Setting Up Virtual Private Networks
MAX 6000/3000 Network Configuration Guide 11-31
Configuring L2TP tunnels for dial-in clients
L2TP enables you to dial into a local ISP and connect to a private corporate network across the
Internet. You dial into a local MAX, configured as an L2TP Access Concentrator (LAC), and
establish a PPP connection. Attributes in your RADIUS user profile specify that the MAX,
acting as an LAC, establishes an L2TP tunnel. The LAC contacts the L2TP Network Server
(LNS) that connects to the private network. The LAC and the LNS establish an L2TP tunnel
(via UDP), and any traffic your client sends is tunneled to the private network. Once the MAX
units establish the tunnel, the client connection has a PPP connection with the LNS and
appears to be directly connected to the private network.
You can configure the MAX to act as either an LAC, an LNS, or both. The LAC performs the
following functions:
• Establishes PPP connections with dial-in clients.
• Sends requests to LNS units, requesting creation of tunnels.
• Encapsulates and forwards all traffic from clients to the LNS via the tunnel.
• De-encapsulates traffic received from an established tunnel, and forwards it to the client.
• Sends tunnel-disconnect requests to LNS units when clients disconnect.
The LNS performs the following functions:
• Responds to requests by LAC units for creation of tunnels.
• Encapsulates and forwards all traffic from the private network to clients via the tunnel.
• De-encapsulates traffic received from an established tunnel, and forwards it to the private
network.
• Disconnects tunnels on the basis of requests from the LAC.
• Disconnects tunnels when the value you set for a user profile's MAX-Connect-Time
attribute expires. You can also manually disconnect tunnels from the LNS by using SNMP,
the terminal-server Kill command, or the DO Hangup command (which you access by
pressing Ctrl-D).
Note: With the current software version, a MAX acting as an LNS cannot send Incoming Call
Requests to an LAC. Only an LAC can make requests for the creation of L2TP tunnels.
Note: By supporting hidden attributes, the MAX is in conformance with MAX Draft 16 of
the L2TP RFC. The MAX 6000 and MAX 3000 units parse and decrypt hidden attributes as
well as the random vector AVP. The SCCRQ command does not support a suppressed tunnel
ID AVP. The units do not suppress any attributes except under the control of a debug flag.
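The note above names the SCCRQ, hidden attributes and the random vector AVP; the RFC 2661 wire format behind them is shown in the following Python, an added example that is not part of this guide or of the MAX software. It builds a constructed SCCRQ as an LAC would send it and parses it the way a receiving LNS must, rejecting an AVP length that runs past the message, a hidden AVP with no preceding Random Vector AVP, and a Message Type AVP that is not first; the host name and assigned tunnel ID are made-up sample values.

```python
import struct

# RFC 2661 control-header flag bits, AVP flag bits, the 10-bit AVP length mask,
# the attribute types an SCCRQ carries, the Random Vector AVP and the SCCRQ type value.
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
M_BIT, H_BIT, AVP_LEN_MASK = 0x8000, 0x4000, 0x03FF
MESSAGE_TYPE, PROTOCOL_VERSION, FRAMING_CAP, HOST_NAME = 0, 2, 3, 7
ASSIGNED_TUNNEL_ID, RANDOM_VECTOR, SCCRQ = 9, 36, 1

def avp(attr_type, value, mandatory=True, hidden=False):
    """Build one vendor-0 AVP; the length field covers the 6-byte AVP header too."""
    flags = (M_BIT if mandatory else 0) | (H_BIT if hidden else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value

def control_message(tunnel_id, session_id, ns, nr, avps):
    """Prepend the control header: T, L and S set, O clear, version 2, Ns/Nr present."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body

def parse_control_message(pkt):
    """Return (tunnel_id, session_id, ns, nr, [(attr_type, value, mandatory, hidden)]);
    malformed input raises ValueError (struct.error if a field itself is truncated)."""
    flags, length, tid, sid, ns, nr = struct.unpack_from("!HHHHHH", pkt, 0)
    if (flags & 0x000F != 2 or flags & (T_BIT | L_BIT | S_BIT | O_BIT) != T_BIT | L_BIT | S_BIT
            or length < 12 or length > len(pkt)):
        raise ValueError("not a well-formed L2TPv2 control header")
    avps, off, seen_random_vector = [], 12, False
    while off < length:
        aflags, vendor, attr_type = struct.unpack_from("!HHH", pkt, off)
        alen = aflags & AVP_LEN_MASK
        if alen < 6 or off + alen > length:   # never trust the peer's length field
            raise ValueError("AVP length out of bounds at offset %d" % off)
        hidden = bool(aflags & H_BIT)
        if off == 12 and (attr_type != MESSAGE_TYPE or vendor != 0 or hidden):
            raise ValueError("Message Type must be the first AVP and must not be hidden")
        if hidden and not seen_random_vector:   # nothing to unhide it with yet
            raise ValueError("hidden AVP without a preceding Random Vector AVP")
        seen_random_vector |= (vendor == 0 and attr_type == RANDOM_VECTOR)
        avps.append((attr_type, pkt[off + 6:off + alen], bool(aflags & M_BIT), hidden))
        off += alen
    return tid, sid, ns, nr, avps

# Constructed SCCRQ as an LAC sends it (header tunnel ID 0: no tunnel exists yet).
SAMPLE_SCCRQ = control_message(0, 0, 0, 0, [
    avp(MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
    avp(PROTOCOL_VERSION, b"\x01\x00"),            # version 1, revision 0
    avp(HOST_NAME, b"lac.example.test"),           # made-up LAC host name
    avp(FRAMING_CAP, struct.pack("!I", 0x3)),      # async and sync framing
    avp(ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1A2B)),  # made-up tunnel ID
])
```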

Elements of L2TP tunneling

This section describes how L2TP tunnels work between an LAC and an LNS. A client dials
into an LAC, from either a modem or ISDN device, and the LAC establishes a cross-Internet
IP connection to the LNS. The LAC then requests an L2TP tunnel via the IP connection.
The LNS is the terminating part of the tunnel, where most of the L2TP processing occurs. It
communicates with the private network (the destination network for the dial-in clients) through
a direct connection.