[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1

Latest reply: May 19, 2018 01:31:14 3599 4 1 0
At present most people are pretty familiar with clients on PCs, tablets, or mobile phones. The most common are PPPoE clients, which are the often-talked about broadband Internet access clients. Second to these are VPN clients. These kinds of clients are not used by leisure Internet users, but are rather generally services provided by companies for their employees working remotely. Here we'll primarily discuss one type of VPN client, the L2TP VPN client.

The role of an L2TP VPN client is to help users initiate and build an L2TP tunnel directly to the company HQ network on a PC, tablet or cell phone. This achieves the objective of allowing the user to freely access the HQ network, and is a bit like how Professor Du (star of a popular Korean sci-fi/romance drama) was able to instantly travel between two distant worlds by controlling the entrance to the wor**ole to Earth (HQ). Whether we're talking about the real world or the virtual online world, it seems that happiness can only be experienced when time and distance concerns are eliminated. I'll use real-world experience to inform everyone how client-initiated VPNs can help you attain the same happiness as Professor Du.

If Professor Du wanted to use the L2TP VPN client to pass through the "wor**ole" and enter an enterprise network, he would first have to pass through the LNS "gatekeeper" identity check (the methods involved in this check are very clear, with everything necessary for tunnel inspection included, including checks of user name, password, and host name). Users who pass inspection are supplied with a special pass (an IP address of the enterprise network) by the LNS, while those who attempt to gain unauthorized access are bid adieu―this is the simple approach displayed in client-initiated VPNs' information exchange. In order to help everyone better grasp this, and to aid in comparing client-initiated VPNs to the NAS-initiated VPNs discussed in the next section, I've drawn a simple diagram (Figure 1-1). I'll then use this diagram to further dissect the information exchanges between the L2TP client and the LNS.

Figure 1-1 Process for building a client-initiated VPN

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-1


Client-initiated VPN configuration is shown in Table 1-1. A key point is that the connections between the L2TP client, the LNS, and the internal network servers are all direct connections, which avoids routing configuration; user authentication also is done using relatively simple local authentication. In addition, the internal network server needs to configure a gateway, to ensure that its response packets bound for the L2TP client are able to reach the LNS.

Table 1-1 Client-initiated VPN configuration

Configured Item

L2TP Client (Using a VPN Client as an Example)


L2TP configuration

l  Other terminal's IP address:

l  User log-in (PPP user) name: l2tpuser

l  User log-in (PPP user) password: Admin@123

l  LNS Tunnel name (optional): LNS

l  PPP authentication mode (PAP/CHAP/EAP; some clients are defaulted to CHAP): CHAP

l  Tunnel validation (optional, some clients don't support this): not selected

The first three fields are mandatory, while the last three fields may not be available on all clients

l2tp enable

interface Virtual-Template1

 ppp authentication-mode chap

 ip address

 remote address pool 1

l2tp-group 1

 undo tunnel authentication        

 allow l2tp virtual-template 1   //Designates a VT interface.

 tunnel name LNS         //Indicates the name of this tunnel terminal.

AAA authentication configuration



 local-user l2tpuser password cipher Admin@123  //Indicates the local user name and password.

 local-user l2tpuser service-type ppp   //Indicates the user service type.

 ip pool 1    //Indicates the address pool.



Now, I don't think many people know too much about the VT interface, is that right? The VT interface is a logical interface used in Layer 2 protocol communication, and is usually used during PPPoE negotiation. L2TP cooperates with PPPoE in order to acclimate itself to the Ethernet environment, which is why we find the VT interface here. I will explain more about the role of VT interfaces in client-initiated VPNs as we proceed.

Below, I will use packet captures to help explain the complete process of setting up a client-initiated VPN.

1 Step 1: Setting Up an L2TP Tunnel (Control Connection)―Three Pieces of Information Enter the Wor**ole

An L2TP client and the LNS negotiate parameters such as the tunnel ID, UDP port (the LNS uses port 1701 to respond to the client's tunnel building request), host name, L2TP version, tunnel authentication (if the client does not support tunnel authentication, the LNS tunnel authentication function should be closed―this is true for the WIN7 operating system) by exchanging three pieces of information.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-2


To aid everyone in understanding the meaning of negotiation, Table 1-2 gives the tunnel ID negotiation process.

Table 1-2 Tunnel ID negotiation process

Step 1


L2TP Client: Hey LNS, use "1" as the tunnel ID to communicate with me.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-3

Step 2


LNS: OK, L2TP Client, and make sure you also use "1" as the tunnel ID to communicate with me.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-4

Step 3


L2TP Client: OK.



2 Step 2: Establishing an L2TP Session―Three Pieces of Information to Awaken the Wor**ole Gateguard

The L2TP client and the LNS exchange three pieces of information to negotiate a session ID and establish an L2TP session. However, only if the "gateguard" is first notified can identity authentication information be submitted!

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-5


Table 1-3 gives the process for negotiating a session ID.

Table 1-3 Process for negotiating a session ID

Step 1


L2TP Client: Hey LNS, use "1" as the session ID to communicate with me.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-6

Step 2


LNS: OK, L2TP Client, and make sure you also use "1" as the session ID to communicate with me.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-7

Step 3


L2TP Client: OK.



3 Step 3: Creating a PPP Connection―Identity Authentication and Issuance of the "Special Pass"

1.         LCP negotiation

LCP negotiation is conducted separately in both directions, and primarily negotiates MRU size. MRU is a PPP data link layer parameter, and is similar to the Ethernet's MTU. If one of the terminal devices in the PPP link sends a packet with a payload larger than the other terminal's MRU, this packet will be fragmented when it is sent.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-8

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-9


The above screenshot shows that the post-negotiation MRU value is 1460.

2.         PPP authentication

Authentication methods include CHAP, PAP, and EAP. Both CHAP and PAP authentication can be conducted either locally or on an AAA server, while EAP can conduct authentication on an AAA server. EAP authentication is relatively complex, and there are differences in the support provided for this by different models of firewalls, so here we'll only discuss CHAP, the most common authentication process.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-10 

Table 1-4 displays a classic three-way handshake PPP authentication process.

Table 1-4 Three-way handshake PPP authentication process

Step 1

LNS: Hey, L2TP Client, I'm sending you a "challenge", use it to encrypt your password.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-11

Step 2

L2TP Client: OK, I'm sending my user name and encrypted password to you, please authenticate them.

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-12

Step 3

LNS: Authentication was successful, welcome to the world of PPP!

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-13


The user name and password configured on the LNS are used to authenticate the client. Of course, this requires that the "person in question" and the "visa" have to be exact matches―this is to say that the user name and password configured on the L2TP client and the LNS have to be identical. Next, I'll briefly explain what it means for the user names to be identical.

?       If the "visa" configured on the LNS is the user name (no domain), then the L2TP client's user log-in name must be the user name.

?       If the "visa" configured on the LNS is the full user name (username@default or username@domain), then the L2TP client's user log-in name must be username@default or username@domain.

In this example, the user name configured on the LNS is 12tpuser, so when the client logs-in it must enter an identical user name. The reasoning behind this is very simple, but this is a common error that many make during configuration.

The concept of a "domain" is always used in AAA authentication, and I'm sure everyone is wondering what purpose it serves to add a domain behind the user name.

Large corporations will often assign different departments to different domains, and then create different address pools for these different departments on the LNS according to their domain―this is to say that different departments' network segments can be separated using address pools, which makes it easy to later deploy different security policies for different departments.

3.         IPCP negotiation to successfully assign an IP address

The IP address assigned by the LNS to the L2TP client is

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-14

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-15


After having read this far, everyone should be clear that the addresses in the LNS's address pool are used to assign IP addresses to remote clients. Of course, these should be private addresses and should also abide by the internal network's IP address planning rules just like other internal network host addresses. But what about the VT interface?

Actually, the VT interface is also an internal network interface, and should also be planned according to the internal network's IP address planning principles. The overall principles behind IP address planning are as follows:

?       It is suggested that independent network segments be planned separately for the VT interface, the address pool and the HQ network address, so that the addresses for the three don't overlap.

?       If the addresses of the address pool and the HQ network address are configured to the same network segment, then the ARP proxy function must be activated on the LNS interface that connects to the HQ network, and the L2TP virtual forwarding function must also be enabled, to ensure that the LNS can respond to ARP requests sent by the HQ network server.

If the LNS interface connecting to the HQ network is GE0/0/1, then the configuration for enabling the ARP proxy function and the L2TP virtual forwarding function is as follows:

[LNS] interface GigabitEthernet0/0/1

[LNS-GigabitEthernet0/0/1] arp-proxy enable      //Enable the ARP proxy function.

[LNS-GigabitEthernet0/0/1] virtual-l2tpforward enable       //Enable the L2TP virtual forwarding function.

After reading through the process for PPP authentication, everyone should now know that L2TP is cleverly able to use PPP's authentication functions to achieve its own objective of authenticating remote user access. What was responsible for facilitating this cooperative project? The VT interface:

[LNS] l2tp-group 1

[LNS-l2tp1] allow l2tp virtual-template 1

It is this above command that links L2TP with PPP; the VT interface manages PPP authentication, while the L2TP module is the VT interface's boss. Cooperation between the two is thus achieved in this way. The VT interface is only used between L2TP and PPP―this is a nameless hero that doesn't participate in encapsulation, and also doesn't need to be broadcast publicly, so it is perfectly acceptable to configure its IP address as a private network IP address.

The L2TP client-initiated VPN negotiation process is far more complex than for GRE VPNs. Let's summarize the characteristics of client-initiated VPN tunnels:

?       L2TP VPNs are greatly different than GRE VPNs. GRE VPNs do not have a tunnel negotiation process, and are tunnels that do not control connections and state, so there is no way to view the tunnel or inspect the state of the tunnel. However, L2TP VPNs are controlled-connection tunnels, and can check on and view the tunnel and session.

?       As shown in Figure 1-2, there is an L2TP tunnel between the L2TP client and the LNS for client-initiated VPNs. There is only one L2TP session in the tunnel, and the PPP connection is carried on this L2TP session. This is different than the NAS-initiated VPNs that will be discussed in the next section, and this is important to pay attention to.

Figure 1-2 Relationship between an L2TP tunnel and session with the PPP connection on a client-initiated VPN

[Dr.WoW] [No.26] L2TP Client-initiated VPNs-part1-1336609-16




To view the list of all Dr. WoW technical posts, click here.

  • x
  • convention:

Created Jun 29, 2015 08:18:35 Helpful(0) Helpful(0)

Thank you .
  • x
  • convention:

Created Dec 18, 2017 12:43:58 Helpful(0) Helpful(0)

Sir i have configured l2tp all sessions are good to connect but after doing ppp negotiation it gives me error "timeout occurred during the attempt to connect to the peer".  What could be possible reason plz help
  • x
  • convention:

MVE Created Apr 5, 2018 15:20:46 Helpful(0) Helpful(0)

useful document, thanks
  • x
  • convention:

Created May 19, 2018 01:31:14 Helpful(0) Helpful(0)

Nice document :)
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits