L2TP Dial-Out Outgoing Call Setup Details

This section details the process described in L2TP Dial-Out Process .

Access-Request Message

To create the username in the authentication request, the router uses the trigger, dial-out route, domain name, and optional Multiprotocol Label Switching (MPLS) route distinguisher (RD). The username is constructed as follows:

[MPLS RD]/{trigger destination address}@domain-name

For example, given a dial-out route with an IP prefix of 10.10.0.0/16, a domain name of L2TP-dial-out.de.dt, and an MPLS RD of 0.0.0.0:65000, if a trigger packet arrives with a destination IP address of 10.10.1.1, the router creates the following username:

0.0.0.0:65000/10.10.1.1@L2TP-dial-out.de.dt

No password is offered, and the authentication request is passed to the S-series AAA server for normal authentication processing.

Using the above example, the AAA domain map processes the L2TP-dial-out.de.dt domain as for any other domain. If RADIUS authentication is configured for the authenticating virtual router (VR) context, AAA passes the authentication request to the E Series RADIUS client. The RADIUS authentication request is consistent with other requests, except that the Service-Type attribute is set to outbound (value of 5).

Access-Accept Message

The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 87. If tunnel attributes are excluded from the Access-Accept message or the returned Service-Type attribute is not set to outbound, the dial-out session is denied.

Table 87: Additions to RADIUS Attributes in Access-Accept Messages

Attribute Number

Attribute Name

Content

6

Service-Type

Outbound

67

Tunnel-Server-Endpoint

IP address of LAC

Juniper VSA 26-35

Tunnel-Dialout-Number

L2TP dial-out number

Juniper VSA 26-36

PPP-Username

Username used in PPP L2TP dial-out sessions at the LNS

Juniper VSA 26-37

PPP-Password

Password used in PPP L2TP dial-out sessions at the LNS

Juniper VSA 26-38

PPP-Protocol

Authentication protocol used for L2TP sessions.

0 = none

1 = PAP

2 = CHAP

3 = PAP-CHAP

4 = CHAP-PAP

Juniper VSA 26-39

Tunnel-Min-Bps

Minimum line speed; passed to LAC (not interpreted by the LNS)

Juniper VSA 26-40

Tunnel-Max-Bps

Maximum line speed; passed to LAC (not interpreted by the LNS)

Juniper VSA 26-41

Tunnel-Bearer-Type

Bearer capability required: 0=name; 1=analog; 2=digital. Passed to LAC (not interpreted by the LNS).

Outgoing Call

After receiving a valid tunnel definition from AAA, the E Series LNS initiates an outgoing call. The router follows the same load-sharing mechanisms as for incoming calls. See Configuring LAC Tunnel Selection Parameters.

After an outgoing call is successfully signaled, the router dynamically creates a PPP interface. The profile in the dial-out route definition specifies any PPP configuration options. Both the L2TP session and the PPP interface exist on a Service module, identical to the LNS operation for incoming calls.

Once the PPP interface is created, Link Control Protocol (LCP) and IPCP are negotiated.

Mutual Authentication

Mutual authentication takes place in LCP, where the LNS validates the PPP interface on the remote CPE and vice-versa. LNS takes the same actions to authenticate the peer as it does on incoming calls.

The LNS obtains the PPP username and password from the initial Access-Accept message. It then provides this information to the remote CPE for authentication.

Route Installation

Once authentication is complete, the router creates a new access route. This route directs the forwarding of IP packets related to the original trigger packet to the newly created interface. The route does not need to be identical to the one specified in the dial-out route, but it must be able to forward packets that have the same destination address as the trigger packet. However, if the access route does not encompass the dial-out route definition, any other trigger packets initiate a new dial-out session.

The dial-out state machine verifies that the trigger packet can be forwarded over the route.

Related Documentation