L2TP Tunnels and Credentials

Back up to the L2TP Category
From AAISP Support Site
Revision as of 12:29, 9 May 2016 by AA-Andrew (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Information about Tunnels and Credentials

L2TP establishes a tunnel, and over that tunnel it establishes one or more sessions, each of which uses PPP.

The tunnel requires an endpoint address (e.g. l2tp.aa.net.uk or 90.155.53.19) and a hostname (which is sort of the login name for the tunnel). The tunnel can also include a secret, which we do not use for our L2TP outbound service to customer's L2TP servers.

Once the tunnel is established, a session can be established over the tunnel. The session does not have to have any authentication, but it is normal for the endpoints to negotiate PAP or CHAP using LCP, and so the connecting end will need a username and password to complete the PPP level authentication.

So, in total, you would need:

  1. Tunnel IP
  2. Tunnel Hostname
  3. Tunnel Secret (if used)
  4. Session Username
  5. Session Password

An L2TP session is PPP and can negotiate whatever authentication it likes for the session. In practice this is usually done by a proxy, so in the case of both SIMs and Broadband we will receive proxied negotiation details for the circuit, and will pass on those proxy details to the far end.

The far end should ideally used these details, which also include a calling station ID (circuit ID or ICCID). In the case of broadband the far end could restart LCP and re-run PPP authentication if it wished, end to end with the connecting device. This is not usually possible with a SIM though, so proxied credentials should be accepted.

Note, also, for a SIM, it is possible for the connection to have no authentication, i.e. LCP has negotiated no authentication protocol. This may upset some L2TP endpoints if they are not expecting this. They should authenticate on the ICCID (calling station) in such cases.