Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs
In Chapter 2, "Designing and Deploying L2TPv3-Based Layer 2 VPNs (L2VPN)," you saw how Layer Two Tunneling Protocol version 3 (L2TPv3) can be used to transport a number of Layer 2 protocols in a site-to-site configuration. This chapter shows how L2TPv2 (RFC 2661) and L2TPv3 (RFC 3931) can be used to provide home workers, telecommuters, or "road warriors" with access to a corporate or other organization's network. Both versions tunnel PPP frames across an IP network (L2TPv2 over UDP port 1701; L2TPv3 over UDP or directly over IP protocol 115), and neither version encrypts the tunneled traffic by itself.
Figure 8-1 depicts L2TP remote access VPNs.
Figure 8-1. L2TP Remote Access VPNs
L2TP can be used to provide remote access in two different ways:
- Voluntary/client-initiated tunnel mode: In this mode, PPP connections are tunneled over L2TP directly from a remote access client or client router to a remote VPN gateway called an L2TP Network Server (LNS). In L2TP terms, the client or client router itself plays the L2TP Access Concentrator (LAC) role for its own connection.
The key point to note is that, in voluntary/client-initiated tunnel mode, the PPP connection and the L2TP tunnel originate on the same device and are terminated together on the LNS. Note also that L2TP itself provides no confidentiality: the PPP frames in the L2TP data channel are carried in the clear, and the optional tunnel authentication defined in RFC 2661 covers only control connection setup, not user data. This is why client-initiated tunnels across the Internet are normally run as L2TP/IPsec (L2TP protected by IPsec).
- Compulsory/NAS-initiated tunnel mode: In this mode, remote users connect to a Network Access Server (NAS) acting as an L2TP Access Concentrator (LAC), and PPP frames (to and from the remote access users) are tunneled via L2TP to an LNS.
In this mode, the LAC does not terminate the PPP connections that it transports over the L2TP tunnel; it relays PPP frames, and PPP is terminated on the LNS. User authentication (PAP/CHAP) and IP address assignment for those users therefore happen at the LNS, not at the LAC.
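Whichever mode is used, the LAC and LNS first establish a control connection, and RFC 2661 lets them authenticate each other during that exchange with a CHAP-style challenge and response keyed by a shared secret. The following Python is an added example (not code from the chapter or from any Cisco implementation): it builds a constructed L2TPv2 SCCRP, the reply an LNS sends to a LAC's SCCRQ, parses the control header and AVPs, and verifies the Challenge Response AVP the way an LNS or a packet-inspection tool would. The shared secret, challenge bytes, host name, and tunnel IDs are invented for the example.

```python
"""L2TPv2 (RFC 2661) control-message builder/parser with tunnel-authentication check.

Added example, not code from the chapter. The shared secret, challenge bytes,
host name and tunnel IDs below are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Message Type AVP values (RFC 2661 section 6)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
MESSAGE_IDS = {name: num for num, name in MESSAGE_TYPES.items()}

# Attribute types used here (all IETF-defined, vendor ID 0)
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE_RESPONSE = 9, 13

# Control header bits in the first 16-bit word: T (control message), L (Length
# present), S (Ns/Nr present); the low nibble is the protocol version (2 for L2TPv2)
T_BIT, L_BIT, S_BIT = 0x8000, 0x4000, 0x0800
AVP_M_BIT, AVP_H_BIT, AVP_LEN_MASK = 0x8000, 0x4000, 0x03FF


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: M/H flags plus 10-bit length, vendor ID 0, attribute type, value."""
    flags = (AVP_M_BIT if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control messages always carry Length and Ns/Nr (T=L=S=1) and never Offset/Priority."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body


def parse_control_message(pkt):
    """Return (header dict, AVP list); raise ValueError for anything that is not a v2 control message."""
    (flags_ver,) = struct.unpack("!H", pkt[:2])
    if (flags_ver & 0x000F) != 2:
        raise ValueError("not L2TPv2 (version %d)" % (flags_ver & 0x000F))
    if not (flags_ver & T_BIT):
        raise ValueError("data message (T bit clear), not a control message")
    if not (flags_ver & L_BIT) or not (flags_ver & S_BIT):
        raise ValueError("control message must carry Length and Ns/Nr")
    length, tid, sid, ns, nr = struct.unpack("!HHHHH", pkt[2:12])
    if length != len(pkt):
        raise ValueError("Length field %d != packet size %d" % (length, len(pkt)))
    avps, off = [], 12
    while off < length:
        fl, vendor, attr = struct.unpack("!HHH", pkt[off:off + 6])
        alen = fl & AVP_LEN_MASK
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length at offset %d" % off)
        # H (hidden) AVPs would need the shared secret to unhide; we only flag them here
        avps.append({"mandatory": bool(fl & AVP_M_BIT), "hidden": bool(fl & AVP_H_BIT),
                     "vendor": vendor, "type": attr, "value": pkt[off + 6:off + alen]})
        off += alen
    if not avps or avps[0]["vendor"] != 0 or avps[0]["type"] != AVP_MESSAGE_TYPE:
        raise ValueError("Message Type AVP must be the first AVP")
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr}, avps


def message_name(avps):
    (num,) = struct.unpack("!H", avps[0]["value"])
    return MESSAGE_TYPES.get(num, "unknown(%d)" % num)


def expected_response(msg_type_id, secret, challenge):
    """RFC 2661 4.4.3: CHAP-style MD5 response; the ID octet is the type of the message carrying it."""
    return hashlib.md5(bytes([msg_type_id]) + secret + challenge).digest()


def verify_tunnel_auth(pkt, secret, challenge_we_sent):
    """Parse a peer's reply and check its Challenge Response against the challenge we sent."""
    _, avps = parse_control_message(pkt)
    name = message_name(avps)
    resp = next((a["value"] for a in avps
                 if a["vendor"] == 0 and a["type"] == AVP_CHALLENGE_RESPONSE), None)
    if resp is None or name not in MESSAGE_IDS:
        return name, False
    want = expected_response(MESSAGE_IDS[name], secret, challenge_we_sent)
    return name, hmac.compare_digest(resp, want)   # constant-time compare


# Constructed values: the secret shared by LAC and LNS, and the Challenge AVP the LAC
# sent in its SCCRQ (Assigned Tunnel ID 7). sample_sccrp() is the LNS's answer.
SHARED_SECRET = b"example-tunnel-secret"
CHALLENGE = bytes(range(16))


def sample_sccrp(secret=SHARED_SECRET, challenge=CHALLENGE):
    avps = [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MESSAGE_IDS["SCCRP"])),
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),            # Ver 1, Rev 0
        build_avp(AVP_HOST_NAME, b"lns.example"),                # constructed
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1A2B)),
        build_avp(AVP_CHALLENGE_RESPONSE,
                  expected_response(MESSAGE_IDS["SCCRP"], secret, challenge)),
    ]
    # Header Tunnel ID is the one the LAC assigned in its SCCRQ; Session ID 0 for control
    return build_control_message(tunnel_id=7, session_id=0, ns=0, nr=1, avps=avps)


if __name__ == "__main__":
    print(parse_control_message(sample_sccrp())[0])
    print(verify_tunnel_auth(sample_sccrp(), SHARED_SECRET, CHALLENGE))
    print(verify_tunnel_auth(sample_sccrp(), b"wrong-secret", CHALLENGE))
```

Two things worth noticing when running this: a packet whose T bit is clear is an L2TP data message and is rejected outright, which is the same split a detection rule on UDP 1701 has to make before it can even look for AVPs; and the verification only ever proves that the peer knows the tunnel secret at setup time, nothing about the PPP frames that follow, which is exactly why the IPsec layer is still needed.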
In Figure 8-1, remote access users mark@mjlnet.com and john@mjlnet.com are taking advantage of L2TP voluntary/client-initiated tunnel mode to connect to a corporate VPN gateway (LNS).
mark@mjlnet.com is a telecommuter and uses a small home router to tunnel traffic to and from a VPN gateway. john@mjlnet.com, on the other hand, is a "road warrior" who uses the built-in L2TP/IPsec (L2TP protected by IPsec) client software on his laptop to connect over an Internet connection to the VPN gateway.
peter@mjlnet.com and james@mjlnet.com, on the other hand, do not directly use L2TP to connect to a VPN gateway. Instead, they connect via PPP (over dialup, DSL, or other access technologies) to a service provider LAC, which then tunnels both PPP connections over the same compulsory/NAS-initiated L2TP tunnel to a VPN gateway.
In Figure 8-1, the telecommuter's home router (mark@mjlnet.com) and john@mjlnet.com's laptop are labeled 'L2TPv2/L2TPv3' and 'LAC [L2TPv2]' respectively. You may be wondering why two different versions of L2TP are used depending on whether a remote access user is mobile (a "road warrior") or a telecommuter. This is because, to date, all implementations of L2TP included with host operating systems (Windows/Mac OS X) use L2TPv2, while Cisco routers (used in Figure 8-1 for telecommuter remote access) support both L2TPv2 and L2TPv3.
This chapter concentrates on L2TPv2 because of its much wider deployment as a remote access VPN protocol.