RFI L2TP VPN Quick reference guide

G-router/C-router
Universal GSM or CDMA to RS-232 and Ethernet Gateway
L2TP VPN Deployment Guide

Author: RFI
Document Version: L2TP VPN Deployment Guide v1.1
Date: 17-06-2010
Covering Product code: G-router, C-router

Contents
1 Introduction ........................................ 3
1.1 Purpose ........................................... 3
1.2 Prerequisites ..................................... 3
1.3 Terminology ....................................... 3
2 Setup ............................................... 4
2.1 Configuring the L2TP Setup ........................ 4
2.2 Hostname Parameters ............................... 5
2.3 L2TP LNS Settings ................................. 5
2.4 PPP Session Settings .............................. 6
2.5 Controlling L2TP Tunnel Keepalive ................. 8
2.6 Enabling the L2TP Tunnel .......................... 8
Revision History
Revision  Reason                                 Author         Date
1.0       First version                          Michel Stam    11-06-2010
1.1       Updated with diagrams and screenshots  Ivo van ing    17-06-2010
Disclaimer
The specifications and information regarding the products in this document are subject to change
without notice. All statements, information, and recommendations in this document are believed
to be accurate but are presented without warranty of any kind, express or implied. Users must
take full responsibility for their application of any products.
Notwithstanding any other warranty herein, all document files and software are provided “as is”
with all faults. RFI Engineering B.V. disclaims all warranties, expressed or implied, including,
without limitation, those of merchantability, fitness for a particular purpose and noninfringement
or arising from a course of dealing, usage, or trade practice.
In no event shall RFI Engineering B.V. or its suppliers be liable for any indirect, special,
consequential, or incidental damages, including, without limitation, lost profits or loss or damage
to data arising out of the use or inability to use this manual, even if RFI Engineering B.V. or its
suppliers have been advised of the possibility of such damages.
© 2010-2011 RFI Engineering B.V.
L2TP VPN Deployment Guide, version 1.1

The information contained in this document is subject to change. This document contains proprietary information, which is protected by copyright
laws. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language or program language
without prior written consent of RFI Engineering B.V.
Page: 3(8)
1 Introduction
This document describes how to set up an L2TP (VPN) connection between a G-router/C-router
and a Cisco LNS.
1.1 Purpose
Devices such as the G-router and the C-router, which communicate via a mobile network such as
GSM or CDMA, set up a packet-oriented data connection to the Internet using GPRS or CDMA1x.
As Internet connectivity becomes more popular in mobile networks, some mobile network
operators (MNOs) prefer to minimise the number of IP addresses they use by deploying NAT
(Network Address Translation), which lets many users share a single public Internet IP address
for outbound traffic. Each user has a different "private" IP address but shares the same
"public" IP address.
From the Internet, traffic can only be routed to the public IP address. The NAT has no mapping
for connections that were not initiated from the inside, so such traffic cannot transit to a
selected private address; reaching e.g. the serial port of a C-router or G-router from outside
is therefore not feasible.
When a Telco deploys the G-router or C-router on many sites to monitor CPE configurations, the
problem can be overcome by installing a Telco-specific APN in the mobile network, through which
each router is identified and reachable. When only a small number is deployed, e.g. for a pilot
test over a few sites, setting up a dedicated APN may not be attractive.
An alternative that allows communication to be established from either side is a VPN tunnel
between each router and the Telco's VPN server, as VPN servers are far more commonplace and
economical than an APN. For this purpose, L2TP (Layer 2 Tunneling Protocol) VPN client support
was added to the feature set of the G-router and C-router. Network service providers can then
reach the C-router or G-router directly through their own L2TP VPN server: the router
establishes the VPN connection to the server independently and automatically, and the tunnel
allows two-way communication regardless of any NAT the MNO may use.
For security purposes, tunnel authentication and session authentication are provided,
respectively, by a shared secret and by username/password authentication using the PAP and
MS-CHAP protocols. Note that L2TP by itself provides authentication only, not encryption: the
tunnel makes the router reachable behind NAT, but the traffic inside it is as exposed as it is
on the mobile network.
1.2 Prerequisites
• C-router or G-router firmware version 1.2.0 or later
• A Cisco router supporting L2TP and VPDN tunnel termination.
• This document assumes that the reader is familiar with Cisco IOS router configuration.
The network configuration in this document was tested using a G-router running software
version 1.2.0 and a Cisco 2651XM running Cisco IOS Release 12.3.
1.3 Terminology
The C-router and G-router can establish an L2TP VPN connection to a central VPN router. The
terminating end of the L2TP tunnel is called the LNS (L2TP Network Server); the client end is
called the LAC (L2TP Access Concentrator). Either end may initiate the tunnel; the direction of
a connection names the initiating end and is always given from the point of view of the LNS, so
a tunnel brought up by the LAC is "inbound". On top of the L2TP tunnel a PPP session is
established, and it is the PPP session that carries the IP traffic.

2 Setup
The setup in this document details a LAIC (LAC Inbound) connection to an LNS. This is chosen
deliberately: the C-router or G-router initiates the connection to the LNS, and the LNS handles
the authentication. Since cellular network operators may save on IP addresses by using NAT and
assigning so-called private IP addresses to mobile devices, this allows a VPN connection without
the mobile device needing a public IP address.
For authentication purposes a RADIUS server is assumed, but its implementation is left to the
customer. Note that after all settings have been changed, the C-router/G-router must be
rebooted for the changes to take effect.
Figure 1: Setting up a LAC Inbound connection to a L2TP Network Server
2.1 Configuring the L2TP Setup
The Cisco router is deployed using the sample configuration below. The original marks the
L2TP-relevant lines in bold: the hostname and domain name, the vpdn section, interfaces
Loopback0 and Virtual-Template1, and the local address pool; each is explained in the following
sections. The sample is deliberately minimal: with 'no service password-encryption' the
'username admin password 0' entry, the 'l2tp tunnel password' and any RADIUS key are stored in
cleartext in the configuration, and 'ip http server' with 'no ip http secure-server' leaves
plaintext HTTP management enabled. A production deployment should revisit these.
version 12.3
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
!
hostname l2tp
!
boot-start-marker
boot system flash c2600-advsecurityk9-mz.123-26.bin
boot-end-marker
!
enable secret 0 SECRET
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100

ip domain name rfi-engineering.com
vpdn enable
!
vpdn-group SDR-Access
! Default L2TP VPDN group
description Smart Data Router Access
accept-dialin
protocol l2tp
virtual-template 1
session-limit 32767
l2tp sequencing
l2tp tunnel password 0 TUNNELPASS
l2tp tunnel timeout no-session 5
!
!
!
username admin password 0 PASSWORD
!
!
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1
mtu 1516
ip unnumbered Loopback0
peer default ip address pool lac
!
ip local pool lac 10.0.0.2 10.0.0.99
ip classless
ip route 0.0.0.0 0.0.0.0 DEFAULTGATEWAY
ip http server
no ip http secure-server
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
!
end
2.2 Hostname Parameters
The following settings are used by the L2TP software running on the Cisco to present a name to
the C/G-router during negotiation. Make sure that these are set. The IP configuration of the
router is equally important, but it is left as an exercise for the administrator.
hostname l2tp
ip domain name rfi-engineering.com
2.3 L2TP LNS Settings
Next are the L2TP LNS settings:
vpdn enable
!
vpdn-group SDR-Access
! Default L2TP VPDN group
description Smart Data Router Access
accept-dialin
protocol l2tp
virtual-template 1

session-limit 32767
l2tp sequencing
l2tp tunnel password 0 TUNNELPASS
l2tp tunnel timeout no-session 5
The first setting to apply is 'vpdn enable'. Among other things, this enables the Cisco
router's ability to act as an LNS. Then a so-called VPDN group is configured with the
parameters for establishing an L2TP tunnel.
The first entry gives the vpdn-group its name. Since only one vpdn-group is defined in this
example, the name is cosmetic, as is the 'description' parameter.
'accept-dialin' indicates that the LAC is allowed to initiate the L2TP tunnel, and 'protocol
l2tp' selects the tunneling protocol (the Cisco supports several; L2TP is one of them).
'virtual-template 1' indicates that the settings for the PPP session running over the L2TP
tunnel are taken from the Virtual-Template 1 interface.
'session-limit' sets the maximum number of sessions that can be established to the LNS; change
it to suit your setup. L2TP sequencing can be enabled with the 'l2tp sequencing' command; it is
not mandatory for operation with an RFI C-router/G-router LAC.
The L2TP tunnel secret is set with the 'l2tp tunnel password' command. It must be identical to
the value entered under Configuration→Network Configuration→L2TP VPN→Tunnel Secret. If no
tunnel secret is used, that field must be left empty and the secret and tunnel authentication
must be removed from the vpdn-group on the Cisco router, entering the following from privileged
EXEC mode:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#vpdn-group SDR-Access
Router(config-vpdn)#no l2tp tunnel password
Router(config-vpdn)#no l2tp tunnel authentication
Router(config-vpdn)#^Z
Router#
Bear in mind that without tunnel authentication any host that can reach the LNS on UDP port
1701 can bring up an L2TP tunnel, and the PPP session authentication of section 2.4 becomes the
only check; keep the tunnel secret unless there is a specific reason not to.
It is recommended (but not required) to set a tunnel timeout with the 'l2tp tunnel timeout
no-session' command. This ensures that L2TP tunnels without a corresponding PPP session are
torn down by the router.
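The following is an added example, written for this edit and not code from RFI or Cisco, showing what the tunnel secret actually protects: the RFC 2661 SCCRQ → SCCRP → SCCCN exchange with the Challenge and Challenge Response AVPs computed on both ends. Each side proves it knows the 'l2tp tunnel password' before the tunnel is considered up. The LNS hostname 'l2tp' and the secret TUNNELPASS come from the sample configuration; the LAC hostname, tunnel IDs and challenge values are constructed for the example, AVP hiding and the rest of the control state machine (acknowledgements, retransmission, StopCCN) are left out.

```python
import hashlib
import hmac
import struct

# RFC 2661 control message types and IETF AVP attribute types used during tunnel setup
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAP = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9
AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 11, 13
CONTROL_FLAGS = 0xC802  # T=1 (control), L=1 (length present), S=1 (Ns/Nr present), version 2


def avp(attr_type, value, mandatory=True):
    """Encode one IETF (vendor ID 0) AVP: M/H flag bits + 10-bit length, vendor ID, type, value."""
    flags = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value


def build_control(tunnel_id, ns, nr, avps):
    """L2TPv2 control message: 12-byte header (session ID 0 for tunnel-level messages) + AVPs."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", CONTROL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control(packet):
    """Decode header and IETF AVPs, refusing any declared length that does not fit the datagram."""
    if len(packet) < 12:
        raise ValueError("short L2TP control message")
    flags, length, tunnel_id, _session_id, ns, nr = struct.unpack("!HHHHHH", packet[:12])
    if flags != CONTROL_FLAGS or length != len(packet):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, pos = {}, 12
    while pos < length:
        if pos + 6 > length:
            raise ValueError("truncated AVP header")
        aflags, vendor, attr_type = struct.unpack("!HHH", packet[pos:pos + 6])
        alen = aflags & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("AVP length runs past the end of the message")
        if vendor == 0:  # vendor-specific AVPs are ignored; AVP hiding (H bit) is not handled here
            avps[attr_type] = packet[pos + 6:pos + alen]
        pos += alen
    return {"tunnel_id": tunnel_id, "ns": ns, "nr": nr, "avps": avps}


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 4.4.3: CHAP-style MD5 over (message type as the 1-byte ID || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def simulate_tunnel_setup(lac_secret, lns_secret, lac_challenge, lns_challenge):
    """SCCRQ -> SCCRP -> SCCCN with tunnel authentication on both ends. Returns True only when
    each side accepts the other's Challenge Response, i.e. both hold the same tunnel password.
    Challenges are parameters so the run is repeatable; a real endpoint draws them from a CSPRNG."""
    # LAC -> LNS: SCCRQ; header tunnel ID is 0 because the LNS has not assigned one yet
    sccrq = build_control(0, 0, 0, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
        avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),             # version 1, revision 0
        avp(AVP_FRAMING_CAP, struct.pack("!I", 0x3)),        # sync + async framing
        avp(AVP_HOST_NAME, b"g-router"),                     # constructed LAC name
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 41)),  # constructed LAC-side tunnel ID
        avp(AVP_CHALLENGE, lac_challenge),
    ])
    req = parse_control(sccrq)
    lac_tid = struct.unpack("!H", req["avps"][AVP_ASSIGNED_TUNNEL_ID])[0]

    # LNS -> LAC: SCCRP answers the LAC's challenge (ID byte = 2) and carries its own; Nr=1 acks SCCRQ
    sccrp = build_control(lac_tid, 0, 1, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
        avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        avp(AVP_FRAMING_CAP, struct.pack("!I", 0x3)),
        avp(AVP_HOST_NAME, b"l2tp"),                         # 'hostname l2tp' from the sample config
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7)),   # constructed LNS-side tunnel ID
        avp(AVP_CHALLENGE, lns_challenge),
        avp(AVP_CHALLENGE_RESPONSE,
            challenge_response(SCCRP, lns_secret, req["avps"][AVP_CHALLENGE])),
    ])
    rep = parse_control(sccrp)

    # LAC verifies the LNS with its own copy of the secret before going further: this is the step
    # that stops a rogue host answering on UDP 1701 from posing as the LNS
    if not hmac.compare_digest(rep["avps"][AVP_CHALLENGE_RESPONSE],
                               challenge_response(SCCRP, lac_secret, lac_challenge)):
        return False
    lns_tid = struct.unpack("!H", rep["avps"][AVP_ASSIGNED_TUNNEL_ID])[0]

    # LAC -> LNS: SCCCN answers the LNS's challenge; the ID byte is now 3 (SCCCN), not 2
    scccn = build_control(lns_tid, 1, 1, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN)),
        avp(AVP_CHALLENGE_RESPONSE,
            challenge_response(SCCCN, lac_secret, rep["avps"][AVP_CHALLENGE])),
    ])
    conn = parse_control(scccn)
    return hmac.compare_digest(conn["avps"][AVP_CHALLENGE_RESPONSE],
                               challenge_response(SCCCN, lns_secret, lns_challenge))


if __name__ == "__main__":
    c1, c2 = bytes(range(16)), bytes(range(16, 32))  # constructed, fixed challenges
    print("matching secrets  :", simulate_tunnel_setup(b"TUNNELPASS", b"TUNNELPASS", c1, c2))
    print("mismatched secrets:", simulate_tunnel_setup(b"TUNNELPASS", b"PASSWORD", c1, c2))
```

The second run is what 'no l2tp tunnel password' gives up: with no Challenge/Challenge Response AVPs at all, neither side ever performs the comparison, so the tunnel comes up for any peer and only the PPP authentication of section 2.4 remains. The length checks in parse_control are there because the LNS listens on UDP 1701 for unsolicited datagrams; an AVP whose length field runs past the message must be rejected rather than read.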
2.4 PPP Session Settings
As mentioned in the previous section, the PPP session running on top of an L2TP tunnel takes
its settings from the Virtual-Template 1 interface. Important to the PPP session are the
settings below:
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1
mtu 1516
ip unnumbered Loopback0
peer default ip address pool lac
!
ip local pool lac 10.0.0.2 10.0.0.99
When an L2TP tunnel has been established, Cisco IOS 'copies' the settings from the
Virtual-Template interface named in the 'vpdn-group' into a so-called Virtual-Access
interface, which the Cisco router then uses to communicate with the C-router or G-router.
The first setting of note is 'mtu'. The MTU defines the maximum number of bytes that can be
sent in a single PPP-over-L2TP packet before the Cisco router is forced to use IP
fragmentation. Fragmentation should be avoided on the Cisco router, as it consumes CPU and
degrades performance. The MTU is therefore chosen as the default maximum Ethernet payload
(1500 bytes) plus the L2TP/PPP header prepended to every packet sent over the tunnel
(16 bytes), i.e. 1516. Do not change this value.
The second setting specifies the IP address to send to the C-router/G-router as the tunnel IP
address at the Cisco end of the tunnel. A loopback interface is used for this, defined with
'interface Loopback0'. Note that this IP address interacts with the setting
Configuration→Network Configuration→L2TP VPN→Route all traffic over tunnel. When that is
enabled, all traffic from the C-router/G-router is sent over the L2TP VPN to the tunnel
terminator; when disabled, the C-router/G-router only routes traffic destined for the Cisco
router, at the IP address of this interface, over the L2TP VPN.
The tunnel IP address at the C-router/G-router end is specified with the 'peer default ip
address pool' command: the Cisco router assigns an address from the pool to every new tunnel.
Here the pool is called 'lac' and ranges from 10.0.0.2 to 10.0.0.99. The C-router/G-router
accepts automatic assignment when Configuration→Network Configuration→L2TP VPN→IP Address is
set to 'Automatic'. If it is set to 'Static', the user enters an IP address, and the 'peer
default ip address pool' setting is not needed; it can be removed by entering:
Router(config)#interface Virtual-Template1
Router(config-if)#no peer default ip address
Router(config-if)#^Z
Router#
The C-router and G-router can both perform PPP authentication as part of the tunnel setup.
This requires settings to be changed both on the C-router/G-router and on the Cisco IOS
router. At present PAP, MS-CHAPv1 and MS-CHAPv2 are the only available authentication
options. PAP transmits the password in the clear inside the PPP session, and L2TP adds no
encryption of its own, so prefer one of the MS-CHAP variants where the RADIUS server supports
them. The sample configuration assumes no authentication. To perform authentication, the Cisco
router must be configured to authenticate; it is assumed that RADIUS is used for this. To
configure a RADIUS server, execute the following commands on the Cisco router:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#radius-server host 172.16.0.5 auth-port 1812 acct-port 1813 key KEY
Router(config)#aaa group server radius RAS
Router(config-sg-radius)#server 172.16.0.5 auth-port 1812 acct-port 1813
Router(config-sg-radius)#exit
Router(config)#aaa authentication ppp L2TP group RAS
Router(config)#^Z
Router#
These commands define a RADIUS server at IP address 172.16.0.5, port 1812 for authentication
and port 1813 for accounting, with the shared secret KEY; that secret hides the PAP password in
transit to the server and authenticates the server's replies. The 'aaa authentication ppp L2TP
group RAS' line creates the method list named L2TP that the Virtual-Template interface refers
to below.
Next, the Cisco router must be configured for the chosen PPP authentication method. This is
done as follows, for PAP:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication pap L2TP
Router(config-if)#^Z
Router#
For MS-CHAPv1:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication ms-chap L2TP
Router(config-if)#^Z
Router#
For MS-CHAPv2:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication ms-chap-v2 L2TP
Router(config-if)#^Z
Router#
After these changes have been made, configure the C-router or G-router by changing
Configuration→Network Configuration→L2TP VPN→Authentication Method to the chosen
authentication method.

Next, enter the username and password to use for PPP session authentication in the
Configuration→Network Configuration→L2TP VPN→User Name and Password fields.
For PAP, two more settings appear: the maximum number of authentication requests that will be
made (Maximum Allowed Authentication Requests) and the timeout in seconds between successive
authentication attempts (Retransmission Timeout).
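To show what the RADIUS key KEY does once the router's PAP credentials reach the LNS, here is an added example (written for this edit, not RFI, Cisco or RADIUS-server code) of the RFC 2865 Access-Request the LNS would send to 172.16.0.5 and the reply it gets back. The server address and key are the ones from the commands above, and the NAS-IP-Address is the FastEthernet0/0 address of the sample configuration; the user name, password and user database are constructed. The example covers the PAP case only (MS-CHAP uses vendor-specific attributes instead of User-Password) and leaves out the RFC 2869 Message-Authenticator attribute.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used for a PAP Access-Request from the LNS
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL = 6, 7
SERVICE_FRAMED, FRAMED_PPP = 2, 1


def attr(attr_type, value):
    """Type-Length-Value attribute; the length counts its own 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR block i with MD5(secret || previous block),
    seeded with the Request Authenticator. This is obfuscation keyed on the shared secret, not
    authenticated encryption: anyone who holds KEY and sees the packet can undo it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; trailing NUL padding is stripped (passwords must not end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, authenticator, username, password, nas_ip):
    """What the LNS sends to 172.16.0.5:1812 after the router's PAP Authenticate-Request arrives."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))
             + attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Header (code, id, length, 16-byte authenticator) plus attributes, with length checks."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet):
        raise ValueError("declared length exceeds datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def server_respond(secret, users, request):
    """The RADIUS server's side: recover the PAP password, decide, sign the reply with the secret."""
    _, ident, req_auth, attrs = parse_packet(request)
    name = attrs.get(ATTR_USER_NAME)
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = name in users and hmac.compare_digest(users[name], password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # no reply attrs
    # Response Authenticator = MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def client_verify_reply(secret, req_auth, reply):
    """The LNS's side: only a reply signed with the same secret over this request's authenticator
    counts; anything else is treated as forged and returns None (no PPP session is accepted)."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def demo(password, server_secret=b"KEY", nas_secret=b"KEY"):
    """One exchange for the constructed user 'site0042'; returns the verified reply code or None."""
    users = {b"site0042": b"s3cret-pw"}  # constructed RADIUS user database
    req_auth = os.urandom(16)            # fresh per request, as RFC 2865 requires
    request = build_access_request(nas_secret, 7, req_auth, b"site0042", password, "172.16.0.1")
    return client_verify_reply(nas_secret, req_auth, server_respond(server_secret, users, request))


if __name__ == "__main__":
    print("correct password:", demo(b"s3cret-pw"))                      # 2 = Access-Accept
    print("wrong password  :", demo(b"guess"))                          # 3 = Access-Reject
    print("key mismatch    :", demo(b"s3cret-pw", server_secret=b"OTHER"))  # None: reply rejected
```

The third run is the case a mistyped 'key KEY' produces: the server recovers garbage instead of the password and rejects, and its reply is signed with a different secret, so the LNS discards it rather than acting on it. Because the only protection on the LNS-to-RADIUS leg is this MD5-with-shared-secret scheme, the 172.16.0.0/24 segment between them should be treated as a trusted management network.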
2.5 Controlling L2TP Tunnel Keepalive
To prevent a VPN tunnel from being torn down and re-established periodically, several settings
allow the C-router/G-router to keep the tunnel alive. These are:
Configuration→Network Configuration→L2TP VPN→LCP Echo Request interval
Causes the PPP session to check periodically that the Cisco router is still reachable. The
value is an interval in seconds.
Configuration→Network Configuration→L2TP VPN→Maximum allowed LCP Echo failures
The number of consecutive echo failures allowed before the C-router/G-router assumes the tunnel
has failed and disconnects.
Configuration→Network Configuration→L2TP VPN→L2TP Echo request interval
Performs the same function as 'LCP Echo Request interval', but at the L2TP tunnel level instead
of the PPP session level.
Configuration→Network Configuration→L2TP VPN→Maximum allowed of L2TP Echo failures
Performs the same function as 'Maximum allowed LCP Echo failures', but at the L2TP tunnel level
instead of the PPP session level.
Configuration→Network Configuration→L2TP VPN→L2TP retry delay
The number of seconds between consecutive attempts to establish a connection to the LNS.
Configuration→Network Configuration→L2TP VPN→L2TP connection setup timeout
The number of seconds to wait for the LNS to answer a single connection attempt before that
attempt is given up.
2.6 Enabling the L2TP Tunnel
To enable the L2TP tunnel on the C-router or G-router, one setting must be changed:
Configuration→Services Configuration→'Enable L2TP VPN Client'. It starts the VPN client when
the C-router/G-router boots, so a reboot is needed after the settings above have been entered.