Lucent Technologies 6000 User Manual

MAX 6000/3000 Network Configuration Guide
Setting Up Virtual Private Networks
Configuring L2TP tunnels for dial-in clients
Figure 11-8 shows an ISP POP MAX, acting as an LAC, communicating across the WAN with 
a private network. Clients dial into the ISP POP and are forwarded across the Internet to the 
private network.
Figure 11-8. L2TP tunnel across the Internet
How the MAX creates L2TP tunnels
The dial-in client, the LAC, and the LNS establish, use, and terminate an L2TP-tunnel 
connection as follows:
1. A client dials, over either a modem or ISDN connection, into the LAC.
2. On the basis of dialed number or after authentication (depending on the LAC configuration), the LAC communicates with the LNS to establish an IP connection.
3. Over the IP connection, the LAC and LNS establish a control channel.
4. The LAC sends an Inbound Call Request to the LNS.
5. Depending on the LNS configuration, the client might need to authenticate itself a second time.
6. After successful authentication, the tunnel is established, and data traffic flows.
7. When the client disconnects from the LAC, the LAC sends a Call Disconnect Notify message to the LNS. The LAC and LNS disconnect the tunnel.
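The following added example (not part of the manual or the MAX software) parses L2TP control messages and traces the sequence above as it would appear on the wire. The header layout and message type numbers are taken from RFC 2661, where the manual's Inbound Call Request is Incoming-Call-Request (ICRQ); the tunnel IDs, session IDs and packets are constructed for illustration.

```python
import struct

# Control message types from RFC 2661 (subset relevant to a dial-in call).
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_control(pkt: bytes):
    """Return (tunnel_id, session_id, ns, nr, name) for one L2TPv2 control message."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte control header")
    flags, length, tid, sid, ns, nr = struct.unpack("!6H", pkt[:12])
    # Control messages have the T, L and S bits set and version 2 (0xC802).
    if (flags & 0xC800) != 0xC800 or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    if length != len(pkt):
        raise ValueError("Length field does not match payload size")
    if length == 12:
        return tid, sid, ns, nr, "ZLB"  # header only: acknowledgement
    if length < 20:
        raise ValueError("truncated Message Type AVP")
    avp_hdr, vendor, attr, mtype = struct.unpack("!4H", pkt[12:20])
    # The first AVP must be Message Type: vendor 0, attribute 0, length 8.
    if vendor != 0 or attr != 0 or (avp_hdr & 0x03FF) != 8:
        raise ValueError("first AVP is not Message Type")
    return tid, sid, ns, nr, MSG_TYPES.get(mtype, f"unknown({mtype})")

def build(tid, sid, ns, nr, mtype=None):
    """Build a minimal control message for the sample (no AVPs beyond Message Type)."""
    body = b"" if mtype is None else struct.pack("!4H", 0x8008, 0, 0, mtype)
    return struct.pack("!6H", 0xC802, 12 + len(body), tid, sid, ns, nr) + body

# Constructed exchange (IDs invented): LAC tunnel 7 / session 3, LNS tunnel 9 / session 5.
SAMPLE = [
    build(0, 0, 0, 0, 1),   # LAC -> LNS  SCCRQ  (step 3: control channel)
    build(7, 0, 0, 1, 2),   # LNS -> LAC  SCCRP
    build(9, 0, 1, 1, 3),   # LAC -> LNS  SCCCN
    build(9, 0, 2, 1, 10),  # LAC -> LNS  ICRQ   (step 4)
    build(7, 3, 1, 3, 11),  # LNS -> LAC  ICRP
    build(9, 5, 3, 2, 12),  # LAC -> LNS  ICCN   (step 6: session up)
    build(7, 0, 2, 4),      # LNS -> LAC  ZLB acknowledgement
    build(9, 5, 4, 2, 14),  # LAC -> LNS  CDN    (step 7)
    build(9, 0, 5, 2, 4),   # LAC -> LNS  StopCCN (tunnel teardown)
]

def trace(packets):
    return [parse_control(p)[4] for p in packets]

if __name__ == "__main__":
    print(" -> ".join(trace(SAMPLE)))
```

The input to parse_control is the UDP payload of a packet on port 1701; data messages (T bit clear) are rejected rather than misread as control traffic.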
Proxy LCP and authentication support for L2TP
If a PPP client’s profile is configured to initiate an L2TP tunnel, the MAX unit attempts to 
open a tunnel (or reuse an existing one) following initial authentication of the connection. It 
can open a tunnel after completing CLID or DNIS authentication or after authenticating the 
caller’s name and password. If the LAC authenticates the initial dial-in call using a name and 
password, it negotiates Link Control Protocol (LCP) with the client and opens the PPP Auth 
state to determine who the client is, so it can contact the appropriate LNS. 
With earlier versions of the system software, when the LAC contacted the LNS for a client 
connection, it sent an empty LCP Config Request packet in the data stream. When the LNS 
received the packet, it restarted LCP negotiations and authenticated the client. With currently 
supported proxy LCP, instead of an empty LCP Config Request, the LAC sends the LNS the 
following information:
- The first LCP Config Request packet received from the client.
- The last LCP Config Request packet received from the client.