L2TP tunneling modes and tunnel establishment process

L2TP tunneling modes include NAS-initiated, client-initiated, and LAC-auto-initiated.

NAS-initiated tunneling mode

As shown in Figure 23, a remote system dials in to the LAC through a PPPoE/ISDN network. The LAC initiates a tunneling request to the LNS over the Internet.

Figure 23: NAS-initiated tunneling mode

A NAS-initiated tunnel has the following characteristics:

Figure 24: NAS-initiated tunnel establishment process

As shown in Figure 24, the following workflow is used to establish a NAS-initiated tunnel:

  1. A remote system (Host A) initiates a PPP connection to the LAC (Device A).

  2. The remote system and LAC perform PPP LCP negotiation.

  3. The LAC authenticates PPP user information of Host A by using PAP or CHAP.

  4. The LAC sends the authentication information (username and password) to its RADIUS server (RADIUS server A) for authentication.

  5. RADIUS server A authenticates the user and returns the result.

  6. The LAC initiates an L2TP tunneling request to the LNS (Device B) when the following conditions exist:

    • The user passes the authentication.

    • The user is determined to be an L2TP user according to the username or the ISP domain to which the user belongs.

  7. If tunnel authentication is needed, the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establishing an L2TP tunnel.

  8. The LAC and LNS negotiate to establish L2TP sessions.

  9. The LAC sends PPP user information and PPP negotiation parameters to the LNS.

  10. The LNS sends the authentication information to its RADIUS server (RADIUS server B) for authentication.

  11. RADIUS server B authenticates the user and returns the result.

  12. If the user passes the authentication, the LNS assigns a private IP address to the remote system (Host A).

  13. The PPP user can access internal resources of the enterprise.

In steps 12 and 13, the LAC forwards packets between the remote system and the LNS: Host A and the LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets.
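As an added example (not part of this guide or the device's implementation), the mutual tunnel authentication of step 7 modelled in Python, following RFC 2661: each side's Challenge Response AVP is MD5(message type || shared secret || peer's challenge), so the LNS proves the secret in SCCRP and the LAC proves it in SCCCN. The peer names, the `tunnel_authentication` helper and the random challenges are constructed for the example.

```python
import hashlib
import hmac
import os

# L2TP control message types used in tunnel setup (RFC 2661, section 4.4.1).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value (RFC 2661, section 5.1.1): a CHAP-style
    MD5(ID || secret || challenge) where ID is the one-octet message type of the
    control message that carries the response (SCCRP or SCCCN)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelPeer:
    """One end of the tunnel (LAC or LNS) holding the shared tunnel secret.
    Constructed model for this example, not a device implementation."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret
        self.challenge = os.urandom(16)  # fresh random challenge per tunnel attempt


def tunnel_authentication(lac: TunnelPeer, lns: TunnelPeer) -> bool:
    """Runs the SCCRQ/SCCRP/SCCCN exchange and returns True only if the LNS
    proves the secret in SCCRP and the LAC proves it in SCCCN."""
    # SCCRQ (LAC -> LNS): carries the LAC's Challenge AVP.
    sccrq = {"type": SCCRQ, "challenge": lac.challenge}
    # SCCRP (LNS -> LAC): answers the LAC's challenge and sends the LNS's own.
    sccrp = {
        "type": SCCRP,
        "response": challenge_response(SCCRP, lns.secret, sccrq["challenge"]),
        "challenge": lns.challenge,
    }
    # LAC verifies the LNS; a mismatch means the tunnel is not established.
    expected = challenge_response(SCCRP, lac.secret, lac.challenge)
    if not hmac.compare_digest(sccrp["response"], expected):
        return False
    # SCCCN (LAC -> LNS): answers the LNS's challenge; the ID is now 3 (SCCCN).
    scccn = {"type": SCCCN,
             "response": challenge_response(SCCCN, lac.secret, sccrp["challenge"])}
    # LNS verifies the LAC; only after this does session negotiation (step 8) begin.
    expected = challenge_response(SCCCN, lns.secret, lns.challenge)
    return hmac.compare_digest(scccn["response"], expected)


if __name__ == "__main__":
    lac, lns = TunnelPeer("Device A", b"s3cret"), TunnelPeer("Device B", b"s3cret")
    print("tunnel authenticated:", tunnel_authentication(lac, lns))
```

Because the ID octet differs between SCCRP (2) and SCCCN (3), a response captured from one message cannot be replayed as the other even against the same challenge.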

Client-initiated tunneling mode

As shown in Figure 25, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet. The LAC client can directly initiate a tunneling request to the LNS without any dedicated LAC devices.

Figure 25: Client-initiated tunneling mode

A client-initiated tunnel has the following characteristics:

As shown in Figure 26, the workflow for establishing a client-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 26: Client-initiated tunnel establishment process

LAC-auto-initiated tunneling mode

In NAS-initiated mode, a remote system must successfully dial in to the LAC through PPPoE or ISDN.

In LAC-auto-initiated mode, you can use the l2tp-auto-client command on the LAC to trigger the LAC to initiate a tunneling request to the LNS. When a remote system accesses the private network, the LAC forwards data through the L2TP tunnel.

Figure 27: LAC-auto-initiated tunneling mode

An LAC-auto-initiated tunnel has the following characteristics:

As shown in Figure 28, the workflow for establishing an LAC-auto-initiated tunnel is similar to that for establishing a NAS-initiated tunnel. (Details not shown.)

Figure 28: Establishment process for LAC-auto-initiated tunnels