3Com Router User Manual
42 CONFIGURING VPN

This chapter covers the following topics:
■ VPN Overview
■ Basic Networking Applications of VPN
■ Classification of IP VPN

VPN Overview

A VPN establishes a private network on a public network by creating a "virtual", or logical, network from the resources of the existing network. Carriers can use their spare network resources to provide VPN service and thereby profit from those resources to the maximum extent. In addition:

■ VPNs are used by enterprises or user groups to securely access remote networks. From the perspective of VPN users, it makes no difference whether they use a VPN service or a traditional private network. Being a private network, a VPN keeps its resources independent from those of the carrying network: the resources of one VPN cannot be used by other VPNs on the same carrying network, nor by network users who do not belong to that VPN. The VPN is isolated well enough that the internal information within it is protected from intrusion by external users.
■ VPN technology is more complicated than the mechanisms of ordinary point-to-point applications. Network interconnection between the users of private networks is required for VPN service, including the creation of the VPN internal network topology, route calculation, and the adding and deleting of members.

The advantages of VPN include:

■ The security of data transport can be ensured. With VPN, reliable and safe connections can be established between remote users, branches of companies and commercial partners, and between suppliers and company headquarters. This advantage is especially significant in the integration of e-commerce or financial networks with communication networks.
■ Communicating information over public networks decreases the cost for enterprises of connecting their remote branches, staff on business trips and business partners. It also improves the utilization of network resources and thereby increases the profits of Internet Service Providers (ISPs).
■ VPN users can be added and deleted by configuring parameters, without changing hardware, which makes VPN applications highly flexible.
■ With VPN, users can make mobile access at any time and from any place, meeting the increasing demand for mobile service.
■ A VPN with service quality guarantees can provide different levels of service quality to users by charging differently for different services.

Basic Networking Applications of VPN

An enterprise that has an intranet established with VPN is shown in the following figure.

Figure 178 Schematic diagram of VPN networking
(Figure elements: POP, PC, PSTN/ISDN, Partner, Remote user, Internal server, Internet, Headquarters)

In this configuration, users who need the internal resources of the enterprise access the POP (Point of Presence) server of the local ISP via PSTN or ISDN, and through it reach the internal resources of the enterprise. Traditional WAN construction techniques can only supply this service with leased lines between the sites. After a VPN is established, remote users and clients in other places can access the internal resources of the enterprise even if they do not have Internet access authority given by the local ISP. The VPN service of an enterprise only requires a server supporting VPN (a Windows NT server or a router). After connecting to the local POP server via PSTN or ISDN, users who want a resource directly call the remote server of the enterprise (the VPN server). The access server of the ISP, together with the VPN server, completes the call process.

Classification of IP VPN

IP VPN is the emulation of the leased line services (remote dial-up and DDN) of WAN equipment using IP facilities (including the public Internet or a private IP backbone network). IP VPNs are classified by:
■ Operation Mode
■ Tunnel Protocols
■ Service Purpose
■ Networking Model

Operation Mode

VPNs can be CPE-based or network-based. A CPE-based VPN requires the installation of networking and authentication equipment to support establishment of the VPN; it also requires configuration and administration of WAN resources and bandwidth management. In a network-based VPN, maintenance of the VPN is handed to the ISP, although users are allowed to manage and control services to some extent. VPN functions are mainly fulfilled on equipment at the network side. This type of service reduces the investment of the users and increases the flexibility and scalability of services, bringing profits to the service providers.
Tunnel Protocols

Tunnel protocols are divided into layer 2 tunneling protocols and layer 3 tunneling protocols, depending on the OSI layer at which the tunneling is implemented.

Layer 2 tunneling protocols

A layer 2 tunneling protocol encapsulates the whole PPP frame in the tunnel. The current layer 2 tunneling protocols mainly include:
■ Point-to-Point Tunneling Protocol (PPTP): supported by Microsoft Corporation, Lucent Technologies and 3Com Corporation, and supported in Windows NT 4.0 and above. This protocol supports the tunneling encapsulation of PPP on IP networks. Being a call control and management protocol, PPTP adopts the enhanced Generic Routing Encapsulation (GRE) technique to provide encapsulation with flow and congestion control for the transmitted PPP packets.
■ Layer 2 Forwarding Protocol (L2F): supports the tunneling encapsulation of higher-level protocols at the link layer, allowing the dial-up server and the dial-up protocol connection to be physically separated.
■ Layer 2 Tunneling Protocol (L2TP): drafted by the IETF with the assistance of companies such as Microsoft Corporation. It integrates the advantages of the above two protocols and has therefore been accepted by most enterprises as the standard (RFC). L2TP can be used not only for dial-up VPN (VPDN access) services but also for leased line VPN services.

Layer 3 tunneling protocols

A layer 3 tunneling protocol starts from and ends in the ISP network. The PPP session ends at the NAS and only layer 3 messages are carried over the tunnel. The current layer 3 tunneling protocols include:
■ Generic Routing Encapsulation (GRE) protocol: used to encapsulate any network layer protocol in another network layer protocol.
■ IP Security (IPSec) protocols: IPSec is composed of multiple protocols, such as Authentication Header (AH), Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE).
They build a complete data security architecture on IP networks. GRE and IPSec are mainly used for VPN leased line services.

Comparison of layer 2 and layer 3 tunnel protocols

A layer 3 tunnel is more secure, scalable and reliable. In terms of security, because a layer 2 tunnel usually ends on equipment at the user side, there is a high demand for security and firewall technology on the user network. A layer 3 tunnel usually ends at an ISP gateway and does not impose any threat to the security of the user's network.

In terms of scalability, transmission efficiency may be degraded on a layer 2 IP tunnel because whole PPP frames are encapsulated, and the PPP session runs through the entire tunnel and ends on equipment at the user side. The gateway at the user side must therefore store status and information about every PPP session, which affects the load and scalability of the system. In addition, because the LCP and NCP negotiations of PPP are very time sensitive, the efficiency of the IP tunnel leads to a series of problems, such as PPP session timeouts. A layer 3 tunnel, by contrast, ends at the ISP gateway and the PPP session ends at the NAS, so it is unnecessary for the gateway at the user end to manage and maintain the status of every PPP session, which improves system performance.

Generally, layer 2 and layer 3 tunnel protocols are used independently; combining L2TP with the IPSec protocol provides better performance and security for users.

Service Purpose

VPNs are also classified according to the type of service they provide:
■ Intranet VPN: In an intranet VPN, the branches of an enterprise, wherever located, are interconnected through the public network. It is the extension of, or a substitute for, traditional leased line networks or other enterprise networks.
■ Access VPN: An access VPN provides a means for staff on business errands, remote personnel and SOHO users to establish private connections with the intranet or extranet of the enterprise through public networks. Access VPN has two types: client-initiated VPN connections and NAS-initiated VPN connections.
■ Extranet VPN: An extranet VPN extends an intranet to partners and clients through VPN, so that different enterprises can build their VPNs using public networks.

Networking Model

VPNs are classified by the type of networking model that they use:
■ Virtual Leased Line (VLL): VLL emulates the traditional leased line service with the help of the IP network, and hence provides an asymmetrical and inexpensive leased line service. For the users at both ends of the VLL, the VLL is similar to a traditional leased line.
■ Virtual Private Dial-up Network (VPDN): VPDN is implemented using the dial-up and access services of the public network (ISDN and PSTN), and provides access services for enterprises, small ISPs and mobile offices.
■ Virtual Private LAN Segment (VPLS) service: In VPLS, LANs are interconnected through a virtual private segment with the help of IP public networks. It is the extension of a LAN across the IP public network.
■ Virtual Private Routing Network (VPRN) service: VPRN implements the interconnection of headquarters, branches and remote offices by managing virtual routers, with the aid of IP public networks. There are two ways to implement the service: one uses traditional VPN protocols such as IPSec and GRE, and the other uses MPLS (Multi-Protocol Label Switching) technology.
43 CONFIGURING L2TP

VPDN and L2TP Overview

A Virtual Private Dial Network (VPDN) is implemented with the help of the dial-up and access services of the public network (ISDN and PSTN), and provides access services for enterprises, small ISPs and mobile offices. VPDN adopts private communication protocols with a network encryption feature, so enterprises can establish safe VPNs on public networks. Branch employees can connect to their enterprise's remote internal network through virtual encrypted tunnels, while other users on the public network cannot reach the intranet resources through those tunnels.

A VPDN system is composed of the NAS (Network Access Server), the equipment at the user end, and management tools:
■ The NAS is provided by telecom departments or large ISPs. As the access server of the VPDN, the NAS provides WAN interfaces, is in charge of connecting to PSTN or ISDN, supports various LAN protocols, security management and authentication, and supports tunnels and other related techniques.
■ The user-side equipment is located in the headquarters of the enterprise. Depending on the network functions required, this equipment can be a NAS, a router or a firewall.
■ The management tools are responsible for managing VPDN equipment and users, and include the NMS and AAA.

Remote dial-up users reach the NAS of the local ISP by dialing via the local PSTN or ISDN. With the connection to the local ISP and a tunneling protocol that encapsulates a higher-level protocol, a VPN is established between the NAS and the peer gateway.

VPDN Operation

The VPDN tunneling protocol can be PPTP, L2F or L2TP; L2TP is the dominant protocol. When L2TP is adopted to build a VPDN, the typical networking is illustrated in Figure 179.
Figure 179 Networking diagram of typical VPDN application
(Figure elements: PC, PSTN/ISDN, Remote users, Access server (LAC), Internet backbone network, L2TP channel, Router (LNS), Internal server)

In this figure, LAC stands for L2TP Access Concentrator, a switching network device with a PPP end system and L2TP client-side processing ability. Usually the LAC is a NAS, which provides access service for users through PSTN/ISDN. LNS stands for L2TP Network Server, the device with a PPP end system and L2TP server-side processing ability. The LAC resides between the LNS and the remote system (remote users and remote branches) and is responsible for transmitting packets between them: it encapsulates the packets received from the remote system according to L2TP and sends them to the LNS, then de-encapsulates the packets from the LNS and sends them to the remote system. A local connection or a PPP link can be used between the LAC and the remote system, but in a VPDN application the PPP link is usually adopted. Being one end of the L2TP tunnel, the LNS is the peer device of the LAC and the logical terminating point of the PPP sessions transmitted by the LAC through the tunnel.

Methods of Implementing VPDN

There are two methods to implement VPDN:
■ NAS-originated VPN: The NAS first establishes a tunnel with the VPDN gateway using a tunneling protocol, conveying the PPP connection to the gateway of the enterprise. The currently available protocols are L2F and L2TP. The advantage of this method is its transparency to users: after logging in once, users can access the intranet, which authenticates the users and distributes internal addresses to them, avoiding the consumption of public addresses. Accounting of dial-up users can be implemented by the AAA at either the LNS or the LAC side. Users can access the network through various platforms. With this method, the NAS must support the VPDN protocol and the authentication system must support VPDN attributes. The gateway is usually a router or a dedicated VPN gateway.
■ Client-originated VPN: The client at the user end establishes the tunnel with the VPDN gateway. The client first calls and connects to the Internet, then establishes a tunnel connection with the enterprise gateway through special client software (such as the L2TP support in the Windows 2000 platform). The advantage of this method is that there is no mode or geographical limit on how users access the Internet, independent of the ISP. Accounting of dial-up users can only be implemented through the AAA at the LNS side. The disadvantage is that users may be required to install special software.
The networking diagram of these two typical methods is illustrated in the following figure:

Figure 180 Networking diagram of two typical methods of VPDN
(Figure elements: PSTN/ISDN, LAC, LNS, Internet, LAC client, Remote client, Home LAN)

Overview of L2TP

The L2TP (Layer 2 Tunneling Protocol) supports the transmission of PPP frames by tunneling: the end of the layer 2 data link and the end of the PPP session can reside on different devices that communicate over a packet-switched network, which extends the PPP model. Integrating the respective advantages of L2F and PPTP, L2TP has become the industry standard layer 2 tunneling protocol. The architecture of the protocol stack to which L2TP belongs is illustrated in Figure 181.

Figure 181 L2TP architecture
(Figure elements: PPP Frames -> L2TP Data Messages -> L2TP Data Channel (unreliable); L2TP Control Messages -> L2TP Control Channel (reliable); both carried by Packet Transport (UDP, ...))

The L2TP architecture illustrated in Figure 181 describes the relation among PPP frames, control channels and data channels. A PPP frame is encapsulated with the L2TP header and transmitted in the unreliable data channel, then passes through the packet transport (UDP, Frame Relay or ATM). A control message is transmitted in the reliable L2TP control channel.

Tunnel and session

An L2TP tunnel is established between a LAC and an LNS and is composed of one control connection and n (n ≥ 0) sessions. Only one L2TP tunnel can be established between a given pair of LAC and LNS. Both control messages and PPP data messages are transmitted in the tunnel. A session is also established between the LAC and the LNS, but session establishment must follow the successful establishment of the tunnel (which includes the exchange of such information as identity protection, L2TP version, frame type and hardware transmission type). One session corresponds to one PPP data stream between the LAC and the LNS.
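As an added example (not code from the manual or from 3Com), the following Python builds and parses the L2TPv2 header and control-message AVPs that carry the tunnel ID, session ID and the control-versus-data distinction described above, with the bounds checks a defender's dissector needs. Field layouts follow RFC 2661; the SCCRQ and data message are constructed samples, not captured traffic.

```python
import struct

L2TP_PORT = 1701                              # registered UDP port; only the first packet must target it
T, L, S, O = 0x8000, 0x4000, 0x0800, 0x0200   # header flag bits (RFC 2661 section 3.1); low 4 bits = version
MSG_TYPE = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
            10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_avps(body: bytes) -> list:
    """Decode a control message body into (mandatory, hidden, vendor_id, attribute, value) tuples."""
    avps, pos = [], 0
    while pos < len(body):
        if pos + 6 > len(body):
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack("!HHH", body[pos:pos + 6])
        alen = hdr & 0x03FF                   # 10-bit overall AVP length, header included
        if alen < 6 or pos + alen > len(body):
            raise ValueError("bad AVP length")  # never trust the length field to stay inside the buffer
        avps.append((bool(hdr & 0x8000), bool(hdr & 0x4000), vendor, attr, body[pos + 6:pos + alen]))
        pos += alen
    return avps

def parse_l2tp(pkt: bytes) -> dict:
    """Parse one L2TPv2 packet (the UDP payload) into header fields plus AVPs or the PPP frame."""
    if len(pkt) < 6:
        raise ValueError("too short for an L2TP header")
    flags, = struct.unpack("!H", pkt[:2])
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    control, pos, length = bool(flags & T), 2, len(pkt)
    if control and (not flags & L or not flags & S or flags & O):
        raise ValueError("control message must set L and S and clear O")
    if flags & L:
        length, = struct.unpack("!H", pkt[pos:pos + 2]); pos += 2
        if length > len(pkt):
            raise ValueError("length field exceeds packet")
    tunnel_id, session_id = struct.unpack("!HH", pkt[pos:pos + 4]); pos += 4
    ns = nr = None
    if flags & S:                             # sequence numbers: always on control, optional on data
        ns, nr = struct.unpack("!HH", pkt[pos:pos + 4]); pos += 4
    if flags & O:                             # offset pad before the payload (data messages only)
        off, = struct.unpack("!H", pkt[pos:pos + 2]); pos += 2 + off
    info = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}
    if control:
        info["avps"] = parse_avps(pkt[pos:length])
        mtype = [v for m, h, vend, a, v in info["avps"] if vend == 0 and a == 0]   # Message Type AVP
        info["msg_type"] = MSG_TYPE.get(struct.unpack("!H", mtype[0])[0]) if mtype else "ZLB"
    else:
        info["ppp_frame"] = pkt[pos:length]   # the encapsulated PPP frame, delivered unreliably
    return info

def avp(attr: int, value: bytes, mandatory: bool = True) -> bytes:
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value

def control_msg(tunnel_id: int, session_id: int, ns: int, nr: int, avps: list) -> bytes:
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T | L | S | 2, 12 + len(body), tunnel_id, session_id, ns, nr) + body

def data_msg(tunnel_id: int, session_id: int, ppp: bytes) -> bytes:
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp   # minimal data header: no L, S or O

# Constructed samples (not captured traffic): the SCCRQ a LAC sends to open a tunnel, and one data message
SCCRQ = control_msg(0, 0, 0, 0, [avp(0, b"\x00\x01"),      # Message Type = SCCRQ
                                 avp(2, b"\x01\x00"),      # Protocol Version 1.0
                                 avp(7, b"lac1"),          # Host Name
                                 avp(9, b"\x00\x07")])     # Assigned Tunnel ID = 7
PPP_LCP = data_msg(7, 3, b"\xff\x03\xc0\x21\x01\x01\x00\x04")   # tunnel 7 / session 3, LCP Configure-Request
```

A tunnel ID of 0 is legitimate only in the SCCRQ (the peer has not assigned one yet); seeing it on any other control message, or an AVP length running past the datagram, is worth an alert in a dissector.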
The L2TP header carries a tunnel ID and a session ID, which are used to identify different tunnels and sessions. Messages with the same tunnel ID but different session IDs are multiplexed in one tunnel. Tunnel IDs and session IDs are allocated and communicated to the opposite end of the tunnel.

L2TP detects the connectivity of a tunnel using the Hello message. When the tunnel has been idle for some time, the LAC and the LNS begin to transmit Hello messages to the opposite end. If no response to the Hello message is received for some time, the session is cleared.

Control message and data message

L2TP has two types of messages: control messages and data messages. Control messages are used to establish, maintain and clear the tunnel and session connections. Data messages are used to encapsulate PPP frames and transmit them in the tunnel. Transmission of control messages is reliable, but transmission of data messages is not: if a data message is lost, it is not retransmitted. L2TP supports flow control and congestion control only for control messages, not for data messages.

L2TP is transmitted in UDP messages. L2TP has registered UDP port 1701, which is used only for initial tunnel establishment. The originating side of an L2TP tunnel randomly selects an idle port (it need not be 1701) and transmits a message to port 1701 of the receiving side. After receiving the message, the receiving side randomly selects an idle port (again, it need not be 1701) and transmits a message back to the port used by the originating side. From then on, the ports selected by both sides remain unchanged for as long as the tunnel is connected. After being passed to L2TP and encapsulated with the L2TP header, the PPP frame is eventually encapsulated in UDP messages and transmitted on a TCP/IP network.

Call setup flow of L2TP tunnel

The call setup flow of an L2TP tunnel is shown in the following figure:
Figure 182 Call setup flow of L2TP channel
(Steps recovered from the figure labels; parties: PC, Router A as LAC, Router B as LNS, and a RADIUS server at each side)
(1) Call setup
(2) PPP LCP setup
(3) PAP or CHAP authentication
(4) Request tunnel message
(5) AV pairs tunnel message
(6) Tunnel establishment
(7) SCCRQ message [LAC challenge]
(8) SCCRP message [LNS CHAP response, CHAP challenge]
(9) SCCCN message [Authentication passes, LAC CHAP response]
(10) Authentication passes
(11) User CHAP response + response identifier + PPP negotiation parameters
(12) Access request
(13) Access response
(14) Optional second CHAP challenge
(15) CHAP response
(16) Access request
(17) Access response
(18) Authentication passes

Features of L2TP

■ Flexible identity authentication mechanism and high security: The L2TP protocol by itself does not provide connection security, but it can rely on the authentication (e.g. CHAP and PAP) provided by PPP, so it has all the security features of PPP. L2TP can be integrated with IPSec to provide data security, making it difficult to attack the data transmitted with L2TP. Depending on specific network security requirements, tunnel encryption, end-to-end data encryption or application-layer data encryption can be applied on top of L2TP to further improve data security.
■ Multi-protocol transmission: L2TP transmits PPP packets, so multiple protocols can be encapsulated in PPP packets.
■ Support for RADIUS server authentication: The LAC requests RADIUS authentication with the user name and password. The RADIUS server receives the authentication request of the user, performs the authentication and returns the configuration information needed to establish the connection to the LAC.
■ Support for internal address allocation: The LNS can be placed behind the intranet firewall. It can dynamically distribute and manage the addresses of remote users and supports the use of private WAN addresses (RFC 1918). The addresses allocated to remote users are private addresses belonging to the enterprise, so the addresses can be easily managed and security is also improved.
■ Flexible network charging: Charging can be performed at both the LAC and LNS sides at the same time, that is, at the ISP (to generate bills) and at the intranet gateway (to pay charges and audit). L2TP can provide such charging data as the number of packets and bytes transmitted and the start and end time of the connection, so network charging can easily be performed from these data.
■ Reliability: L2TP supports LNS backup. When the active LNS is inaccessible, the LAC can reconnect to the backup LNS, which improves the reliability and fault tolerance of VPN services.

Basic Configuration at LAC

Basic configuration at the LAC side includes:
■ Enable L2TP
■ Create an L2TP group
■ Originate L2TP connection request and configure LNS address
■ Configure AAA and local users

Enable L2TP

L2TP on a router can work only after it is enabled. If it is disabled, the router will not provide the related functions even if L2TP parameters are configured. Perform the following task in the system view.

Table 665 Enable/Disable L2TP

Operation        Command
Enable L2TP      l2tp enable
Disable L2TP     undo l2tp enable

By default, L2TP is disabled.

Create an L2TP Group

To configure the related parameters of L2TP, an L2TP group must be added. The L2TP group is used to configure the L2TP functions on the router and facilitates one-to-one, one-to-many, many-to-one and many-to-many connections between LACs and LNSs. L2TP groups are numbered separately on the LAC and the LNS. Hence it is only necessary to keep the related configuration of the L2TP group at the LAC side consistent with that at the LNS side (e.g. the peer name of the tunnel originating the L2TP connection request and the LNS address).

After an L2TP group is created, other configuration related to this L2TP group, such as the local name, originating the L2TP connection request and the LNS address, can be performed in L2TP group view. L2TP group 1 works as the default L2TP group. Perform the following tasks in the system view.
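The tunnel authentication exchanged in steps (7) to (9) of Figure 182, as an added example (not the manual's or the router's code): the LAC challenge travels in SCCRQ, the LNS answers in SCCRP and sends its own challenge, and the LAC answers in SCCCN. Each response is the CHAP-style digest from RFC 2661, MD5 over the message type octet, the shared tunnel secret and the challenge; the peer names and secrets below are constructed.

```python
import hashlib
import hmac
import secrets

SCCRQ, SCCRP, SCCCN = 1, 2, 3      # L2TP control message type values (RFC 2661)

def challenge_response(msg_type: int, tunnel_secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response from RFC 2661 section 4.4.3: MD5(ID || secret || challenge),
    where the one-octet ID is the Message Type of the message that carries the AVP."""
    return hashlib.md5(bytes([msg_type]) + tunnel_secret + challenge).digest()

class TunnelPeer:
    """One end of the tunnel: knows the shared tunnel secret and remembers the challenge it issued."""

    def __init__(self, name: str, tunnel_secret: bytes):
        self.name, self.secret, self.challenge = name, tunnel_secret, None

    def new_challenge(self, nbytes: int = 16) -> bytes:
        self.challenge = secrets.token_bytes(nbytes)   # fresh random challenge per tunnel attempt
        return self.challenge

    def answer(self, msg_type: int, peer_challenge: bytes) -> bytes:
        return challenge_response(msg_type, self.secret, peer_challenge)

    def verify(self, msg_type: int, response: bytes) -> bool:
        expected = challenge_response(msg_type, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def tunnel_authentication(lac_secret: bytes, lns_secret: bytes) -> tuple:
    """Simulate steps (7)-(9): SCCRQ carries the LAC challenge, SCCRP carries the LNS response
    plus the LNS challenge, SCCCN carries the LAC response. Returns (LAC accepts LNS, LNS accepts LAC)."""
    lac, lns = TunnelPeer("LAC", lac_secret), TunnelPeer("LNS", lns_secret)
    sccrq = {"type": SCCRQ, "challenge": lac.new_challenge()}                     # (7) LAC -> LNS
    sccrp = {"type": SCCRP,                                                       # (8) LNS -> LAC
             "challenge_response": lns.answer(SCCRP, sccrq["challenge"]),
             "challenge": lns.new_challenge()}
    if not lac.verify(SCCRP, sccrp["challenge_response"]):
        return (False, False)            # the LAC would tear the tunnel down with StopCCN here
    scccn = {"type": SCCCN,                                                       # (9) LAC -> LNS
             "challenge_response": lac.answer(SCCCN, sccrp["challenge"])}
    return (True, lns.verify(SCCCN, scccn["challenge_response"]))

def replayed_response_fails(secret: bytes) -> bool:
    """A response recorded from one tunnel setup is useless against the next: the LNS issues a
    new random challenge, so the old digest no longer matches."""
    lns = TunnelPeer("LNS", secret)
    first = challenge_response(SCCCN, secret, lns.new_challenge())   # captured from an earlier setup
    lns.new_challenge()                                               # next tunnel attempt
    return not lns.verify(SCCCN, first)
```

Because the digest is keyed only by the tunnel secret, the strength of this step is the strength of that secret; the user's own PPP CHAP or PAP exchange and any IPSec protection are separate from it.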