Juniper Networks
Related Documentation

  • Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode
  • aaa domain-map
  • aaa tunnel assignment-id-format
  • aaa tunnel client-name
  • aaa tunnel ignore
  • aaa tunnel password
  • address
  • client-name
  • identification
  • l2tp disable challenge
  • l2tp ignore-receive-data-sequencing
  • medium ipv4
  • password
  • preference
  • router-name
  • server-name
  • source-address
  • tunnel
  • tunnel group
  • type
 

Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode

To map a domain to an L2TP tunnel locally on the router from Domain Map Tunnel mode, perform the following steps:

  1. Specify a domain name and enter Domain Map Configuration mode:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#
  2. Specify a virtual router; in this case, the default router is specified.
    host1(config-domain-map)#router-name default
  3. Specify a tunnel to configure and enter Domain Map Tunnel Configuration mode:
    host1(config-domain-map)#tunnel 3
  4. Specify the LNS endpoint address of a tunnel.
    host1(config-domain-map-tunnel)#address 192.0.2.13
  5. (Optional) Assign a tunnel group to the domain map. You can assign a tunnel group only when no tunnels are currently defined for the domain map from AAA Domain Map Tunnel mode.
    host1(config-domain-map)#tunnel group storm
  6. Specify a preference for the tunnel.

    You can specify up to eight levels of preference, and you can assign the same preference to a maximum of 31 tunnels. When you define multiple preferences for a destination, you increase the probability of a successful connection.

    host1(config-domain-map-tunnel)#preference 5
  7. (Optional) Specify an authentication password for the tunnel.
    host1(config-domain-map-tunnel)#password temporary

    Note: If you specify a password for the LAC, the router requires that the peer (the LNS) authenticate itself to the router. In this case, if the peer fails to authenticate itself, the tunnel terminates.

  8. (Optional) Specify a hostname for the LAC end of the tunnel.

    The LAC sends the hostname to the LNS when communicating to the LNS about the tunnel. The hostname can be up to 64 characters (no spaces).

    host1(config-domain-map-tunnel)#client-name host4

    Note: If the LNS does not accept tunnels from unknown hosts, and if no hostname is specified, the LAC uses the router name as the hostname.

  9. (Optional) Specify a server name for the LNS.

    This name specifies the hostname expected from the peer (the LNS) when you set up a tunnel. When this name is specified, the peer must identify itself with this name during tunnel startup. Otherwise, the tunnel is terminated. The server name can be up to 64 characters (no spaces).

    host1(config-domain-map-tunnel)#server-name boston
  10. (Optional) Specify a source IP address for the LAC tunnel endpoint. All L2TP packets sent to the peer use this source address.
    host1(config-domain-map-tunnel)#source-address 192.0.3.3

    By default, the router uses the virtual router’s router ID as the source address. You can override this behavior for an L2TP tunnel by specifying a source address. If you do specify a source address, use the address of a stable IP interface (for example, a loopback interface). Make sure that the address is configured in the virtual router for this domain map, and that the address is reachable by the peer.

  11. Specify a tunnel identification.
    host1(config-domain-map-tunnel)#identification acton

    The router groups L2TP sessions with the same tunnel identification into the same tunnel. This occurs only when both the destination (virtual router, IP address) and the ID are the same.

  12. Specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type). Currently, the only supported value is L2TP.
    host1(config-domain-map-tunnel)#type l2tp
  13. Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].)
    host1(config-domain-map-tunnel)#medium ipv4
  14. (Optional) Specify a default tunnel client name.
    host1(config-domain-map-tunnel)#exit
    host1(config-domain-map)#exit
    host1(config)#aaa tunnel client-name boxford

    If the tunnel client name is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default name.

  15. (Optional) Specify a default tunnel password.
    host1(config)#aaa tunnel password 3&92k%b#q4
    host1(config)#exit

    If the tunnel password is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default password.

  16. (Optional) Set the format for the tunnel assignment ID that is passed to PPP/L2TP.

    The tunnel assignment ID format can be either only assignmentID or clientAuthId + serverAuthId + assignmentId.

    host1(config)#aaa tunnel assignment-id-format assignmentID

    If you do not set a tunnel assignment ID, the software sets it to the default (assignmentID). This parameter is only generated and used by the L2TP LAC device.

  17. (Optional) Specify whether or not to use the tunnel peer’s Nas-Port [5] and Nas-Port-Type [61] attributes.

    When enabled, the attribute is supplied by the tunnel peer. When disabled, the attribute is not supplied. Use the no version of the command to restore the default, enable.

    host1(config)#aaa tunnel ignore nas-port enable
    host1(config)#aaa tunnel ignore nas-port-type disable
  18. (Optional) Set up the router to ignore sequence numbers in data packets received on L2TP tunnels.
    host1(config)#l2tp ignore-receive-data-sequencing

    This command does not affect the insertion of sequence numbers in packets sent from the router.

    Best Practice: We recommend that you set up the router to ignore sequence numbers in received data packets if you are using IP reassembly. Because IP reassembly might reorder L2TP packets, out-of-order packets might be dropped when sequence numbers are being used on L2TP data packets.

  19. (Optional) Disable the generation of authentication challenges by the local tunnel, so that the tunnel does not send a challenge during negotiation. However, the tunnel does accept and respond to challenges it receives from the peer.
    host1(config)#l2tp disable challenge
  20. Verify the L2TP tunnel configuration.
    host1(config)# show aaa domain-map
    Domain: westford.com; router-name: default; ipv6-router-name: default
                                                                                Tunnel
    Tunnel   Tunnel         Tunnel        Tunnel   Tunnel    Tunnel    Tunnel   Client
     Tag      Peer          Source         Type    Medium   Password     Id      Name
    ------   ------------   -----------   ------   ------   ---------  ------   ------
    3        192.168.2.13   192.168.3.3   l2tp     ipv4     temporary  acton    host4
             Tunnel                 Tunnel                     Tunnel
    Tunnel   Server     Tunnel       Max                       Virtual
     Tag      Name    Preference   Sessions     Tunnel RWS     Router
    ------   ------   ----------   --------   --------------   -------
    3        boston   5            0          system chooses   vr2
    
    host1#show aaa tunnel-parameters
    Tunnel password is 3&92k%b#q4
    Tunnel client-name is <NULL>
    Tunnel nas-port-method is none
    Tunnel nas-port ignore disabled
    Tunnel nas-port-type ignore disabled
    Tunnel assignmentId format is assignmentId
    Tunnel calling number format is descriptive 
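
The following audit script is an added example, not Juniper code. It parses commands in the form used in the steps above and reports, per tunnel, a missing `password` (step 7) or `server-name` (step 9), and globally whether `l2tp disable challenge` (step 19) is set. The sample configuration, tunnel 4, the `EXAMPLE-DEFAULT` value, and the function names are constructed for illustration.

```python
import re

# Constructed sample; tunnel 4 and the default password value are invented for contrast.
SAMPLE_CONFIG = """\
aaa domain-map westford.com
 tunnel 3
  address 192.0.2.13
  password temporary
  server-name boston
 tunnel 4
  address 192.0.2.14
aaa tunnel password EXAMPLE-DEFAULT
l2tp disable challenge
"""
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips a pasted CLI prompt

def parse(text):
    """Return ({(domain, tag): {keyword: value}}, [global command lines])."""
    tunnels, global_cmds, domain, current = {}, [], None, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["aaa", "domain-map"] and len(words) == 3:
            domain, current = words[2], None
        elif words[0] in ("aaa", "l2tp"):  # other Global Configuration commands
            global_cmds.append(" ".join(words))
            domain = current = None
        elif domain and words[0] == "tunnel" and len(words) == 2:
            current = tunnels.setdefault((domain, words[1]), {})
        elif current is not None and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])
    return tunnels, global_cmds

def audit(text):
    """List (scope, finding) pairs for the peer-authentication settings."""
    tunnels, global_cmds = parse(text)
    has_default = any(c.startswith("aaa tunnel password ") for c in global_cmds)
    findings = []
    for (domain, tag), opts in sorted(tunnels.items()):
        scope = f"{domain} tunnel {tag}"
        if "password" not in opts:
            findings.append((scope, "uses default tunnel password" if has_default
                             else "no tunnel password"))
        if "server-name" not in opts:
            findings.append((scope, "no server-name"))
    if "l2tp disable challenge" in global_cmds:
        findings.append(("global", "challenge generation disabled"))
    return findings
```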
 

 

Published: 2012-06-27

 