
Mechanism of L2TP VPN in the Call-LNS Scenario

This section describes the mechanism of L2TP VPN in the Call-LNS scenario in terms of tunnel negotiations, packet encapsulation, security policies, and source NAT on the LAC.

Tunnel Negotiation

In the Call-LNS scenario, after L2TP VPN is configured on the LAC and LNS, the LAC proactively initiates a tunnel negotiation request to the LNS. Figure 1 shows the tunnel negotiation process.
Figure 1 L2TP VPN tunnel establishment in the Call-LNS scenario
  1. The LAC and LNS establish an L2TP VPN tunnel.

    LAC: sends an SCCRQ packet to notify the LNS of the tunnel ID (1).

    An LAC or LNS can maintain multiple tunnels at the same time to carry different user services. The two devices therefore negotiate a tunnel ID for each tunnel to be established so that the tunnels can be told apart.

    L2TP packets are carried over UDP. When sending the SCCRQ packet, the LAC picks an idle UDP port as the source port and sends the packet to UDP port 1701 on the LNS. After receiving the packet, the LNS sends its response from port 1701 back to the LAC port the request came from. Both ports remain fixed until the tunnel is torn down.

    LNS: sends an SCCRP packet to notify the LAC of the tunnel ID (1).

    LAC: sends an SCCCN packet.

    At this point, the two devices have negotiated the tunnel IDs and the L2TP VPN tunnel is established.

  2. The LAC and LNS establish an L2TP session.

    In Step 3, the LAC establishes a PPP connection with the LNS. The L2TP session is used to record and manage the status of the PPP connection. Therefore, before establishing a PPP connection, the LAC and LNS need to negotiate an L2TP session.


    LAC: sends an ICRQ packet to notify the LNS of the session ID (81).

    LNS: sends an ICRP packet to notify the LAC of the session ID (77).

    LAC: sends an ICCN packet.

    At this point, the two devices have negotiated the session IDs and the L2TP session is established.

  3. The LAC and LNS establish a PPP connection.

    The LAC establishes a PPP connection with the LNS to obtain an intranet IP address from the LNS.


    LAC: sends an LCP Request packet to negotiate link-layer parameters. In the example capture, the negotiated MRU is 1500.

    LNS: returns an LCP ACK packet to the LAC.

    LAC: sends a PAP Request packet to request the LNS to authenticate it. In the example capture, the PAP packet carries the user name hb@hb and the password admin@123; PAP sends both in cleartext. The LNS returns a PAP ACK packet carrying the authentication result.

    If the LAC uses CHAP authentication, the authentication process differs slightly. For details, see PPP CHAP.

    NOTE:
    An L2TP VPN tunnel does not encrypt the data it carries. To protect user data against interception, you are advised to use IPSec to provide encryption for L2TP VPN.

    LAC: after identity authentication succeeds, the LAC sends an IPCP Request packet to request an intranet IP address from the LNS.

    LNS: returns an IPCP ACK packet carrying the intranet IP address allocated to the LAC. At this point, the PPP connection is established. In the example capture, the intranet address the LNS assigns to the LAC is 172.16.1.51.

  4. A packet from a user in the enterprise branch is encapsulated by the LAC, decapsulated by the LNS, and delivered to the server at the enterprise headquarters. For details on packet encapsulation, see Packet Encapsulation.
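The six-message exchange of steps 1 and 2, encoded and parsed as it appears on the wire, as an added example that is not part of the original Huawei documentation. It uses the tunnel IDs (1 and 1) and session IDs (81 and 77) from the page; the header layout and AVP numbers follow RFC 2661, and the sequence-number handling is simplified. The receiver validates every length field before reading an AVP, which is the check a parser facing unauthenticated UDP datagrams on port 1701 has to make.

```python
import struct

# Control message types (RFC 2661, section 6)
SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN = 1, 2, 3, 10, 11, 12
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN"}

# Attribute types of the AVPs this example uses (RFC 2661, section 4.4)
AVP_MESSAGE_TYPE = 0
AVP_ASSIGNED_TUNNEL_ID = 9
AVP_ASSIGNED_SESSION_ID = 14

# Control header flag word: T=1 (control), L=1 (length present), S=1 (Ns/Nr present), Ver=2
CTRL_FLAGS = 0xC802


def build_avp(attr_type, value, mandatory=True):
    """Encode an AVP with a 16-bit value: flags/length, vendor ID 0, attribute type, value."""
    body = struct.pack("!H", value)
    flags_len = (0x8000 if mandatory else 0) | (6 + len(body))
    return struct.pack("!HHH", flags_len, 0, attr_type) + body


def build_control(tunnel_id, session_id, ns, nr, avps):
    """Control header (12 bytes with L and S set) followed by the AVPs. The header
    carries the IDs the *receiver* assigned, or 0 while they are still unknown."""
    payload = b"".join(avps)
    header = struct.pack("!HHHHHH", CTRL_FLAGS, 12 + len(payload), tunnel_id, session_id, ns, nr)
    return header + payload


def parse_control(msg):
    """Check the header and every AVP boundary, then return the header fields and a
    dict of attribute type -> raw value (vendor 0 only). Raises ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("truncated L2TP control header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or not flags & 0x4000 or not flags & 0x0800 or flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 control message with L and S set")
    if length != len(msg):
        raise ValueError("length field does not match the datagram size")
    avps, off = {}, 12
    while off < length:
        if off + 6 > length:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", msg[off:off + 6])
        alen = flags_len & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("AVP length runs past the end of the message")
        if flags_len & 0x4000:
            raise ValueError("hidden AVP (H bit) needs the tunnel password; not handled here")
        if vendor == 0:
            avps[attr] = msg[off + 6:off + alen]
        off += alen
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "avps": avps}


def u16(raw):
    return struct.unpack("!H", raw)[0]


def is_wellformed(msg):
    try:
        parse_control(msg)
        return True
    except ValueError:
        return False


def negotiate(lac_tid=1, lns_tid=1, lac_sid=81, lns_sid=77):
    """Replay the six-message exchange of Figure 1 with the IDs from the page's example
    and return what each side learned about its peer plus the header fields on the wire."""
    lac = {"peer_tid": 0, "peer_sid": 0, "ns": 0, "nr": 0}
    lns = {"peer_tid": 0, "peer_sid": 0, "ns": 0, "nr": 0}
    # (sender, receiver, message type, AVP carrying the sender's own assigned ID, if any)
    script = [
        (lac, lns, SCCRQ, (AVP_ASSIGNED_TUNNEL_ID, lac_tid)),
        (lns, lac, SCCRP, (AVP_ASSIGNED_TUNNEL_ID, lns_tid)),
        (lac, lns, SCCCN, None),
        (lac, lns, ICRQ, (AVP_ASSIGNED_SESSION_ID, lac_sid)),
        (lns, lac, ICRP, (AVP_ASSIGNED_SESSION_ID, lns_sid)),
        (lac, lns, ICCN, None),
    ]
    trace = []
    for sender, receiver, mtype, assigned in script:
        avps = [build_avp(AVP_MESSAGE_TYPE, mtype)]
        if assigned:
            avps.append(build_avp(*assigned))
        # Tunnel-level messages carry session ID 0; session messages carry the peer's session ID
        sid = sender["peer_sid"] if mtype in (ICRQ, ICRP, ICCN) else 0
        msg = build_control(sender["peer_tid"], sid, sender["ns"], sender["nr"], avps)
        sender["ns"] += 1
        parsed = parse_control(msg)          # the receiver validates before acting on anything
        receiver["nr"] = parsed["ns"] + 1    # next sequence number expected from the peer
        if AVP_ASSIGNED_TUNNEL_ID in parsed["avps"]:
            receiver["peer_tid"] = u16(parsed["avps"][AVP_ASSIGNED_TUNNEL_ID])
        if AVP_ASSIGNED_SESSION_ID in parsed["avps"]:
            receiver["peer_sid"] = u16(parsed["avps"][AVP_ASSIGNED_SESSION_ID])
        trace.append((MSG_NAMES[mtype], parsed["tunnel_id"], parsed["session_id"]))
    return {
        "lac_sees_tunnel": lac["peer_tid"], "lns_sees_tunnel": lns["peer_tid"],
        "lac_sees_session": lac["peer_sid"], "lns_sees_session": lns["peer_sid"],
        "trace": trace,
    }


if __name__ == "__main__":
    for name, tid, sid in negotiate()["trace"]:
        print(f"{name:6} header tunnel ID={tid} session ID={sid}")
```

The trace shows the point the page makes about IDs: the header of each message names the IDs the peer assigned, so SCCRQ and ICRQ go out with 0 in the corresponding field, and only after ICRP does the LAC know to stamp 77 on the session.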

Packet Encapsulation

Figure 2 shows the packet encapsulation and decapsulation processes.
Figure 2 Packet encapsulation in the Call-LNS scenario
  1. An employee in the enterprise branch sends a packet to access an intranet server on the enterprise headquarters.

    The PC of the employee on the branch sends the packet to the LAC based on a local route.

  2. After receiving the packet, the LAC uses its VT interface to perform PPP and L2TP encapsulation on the packet.

    The LAC sends the encapsulated packet based on the public route to the Internet.

  3. After receiving the packet, the LNS uses its VT interface to remove the L2TP and PPP headers from the packet and forwards the packet to the intranet server on the headquarters based on the intranet route.
  4. After receiving the packet, the server at the enterprise headquarters returns a response packet to the employee.
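The encapsulation in step 2 and the decapsulation in step 3, as an added Python example that is not code from the page or from Huawei. The inner addresses (10.1.1.1 to 192.168.1.1), the outer addresses (1.1.1.1 to 2.2.2.1) and the tunnel and session IDs (1 and 77) are the page's own; the UDP source port, the payload bytes and carrying the PPP address/control octets uncompressed are constructed assumptions. The LNS side rejects anything that is not a data packet for the expected tunnel and session, and the result exposes the 40 bytes of header overhead the tunnel adds to every packet.

```python
import socket
import struct

L2TP_PORT = 1701
PPP_IPV4 = 0x0021         # PPP protocol number for an IPv4 payload
L2TP_DATA_FLAGS = 0x4002  # T=0 (data), L=1 (length present), Ver=2


def checksum(data):
    """Internet checksum (RFC 1071) over the given bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp(sport, dport, payload):
    # The UDP checksum is optional over IPv4 and left at zero to keep the focus on framing
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def lac_encapsulate(inner_ip, peer_tid, peer_sid, lac_ip, lns_ip, sport):
    """Step 2 on the LAC's VT interface: PPP framing, L2TP data header, UDP, outer IPv4."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_IPV4) + inner_ip   # HDLC address/control + protocol
    l2tp = struct.pack("!HHHH", L2TP_DATA_FLAGS, 8 + len(ppp), peer_tid, peer_sid) + ppp
    return ipv4(lac_ip, lns_ip, 17, udp(sport, L2TP_PORT, l2tp))


def lns_decapsulate(packet, expected_tid, expected_sid):
    """Step 3 on the LNS: strip the outer headers and hand back the inner IPv4 packet.
    Anything that is not a data packet for the expected tunnel/session is rejected."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    outer = (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]))
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != L2TP_PORT:
        raise ValueError("not addressed to UDP port 1701")
    l2tp = packet[ihl + 8:ihl + ulen]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if flags & 0x8000 or flags & 0x000F != 2:
        raise ValueError("control message or unknown version")
    off = 2
    if flags & 0x4000:                        # L bit: 16-bit length follows
        off += 2
    tid, sid = struct.unpack("!HH", l2tp[off:off + 4])
    off += 4
    if flags & 0x0800:                        # S bit: Ns/Nr may be present on data packets too
        off += 4
    if flags & 0x0200:                        # O bit: offset size, then that much padding
        off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]
    if (tid, sid) != (expected_tid, expected_sid):
        raise ValueError("no such tunnel/session on this LNS")
    ppp = l2tp[off:]
    if ppp[:2] == b"\xff\x03":                # address/control may also be compressed away
        ppp = ppp[2:]
    if struct.unpack("!H", ppp[:2])[0] != PPP_IPV4:
        raise ValueError("PPP payload is not IPv4")
    inner = ppp[2:]
    return {"outer": outer,
            "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
            "inner_ip": inner}


def demo():
    """Employee 10.1.1.1 -> server 192.168.1.1 through tunnel 1, session 77 (IDs from Figure 1,
    outer addresses from the Figure 5 walk-through). The 24-byte ICMP-like payload is constructed."""
    inner = ipv4("10.1.1.1", "192.168.1.1", 1, b"\x08\x00" + b"\x00" * 22)
    wire = lac_encapsulate(inner, peer_tid=1, peer_sid=77, lac_ip="1.1.1.1", lns_ip="2.2.2.1", sport=49152)
    result = lns_decapsulate(wire, expected_tid=1, expected_sid=77)
    result["overhead"] = len(wire) - len(inner)   # bytes added by outer IP, UDP, L2TP and PPP headers
    return result


if __name__ == "__main__":
    r = demo()
    print(f"outer {r['outer'][0]} -> {r['outer'][1]}, inner {r['inner'][0]} -> {r['inner'][1]}, "
          f"{r['overhead']} bytes of tunnel overhead")
```

Nothing in these headers is authenticated or encrypted; the decapsulation only checks that the IDs match an existing session, which is exactly why the NOTE above recommends running the tunnel over IPSec.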

Security Policy

  • Figure 3 shows the security zones that packets pass through on the LAC.
    When employees on the enterprise branch access an intranet server on the enterprise headquarters, the packets that pass through the LAC are classified into two types, and the security policy processes the two types of packets as follows:
    • Service packets sent by the employee to access the server at the enterprise headquarters

      The service packets enter the LAC from the Trust zone and are encapsulated by the VT interface, which resides in the DMZ, so they pass through the Trust zone and then the DMZ. The Trust zone and DMZ are used as an example: the interface connecting the LAC to the branch network resides in the Trust zone, and the VT interface on the LAC resides in the DMZ.

    • L2TP packets sent by the LAC

      The L2TP packets include the negotiation packets used for establishing an L2TP VPN tunnel and L2TP-encapsulated service packets. The L2TP packets pass through the Local and Untrust zones in sequence.

    Figure 3 Packet direction on the LAC
  • Figure 4 shows the security zones that packets pass through on the LNS.
    When employees on the enterprise branch access an intranet server on the enterprise headquarters, the packets that pass through the LNS are classified into two types, and the security policy processes the two types of packets as follows:
    • L2TP packets received by the LNS

      The L2TP packets include the negotiation packets exchanged by the LAC and LNS to establish the tunnel and the still-encapsulated service packets sent by the employee to access the server at the enterprise headquarters. These packets are transmitted from the Untrust zone to the Local zone.

    • Service packets sent by the employee to access the server at the enterprise headquarters

      The VT interface of the LNS decapsulates the L2TP packets and forwards the service packets to the Trust zone, where the target server at the headquarters resides. These packets are transmitted from the DMZ to the Trust zone.

    Figure 4 Packet direction on the LNS
Table 1 describes the matching conditions of the security policies on the LAC and LNS.
Table 1 Matching conditions of the security policies on the LAC and LNS

Traffic Direction                                | Device | Source Zone | Destination Zone | Source Address | Destination Address | Application
Employee in the branch -> server at headquarters | LAC    | Trust       | DMZ              | 10.1.1.0/24    | 192.168.1.0/24      | *
                                                 | LAC    | Local       | Untrust          | 1.1.1.1/32     | 1.1.1.2/32          | L2TP
                                                 | LNS    | Untrust     | Local            | 1.1.1.1/32     | 2.2.2.2/32          | L2TP
                                                 | LNS    | DMZ         | Trust            | 172.16.1.51/24 | 192.168.1.0/24      | *
Server at headquarters -> employee in the branch | LAC    | DMZ         | Trust            | 192.168.1.0/24 | 10.1.1.0/24         | *
                                                 | LNS    | Trust       | DMZ              | 192.168.1.0/24 | 172.16.1.51/24      | *

*: the application depends on the service type, which can be TCP, UDP, ICMP, or any other type of service packet.
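Table 1 turned into an executable policy check, added here as an example and not Huawei code. The rows are the table's own; the packets, the implicit deny at the end of the rule list, and the minimal application identification (L2TP taken to be UDP to port 1701) are constructed assumptions. Besides the page's own traffic it evaluates two packets the table does not mention, to show what the zone pairs and the L2TP-only rows keep away from the LNS and the headquarters server.

```python
import ipaddress

ANY = "*"
L2TP_PORT = 1701

# Table 1 rows: (device, source zone, destination zone, source address, destination address, application).
# Addresses are taken from the table as printed, so 172.16.1.51/24 is parsed with strict=False.
POLICY = [
    ("LAC", "Trust", "DMZ", "10.1.1.0/24", "192.168.1.0/24", ANY),
    ("LAC", "Local", "Untrust", "1.1.1.1/32", "1.1.1.2/32", "L2TP"),
    ("LNS", "Untrust", "Local", "1.1.1.1/32", "2.2.2.2/32", "L2TP"),
    ("LNS", "DMZ", "Trust", "172.16.1.51/24", "192.168.1.0/24", ANY),
    ("LAC", "DMZ", "Trust", "192.168.1.0/24", "10.1.1.0/24", ANY),
    ("LNS", "Trust", "DMZ", "192.168.1.0/24", "172.16.1.51/24", ANY),
]


def identify_application(pkt):
    """Tiny application identification (an assumption): L2TP is UDP to port 1701; anything
    else is reported as its transport protocol, so it can only match '*' rows."""
    if pkt["proto"] == "udp" and pkt["dport"] == L2TP_PORT:
        return "L2TP"
    return pkt["proto"].upper()


def evaluate(device, src_zone, dst_zone, pkt, policy=POLICY):
    """Return the index of the first matching row, or None for the implicit deny."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    app = identify_application(pkt)
    for idx, (dev, sz, dz, s_net, d_net, application) in enumerate(policy):
        if dev != device or (sz, dz) != (src_zone, dst_zone):
            continue
        if src not in ipaddress.ip_network(s_net, strict=False):
            continue
        if dst not in ipaddress.ip_network(d_net, strict=False):
            continue
        if application != ANY and application != app:
            continue
        return idx
    return None


def walk_through():
    """Constructed packets following the page's path, plus two that the table should drop."""
    cases = {
        # SCCRQ leaving the LAC: Local -> Untrust, UDP 1701
        "lac_sccrq": ("LAC", "Local", "Untrust",
                      {"src": "1.1.1.1", "dst": "1.1.1.2", "proto": "udp", "sport": 49152, "dport": 1701}),
        # the same negotiation arriving on the LNS: Untrust -> Local
        "lns_sccrq": ("LNS", "Untrust", "Local",
                      {"src": "1.1.1.1", "dst": "2.2.2.2", "proto": "udp", "sport": 49152, "dport": 1701}),
        # decapsulated service traffic on the LNS, sourced from the address assigned to the LAC
        "lns_service": ("LNS", "DMZ", "Trust",
                        {"src": "172.16.1.51", "dst": "192.168.1.1", "proto": "tcp", "sport": 51000, "dport": 443}),
        # an Internet host reaching for the headquarters server without the tunnel: no Untrust -> Trust row
        "direct_to_server": ("LNS", "Untrust", "Trust",
                             {"src": "1.1.1.1", "dst": "192.168.1.1", "proto": "tcp", "sport": 51000, "dport": 443}),
        # SSH from the Internet to the LNS itself: right zones, but the row only allows L2TP
        "ssh_to_lns": ("LNS", "Untrust", "Local",
                       {"src": "1.1.1.1", "dst": "2.2.2.2", "proto": "tcp", "sport": 51000, "dport": 22}),
    }
    return {name: evaluate(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in walk_through().items():
        outcome = f"permit by row {verdict}" if verdict is not None else "deny (no matching row)"
        print(f"{name:18} {outcome}")
```

A real firewall also matches the replies through its session table, which is why the table lists only the LAC-to-LNS direction for the L2TP rows.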

Source NAT on the LAC

In the scenario, a source NAT policy needs to be configured on the LAC to enable users to access desired resources. The source NAT policy does not affect the establishment of an L2TP VPN tunnel. As shown in Figure 5, an L2TP tunnel has been established between the LAC and LNS. The VT interface named VT1 on the LAC obtains IP address 172.16.1.1/24 from the LNS. The IP address of the VT interface named VT2 on the LNS is not used here.
Figure 5 Source NAT on the LAC

The preceding figure shows how an employee in the branch accesses a server at the enterprise headquarters, which illustrates the role the source NAT policy on the LAC plays in packet forwarding.
  1. The employee in the branch sends a packet to access a server on the enterprise headquarters. The source and destination addresses of the packet are 10.1.1.1 and 192.168.1.1 respectively.
  2. After receiving the packet, the LAC searches for the route whose destination address is 192.168.1.0/24 to forward the packet.

    The LAC finds that the outbound interface of the packet is VT1 and performs L2TP encapsulation for the packet. The source and destination addresses of the encapsulated packet are 1.1.1.1 and 2.2.2.1 respectively.

  3. The LAC searches its routing table for a route to forward the encapsulated L2TP packet. It uses the default route whose destination address is 0.0.0.0/0 to forward the packet to the Internet.
  4. After receiving the L2TP packet, the LNS decapsulates it and sends it to the server on the enterprise headquarters. The server on the enterprise headquarters sends a response packet to the LNS. The source and destination addresses of the response packet are 192.168.1.1 and 10.1.1.1 respectively.
  5. After receiving the response packet, the LNS searches for a route to forward the packet.

    The LNS has no route to network segment 10.1.1.0/24, so the response packet cannot be sent over the L2TP tunnel to the employee. Instead, the packet is forwarded to the Internet over the default route and is discarded there.

The source NAT policy on the LAC translates the source address (10.1.1.1) of the packet sent by the employee to the address of VT1 (172.16.1.1) on the LAC. The response packet from the server at the enterprise headquarters is then addressed to 172.16.1.1, which matches the UNR (user network route) on the LNS, so the response packet is sent over the L2TP tunnel to the employee in the branch. Configure source NAT as follows:
[LAC] nat-policy
[LAC-policy-nat] rule name policy1
[LAC-policy-nat-rule-policy1] egress-interface Virtual-Template vt1
[LAC-policy-nat-rule-policy1] source-address 10.1.1.0 24
[LAC-policy-nat-rule-policy1] action nat easy-ip
[LAC-policy-nat-rule-policy1] quit
[LAC-policy-nat] quit
You are not advised to add a route to the branch intranet on the LNS because:
  • If there are many subnets on the branch, lots of routes to the subnets need to be added on the LNS, which increases the network maintenance workload.
  • The addresses of branch subnets may change. Related routes on the LNS need to be modified, which increases network maintenance workload.
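The walk-through above as a small simulation, an added example rather than Huawei code: a longest-prefix routing table for each device, an easy-ip style source NAT rule bound to the VT1 egress on the LAC, and the request and reply path with the rule off and on. The addresses and the interface roles come from the description of Figure 5; the interface names, the port numbers, the port-allocation scheme and modelling the UNR as a /32 host route for the address assigned to the LAC are assumptions.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match lookup over (prefix, outbound interface) entries."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), out_if) for prefix, out_if in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, out_if in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best[1] if best else None


# Addresses from the page's Figure 5 walk-through; interface names are constructed.
LAC_ROUTES = RoutingTable([
    ("10.1.1.0/24", "GE-branch"),       # branch LAN
    ("192.168.1.0/24", "VT1"),          # headquarters LAN, reached through the tunnel
    ("0.0.0.0/0", "GE-internet"),       # default route that carries the encapsulated L2TP packets
])
LNS_ROUTES = RoutingTable([
    ("192.168.1.0/24", "GE-intranet"),  # headquarters LAN
    ("172.16.1.1/32", "VT2"),           # UNR for the address handed to the LAC (host route: an assumption)
    ("0.0.0.0/0", "GE-internet"),
])
VT1_ADDRESS = "172.16.1.1"


class EasyIpNat:
    """Source NAT that rewrites to the egress interface address, one entry per flow
    (the behaviour selected by 'action nat easy-ip'; the port allocation is a simplification)."""

    def __init__(self, egress_if, egress_addr, source_net):
        self.egress_if = egress_if
        self.egress_addr = egress_addr
        self.source_net = ipaddress.ip_network(source_net)
        self.forward = {}     # (original src, original sport) -> translated sport
        self.reverse = {}     # translated sport -> (original src, original sport)
        self.next_port = 10240

    def outbound(self, pkt, egress_if):
        if egress_if != self.egress_if or ipaddress.ip_address(pkt["src"]) not in self.source_net:
            return pkt                                 # rule does not apply; forward unchanged
        key = (pkt["src"], pkt["sport"])
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": self.egress_addr, "sport": self.forward[key]}

    def inbound(self, pkt):
        if pkt["dst"] == self.egress_addr and pkt["dport"] in self.reverse:
            src, sport = self.reverse[pkt["dport"]]
            return {**pkt, "dst": src, "dport": sport}
        return pkt


def request_and_reply(use_nat):
    """Steps 1 to 5 of the walk-through; returns where the LNS sends the reply."""
    nat = EasyIpNat("VT1", VT1_ADDRESS, "10.1.1.0/24") if use_nat else None
    request = {"src": "10.1.1.1", "dst": "192.168.1.1", "sport": 51000, "dport": 80}
    lac_egress = LAC_ROUTES.lookup(request["dst"])           # step 2: VT1, hence L2TP encapsulation
    if nat:
        request = nat.outbound(request, lac_egress)          # source NAT applied on the VT1 egress
    # step 4: the server answers whatever source address it saw
    reply = {"src": request["dst"], "dst": request["src"], "sport": request["dport"], "dport": request["sport"]}
    lns_egress = LNS_ROUTES.lookup(reply["dst"])              # step 5
    delivered = lns_egress == "VT2"                           # only the tunnel leads back to the branch
    if delivered and nat:
        reply = nat.inbound(reply)                             # LAC restores the employee's address
    return {"lac_egress": lac_egress, "lns_egress": lns_egress, "delivered": delivered,
            "server_saw": request["src"], "reply_dst": reply["dst"]}


if __name__ == "__main__":
    for flag in (False, True):
        r = request_and_reply(flag)
        print(f"source NAT {'on ' if flag else 'off'}: server saw {r['server_saw']}, "
              f"LNS routes the reply to {r['lns_egress']}, delivered={r['delivered']}")
```

With the rule off, the reply to 10.1.1.1 only matches the default route on the LNS and leaves for the Internet, exactly the failure of step 5; with the rule on, the server only ever sees 172.16.1.1, so the LNS needs no knowledge of the branch subnets.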
Copyright © Huawei Technologies Co., Ltd.