router to request a dial in tunnel to an IP address, if the dial in user belongs to a specific domain or the dial in user dialed a specific DNIS. Configure VPDN on a L2TP Network Server The LNS is the termination point for an L2TP tunnel. The LNS initiates outgoing calls and receives incoming calls from the LAC. To configure the LNS to initiate and receive calls, use the following commands beginning in global configuration mode: Step Command Purpose 1. vpdn enable Enables VPDN and inform the router to look for tunnel definitions from an LNS. 2. vpdn group group-number Defines a local group number identifier for which other VPDN variables can be assigned.Valid group numbers range between 1 and 3000.
3. accept dialin [l2f | l2tp | any] virtual-template virtual-template number remote remote-peer-name Allows the LNS to accept an open tunnel request from the specified remote peer, define the Layer 2 protocol to use for the tunnel, and identify the virtual template to use for cloning virtual access interfaces. At this point, you can configure the virtual template interface with configuration parameters you want applied to virtual access interfaces. A virtual template interface is a logical entity configured for a serial interface. The virtual template interface is not tied to any physical interface and is applied dynamically, as needed. Virtual access interfaces are cloned from a virtual template interface, used on demand, and then freed when no longer needed. Use the following commands to create and configure a virtual template interface beginning in global configuration mode. Step Command Purpose 1. interface virtual- template number Creates a virtual template interface, and enter interface configuration mode. 2. ip unnumbered ethernet 0 Enables IP without assigning a specific IP address on the LAN. 3. encapsulation ppp Enables PPP encapsulation on the virtual template interface, which will be applied to virtual access interfaces. 4. ppp authentication Enables PAP or CHAP authentication on the virtual
pap | chap template interface, which will be applied to virtual access interfaces. Commands accept dialin To specify the local name to use for authenticating and the virtual template to use for cloning new virtual access interfaces when an incoming L2TP tunnel connection is requested from a specific peer, use the accept dialin VPDN group command. To disable authentication and virtual template cloning, use the no form of this command. accept dialin [l2f | l2tp | any] virtual-template number [remote remote-peer- name] no accept dialin [l2f | l2tp | any] virtual-template number [remote remote- peer-name] Syntax Description l2f | l2tp | any (Optional) Indicates which Layer 2 tunnel protocol to use for a dialin tunnel. 1. l2f—Layer 2 forwarding protocol. 2. l2tp—Layer 2 tunnel protocol. 3. any—VPDN will use autodetect to determine which tunnel type to use, either l2f or l2tp. virtual-template number The virtual template interface that the new virtual access interface cloned from.
remote-peer-name (Optoinal) Case-sensitive name that the remote peer will use for identification and tunnel authentication. Default Disabled Command Mode VPDN group mode L2TP/IPsecurity Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193.The process of setting up an L2TP/IPsec VPN is as follows: 1. Negotiation of IPsec Security Association, typically through Internet Key Exchange . This is carried out over UDP port 500, and commonly uses either a shared password, public keys, or X.509 certificates on both ends, although other keying methods exist. 2. Establishment of Encapsulated Security Payload communication in transport mode. The IP Protocol number for ESP is 50. At this point, a secure channel has been established, but no tunneling is taking place.
When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints. If a firewall or packet filter is integrated into the endpoint itself, however, it will probably be necessary to open port 1701 on that endpoint.A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel. Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel. Benefits L2TP offers the following benefits: 1. Vendor interoperability. 2. Can be used as part of the wholesale access solution, which allows ISPs to the telco or service providers offer VPNs to Internet Service Providers (ISPs) and other service providers. 3. Can be operated as a client initiated VPN solution, where enterprise customers using a PC, can use the client initiated L2TP from a third party. 4. All value-added features currently available with Cisco's L2F, such as load sharing and backup support, will be available in future IOS releases of L2TP. 5. Supports Multihop, which enables Multichassis Multilink PPP in multiple home gateways. This allows you to stack home gateways so that they appear as a single entity.
Conclusion L2TP Implementation and Operation is an essential resource for anyone who works with L2TP and Virtual Private Networks. Written for developers and network managers, this book provides an overview of the protocol, a detailed explanation of L2TP architecture, a step-by-step guide to its implementation, and information on L2TP security and management. You will find useful background on the OSI model, the underlying PPP technology, how L2TP tunnels PPP, and L2TP LAC and LNS Layer 2 roles. In addition, the book contains detailed information on such topics as: L2TP deployment models, L2TP tunnel structure, terminology, and function, Protocol state machines, Tunnel authentication and initiation, Header and control message format, including AVP, Control Channel dynamics, Session setup, Proxy authentication, Data handling, including Multilink PPP, L2TP security, SNMP management of L2TP networks and Comparisons with L2F, PPTP, and other VPN technologies.
L2tp1

Empfohlen

Microsoft data access components
Microsoft data access componentsMicrosoft data access components
Microsoft data access componentsShiva Krishna Chandra Shekar
 
Ldap
LdapLdap
LdapShiva Krishna Chandra Shekar
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theorycyberleon95
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 

Empfohlen

Microsoft data access components
Microsoft data access componentsMicrosoft data access components
Microsoft data access componentsShiva Krishna Chandra Shekar
 
Ldap
LdapLdap
LdapShiva Krishna Chandra Shekar
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theorycyberleon95
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAPWildan Maulana
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
Open LDAP vs. Active Directory
Open LDAP vs. Active DirectoryOpen LDAP vs. Active Directory
Open LDAP vs. Active DirectoryAhmad Haghighi
 
Directory Servers and LDAP
Directory Servers and LDAPDirectory Servers and LDAP
Directory Servers and LDAPWildan Maulana
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
Spring Ldap
Spring LdapSpring Ldap
Spring LdapPiergiorgio Lucidi
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administrationAli Abdo
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
What is active directory
What is active directoryWhat is active directory
What is active directoryrajasekar1712
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
LDAP
LDAPLDAP
LDAPLokesh Kumar N
 
Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Serious_SamSoul
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioLDAPCon
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory TrainingNishad Sukumaran
 
70 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 04100970 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 041009Coffeyville Community College
 
server notes for beginners
server notes for beginners server notes for beginners
server notes for beginners Abhishek Maurya
 
3G Mobile Internet
3G Mobile Internet3G Mobile Internet
3G Mobile InternetErick O'Connor
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 

Weitere Àhnliche Inhalte

Was ist angesagt?

LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
Open LDAP vs. Active Directory
Open LDAP vs. Active DirectoryOpen LDAP vs. Active Directory
Open LDAP vs. Active DirectoryAhmad Haghighi
 
Directory Servers and LDAP
Directory Servers and LDAPDirectory Servers and LDAP
Directory Servers and LDAPWildan Maulana
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administrationAli Abdo
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
What is active directory
What is active directoryWhat is active directory
What is active directoryrajasekar1712
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJIDSajid khan
 
Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Serious_SamSoul
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioLDAPCon
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory TrainingNishad Sukumaran
 
server notes for beginners
server notes for beginners server notes for beginners
server notes for beginners Abhishek Maurya
 

Was ist angesagt? (20)

LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAP
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
 
Open LDAP vs. Active Directory
Open LDAP vs. Active DirectoryOpen LDAP vs. Active Directory
Open LDAP vs. Active Directory
 
Directory Servers and LDAP
Directory Servers and LDAPDirectory Servers and LDAP
Directory Servers and LDAP
 
LDAP
LDAPLDAP
LDAP
 
Spring Ldap
Spring LdapSpring Ldap
Spring Ldap
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administration
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory Services
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJID
 
Directory services by SAJID
Directory services by SAJIDDirectory services by SAJID
Directory services by SAJID
 
LDAP
LDAPLDAP
LDAP
 
Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory Studio
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory Training
 
70 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 04100970 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 041009
 
server notes for beginners
server notes for beginners server notes for beginners
server notes for beginners
 

Andere mochten auch

3G Mobile Internet
3G Mobile Internet3G Mobile Internet
3G Mobile InternetErick O'Connor
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPNetProtocol Xpert
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 

Andere mochten auch (7)

3G Mobile Internet
3G Mobile Internet3G Mobile Internet
3G Mobile Internet
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP Protocols
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
 
Chapter 2 point-to-point protocol (ppp)
Chapter 2 point-to-point protocol (ppp)Chapter 2 point-to-point protocol (ppp)
Chapter 2 point-to-point protocol (ppp)
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Remote access service
Remote access serviceRemote access service
Remote access service
 

Ähnlich wie L2tp1

L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip secZekriaMuzafar
 
Network access layer security protocol
Network access layer security protocolNetwork access layer security protocol
Network access layer security protocolKirti Ahirrao
 
VPN Using MPLS Technique
VPN Using MPLS TechniqueVPN Using MPLS Technique
VPN Using MPLS TechniqueAhmad Atta
 
Computer Networking Tasks.docx
Computer Networking Tasks.docxComputer Networking Tasks.docx
Computer Networking Tasks.docxUsamaAliLone3
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)Krishan Pareek
 
Module 1 slides
Module 1 slidesModule 1 slides
Module 1 slidesAnaniaKapala
 
Ajp notes-chapter-04
Ajp notes-chapter-04Ajp notes-chapter-04
Ajp notes-chapter-04Ankit Dubey
 
Protocols in computer network
Protocols in computer network Protocols in computer network
Protocols in computer network priya sehgal
 
Introduction to Computer Networks and Network Security.pptx
Introduction to Computer Networks and Network Security.pptxIntroduction to Computer Networks and Network Security.pptx
Introduction to Computer Networks and Network Security.pptxShehanMarasinghe1
 
Protocol implementation on NS2
Protocol implementation on NS2Protocol implementation on NS2
Protocol implementation on NS2amreshrai02
 
Networking devices
Networking devicesNetworking devices
Networking devicesrehnuma rusha
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Vpn protocols
Vpn protocolsVpn protocols
Vpn protocolsJadavsejal
 

Ähnlich wie L2tp1 (20)

F0322038042
F0322038042F0322038042
F0322038042
 
L2 tp
L2 tpL2 tp
L2 tp
 
L2 tp
L2 tpL2 tp
L2 tp
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip sec
 
Vpnppt1884
Vpnppt1884Vpnppt1884
Vpnppt1884
 
Network access layer security protocol
Network access layer security protocolNetwork access layer security protocol
Network access layer security protocol
 
VPN Using MPLS Technique
VPN Using MPLS TechniqueVPN Using MPLS Technique
VPN Using MPLS Technique
 
Computer Networking Tasks.docx
Computer Networking Tasks.docxComputer Networking Tasks.docx
Computer Networking Tasks.docx
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
Mcse question
Mcse questionMcse question
Mcse question
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)MC0087 Internal Assignment (SMU)
MC0087 Internal Assignment (SMU)
 
Module 1 slides
Module 1 slidesModule 1 slides
Module 1 slides
 
Ajp notes-chapter-04
Ajp notes-chapter-04Ajp notes-chapter-04
Ajp notes-chapter-04
 
Protocols in computer network
Protocols in computer network Protocols in computer network
Protocols in computer network
 
Introduction to Computer Networks and Network Security.pptx
Introduction to Computer Networks and Network Security.pptxIntroduction to Computer Networks and Network Security.pptx
Introduction to Computer Networks and Network Security.pptx
 
Protocol implementation on NS2
Protocol implementation on NS2Protocol implementation on NS2
Protocol implementation on NS2
 
Networking devices
Networking devicesNetworking devices
Networking devices
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Vpn protocols
Vpn protocolsVpn protocols
Vpn protocols
 

Mehr von Shiva Krishna Chandra Shekar

Mehr von Shiva Krishna Chandra Shekar (20)

Airtel final
Airtel finalAirtel final
Airtel final
 
Airtel COMPNAY
Airtel COMPNAYAirtel COMPNAY
Airtel COMPNAY
 
Ad hoc
Ad hocAd hoc
Ad hoc
 
Mobile adhoc
Mobile adhocMobile adhoc
Mobile adhoc
 
Ivrs
IvrsIvrs
Ivrs
 
Ip sec
Ip secIp sec
Ip sec
 
I pod
I podI pod
I pod
 
Internet
InternetInternet
Internet
 
Image compression
Image compressionImage compression
Image compression
 
Hyper thread technology
Hyper thread technologyHyper thread technology
Hyper thread technology
 
Raju html
Raju htmlRaju html
Raju html
 
Raju
RajuRaju
Raju
 
Dba
DbaDba
Dba
 
Di splay systems
Di splay systemsDi splay systems
Di splay systems
 
Ananth3
Ananth3Ananth3
Ananth3
 
Ppt
PptPpt
Ppt
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Ananth1
Ananth1Ananth1
Ananth1
 
Virtual instrumentation
Virtual instrumentationVirtual instrumentation
Virtual instrumentation
 
Haptic technology
Haptic technologyHaptic technology
Haptic technology
 

KĂŒrzlich hochgeladen

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 

KĂŒrzlich hochgeladen (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 

L2tp1

  • 1. Layer 2 Tunneling Protocol Introduction Layer Two Tunneling Protocol is an extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet. L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. The two main components that make up L2TP are the L2TP Access Concentrator, which is the device that physically terminates a call and the L2TP Network Server, which is the device that terminates and possibly authenticates the PPP stream. PPP defines a means of encapsulation to transmit multiprotocol packets over layer two point-to-point links. Generally, a user connects to a network access server through ISDN, ADSL, dialup POTS or other service and runs PPP over that connection. In this configuration, the L2 and PPP session endpoints are both on the same NAS. L2TP uses packet-switched network connections to make it possible for the endpoints to be located on different machines. The user has an L2 connection to an access concentrator, which then tunnels individual PPP frames to the NAS, so that the packets can be processed separately from the location of the circuit termination. This means that the connection can terminate at a local circuit concentrator, eliminating possible long- distance charges, among other benefits. From the user's point of view, there is no difference in the operation. Overview L2TP is one of the key building blocks for virtual private networks in the dial access space and is endorsed by Cisco and other internetworking industry leaders. It combines the best of Cisco's Layer 2 Forwarding protocol and Microsoft's Point-to- Point Tunneling Protocol. L2TP acts as a data link layer protocol for tunneling network traffic between two peers over an existing network usually the Internet.
  • 2. It is common to carry Point-to-Point Protocol sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec. The two endpoints of an L2TP tunnel are called the LAC means L2TP Access Concentrator and the LNS means L2TP Network Server. The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this an L2TP session or call is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. The packets exchanged within an L2TP tunnel are either categorised as control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.The following sections supply additional detail about the interworkings and Cisco's implementation of L2TP. Using L2TP tunneling, an Internet Service Provider , or other access service, can create a virtual tunnel to link customer's remote sites or remote users with corporate home networks. The L2TP access concentrator located at the ISP's point of presence exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the customer's L2TP network server to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between end points of a point-to-point connection.
  • 3. Fig: L2TPTunnelStructure Frames from remote users are accepted by the ISP's POP, stripped of any linked framing or transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface. Figure shows the L2TP tunnel detail and how user lsmith connects to the LNS to access the designated corporate intranet. Architecture The Layer 2 Tunnel Protocol is an emerging Internet Engineering Task Force standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding and Microsoft's Point-to-Point Tunneling Protocol. L2TP is an extension to the Point-to-Point Protocol, which is an important component for VPNs. VPNs allow users and telecommuters to connect to their corporate intranets or extranets. VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This not only reduces overhead costs associated with traditional remote access methods, but also improves flexibility and scalability. Traditional dial-up networking services only support registered IP addresses, which limits
  • 4. the types of applications that are implemented over VPNs. L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infastructure, such as the Internet, modems, access servers, and ISDN terminal adapters, to be used. It also allows enterprise customers to outsource dialout support, thus reducing overhead for hardware maintenance costs and 800 number fees, and allows them to concentrate corporate gateway resources. Figure shows the L2TP architecture in a typical dial up environment. Fig:L2TP Architecture L2TP offers the same full-range spectrum of features as L2F, but offers additional functionality. A L2TP-capable home gateway will work with an existing L2F network access server and will concurrently support upgraded components running L2TP. LNSs do not require reconfiguration each time an individual LAC is upgraded from L2F to L2TP. L2F and L2TP Feature L2F L2TP
  • 5. Comparison Function Flow Control No Yes AVP hiding No Yes Home gateway load sharing Yes Yes Home gateway stacking Yes Yes Home gateway primary and secondary backup Yes Yes DNS name support Yes Yes Domain name flexibility Yes Yes Idle and absolute timeout Yes Yes Multilink PPP support Yes Yes Multichassis Multilink PPP support Yes Yes
  • 6. Multihop support Yes Yes Security ‱ All security benefits of PPP, including multiple per-user authentication options (CHAP, MS- CHAP, PAP). ‱ Tunnel authentication mandatory ‱ All security benefits of PPP, including multiple per user authentication options (CHAP, MS- CHAP, PAP). ‱ Tunnel authentication optional Incoming Call Sequence A VPDN connection between a remote user, a LAC at the ISP point-of-presence , and the LNS at the home LAN using an L2TP tunnel is accomplished as follows: 1. The remote user initiates a PPP connection to the ISP, using the analog telephone system or ISDN. 2. The ISP network LAC accepts the connection at the POP and the PPP link is established. 3. After the end user and LNS negotiate LCP, the LAC partially authenticates the end user with CHAP or PAP. The username, domain name, or DNIS is used to determine whether the user is a VPDN client. If the user is not a VPDN client, authentication continues, and the client will access the Internet or other contacted service. If the username is a VPDN client, the mapping will name a specific endpoint . 4. The tunnel end points, the LAC and the LNS, authenticate each other before any sessions are attempted within a tunnel. Alternatively, the LNS can accept tunnel creation without any tunnel authentication of the LAC. 5. Once the tunnel exists, an L2TP session is created for the end user.
  • 7. The LAC will propagate the LCP negotiated options and the partially authenticated CHAP/PAP information to the LNS. The LNS will funnel the negotiated options and authentication information directly to the virtual access interface. If the options configured on the virtual template interface does not match the negotiated options with the LAC, the connection will fail, and a disconnect is sent to the LAC.
  • 8. Fig: L2TP Incoming Call Flow
  • 9. The end result is that the exchange process appears to be between the dial-up client and the remote LNS exclusively, as if no intermediary device is involved. Figure offers a pictorial account of the L2TP incoming call sequence with its own corresponding sequence numbers. Note the sequence numbers in figure 3 are not related to the sequence numbers described above. LAC AAA Tunnel Definition Lookup AAA tunnel definition look up allows the LAC to look up tunnel definitions using key words. Two new Cisco AV pairs are added to support LAC tunnel definition lookup: tunnel type and l2tp-tunnel-password. These AV pairs are configured on the Radius server. A description of the values are as follows: tunnel type—Indicates the tunnel type is either L2F or L2TP. This is an optional AV pair and if not defined, reverts to L2F, the default value. If you want to configure an L2TP tunnel, you must use the L2TP AV pair value. This command is case sensitive. l2tp-tunnel-password—This value is the secret (password) used for L2TP tunnel authentication and L2TP AV pair hiding. This is an optional AV pair value; however, if it is not defined, the secret will default to the password associated with the local name on the LAC local username-password database. This AV pair is analogous to the l2tp local secret CLI command. Configure VPDN on the L2TP Access Concentrator The LAC is a device that is typically located at a service provider's POP and initial configuration and ongoing management is done by the service provider. Use the following commands to enable VPDN on a LAC using L2TP beginning in global configuration mode: Step Command Purpose
  • 10. 1. vpdn enable Enables VPDN and inform the router to look for tunnel definitions from an LNS. 2. vpdn group group-number Defines a local group number identifier for which other VPDN variables can be assigned.Valid group numbers range between 1 and 3000. 3. request dialin [l2f | l2tp] ip ip-address {domain domain- name | dnis dialed-number} Enables the router to request a dial in tunnel to an IP address, if the dial in user belongs to a specific domain or the dial in user dialed a specific DNIS. Configure VPDN on a L2TP Network Server The LNS is the termination point for an L2TP tunnel. The LNS initiates outgoing calls and receives incoming calls from the LAC. To configure the LNS to initiate and receive calls, use the following commands beginning in global configuration mode: Step Command Purpose 1. vpdn enable Enables VPDN and inform the router to look for tunnel definitions from an LNS. 2. vpdn group group-number Defines a local group number identifier for which other VPDN variables can be assigned.Valid group numbers range between 1 and 3000.
  • 11. 3. accept dialin [l2f | l2tp | any] virtual-template virtual-template number remote remote-peer-name Allows the LNS to accept an open tunnel request from the specified remote peer, define the Layer 2 protocol to use for the tunnel, and identify the virtual template to use for cloning virtual access interfaces. At this point, you can configure the virtual template interface with configuration parameters you want applied to virtual access interfaces. A virtual template interface is a logical entity configured for a serial interface. The virtual template interface is not tied to any physical interface and is applied dynamically, as needed. Virtual access interfaces are cloned from a virtual template interface, used on demand, and then freed when no longer needed. Use the following commands to create and configure a virtual template interface beginning in global configuration mode. Step Command Purpose 1. interface virtual- template number Creates a virtual template interface, and enter interface configuration mode. 2. ip unnumbered ethernet 0 Enables IP without assigning a specific IP address on the LAN. 3. encapsulation ppp Enables PPP encapsulation on the virtual template interface, which will be applied to virtual access interfaces. 4. ppp authentication Enables PAP or CHAP authentication on the virtual
  • 12. pap | chap template interface, which will be applied to virtual access interfaces. Commands accept dialin To specify the local name to use for authenticating and the virtual template to use for cloning new virtual access interfaces when an incoming L2TP tunnel connection is requested from a specific peer, use the accept dialin VPDN group command. To disable authentication and virtual template cloning, use the no form of this command. accept dialin [l2f | l2tp | any] virtual-template number [remote remote-peer- name] no accept dialin [l2f | l2tp | any] virtual-template number [remote remote- peer-name] Syntax Description l2f | l2tp | any (Optional) Indicates which Layer 2 tunnel protocol to use for a dialin tunnel. 1. l2f—Layer 2 forwarding protocol. 2. l2tp—Layer 2 tunnel protocol. 3. any—VPDN will use autodetect to determine which tunnel type to use, either l2f or l2tp. virtual-template number The virtual template interface that the new virtual access interface cloned from.
  • 13. remote-peer-name (Optoinal) Case-sensitive name that the remote peer will use for identification and tunnel authentication. Default Disabled Command Mode VPDN group mode L2TP/IPsecurity Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193.The process of setting up an L2TP/IPsec VPN is as follows: 1. Negotiation of IPsec Security Association, typically through Internet Key Exchange . This is carried out over UDP port 500, and commonly uses either a shared password, public keys, or X.509 certificates on both ends, although other keying methods exist. 2. Establishment of Encapsulated Security Payload communication in transport mode. The IP Protocol number for ESP is 50. At this point, a secure channel has been established, but no tunneling is taking place.
  • 14. When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints. If a firewall or packet filter is integrated into the endpoint itself, however, it will probably be necessary to open port 1701 on that endpoint.A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel. Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel. Benefits L2TP offers the following benefits: 1. Vendor interoperability. 2. Can be used as part of the wholesale access solution, which allows ISPs to the telco or service providers offer VPNs to Internet Service Providers (ISPs) and other service providers. 3. Can be operated as a client initiated VPN solution, where enterprise customers using a PC, can use the client initiated L2TP from a third party. 4. All value-added features currently available with Cisco's L2F, such as load sharing and backup support, will be available in future IOS releases of L2TP. 5. Supports Multihop, which enables Multichassis Multilink PPP in multiple home gateways. This allows you to stack home gateways so that they appear as a single entity.
  • 15. Conclusion L2TP Implementation and Operation is an essential resource for anyone who works with L2TP and Virtual Private Networks. Written for developers and network managers, this book provides an overview of the protocol, a detailed explanation of L2TP architecture, a step-by-step guide to its implementation, and information on L2TP security and management. You will find useful background on the OSI model, the underlying PPP technology, how L2TP tunnels PPP, and L2TP LAC and LNS Layer 2 roles. In addition, the book contains detailed information on such topics as: L2TP deployment models, L2TP tunnel structure, terminology, and function, Protocol state machines, Tunnel authentication and initiation, Header and control message format, including AVP, Control Channel dynamics, Session setup, Proxy authentication, Data handling, including Multilink PPP, L2TP security, SNMP management of L2TP networks and Comparisons with L2F, PPTP, and other VPN technologies.