L2TP question

comp.dcom.vpn

Posted by Juergen Kluth on February 13, 2008, 2:23 pm
Hi,
Most information on L2TP I find (especially RFCs) mentions the following
situation:
A client dials up to an ISP and then, after PPP authentication (username/pw)
and authorisation (yes, you have paid my bill! to connect to the internet), the
LAC (L2TP Access Concentrator) initiates the L2TP tunnel to the desired
endpoint (the remote LAN I want to connect to).
--somewhat clear!
But I come to the conclusion that I have to ask my ISP whether his dial-in
device supports these L2TP capabilities anyhow ...
Am I in principle right? (you must not mention some worldwide adopted
standards here)

user --------- LAC ========== NAS (remote)
ppp L2TP


On a Cisco site I found out that some "able" routers do support L2TP on the
user's side (before invoking the ISP's LAC), so that the L2TP tunnel starts
at the user's router (passing the ISP's LAC, nothing doing).

user (router) ====== (LAC?)======== NAS (remote)
-------- dial-in
L2TP over ppp L2TP over IP Cloud

which seems likely to be the same as a VPN connection from a (Windows)
client, where you set up a normal (PPP) dial-in connection, and on top of that
you run your L2TP (which I assume runs above PPP until the ISP's device and
is then unpacked to IP and released into the internet cloud).


Can anyone point me to some information for the second mode, or both,
or a "good" point to read?
Thanks,
jk



Posted by Doug McIntyre on February 13, 2008, 3:33 pm
>Most information on L2TP I find (especially RFCs) mentions the following
>situation:
>A client dials up to an ISP and then, after PPP authentication (username/pw)
>and authorisation (yes, you have paid my bill! to connect to the internet), the
>LAC (L2TP Access Concentrator) initiates the L2TP tunnel to the desired
>endpoint (the remote LAN I want to connect to).
>--somewhat clear!
>But I come to the conclusion that I have to ask my ISP whether his dial-in
>device supports these L2TP capabilities anyhow ...
>Am I in principle right? (you must not mention some worldwide adopted
>standards here)

>user --------- LAC ========== NAS (remote)
> ppp L2TP


One thing that seems to be missing in your diagrams is the Home
Gateway (LNS) that will terminate the L2TP tunnel on the remote network.

There's not much point in the ISP initiating the tunnel at their LAC
if there's not something at the remote network end to terminate that tunnel...


>On a Cisco site I found out that some "able" routers do support L2TP on the
>user's side (before invoking the ISP's LAC), so that the L2TP tunnel starts
>at the user's router (passing the ISP's LAC, nothing doing).

>user (router) ====== (LAC?)======== NAS (remote)
> -------- dial-in
> L2TP over ppp L2TP over IP Cloud

>which seems likely to be the same as a VPN connection from a (Windows)
>client, where you set up a normal (PPP) dial-in connection, and on top of that
>you run your L2TP (which I assume runs above PPP until the ISP's device and
>is then unpacked to IP and released into the internet cloud).

At this point, the ISP isn't doing anything for you. It's all between
your LAC (i.e. L2TP over IPsec is the normal mode, or PPTP) and the
remote LNS. The ISP is just providing you IP connectivity to get to
your LNS.

The Cisco docs on L2TP are really good. So is the Wikipedia article, as
it branches off to source material.



Posted by Juergen Kluth on February 13, 2008, 6:29 pm
Hi,
First, thanks.

> There's not much point in the ISP initiating the tunnel at their LAC
> if there's not something at the remote network end to terminate that
> tunnel...

You are right, I forgot the LNS.
But again: if I would or would have to work with this config:
- Must I ask in this case whether the ISP has a "LAC" capable device (normally
I would assume a DSLAM or else for the endpoint of my dial-up connection)
to create a tunnel to "my" LNS?
- "My" LNS, must this be connected by a fixed / leased line? Or must it
just typically have a constant IP address?

Regards, jk



Posted by Doug McIntyre on February 13, 2008, 7:42 pm
>> There's not much point in the ISP initiating the tunnel at their LAC
>> if there's not something at the remote network end to terminate that
>> tunnel...

>You are right, I forgot the LNS.
>But again: if I would or would have to work with this config:
>- Must I ask in this case whether the ISP has a "LAC" capable device (normally
>I would assume a DSLAM or else for the endpoint of my dial-up connection)
>to create a tunnel to "my" LNS?

Not sure what the question is here. In this model of you connecting to
an ISP, and the ISP auto-tunneling your traffic, yes, the ISP would
have to have a RAS/BRAS device capable of being an L2TP LAC. That in
turn would identify your clients dialing in and auto-start the
tunnel for that user to the LNS.

>- "My" LNS, must this be connected by a fixed / leased line? Or must it
>just typically have a constant IP address?

It can be anywhere you have IP connectivity to. Policies of the
service the ISP offering you L2TP services may dictate what they
consider reasonable for connection back to your LNS. The L2TP
tunnelling all happens on the layer-3 IP layer though.

A fixed IP address is pretty much a given for the LNS end.

The other model you originally mentioned last in your first post, with
an onsite CPE user device being a LAC to initiate the tunnel across
the Net, doesn't require the ISP's involvement in any fashion whatsoever.
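
To make the two roles discussed in this thread concrete, here is an added example (not code from the thread, from Cisco or from any ISP): a small Python decoder for the L2TPv2 (RFC 2661) header and control AVPs that travel inside UDP port 1701. Whichever side sends the tunnel-setup request (SCCRQ) is the LAC, the ISP's BRAS in the compulsory model or the user's CPE/client in the voluntary model; data messages carry the PPP frame with no protection of their own, which is why the normal deployment wraps L2TP in IPsec. The packet bytes and the host name `lac.example` are constructed for this example.

```python
"""Decode L2TPv2 (RFC 2661) packets as carried inside UDP port 1701.

Added example for this thread; the packet bytes below are constructed,
not taken from a capture, and the host name is a placeholder.
"""
import struct

# Control message types (value of the Message Type AVP, RFC 2661 section 6).
MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}
# IETF (vendor ID 0) AVP attribute types decoded here.
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 7, 9


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: M bit + 10-bit total length, vendor ID 0, attribute type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control header: T=1 L=1 S=1 Ver=2 (0xC802), Length, Tunnel ID, Session ID, Ns, Nr."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def parse_l2tp(data):
    """Parse the L2TPv2 header; for control messages also decode the vendor-0 AVPs."""
    (flags,) = struct.unpack("!H", data[:2])
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    is_control = bool(flags & 0x8000)
    has_len, has_seq, has_off = bool(flags & 0x4000), bool(flags & 0x0800), bool(flags & 0x0200)
    if is_control and not (has_len and has_seq):
        raise ValueError("control messages must set the L and S bits")
    pos, length = 2, len(data)
    if has_len:
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if has_off:  # Offset Size field plus padding (data messages only)
        (off,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + off
    msg = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr}
    if not is_control:
        # Data messages carry the PPP frame as-is: L2TP adds no confidentiality,
        # which is why the usual deployment wraps it in IPsec.
        msg["payload"] = data[pos:length]
        return msg
    avps, hidden = {}, 0
    while pos + 6 <= length:
        flags_len, vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or pos + avp_len > length:
            raise ValueError("malformed AVP")
        if flags_len & 0x4000:  # H bit: value hidden with the tunnel secret, skip it
            hidden += 1
        elif vendor == 0:
            avps[attr] = data[pos + 6:pos + avp_len]
        pos += avp_len
    if AVP_MESSAGE_TYPE not in avps:
        raise ValueError("control message without Message Type AVP")
    msg["message_type"] = MESSAGE_TYPES.get(struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0], "unknown")
    msg["host_name"] = avps.get(AVP_HOST_NAME, b"").decode("ascii", "replace")
    if AVP_ASSIGNED_TUNNEL_ID in avps:
        (msg["assigned_tunnel_id"],) = struct.unpack("!H", avps[AVP_ASSIGNED_TUNNEL_ID])
    msg["hidden_avps"] = hidden
    return msg


def describe_role(msg):
    """Which tunnel role the sender is playing, in the terms used in this thread."""
    if not msg["control"]:
        return "data: PPP frame inside tunnel %d, session %d" % (msg["tunnel_id"], msg["session_id"])
    if msg["message_type"] == "SCCRQ":
        return ("tunnel initiator (LAC): the ISP's BRAS in the compulsory model, "
                "the user's CPE or client in the voluntary model")
    if msg["message_type"] == "SCCRP":
        return "tunnel terminator (LNS) answering the setup request"
    return "control: " + msg["message_type"]


# Constructed sample: an SCCRQ as a LAC sends it to an LNS (header tunnel ID 0 until assigned).
SAMPLE_SCCRQ = build_control_message(0, 0, 0, 0, [
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1)),
    build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
    build_avp(AVP_HOST_NAME, b"lac.example"),  # placeholder host name
    build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1234)),
])
# Constructed sample: a data message (T=0, no L/S/O bits) carrying a PPP LCP frame.
SAMPLE_DATA = struct.pack("!HHH", 0x0002, 0x1234, 0x0001) + b"\xff\x03\xc0\x21"

if __name__ == "__main__":
    for pkt in (SAMPLE_SCCRQ, SAMPLE_DATA):
        print(describe_role(parse_l2tp(pkt)))
```

Run against a capture, the decoder applied to the first control message of a tunnel tells you which address is the LAC; applied to data messages it shows the PPP payload in the clear whenever the UDP/1701 stream is not inside an IPsec SA.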



Posted by Juergen Kluth on February 13, 2008, 9:20 pm
Hi,

Your answer confirms what I am starting to think about what I have read the
last hours (http://www.redbooks.ibm.com/redbooks/pdfs/sg242580.pdf ~ page
177 and on).
I want to dig into VPN ... and started with the RFC (?).
There (in the RFC) almost only the LAC-at-ISP configuration is described, and I
asked myself what I would have to do (call my ISP?).
Seems to be "compulsory tunnel".
Maybe this config is of "earlier times", or has some special features (like
dedicated bandwidth with tunnel over ATM, or has some security advantages
(?)).
I feel very sure this was a "product one could buy from his ISP".

The other, "voluntary tunnel", was in my focus, because from my eye I am a
theoretical remote user with DSL (PPPoE connection to ISP), but this isn't
easy to find in the RFC.
And at least the Windows client is able to connect via L2TP (has the LAC in
it, I think).

Still at the very surface ...
Thanks + regards,
jk





>>> There's not much point in the ISP initiating the tunnel at their LAC
>>> if there's not something at the remote network end to terminate that
>>> tunnel...
>
>>You are right , i forgot the LNS
>>But again : If i would or would have to work with this config:
>>- Must I ask in this case whether the ISP has a "LAC" capable device
>>(normally
>>I would assume a DSLAM or else for the endpoint of my dial-up connection)
>>to create a tunnel to "my" LNS?
>
> Not sure what the question is here. In this model of you connecting to
> an ISP, and the ISP auto-tunneling your traffic, yes, the ISP would
> have to have a RAS/BRAS device capable of being an L2TP LAC. That in
> turn would identify your clients dialing in and auto-start the
> tunnel for that user to the LNS.
>
>>- "My" LNS, must this be connected by a fixed / leased line? Or must
>>it
>>just typically have a constant IP address?
>
> It can be anywhere you have IP connectivity to. Policies of the
> service the ISP offering you L2TP services may dictate what they
> consider reasonable for connection back to your LNS. The L2TP
> tunnelling all happens on the layer-3 IP layer though.
>
> A fixed IP address is pretty much a given for the LNS end.
>
> The other model you originally mentioned last in your first post, with
> an onsite CPE user device being a LAC to initiate the tunnel across
> the Net, doesn't require the ISP's involvement in any fashion whatsoever.
>
>


