
Chapter 4. Troubleshooting the Layer 2 Tunneling Protocol Version 2 VPNs

Layer Two Tunneling Protocol (L2TP) version 2 is defined in RFC 2661 and combines the best features of Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP). L2TP, like L2F and PPTP, is designed to separate the functionality of the traditional Network Access Server (NAS). Calls from remote access clients are terminated at a local access concentrator known as the L2TP Access Concentrator (LAC), but PPP connections are terminated on a separate device called an L2TP Network Server (LNS). PPP connections are tunneled from the LAC to the LNS over an intervening network.

This separation of traditional NAS functionality can potentially lead to cost savings because calls no longer need to be made directly to a distant NAS but, instead, can be made to a LAC at the local service provider Point-of-Presence (POP).

It is worth noting that the LAC could, for example, be a traditional dial-in access server or could be a digital subscriber line access multiplexer (DSLAM).

The functionality of L2TP can be extended to allow separate links in a Multilink PPP group to be terminated on different NASs and then bundled together by tunneling them to one device using L2TP. On Cisco routers, Multichassis Multilink PPP (MMP) provides this functionality.

L2TP operates in two different modes, compulsory tunnel mode and voluntary tunnel mode. In compulsory tunnel mode, the LAC terminates calls from remote access clients locally and tunnels their PPP sessions across the intervening network to an LNS. This mode does not require the remote access clients to have any knowledge of L2TP. Remote access clients simply need to dial into the LAC using PPP.

Figure 4-1 illustrates compulsory tunnel mode.

Figure 4-1. L2TP Compulsory Tunnel Mode


In voluntary tunnel mode, on the other hand, remote access clients run L2TP software natively and function as the LAC in the L2TP connection model. The remote access client/LAC (referred to as the "LAC Client" in RFC 2661) connects to the LNS, and PPP frames are tunneled through the L2TP tunnel directly between the client and the LNS.

Figure 4-2 illustrates voluntary tunnel mode.

Figure 4-2. L2TP Voluntary Tunnel Mode


As previously mentioned, L2TPv2 is derived from L2F and PPTP. Some of the main similarities and differences between L2TPv2 and L2F/PPTP are as follows:

  • L2F was developed by Cisco Systems, and PPTP was developed by a consortium of vendors. L2TPv2 is an industry standard and was developed within the Internet Engineering Task Force (IETF).

  • L2TP is more easily extensible than L2F and PPTP because L2TP control messages are made up of attribute-value-pairs (AVPs).

  • L2TPv2 and PPTP are designed to tunnel PPP. L2F, on the other hand, can tunnel both PPP and SLIP.

    Note that L2TPv3 is designed to tunnel a wide variety of Layer 2 protocols; see Chapter 5, "Troubleshooting L2TPv3 Based VPNs," for more details.

  • L2TPv2 is similar to L2F with regard to its control connection. In both L2TP and L2F, control messages are transmitted in-band (using the same transport mechanism as data messages, UDP in an IP network), whereas in PPTP, control messages are transmitted out-of-band over a separate TCP connection.

  • Both L2TPv2 and PPTP include the capability to make outgoing calls, whereas L2F does not.

  • L2TPv2 and PPTP can operate in both compulsory and voluntary tunnel modes. L2F, on the other hand, can operate only in compulsory tunnel mode.

  • Both L2TPv2 and L2F support authentication of tunnel endpoints (LAC/LNS and L2F NAS/Home Gateway in L2TPv2 and L2F, respectively) during tunnel setup, whereas PPTP does not (it relies on authentication of PPP peers instead).

  • L2TPv2 and L2F both transport data and control messages over UDP in an IP network (using UDP port 1701). The L2TPv2 and L2F headers are both derived from Generic Routing Encapsulation (GRE). PPTP data messages are transported over Enhanced GRE (IP protocol 47), and PPTP control messages are transported over TCP (using port 1723).

  • Reliable delivery of control messages is included in L2TPv2, PPTP, and L2F, but is implemented in different ways. L2TP uses either implicit or explicit acknowledgment, and PPTP control messages are delivered over an inherently reliable TCP connection. In L2F, control messages are exchanged in lock-step.

  • L2TPv2 uses similar control messages to PPTP.

  • The LAC and the L2F NAS (the functional equivalent of the LAC) both have the ability to negotiate LCP and authenticate the remote access client, and then pass this information to the LNS or the L2F Home Gateway (the functional equivalent of the LNS). PPTP has no such capability.

  • L2TPv2 has the built-in capability to hide the content of control messages (AVP hiding), whereas L2F and PPTP do not.
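Several of the points above (the UDP/1701 transport, the GRE-derived header, the AVP-based control messages, the Ns/Nr fields that carry the explicit and implicit acknowledgments, and AVP hiding) are easier to see on the wire than in prose. The following Python decoder is an added example, not code from the book or from any Cisco implementation. It parses the RFC 2661 common header, distinguishes control from data messages, walks the AVP list of a control message, and goes one step beyond the bullet on AVP hiding by implementing the RFC 2661 section 4.3 hide/unhide transform (MD5 keystream chained on the ciphertext blocks, seeded by the shared tunnel secret and the Random Vector AVP). The SCCRQ datagram, the shared secret `tunnel-password`, the Random Vector and the host name `lac.example` are all constructed sample values; the header and AVP bit layouts, attribute numbers and message-type values come from RFC 2661.

```python
"""Decode L2TPv2 (RFC 2661) datagrams: common header, then the AVPs of a
control message, un-hiding any AVP whose H bit is set.  Added example; the
secret, Random Vector, host name and SCCRQ below are constructed."""
import hashlib
import struct

# Message Type AVP (attribute 0) values, RFC 2661 section 3.2
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
RANDOM_VECTOR = 36  # attribute type that must precede any hidden AVP


def parse_header(pkt):
    """Return (header dict, payload offset); reject malformed control headers."""
    flags = struct.unpack("!H", pkt[:2])[0]
    t, l, s = bool(flags & 0x8000), bool(flags & 0x4000), bool(flags & 0x0800)
    o, p, ver = bool(flags & 0x0200), bool(flags & 0x0100), flags & 0x000F
    if ver != 2:
        raise ValueError(f"not L2TPv2 (Ver={ver})")
    if t and (not l or not s or o or p):  # RFC 2661 rules for control messages
        raise ValueError("control message must set T, L, S and clear O, P")
    hdr, off = {"control": t}, 2
    if l:  # Length is optional on data messages, mandatory on control messages
        hdr["length"] = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 2
        if hdr["length"] > len(pkt):
            raise ValueError("Length field exceeds datagram")
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if s:  # Ns/Nr drive the reliable control channel (explicit or implicit ACK)
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
    if o:  # Offset Size plus padding; data messages only
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    return hdr, off


def _key_block(attr, secret, rv, prev_cipher):
    """RFC 2661 4.3 keystream: b(1)=MD5(attr||S||RV), b(i)=MD5(S||c(i-1))."""
    if prev_cipher is None:
        return hashlib.md5(struct.pack("!H", attr) + secret + rv).digest()
    return hashlib.md5(secret + prev_cipher).digest()


def hide(attr, value, secret, rv, pad=0):
    """Hidden form: (original length || value || padding) XOR keystream."""
    plain = struct.pack("!H", len(value)) + value + bytes(pad)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        key = _key_block(attr, secret, rv, prev)
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out


def unhide(attr, hidden, secret, rv):
    """Reverse hide(); the keystream chains on the ciphertext blocks."""
    plain, prev = b"", None
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(chunk, _key_block(attr, secret, rv, prev)))
        prev = chunk
    orig_len = struct.unpack("!H", plain[:2])[0]
    if orig_len > len(plain) - 2:
        raise ValueError("hidden AVP length inconsistent (wrong secret?)")
    return plain[2:2 + orig_len]


def parse_avps(payload, secret=None):
    """Walk the AVP list; un-hide H-bit AVPs once a Random Vector has been seen."""
    avps, off, rv = [], 0, None
    while off < len(payload):
        if off + 6 > len(payload):
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", payload[off:off + 6])
        m, h = bool(flags_len & 0x8000), bool(flags_len & 0x4000)
        length = flags_len & 0x03FF  # 10-bit length includes the 6-byte AVP header
        if length < 6 or off + length > len(payload):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        value = payload[off + 6:off + length]
        if h:
            if secret is None or rv is None:
                raise ValueError("hidden AVP but no shared secret / Random Vector")
            value = unhide(attr, value, secret, rv)
        if vendor == 0 and attr == RANDOM_VECTOR:
            rv = value
        avps.append({"mandatory": m, "hidden": h, "vendor": vendor, "attr": attr, "value": value})
        off += length
    return avps


def decode(pkt, secret=None):
    """Header plus AVPs for a control message; a data message carries a PPP frame."""
    hdr, off = parse_header(pkt)
    if not hdr["control"]:
        return hdr, pkt[off:hdr.get("length", len(pkt))]
    return hdr, parse_avps(pkt[off:hdr["length"]], secret)


def message_type(avps):
    for a in avps:
        if a["vendor"] == 0 and a["attr"] == 0:
            return MESSAGE_TYPES.get(struct.unpack("!H", a["value"])[0], "unknown")
    return None


def build_avp(attr, value, mandatory=True, hidden=False):
    flags = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr) + value


# Constructed SCCRQ (LAC -> LNS, tunnel ID 0, Ns=Nr=0) used as sample input
SECRET, RV = b"tunnel-password", bytes(range(16))
SAMPLE_SCCRQ = struct.pack("!HHHHHH", 0xC802, 0, 0, 0, 0, 0) + b"".join([  # T|L|S|Ver=2
    build_avp(0, struct.pack("!H", 1)),            # Message Type = SCCRQ
    build_avp(2, b"\x01\x00"),                     # Protocol Version 1.0
    build_avp(RANDOM_VECTOR, RV),
    build_avp(7, hide(7, b"lac.example", SECRET, RV, pad=5), hidden=True),  # hidden Host Name
    build_avp(9, struct.pack("!H", 7)),            # Assigned Tunnel ID
])
SAMPLE_SCCRQ = SAMPLE_SCCRQ[:2] + struct.pack("!H", len(SAMPLE_SCCRQ)) + SAMPLE_SCCRQ[4:]

if __name__ == "__main__":
    hdr, avps = decode(SAMPLE_SCCRQ, SECRET)
    print(hdr, message_type(avps), [(a["attr"], a["value"]) for a in avps])
```

Two things in this decoder are worth keeping in mind when troubleshooting a tunnel that fails during setup: a control message that arrives without the L and S bits, or with a Length field larger than the UDP payload, is rejected outright, and a hidden AVP can only be recovered if both the Random Vector AVP precedes it and the tunnel secret on the decoding side matches the one the peer used, which is why a mismatched tunnel password typically shows up as an unusable or rejected Host Name or Challenge AVP rather than a clean authentication failure.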

It is not the purpose of this book to provide an exhaustive examination of the operation and configuration of the L2TP protocol, but it is useful to provide a review so that you have a good basis for the troubleshooting section that follows. This review is provided in the next section.

