Unit 6 Implementing VPNs On The ERX V3

Virtual private networks (VPNs) allow private networks to be connected over public networks. The document discusses implementing VPNs on the ERX device. It describes two approaches to building VPNs using the ERX: using virtual routers to separate networks or using the Layer 2 Tunneling Protocol (L2TP) to terminate PPP sessions on different devices across a network. L2TP allows the physical connection and PPP session endpoints to be separated between a L2TP Access Concentrator and L2TP Network Server.


Unit 6

Implementing
Virtual Private Networks
on the ERX

Implementing VPNs on the ERX Rev. 3.2 Page: 6-1


Implementing VPNs Unit Objectives

• Define the term Virtual Private Network
• List and describe two different approaches to building VPNs with the ERX
• Describe the basic life of a packet in an L2TP environment
• Define the configurable L2TP tunnel attributes



What is a Virtual Private Network?
Diagram: Company A, Company B and Company C sites connected through two ERX routers across the Internet.

• A private network consisting of 2 or more sites connected via a public network
• Large Corporate Network Outsourcing - Company A
• Small Corporate Network Outsourcing - Company B
• Traditional Remote Access ‘Backhaul’ - Company C

Unisphere Networks defines a Virtual Private Network (VPN) as a private network consisting of two or more sites connected via a public network. Applications for VPNs vary widely in their network requirements and require a network device, such as the ERX, that is flexible enough to serve very different VPN environments. Some examples of possible VPN applications include:
• Large corporate network outsourcing - A VPN could be created to connect large or global corporations with thousands of branch offices. VPNs of this scale are likely to have thousands of routes and require redundant links and fast convergence times to prevent network downtime.
• Small corporate network outsourcing - A VPN could be created to connect as few as two sites. VPNs of this scale are likely to have few routes. These VPNs must be designed to meet the customer’s needs with minimal resource usage.
• Traditional remote access ‘backhaul’ - Some VPNs will be implemented by remote sites tunneling back to a central site.



Current VPN Architectures
Diagram: PC-based, CPE-based and network-based VPN origination over dial, xDSL, T1/E1, nxT1/E1 and T3/E3 access to the Internet.

• Customer Site Originated VPNs
- Software-based, PC originated
- Hardware-based, CPE originated
• Service Provider Originated VPNs

Two prominent VPN architectures have emerged:
• Customer site originated VPNs - With this approach, the VPN is originated at the customer’s location. The remote user’s PC or CPE router contains software, such as IPsec or L2TP, or hardware that initiates and terminates the VPN tunnel. With a customer site originated VPN, the service provider delivers only the transport. The access control, configuration and maintenance are typically controlled at the customer site.
• Service Provider Originated VPNs - With this approach, the VPN is originated at the service provider’s network or local point of presence (POP). The service provider delivers the entire outsourced VPN service. The VPN service is controlled and maintained by the service provider. There are several approaches a service provider can use to implement VPNs using the ERX.
Unisphere Networks philosophically believes that VPNs should begin as close as possible to the end user.



Building VPNs using Virtual Routers
Diagram: Company A, Company B and Company C sites each mapped to their own virtual router on two ERX routers connected across the Internet; an xDSL user logging in as [email protected] is placed in Company C’s virtual router.

• Dedicated connections configured in specific virtual routers
• xDSL users
- Domain Map
- RADIUS Vendor Specific Attribute (VSA)
- Profile
- PPP session terminated on the ERX
• Use separate virtual circuits to connect Virtual Routers

With the ERX, a VPN can be built using Virtual Routers.
Dedicated connections (T1/E1, FT1/FE1) can be configured and assigned to specific virtual routers.
Remote access users (xDSL) can be assigned to a specific virtual router based on an entry in the Domain Map, a RADIUS Vendor Specific Attribute (Virtual Router) or an IP Profile (Virtual Router Name). In this environment, the PPP session is terminated on the access ERX.
Virtual routers can be connected using separate, secure virtual circuits. All IP information is kept completely separate among virtual routers within the same ERX.



Building VPNs using Layer 2 Tunnel Protocol (L2TP)
Diagram: an ERX LAC at the ISP POP with L2TP tunnels across the Internet to an ERX LNS (Company A) and to another LNS (Company C); RADIUS servers sit at the LAC and at each LNS.

• Client/server protocol that allows PPP to be tunneled across a network
• LAC - L2TP Access Concentrator
- Located at the ISP’s Point of Presence
- Initiates L2TP Tunnel and Session
• LNS - L2TP Network Server
- Located at the ISP Point of Presence OR at the customer’s location
- Terminates Tunnel
- Terminates the PPP Session

With a traditional remote access connection, a user establishes a connection to a Network Access Server, such as the ERX, using xDSL and runs PPP over this connection. In this environment, the physical connection and the PPP session are terminated on the same device, the ERX.
Layer 2 Tunnel Protocol (L2TP) extends the traditional PPP model by allowing the physical termination point and the PPP termination point to be on different devices. L2TP is a client/server protocol that allows PPP to be tunneled across a network. The protocol specifies an encapsulation mechanism which can be used to provide VPN services to a remote client. In this example, the remote client is running IP over PPP.
In L2TP, a tunnel is created between an L2TP Access Concentrator (LAC), an access or concentrator device (ERX) located within the provider’s network, and an L2TP Network Server (LNS), a router or similar edge device located within the provider’s network or in the customer’s network. Within this tunnel, individual client sessions are multiplexed. Multiple tunnels can exist between the LAC and the LNS. L2TP is described and defined in RFC 2661.
The LAC acts as one side of the L2TP tunnel and is a peer to the LNS. The LAC sits between the LNS and a remote system and forwards packets to and from each. The LNS acts as the other side of the L2TP tunnel and is a peer to the LAC. The LNS is the logical termination point of the PPP session.
L2TP can be used to address some of the challenges of providing corporate network access to remote users. Instead of dialing into a RAS located on the customer premises, the remote user dials into an ISP’s local POP. The ISP then provides connectivity across the Internet to the customer premises using L2TP. To the end user, the tunnel setup is transparent; what they see is the same as if they had dialed into a remote access server connected directly to the enterprise network. User data is encapsulated in L2TP headers and routed across the Internet using standard IP routing.
The ERX can operate as a LAC and as an LNS using the Tunnel Service Line Module. The Tunnel Service card is a separate line module that terminates L2TP LNS sessions and manages GRE tunnels. No separate I/O is required. The Tunnel Service card requires release 3.0 or later.



L2TP Life of a Packet: Session Initiation
Diagram: [email protected] connects to the LAC, whose Domain Map entry for CompanyC.com gives LNS address 192.168.1.1, password mypass and tunnel ID CompanyC; the LNS and a RADIUS server sit at Company C.

• User initiates PPP connection to LAC
• LAC performs initial authentication and determines:
- Terminate PPP session locally
OR
- Tunnel PPP session to an LNS
• Tunnel Attributes obtained:
- Domain Map
- RADIUS

The user initiates a PPP connection to the LAC. In this example, [email protected] is initiating a PPP session to the LAC, which is an ERX. The ERX performs the initial authentication and determines whether to terminate this PPP session or tunnel this PPP session using L2TP. If the session is going to be tunneled, the ERX needs to determine several L2TP tunnel attributes, such as the IP address of the LNS and the tunnel password, in order to initiate and build the L2TP tunnel and session.
The ERX parses the user’s login for the realm or domain name. In this example, the domain name is CompanyC.com. The ERX looks for an entry for CompanyC.com in the configured Domain Map. As of release 1.3.0, the Domain Map can include L2TP tunnel attributes, as is the case here. If the Domain Map includes L2TP tunnel attributes, the ERX knows that all PPP sessions for this domain, CompanyC.com, must be tunneled via L2TP.
If the Domain Map contains an entry for the domain in question but does not contain L2TP tunnel attributes, the ERX will send the authentication request to the appropriate virtual router’s RADIUS server.
If the Domain Map does not contain an entry for the domain, the ERX will send the authentication request to the RADIUS server configured in the default virtual router.
The RADIUS server can also be configured to return L2TP tunnel attributes for a particular realm or domain name.
Note: The ERX currently operates as an L2TP LAC in PPP pass-through mode only. The ERX performs Proxy LCP and Proxy Authentication and passes the results on to the LNS. The ERX can act as an LNS using the Tunnel Service line module.



L2TP Tunnel Establishment – Control Connection
Diagram: Control Connection setup over the L2TP tunnel between the LAC and the LNS (192.168.1.1, password mypass), triggered by [email protected]:
LAC -> LNS: Start Control Connection Request (SCCRQ)
LNS -> LAC: Start Control Connection Reply (SCCRP)
LAC -> LNS: Start Control Connection Connected (SCCCN)
LNS -> LAC: Zero-Length Body (ZLB ACK)
LAC <-> LNS: Hello

When the first session is initiated ([email protected]) the tunnel is established between the LAC and the LNS by creating the Control Connection. This Control Connection is used to identify the peer and the peer’s version number, assign tunnel IDs, etc. The terms Control Connection and Tunnel are often used interchangeably.
To establish the tunnel the LAC sends a Start Control Connection Request (SCCRQ) to the LNS. The SCCRQ will contain the L2TP version, host name, and assigned Tunnel ID. If a tunnel password is configured, a CHAP Challenge AVP (Attribute Value Pair) is also included.
The normal response by the LNS is to send a Start Control Connection Reply (SCCRP). This message contains the L2TP version of the LNS, host name, and assigned Tunnel ID on the LNS. The Tunnel IDs are locally significant and are exchanged by the LAC and LNS so that all communications over the Control Connection, as well as the data sessions, can be mapped to each other. If a tunnel password is configured, a CHAP Response AVP (Attribute Value Pair) is also included.
Everything being normal, the LAC responds with a Start Control Connection Connected (SCCCN) message to the LNS as a positive acknowledgement and the LNS responds with a Zero-Length Body message acknowledgement back to the LAC. At this point the Control Connection and Tunnel are established.
To maintain the Tunnel and Control Connection the LAC and LNS send Hello messages to each other.
If problems exist during the Control Connection setup sequence, either party can send a Stop Control Connection Notification (StopCCN) message.
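The SCCRQ/SCCRP exchange and the tunnel-password check described above, as an added Python example (not code from this course or from the ERX): it encodes and parses the L2TPv2 control header and AVPs of RFC 2661, computes the CHAP-like MD5 challenge response for the tunnel password mypass, and verifies it on the LAC side. The challenge bytes, the LNS host name and the LNS tunnel ID 7 are constructed values; AVP hiding is rejected rather than implemented.

```python
import hashlib
import hmac
import struct

# RFC 2661 control message types (section 6) and AVP attribute types (section 4.4.3).
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 9, 11, 13

def build_avp(attr_type, value, mandatory=True):
    """One AVP: M bit + 10-bit length (header included), vendor ID 0 (IETF), type, value."""
    flags = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value

def build_control_message(tunnel_id, ns, nr, avps):
    """Control header with T, L and S bits set, version 2; session ID is 0 for tunnel messages."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body

def parse_control_message(data):
    """Decode the header and AVPs into a dict; rejects bad lengths and hidden (H bit) AVPs."""
    flags_ver, length, tunnel_id, _session, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if not flags_ver & 0x8000 or flags_ver & 0x000F != 2 or length != len(data):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, offset = {}, 12
    while offset < length:
        avp_flags, vendor, attr_type = struct.unpack("!HHH", data[offset:offset + 6])
        avp_len = avp_flags & 0x03FF
        if avp_len < 6 or offset + avp_len > length or avp_flags & 0x4000:
            raise ValueError("malformed or hidden AVP (unhiding needs the tunnel password)")
        avps[(vendor, attr_type)] = data[offset + 6:offset + avp_len]
        offset += avp_len
    return {"tunnel_id": tunnel_id, "ns": ns, "nr": nr, "avps": avps}

def challenge_response(message_type, secret, challenge):
    """RFC 2661 5.1.3: CHAP-style MD5 over (message type as one octet || secret || challenge)."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()

def build_sccrq(host_name, assigned_tunnel_id, challenge):
    """LAC -> LNS. The header tunnel ID is 0 because the LNS has not assigned its ID yet."""
    avps = [build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
            build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
            build_avp(AVP_HOST_NAME, host_name.encode()),
            build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
            build_avp(AVP_CHALLENGE, challenge)]
    return build_control_message(0, 0, 0, avps)

def build_sccrp(sccrq, host_name, assigned_tunnel_id, secret):
    """LNS -> LAC. Addressed to the LAC's Assigned Tunnel ID; answers the LAC's challenge."""
    req = parse_control_message(sccrq)["avps"]
    peer_tunnel_id = struct.unpack("!H", req[(0, AVP_ASSIGNED_TUNNEL_ID)])[0]
    avps = [build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
            build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
            build_avp(AVP_HOST_NAME, host_name.encode()),
            build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
            build_avp(AVP_CHALLENGE_RESPONSE,
                      challenge_response(SCCRP, secret, req[(0, AVP_CHALLENGE)]))]
    return build_control_message(peer_tunnel_id, 0, 1, avps)  # Nr=1 acknowledges the SCCRQ (Ns=0)

def verify_sccrp(sccrp, secret, challenge_sent):
    """LAC side: accept the SCCRP only if its response matches the configured tunnel password."""
    avps = parse_control_message(sccrp)["avps"]
    if avps.get((0, AVP_MESSAGE_TYPE)) != struct.pack("!H", SCCRP):
        return False
    expected = challenge_response(SCCRP, secret, challenge_sent)
    return hmac.compare_digest(avps.get((0, AVP_CHALLENGE_RESPONSE), b""), expected)

if __name__ == "__main__":
    challenge = bytes(range(16))                 # constructed challenge value
    sccrq = build_sccrq("ERX4", 2, challenge)    # LAC ERX4, local tunnel 2, as on the slide
    sccrp = build_sccrp(sccrq, "lns.companyc", 7, b"mypass")   # LNS name and tunnel ID 7 constructed
    print("SCCRP accepted:", verify_sccrp(sccrp, b"mypass", challenge))
```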



L2TP Session Establishment
Diagram: session setup for [email protected] over the established Control Connection to the LNS (192.168.1.1, password mypass):
LAC -> LNS: Incoming Call Request (ICRQ)
LNS -> LAC: Incoming Call Reply (ICRP)
LAC -> LNS: Incoming Call Connected (ICCN)
LNS -> LAC: Zero-Length Body ACK (ZLB)

Once the tunnel or Control Connection is established, the data session for the remote user is created next. This is done by the LAC sending an Incoming Call Request (ICRQ) message to the LNS. The ICRQ message contains the assigned session ID and call serial number for the proposed session.
The LNS then responds with an Incoming Call Reply (ICRP) containing its assigned session ID, indicating success of the ICRQ sent.
The LAC then responds with an Incoming Call Connected (ICCN) message to indicate acceptance of the ICRP message sent by the LNS. Additionally, ICCN messages are used to convey authentication information if proxy authentication is being implemented. For example, this message could contain the CHAP Challenge, Response, and Success information.
When a session is terminated, a Call Disconnect Notify (CDN) message is sent by the LAC. This message type can also be used by either the LAC or the LNS to terminate a session.



L2TP Life of a Packet - Open L2TP Tunnel
Diagram: the LAC (hostname ERX4) opens an L2TP tunnel to the LNS at 192.168.1.1 (password mypass) using the Domain Map entry for CompanyC.com.

• Open tunnel with LNS using L2TP Tunnel Attributes
- Tunnel Tag 1
- LNS IP address 192.168.1.1
- Tunnel Password mypass
- Tunnel ID CompanyC
- Hostname ERX4
- Tunnel Medium IPV4
- Tunnel Type L2TP

Once the ERX knows that a PPP session should be tunneled, it will open an L2TP tunnel and control connection with the LNS. It uses the following L2TP configuration parameters and L2TP tunnel attributes to establish the tunnel and control connection:
• Tunnel Tag: The tunnel tag is a mechanism to uniquely identify a set of tunnel attributes. In 1.3.x, a domain name could only have one set of tunnel attributes. With 2.0.x, the ERX now allows 31, allowing for such things as rolling over to alternate servers.
• LNS IP address: In this example, the IP address of the LNS is 192.168.1.1. This attribute is also referred to as the Tunnel Server Endpoint or Tunnel Endpoint.
• Tunnel Password: This password is a shared secret used for optional tunnel authentication and Attribute Value Pair (AVP) hiding. AVPs are used to encode operational parameters, such as tunnel ID, over the L2TP control channel. The authentication mechanism is CHAP-like, using the MD5 algorithm.
• Tunnel ID - The Tunnel ID uniquely identifies the L2TP tunnel between the ERX and the LNS. It is possible to have multiple tunnels between a LAC and LNS. The Tunnel ID is used to distinguish between these tunnels. It is also possible to have different domains share a tunnel, if desired. To have multiple domains use the same tunnel, configure the same tunnel ID for both domains. This attribute is also referred to as the Assigned Tunnel ID.
• Hostname - The Hostname is used by some LNSs (e.g., Cisco) to identify multiple tunnels on a single LNS from different LACs.
• Tunnel Medium - Currently, the ERX only supports IPv4 as the tunnel medium. If the L2TP Tunnel Attributes are configured in the domain map, this parameter defaults to IPv4.
• Tunnel Type - Currently, the ERX only supports L2TP as the tunnel type. If L2TP Tunnel Attributes are configured in the domain map, this parameter defaults to L2TP.



Configuring L2TP Tunnel Attributes
Diagram: the Domain Map entry for CompanyC.com (LNS 192.168.1.1, password mypass, tunnel ID CompanyC) being configured on the LAC for [email protected].

• Configure Domain Map
- ERX4(config)#aaa domain-map CompanyC.com
• Configure a Tunnel Tag
- ERX4(config-domain-map)#tunnel 1
• Configure LNS IP Address
- ERX4(config-domain-map-tunnel)#address 192.168.1.1
• Configure Tunnel Password
- ERX4(config-domain-map-tunnel)#password mypass
• Configure Tunnel Identification
- ERX4(config-domain-map-tunnel)#identification CompanyC
• Configure Hostname
- ERX4(config-domain-map-tunnel)#hostname ERX4

ERX4(config)#aaa domain-map CompanyC.com
ERX4(config-domain-map)#tunnel 1
ERX4(config-domain-map-tunnel)#?
address         Configure tunnel endpoint address
exit            Exit from the current command mode
help            Describe the interactive help system
identification  Configure tunnel identification
hostname        Configure hostname of tunnel
macro           Run a CLI macro
medium          Configure tunnel medium
no              Negate a command or restore its default(s)
password        Configure tunnel password
preference      Configure tunnel preference
sleep           Make the Command Interface pause for a specified duration
type            Configure tunnel type
ERX4(config-domain-map-tunnel)#address 192.168.1.1
ERX4(config-domain-map-tunnel)#password mypass
ERX4(config-domain-map-tunnel)#identification CompanyC
ERX4(config-domain-map-tunnel)#end
ERX4#show aaa domain-map
Domain: CompanyC.com; virtual-router: default
Tunnel               Tunnel  Tunnel  Tunnel    Tunnel    Tunnel
Tag     Tunnel Peer  Type    Medium  Password  Id        Hostname
------  -----------  ------  ------  --------  --------  --------
1       192.168.1.1  l2tp    ipv4    mypass    CompanyC  ERX4
Tunnel  Tunnel
Tag     Preference
------  ----------
1       1000



LNS Configuration – L2TP
Diagram: the LNS at 192.168.1.1 (password mypass) terminating the tunnel from the LAC for [email protected], with a RADIUS server at Company C.

First create Profile – Used to create IP interfaces
- ip unnumbered loopback
- ppp authentication
- ip access-routes
- ip virtual-router

The remote users’ IP interfaces are built on and terminated at the LNS. In order to facilitate the dynamic creation of these interfaces when an L2TP session is established, a profile is required to define the characteristics of the IP interface. Below is an example of the parameters and configuration commands to build this profile.

erx3(config)#profile companyc-info
erx3(config-profile)#ppp authentication chap
erx3(config-profile)#ip virtual-router vr2
erx3(config-profile)#ip unnumbered loopback1
erx3(config-profile)#ip access-routes



LNS Configuration – L2TP (continued)
Diagram: the same LNS topology (LNS 192.168.1.1, password mypass, Domain Map entry for CompanyC.com), now showing the LNS side of the configuration.

• L2TP destination profile – Used to define the destination LAC
- Contains Remote Host configuration
• Remote Host - Contains properties of the LAC
- Remote Host name exact match with Hostname in Domain-Map

The LNS configuration includes three parts. First, one must configure a profile that will be used in creating the dynamic IP interfaces on the LNS. Next, one has to create an L2TP destination profile. Within the profile is the configuration of the Remote Host used to define the connection to a specific LAC. Below are example configuration commands:

erx3(config)#l2tp destination profile ?
WORD (32 char max)  A destination profile name
ip                  Configure a destination profile using IP
virtual-router      Configure a destination profile on a virtual router
erx3(config)#l2tp destination profile companyc ?
ip                  Configure a destination profile using IP
virtual-router      Configure a destination profile on a virtual router
<cr>
erx3(config)#l2tp destination profile companyc virtual-router vr2 ip address 192.168.1.2
erx3(config-l2tp-dest-profile)#remote host ERX4
erx3(config-l2tp-dest-profile-host)#?
default   Set a command to its default(s)
disable   Disable L2TP parameter for remote host
enable    Enable L2TP parameter for remote host
exit      Exit from the current command mode
help      Describe the interactive help system
local     Configure L2TP local parameters for remote host
log       Configure logging settings
macro     Run a CLI macro
no        Negate a command or set its default(s)
profile   Assign a profile for remote host
sleep     Make the Command Interface pause for a specified duration
tunnel    Configure L2TP tunnel parameters for remote host
erx3(config-l2tp-dest-profile-host)#tunnel password mypass
erx3(config-l2tp-dest-profile-host)#profile companyc-info
erx3(config-l2tp-dest-profile-host)#local ?
host  Configure an L2TP local host name for use with remote host
ip    Configure local ip parameters for use with remote host
erx3(config-l2tp-dest-profile-host)#local ip address 192.168.1.1


L2TP Life of a Packet - Establish L2TP Session
Diagram: encapsulation of the user’s IP datagram end to end. Between the PC and the LAC the IP datagram travels in PPP over ATM (RFC 2364); between the LAC and the LNS (192.168.1.1, password mypass) it is carried inside the L2TP session for [email protected], beside the Control Connection, with the stack (innermost first): IP datagram, PPP header, L2TP header, UDP header, IP header, link encapsulation (Encap X).

• L2TP session established with LNS
• LNS terminates and controls the PPP session

Once the initial L2TP tunnel is opened to the LNS, the ERX opens a new L2TP session with the LNS. After the L2TP session is opened, the PPP session is fully extended from Alan’s PC to the LNS. Since the PPP session is terminated on the LNS, the LNS provides and controls all PPP functionality, such as complete authentication, IP address assignment or data compression capabilities. The LNS can restart LCP and authentication, or it can receive the results of these operations from the LAC. When the LAC is performing these proxy functions and forwarding PPP frames directly from the client’s PC to the LNS, it is referred to as operating in PPP pass-through mode.
Once the session is established, PPP frames from the remote system are received at the LAC, stripped of the CRC, link framing and transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The LNS receives the L2TP packet and processes the encapsulated PPP frames as if they were received on a local PPP interface.
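The LAC data path just described (strip the CRC, link framing and transparency bytes, then encapsulate in L2TP), as an added Python example that is not code from this course or from the ERX. It assumes HDLC-style PPP framing with the default ACCM on the access side; the peer tunnel ID 9 is constructed, while the peer session ID 7125 is taken from the show l2tp session output later in this unit.

```python
import struct

PPP_FLAG, PPP_ESCAPE, PPP_ADDRESS, PPP_CONTROL = 0x7E, 0x7D, 0xFF, 0x03
PPP_GOOD_FCS = 0xF0B8  # FCS-16 residue of a frame whose trailing FCS is intact

def ppp_fcs16(data):
    """PPP 16-bit FCS (RFC 1662): reflected CRC-16/CCITT, initial value 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def hdlc_frame(ppp_payload):
    """Frame a PPP payload as the remote system's link layer sends it: FF 03, payload,
    complemented FCS, byte stuffing (default ACCM: control characters escaped), 7E flags."""
    raw = bytes([PPP_ADDRESS, PPP_CONTROL]) + ppp_payload
    raw += struct.pack("<H", ppp_fcs16(raw) ^ 0xFFFF)
    stuffed = bytearray()
    for byte in raw:
        if byte in (PPP_FLAG, PPP_ESCAPE) or byte < 0x20:
            stuffed += bytes([PPP_ESCAPE, byte ^ 0x20])
        else:
            stuffed.append(byte)
    return bytes([PPP_FLAG]) + bytes(stuffed) + bytes([PPP_FLAG])

def strip_link_framing(frame):
    """LAC receive path: drop the flags, undo transparency (stuffing), verify then drop the CRC.
    Returns the bare PPP frame (address/control, protocol, data) that goes into L2TP."""
    if len(frame) < 2 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing HDLC flag bytes")
    raw, escaped = bytearray(), False
    for byte in frame[1:-1]:
        if escaped:
            raw.append(byte ^ 0x20)
            escaped = False
        elif byte == PPP_ESCAPE:
            escaped = True
        else:
            raw.append(byte)
    if len(raw) < 4 or ppp_fcs16(raw) != PPP_GOOD_FCS:
        raise ValueError("PPP FCS check failed, frame dropped at the LAC")
    return bytes(raw[:-2])

def l2tp_data_message(peer_tunnel_id, peer_session_id, ppp_frame):
    """L2TP data header (T=0, L=1, version 2) + PPP frame. The IDs are the ones the
    receiving peer assigned, like the 'peer session id' in show l2tp session detail."""
    header = struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), peer_tunnel_id, peer_session_id)
    return header + ppp_frame

def lns_receive(packet):
    """LNS receive path: validate the data header, return (tunnel id, session id, PPP frame)."""
    flags_ver, length, tunnel_id, session_id = struct.unpack("!HHHH", packet[:8])
    if flags_ver & 0x8000 or flags_ver & 0x000F != 2 or not flags_ver & 0x4000:
        raise ValueError("not an L2TPv2 data message carrying a length field")
    if length != len(packet):
        raise ValueError("L2TP length field does not match the datagram")
    return tunnel_id, session_id, packet[8:]

def lac_forward(frame, peer_tunnel_id, peer_session_id):
    """Per received frame at the LAC: strip framing, encapsulate, forward over the tunnel."""
    return l2tp_data_message(peer_tunnel_id, peer_session_id, strip_link_framing(frame))

if __name__ == "__main__":
    # Constructed PPP payload: protocol 0x0021 (IPv4) plus bytes that exercise byte stuffing.
    payload = b"\x00\x21" + b"\x45\x00\x00\x14\x7e\x7d\x01"
    packet = lac_forward(hdlc_frame(payload), 9, 7125)  # tunnel ID 9 constructed, session 7125 from the slide
    print(lns_receive(packet))
```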



L2TP Life of a Packet - Establish additional L2TP Session
Diagram: the existing L2TP tunnel to the LNS at 192.168.1.1 (password mypass, Domain Map entry for CompanyC.com) now carries two sessions, one for [email protected] and one for [email protected], beside the Control Connection.

• Tunnel already opened
• Establish additional L2TP sessions

Multiple sessions may exist within a tunnel. If [email protected] initiates a PPP session with the ERX, a tunnel is already open. The ERX will simply establish an additional L2TP session with the LNS.



How can I tell if it is working?

• show subscriber – perform this on the LNS

• show l2tp tunnel – tunnel summary information

• show l2tp tunnel detail

• show l2tp session – session summary information

• Log categories – l2tp, l2tpIpLowerBinding, l2tpStateMachine

erx4#show l2tp tunnel
L2TP tunnel 2/companyc is Up with 2 active sessions
1 L2TP tunnels found

erx4#show l2tp tunnel detail
L2TP tunnel 2/companyc is Up with 2 active sessions
  Configuration
    Administrative state is enabled
    SNMP traps are disabled
    No peer host name is configured
    Local host name is 'ERX4'
    Local address is 192.168.1.2
  Tunnel address
    Transport ipUdp
    Virtual router default
    Local address 192.168.1.2, peer address 192.168.1.1
    Tunneling interface atm 5/1.3
    Local UDP port 1701, peer UDP port 1701
  Tunnel status
    Effective administrative state is enabled
    State is established

erx4#show l2tp session
L2TP session 1/companyc/43 is Up
L2TP session 1/companyc/44 is Up
2 L2TP sessions found

erx4#show l2tp session det
L2TP session 2/companyc/43 is Up
  Configuration
    Administrative state is enabled
    SNMP traps are disabled
  Session status
    Effective administrative state is enabled
    State is established
    Local session id is 501, peer session id is 7125
    Statistics  packets  octets  discards  errors
      Data rx         8     222         1       0
      Data tx         7     159         0       0
  Session operational configuration
    User name is '[email protected]'
    Call type is lacIncoming
    Call serial number is 26
