Configuring L2TP

Understanding L2TP

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. You can use L2TP to enable Point-to-Point Protocol (PPP) tunneling within your network.

For information about how to configure L2TP service, see the Junos OS Services Interfaces Library for Routing Devices and the Junos OS Network Interfaces Library for Routing Devices.

Minimum L2TP Configuration

To define the minimum configuration for L2TP, include at least the following statements at the [edit access] hierarchy level:

Note:

When the L2TP network server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address received in the Internet Protocol Control Protocol (IPCP) configuration request packet.

Referencing the Group Profile from the L2TP Profile

You can reference a configured group profile from the L2TP tunnel profile.

To reference the group profile configured at the [edit access group-profile profile-name] hierarchy level, include the group-profile statement at the [edit access profile profile-name client client-name] hierarchy level:

profile-name references a configured group profile from a PPP user profile.

Configuring the L2TP Client

To configure the client, include the client statement at the [edit access profile profile-name] hierarchy level:

client-name is the peer identity.

For L2TP, you can optionally use the wildcard (*) to define a default tunnel client to authenticate multiple LACs with the same secret and L2TP attributes. If an LAC with a specific name is not defined in the configuration, the wildcard tunnel client authenticates it.

Note:

The * for the default client configuration applies only to M Series routers. On MX Series routers, use default instead. See Configuring an L2TP Access Profile on the LNS for more about MX Series routers.

Example: Defining the Default Tunnel Client

Requirements

Overview

Configuration

CLI Quick Configuration

For any tunnel client, you can optionally use the user group profile to define default PPP attributes for all users coming in through a tunnel. The user group profile must define PPP attributes. If the user group profile is specified, all users (PPP sessions) use the PPP attributes specified in the user group profile. The PPP attributes specified in the local or RADIUS server take precedence over those specified in the user group profile.

Optionally, you can use a wildcard client to define a user group profile. When you do this, any client entering this tunnel uses the PPP attributes (defined user group profile attributes) as its default PPP attributes.

Example: PPP MP for L2TP

Requirements

Overview

Configuration

CLI Quick Configuration

How to Configure L2TP Authentication

When you configure PPP properties for an L2TP profile, you typically configure the chap-secret statement or pap-password statement.

Configuring the CHAP Secret for an L2TP Profile

CHAP allows each end of a PPP link to authenticate its peer, as defined in RFC 1994. The authenticator sends its peer a randomly generated challenge; the peer runs that challenge, together with the shared secret, through a one-way hash and responds with the hash value. The secret is known only to the authenticator and the peer being authenticated. When the response is received, the authenticator compares its own calculated result with the peer's response. If they match, the peer is authenticated.

Each end of the link identifies itself to its peer by including its name in the CHAP challenge and response packets it sends to the peer. This name defaults to the local hostname, or you can explicitly set it using the local-name option. When a host receives a CHAP challenge or CHAP response packet on a particular interface, it uses the peer identity to look up the CHAP secret key to use.

To configure CHAP, include the profile statement and specify a profile name at the [edit access] hierarchy level:

Then reference the CHAP profile name at the [edit interfaces interface-name ppp-options chap] hierarchy level.

You can configure multiple profiles. You can also configure multiple clients for each profile.

profile is the mapping between peer identifiers and CHAP secret keys. The identity of the peer contained in the CHAP challenge or response queries the profile for the secret key to use.

client is the peer identity.

chap-secret secret is the secret key associated with that peer.
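The following is an added illustration, not Junos code: it models the profile described above as a map from peer identity to CHAP secret (including the wildcard "*" default client from the earlier section) and carries out the RFC 1994 challenge/response computation on both sides. The profile entries, peer names and secrets are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed access profile, modelled on the page's
# [edit access profile profile-name client client-name chap-secret] mapping.
# The "*" entry plays the role of the wildcard default tunnel client.
PROFILE = {
    "lac-east": b"east-secret",
    "lac-west": b"west-secret",
    "*": b"default-lac-secret",
}


def lookup_chap_secret(profile, peer_name):
    """Return the CHAP secret for the peer named in the challenge/response.

    A client with a specific name wins; otherwise the wildcard client (if
    configured) supplies the secret; otherwise there is no match at all.
    """
    if peer_name in profile:
        return profile[peer_name]
    return profile.get("*")


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap_response(profile, peer_name, identifier, challenge, response):
    """Authenticator side: recompute the hash from the stored secret for the
    identity the peer claimed, then compare in constant time."""
    secret = lookup_chap_secret(profile, peer_name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge(length=16):
    """Authenticator side: a fresh random challenge value per exchange."""
    return os.urandom(length)


if __name__ == "__main__":
    challenge = new_challenge()
    # Peer "lac-west" answers with its own secret; an unknown peer name
    # would be checked against the "*" default client's secret instead.
    resp = chap_response(1, PROFILE["lac-west"], challenge)
    print(verify_chap_response(PROFILE, "lac-west", 1, challenge, resp))
```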

Example: Configuring L2TP PPP CHAP

Requirements

Overview

Configuration

CLI Quick Configuration

Configuring the PAP Password for an L2TP Profile

To configure the Password Authentication Protocol (PAP) password, include the pap-password statement at the [edit access profile profile-name client client-name] hierarchy level:

pap-password is the password for PAP.

Example: Configuring PAP for an L2TP Profile

Requirements

Overview

Configuration

CLI Quick Configuration

Configuring L2TP for M7i and M10i Routers

For M7i and M10i routers, you can configure Layer 2 Tunneling Protocol (L2TP) tunneling security services on an Adaptive Services Physical Interface Card (PIC) or a MultiServices PIC.

To configure L2TP, include the following statements at the [edit access] hierarchy level:

Example: Configuring L2TP

Requirements

Overview

Configuration

CLI Quick Configuration