
Supported Platforms

L2TP Minimum Configuration

To configure L2TP services, you must perform at least the following tasks:

  • Define a tunnel group at the [edit services l2tp] hierarchy level with the following attributes:

    • l2tp-access-profile—Profile name for the L2TP tunnel.
    • ppp-access-profile—Profile name for the L2TP user.
    • local-gateway—Address for the L2TP tunnel.
    • service-interface—AS PIC interface for the L2TP service.
    • Optionally, you can configure traceoptions for debugging purposes. Note that flag all with the filter below logs the full UDP, L2TP, PPP and RADIUS exchange, so enable it only while troubleshooting and protect the trace files as you would any capture of authentication traffic.
    The following example shows a minimum configuration for a tunnel group with trace options:
    [edit services l2tp]
    tunnel-group finance-lns-server {
        l2tp-access-profile westcoast_bldg_1_tunnel;
        ppp-access-profile westcoast_bldg_1;
        local-gateway {
            address 10.21.255.129;
        }
        service-interface sp-1/3/0;
    }
    traceoptions {
        flag all;
        filter {
            protocol udp;
            protocol l2tp;
            protocol ppp;
            protocol radius;
        }
    }
  • At the [edit interfaces] hierarchy level:

    • Identify the physical interface on which L2TP tunnel packets enter the router, for example ge-0/3/0.
    • Configure the AS PIC interface with unit 0 family inet defined for IP service, and configure another logical unit with family inet and the dial-options statement. The l2tp-interface-id on that unit is the value the access profile's interface-id must match.
    The following example shows a minimum interfaces configuration for L2TP:
    [edit interfaces]
    ge-0/3/0 {
        unit 0 {
            family inet {
                address 10.58.255.129/28;
            }
        }
    }
    sp-1/3/0 {
        unit 0 {
            family inet;
        }
        unit 20 {
            dial-options {
                l2tp-interface-id test;
                shared;
            }
            family inet;
        }
    }
  • At the [edit access] hierarchy level:

    • Configure a tunnel profile. Each client stanza names one L2TP Access Concentrator (LAC) and carries an interface-id value that matches the l2tp-interface-id configured on the AS PIC interface unit; shared-secret is the secret used for tunnel authentication between the LAC and the L2TP Network Server (LNS), so it must be identical on both ends. Junos stores it in the configuration in the reversible $9$ encoding, so treat configuration backups and displayed configurations as sensitive.
    • Configure a user profile. If RADIUS is the authentication method, the profile must say so with authentication-order radius.
    • Define the RADIUS server with an IP address, port, and the secret shared between the router and the RADIUS server.

      Note: When the L2TP Network Server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address that came into the IP-Address option of the IPCP Configuration Request packet.

    • Optionally, you can define a group profile for common attributes, for example keepalive 0 to turn off PPP keepalive messages (with keepalives off, a session whose peer has silently gone away is not torn down by the keepalive mechanism).
    The following example shows a minimum profiles configuration for L2TP:
    [edit access]
    group-profile westcoast_users {
        ppp {
            keepalive 0;
        }
    }
    profile westcoast_bldg_1_tunnel {
        client production {
            l2tp {
                interface-id test;
                shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
            }
            user-group-profile westcoast_users;
        }
    }
    profile westcoast_bldg_1 {
        authentication-order radius;
    }
    radius-server {
        192.168.65.63 {
            port 1812;
            secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
        }
    }
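What the shared-secret in the tunnel profile actually does, as an added example that is not Junos code and not part of this page: the LAC and LNS prove possession of the same secret during tunnel setup using the RFC 2661 section 5.1.1 computation, response = MD5(message-type octet || shared secret || peer's challenge), carried in the SCCRQ/SCCRP/SCCCN exchange. The endpoint names, the plaintext secret and the random challenges below are constructed for illustration; the page only shows the encrypted $9$ form.

```python
import hashlib
import hmac
import os

# L2TP control message types used during tunnel establishment (RFC 2661).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(message_type: int, shared_secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 section 5.1.1 tunnel authentication:
    response = MD5(message-type octet || shared secret || peer's challenge).
    MD5 is what the protocol mandates; the protection comes from the secret
    being unknown to anyone who can sniff the UDP 1701 control channel."""
    return hashlib.md5(bytes([message_type]) + shared_secret + challenge).digest()


class Endpoint:
    """One tunnel endpoint (LAC or LNS) holding its copy of the shared secret.
    Constructed for this example; not a model of the Junos implementation."""

    def __init__(self, name: str, shared_secret: bytes, rng=os.urandom):
        self.name = name
        self.secret = shared_secret
        self.rng = rng
        self.my_challenge = b""

    def new_challenge(self) -> bytes:
        # A fresh random challenge per attempt; reusing one would let a captured
        # response be replayed against this endpoint.
        self.my_challenge = self.rng(16)
        return self.my_challenge

    def respond(self, message_type: int, peer_challenge: bytes) -> bytes:
        return challenge_response(message_type, self.secret, peer_challenge)

    def verify(self, message_type: int, response: bytes) -> bool:
        expected = challenge_response(message_type, self.secret, self.my_challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac: Endpoint, lns: Endpoint) -> list:
    """Run the three-way SCCRQ/SCCRP/SCCCN exchange with mutual authentication.
    Returns the message transcript; the last entry is ESTABLISHED or StopCCN."""
    transcript = []
    # 1. LAC -> LNS: SCCRQ carries the LAC's challenge.
    c_lac = lac.new_challenge()
    transcript.append(("SCCRQ", lac.name, lns.name, {"Challenge": c_lac.hex()}))
    # 2. LNS -> LAC: SCCRP answers the LAC's challenge and issues the LNS's own.
    r_lns = lns.respond(SCCRP, c_lac)
    c_lns = lns.new_challenge()
    transcript.append(("SCCRP", lns.name, lac.name,
                       {"Challenge Response": r_lns.hex(), "Challenge": c_lns.hex()}))
    if not lac.verify(SCCRP, r_lns):
        transcript.append(("StopCCN", lac.name, lns.name,
                           {"reason": "LNS failed tunnel authentication"}))
        return transcript
    # 3. LAC -> LNS: SCCCN answers the LNS's challenge.
    r_lac = lac.respond(SCCCN, c_lns)
    transcript.append(("SCCCN", lac.name, lns.name, {"Challenge Response": r_lac.hex()}))
    if not lns.verify(SCCCN, r_lac):
        transcript.append(("StopCCN", lns.name, lac.name,
                           {"reason": "LAC failed tunnel authentication"}))
        return transcript
    transcript.append(("ESTABLISHED", lac.name, lns.name, {}))
    return transcript


def tunnel_up(transcript: list) -> bool:
    return transcript[-1][0] == "ESTABLISHED"


if __name__ == "__main__":
    # Constructed plaintext secret; the page stores the real one as "$9$..." SECRET-DATA.
    secret = b"westcoast_bldg_1-tunnel-secret"
    good = establish_tunnel(Endpoint("LAC production", secret),
                            Endpoint("LNS finance-lns-server", secret))
    bad = establish_tunnel(Endpoint("LAC rogue", b"guessed-secret"),
                           Endpoint("LNS finance-lns-server", secret))
    for msg_type, src, dst, avps in good + bad:
        print(f"{msg_type:11s} {src} -> {dst} {avps}")
```

Two things worth noticing when you run it: a LAC with the wrong secret is rejected at SCCRP, before it ever gets to send SCCCN, and every run produces different challenge and response values because the challenges are random. Both are what you should expect to see in the L2TP traceoptions output when a client's shared-secret does not match the profile.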

Published: 2013-02-15
