632 CHAPTER 43: CONFIGURING L2TP
[Router2-ipsec-proposal-l2tptrans] transform esp-new
[Router2-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des
[Router2-ipsec-proposal-l2tptrans] esp-new authentication-algorithm sha1-hmac-96
[Router2-ipsec-proposal-l2tptrans] encapsulation-mode transport
f. Create the IPSec policy, using IKE negotiation mode, and configure the IKE pre-shared key.
[Router2] ipsec policy l2tpmap 10 isakmp
[Router2-ipsec-policy-l2tpmap-10] ike pre-shared-key l2tp_ipsec remote 202.38.160.1
[Router2-ipsec-policy-l2tpmap-10] match address 101
[Router2-ipsec-policy-l2tpmap-10] set peer 202.38.160.1
[Router2-ipsec-policy-l2tpmap-10] set transform l2tptrans
g. Configure the IP address on interface Serial0 and apply the IPSec policy.
[Router2] interface serial 0
[Router2-Serial0] ip address 202.38.160.2 255.255.255.0
[Router2-Serial0] ipsec policy l2tpmap
h. Configure Virtual-Template 1.
[Router2] interface virtual-template 1
[Router2-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[Router2-Virtual-Template1] ppp authentication-mode chap
[Router2-Virtual-Template1] remote address pool 1
i. Configure an L2TP group and its related attributes.
[Router2] l2tp enable
[Router2] l2tp-group 1
[Router2-l2tp1] tunnel name lns-end
[Router2-l2tp1] allow l2tp virtual-template 1 remote lac-end
[Router2-l2tp1] undo tunnel authentication
Troubleshooting L2TP
Before debugging the VPN, confirm that the LAC and the LNS are on the same public network. Connectivity between them can be tested with the ping command.
Fault 1: The users fail to log in.
Troubleshooting:
1. The tunnel fails to be established. Possible reasons:
- On the LAC side, the LNS address is configured incorrectly.
- The LNS (usually a router) has no L2TP group configured to accept the tunnel peer. For details, refer to the description of the allow l2tp command.
- Tunnel authentication fails. If tunnel authentication is configured, make sure that the tunnel passwords on both sides are identical.
- The local end forcibly disconnected the connection and, because of network transmission errors, the peer did not receive the corresponding "disconnect" message. A new tunnel connection originated immediately afterwards will not be established, because the peer only detects that the link is down after a certain interval, and a second tunnel between the same two IP addresses is not allowed while the stale one still exists.
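As an added example (not from the manual and not the vendor's tooling), a small Python checker that applies the first three tunnel-establishment reasons above to a LAC/LNS configuration pair, so a mismatch can be spotted before debugging on the routers. The LNS snippet follows the example configuration above; the LAC snippet, including its start l2tp ip and tunnel password commands, is assumed syntax constructed for the example.

```python
import re

# Constructed sample configs in the manual's CLI style (not from the page). The LNS
# side mirrors the example above; the LAC side is assumed VRP-style syntax.
LNS_CONFIG = """
interface serial 0
 ip address 202.38.160.2 255.255.255.0
l2tp-group 1
 tunnel name lns-end
 allow l2tp virtual-template 1 remote lac-end
 undo tunnel authentication
"""
LAC_CONFIG = """
l2tp-group 1
 tunnel name lac-end
 start l2tp ip 202.38.160.2 fullusername vpdnuser
 tunnel authentication
 tunnel password simple secret123
"""
PATTERNS = {  # single-valued commands the tunnel-establishment checklist depends on
    "tunnel_name": r"tunnel name (\S+)",
    "allow_remote": r"allow l2tp virtual-template \d+ remote (\S+)",
    "peer_ip": r"start l2tp ip (\S+)",
    "password": r"tunnel password \S+ (\S+)",
}

def parse_l2tp(config):
    facts = {"auth": False, "local_ips": []}
    for line in (raw.strip() for raw in config.splitlines()):
        if line.endswith("tunnel authentication"):  # enabled unless it is "undo ..."
            facts["auth"] = not line.startswith("undo")
        elif m := re.match(r"ip address (\S+)", line):  # any interface address
            facts["local_ips"].append(m.group(1))
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                facts[key] = m.group(1)
    return facts

def check_tunnel(lac, lns):  # mismatches that keep the tunnel from coming up
    problems = []
    if lac.get("peer_ip") not in lns["local_ips"]:  # LNS address wrong on the LAC
        problems.append(f"LAC targets {lac.get('peer_ip')}, not an LNS address")
    if lns.get("allow_remote") != lac.get("tunnel_name"):  # allow l2tp ... remote
        problems.append(f"LNS accepts '{lns.get('allow_remote')}', LAC is '{lac.get('tunnel_name')}'")
    if lac["auth"] != lns["auth"]:  # tunnel authentication on one side only
        problems.append("tunnel authentication enabled on one side only")
    elif lac["auth"] and lac.get("password") != lns.get("password"):
        problems.append("tunnel passwords differ")
    return problems
```

With the sample pair as written, the only finding is the one-sided tunnel authentication; changing the LAC line to undo tunnel authentication (or enabling it with the same password on the LNS) clears it.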
2. PPP negotiation fails. Possible reasons: