L2TP is also often referred to as a virtual dial-up protocol, because it extends a PPP (Point-to-Point Protocol) dial-up session across a public Internet network; for the same reason it is often described as a virtual PPP connection.
1. L2TP Device

Figure 4.16. L2TP
The basic L2TP equipment is:
- Remote Client. An end system or router on a remote access network (e.g. a dial-up client).
- L2TP Access Concentrator (LAC). A system located at one end of the L2TP tunnel that is a peer to the LNS. It sits on the remote client/ISP side, acting as the initiator of incoming calls and the recipient of outgoing calls.
- L2TP Network Server (LNS). The system located at the other end of the L2TP tunnel that is a peer to the LAC. It sits on the corporate network side, acting as the initiator of outgoing calls and the recipient of incoming calls.
- Network Access Server (NAS). A NAS can act as a LAC, as an LNS, or as both.
2. L2TP Tunnel
The L2TP scenario is to form a tunnel for PPP frames between a remote client and an LNS located on a corporate network. There are 2 known L2TP tunnel models, namely compulsory and voluntary. The main difference between the two lies in the tunnel endpoint: in a compulsory tunnel the client-side end of the tunnel is at the ISP, while in a voluntary tunnel it is at the remote client itself.
2.1. Compulsory L2TP Model

Figure 4.17. Compulsory L2TP Model
- The remote client initiates a PPP connection to the LAC via the PSTN. In Figure 4.17 above, the LAC is at the ISP.
- The ISP accepts the connection and the PPP link is established.
- The ISP performs partial authentication to learn the username. The ISP maintains the database that maps users to LNS tunnel services and endpoints.
- The LAC then initiates an L2TP tunnel to the LNS.
- If the LNS accepts the connection, the LAC encapsulates the PPP frames in L2TP and forwards them through the appropriate tunnel.
- The LNS receives these frames, strips the L2TP encapsulation, and processes them as regular incoming PPP frames.
- The LNS then uses PPP authentication to validate the user and assigns an IP address.
2.2. Voluntary L2TP Model

Figure 4.18. L2TP Voluntary Model
- The remote client has a pre-established connection to the ISP and also functions as the LAC. In this case, the host running the LAC client software reaches the public network (the Internet) through the ISP.
- The L2TP client (LAC) initiates an L2TP tunnel to the LNS.
- If the LNS accepts the connection, the LAC encapsulates the PPP frames in L2TP and forwards them through the tunnel.
- The LNS receives these frames, strips the L2TP encapsulation, and processes them as regular incoming PPP frames.
- The LNS then uses PPP authentication to validate the user and assigns an IP address.
3. How L2TP Works
The components of a tunnel are:
Control channel, whose functions are:
- Setting up (building) and tearing down tunnels.
- Creating and tearing down payload calls (sessions) within the tunnel.
- Maintaining mechanisms to detect tunnel outages.
Sessions (data channel) for data delivery:
- Payload delivery service.
- Encapsulated PPP packets are sent within sessions.

Figure 4.19. How L2TP Works
There are 2 steps to establish a tunnel for a PPP session on L2TP:
- Establishing a control connection for the tunnel.
- Before any incoming or outgoing call can begin, the tunnel and its control connection must already be established.
- Establishing a session, triggered by an incoming or outgoing call request.
An L2TP session must be established before PPP frames can be passed through an L2TP tunnel. Multiple sessions can be established on a single tunnel, and multiple tunnels can be established between the same LAC and LNS.
4. Establishing Control Connection

Figure 4.20. Establishing a Control Connection
The control connection is the first connection established between the LAC and the LNS, before any session is established. Establishing a control connection includes confirming the identity of the peer and learning the peer's L2TP version, framing and bearer capabilities, and so on.
Three messages are exchanged to establish a control connection (SCCRQ, SCCRP, and SCCCN). If there are no more messages waiting in the peer's queue, a ZLB ACK is sent.
5. Tunnel Authentication On L2TP
The authentication system used by L2TP during the establishment of a control connection is almost the same as CHAP. L2TP tunnel authentication uses the Challenge AVP included in the SCCRQ or SCCRP message:
- If a Challenge AVP is received in an SCCRQ or SCCRP, a Challenge Response AVP must be sent in the following SCCRP or SCCCN, respectively.
- If the expected response and the received response do not match, tunnel establishment is not allowed.
In order to use the tunnel, a single shared secret (password) must exist between the LAC and the LNS.
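As an added illustration of the CHAP-like check described above (example code written for this page, not taken from the original text or from any L2TP implementation), the following Python computes and verifies the Challenge Response AVP the way RFC 2661 defines it: an MD5 digest over the message type octet (2 for SCCRP, 3 for SCCCN), the shared secret, and the challenge. The `tunnel_handshake` simulation, the 16-byte challenge length, and the secrets are constructed for the demonstration; both sides verify with their own copy of the secret, so a mismatched secret is rejected before the tunnel is connected.

```python
import hashlib
import hmac
import os

# Message Type values that carry a Challenge Response AVP; the type octet plays the
# role of the CHAP Identifier in the hash (RFC 2661, Challenge Response AVP).
SCCRP = 2
SCCCN = 3
CHALLENGE_LEN = 16  # constructed choice; the RFC only requires a random value


def challenge_response(msg_type: int, shared_secret: bytes, challenge: bytes) -> bytes:
    """Return the 16-octet Challenge Response: MD5(msg_type || shared_secret || challenge).

    MD5 is what the L2TP specification prescribes here (inherited from CHAP); it is
    not a modern MAC, which is one reason the page pairs L2TP with IPsec.
    """
    if msg_type not in (SCCRP, SCCCN):
        raise ValueError("Challenge Response is only carried in SCCRP or SCCCN")
    return hashlib.md5(bytes([msg_type]) + shared_secret + challenge).digest()


def verify_response(msg_type: int, shared_secret: bytes, challenge: bytes,
                    received: bytes) -> bool:
    """Recompute the expected response and compare it in constant time."""
    expected = challenge_response(msg_type, shared_secret, challenge)
    return hmac.compare_digest(expected, received)


def tunnel_handshake(lac_secret: bytes, lns_secret: bytes, rng=os.urandom):
    """Constructed simulation of the mutual check during control-connection setup.

    Returns (lac_accepts_lns, lns_accepts_lac). Each peer uses only its own copy of
    the shared secret, so mismatched secrets fail at the first comparison.
    """
    # 1. LAC -> LNS: SCCRQ carrying Challenge AVP c1
    c1 = rng(CHALLENGE_LEN)
    # 2. LNS -> LAC: SCCRP carrying the Challenge Response to c1 plus its own Challenge c2
    resp_sccrp = challenge_response(SCCRP, lns_secret, c1)
    c2 = rng(CHALLENGE_LEN)
    # 3. LAC verifies the SCCRP response; on mismatch the tunnel is not established
    lac_accepts_lns = verify_response(SCCRP, lac_secret, c1, resp_sccrp)
    if not lac_accepts_lns:
        return False, False
    # 4. LAC -> LNS: SCCCN carrying the Challenge Response to c2; LNS verifies it
    resp_scccn = challenge_response(SCCCN, lac_secret, c2)
    lns_accepts_lac = verify_response(SCCCN, lns_secret, c2, resp_scccn)
    return True, lns_accepts_lac


if __name__ == "__main__":
    print(tunnel_handshake(b"constructed-secret", b"constructed-secret"))  # (True, True)
    print(tunnel_handshake(b"constructed-secret", b"different-secret"))    # (False, False)
```

The message type octet in the hash is what stops a response captured from an SCCRP being replayed as an SCCCN answer to the same challenge; the constant-time comparison in `verify_response` is the defender-side detail the text's "must match" requirement leaves implicit.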
6. Incoming Call On L2TP

Figure 4.21. Incoming Call on L2TP
Once the control connection has been successfully established, individual sessions can be established. Each session corresponds to one PPP flow between the LAC and the LNS.
Session establishment has a direction relative to the LAC and the LNS: the LAC requests that the LNS accept a session for an incoming call, and the LNS requests that the LAC accept a session to place an outgoing call.
Three messages are involved in establishing a session (ICRQ, ICRP, ICCN). If there are no more messages waiting in the peer's queue, a ZLB ACK is sent.
7. PPP Delivery
Once the tunnel is fully established:
- PPP frames from the remote client are received at the LAC.
- The CRC is stripped.
- The link framing is removed.
- The transparency bytes are removed.
- The frame is encapsulated in L2TP.
- The packet is forwarded through the associated tunnel.
The LNS receives the L2TP packet and processes the encapsulated PPP frame as if it had been received on a local PPP interface. The sender of a message associates it with its session and tunnel and places the corresponding Session ID and Tunnel ID in the header of every outgoing message. In this way, PPP frames are multiplexed and demultiplexed over a single tunnel between the LAC and the LNS.
Multiple tunnels can be established between a LAC-LNS pair, and multiple sessions can be established within a tunnel.
8. Session Termination
Either the LAC or the LNS can terminate a session by sending a CDN control message. After the last session has been disconnected, the control connection can be disconnected.

Figure 4.22. Session Termination
9. L2TP Over UDP/IP
L2TP uses the registered UDP port 1701. The L2TP tunnel initiator picks a source UDP port (which is not 1701) and sends to the desired destination at port 1701.
Likewise, the receiver picks a free port (other than 1701) on its own system and sends back to the initiator at the initiator's UDP port address (port 1701). Once the source and destination ports and addresses have been established, the ports used remain fixed/static for the life of the tunnel. If the port in use changed, passing L2TP through a NAT device would become more complex.
IP fragmentation can occur as L2TP packets pass through the IP substrate; L2TP has no special treatment to optimize this. A LAC implementation can have LCP negotiate the MRU value so that L2TP packets can be passed with a consistent MTU.
By default, in some L2TP implementations UDP checksums must be used for both control and data messages. UDP checksums may be omitted on data messages, but checksums on control messages are recommended.
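To make the header fields, the control message types of sections 4 and 6, the ZLB ACK, and the Tunnel ID/Session ID demultiplexing of section 7 concrete, here is an added Python parser for the L2TPv2 header and its AVP list as laid out in RFC 2661 (example code written for this page, not from the original text or from any L2TP implementation). The `build_control`/`build_data` helpers, the session table, and the PPP bytes are constructed sample inputs; the validity checks follow the RFC's rules that a control message must carry the Length and Ns/Nr fields and must not set the Offset bit, and that data for an unknown session is discarded.

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701  # registered port; the responder's source port may differ

# Control message types carried in the Message Type AVP (attribute type 0), RFC 2661
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


@dataclass
class L2TPPacket:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    avps: list          # [(mandatory, vendor_id, attr_type, value_bytes), ...]
    payload: bytes      # encapsulated PPP frame for data packets, b"" for control

    @property
    def message_type(self) -> Optional[str]:
        """Control message name, 'ZLB' for an AVP-less control packet, None for data."""
        if not self.is_control:
            return None
        for _mandatory, vendor, attr, value in self.avps:
            if vendor == 0 and attr == 0 and len(value) == 2:
                return MESSAGE_TYPES.get(struct.unpack("!H", value)[0], "unknown")
        return "ZLB"


def parse_avps(body: bytes) -> list:
    """Walk the AVP list: 16-bit M/H/length, 16-bit vendor ID, 16-bit attribute, value."""
    avps = []
    while body:
        if len(body) < 6:
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack("!HHH", body[:6])
        mandatory, length = bool(hdr & 0x8000), hdr & 0x03FF  # M bit, 10-bit length
        if length < 6 or length > len(body):
            raise ValueError("bad AVP length")
        avps.append((mandatory, vendor, attr, body[6:length]))
        body = body[length:]
    return avps


def parse_l2tp(data: bytes) -> L2TPPacket:
    """Parse one UDP payload received on port 1701 into its L2TPv2 fields."""
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", data[:2])
    t_bit, l_bit = bool(flags & 0x8000), bool(flags & 0x4000)
    s_bit, o_bit = bool(flags & 0x0800), bool(flags & 0x0200)
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    if t_bit and (not l_bit or not s_bit or o_bit):
        # Control messages MUST carry Length and Ns/Nr and MUST NOT set the O bit
        raise ValueError("malformed control message flags")
    pos, end = 2, len(data)
    if l_bit:
        (end,) = struct.unpack("!H", data[2:4])
        pos = 4
        if end > len(data):
            raise ValueError("Length field exceeds datagram")
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if s_bit:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if o_bit:
        (offset,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2 + offset
    if pos > end:
        raise ValueError("header overruns packet")
    body = data[pos:end]
    if t_bit:
        return L2TPPacket(True, tunnel_id, session_id, ns, nr, parse_avps(body), b"")
    return L2TPPacket(False, tunnel_id, session_id, ns, nr, [], body)


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int,
                  msg_type: Optional[int] = None) -> bytes:
    """Constructed control message; msg_type=None yields a ZLB ACK (header only)."""
    avp = b"" if msg_type is None else struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_type)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(avp), tunnel_id, session_id, ns, nr) + avp


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Constructed data message: T=0, no Length/Ns/Nr, then the PPP frame."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp_frame


def demux(packet: L2TPPacket, sessions: dict) -> str:
    """Route a parsed packet as an LNS would: control by tunnel, data by (tunnel, session)."""
    if packet.is_control:
        return f"tunnel {packet.tunnel_id}: {packet.message_type}"
    key = (packet.tunnel_id, packet.session_id)
    if key not in sessions:
        return f"drop: unknown session {key}"
    return f"session {key} -> {sessions[key]}: {len(packet.payload)}-byte PPP frame"
```

Running `demux(parse_l2tp(build_data(5, 7, b"\xff\x03\xc0\x21")), {(5, 7): "ppp0"})` yields a routed PPP frame, while the same bytes with an unknown Session ID are dropped; a control packet whose flags omit the Length or sequence fields is rejected before any AVP is read, which is the kind of check a receiver on port 1701 needs since the page notes that nothing below the tunnel endpoint authentication protects these headers.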
10. Information Security On L2TP
L2TP forms a tunnel from the LAC to the LNS, so that the data passed through it is not transparently visible to other users of the public network.
L2TP provides several forms of security, namely:
10.1 Tunnel Endpoint Security
The tunnel endpoint authentication procedure performed during tunnel formation has the same attributes as CHAP (Challenge Handshake Authentication Protocol). This mechanism is not designed to provide authentication after the tunnel has been formed, so it is possible for an unauthorized third party to snoop on the data flow of the L2TP tunnel and inject L2TP packets once the tunnel formation process has completed.
10.2 Packet Level Security
L2TP security requires the involvement of a lower-layer transport that performs encryption, integrity, and authentication services for all L2TP traffic. The secure transport operates on all L2TP packets and is independent of PPP and of the protocols carried by PPP.
10.3 End to End Security
Protecting the L2TP packet stream with a secure transport also protects the data inside the PPP tunnel as it travels from the LAC to the LNS. This type of protection is not a substitute for end-to-end security between the communicating hosts or applications.
10.4 Combination of L2TP and IPsec
When running over IP (layer 3), IPSec is used to encapsulate packets and can also be used to provide encryption for other tunneling protocols. IPSec provides packet-level security using 2 protocols, namely:
- AH (Authentication Header). Allows verification of the sender's identity and checking of the integrity of the message/information.
- ESP (Encapsulating Security Payload). Allows encryption of the information so that it remains confidential. The original IP packet is wrapped, and the outer IP header usually carries the destination gateway. There is no guarantee of the integrity of the outer IP header, so ESP is used in conjunction with the AH protocol.
IPsec provides a mode of operation that can tunnel IP packets. Packet-level encryption and authentication are provided by IPSec tunnel mode.
So, to ensure more reliable L2TP security, a secure transport is used and IPSec is implemented as layer 3 tunneling. This method is known as L2TP over IPSec. (See the assignment: RM Dikshie Fauzie, NIM: 23201093, "Review of IPSec Mechanism and Application: VPN Case Study".)
11. Conclusion
A Virtual Private Network (VPN) can provide solutions to various existing problems. With a VPN, the connection between a company's head office, its branches and its business partners is more economical. In addition, a VPN connection is not limited to head office and branches; it also provides connection security for users who move around.
IP VPN is based on a public network running on an IP platform, so service delivery is connectionless, meaning that data is sent without any prior path-formation process (connection setup). IP is responsible for handling delivery, and it is also IP's responsibility to handle datagram recognition and datagram reassembly as a direct result of fragmentation. Using a public Internet network for VPN services requires better security guarantees than regular Internet services. Sharing public network infrastructure for something called private requires special security. With this security guarantee, customers can send and access information safely, protected from the possibility of infiltration by unwanted accessors.
12. QUESTIONS
- What protocols are used to implement a VPN on the Internet?
- What is meant by IPSec, and what services does IPSec contain?
- Describe and explain each part of the IPSec architecture.
- Describe and explain the devices in L2TP.
- What are the forms of security provided by L2TP?
