
Technology Introduction VPN

L2TP

L2TP
The Layer Two Tunneling Protocol (L2TP) is a protocol for tunneling PPP packets across networks in a way that is as transparent as possible to both end-users and applications.

Note: The term router and the router icon in this document refer to a router in a generic sense or a Layer 3 switch.

VPDN Overview
A virtual private dial-up network (VPDN) is a virtual private network (VPN) that uses the dial-up function of public networks such as ISDN or PSTN to provide access services for enterprises, small Internet service providers (ISPs), and telecommuters. VPDN technology uses tunneling protocols to build virtual private networks for enterprises across public networks. Branch offices and staff on business trips can remotely access the intranet resources at headquarters through a virtual tunnel over the public network, while other users of the public network cannot. Note that the tunneling protocols themselves (L2F, PPTP, L2TP) do not encrypt the tunneled traffic; where confidentiality is required, an encryption layer such as IPsec must be added (see "L2TP features" below).

A VPDN tunnel can be set up in two ways:

1) The network access server (NAS) connects users to an enterprise gateway (for instance, a VPDN gateway) in PPP mode through a tunneling protocol such as Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP), that is, the NAS establishes the tunnel with the VPDN gateway. Configuration and creation of the tunnel are transparent to users. Users log in only once, to the enterprise gateway, which is responsible for user authentication and address assignment, so no public IP address is consumed per user. However, the NAS must support the VPDN protocol and the authentication system must support VPDN attributes.

2) The client establishes the tunnel with the VPDN gateway itself. The client first accesses the Internet and then establishes a tunnel with the gateway through dedicated client software (for example, the L2TP client built into Windows 2000). There is no limit on how and where users access the Internet, and the ISP is not involved. The need for dedicated client software (usually on the Windows 2000 platform), however, limits the platforms that users can use. In general, a router or a dedicated VPN server is used as the gateway.

VPDN tunneling protocols are of three types: PPTP, L2F, and L2TP, of which L2TP is the most widely used at present.

L2TP Overview
I. Background
The Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting multi-protocol packets over Layer 2 (L2) point-to-point links. Typically, a user obtains an L2 connection to a network access server (NAS) using technologies such as dial-up plain old telephone service (POTS), ISDN, or asymmetric digital subscriber line (ADSL). In such a configuration, PPP is used and the L2 termination point and the PPP session endpoint reside on the same physical device, namely the NAS. L2TP tunnels PPP packets. It extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected over a packet-switched network. By combining the best features of L2F and PPTP, L2TP became the Layer 2 tunneling industry standard defined by the Internet Engineering Task Force (IETF) in RFC 2661.

II. Typical application


Figure 1 shows a typical VPDN built by using L2TP.

Figure 1 VPDN built by using L2TP (a remote user and a remote branch dial in over PSTN/ISDN to the LAC; the LAC carries an L2TP tunnel across the Internet to the LNS, behind which the inner server sits)

As shown in Figure 1, a VPDN built by using L2TP includes two key components: the L2TP access concentrator (LAC) and the L2TP network server (LNS). An LAC, attached to a packet-switched network, has a PPP end system and the L2TP handling capability. An LAC is usually a network access server (NAS), which provides access services to users over PSTN or ISDN networks.


An L2TP network server (LNS) is a device providing the L2TP server side services on the PPP end system. An LAC lies between LNSs and remote systems (remote users or branches). It encapsulates the packets received from a remote system by using L2TP and sends them to the LNS, and decapsulates the packets received from the LNS and sends them to the remote system. Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in a VPDN application. An LNS, an end system of an L2TP tunnel, is the peer of an LAC. It is the logical termination point of a PPP session that is tunneled by the LAC.

III. Technical specifications


1) L2TP architecture

Figure 2 shows the relationship between the PPP frame, the control channel, and the data channel. PPP frames are transferred over the unreliable L2TP data channel, while control messages are transferred within the reliable L2TP control channel.

Figure 2 L2TP architecture (PPP frame -> L2TP data message -> L2TP data channel; L2TP control message -> L2TP control channel; both channels run over the packet transmission network)

Figure 3 L2TP packet encapsulation structure:

  IP header (public network) | UDP header | L2TP header | PPP header | IP header (private network) | Data

Figure 3 depicts the encapsulation of an L2TP data packet between the LAC and the LNS. L2TP data is usually carried in User Datagram Protocol (UDP) packets. The well-known UDP port for L2TP is 1701, which is only guaranteed to be used in the initial tunnel creation stage: the tunnel initiator selects a free source port (not necessarily 1701) and sends its first packet to port 1701 of the receiver. The receiver may reply from a different free port (again not necessarily 1701) to the port the initiator used. From then on, the two parties use these negotiated ports until the tunnel is torn down. In practice most implementations keep 1701 at both ends, and firewall rules for plain L2TP commonly permit UDP 1701 in both directions; when L2TP runs over IPsec, the UDP packet is itself encapsulated in ESP (or in UDP port 4500 when NAT traversal is in use), so port 1701 is not visible on the public network.

2) Tunnel and session

Two types of connections are present between an LNS and an LAC: tunnel and session. A tunnel is between an LNS and an LAC.


A session is multiplexed on a tunnel and represents one PPP session carried within the tunnel. Multiple L2TP tunnels can exist between an LNS-LAC pair. A tunnel consists of a control connection and zero or more sessions. A session can be set up only after the tunnel has been created successfully. A session corresponds to one PPP data stream between the LAC and the LNS. Both control messages and PPP frames are transferred on the tunnel. L2TP uses Hello messages to check the connectivity of a tunnel: the LAC and LNS regularly send Hello messages to each other, and if no acknowledgment is received within a certain period of time, the tunnel is torn down.

3) Control message and data message

L2TP supports two types of messages: control message and data message. Control messages are intended for establishment and maintenance of tunnels and sessions and for transmission control. Control messages are transmitted over a reliable channel, which supports flow control and congestion control. Data messages are intended to encapsulate PPP frames to be tunneled. Data messages are transmitted over an unreliable channel without flow control, congestion control, and retransmission mechanisms. Control messages and data messages share the same header structure. An L2TP header contains a tunnel ID and a session ID, which are used to identify the tunnel and session respectively. Packets with the same tunnel ID but different session IDs are multiplexed to the same tunnel. The tunnel ID and session ID in a header are those of the intended receiver, not the sender.
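To make the header layout and the control/data distinction above concrete, here is an added example (not code from the original document) that parses the L2TP header shared by control and data messages, enforces the flag combinations RFC 2661 mandates, and reads the Message Type AVP that must open every control message. The sample datagrams it builds are constructed for the example; the builder and parser names are the example's own.

```python
"""Parser for the L2TPv2 header (RFC 2661) shared by control and data messages.

Added example, not code from the original document. The datagrams built at the
bottom are constructed samples; field layout, flag bits and message-type codes
follow RFC 2661.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits in the first 16-bit word of the header (RFC 2661 section 3.1).
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present (mandatory for control messages)
S_BIT = 0x0800   # Ns/Nr present (mandatory for control messages)
O_BIT = 0x0200   # Offset Size present (data messages only)
P_BIT = 0x0100   # Priority (data messages only)
VER_MASK = 0x000F  # must be 2 for L2TPv2

# Control message types carried in the mandatory first AVP (attribute type 0).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}


@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int           # tunnel ID of the *receiver* (0 until the peer assigns one)
    session_id: int          # session ID of the receiver (0 for tunnel-level control messages)
    length: Optional[int]    # None when the L bit is clear
    ns: Optional[int]        # sequence number of this message (control only)
    nr: Optional[int]        # next sequence number expected from the peer
    payload: bytes           # AVP list (control) or PPP frame (data)
    message_type: Optional[str] = None  # decoded from the first AVP of a control message


def parse_message_type_avp(avps: bytes) -> str:
    """The first AVP of every non-ZLB control message must be Message Type."""
    if len(avps) < 8:
        raise ValueError("control body too short for a Message Type AVP")
    avp_hdr, vendor_id, attr_type = struct.unpack_from("!HHH", avps, 0)
    hidden, avp_len = bool(avp_hdr & 0x4000), avp_hdr & 0x03FF
    if vendor_id != 0 or attr_type != 0 or avp_len != 8 or hidden:
        raise ValueError("first AVP is not an unhidden Message Type AVP")
    (mtype,) = struct.unpack_from("!H", avps, 6)
    return MESSAGE_TYPES.get(mtype, f"unknown({mtype})")


def parse_l2tp(datagram: bytes) -> L2TPMessage:
    """Decode one UDP payload; raise ValueError on anything RFC 2661 forbids."""
    if len(datagram) < 6:
        raise ValueError("datagram too short for an L2TP header")
    (flags,) = struct.unpack_from("!H", datagram, 0)
    if (flags & VER_MASK) != 2:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    is_control = bool(flags & T_BIT)
    has_len, has_seq = bool(flags & L_BIT), bool(flags & S_BIT)
    has_off, prio = bool(flags & O_BIT), bool(flags & P_BIT)
    # Control messages MUST set L and S and MUST clear O and P.
    if is_control and not (has_len and has_seq and not has_off and not prio):
        raise ValueError("control message with illegal flag combination")
    header_len = 6 + (2 if has_len else 0) + (4 if has_seq else 0) + (2 if has_off else 0)
    if len(datagram) < header_len:
        raise ValueError("datagram shorter than its own header")
    pos, length = 2, None
    if has_len:
        (length,) = struct.unpack_from("!H", datagram, pos)
        pos += 2
        if length > len(datagram) or length < header_len:
            raise ValueError("Length field inconsistent with datagram size")
        datagram = datagram[:length]  # bytes past Length are ignored
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    if has_off:
        (offset,) = struct.unpack_from("!H", datagram, pos)
        pos += 2 + offset  # skip Offset Size and its padding
        if pos > len(datagram):
            raise ValueError("Offset Size runs past end of datagram")
    msg = L2TPMessage(is_control, tunnel_id, session_id, length, ns, nr, datagram[pos:])
    if is_control and msg.payload:  # empty body is a ZLB acknowledgment
        msg.message_type = parse_message_type_avp(msg.payload)
    return msg


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, mtype: int) -> bytes:
    """Minimal control message: 12-byte header plus a Message Type AVP (M bit set, length 8)."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, mtype)
    hdr = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(avp), tunnel_id, session_id, ns, nr)
    return hdr + avp


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Minimal data message: 6-byte header (no L/S/O bits) followed by the PPP frame."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


if __name__ == "__main__":
    # Constructed samples: the LAC's opening SCCRQ (receiver tunnel ID still 0) and a
    # data message for tunnel 7 / session 3 carrying a PPP IPv4 frame (FF 03 00 21 ...).
    print(parse_l2tp(build_control(0, 0, 0, 0, 1)))
    print(parse_l2tp(build_data(7, 3, b"\xff\x03\x00\x21" + bytes(20))))
```

Running it prints the decoded SCCRQ and data message. Note that the tunnel ID in the opening SCCRQ is 0: the LNS has not yet assigned one, which is exactly the "IDs of the intended receiver" rule stated above. The parser rejects a control message with the O or P bit set and any Length field that disagrees with the datagram, the two checks a receiver needs before trusting the Ns/Nr fields it uses for acknowledgment and retransmission.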

IV. Two typical L2TP tunnel modes


Figure 4 shows two typical tunnel modes:

1) Tunnel between a remote system and the LNS.
2) Tunnel between an LAC client (a host running L2TP) and the LNS.

Figure 4 Two typical L2TP tunnel modes (top: LAC client -> Internet -> LNS -> inner server; bottom: remote system -> PSTN/ISDN -> LAC -> Internet, frame relay or ATM -> LNS -> inner server)

Each tunnel mode has a different tunnel initiator:

1) A tunnel between a remote user and an LNS is triggered by the remote dial-up user's call and set up by the LAC. In this mode, the remote system dials in to the LAC through PSTN or ISDN, and the LAC initiates a tunneling request to the LNS over the Internet. Upon receipt of the tunneling request, the LNS assigns an address to the dial-up user. Authentication and accounting of the remote dial-up user can be implemented either by proxy on the LAC side or by the LNS.

2) A tunnel between an LAC client and an LNS is initiated directly by the LAC client. In this mode, the LAC client (the host itself) sends the tunneling request to the LNS, without requiring an independent LAC. The LNS assigns an address to the LAC client.

V. L2TP tunnel establishment


Figure 5 shows a typical L2TP network.

Figure 5 Typical L2TP network (Host A dials over PSTN/ISDN in to Router A, the LAC, which has its own RADIUS server; Router A tunnels across the WAN/IP network to Router B, the LNS, which has its own RADIUS server and fronts Host B and Host C on the enterprise network)

Figure 6 shows the setup procedure of an L2TP call.

Figure 6 L2TP call setup procedure (participants: client, LAC (Router A), LAC RADIUS server, LNS (Router B), LNS RADIUS server; messages: (1) call setup, (2) PPP LCP setup, (3) PAP or CHAP authentication, (4) access request, (5) access accept, (6) tunnel setup, (7) tunnel CHAP authentication (challenge/response), (8) authentication passes, (9) user CHAP response and PPP negotiation parameters, (10) access request, (11) access accept, (12) second CHAP authentication of the user (challenge/response), (13) access request, (14) access accept, (15) authentication passes)

The setup procedure of an L2TP call is as follows:

1) The remote user makes a PPP call.
2) The remote user and the LAC (Router A) perform PPP LCP negotiation.
3) The LAC authenticates the remote user using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
4) The LAC sends the authentication information (the username and password, or the CHAP challenge and response) to its RADIUS server for authentication.
5) The LAC RADIUS server authenticates the user.
6) If the user passes authentication, the LAC initiates a tunneling request to the LNS.
7) If tunnel authentication is required, the LAC sends a CHAP-style challenge to the LNS. The LNS returns its response and sends its own challenge to the LAC; the LAC in turn returns its response to the LNS.
8) The tunnel passes authentication.
9) The LAC forwards the user's CHAP response, the response identifier, and the PPP negotiation parameters to the LNS (proxy authentication).
10) The LNS sends an access request to its RADIUS server for authentication.
11) The LNS RADIUS server authenticates the access request and returns an Access-Accept if the user passes authentication.
12) If the LNS is configured to perform mandatory CHAP authentication of the user, the LNS sends a CHAP challenge to the user and the user returns a CHAP response.
13) The LNS resends the access request to its RADIUS server for authentication.
14) The RADIUS server authenticates the access request and returns an Access-Accept if the user passes authentication.
15) The LNS assigns an internal IP address to the remote user. Now, the user can access the internal resources of the enterprise network.
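The tunnel authentication of steps 7 and 8, as an added example that is not part of the original document. It models an LAC and an LNS sharing a tunnel secret and runs the SCCRQ/SCCRP/SCCCN exchange with the CHAP-style Challenge and Challenge Response AVPs of RFC 2661 (sections 4.4.3 and 5.1.1). Messages are represented as Python dicts rather than encoded AVPs, and the secret and the endpoint names RouterA and RouterB are assumed for the example.

```python
"""L2TP tunnel authentication between LAC and LNS (RFC 2661 sections 4.4.3 and 5.1.1).

Added example, not code from the original document. The control messages are
dicts of the relevant AVP values rather than wire encodings; secret and
challenges are constructed here. The response formula is the RFC's CHAP-style
one: MD5(ID || secret || challenge), where the one-octet ID is the Message Type
of the message carrying the response (SCCRP = 2, SCCCN = 3).
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(message_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value; folding in the ID makes the two directions differ."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One end of the control connection (an LAC or an LNS) holding the tunnel secret."""

    def __init__(self, name: str, secret: bytes, rng: Callable[[int], bytes] = os.urandom):
        self.name = name
        self.secret = secret
        self.rng = rng
        self.sent_challenge: Optional[bytes] = None
        self.peer_authenticated = False

    def new_challenge(self) -> bytes:
        self.sent_challenge = self.rng(16)  # fresh random challenge, never reused
        return self.sent_challenge

    def verify(self, message_type: int, response: bytes) -> bool:
        if self.sent_challenge is None:
            return False  # a response to a challenge this side never issued
        expected = challenge_response(message_type, self.secret, self.sent_challenge)
        self.peer_authenticated = hmac.compare_digest(expected, response)
        self.sent_challenge = None  # exactly one response is accepted per challenge
        return self.peer_authenticated


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Three-message control connection setup with mutual tunnel authentication."""
    # SCCRQ, LAC -> LNS: carries the LAC's Challenge AVP.
    sccrq = {"type": SCCRQ, "challenge": lac.new_challenge()}
    # SCCRP, LNS -> LAC: answers the LAC's challenge and adds the LNS's own Challenge AVP.
    sccrp = {"type": SCCRP,
             "response": challenge_response(SCCRP, lns.secret, sccrq["challenge"]),
             "challenge": lns.new_challenge()}
    if not lac.verify(SCCRP, sccrp["response"]):
        return False  # a real LAC would send StopCCN and tear the tunnel down here
    # SCCCN, LAC -> LNS: answers the LNS's challenge; the tunnel is up once this verifies.
    scccn = {"type": SCCCN,
             "response": challenge_response(SCCCN, lac.secret, sccrp["challenge"])}
    return lns.verify(SCCCN, scccn["response"])


if __name__ == "__main__":
    secret = b"constructed-tunnel-secret"  # assumed shared secret for the example
    print(establish_tunnel(TunnelEndpoint("RouterA", secret), TunnelEndpoint("RouterB", secret)))
    print(establish_tunnel(TunnelEndpoint("RouterA", secret), TunnelEndpoint("RouterB", b"wrong")))
```

A mismatched secret fails at the LAC's check of SCCRP, so the exchange never reaches SCCCN. Two points worth noting: the message-type octet folded into the hash means a response captured in one direction cannot be replayed in the other, and the scheme authenticates only the control connection between LAC and LNS. It gives the data channel no integrity or confidentiality, which is why L2TP is deployed over IPsec when the path between them is untrusted (see section VI).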

VI. L2TP features


1) Flexible identity authentication mechanism and high security

L2TP itself provides no confidentiality or integrity protection for the tunneled traffic, and its optional tunnel authentication (a CHAP-style challenge/response on a shared tunnel secret) authenticates only the control connection between LAC and LNS. What L2TP does carry is the full PPP authentication of the user (CHAP or PAP). When choosing between them, note that PAP sends the password in clear text over the PPP link, and CHAP sends an MD5 response that can be attacked offline by anyone who captures the challenge and response; neither encrypts the session. For data security, L2TP is therefore combined with IPsec (L2TP/IPsec): IPsec ESP protects the UDP/L2TP packet between the tunnel endpoints so that the tunneled data cannot be read or modified in transit. Tunnel encryption, end-to-end data encryption, and end-to-end application-layer encryption can likewise be layered on L2TP for higher data security as required.

2) Multi-protocol transmission

L2TP tunnels PPP frames, which can encapsulate packets of multiple network layer protocols.

3) RADIUS authentication

An LAC can send the username and password of a remote user to a RADIUS server for authentication.

4) Private address allocation

An LNS can reside behind the firewall of a corporate network, dynamically allocating private addresses (RFC 1918) to remote users and managing the corporate private address space. This facilitates address management and improves security.

5) Accounting flexibility

Accounting can be carried out on the LAC and LNS simultaneously, allowing bills to be generated on the ISP side and charging and auditing to take place on the enterprise gateway. L2TP can provide accounting data such as inbound and outbound traffic statistics (in packets and bytes) and connection start and end times. All these enable flexible accounting.

6) Reliability

L2TP supports LNS backup. When the connection to the primary LNS is torn down, an LAC can establish a new one with a secondary LNS, enhancing the reliability and fault tolerance of VPN services.
