L2TP Minimum Configuration

To configure L2TP services, you must perform at least the following tasks:

• Define a tunnel group at the [edit services l2tp] hierarchy level with the following attributes:

  • l2tp-access-profile—Profile name for the L2TP tunnel.
  • ppp-access-profile—Profile name for the L2TP user.
  • local-gateway—Address for the L2TP tunnel.
  • service-interface—AS PIC interface for the L2TP service.
  • Optionally, you can configure traceoptions for debugging purposes.
  The following example shows a minimum configuration for a tunnel group with trace options:

  [edit services l2tp]

  tunnel-group finance-lns-server {

  l2tp-access-profile westcoast_bldg_1_tunnel;

  ppp-access-profile westcoast_bldg_1;

  local-gateway {

  address 10.21.255.129;

  }

  service-interface sp-1/3/0;

  }

  traceoptions {

  flag all;

  filter {

  protocol udp;

  protocol l2tp;

  protocol ppp;

  protocol radius;

  }

  }

• At the [edit interfaces] hierarchy level:

  • Identify the physical interface at which L2TP tunnel packets enter the router, for example ge-0/3/0.
  • Configure the AS PIC interface with unit 0 family inet defined for IP service, and configure another logical interface with family inet and the dial-options statement.
  The following example shows a minimum interfaces configuration for L2TP:

  [edit interfaces]

  ge-0/3/0 {

  unit 0 {

  family inet {

  address 10.58.255.129/28;

  }

  }

  }

  sp-1/3/0 {

  unit 0 {

  family inet;

  }

  unit 20 {

  dial-options {

  l2tp-interface-id test;

  shared;

  }

  family inet;

  }

  }

• At the [edit access] hierarchy level:

  • Configure a tunnel profile. Each client specifies a unique L2TP Access Concentrator (LAC) name with an interface-id value that matches the one configured on the AS PIC interface unit; shared-secret is authentication between the LAC and the L2TP Network Server (LNS).
  • Configure a user profile. If RADIUS is used as the authentication method, it needs to be defined.
  • Define the RADIUS server with an IP address, port, and authentication data shared between the router and the RADIUS server.

    Note: When the L2TP Network Server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address that came into the IP-Address option of the IPCP Configuration Request packet.

  • Optionally, you can define a group profile for common attributes, for example keepalive 0 to turn off keepalive messages.
  The following example shows a minimum profiles configuration for L2TP:

  [edit access]

  group-profile westcoast_users {

  ppp {

  keepalive 0;

  }

  }

  profile westcoast_bldg_1_tunnel {

  client production {

  l2tp {

  interface-id test;

  shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA

  }

  user-group-profile westcoast_users;

  }

  }

  profile westcoast_bldg_1 {

  authentication-order radius;

  }

  radius-server {

  192.168.65.63 {

  port 1812;

  secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA

  }

  }