Configuring the L2TP tunnel

With LANconfig, you configure L2TP under Communication > Remote sites > L2TP.

The tunnel configuration for the control data of an L2TP tunnel to a tunnel endpoint is located under L2TP endpoints.

Name
Name of the tunnel endpoint.
L2TP tunnel active
Enables the configured L2TP tunnel.
L2TP version
The L2TP protocol version used, either version 2 or 3.
Important: Ethernet tunnels are only possible with version 3. In this case, be sure to set the protocol "L2TPv3" here.
Note: L2TPv3 in LCOS is always encapsulated in UDP. This allows transmissions to pass through NAT gateways without problems.
IP address
IP address of the tunnel endpoint (IPv4, IPv6, FQDN).
Note: Leaving this field blank when the L2TPv3 protocol is selected makes this field into a "wildcard" entry that can accept connections from any remote site.
Routing tag
The routing tag of the route to the tunnel endpoint.
Note: If a loopback address is entered as the source address and the routing tag has a value of "0", the device uses the routing tag of the loopback address.
Port
UDP port
Polling interval
Polling interval in seconds
Host name
Name used by the device to authenticate at the tunnel endpoint
Password
Password used by the device to authenticate at the tunnel endpoint
Authenticate remote end
Enable this option if the two tunnel endpoints (LAC and LNS) are required to mutually authenticate one another before establishing a tunnel. In this case, the tunnel endpoint name and password of this device are configured at the tunnel endpoint as well, and the option Authenticate remote end is likewise enabled there.
Obfuscate tunnel negotiation
Enable this option if the tunnel negotiations between the LAC and the LNS are to be encrypted. The two L2TP partners then encrypt and decrypt certain AVPs (attribute value pairs) of the L2TP messages with the help of a common preshared secret.
Source address
Here you can optionally specify a source address for the device to use instead of the one that would otherwise be selected automatically. Possible values are:
  • Name of the IP networks whose addresses are to be used.
  • "INT" for the address of the first intranet
  • "DMZ" for the address of the first DMZ
  • LB0 to LBF for the 16 loopback addresses
  • Any valid IP address
Note: If the list of IP networks or loopback addresses contains an entry named "DMZ", then the associated IP address will be used.
Important: If the source address set here is a loopback address, this will be used unmasked even on masked remote clients.
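The AVP hiding behind "Obfuscate tunnel negotiation" is, for L2TPv2, the hidden-AVP scheme of RFC 2661 section 4.3: a keystream derived with MD5 from the attribute number, the preshared secret and the Random Vector AVP (attribute 36) is XORed over the length-prefixed value, block by block, with each further block keyed from the previous ciphertext block. The following Python example is added here and is not LCOS code; the host name (AVP 7), the secret and the random vector are constructed sample values, and whether LCOS applies exactly this construction for L2TPv3 is not stated on this page.

```python
import hashlib
import struct

# RFC 2661 attribute numbers used below (constructed example, not LCOS code).
AVP_HOST_NAME = 7      # the value a LAC sends to identify itself
AVP_RANDOM_VECTOR = 36 # must precede any hidden AVP in the same message


def hide_avp(attr_type: int, value: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Hide an AVP value as in RFC 2661 section 4.3.

    Plaintext p = 2-byte original length + value + padding (zero padding to a
    multiple of 16 octets is our choice; the RFC only says padding may be added
    to disguise the true length).  Keystream blocks:
        b(1) = MD5(A + S + RV)       c(1) = p(1) XOR b(1)
        b(i) = MD5(S + c(i-1))       c(i) = p(i) XOR b(i)
    where A is the 2-byte attribute number, S the secret, RV the random vector.
    """
    plain = struct.pack("!H", len(value)) + value
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    block = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    for i in range(0, len(plain), 16):
        chunk = bytes(p ^ k for p, k in zip(plain[i:i + 16], block))
        out += chunk
        block = hashlib.md5(secret + chunk).digest()  # chain on the ciphertext
    return bytes(out)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Reverse hide_avp; the receiver must know the same secret and random vector."""
    plain = bytearray()
    block = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, block))
        block = hashlib.md5(secret + chunk).digest()
    if len(plain) < 2:
        raise ValueError("hidden AVP too short for a length prefix")
    orig_len = struct.unpack("!H", bytes(plain[:2]))[0]
    if orig_len > len(plain) - 2:
        raise ValueError("hidden AVP length prefix exceeds payload (wrong secret?)")
    return bytes(plain[2:2 + orig_len])


if __name__ == "__main__":
    rv = bytes(range(16))  # constructed Random Vector; a real one is random per message
    hidden = hide_avp(AVP_HOST_NAME, b"lac-branch-01", b"preshared", rv)
    print(hidden.hex(), unhide_avp(AVP_HOST_NAME, hidden, b"preshared", rv))
```

Hiding only obscures the values carried in the control channel against casual reading; it does not protect the tunnelled payload, which is why the page points to IPsec for encrypting the L2TP sessions.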

From LCOS 10.20, layer-3 Ethernet tunnels can be configured to use L2TPv3. The configuration is done in the L2TP endpoint table described above and in the L2TP Ethernet table described below. For a corresponding scenario, see Configuring a WLAN scenario for bridging payload data to the central site. If you specify an IP address or a host name, an attempt is made to establish a connection. If the corresponding field is left blank, no connection is established, but connections can be accepted. Configured properties such as the station name or password are checked by the remote site when the connection is established.

Note: A number of implicit dependencies during the connection establishment and authentication are not directly apparent, so we will enlarge on these here:

Under L2TP list, you make the link between the L2TP remote sites and a previously configured tunnel endpoint.

An entry in this table is necessary only under the following conditions:
Remote site
Name of the L2TP remote device
L2TP endpoint
Name of the tunnel endpoint used by this remote site.
Short hold time
Determines how long the L2TP tunnel endpoint keeps the tunnel open when inactive.
IPv6
This entry specifies the name of the IPv6 WAN interface. Leaving this entry blank causes IPv6 to be disabled for this interface. The IPv6 remote sites are configured under IPv6 > General > WAN interfaces.

Under L2TP Ethernet you link L2TPv3 sessions with one of the 16 L2TP virtual Ethernet interfaces. The L2TP virtual Ethernet interfaces can then be used elsewhere in the configuration, e.g. in the LAN bridge for linking to WLAN or LAN interfaces.

Remote site
Here you configure the name used to assign the Ethernet tunnel to the remote site. For each Ethernet tunnel, this name must be identical at both ends.
L2TP endpoint
Here you configure the name of the L2TP endpoint configured in the L2TP endpoints table. This causes an Ethernet tunnel session to be established via this endpoint. If connections are only to be accepted, and not actively established from this end, leaving this field blank allows sessions to be accepted over any endpoint. Such sessions still have to run via an endpoint from the L2TP endpoints table that has been accepted or established. This can be useful in scenarios where not every endpoint on the receiving side should be configured separately.
Interface
The virtual L2TP Ethernet interface to be used for the L2TPv3 session.

In the case of incoming tunnel requests, a check is performed either by RADIUS or by means of an entry for the requesting host in the L2TP endpoints table. If the table contains an entry with the same IP address (or no IP address is specified for this entry), the device permits tunnel establishment to this host.

For additional protection, for example to enforce encryption of the L2TP sessions via IPsec, the device can additionally check the routing tag of the remote site from which it received the data. This check is enabled with the option L2TP source routing tag check enabled.
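To make the acceptance rules above concrete, the following Python model is added here (it is not LCOS code and does not model the RADIUS path): an incoming request is matched against the L2TP endpoints table, where an entry with the same IP address permits the tunnel, an entry with a blank IP address acts as a wildcard only for L2TPv3 (see the note on the IP address field), and the optional source routing tag check additionally requires the entry's routing tag to match the tag of the interface the request arrived on. Giving exact-address entries precedence over wildcard entries is our assumption, and the table contents are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class L2tpEndpoint:
    name: str
    version: int          # L2TP version 2 or 3
    ip_address: str       # "" = accept from any remote site (L2TPv3 only)
    routing_tag: int = 0


def match_incoming(table: List[L2tpEndpoint], peer_ip: str, peer_tag: int,
                   source_tag_check: bool = False) -> Optional[L2tpEndpoint]:
    """Return the endpoint entry that permits a tunnel from peer_ip, else None.

    Exact-address entries are tried before wildcard entries (our assumption),
    and with source_tag_check the entry's routing tag must equal the tag under
    which the request was received.
    """
    exact = [ep for ep in table if ep.ip_address == peer_ip]
    wildcard = [ep for ep in table if ep.ip_address == "" and ep.version == 3]
    for ep in exact + wildcard:
        if source_tag_check and ep.routing_tag != peer_tag:
            continue
        return ep
    return None


# Constructed sample table: a named L2TPv3 peer, a wildcard L2TPv3 entry bound
# to routing tag 5 (e.g. the IPsec-protected path), and an L2TPv2 entry with a
# blank address, which is not a wildcard because wildcards need version 3.
SAMPLE_TABLE = [
    L2tpEndpoint("HQ", 3, "203.0.113.10", 0),
    L2tpEndpoint("ANY-V3", 3, "", 5),
    L2tpEndpoint("LEGACY-V2", 2, "", 0),
]


def accepted_name(peer_ip: str, peer_tag: int, source_tag_check: bool) -> Optional[str]:
    ep = match_incoming(SAMPLE_TABLE, peer_ip, peer_tag, source_tag_check)
    return ep.name if ep else None
```

Without the routing tag check, the wildcard entry admits any L2TPv3 peer; enabling it restricts the wildcard to requests arriving under routing tag 5.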

You have the option to configure up to 32 additional gateways per tunnel endpoint by clicking on Further remote endpoints.

Important: Ensure that all additionally specified L2TP endpoints are configured identically to the referenced tunnel endpoint.
L2TP endpoint
Name of the tunnel endpoint, as configured in the table of L2TP endpoints.
Begin with L2TP endpoint
Option for selecting the next gateway. The following options are available:
  • Last used: Select the last successful address
  • First: Select the first gateway in the list
  • Random: Random selection from the gateways in the list

On the following tabs you configure the names and the respective routing tags of the alternative gateways.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de