L2TP Implementation
L2TP is implemented on four levels:
- Source—The local router acting as the LAC.
- Destination—The remote router acting as the LNS.
- Tunnel—A direct path between the LAC and the LNS.
- Session—A PPP connection in a tunnel.
When the router has established destinations, tunnels, and sessions, you can control the L2TP traffic. Making a change to a destination affects all tunnels and sessions to that destination; making a change to a tunnel affects all sessions in that tunnel. For example, closing a destination closes all tunnels and sessions to that destination.
Sequence of Events on the LAC
The router acting as the LAC creates destinations, tunnels, and sessions dynamically, as follows:
- The client initiates a PPP connection with the router.
- The router and the client exchange Link Control Protocol (LCP) packets. The LAC negotiates on behalf of the LNS; this is known as proxy LCP.
- The LAC authenticates the client on behalf of the LNS; this is known as proxy authentication. By using either a local database related to the domain name or RADIUS authentication, the router determines either to terminate or to tunnel the PPP connection.
- If the router discovers that it should tunnel the session,
it does the following:
- Sets up a new destination or selects an existing destination.
- Sets up a new tunnel or selects an existing tunnel.
When a shared secret is configured in either the tunnel profile or the RADIUS attribute Tunnel-Password [69]—depending on which method is used to configure the tunnel—the secret is used to authenticate the tunnel during the establishment phase. The LAC includes the Challenge AVP in the SCCRQ message sent to the LNS. The LNS returns the Challenge Response AVP in the SCCRP message. If the response from the LNS does not match the value expected by the LAC, then tunnel authentication fails and the tunnel is not established.
- Opens a new session.
- The router forwards the results of the LCP negotiations and authentication to the LNS.
A PPP connection now exists between the client and the LNS.
 | Note: The router discards received packets if the size of the variable-length, optional offset pad field in the L2TP header is too large. The router always supports packets that have an offset pad field of up to 16 bytes, and may support larger offset pad fields, depending on other information in the header. This restriction is a possible, although unlikely, cause of excessive discarding of L2TP packets. |
Sequence of Events on the LNS
A router acting as an LNS might be set up as follows:
- The LAC initiates a tunnel with the router acting as the LNS.
- The LNS verifies that a tunnel with this LAC is valid: the destination is configured, the hostname and the tunnel password are correct.
- The LNS completes the tunnel setup with the LAC.
- The LAC sets up a session and initiates a session request to the LNS.
- The LNS uses a static interface or creates a dynamic interface to anchor the PPP session.
- If they are enabled and present, the LNS accepts the proxy LCP and the proxy authentication data and passes them to PPP.
- PPP processes the proxy LCP, if it is present, and, if the proxy LCP is acceptable, places LCP on the LNS in opened state without renegotiation of LCP.
- PPP processes the proxy authentication data, if it is
present, and passes the data to AAA for verification. (If the data
is not present, PPP requests the data from the peer.)
Note: When the proxy LCP is not present or not acceptable, the LNS negotiates LCP with the peer. When LCP renegotiation is enabled on the LNS, the LNS ignores any pre-negotiated LCP parameters and renegotiates both the LCP parameters and PPP authentication with the PPP client.
- The LNS passes the authentication results to the peer.
