3Com Router User Manual
L2TP Configuration Examples 627

Figure 193 Network Connection Wizard (2)

■ Click the button and configure the IP address of the LNS in the popup dialog box (this is the address of the LNS interface connected to the Internet), as shown in the following figure.

Figure 194 Network Connection Wizard (3)

CHAPTER 43: CONFIGURING L2TP 628

■ Click the button to complete the configuration.
■ Double-click [Connect Connection to 660046] to start the VPN connection. If the dialup connection has not yet been set up, the system automatically prompts you to set it up first. After connecting, enter the same username and password as those configured on the LNS side, as shown in the following figure.

Figure 195 Connect Connection to 660046

■ After the VPN is established, run the ipconfig command at the Windows 2000 command prompt to view the IP addresses assigned by the LAC (NAS) and by the LNS, as shown in the following output.

    Windows 2000 IP Configuration
    Ethernet adapter
            Media State. . . . . . . . . . . .: Cable Disconnected
    PPP adapter
            Connection-specific DNS Suffix . .:
            IP Address. . . . . . . . . . . . .: 192.168.0.3
            Subnet Mask . . . . . . . . . . . .: 255.255.255.255
            Default Gateway . . . . . . . . . .: 192.168.0.3
    PPP adapter:
            Connection-specific DNS Suffix. . .:
            IP Address. . . . . . . . . . . . .: 192.170.0.3
            Subnet Mask . . . . . . . . . . . .: 255.255.255.255
            Default Gateway . . . . . . . . . .: 192.170.0.3

An Individual User Interconnects Headquarters via the Router

I. Networking requirements
A user wants to communicate with the headquarters, but the headquarters uses a private address range (e.g., 192.168.0.0), so the user cannot reach the internal server through the Internet. By setting up a VPN, the user can access the information in the internal network.

II. Networking diagram
Figure 196 Networking diagram of an individual user interconnecting headquarters (figure labels: PC1, PC2, Modem, PSTN/ISDN, LAC Router1, WAN, Internet, Tunnel, LNS Router2, Headquarters)

III. Configuration procedure

1 Configuration at the user side
Set up a dialup network using the access number of Router1; the connection receives the address assigned by the LNS server. Enter [email protected] as the username and Hello as the password in the popup terminal window.

2 Configuration of Router1 (LAC side)
Make sure that CHAP authentication is enabled on the access interface (e.g., the dialup interface) facing the LAC dialup user.
a Configure the username and password.
    [Router1] local-user [email protected] password simple Hello
b Adopt AAA authentication.
    [Router1] aaa-enable
    [Router1] aaa authentication-scheme ppp default local
    [Router1] aaa accounting-scheme optional
c Configure an IP address on interface Serial0.
    [Router1] interface serial 0
    [Router1-Serial0] ip address 202.38.160.1 255.255.255.0
    [Router1-Serial0] ppp authentication-mode chap
d Configure an L2TP group and its attributes.
    [Router1] l2tp enable
    [Router1] l2tp-group 1
    [Router1-l2tp1] tunnel name lac-end
    [Router1-l2tp1] start l2tp ip 202.38.160.2 domain 3Com.com
e Enable tunnel authentication and configure the tunnel authentication password.
    [Router1-l2tp1] tunnel authentication
    [Router1-l2tp1] tunnel password simple 3Com
f Configure the domain suffix separator as @.
    [Router1] l2tp domain suffix-separator @
g Configure the match order so that the domain is matched first and then the called number.

3 Configuration of Router2 (LNS side)
a Configure address pool 1, ranging from 192.168.0.2 to 192.168.0.100.
    [Router2] ip pool 1 192.168.0.2 192.168.0.100
b Enable AAA authentication.
    [Router2] aaa-enable
    [Router2] aaa authentication-scheme ppp default local
c Configure Virtual-Template 1.
    [Router2] interface virtual-template 1
    [Router2-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
    [Router2-Virtual-Template1] ppp authentication-mode chap
    [Router2-Virtual-Template1] remote address pool 1
d Configure an L2TP group and its attributes.
    [Router2] l2tp enable
    [Router2] l2tp-group 1
    [Router2-l2tp1] tunnel name lns-end
    [Router2-l2tp1] allow l2tp virtual-template 1 remote lac-end
e Configure the username and password, which must be the same as those configured on the LAC side.
    [Router2] local-user [email protected] password simple Hello
f Enable tunnel authentication and set the tunnel authentication password to 3Com.
    [Router2-l2tp1] tunnel authentication
    [Router2-l2tp1] tunnel password simple 3Com
g Force local CHAP authentication.
    [Router2-l2tp1] mandatory-chap

Networking of VPN Protected by IPSec

I. Networking requirements
Create an IPSec tunnel between the two ends of the L2TP tunnel so that the L2TP packets are encrypted by IPSec, guaranteeing the security of the VPN.

II. Networking diagram
Figure 197 Networking of VPN protected by IPSec (figure labels: PC1, PC2, Modem, PSTN/ISDN, LAC Router1, WAN, Internet, Tunnel, IPSec encryption tunnel, LNS Router2, Company headquarters)

III. Procedures

1 Configuration at the user side
Set up a dialup network whose number is the access number of Router1; the connection receives the IP address assigned by the LNS server. Enter "vpdnuser" as the username and "Hello" as the password in the dialup terminal window.

2 Configuration at Router1 (LAC side)
a Configure the username and password.
    [Router1] local-user vpdnuser password simple Hello
b Adopt AAA authentication.
    [Router1] aaa-enable
    [Router1] aaa authentication-scheme ppp default local
    [Router1] aaa accounting-scheme optional
c Create an access control list that selects the L2TP data to be encrypted.
    [Router1] acl 101
    [Router1-acl-101] rule permit udp source 202.38.161.1 0.0.0.0 destination 202.38.161.2 0.0.0.0 destination-port equal 1701
d Create an IPSec proposal (transform set) that uses DES encryption and transport mode.
    [Router1] ipsec proposal l2tptrans
    [Router1-ipsec-proposal-l2tptrans] transform esp-new
    [Router1-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des
    [Router1-ipsec-proposal-l2tptrans] esp-new authentication-algorithm sha1-hmac-96
    [Router1-ipsec-proposal-l2tptrans] encapsulation-mode transport
e Create an IPSec policy that uses IKE negotiation and configure the IKE pre-shared key.
    [Router1] ipsec policy l2tpmap 10 isakmp
    [Router1-ipsec-policy-l2tpmap-10] ike pre-shared-key l2tp_ipsec remote 202.38.160.2
    [Router1-ipsec-policy-l2tpmap-10] match address 101
    [Router1-ipsec-policy-l2tpmap-10] set peer 202.38.160.2
    [Router1-ipsec-policy-l2tpmap-10] set transform l2tptrans
f Configure an IP address on interface Serial 0 and apply the IPSec policy.
    [Router1] interface serial 0
    [Router1-Serial0] ip address 202.38.160.1 255.255.255.0
    [Router1-Serial0] ipsec policy l2tpmap
g Configure an L2TP group and its attributes.
    [Router1] l2tp enable
    [Router1] l2tp-group 1
    [Router1-l2tp1] tunnel name lac-end
    [Router1-l2tp1] start l2tp ip 202.38.160.2 fullusername vpdnuser
    [Router1-l2tp1] undo tunnel authentication

3 Configuration at Router2 (LNS side)
a Enable AAA authentication.
    [Router2] aaa-enable
    [Router2] aaa authentication-scheme ppp default local
b Configure the username and password, which must be the same as those configured on the LAC side.
    [Router2] local-user vpdnuser password simple Hello
c Configure address pool 1, ranging from 192.168.0.2 to 192.168.0.100.
    [Router2] ip pool 1 192.168.0.2 192.168.0.100
d Configure an access control list that selects the L2TP data.
    [Router2] acl 101
    [Router2-acl-101] rule permit udp source 192.168.0.0 0.0.0.255 destination 202.38.161.1 0.0.0.0
e Create the IPSec proposal (transform set) that uses DES encryption and transport mode.
    [Router2] ipsec proposal l2tptrans
    [Router2-ipsec-proposal-l2tptrans] transform esp-new
    [Router2-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des
    [Router2-ipsec-proposal-l2tptrans] esp-new authentication-algorithm sha1-hmac-96
    [Router2-ipsec-proposal-l2tptrans] encapsulation-mode transport
f Create the IPSec policy that uses IKE negotiation and configure the IKE pre-shared key.
    [Router2] ipsec policy l2tpmap 10 isakmp
    [Router2-ipsec-policy-l2tpmap-10] ike pre-shared-key l2tp_ipsec remote 202.38.160.1
    [Router2-ipsec-policy-l2tpmap-10] match address 101
    [Router2-ipsec-policy-l2tpmap-10] set peer 202.38.160.1
    [Router2-ipsec-policy-l2tpmap-10] set transform l2tptrans
g Configure the IP address on interface Serial0 and apply the IPSec policy.
    [Router2] interface serial 0
    [Router2-Serial0] ip address 202.38.160.2 255.255.255.0
    [Router2-Serial0] ipsec policy l2tpmap
h Configure Virtual-Template 1.
    [Router2] interface virtual-template 1
    [Router2-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
    [Router2-Virtual-Template1] ppp authentication-mode chap
    [Router2-Virtual-Template1] remote address pool 1
i Configure an L2TP group and its attributes.
    [Router2] l2tp enable
    [Router2] l2tp-group 1
    [Router2-l2tp1] tunnel name lns-end
    [Router2-l2tp1] allow l2tp virtual-template 1 remote lac-end
    [Router2-l2tp1] undo tunnel authentication

Troubleshooting L2TP

Before debugging the VPN, confirm that the LAC and the LNS are both reachable on the same public network; test the connectivity between them with the ping command.

Fault 1: Users fail to log in.
Troubleshooting:
1 The tunnel cannot be established. Possible reasons:
■ At the LAC side, the LNS address is configured incorrectly.
■ The LNS (usually a router) is not configured to accept the L2TP group of the tunnel peer. For details, refer to the description of the allow l2tp command.
■ Tunnel authentication fails. If authentication is configured, make sure that the tunnel passwords on both sides are consistent.
■ If the local end forcibly disconnects the connection and the peer fails to receive the corresponding "disconnect" message because of network transmission errors, a new tunnel connection originated immediately afterwards will not be established. The peer only detects that the link is down after a certain interval, and two tunnel connections originated from the same IP address are not allowed at the same time.
2 PPP negotiation fails. Possible reasons:
■ The username or password set at the LAC is wrong, or the corresponding user information is not set at the LNS.
■ The LNS cannot allocate addresses, e.g., the address pool is too small or not configured at all.
■ The authentication types are inconsistent. The default authentication type of a VPN connection created by Windows 2000 is MSCHAP; if the peer does not support MSCHAP, CHAP is recommended.

Fault 2: After the tunnel is created, data cannot be transmitted; for example, the ping operation fails.
Troubleshooting: possible reasons are as follows:
■ The address of the LAC is configured incorrectly. Generally the LNS distributes the addresses, but the LAC can also specify its own address. If the address the LAC specifies and the address the LNS would allocate are not in the same segment, this problem occurs. It is recommended that the LNS allocate the addresses for the LAC.
■ The backbone network is congested and many packets are dropped. L2TP runs over UDP (User Datagram Protocol), which does not detect or correct message errors. If L2TP is used over paths whose line quality is not guaranteed, the ping command will occasionally fail.
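Most of the Fault 1 and Fault 2 causes listed above can be found by comparing the LAC and LNS configurations before debugging on the routers. The following is an added example, not part of this manual or of the router software: a Python script that reads constructed LAC/LNS snippets written in the CLI style of the examples above and reports the mismatches named in the troubleshooting list (wrong LNS address, peer tunnel name not accepted, tunnel authentication or password mismatch, missing PPP user, no address pool). The snippets, the function names and the deliberately wrong LNS tunnel password are assumptions.

```python
import re
# Constructed LAC/LNS snippets in the manual's CLI style; the LNS tunnel password is deliberately wrong.
LAC_CONFIG = """
local-user vpdnuser password simple Hello
l2tp-group 1
 tunnel name lac-end
 start l2tp ip 202.38.160.2 fullusername vpdnuser
 tunnel authentication
 tunnel password simple 3Com
"""
LNS_CONFIG = """
local-user vpdnuser password simple Hello
ip pool 1 192.168.0.2 192.168.0.100
interface serial 0
 ip address 202.38.160.2 255.255.255.0
interface virtual-template 1
 remote address pool 1
l2tp-group 1
 tunnel name lns-end
 allow l2tp virtual-template 1 remote lac-end
 tunnel authentication
 tunnel password simple wrong
"""

def first(pattern, text):
    """First capture group of a line-anchored pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_l2tp_pair(lac, lns):
    """Return the LAC/LNS mismatches that would stop the tunnel or PPP from coming up."""
    faults = []
    lns_ip = first(r"^ *start l2tp ip (\S+)", lac)            # Fault 1: LNS address on the LAC
    if lns_ip not in re.findall(r"^ *ip address (\S+) ", lns, re.M):
        faults.append(f"LAC points at {lns_ip}, which is not an LNS interface address")
    lac_name = first(r"^ *tunnel name (\S+)", lac)            # Fault 1: LNS must accept this peer
    if lac_name not in re.findall(r"^ *allow l2tp virtual-template \d+ remote (\S+)", lns, re.M):
        faults.append(f"LNS has no 'allow l2tp ... remote {lac_name}'")
    auth = [first(r"^ *(tunnel authentication) *$", c) is not None for c in (lac, lns)]
    if auth[0] != auth[1]:                                    # Fault 1: tunnel authentication
        faults.append("tunnel authentication enabled on one side only")
    elif auth[0] and first(r"^ *tunnel password simple (\S+)", lac) != first(r"^ *tunnel password simple (\S+)", lns):
        faults.append("tunnel passwords differ")
    users = [dict(re.findall(r"^ *local-user (\S+) password simple (\S+)", c, re.M)) for c in (lac, lns)]
    for name, pw in users[0].items():                         # Fault 2: PPP user and password
        if users[1].get(name) != pw:
            faults.append(f"user {name} is missing or has a different password on the LNS")
    pool = first(r"^ *remote address pool (\d+)", lns)        # Fault 2: LNS address allocation
    if pool is None or first(rf"^ *(ip pool {pool}) ", lns) is None:
        faults.append("LNS cannot allocate an address: no usable address pool")
    return faults
```

Running check_l2tp_pair(LAC_CONFIG, LNS_CONFIG) reports only the tunnel password mismatch; correcting the LNS password yields an empty list.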
44 CONFIGURING GRE

This chapter covers the following topics:
■ GRE Protocol Overview
■ Configuring GRE
■ Displaying and Debugging GRE
■ GRE Configuration Example
■ Troubleshooting GRE

GRE Protocol Overview

The Generic Routing Encapsulation (GRE) protocol encapsulates datagrams of network layer protocols, such as IP and IPX, so that they can be transmitted inside another network layer protocol, such as IP. GRE is a Layer 3 protocol that creates Virtual Private Network (VPN) tunnels. A tunnel is a virtual point-to-point connection, presented as a virtual interface that supports only point-to-point connections. A message transmitted over the tunnel must be encapsulated at one end and de-encapsulated at the other. The tunnel interface provides the channel over which the encapsulated datagram is transmitted, and it performs the encapsulation and de-encapsulation at the two ends of the tunnel.

Encapsulation

As shown in Figure 198, after receiving an IPX datagram, the interface connected to Group1 first delivers it to the IPX protocol, which checks the destination address field in the IPX header and determines how to route the packet.

Figure 198 Typical networking diagram of GRE (figure labels: IPX protocol Group1, Router A, Tunnel, Internet, Router B, IPX protocol Group2)

If the destination address is routed through the network with network number 1f (the virtual network number of the tunnel), the message is delivered to the tunnel interface with network number 1f. On receiving the packet, the tunnel interface performs GRE encapsulation and hands the packet to the IP module. After the IP header is added, the packet is forwarded by the network interface selected according to the destination address and the routing table.

De-encapsulation

De-encapsulation is the reverse of encapsulation. When an IP message is received at a tunnel interface, its destination address is checked; if this router is the destination, the IP header is removed and the message is handed to the GRE protocol, which examines the key, checksum or message sequence number. After the GRE header is removed, the payload is processed by the IPX protocol in the same way as an ordinary datagram.

The system receives a datagram to be encapsulated and routed. The datagram is first encapsulated in a GRE message, so that the datagram becomes the payload of the GRE message. The GRE message is then encapsulated in an IP message, which the IP layer forwards. The IP protocol that forwards the messages is often called the delivery protocol or transport protocol. The form of an encapsulated message is shown in Figure 199:

Figure 199 Encapsulated tunnel message format (refer to the RFC)
    Delivery Header (Transport Protocol) | GRE Header (Encapsulation Protocol) | Payload Packet (Passenger Protocol)

For example, the format of an IPX transmission message encapsulated in an IP tunnel is as follows:

Figure 200 Format of transmission message in the tunnel
    IP (Transport Protocol) | GRE (Carrier Protocol or Encapsulation Protocol) | IPX (Passenger Protocol)
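The three-layer message of Figures 199 and 200, as an added example that is not part of this manual or of the router software: Python code that builds an IPv4 delivery header (protocol 47) in front of a GRE carrier header with checksum, key and sequence number as defined in RFC 2784/2890, and an IPX passenger payload; de-encapsulation strips both headers and verifies the checksum and the key, which is the check the text above describes. The function names, the sample addresses and the constructed payload are assumptions.

```python
import struct
GRE_C, GRE_K, GRE_S, ETH_P_IPX = 0x8000, 0x2000, 0x1000, 0x8137  # RFC 2784/2890 flag bits; IPX protocol type

def ones_complement_sum(data):
    """16-bit one's-complement checksum, as used by both the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload, proto=ETH_P_IPX, key=None, seq=None):
    """Carrier protocol: GRE header (checksum, optional key and sequence) in front of the passenger payload."""
    flags, opts = GRE_C, b""
    if key is not None:
        flags |= GRE_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opts += struct.pack("!I", seq)
    body = struct.pack("!HH", flags, proto) + b"\x00" * 4 + opts + payload
    csum = ones_complement_sum(body)          # computed over header and payload with the checksum field zeroed
    return body[:4] + struct.pack("!HH", csum, 0) + body[8:]

def ip_deliver(gre_packet, src, dst):
    """Transport protocol: IPv4 header with protocol 47 (GRE) in front of the GRE packet (src/dst are 4 bytes)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre_packet), 0, 0, 64, 47, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + gre_packet

def gre_decapsulate(ip_packet, expected_key=None):
    """Reverse of the above: strip IP and GRE headers, verify checksum and key, return (proto, seq, payload)."""
    if ip_packet[9] != 47:
        raise ValueError("delivery header is not GRE")
    gre = ip_packet[(ip_packet[0] & 0x0F) * 4:]  # skip the IP header (IHL in 32-bit words)
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & GRE_C and ones_complement_sum(gre) != 0:  # an intact header+payload sums to zero
        raise ValueError("GRE checksum mismatch")
    pos = 4 + (4 if flags & GRE_C else 0)
    key = seq = None
    if flags & GRE_K:
        key, pos = struct.unpack("!I", gre[pos:pos + 4])[0], pos + 4
    if flags & GRE_S:
        seq, pos = struct.unpack("!I", gre[pos:pos + 4])[0], pos + 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch")
    return proto, seq, gre[pos:]
```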