Lucent Technologies 6000 User Manual

MAX 6000/3000 Network Configuration Guide
Setting Up Virtual Private Networks
Configuring L2TP tunnels for dial-in clients
Using multiple L2TP system names
MAX units now support additional tunnel authentication settings that make establishing Layer 2 Tunneling Protocol (L2TP) and Layer 2 Forwarding (L2F) tunnels more flexible and more secure. Previously, L2TP and RADIUS protocol constraints required every network access server (NAS) in the network to use the same system name for tunnel authentication, even when the network spanned multiple administrative domains.
With the current software version, each NAS sends a unique system name for tunnel 
authentication purposes. The name can be specified on a per-connection or per-server basis. If 
RADIUS accounting is enabled, the MAX unit reports the names used for tunnel 
authentication in the Stop record.
Note: Tunnel authentication occurs before a tunnel is established between two endpoints. It is negotiated between the MAX unit and the tunnel server and is independent of user authentication. If tunnel authentication fails, all pending calls associated with the tunnel are dropped.
For L2TP tunnels, because the LAC can now specify its name on a per-connection basis, you 
can configure profiles to create parallel tunnels to the same destination. For example, some 
sites use parallel tunnels to separate data streams that are directed to the same LNS but 
destined for different networks.
Overview of RADIUS attribute-value pairs
RADIUS provides attribute-value pairs that support multiple L2TP system names. All of these attribute-value pairs support tag fields, as described in RFC 2868. Each tag value (from 1 to 31) defines an independent tunnel attempt description; a tag of 0 (or any value above 31) marks the attribute as untagged. The Tunnel-Client-Auth-ID (90) and Tunnel-Server-Auth-ID (91) attributes can be specified in Access-Accept packets and are generated in Accounting-Request packets. Following are the relevant attributes:
Table 11-3. RADIUS attributes for specifying L2TP tunnels (continued)

Attribute                     Description                                        Possible values

Tunnel-Server-Endpoint (67)   Specifies the IP address or fully qualified        If a DNS server is available, you can specify
                              hostname of the LNS, if you set Tunnel-Type        the fully qualified hostname of the LNS.
                              to L2TP, or of the PPTP Network Server (PNS),      Otherwise, specify the IP address of the LNS
                              if you set Tunnel-Type to PPTP.                    in dotted decimal notation (N.N.N.N, where N
                                                                                 is a number from 0 to 255). You must set this
                                                                                 attribute to an accessible hostname or IP
                                                                                 address.

Tunnel-Password (69)          Shared secret for authenticating L2TP tunnels.
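The following Python is an added example, not code from the Lucent manual or the MAX software. It builds the attribute list of a RADIUS Access-Accept that carries two tunnel attempt descriptions (tags 1 and 2) to the same LNS, differing only in the Tunnel-Client-Auth-ID the LAC will present, and then parses the list back into per-tag descriptions the way a NAS must (tags 1 to 31 group attributes; anything else is untagged). It also implements the RFC 2868 section 3.5 obfuscation of Tunnel-Password (69), the salted MD5 chain keyed on the RADIUS shared secret and the Access-Request's Request Authenticator, which is how the tunnel secret actually crosses the wire between the RADIUS server and the NAS. The hostname, secrets, LAC names and Request Authenticator are constructed values.

```python
"""RFC 2868 tagged tunnel attributes: build an Access-Accept attribute list with
two parallel L2TP tunnel descriptions, then parse it back by tag."""
import hashlib
import os

# RFC 2868 attribute numbers. Tunnel-Type=L2TP is 3, Tunnel-Medium-Type=IPv4 is 1.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_PASSWORD, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID = 69, 90, 91
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_SERVER_ENDPOINT, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID}
L2TP, IPV4 = 3, 1


def avp(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, header included) Value (1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Tag(1) followed by a 3-octet big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    """Tagged string attribute: Tag(1) followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def tunnel_password(tag, password, secret, request_auth, salt=None):
    """Tunnel-Password (69): Tag(1), Salt(2, MSB of first octet set), then
    Data-Length(1)+password zero-padded to a 16-octet multiple, XORed with the
    RFC 2868 3.5 chain b1 = MD5(S+R+A), bi = MD5(S+c(i-1)); S is the RADIUS
    shared secret, R the Access-Request's Request Authenticator, A the salt."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    cipher, prev = b"", None
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + (request_auth + salt if prev is None else prev)).digest()
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        cipher += prev
    return avp(TUNNEL_PASSWORD, bytes([tag]) + salt + cipher)


def recover_tunnel_password(body, secret, request_auth):
    """Inverse of tunnel_password; `body` is the attribute value after the Tag octet."""
    salt, cipher = body[:2], body[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password")
    plain, prev = b"", None
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + (request_auth + salt if prev is None else prev)).digest()
        prev = cipher[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(prev, block))
    if plain[0] > len(plain) - 1:  # a wrong secret usually shows up here
        raise ValueError("Data-Length exceeds String field")
    return plain[1:1 + plain[0]]


def tunnel_attempts(attrs, secret, request_auth):
    """Group tunnel attributes by tag. Tags 1..31 are independent tunnel attempt
    descriptions; 0 is untagged. For string attributes an octet outside 1..31 is
    data rather than a tag (RFC 2868 wording); for integers and Tunnel-Password
    the octet is always a tag field."""
    attempts, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 3 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + length]
        pos += length
        if attr_type not in TAGGED_INTEGER | TAGGED_STRING | {TUNNEL_PASSWORD}:
            continue  # not a tunnel attribute; a real NAS handles it elsewhere
        if 1 <= value[0] <= 0x1F:
            tag, body = value[0], value[1:]
        elif attr_type in TAGGED_STRING:
            tag, body = 0, value
        else:
            tag, body = 0, value[1:]
        entry = attempts.setdefault(tag, {})
        if attr_type in TAGGED_INTEGER:
            if len(body) != 3:
                raise ValueError("tagged integer must be 3 octets")
            entry[attr_type] = int.from_bytes(body, "big")
        elif attr_type == TUNNEL_PASSWORD:
            entry[attr_type] = recover_tunnel_password(body, secret, request_auth)
        else:
            entry[attr_type] = body.decode("ascii")
    return attempts


def sample_access_accept(secret, request_auth):
    """Constructed Access-Accept attribute list (not a captured packet): two tunnel
    attempt descriptions to the same LNS, differing in the name the LAC presents."""
    attrs = b""
    for tag, lac_name in ((1, "max-siteA"), (2, "max-siteB")):
        attrs += tagged_int(TUNNEL_TYPE, tag, L2TP)
        attrs += tagged_int(TUNNEL_MEDIUM_TYPE, tag, IPV4)
        attrs += tagged_str(TUNNEL_SERVER_ENDPOINT, tag, "lns.example.com")
        attrs += tagged_str(TUNNEL_CLIENT_AUTH_ID, tag, lac_name)
        attrs += tagged_str(TUNNEL_SERVER_AUTH_ID, tag, "lns-corp")
        attrs += tunnel_password(tag, b"t-secret-%d" % tag, secret, request_auth)
    return attrs


if __name__ == "__main__":
    SECRET, RA = b"radius-shared-secret", bytes(range(16))  # constructed values
    for tag, desc in sorted(tunnel_attempts(sample_access_accept(SECRET, RA), SECRET, RA).items()):
        print(tag, desc)
```

Two points worth keeping in mind when reading the output: the parser keys each description by tag, so the two tunnels to lns.example.com stay separate even though every attribute except Tunnel-Client-Auth-ID is identical, which is exactly what the parallel-tunnel configuration described above relies on; and the Tunnel-Password obfuscation is only as strong as the RADIUS shared secret, since anyone holding that secret (or able to recover it offline from captured RADIUS traffic) can unwrap the L2TP tunnel secret from an Access-Accept.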