Description of LAC and LNS of the L2TP on firewalls


L2TP access concentrator (LAC): It is a device attached to the switching network. The LAC has a PPP terminal system and delivers L2TP processing. It usually provides access services for PPP users.

The LAC is located between the L2TP network server (LNS) and a user, used to transfer information packets between the LNS and the user. The LAC encapsulates the information packets received from the user based on L2TP and delivers the information packets to the LNS. In addition, it decapsulates information packets received from the LNS and delivers the information packets to the user.

The LAC and the user are connected in local connection mode or over a PPP link. In the VPDN application scenario, the LAC and the user are connected over the PPP link.

LNS: It is both a logical termination point of a PPP system and an L2TP server. Generally, it serves as an edge on the enterprise intranet.

As one side of an L2TP tunnel endpoint, the LNS is a peer to the LAC. The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. By establishing an L2TP tunnel on the public network, the peer end of a PPP session is logically extended from the LAC to the LNS on the enterprise intranet.

Other related questions:
Can the interface address of the AR router used as the L2TP LAC and the VT interface address of the LNS be on different network segments?
The interface address of the AR router used as the L2TP LAC and the VT interface address of the LNS can be on different network segments. The LAC and LNS can still communicate with each other, but it is recommended that the interface address of the AR router used as the L2TP LAC and the VT interface address of the LNS be on the same network segment.

How can I quickly locate why the LAC cannot set up an L2TP tunnel with the LNS?
When configuring the L2TP function, the LAC cannot set up a tunnel with the LNS. How can I quickly locate the fault?
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If not, configure a reachable route to the LNS.
2. Check the L2TP configuration on the LNS and delete the parameter remote specified in the allow l2tp command. If an L2TP tunnel can then be established successfully, the LAC cannot set up a tunnel with the LNS because the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Use either of the following methods to solve this problem:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of the parameter remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of the parameter remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of the parameter remote is the device name of the LAC.

Configuring the LNS to use the RADIUS server to authenticate mobile users in a Client-Initiated scenario
Configure the LNS to use the RADIUS server to authenticate mobile users in a Client-Initiated scenario as follows: Example for Configuring L2TP VPN (RADIUS Authentication) in the Client-Initiated Scenario

Does the AR support RADIUS accounting?
The support for RADIUS accounting is as follows:
- AR routers of all versions support RADIUS authentication for NAC users.
- AR routers of V200R002C00 and later versions support RADIUS authentication for administrators.
- AR routers of V200R005C10 and later versions support RADIUS authentication for PPPoE users.
- AR routers do not support RADIUS authentication for LAC and LNS users.

How to rapidly locate the cause of a failure to establish a tunnel between the LAC and LNS
During L2TP configuration, the LAC cannot set up a tunnel with the LNS. Perform the following operations to quickly locate the fault.
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If the route is unreachable, ensure route reachability.
2. Check the L2TP configuration on the LNS and delete the remote parameter specified in the allow l2tp command. If an L2TP tunnel can be established successfully, the LAC cannot set up a tunnel with the LNS because the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Use the following methods:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of remote is the device name of the LAC.
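The tunnel-name check behind step 2, as an added Python example that is not from this page or the device software: the LAC announces its tunnel name in the Host Name AVP of the L2TPv2 SCCRQ (RFC 2661), and the LNS with a remote name configured only accepts an SCCRQ whose Host Name matches it; with no remote name configured, any LAC is accepted. Tunnel names and IDs below are constructed sample values.

```python
import struct

# L2TPv2 (RFC 2661) IETF AVP types used in an SCCRQ, and the SCCRQ message type value.
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 7, 9
SCCRQ = 1

def avp(attr_type, value, mandatory=True):
    """Encode one IETF AVP: M bit + 10-bit length, vendor ID 0, attribute type, value."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr_type) + value

def build_sccrq(tunnel_name, local_tunnel_id=1):
    """Build the SCCRQ a LAC sends; Host Name carries the LAC's tunnel name
    (the name set with 'tunnel name', or the device name when none is set)."""
    body = (avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
            + avp(AVP_PROTOCOL_VERSION, b"\x01\x00")
            + avp(AVP_HOST_NAME, tunnel_name.encode())
            + avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", local_tunnel_id)))
    # Header flags: T=1 (control), L=1, S=1, Ver=2 -> 0xC802; tunnel/session IDs are 0
    # before assignment; Ns and Nr are 0 for the first control message.
    header = struct.pack("!HHHHHH", 0xC802, 12 + len(body), 0, 0, 0, 0)
    return header + body

def parse_control(packet):
    """Return {attr_type: value} for an L2TPv2 control message; reject bad framing."""
    flags, length = struct.unpack("!HH", packet[:4])
    if flags & 0xC00F != 0xC002 or length != len(packet):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, pos = {}, 12
    while pos < length:
        hl, vendor, attr = struct.unpack("!HHH", packet[pos:pos + 6])
        alen = hl & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("bad AVP length")
        if vendor == 0:
            avps[attr] = packet[pos + 6:pos + alen]
        pos += alen
    return avps

def lns_accepts(packet, allowed_remote=None):
    """Emulate the LNS 'remote' check: no remote name -> accept any LAC; otherwise
    the Host Name AVP must equal the configured remote name exactly."""
    avps = parse_control(packet)
    if struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0] != SCCRQ:
        return False
    if allowed_remote is None:
        return True
    return avps.get(AVP_HOST_NAME, b"").decode(errors="replace") == allowed_remote
```

A mismatch such as "LAC-Branch1" versus "LAC_Branch1" is enough for the LNS to refuse the tunnel, which is why removing remote on the LNS is the quickest way to confirm a name problem.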
