Network Router User Manual

Configuring L2TP Services
303532-A Rev 00
Tunnel Management
The Bay Networks tunnel management server (TMS), which resides at the ISP
network, stores the TMS database. This database contains the remote users’
domain name, the IP address information of each LNS, and other tunnel
addressing information that the network administrator configures. The LAC
requests this information from the TMS to construct the L2TP tunnel.
When the LAC receives a call, it forwards the domain name to the TMS. The
domain name is the portion of the user’s address that specifies a particular location
in the network. For example, if the user name is jdoe@baynetworks.com,
baynetworks.com is the domain name. The TMS looks up the domain name and
verifies that the remote user is an L2TP user. The TMS also provides the LAC
with the addressing information required to establish a tunnel to the correct LNS.
Tunnel Authentication
For security purposes, you can enable the LNS to perform tunnel authentication.
Tunnel authentication is the process of negotiating the establishment of a tunnel.
During tunnel authentication, the LNS identifies the L2TP client or LAC by
comparing the LAC’s tunnel authentication password with its own password. If
the passwords match, the LNS permits the LAC to establish a tunnel.
The LAC does not send the tunnel authentication password as a plain-text
message. The exchange of passwords works much like the PPP Challenge
Handshake Authentication Protocol (CHAP). When one side receives a challenge,
it responds with a value that is calculated based on the authentication password.
The receiving side matches the value against its own calculation. If the values
match, authentication is successful.
Tunnel authentication occurs in both directions, which means that the LAC and
LNS both try to verify the other’s identity.
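
The challenge/response exchange described above, as an added example that is not taken from the Bay Networks manual or software. It assumes the calculation that RFC 2661 defines for L2TP (MD5 over the message-type octet, the shared tunnel password, and the challenge); the function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Message Type values from RFC 2661; the value is the first octet hashed.
SCCRP = 2  # Start-Control-Connection-Reply (LNS -> LAC)
SCCCN = 3  # Start-Control-Connection-Connected (LAC -> LNS)


def new_challenge(length=16):
    """Fresh random challenge. Reusing one would let a recorded response be replayed."""
    return os.urandom(length)


def challenge_response(msg_type, secret, challenge):
    """Assumed RFC 2661 calculation: MD5(message-type octet || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify(msg_type, secret, challenge, response):
    """Receiving side repeats the calculation and compares in constant time."""
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def mutual_auth(lac_secret, lns_secret):
    """Both directions of the exchange. Returns (LAC accepts LNS, LNS accepts LAC)."""
    # SCCRQ: the LAC sends its challenge to the LNS.
    lac_challenge = new_challenge()
    # SCCRP: the LNS answers that challenge and sends a challenge of its own.
    lns_response = challenge_response(SCCRP, lns_secret, lac_challenge)
    lns_challenge = new_challenge()
    lac_accepts_lns = verify(SCCRP, lac_secret, lac_challenge, lns_response)
    # SCCCN: the LAC answers the LNS challenge.
    lac_response = challenge_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = verify(SCCCN, lns_secret, lns_challenge, lac_response)
    return lac_accepts_lns, lns_accepts_lac


if __name__ == "__main__":
    # Constructed sample passwords, not values from the manual.
    print(mutual_auth(b"tunnel-pass", b"tunnel-pass"))  # matching passwords
    print(mutual_auth(b"tunnel-pass", b"other-pass"))   # mismatch: no tunnel
```

The password never crosses the wire, only the 16-byte digest, and a digest computed for one message type does not verify for the other.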
Note: The domain name referred to in this guide is a domain identifier that
does not follow a specific format. It is not related to any Domain Name System
(DNS) protocol requirements.