    L2TP Dial-Out Outgoing Call Setup Details

    This section details the process described in L2TP Dial-Out Process.

    Access-Request Message

    To create the username in the authentication request, the router uses the trigger, dial-out route, domain name, and optional Multiprotocol Label Switching (MPLS) route distinguisher (RD). The username is constructed as follows:

    [MPLS RD]/{trigger destination address}@domain-name

    For example, given a dial-out route with an IP prefix of, a domain name of, and an MPLS RD of, if a trigger packet arrives with a destination IP address of, the router creates the following username:

    No password is offered, and the authentication request is passed to the S-series AAA server for normal authentication processing.

    Using the above example, the AAA domain map processes the domain as for any other domain. If RADIUS authentication is configured for the authenticating virtual router (VR) context, AAA passes the authentication request to the E Series RADIUS client. The RADIUS authentication request is consistent with other requests, except that the Service-Type attribute is set to outbound (value of 5).

    Access-Accept Message

    The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 1. If tunnel attributes are excluded from the Access-Accept message or the returned Service-Type attribute is not set to outbound, the dial-out session is denied.

    Table 1: Additions to RADIUS Attributes in Access-Accept Messages

    | Attribute Number | Attribute Name | Description |
    | --- | --- | --- |
    | | | IP address of LAC |
    | Juniper VSA 26-35 | | L2TP dial-out number |
    | Juniper VSA 26-36 | | Username used in PPP L2TP dial-out sessions at the LNS |
    | Juniper VSA 26-37 | | Password used in PPP L2TP dial-out sessions at the LNS |
    | Juniper VSA 26-38 | | Authentication protocol used for L2TP sessions: 0 = none; 1 = PAP; 2 = CHAP; 3 = PAP-CHAP; 4 = CHAP-PAP |
    | Juniper VSA 26-39 | | Minimum line speed; passed to LAC (not interpreted by the LNS) |
    | Juniper VSA 26-40 | | Maximum line speed; passed to LAC (not interpreted by the LNS) |
    | Juniper VSA 26-41 | | Bearer capability required: 0 = none; 1 = analog; 2 = digital. Passed to LAC (not interpreted by the LNS). |

    Outgoing Call

    After receiving a valid tunnel definition from AAA, the E Series LNS initiates an outgoing call. The router follows the same load-sharing mechanisms as for incoming calls. See Configuring LAC Tunnel Selection Parameters.

    After an outgoing call is successfully signaled, the router dynamically creates a PPP interface. The profile in the dial-out route definition specifies any PPP configuration options. Both the L2TP session and the PPP interface exist on a Service module, identical to the LNS operation for incoming calls.

    Once the PPP interface is created, Link Control Protocol (LCP) and IPCP are negotiated.

    Mutual Authentication

    Mutual authentication takes place in LCP, where the LNS validates the PPP interface on the remote CPE and vice versa. The LNS takes the same actions to authenticate the peer as it does on incoming calls.

    The LNS obtains the PPP username and password from the initial Access-Accept message. It then provides this information to the remote CPE for authentication.

    Route Installation

    Once authentication is complete, the router creates a new access route. This route directs the forwarding of IP packets related to the original trigger packet to the newly created interface. The route does not need to be identical to the one specified in the dial-out route, but it must be able to forward packets that have the same destination address as the trigger packet. However, if the access route does not encompass the dial-out route definition, any other trigger packets initiate a new dial-out session.

    The dial-out state machine verifies that the trigger packet can be forwarded over the route.

    • If the verification is unsuccessful, the dial-out session is put into the failed state.
    • If the verification is successful, the dial-out session is put into the inService state.
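
    The following added example (not Juniper code) models the Access-Accept denial rules and the route verification described above, including the case where a narrow access route lets later trigger packets start new sessions. The choice of RFC 2868 attributes as the "tunnel attributes", the dictionary keys, the "denied" label, and all sample addresses are assumptions made for illustration.

```python
import ipaddress

SERVICE_TYPE_OUTBOUND = 5  # Service-Type value the page requires
# Assumption: these RFC 2868 attributes stand in for "attributes that define a tunnel".
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint")
PPP_AUTH = {0: "none", 1: "PAP", 2: "CHAP", 3: "PAP-CHAP", 4: "CHAP-PAP"}  # VSA 26-38


def check_access_accept(attrs):
    """Apply the page's two denial rules to an Access-Accept given as a dict."""
    if attrs.get("Service-Type") != SERVICE_TYPE_OUTBOUND:
        return False, "Service-Type is not outbound (5)"
    missing = [name for name in TUNNEL_ATTRS if name not in attrs]
    if missing:
        return False, "tunnel attributes missing: " + ", ".join(missing)
    return True, "PPP authentication: " + PPP_AUTH.get(attrs.get("26-38"), "unspecified")


def session_state(attrs, trigger_dst, access_route):
    """Return denied, failed or inService for one trigger packet."""
    accepted, _ = check_access_accept(attrs)
    if not accepted:
        return "denied"  # hypothetical label for "the dial-out session is denied"
    # The trigger packet must be forwardable over the installed access route.
    if ipaddress.ip_address(trigger_dst) in ipaddress.ip_network(access_route):
        return "inService"
    return "failed"


def starts_new_session(next_dst, dialout_route, access_route):
    """True when a later trigger matches the dial-out route but not the access route."""
    dst = ipaddress.ip_address(next_dst)
    return (dst in ipaddress.ip_network(dialout_route)
            and dst not in ipaddress.ip_network(access_route))


# Constructed sample data (not from the page).
ACCEPT = {"Service-Type": 5, "Tunnel-Type": 3, "Tunnel-Medium-Type": 1,
          "Tunnel-Server-Endpoint": "192.0.2.10", "26-38": 2}

if __name__ == "__main__":
    print(check_access_accept(ACCEPT))
    print(session_state(ACCEPT, "10.10.1.1", "10.10.1.1/32"))
    print(starts_new_session("10.10.2.2", "10.10.0.0/16", "10.10.1.1/32"))
```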

    Published: 2014-08-20