TMS zl Management and Configuration Guide ST.1.0.090213
4-79
Firewall
Application-Level Gateways
l2tp
The Layer 2 Tunneling Protocol (L2TP) ALG is required to cover the following two scenarios:
1. The Windows 200x L2TP Network Server (LNS) deviates from standard L2TP behavior by always sending L2TP data packets to UDP 1701 rather than to the port number from which the client initiated the connection. If NAT is employed, the firewall drops the data packets, because it expects them on the NAT port that replaced the connection's original source port, not on the original source port.
2. Tunnel recipients that pick an arbitrary port, rather than UDP 1701, during tunnel establishment.
Scenario 1. The L2TP ALG creates a new association when it receives a Start-Control-Connection-Request (SCCRQ) message from the L2TP Access Concentrator (LAC), which results in two associations in the firewall:
■ the association that is originally created by the firewall, which handles data that arrives on the port where the client initiated the connection. If NAT is used, this association permits data that arrives on the NAT port.
■ the association that is created by the ALG, which allows data packets that come from the LNS with source port UDP 1701.
Scenario 2. The L2TP ALG creates a new association with “destination port unknown” once an SCCRQ message is sent, which results in two associations in the firewall:
■ the association that is created by the firewall, which permits packets from UDP 1701
■ an association that is created by the ALG that has no specified destination port, which handles any reply packets that arrive on a port other than UDP 1701
In both of the cases above, one of the associations is eventually deleted,
depending upon which association is being used for further communication.
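The following Python model, added here as an illustration and not taken from the TMS zl firmware or this guide, shows how the two scenarios play out in a firewall's association table. It parses a constructed L2TPv2 SCCRQ control message (T bit set, Message Type AVP = 1), creates the base association for the NAT'd UDP flow, and, on seeing the SCCRQ, adds the ALG associations: one accepting packets from the LNS with source port 1701 (Scenario 1) and one with the peer port left unspecified (Scenario 2). For brevity the model holds both ALG associations at once, whereas the guide describes each scenario separately; the rule that the unused associations are dropped as soon as one carries a reply is also a simplification of the "eventually deleted" behavior described above. The class and function names, the NAT port 40001 and the peer address 203.0.113.10 are all constructed for the example.

```python
"""Model of the firewall associations created by an L2TP ALG (added example,
not the product's own code).  Addresses, ports and names are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

L2TP_PORT = 1701
SCCRQ = 1  # Message Type AVP value for Start-Control-Connection-Request


def build_sccrq(tunnel_id: int = 0) -> bytes:
    """Construct a minimal L2TPv2 SCCRQ: control header (T, L, S bits, version 2)
    followed by a mandatory Message Type AVP carrying the value 1 (SCCRQ)."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, SCCRQ)  # M bit, len 8, vendor 0, attr 0
    hdr = struct.pack("!HHHHHH", 0xC802, 12 + len(avp), tunnel_id, 0, 0, 0)
    return hdr + avp


def is_sccrq(payload: bytes) -> bool:
    """Return True if a UDP payload is an L2TPv2 control message whose first AVP
    is Message Type = SCCRQ (constructed parser; the ALG's own is not shown)."""
    if len(payload) < 6:
        return False
    flags = struct.unpack("!H", payload[:2])[0]
    if not flags & 0x8000 or (flags & 0x000F) != 2:  # T bit must be set, version 2
        return False
    off = 2
    if flags & 0x4000:  # L bit: Length field present
        off += 2
    off += 4            # Tunnel ID, Session ID
    if flags & 0x0800:  # S bit: Ns, Nr present
        off += 4
    if len(payload) < off + 8:
        return False
    avp_hdr, vendor, attr = struct.unpack("!HHH", payload[off:off + 6])
    if vendor != 0 or attr != 0 or (avp_hdr & 0x03FF) < 8:
        return False
    return struct.unpack("!H", payload[off + 6:off + 8])[0] == SCCRQ


@dataclass
class Association:
    name: str
    peer_ip: str
    peer_port: Optional[int]  # None = any source port on the peer ("port unknown")
    local_port: int           # destination port a reply must carry to match

    def matches(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        return (src_ip == self.peer_ip
                and (self.peer_port is None or src_port == self.peer_port)
                and dst_port == self.local_port)


class FirewallWithL2tpAlg:
    """Association table for one outbound L2TP flow behind NAT (model only)."""

    def __init__(self, nat_port: int):
        self.nat_port = nat_port
        self.assocs: List[Association] = []

    def outbound(self, client_port: int, peer_ip: str, peer_port: int,
                 payload: bytes) -> List[str]:
        # Base association: replies are expected on the NAT port from the peer port.
        self.assocs = [Association("firewall", peer_ip, peer_port, self.nat_port)]
        if is_sccrq(payload):
            # Scenario 1: LNS sends from UDP 1701 to the client's original port,
            # not to the NAT port (assumed here to be the destination it uses).
            self.assocs.append(Association("alg-src-1701", peer_ip, L2TP_PORT, client_port))
            # Scenario 2: recipient may answer from an arbitrary port.
            self.assocs.append(Association("alg-any-port", peer_ip, None, self.nat_port))
        return [a.name for a in self.assocs]

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[str]:
        """Return the name of the association that admits a reply, or None (drop).
        Simplification: the first association to carry traffic wins and the rest
        are deleted immediately."""
        for a in self.assocs:
            if a.matches(src_ip, src_port, dst_port):
                self.assocs = [a]
                return a.name
        return None


if __name__ == "__main__":
    fw = FirewallWithL2tpAlg(nat_port=40001)
    print(fw.outbound(1701, "203.0.113.10", 1701, build_sccrq(tunnel_id=7)))
    print(fw.inbound("203.0.113.10", 1701, 1701))  # Windows LNS, Scenario 1
```

Without the ALG the first reply in Scenario 1 (from 203.0.113.10:1701 to the client's original port 1701 instead of NAT port 40001) matches no association and is dropped, which is the failure the guide describes; with it, the `alg-src-1701` association admits the packet and the base association is removed.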
Limitations. The following are not supported:
■ Multiple tunnels between the same systems
■ Multiple tunnels with the same tunnel ID and the same tunnel recipient