
L2TP Overview


Article ID: KB4211 KB Last Updated: 28 Jun 2010Version: 4.0
Summary:
L2TP Overview
Solution:

Note: This article applies to ScreenOS 4.0 and higher.

Layer 2 Tunneling Protocol (L2TP) provides a way for a dial-up user to make a virtual Point-to-Point Protocol (PPP) connection to an L2TP Network Server (LNS). Your NetScreen device can function as an LNS. L2TP carries PPP frames through a tunnel between an L2TP Access Concentrator (LAC) and the LNS. Originally, L2TP was designed so that a LAC residing at an ISP site tunneled to an LNS at either another ISP or a corporate site. The L2TP tunnel did not extend all the way to the dial-up user's computer, but only to the LAC at the dial-up user's local ISP. (This is sometimes referred to as a compulsory L2TP configuration.)

Image of example one

With the NetScreen-Remote client installed on Windows 2000 or Windows NT, or a Windows 2000 client by itself, acting as the LAC, the L2TP tunnel can extend directly to the dial-up user's computer, providing end-to-end tunneling. (This approach is sometimes referred to as a voluntary L2TP configuration.)

Image of example two

Because the PPP link extends from the dial-up user across the Internet to the NetScreen device (LNS), it is the NetScreen device, not the ISP, that assigns the client its IP address and its DNS and WINS server addresses, and that authenticates the user, either against the local database or against an external authentication server (RADIUS, SecurID, or LDAP). The dial-up user therefore holds two IP addresses: a physical one for its connection to the ISP, and a logical one from the LNS. When the dial-up user first connects to the ISP, perhaps over PPP, the ISP makes the IP and DNS assignments and authenticates the user. This gives the user a routable Internet address, which becomes the outer IP address of the L2TP tunnel.

Image of example three

Then, when the L2TP tunnel forwards the encapsulated PPP frames to the NetScreen device, the NetScreen device assigns the user an IP address, and DNS and WINS settings. The IP address can be a private, non-routable address, which becomes the inner IP address of the L2TP tunnel.
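The outer/inner addressing described above, as an added worked example in Python (this is not part of the original article and not ScreenOS code): it builds an IPv4/UDP datagram from the ISP-assigned client address to the LNS that carries an L2TPv2 (RFC 2661) data message whose PPP payload is an IPv4 packet from the LNS-assigned private address to a protected host, then unpacks the whole stack the way an LNS would. Every address, tunnel ID and session ID is a constructed sample value. The parser validates the IPv4, UDP and L2TP length fields instead of trusting them, and the inner addresses come out readable, which is the point to remember: plain L2TP encapsulates, it does not encrypt.

```python
"""Build and decapsulate an L2TPv2 (RFC 2661) data message that carries a
PPP-framed IPv4 packet: outer IPv4/UDP between the ISP-assigned client address
and the LNS, inner IPv4 between the LNS-assigned address and a protected host.
Added example, not ScreenOS code; all addresses and IDs are constructed."""
import ipaddress
import struct

L2TP_UDP_PORT = 1701
L2TP_FLAG_T = 0x8000   # set on control messages, clear on data messages
L2TP_FLAG_L = 0x4000   # Length field present
L2TP_FLAG_S = 0x0800   # Ns/Nr sequence fields present
L2TP_FLAG_O = 0x0200   # Offset Size field present
L2TP_VERSION = 2
PPP_PROTO_IPV4 = 0x0021
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # csum 0 = none


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Data message: T=0, L=1, Ver=2, no sequence numbers, PPP frame follows."""
    flags = L2TP_FLAG_L | L2TP_VERSION
    return struct.pack("!HHHH", flags, 8 + len(ppp_frame), tunnel_id, session_id) + ppp_frame


def build_ppp_ipv4(ip_packet: bytes) -> bytes:
    """PPP frame as tunnelled: HDLC address/control 0xFF03, protocol 0x0021, datagram."""
    return b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + ip_packet


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); trusts neither IHL nor Total Length blindly."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total = (pkt[0] & 0x0F) * 4, _u16(pkt, 2)
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 length fields")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src, dst = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]


def parse_l2tp(data: bytes) -> dict:
    """Walk the variable-length L2TPv2 header, validating version and length."""
    flags = _u16(data, 0)
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not L2TPv2")
    pos = 2
    if flags & L2TP_FLAG_L:
        length = _u16(data, pos)
        pos += 2
        if length > len(data):            # the on-the-wire length is attacker-controlled
            raise ValueError("L2TP length exceeds datagram")
        data = data[:length]
    tunnel_id, session_id = _u16(data, pos), _u16(data, pos + 2)
    pos += 4
    if flags & L2TP_FLAG_S:
        pos += 4                          # Ns, Nr
    if flags & L2TP_FLAG_O:
        pos += 2 + _u16(data, pos)        # Offset Size, then that many pad bytes
    if pos > len(data):
        raise ValueError("L2TP header overruns datagram")
    return {"control": bool(flags & L2TP_FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "payload": data[pos:]}


def decapsulate(outer_packet: bytes) -> dict:
    """Outer IPv4 -> UDP/1701 -> L2TP -> PPP -> inner IPv4; both address pairs returned."""
    osrc, odst, proto, udp = parse_ipv4(outer_packet)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    dport, ulen = _u16(udp, 2), _u16(udp, 4)
    if dport != L2TP_UDP_PORT or ulen < 8 or ulen > len(udp):
        raise ValueError("not a well-formed L2TP/UDP datagram")
    l2tp = parse_l2tp(udp[8:ulen])
    if l2tp["control"]:
        raise ValueError("control message carries AVPs, not a PPP frame")
    ppp = l2tp["payload"]
    if ppp[:2] == b"\xff\x03":            # address/control may be compressed away
        ppp = ppp[2:]
    if _u16(ppp, 0) != PPP_PROTO_IPV4:
        raise ValueError("PPP protocol is not IPv4")
    isrc, idst, _, _ = parse_ipv4(ppp[2:])   # readable: plain L2TP encrypts nothing
    return {"outer_src": osrc, "outer_dst": odst, "tunnel_id": l2tp["tunnel_id"],
            "session_id": l2tp["session_id"], "inner_src": isrc, "inner_dst": idst}


# Constructed sample: ISP gave the client 203.0.113.10; the LNS (198.51.100.1) gave it 10.1.1.50.
INNER = build_ipv4("10.1.1.50", "10.1.1.1", 1, b"\x08\x00\x00\x00\x00\x00\x00\x00")
SAMPLE = build_ipv4("203.0.113.10", "198.51.100.1", IPPROTO_UDP,
                    build_udp(1701, L2TP_UDP_PORT,
                              build_l2tp_data(0x1A2B, 0x0001, build_ppp_ipv4(INNER))))

if __name__ == "__main__":
    print(decapsulate(SAMPLE))
```

Running the block prints both address pairs for the sample. The L2TP Length check is the one to keep in mind when reading real LNS code: a data message may omit the Length field entirely, and when present it must be bounded by the UDP datagram, not the other way round.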

Image of example four

The current version of ScreenOS provides the following L2TP support:

  • L2TP tunnels originating from a host running Windows 2000.
  • A combination of L2TP and IPSec in transport mode (L2TP-over-IPSec). L2TP by itself provides no encryption or integrity protection; in this combination the IPSec transport-mode SA protects the UDP/L2TP traffic between the client and the NetScreen device.

For NetScreen-Remote:

  • L2TP-over-IPSec with Main mode negotiations using certificates.
  • Aggressive mode using either a pre-shared key or certificates.

For Windows 2000:

  • L2TP-over-IPSec with Main mode negotiations using certificates.
  • User authentication using either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP), against either the local database or an external authentication server (RADIUS, SecurID, or LDAP).
  • The assignment of dial-up users' IP address, Domain Name System (DNS) servers, and Windows Internet Naming Service (WINS) servers from either the local database or a RADIUS server.
  • L2TP tunnels and L2TP-over-IPSec tunnels for the root system and virtual systems.
Note: The local database and RADIUS servers support both PAP and CHAP. SecurID and LDAP servers support PAP only. (CHAP requires the verifier to hold the user's cleartext secret so it can recompute the MD5 response; an LDAP bind or a SecurID token check can only test a password presented to it, which is what PAP delivers.)
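The two PPP authentication methods named above, as an added worked example in Python (not part of the original article and not ScreenOS code): PAP (RFC 1334) Authenticate-Request/Ack/Nak and CHAP (RFC 1994) Challenge/Response/Success/Failure, with the client and the LNS sides of each exchange. The user database, the secret and the fixed challenge used for the deterministic run are all constructed. The example shows what the note above is about: PAP puts the password itself into the PPP frame, so over plain L2TP (no IPSec) it is readable in transit, while CHAP never sends it, at the cost that the verifier must keep the cleartext secret.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) as carried in the PPP frames inside an
L2TP tunnel.  Added example, not ScreenOS code: the user database, secret and
challenge bytes are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PAP_REQ, PAP_ACK, PAP_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Constructed "local database".  CHAP verification needs the cleartext secret;
# a server that can only answer "is this password right?" (LDAP bind, SecurID)
# can therefore serve PAP but not CHAP.
USER_DB = {b"alice": b"correct horse"}


def _header(code: int, ident: int, body: bytes) -> bytes:
    """Common PAP/CHAP header: Code, Identifier, Length (covers header + body)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _parse(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("length field does not match packet")
    return code, ident, packet[4:length]


# ---- PAP: Authenticate-Request carries Peer-ID and Password as-is ----------
def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _header(PAP_REQ, ident, body)


def pap_verify(packet: bytes) -> bytes:
    """LNS side: compare the cleartext password; reply Authenticate-Ack or -Nak."""
    code, ident, body = _parse(packet)
    if code != PAP_REQ:
        raise ValueError("not a PAP Authenticate-Request")
    n = body[0]
    peer_id, rest = body[1:1 + n], body[1 + n:]
    password = rest[1:1 + rest[0]]
    secret = USER_DB.get(peer_id)
    ok = secret is not None and hmac.compare_digest(secret, password)
    return _header(PAP_ACK if ok else PAP_NAK, ident, b"\x00")  # Msg-Length 0, no Message


# ---- CHAP: challenge/response, the secret never leaves the client -----------
def chap_challenge(ident: int, name: bytes, challenge: Optional[bytes] = None):
    """LNS side: issue a random challenge (a fixed one may be passed for a reproducible run)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    return _header(CHAP_CHALLENGE, ident, bytes([len(challenge)]) + challenge + name), challenge


def chap_response(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: Value = MD5(Identifier || secret || challenge)."""
    code, ident, body = _parse(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    challenge = body[1:1 + body[0]]
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return _header(CHAP_RESPONSE, ident, bytes([len(digest)]) + digest + name)


def chap_verify(response_packet: bytes, challenge: bytes) -> bytes:
    """LNS side: recompute the digest from the stored cleartext secret."""
    code, ident, body = _parse(response_packet)
    if code != CHAP_RESPONSE:
        raise ValueError("not a CHAP Response")
    value, name = body[1:1 + body[0]], body[1 + body[0]:]
    secret = USER_DB.get(name)
    ok = False
    if secret is not None:
        expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        ok = hmac.compare_digest(expected, value)
    return _header(CHAP_SUCCESS if ok else CHAP_FAILURE, ident, b"")


def run_pap(peer_id: bytes, password: bytes) -> Tuple[int, bool]:
    """Returns (reply code, whether the password bytes appear on the wire)."""
    req = pap_request(7, peer_id, password)
    return pap_verify(req)[0], password in req


def run_chap(name: bytes, secret: bytes, challenge: bytes = b"\x01" * 16) -> Tuple[int, bool]:
    """Returns (reply code, whether the secret bytes appear on the wire)."""
    chal_pkt, chal = chap_challenge(9, b"lns", challenge)
    resp = chap_response(chal_pkt, name, secret)
    return chap_verify(resp, chal)[0], secret in (chal_pkt + resp)


if __name__ == "__main__":
    print("PAP :", run_pap(b"alice", b"correct horse"))    # password visible on the wire
    print("CHAP:", run_chap(b"alice", b"correct horse"))   # only a digest on the wire
```

A response computed for one challenge does not verify against another, which is why the LNS must generate a fresh random challenge per attempt rather than reuse one.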

Note: To use L2TP, the NetScreen device must be operating at Layer 3, with security zone interfaces in NAT or Route mode. When the NetScreen device is operating at Layer 2, with security zone interfaces in Transparent mode, no L2TP-related material appears in the WebUI, and L2TP-related CLI commands elicit error messages.
