Configuring L2TP Services
BayRS Version 14.00
Part No. 308634-14.
Copyright © 1999 Nortel Networks All rights reserved. Printed in the USA. September 1999. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.
Nortel Networks NA Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE.
for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs. 4. Limitation of liability.
Contents

Preface
Before You Begin  xiii
Text Conventions  xiv
Acronyms  xv
Hard-Copy Technical Manuals

Remote Router Configuration  1-16
Framed Routes  1-17
Configuring the Framed-Route Feature  1-18
Name Server Addresses  1-19
Configuring the NSA Feature on the LNS

Deleting L2TP from an ATM Interface  3-14

Appendix A  L2TP Parameters
L2TP Configuration Parameters  A-2
L2TP Tunnel Security Parameters  A-10
L2TP IP Interface Parameters

Figures
Figure 1-1.  L2TP Network Using a LAC  1-7
Figure 1-2.  L2TP Network Using a RAS  1-7
Figure 1-3.  Packet Encapsulation Process  1-8
Figure 1-4.  Tunnel Authentication Control Messages  1-13
Figure 1-5.  Remote Router Dialing the LNS

Tables
Table B-1.  Configuration Commands for the Model 5399 LAC  B-3
Table B-2.  Configuration for the nortelnetworks Domain  B-4
Table B-3.  Configuration Commands for the Model 5399 LAC  B-14
Table B-4.  Configuration for the nortelnetworks Domain  B-15
Table C-1.  Common L2TP Network Problems and Solutions  C-1
Preface

This guide describes Layer 2 Tunneling Protocol (L2TP) and what you do to start and customize L2TP services on a Nortel Networks™ router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:
• Install the router (see the installation guide that came with your router).
• Connect the router to the network and create a configuration file (see Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting ASN Routers to a Network).
Text Conventions

This guide uses the following text conventions:

angle brackets (< >)  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
  Example: If the command syntax is: ping <ip_address>, you enter: ping 192.32.10.12

bold text  Indicates command names and options and text that you need to enter.
  Example: Enter show ip {alerts | routes}.
  Example: Use the dinfo command.
separator ( > )  Shows menu paths.
  Example: Protocols > IP identifies the IP option on the Protocols menu.

vertical line ( | )  Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
  Example: If the command syntax is: show ip {alerts | routes}, you enter either: show ip alerts or show ip routes, but not both.
Acronyms

RADIUS  Remote Authentication Dial-In User Service
RAS  remote access server
RIP  Routing Information Protocol
SCCCN  start control connection connected
SCCRP  start control connection reply
SCCRQ  start control connection request
TA  terminal adapter
TCP/IP  Transmission Control Protocol/Internet Protocol
TMS  tunnel management server
UDP  User Datagram Protocol
VPN  virtual private network
VSA  vendor-specific attribute
WAN  wide area network

Hard-Copy Technical Manuals
How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
Chapter 1
L2TP Overview

The Layer 2 Tunneling Protocol (L2TP) provides remote users, such as telecommuters, mobile professionals, and personnel in remote branch offices, with dial-in access to a corporate network. L2TP enables users to create a virtual private network (VPN). A VPN uses the existing physical infrastructure of a public network, such as the Internet, but offers the security and exclusivity of a private network.
L2TP Benefits

L2TP provides the following benefits to remote users, corporations, and ISPs:
• Users and businesses can take advantage of existing network equipment and resources. Corporations do not need to maintain and manage remote access servers and other special networking equipment for remote users.
Multiple users can communicate through a single tunnel between the same LAC and LNS pair. Each user transmits and receives data in an individual L2TP session. The LAC brings down the tunnel for any one of the following reasons:
• A network failure occurs.
• The LAC or other equipment at the ISP is not operating properly. If the LAC fails, all tunnel users are disconnected.
• There are no active sessions inside the tunnel.
Components of an L2TP Network

The following sections describe the components of an L2TP network. For illustrations of L2TP networks, see Figures 1-1 and 1-2 on page 1-7.

Remote Host

At the remote site is the user who wants to dial in to the corporate network. The remote user can be located anywhere, provided that the user can dial into an ISP network using a PC or a router. The ISP provides the connection to the Internet.
L2TP Access Concentrator (LAC)

The L2TP access concentrator (LAC) resides at the ISP network. The LAC establishes the L2TP tunnel between itself and the LNS.

Note: In this guide, the term LAC refers to a remote access server with L2TP capabilities. The term RAS refers to a remote access server without L2TP capabilities.

When the remote user places a call to the ISP network, this call goes to the LAC. The LAC then negotiates the activation of an L2TP tunnel with the LNS.
L2TP Network Server (LNS)

The L2TP network server (LNS) is a router that resides at the corporate network and serves as the termination point for L2TP tunnels and sessions. The LNS authenticates the PPP connection request and allows the end-to-end PPP tunneled connection. The LNS may also perform user authentication with a RADIUS server to prevent unauthorized users from accessing the network; however, user authentication may also be done by the LNS itself.
Examples of L2TP Networks

Figure 1-1 shows an L2TP network that uses a LAC to connect to the LNS. The tunnel is between the LAC and the LNS.

Figure 1-1. L2TP Network Using a LAC (labels: Remote host PC with no L2TP functionality, ISP network with LAC and TMS, Frame relay connection, Tunnel, LNS and RADIUS server at the Corporate network, end-to-end PPP connection, Data)

Figure 1-2 shows an L2TP network that uses a RAS to connect to the LNS. The tunnel is between the PC (the L2TP client) and the LNS.
L2TP Packet Encapsulation

The PC or router at the remote site sends PPP packets to the LAC. The LAC encapsulates each incoming packet in an L2TP packet and sends it across an IP network through a bidirectional tunnel. After the LNS receives the packets, it decapsulates them and terminates the PPP connection. Figure 1-3 shows how data is encapsulated for transmission over an L2TP network.
Making a Connection Across an L2TP Network

The following steps explain how a remote user connects across an L2TP network that includes a Nortel Networks LAC, TMS, and LNS (see Figure 1-1 on page 1-7):
1. The remote user dials a LAC at the local ISP network to establish a PPP connection to the corporate network. In the call, the user includes any required information, for example, a user name, including a domain name, and a password.
Security in an L2TP Network

You can configure two layers of security in an L2TP network:
• Tunnel authentication: the LNS verifies the LAC's tunnel authentication password while the tunnel between the LAC and the LNS is being established.
• User authentication: the network administrator at the corporate site can configure a RADIUS server with the names and passwords of authorized users.
Nortel Networks L2TP Implementation

In an L2TP network, the Nortel Networks router is the LNS. LNS software operates on the following routers:
• BayStack™ Access Node (AN®) and Advanced Remote Node™ (ARN™)
• Backbone Link Node (BLN®) and Backbone Concentrator Node (BCN®)
• Access Stack Node (ASN™)

The Nortel Networks LNS has the following characteristics:
• Each slot can act as an LNS, which means that one router can have many LNS interfaces, each with its own address.
Tunnel Management

The Nortel Networks tunnel management server (TMS), which resides at the ISP network, stores the TMS database. This database contains the remote users’ domain name, the IP address information of each LNS, and other tunnel addressing information that the network administrator configures. The LAC requests this information from the TMS to construct the L2TP tunnel. When the LAC receives a call, it forwards the domain name to the TMS.
You can enable tunnel authentication on the Nortel Networks LNS. If tunnel authentication is disabled, which is the default, the LNS sends a default challenge response to the LAC during the authentication process so that the tunnel can be established. The LNS cannot send outgoing calls, so it cannot initiate tunnel authentication. During tunnel authentication, the following exchange of messages takes place:
1.
After tunnel authentication is complete, it does not need to be repeated for other calls to the same LAC.

RADIUS User Authentication

RADIUS user authentication is enabled by default on the Nortel Networks LNS; you must configure this feature so that the LNS can validate the remote user’s identity before allowing access to the network. The network administrator at the corporate site must configure a RADIUS server with the names and passwords of authorized users.
RADIUS Accounting

The RADIUS server can provide accounting services in addition to its authentication services. RADIUS accounting is enabled by default on the Nortel Networks LNS. The RADIUS accounting server calculates billing charges for an L2TP session between the remote user and the LNS. To determine these charges, the server uses information that it receives from the LNS, such as the status of each call and the number of packets sent during the session.
Remote Router Configuration

If the host at the remote site is a Nortel Networks router, you may need to configure a dial-on-demand circuit for the remote router’s dial-up interface to the LAC at the ISP network. Enable RIP on both the dial-on-demand circuit and the attached LAN interface of the remote router, so that the LNS can learn routing information from the remote router.
Framed Routes

The Nortel Networks L2TP implementation supports framed routes. With framed-route support, the LNS does not need to use RIP to learn all routes on a remote network. Instead, when a user dials in, the RADIUS server sends the LNS a framed route, which includes all the information that the LNS needs to communicate with the remote user.

Note: You can configure the LNS to use framed routes for some remote sites and RIP for other remote sites.
Figure 1-7 shows the same network with framed-route support on the LNS. In this configuration, remote site A has an associated framed route stored on the central RADIUS server. This framed route describes the routing table entries required for the LNS to communicate with users at remote site A. When a user dials in from remote site A, the RADIUS server sends the framed route to the LNS as part of the session/user authentication process.
prefix_length is optional. It specifies the length of the network mask for the remote user’s network: 8 for Class A addresses, 16 for Class B addresses, or 24 for Class C addresses.

gateway is the address of the interface through which the LNS connects to the remote user’s network. If you specify 0.0.0.0 for gateway, the system automatically sets the gateway to the address of the L2TP interface.

metric is the number of hops from the gateway to the destination network.
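The framed-route fields above, as an added parser (example code, not Nortel's): it assumes the RFC 2865 Framed-Route text form "network[/prefix_length] gateway metric", applies the classful default for a missing prefix_length and the 0.0.0.0 gateway substitution described here, and takes the LNS's L2TP interface address as a parameter.

```python
"""Parse a RADIUS Framed-Route value into the entry an LNS would install.

Added example, not Nortel code. Assumes the RFC 2865 text form
"<network>[/<prefix_length>] <gateway> <metric>" and applies the defaults
the guide describes: a missing prefix_length falls back to the classful
length of the network address (8, 16 or 24), and a gateway of 0.0.0.0 is
replaced by the address of the LNS's L2TP interface.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FramedRoute:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def classful_prefix_length(addr) -> int:
    """Return 8, 16 or 24 for a Class A, B or C address, as the guide describes."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a Class A, B or C address")


def parse_framed_route(value: str, l2tp_interface: str) -> FramedRoute:
    """Parse one Framed-Route attribute value.

    l2tp_interface is the LNS's L2TP IP interface address; it is used when the
    route names a gateway of 0.0.0.0.
    """
    fields = value.split()
    if len(fields) != 3:
        raise ValueError(
            f"expected '<network>[/<prefix_length>] <gateway> <metric>', got {value!r}")
    dest, gateway_text, metric_text = fields

    # Destination: network address with an optional "/prefix_length".
    if "/" in dest:
        net_text, prefix_text = dest.split("/", 1)
        prefix = int(prefix_text)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix_length {prefix} out of range")
    else:
        net_text, prefix = dest, None
    net_addr = ipaddress.IPv4Address(net_text)
    if prefix is None:
        prefix = classful_prefix_length(net_addr)
    # strict=False tolerates host bits in the supplied address; the prefix wins.
    network = ipaddress.IPv4Network((net_addr, prefix), strict=False)

    # Gateway: 0.0.0.0 means "use the L2TP interface address".
    gateway = ipaddress.IPv4Address(gateway_text)
    if gateway == ipaddress.IPv4Address("0.0.0.0"):
        gateway = ipaddress.IPv4Address(l2tp_interface)

    # Metric: hop count from the gateway to the destination network.
    metric = int(metric_text)
    if metric < 0:
        raise ValueError("metric must be a non-negative hop count")
    return FramedRoute(network, gateway, metric)


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    for route in ("192.168.10.0/24 0.0.0.0 1", "172.16.0.0 172.16.0.1 2"):
        print(parse_framed_route(route, "10.1.1.1"))
```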
Figure 1-8. TCP/IP Settings Window for Server-Assigned NSAs

To use server-assigned NSAs, users should not enter primary and secondary domain name server (DNS) and WINS name server addresses (also called NetBIOS name server addresses or NBNS addresses). Instead, when a user dials in, the LNS or the RADIUS server automatically assigns name server addresses for the connection.
Configuring the NSA Feature on the LNS

By default, the NSA feature is disabled on the router acting as the LNS. When users dial in from a remote location, the connection uses the DNS and NBNS (WINS) addresses in the Dial-Up Networking TCP/IP Settings window on their PCs. (See Figure 1-8 on page 1-20.) To configure the NSA feature on the router, you use Site Manager to set the Name Server Address Origin parameter to either Local or RADIUS. The following sections describe these options.
• The RADIUS server must support vendor-specific attributes (VSAs) and must have the following entries in its dictionary:
  ATTRIBUTE Bay-Primary-DNS-Server Bay-VSA(54, ipaddr)
  ATTRIBUTE Bay-Secondary-DNS-Server Bay-VSA(55, ipaddr)
  ATTRIBUTE Bay-Primary-NBNS-Server Bay-VSA(56, ipaddr)
  ATTRIBUTE Bay-Secondary-NBNS-Server Bay-VSA(57, ipaddr)

Example: Name Server Address Origin Parameter Set to Local

Figure 1-9 shows a network with the following configuration:
• Users at remo
Figure 1-9. Network with Local Name Server Address Origin (labels: Remote hosts A, B and C with PCs, ISP network with LAC and TMS, LNS at the Corporate network, DNS 1, DNS 2, NBNS 1, NBNS 2)
Example: Name Server Address Origin Parameter Set to RADIUS

Figure 1-10 shows a network with the following configuration:
• Users at remote hosts Eng. host A, Eng. host B, Fin. host C, and Fin. host D have specified “Server assigned name server addresses” in the Dial-Up Networking TCP/IP Settings window on their PCs.
• The Name Server Address Origin parameter is set to RADIUS on the LNS at the corporate site.
Figure 1-10. Network with RADIUS Name Server Address Origin (labels: Eng. host A and Eng. host B and Fin. host A and Fin. host B with PCs, ISP network with LAC and TMS, LNS and RADIUS server at the Corporate network, Eng. DNS 1, Eng. DNS 2, Eng. NBNS 1, Eng. NBNS 2, Fin. DNS 1, Fin. DNS 2, Fin. NBNS 1, Fin. NBNS 2)
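For the RADIUS case, here is an added decoder (example code, not Nortel's or any RADIUS server's) that pulls the Bay-VSA name server attributes 54 to 57 listed in the dictionary entries above out of a RADIUS attribute list. It assumes the RFC 2865 Vendor-Specific attribute layout and the IANA enterprise number 1584 for Bay Networks, neither of which the guide states; the sample attribute bytes are constructed.

```python
"""Decode the Bay-VSA name server attributes (54-57) from a RADIUS attribute list.

Added example, not Nortel or RADIUS server code. Assumes the RFC 2865
Vendor-Specific attribute layout (type 26, 4-byte Vendor-Id, then vendor
sub-attributes in type/length/value form) and the IANA enterprise number
1584 for Bay Networks (an assumption, not from the guide).
"""
import ipaddress
import struct

VENDOR_SPECIFIC = 26
BAY_NETWORKS_VENDOR_ID = 1584  # assumed IANA enterprise number for Bay Networks

# Bay-VSA numbers from the dictionary entries in the guide.
BAY_NSA_ATTRIBUTES = {
    54: "Bay-Primary-DNS-Server",
    55: "Bay-Secondary-DNS-Server",
    56: "Bay-Primary-NBNS-Server",
    57: "Bay-Secondary-NBNS-Server",
}


def iter_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS TLV list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        yield attr_type, data[pos + 2:pos + attr_len]
        pos += attr_len


def decode_bay_nsa(attributes: bytes) -> dict:
    """Return {attribute-name: dotted IPv4 address} for the Bay name server VSAs."""
    result = {}
    for attr_type, value in iter_attributes(attributes):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its Vendor-Id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != BAY_NETWORKS_VENDOR_ID:
            continue  # another vendor's VSA: ignore it
        for sub_type, sub_value in iter_attributes(value[4:]):
            name = BAY_NSA_ATTRIBUTES.get(sub_type)
            if name is None:
                continue
            if len(sub_value) != 4:  # dictionary type is ipaddr: exactly 4 bytes
                raise ValueError(f"{name} must carry a 4-byte ipaddr, got {len(sub_value)}")
            result[name] = str(ipaddress.IPv4Address(sub_value))
    return result


def build_bay_vsa(sub_type: int, addr: str) -> bytes:
    """Encode one Bay-VSA ipaddr sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([sub_type, 6]) + ipaddress.IPv4Address(addr).packed
    body = struct.pack("!I", BAY_NETWORKS_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed sample: an Access-Accept attribute list carrying the four NSAs
# after an unrelated Framed-Protocol attribute (type 7, value 1 = PPP).
SAMPLE_ATTRIBUTES = (
    bytes([7, 6]) + struct.pack("!I", 1)
    + build_bay_vsa(54, "10.1.1.53")    # Eng. DNS 1 (constructed address)
    + build_bay_vsa(55, "10.1.2.53")    # Eng. DNS 2
    + build_bay_vsa(56, "10.1.1.137")   # Eng. NBNS 1
    + build_bay_vsa(57, "10.1.2.137")   # Eng. NBNS 2
)

if __name__ == "__main__":
    for name, addr in decode_bay_nsa(SAMPLE_ATTRIBUTES).items():
        print(f"{name}: {addr}")
```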
Checking NSA Assignments from the Remote Host

To see which NSAs the LNS or RADIUS server assigned to a particular user, complete the following steps at the remote user’s PC:
1. Choose Start > Run. The Run window opens (Figure 1-11).

Figure 1-11. Run Window

2. At the Open: prompt, enter: winipcfg
   The IP Configuration window opens (Figure 1-12).
Figure 1-12. IP Configuration Window

3. Click on More Info. The More Info. IP Configuration window opens (Figure 1-13). The DNS Servers field lists the primary and secondary DNS server addresses assigned by the server. (Click on the ... button to see the secondary server address.) The Primary WINS Server and Secondary WINS Server fields list the primary and secondary NBNS addresses, if any.
Figure 1-13. More Info. IP Configuration Window
Where to Go Next

Go to one of the following chapters for more information:
• Start L2TP on a router using default parameter settings: go to Chapter 2.
• Change default settings for L2TP parameters: go to Chapter 3.
• Obtain information about Site Manager parameters (this is the same information that you obtain using Site Manager online Help): go to Appendix A.
• Review configuration examples: go to Appendix B.
• Troubleshoot L2TP configuration problems: go to Appendix C.
Chapter 2
Starting L2TP

The quickest way to start L2TP is to enable it with the default configuration that Nortel Networks software supplies. This configuration uses all available parameter defaults. You need to supply values for several parameters that do not have default values.
Planning Considerations for an L2TP Network

This guide primarily explains how to configure a Nortel Networks AN, ARN, BLN, BCN, or ASN router as an LNS in an L2TP network. To successfully operate in an L2TP network, obtain the following information to configure the LNS.

Tunnel Authentication Passwords

If you plan to enable tunnel authentication, which is optional for the Nortel Networks LNS, you must obtain the LAC password from your ISP.
Preparing a Configuration File

Before starting L2TP, you must create and save a configuration file with at least one WAN interface, for example, a synchronous or MCT1 port.

Note: L2TP is not compatible with dial services. Do not enable L2TP on the same slot that you enable for a dial service, such as dial-on-demand, dial backup, or bandwidth-on-demand.
Enabling L2TP on an Unconfigured WAN Interface

To enable L2TP on an unconfigured WAN interface, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, click on a WAN connector.
   System responds: The Add Circuit window opens.
2. Accept the default circuit name or change it, then click on OK.
   System responds: The WAN Protocols window opens.
3. Choose PPP, Frame Relay, or ATM DXI, then click on OK.
   System responds: The Select Protocols window opens.
Site Manager Procedure (continued)
10. Click on OK.
    System responds: Site Manager displays a message alerting you of the time delay to create the L2TP tunnel circuits.
11. Click on OK.
    System responds: You return to the L2TP IP Interface List window, which displays the IP interface address and the subnet mask. A message window opens that reads, L2TP Configuration is completed.
12. Click on Done.
    System responds: You return to the Configuration Manager window.
Site Manager Procedure (continued)
8. Click on OK.
   System responds: The L2TP IP Interface List window opens, followed by the L2TP IP Interface Configuration window.
9. Set the following parameters:
   • L2TP IP Interface Address
   • Subnet Mask
   Click on Help or see the parameter descriptions beginning on page A-13.
10. Click on OK.
    System responds: Site Manager displays a message alerting you of the time delay to create the L2TP tunnel circuits.
11. Click on OK.
Enabling L2TP on an Existing Frame Relay Interface

To enable L2TP on an interface with frame relay and IP already enabled, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, click on a WAN connector.
   System responds: The Edit Connector window opens.
2. Choose Edit Circuit.
   System responds: The Frame Relay Circuit Definition window opens.
3. Choose Services.
   System responds: The Frame Relay Service List window opens.
4.
Site Manager Procedure (continued)
12. Click on OK.
    System responds: You return to the L2TP IP Interface List window, which displays the IP interface address and the subnet mask. A message window opens that reads, L2TP Configuration is completed.
13. Click on Done.
    System responds: You return to the Frame Relay Service List window.
14. Click on Done.
    System responds: You return to the Frame Relay Circuit Definition window.
15. Click on Done.
    System responds: You return to the Configuration Manager window.
Enabling L2TP on an Existing ATM Interface

To enable L2TP on an interface with ATM and IP already enabled, you enable L2TP in one of two ways. If your interface uses a COM connector, complete the tasks in the following table. If your interface uses an ATM connector, go to page 2-10.

Site Manager Procedure
1. In the Configuration Manager window, click on a WAN connector.
   System responds: The Edit Connector window opens.
2. Choose Edit Circuit.
Site Manager Procedure (continued)
11. Click on OK.
    System responds: You return to the L2TP IP Interface List window, which displays the IP interface address and the subnet mask. A message window opens that reads, L2TP Configuration is completed.
12. Click on Done.
    System responds: You return to the Circuit Definition window.
13. Choose File.
    System responds: The File menu opens.
14. Choose Exit.
    System responds: You return to the Configuration Manager window.
Chapter 3
Customizing L2TP Services

When you enable L2TP, default values are in effect for most parameters (see parameter descriptions in Appendix A, “L2TP Parameters”). You may want to change some of these values, depending on the requirements of your network.
Modifying the L2TP Protocol Configuration

To modify how data is transmitted across an L2TP network, such as the number, frequency, and timing of data and acknowledgment packets exchanged between the LNS and the LAC, you can modify the L2TP protocol parameters. To modify the L2TP protocol configuration, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, choose Protocols.
   System responds: The Protocols menu opens.
2.
Modifying RADIUS Server Information

If you change the address of the RADIUS server that you are using to authenticate remote users and manage accounting functions, you must update the server address information on the LNS. For more information about using a RADIUS server in an L2TP network, see “RADIUS Server” on page 1-6. To modify the address of the RADIUS server, complete the following tasks:

Site Manager Procedure
1.
Changing the LNS System Name

The LNS system name is the name of the router. This name is used during tunnel setup to identify the LNS uniquely. By default, Site Manager enters the system name that you initially configured when first accessing the router. See Configuring and Managing Routers with Site Manager for more details about system information. To change the LNS system name, complete the following tasks:

Site Manager Procedure
1.
Modifying the Number of L2TP Sessions Permitted

You can modify the maximum number of active L2TP sessions that the LNS can manage. The default is 100 sessions for all routers except the AN. (The default number of sessions for the AN is 50.) For more information about L2TP sessions, see “L2TP Sessions” on page 1-3. To change the maximum number of L2TP sessions supported by the LNS, complete the following tasks:

Site Manager Procedure
1.
Keeping the Remote User’s Domain Name

By default, the LNS removes the domain name from the complete user name before passing it on to the RADIUS server for user authentication. To keep the domain name with the user name, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, choose Protocols.
   System responds: The Protocols menu opens.
2. Choose IP.
   System responds: The IP menu opens.
3. Choose L2TP.
   System responds: The L2TP menu opens.
4.
Changing the Domain Name Delimiter

In the complete user name, a single-character delimiter separates the user name from the domain name. By default, the LNS removes the domain name when it receives a call. The delimiter tells the LNS which characters to remove. The default delimiter is an at sign (@). To change the delimiter, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, choose Protocols.
Enabling Tunnel Authentication

To prevent unauthorized users from accessing the corporate network, you can enable tunnel authentication. During tunnel negotiation, the LAC sends its tunnel authentication password to the LNS. If the password is not recognized by the LNS, authentication is unsuccessful and the LAC cannot create the tunnel.

Note: If you are using the Password Authentication Protocol (PAP) for PPP authentication, do not enable tunnel authentication.
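The tunnel authentication check described here and in the Chapter 1 overview, as an added example (not Nortel code): it assumes the RFC 2661 scheme, in which the LNS sends a random Challenge AVP in its SCCRP and the LAC answers in its SCCCN with MD5 over the single-octet message type, the shared password and the challenge. The LAC password configured on the LNS is the shared secret; the "tunnel authentication disabled" path accepts any response, matching the default behaviour the guide describes.

```python
"""Verify an L2TP tunnel authentication response the way an LNS would.

Added example, not Nortel code. Assumes the RFC 2661 section 5.1.1 scheme:
Challenge Response = MD5(message_type || shared_secret || challenge), where
message_type is the one-octet type of the message carrying the response
(SCCRP = 2 when the LNS answers a LAC challenge, SCCCN = 3 when the LAC
answers the LNS's challenge).
"""
import hashlib
import hmac
import secrets

SCCRP = 2  # LNS's reply to SCCRQ; carries the LNS's Challenge AVP
SCCCN = 3  # LAC's connected message; carries the LAC's Challenge Response AVP


def challenge_response(msg_type: int, shared_secret: bytes, challenge: bytes) -> bytes:
    """Compute the 16-byte Challenge Response AVP value."""
    if not 0 <= msg_type <= 255:
        raise ValueError("message type is a single octet")
    return hashlib.md5(bytes([msg_type]) + shared_secret + challenge).digest()


class LnsTunnelAuthenticator:
    """The LNS side of one tunnel's authentication exchange."""

    def __init__(self, lac_password: bytes, tunnel_authentication: bool = True):
        self.secret = lac_password
        self.enabled = tunnel_authentication  # the Nortel LNS default is Disable
        self.challenge = None

    def build_sccrp_challenge(self, length: int = 16) -> bytes:
        """Generate the unpredictable challenge placed in the SCCRP."""
        self.challenge = secrets.token_bytes(length)
        return self.challenge

    def accept_scccn(self, response: bytes) -> bool:
        """Decide whether the LAC's SCCCN response lets the tunnel come up."""
        if not self.enabled:
            return True  # authentication disabled: the tunnel is established regardless
        if self.challenge is None:
            raise RuntimeError("no challenge outstanding for this tunnel")
        expected = challenge_response(SCCCN, self.secret, self.challenge)
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        self.challenge = None  # one response per challenge; no replay of the same value
        return ok


def simulate_exchange(lns_password: bytes, lac_password: bytes, enabled: bool = True) -> bool:
    """Run one SCCRP/SCCCN exchange between a constructed LNS and LAC."""
    lns = LnsTunnelAuthenticator(lns_password, enabled)
    chal = lns.build_sccrp_challenge()
    lac_response = challenge_response(SCCCN, lac_password, chal)  # the LAC's side
    return lns.accept_scccn(lac_response)


if __name__ == "__main__":
    # Constructed passwords, not values from the guide.
    print("matching password:", simulate_exchange(b"lac-pw", b"lac-pw"))
    print("wrong password:   ", simulate_exchange(b"lac-pw", b"other"))
    print("auth disabled:    ", simulate_exchange(b"lac-pw", b"other", enabled=False))
```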
Configuring the Name Server Address Feature

The name server address (NSA) feature enables a remote host dialing in to a Nortel Networks router acting as an LNS to obtain NSAs from either the LNS or a RADIUS server. For more information about the name server address feature and how to configure the remote host to use NSAs, see “Name Server Addresses” on page 1-19.
Modifying L2TP IP Interface Addresses

The L2TP IP Interface List window lists the L2TP IP interface addresses for each slot that has L2TP configured. The LNS uses the addresses internally to identify the remote sites. For more information about the L2TP IP interface, see “L2TP IP Interface Addresses” on page 1-15. To change an address in the list, complete the following tasks:

Site Manager Procedure
1.
Disabling RIP

RIP is enabled on the LNS by default so that the LNS can learn routes from the remote dial-in router. If the LNS does not require RIP support, you can disable it. To disable RIP, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, choose Protocols.
   System responds: The Protocols menu opens.
2. Choose IP.
   System responds: The IP menu opens.
3. Choose L2TP.
   System responds: The L2TP menu opens.
4. Choose L2TP IP Interface.
Site Manager Procedure (continued)
6. Set the Enable L2TP parameter to Disable. Click on Help or see the parameter description on page A-3.
   System responds: Site Manager disables L2TP for the slot.
7. Click on Done.
   System responds: You return to the Configuration Manager window.

Deleting L2TP from a PPP Interface

To delete L2TP from a PPP interface, complete the following tasks:

Site Manager Procedure
1.
Deleting L2TP from a Frame Relay Interface

To delete L2TP from a frame relay interface, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, click on a WAN connector configured with L2TP.
   System responds: The Edit Connector window opens.
2. Choose Edit Circuit.
   System responds: The Frame Relay Circuit Definition window opens.
3. Choose Services.
   System responds: The Frame Relay Service List window opens.
4.
Deleting L2TP from an ATM Interface

To delete L2TP from an ATM interface on a COM connector, complete the following tasks:

Site Manager Procedure
1. In the Configuration Manager window, click on a COM connector configured with L2TP.
   System responds: The Edit Connector window opens.
2. Choose Edit Circuit.
   System responds: The Circuit Definition window opens.
3. Choose Group Protocols.
   System responds: The Group Protocols menu opens.
4. Choose Add/Delete.
   System responds: The Select Protocols window opens.
5.
Site Manager Procedure (continued)
6. Click on L2TP.
   System responds: Site Manager deselects L2TP.
7. Click on OK.
   System responds: You return to the ATM Service Records List window.
8. Click on Done.
   System responds: You return to the Edit ATM Connector window.
9. Click on Done.
   System responds: You return to the Select Connection Type window.
10. Click on Done.
    System responds: You return to the Configuration Manager window.
Appendix A
L2TP Parameters

This appendix contains the Site Manager parameter descriptions for L2TP services. You can display the same information using Site Manager online Help. For information about the IP parameters that you set when enabling L2TP, see Configuring IP, ARP, RARP, RIP, and OSPF Services.
The Technician Interface allows you to modify parameters by issuing set and commit commands with the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, see Using Technician Interface Software.

Caution: The Technician Interface does not verify the validity of your parameter values. Entering an invalid value can corrupt your configuration.
Parameter: Enable L2TP
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Enables or disables L2TP on this interface. Site Manager automatically sets this parameter to Enable when you select L2TP as a protocol.
Instructions: Accept the default, Enable, to use L2TP. To temporarily disable L2TP, set this parameter to Disable.
MIB Object ID: 1.3.6.1.4.1.18.3.5.23.2.1.
Parameter: Retransmit Timer (seconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 1
Options: 1 to 60 seconds
Function: Indicates the number of seconds that the LNS waits for an acknowledgment from the LAC before resending packets.
Instructions: If you are experiencing many timeouts during L2TP tunnel negotiation or during a session, set this value to a number greater than the default. Otherwise, accept the default.
MIB Object ID: 1.3.6.1.4.1.
Parameter: Ack Timeout (milliseconds)
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: 250
Options: 1 to 360 milliseconds
Function: Specifies the maximum number of milliseconds that can elapse before the LNS sends an acknowledgment to the LAC that it received an L2TP control message, such as a tunnel authentication or session control message.
Parameter: RADIUS Primary Server Password
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any alphanumeric string, up to a maximum of 64 characters
Function: Specifies the primary RADIUS server’s password.
Instructions: Enter the password for the RADIUS server. If the RADIUS server is already configured, Site Manager automatically supplies the password.
MIB Object ID: 1.3.6.1.4.1.18.3.5.22.2.1.
Parameter: Remove Domain Name
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Enable
Options: Enable | Disable
Function: Instructs the router whether to remove the domain name from the complete user name before RADIUS authentication takes place. If enabled, the LNS removes the delimiter separating the user name and the domain name and all characters to the right of the delimiter.
Parameter: Name Server Address Origin
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: Disable
Options: Disable | Local | RADIUS
Function: Specifies whether or not the NSA feature is enabled and, if enabled, specifies the source of the domain name server (DNS) and NetBIOS name server (NBNS) addresses.
Instructions: Set to Disable if you do not want to use the NSA feature.
Parameter: Secondary DNS Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP Configuration
Default: None
Options: Any valid IP address
Function: If the Name Server Address Origin parameter is set to Local, the Secondary DNS Address parameter specifies the address of the secondary domain name server (DNS) that every remote host should use. The system uses this secondary DNS if it cannot reach the primary DNS.
Instructions: Enter the IP address of the secondary DNS.
L2TP Tunnel Security Parameters

The L2TP Tunnel Security List window (Figure A-2) contains the tunnel authentication parameters.

Figure A-2. L2TP Tunnel Security List Window

The parameter descriptions follow.
Parameter: Enable Tunnel Authentication
Path: Configuration Manager > Protocols > IP > L2TP > Tunnel Authentication
Default: Disable
Options: Enable | Disable
Function: Enables or disables the use of tunnel authentication for a slot on the LNS. Tunnel authentication provides a level of network security to protect the corporate network from unauthorized users.
Instructions: Set this parameter to Enable for the LNS to perform tunnel authentication. Otherwise, accept the default, Disable.
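The following is an added example, not part of the original manual or of BayRS, showing what the LNS actually checks when Enable Tunnel Authentication is set to Enable. It models the standard L2TP tunnel authentication of RFC 2661 (section 4.4.3): the SCCRQ/SCCRP/SCCCN control messages carry a Challenge AVP and a Challenge Response AVP, and the response is the CHAP-style MD5 of the message type byte, the shared tunnel secret and the challenge. The message names, the secrets and the fixed challenges used for the demonstration are assumptions for the example; the block also shows the Disable case, where the LNS brings the tunnel up with no proof that the LAC holds the secret.

```python
import hashlib
import hmac
import os

# Control message types from RFC 2661 section 3.2. The ID byte hashed into a
# Challenge Response AVP is the Message Type of the message that carries it.
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type, secret, challenge):
    """CHAP-style response of RFC 2661 section 4.4.3: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type, secret, challenge, response):
    """Constant-time comparison of a peer's response against our copy of the secret."""
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def tunnel_setup(lac_secret, lns_secret, lns_auth_enabled=True,
                 lac_challenge=b"", lns_challenge=b""):
    """Model the SCCRQ/SCCRP/SCCCN exchange between a LAC and an LNS.

    Each side holds its own copy of the tunnel secret. The tunnel comes up only
    if both Challenge Responses verify. Challenges default to fresh random
    bytes; fixed values may be passed in for a reproducible run.
    """
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)
    trace = []

    if not lns_auth_enabled:
        # Enable Tunnel Authentication = Disable: the LNS neither issues a
        # challenge nor checks one, so any peer that can reach the LNS's
        # L2TP port can bring a tunnel up.
        trace += ["LAC -> LNS: SCCRQ (no Challenge)",
                  "LNS -> LAC: SCCRP (no Challenge)",
                  "LAC -> LNS: SCCCN"]
        return {"established": True, "authenticated": False, "trace": trace}

    # LAC -> LNS: SCCRQ carrying the LAC's challenge.
    trace.append("LAC -> LNS: SCCRQ Challenge=%s" % lac_challenge.hex())

    # LNS -> LAC: SCCRP answers the LAC's challenge (ID = 2) and issues its own.
    lns_resp = challenge_response(SCCRP, lns_secret, lac_challenge)
    trace.append("LNS -> LAC: SCCRP ChallengeResponse=%s Challenge=%s"
                 % (lns_resp.hex(), lns_challenge.hex()))
    if not verify_response(SCCRP, lac_secret, lac_challenge, lns_resp):
        trace.append("LAC: SCCRP response does not verify, sending StopCCN")
        return {"established": False, "authenticated": False, "trace": trace}

    # LAC -> LNS: SCCCN answers the LNS's challenge (ID = 3).
    lac_resp = challenge_response(SCCCN, lac_secret, lns_challenge)
    trace.append("LAC -> LNS: SCCCN ChallengeResponse=%s" % lac_resp.hex())
    if not verify_response(SCCCN, lns_secret, lns_challenge, lac_resp):
        trace.append("LNS: SCCCN response does not verify, sending StopCCN")
        return {"established": False, "authenticated": False, "trace": trace}

    return {"established": True, "authenticated": True, "trace": trace}


if __name__ == "__main__":
    # Constructed secrets for the demonstration: matching, then mismatched.
    for lac, lns in ((b"tunnel-secret", b"tunnel-secret"),
                     (b"tunnel-secret", b"wrong-secret")):
        result = tunnel_setup(lac, lns)
        print("LAC %r / LNS %r -> established=%s authenticated=%s"
              % (lac, lns, result["established"], result["authenticated"]))
        for line in result["trace"]:
            print("   ", line)
    print("auth disabled ->", tunnel_setup(b"x", b"y", lns_auth_enabled=False))
```

Because the response is a plain MD5 over the secret and a nonce, the secret's strength is all that protects the exchange: an observer of the control channel can mount an offline guess against a short secret, which is why the shared secret should be long and random rather than a word such as the example values in Appendix B.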
L2TP IP Interface Parameters

The L2TP IP Interface List window (Figure A-3) contains the list of IP interfaces for each slot on the router configured with L2TP.

Figure A-3. L2TP IP Interface List Window

When you click on Change, Site Manager displays the L2TP IP Interface window (Figure A-4).

Figure A-4. L2TP IP Interface Window
The parameter descriptions follow.

Parameter: L2TP IP Interface Address
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: None
Options: Any unique IP address
Function: Specifies the IP address that identifies the L2TP IP interface for the LNS. You must provide an address for each slot configured as an LNS.
Instructions: Enter a unique IP address.
Parameter: RIP Enable
Path: Configuration Manager > Protocols > IP > L2TP > L2TP IP Interface
Default: Enable
Options: Enable | Disable
Function: Specifies whether RIP Listen is enabled on this interface. See Configuring IP, ARP, RARP, RIP, and OSPF Services for more information about RIP.
Instructions: Accept the default, Enable, so that the LNS can learn routes from a remote dial-in router. Select Disable to disable RIP.
MIB Object ID: 1.3.6.1.4.1.18.3.5.3.2.2.2.1.
Appendix B
Configuration Examples

This appendix includes two examples of L2TP network configurations. Each example describes how to configure the following devices in the L2TP network:

• Remote device (PC or router)
• LAC
• TMS
• LNS
• RADIUS server

This appendix assumes that you are familiar with L2TP configuration procedures for the router. In addition, it assumes that you are familiar with the configuration interfaces of the other network devices in the examples.
• IP addresses are assigned as follows:
  jsmart@nortelnetworks.com: 192.168.210.101
  mmark@nortelnetworks.com: 192.168.210.102

Figure B-1. Remote PC calling the corporate network (network diagram; only its labels survive extraction: the PCs of jsmart (modem) and mmark (ISDN TA) have no L2TP functionality and dial into the ISP network; LAC 1, LAC 2 and the TMS server sit on 192.32.20.0 255.255.255.0, with the ISP router at .110; the tunnel runs over Multilink PPP to the corporate router; no active call from mmark, so no tunnel is needed for that user; the domain name in the TMS database is nortelnetworks.com = 1.192.)
Configuring the Model 5399 as a LAC

LAC1 in this network is a Model 5399 Remote Access Concentrator (RAC). LAC2 is a third-party vendor's RAC. These instructions assume that you are configuring LAC1, the Model 5399, using the command line interface. For information about using the command line interface, see Managing Remote Access Concentrators Using Command Line Interfaces.

To configure the Model 5399 as a LAC, do the following:

1.
5. Configure static routes to the LNS WAN interface. The command takes the destination network, its mask, the next-hop gateway and the hop count, as in the following example:

   route add 1.192.1.0 255.255.255.0 192.32.20.110 1

   Note that each time you reboot the Model 5399, you must reconfigure the static routes. As an alternative, add the static routes to the file config.annex, which resides on the TMS.
To create the domain nortelnetworks.com, do the following at the # prompt:

1. Go to the annex directory by entering cd /usr/annex.

2. Add the domain and configure it according to Table B-2 by entering:

   ./tms_dbm add nortelnetworks.com 0 te=1.192.1.2 maxu=unlimited\
   tutype=l2tp authp=acp pauth=192.168.210.
8. Click on Edit authentication shared secret. The Enter shared secret window opens.

9. Enter server1 as the shared secret and click on Set. This secret is the same as the RADIUS primary server password configured on the LNS. You return to the main window.

10. Click on Users. The User name window opens.

11. Click on Add. The Enter User Name window opens.

12. Enter jsmart as the user name, then click on OK. The password window opens.

13.
Configuring the LNS

The LNS in this network is a BN router. For instructions on modifying LNS parameters, see Chapter 3, "Customizing L2TP Services."

To configure the router as an LNS, complete the following tasks:

1. Choose a WAN port on the slot that you want to use as the LNS.

2. Choose Frame Relay from the WAN Protocols menu. The Select Protocols window opens.

3. Choose IP, BGP, and L2TP and then click on OK. The IP Configuration window opens.

4. Enter 1.192.1.
10. Enter the following values for the L2TP IP address and mask parameters.

    Parameter Name                 Value
    L2TP IP Interface Address      1.192.2.2 (Note that this address is different from the LNS WAN interface IP address.)
    Subnet Mask                    255.255.255.0

11. Click on OK, then click on Done. You return to the Configuration Manager window.

12. Choose Protocols > Frame Relay > Interfaces. The Frame Relay Interface List window opens.

13.
Data Path Through the Network

After you configure all components of the network, jsmart can call the local ISP. The LAC that receives this call sends the user name to the TMS, which verifies the domain name and address and sends this information back to the LAC so that it can forward the data. The LAC then negotiates the initiation of the tunnel with the LNS, and the tunnel is brought up. The LNS then authenticates jsmart@nortelnetworks.com with the RADIUS server.
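The following is an added example, not code from the original manual, the Model 5399 or BayRS, that traces the data path just described together with the Remove Domain Name parameter from Appendix A: the LAC splits the dialed-in user name at the delimiter, asks a TMS-style domain table whether the domain is tunneled and where, and the LNS strips the delimiter and everything to its right before presenting the name to RADIUS. The domain table is a constructed stand-in holding only the te, tutype and maxu fields entered with tms_dbm in this example; the "@" delimiter, the case-folding of the domain and the treatment of unknown or missing domains as "no tunnel" are assumptions made for the example, not documented behaviour of the TMS.

```python
# Constructed stand-in for the TMS domain database that tms_dbm populates in
# this example. Only the fields the data path uses are modelled.
TMS_DOMAINS = {
    "nortelnetworks.com": {"te": "1.192.1.2", "tutype": "l2tp", "maxu": "unlimited"},
}

# Assumed delimiter between user name and domain name.
DOMAIN_DELIMITER = "@"


def split_user_name(full_name):
    """Return (user, domain); domain is None when the name carries no delimiter.

    Everything to the right of the first delimiter is the domain, which is what
    the Remove Domain Name parameter strips on the LNS.
    """
    user, sep, domain = full_name.partition(DOMAIN_DELIMITER)
    return (user, domain if sep else None)


def lac_tunnel_decision(full_name, tms=TMS_DOMAINS, active_sessions=None):
    """What the LAC does with a new call after asking the TMS about the domain."""
    active_sessions = active_sessions or {}   # domain -> current session count
    user, domain = split_user_name(full_name)
    if domain is None:
        return {"action": "no-tunnel", "reason": "no domain in user name"}
    key = domain.lower()                       # assumed: domain match is case-insensitive
    entry = tms.get(key)
    if entry is None:
        return {"action": "no-tunnel", "reason": "domain not in TMS database"}
    if entry["tutype"] != "l2tp":
        return {"action": "no-tunnel", "reason": "tunnel type is %s" % entry["tutype"]}
    maxu = entry["maxu"]
    if maxu != "unlimited" and active_sessions.get(key, 0) >= int(maxu):
        return {"action": "reject", "reason": "maxu reached for %s" % key}
    return {"action": "tunnel", "endpoint": entry["te"], "domain": key}


def lns_radius_user_name(full_name, remove_domain=True):
    """User-Name the LNS presents to RADIUS, per the Remove Domain Name parameter."""
    if not remove_domain:
        return full_name
    user, _domain = split_user_name(full_name)
    return user


def data_path(full_name, remove_domain=True):
    """Trace one call from the LAC through the tunnel to the LNS's RADIUS request."""
    trace = []
    decision = lac_tunnel_decision(full_name)
    trace.append("LAC: TMS lookup for %r -> %s" % (full_name, decision))
    if decision["action"] != "tunnel":
        return trace
    trace.append("LAC: L2TP tunnel to %s, session for %r"
                 % (decision["endpoint"], full_name))
    radius_name = lns_radius_user_name(full_name, remove_domain)
    trace.append("LNS: RADIUS Access-Request User-Name=%r" % radius_name)
    return trace


if __name__ == "__main__":
    for name in ("jsmart@nortelnetworks.com", "mmark@nortelnetworks.com",
                 "guest@example.org", "localuser"):
        for line in data_path(name):
            print(line)
        print()
```

With Remove Domain Name set to Disable the RADIUS user database must hold the full name including the domain, otherwise every tunneled user fails authentication at the LNS even though the LAC and TMS accepted the call.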
Example 2: Remote Router Calling the Corporate Network

Figure B-2 shows a network with an ASN router at the remote site. The ASN router is using dial-on-demand service for the dial-up connection. In this network, note the following:

• PPP is the WAN protocol for the connection between the ISP network and the corporate network.
• For the LNS configuration, you do not need to configure a static route for the remote router's network because the LNS can learn the route using RIP.
Configuring the Dial-on-Demand Remote Router

This section explains how you configure dial-on-demand on the remote ASN router. The lines are ISDN, and the ASN is using a dual Sync/ISDN BRI module. For more information about dial-on-demand, see Configuring Dial Services.

1. Configure an ISDN port and accept the default (2B+D) for the Port Application Mode parameter.

2. Add the ISDN interface to a demand pool by choosing Dialup > Demand Pools > Add.
8. Click on Add and configure the following entry, then click on OK.

   Parameter Name            Value
   Outgoing Phone Number     9785553456
   ISDN Numbering Type       Default (Unknown)
   ISDN Numbering Plan       Telephony

9. Click on Done to return to the Demand Circuits window.

10. Add IP and RIP to the demand circuit by clicking on Protocols > Add/Delete in the corner of the Demand Circuits window. The Select Protocols window opens.

11.
   Parameter Name            Value
   Directory Number          9785550002
   SPID                      0002
   ISDN Numbering Type       Default (Unknown)
   ISDN Numbering Plan       Telephony

14. Click on Done to return to the Configuration Manager window.

15. Verify that in the PPP configuration, the record Interface for Dial up Lines has RFC 1661 Compliance enabled. To do this:

   a. Choose Protocols > PPP > Interfaces.

   b. Select Interface for Dial up Lines and click on Lines. The PPP Line Lists window opens.

   c.
Configuring the Model 5399 as a LAC

LAC1 in this network is a Model 5399 Remote Access Concentrator (RAC). These instructions assume that you are configuring the Model 5399 using the command line interface. For information about using the command line interface, see Managing Remote Access Concentrators Using Command Line Interfaces.

To configure the Model 5399 as a LAC:

1. From the Model 5399 console, log on as superuser by entering su, followed by the superuser password.
5. Configure static routes to the LNS WAN interface. The command takes the destination network, its mask, the next-hop gateway and the hop count, as in the following example:

   route add 1.192.1.0 255.255.255.0 192.32.20.110 1

   Note that each time you reboot the Model 5399, you must reconfigure the static routes. As an alternative, add the static routes to the file config.annex, which resides on the TMS.
To create the domain nortelnetworks.com, do the following tasks at the # prompt:

1. Go to the annex directory by entering cd /usr/annex.

2. Add the domain and configure it according to Table B-4 by entering:

   ./tms_dbm add nortelnetworks.com 0 te=1.192.1.2 maxu=unlimited\
   tutype=l2tp authp=acp pauth=192.168.210.2

   Note: You do not specify hwtype and hwaddr for PPP connections.
7. Choose Any RAS Client, then click on OK. You return to the main window.

8. Click on Edit authentication shared secret. The Enter shared secret window opens.

9. Enter server1 as the shared secret and click on Set. This secret is the same as the RADIUS primary server password configured on the LNS. You return to the main window.

10. Click on Users. The User name window opens.

11. Click on Add. The Enter User Name window opens.

12.
Configuring the LNS

The LNS in this network is a BN router with at least two synchronous interfaces. For instructions on modifying LNS parameters, see Chapter 3, "Customizing L2TP Services."

To configure the router as an LNS, complete the following tasks:

1. Choose a WAN port on the slot that you want to use as the LNS.

2. From the WAN Protocols menu, choose PPP. The Select Protocols window opens.

3. Choose IP, RIP, BGP, and L2TP, and then click on OK.
10. Configure the L2TP interface, as follows:

    Parameter Name                 Value
    L2TP IP Interface Address      1.192.2.2 (Note that this address is different from the LNS WAN interface IP address.)
    Subnet Mask                    255.255.255.0

11. Click on OK, then, after the L2TP circuits are created, click on Done. You return to the Configuration Manager window.

12. Choose Protocols > IP > Policy Filters > BGP4 and configure BGP4 accept and announce policies.
Appendix C
Troubleshooting

To monitor your L2TP network and solve problems that may occur, first check the event log file for any messages recorded by the LNS. For information about any event message, see the event message database on the documentation CD, or access the database at http://support.baynetworks.com/library/tpubs/events.

Table C-1 provides troubleshooting solutions for common problems with your L2TP network.

Table C-1.
Table C-1. Common L2TP Network Problems and Solutions (continued)

Problem: L2TP session is not active. The LNS failed to negotiate the PPP LCP options.
What to Do: Reconfigure the host at the remote site dialing in to the ISP. For a Nortel Networks router at the remote site, check the PPP MRU/MRRU size. The LNS supports an MRU/MRRU size of 1500 only.