Voluntary tunnel mode can be implemented in one of two basic configurations:
Figure 8-2 illustrates L2TP with PPP user authentication (without IPsec protection).
Figure 8-2. L2TP with PPP User Authentication (Without IPsec Protection)
In Figure 8-2, remote access user john@mjlnet.com connects to a VPN gateway (LNS) over an L2TP tunnel without IPsec protection. Security consists of only PPP authentication of the user himself (there is no authentication of the machine the user uses to connect to the VPN gateway).
Figure 8-3 shows L2TP over IPsec (L2TP/IPsec) with PPP user authentication.
Figure 8-3. L2TP over IPsec with PPP User Authentication
When remote access user john@mjlnet.com connects to the VPN gateway (LNS) over an IPsec-protected L2TP tunnel (L2TP/IPsec), the machine that the user is using is authenticated using preshared keys or digital signatures (digital certificates) during IKE (phase 1) negotiation, and user john@mjlnet.com himself is authenticated during PPP negotiation (PPP authentication).
Even when using L2TP/IPsec, it is important to ensure that users themselves are authenticated in addition to the machine that they are using. This is because if the user is not authenticated, someone who steals a VPN user's machine could easily establish connectivity to a VPN gateway.
L2TPv2 Message Formats and Message Types
To understand L2TP tunnel setup, it is important to understand the L2TP message format and message types. Figure 8-4 shows the L2TPv2 message header format.
Figure 8-4. L2TPv2 Message Header Format
The fields in the L2TPv2 message header have the following functions:
Note that in voluntary tunnel mode there is one data session (PPP connection) per tunnel; in compulsory tunnel mode, however, there are usually many data sessions per L2TPv2 tunnel.
Figure 8-5 shows the overall format of L2TPv2 messages.
Figure 8-5. Overall Format of L2TPv2 Messages
As shown in Figure 8-5, the overall L2TPv2 message format consists of an IP header, followed by a UDP header (with its destination port set to be 1701), followed by the L2TPv2 message header (shown in Figure 8-4) and a payload. If this is a data message (T bit=0), the payload contains a PPP frame. If this is a control message (T bit=1), the payload contains a number of AVPs, which indicate the specific type of control message, as well as carrying other information relevant to the control message.
Note that one type of L2TPv2 message, called a Zero-Length-Body Ack (ZLB Ack), does not include a payload.
Now that you know how L2TPv2 messages are constructed, it is time to take a look at specific L2TPv2 control message types as described in Table 8-1.
Message Type Value |
Message |
Description |
---|---|---|
1 |
Start-Control-Connection-Request (SCCRQ) |
Initiates control connection establishment |
2 |
Start-Control-Connection-Reply (SCCRP) |
Control connection establishment |
3 |
Start-Control-Connection-Connected (SCCCN) |
Completes control connection establishment |
4 |
Stop-Control-Connection-Notification (StopCCN) |
Control connection teardown |
5 |
(Reserved) |
(Reserved) |
6 |
Hello (HELLO) |
Control connection keepalive |
7 |
Outgoing-Call-Request (OCRQ) |
Initiates data session establishment (outgoing call) |
8 |
Outgoing-Call-Reply (OCRP) |
Data session establishment (outgoing call) |
9 |
Outgoing-Call-Connected (OCCN) |
Completes data session (outgoing call) |
10 |
Incoming-Call-Request (ICRQ) |
Initiates data session establishment (incoming call) |
11 |
Incoming-Call-Reply (ICRP) |
Data session establishment (incoming call) |
12 |
Incoming-Call-Connected (ICCN) |
Completes data session (incoming call) |
13 |
(Reserved) |
(Reserved) |
14 |
Call-Disconnect-Notify (CDN) |
Data session teardown |
15 |
WAN-Error-Notify (WEN) |
Error reporting |
16 |
Set-Link-Info |
PPP session control |
L2TP/IPsec Remote Access VPN Setup (Voluntary/Client-Initiated Tunnel Mode)
Figure 8-6 shows how L2TP/IPsec remote access VPNs are set up.
Figure 8-6. L2TP/IPsec Remote Access VPN Setup
In Figure 8-6, you can see that the first stage in the setup of an L2TP/IPsec remote access VPN is the negotiation of IKE between the remote access client and the VPN gateway (Steps 1 and 2). Internet Key Exchange (IKE) is used to negotiate cryptographic parameters and algorithms, exchange keying material, and authenticate IPsec peers. For more information on IKE, see Chapter 6, "Deploying Site-to-Site IPsec VPNs."
Note
Obviously, if IPsec is not configured to protect the L2TP tunnel, IKE negotiation (Steps 1 and 2 in Figure 8-6) does not take place.
Note that Windows L2TP/IPsec clients initiate IKEv1 main mode (rather than aggressive mode) phase 1 negotiation, followed by phase 2 quick mode negotiation.
After IKE negotiation has completed successfully, L2TP tunnel setup begins (Step 3). This consists of the exchange of SCCRQ, SCCRP, and SCCCN messages (see Table 8-1).
Following L2TP tunnel setup is L2TP session setup (Step 4). This comprises the exchange of ICRQ, ICRP, and ICCN messages.
Finally, PPP negotiation takes place (Steps 5, 6, and 7). PPP negotiation begins with Link Control Protocol (LCP) negotiation, followed by PPP authentication, and then Network Control Protocol (NCP) negotiation.
LCP is used to negotiate link parameters such as Maximum Receive Unit (MRU), compression, and authentication protocol. PPP authentication is used to authenticate the remote access user (rather than the machine, which is authenticated during IKE negotiation).
During NCP negotiation, network protocols, and any parameters associated with network protocols can be negotiated. The most commonly negotiated NCP is the IP Control Protocol (IPCP), which facilitates the negotiation of IP transport over PPP as well as associated parameters such as IP addresses, IP compression, and DNS/WINS server addresses.
Okay, so that's the theory. Now it is time to take a look at L2TP/IPsec remote access VPN setup in practiceas demonstrated in Examples 8-1 to 8-3 from a VPN gateway's perspective. Note that only the relevant portion of the command output is shown.
Example 8-1. L2TP/IPsec Remote Access VPN Setup: IKE Negotiation (Steps 1 and 2 in Figure 8-6)
mjlnet.VPN.Gateway.03#debug crypto isakmp Crypto ISAKMP debugging is on mjlnet.VPN.Gateway.03#debug vpdn l2x-events L2X protocol events debugging is on mjlnet.VPN.Gateway.03#debug ppp negotiation PPP protocol negotiation debugging is on mjlnet.VPN.Gateway.03# *Jun 5 19:49:06.291: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (N) NEW SA *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1 (line 1) *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): processing vendor id payload *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 228 mismatch *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): processing vendor id payload *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): processing vendor id payload *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2 *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): processing vendor id payload *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 184 mismatch *Jun 5 19:49:06.291: ISAKMP: Looking for a matching key for 192.168.1.1 in default : success *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.1.1 *Jun 5 19:49:06.291: ISAKMP:(0:0:N/A:0): local preshared key found *Jun 5 19:49:06.295: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy *Jun 5 19:49:06.295: ISAKMP: encryption DES-CBC *Jun 5 19:49:06.295: ISAKMP: hash SHA *Jun 5 19:49:06.295: ISAKMP: default group 1 *Jun 5 19:49:06.295: ISAKMP: auth pre-share *Jun 5 19:49:06.295: ISAKMP: life type in seconds *Jun 5 19:49:06.295: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Jun 5 19:49:06.295: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3 *Jun 5 19:49:06.323: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP *Jun 5 19:49:06.323: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Jun 5 19:49:06.323: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2 (line 2) *Jun 5 19:49:06.371: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP *Jun 5 19:49:06.371: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Jun 5 19:49:06.371: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3 (line 3) *Jun 5 19:49:06.371: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0 *Jun 5 19:49:06.403: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0 *Jun 5 19:49:06.403: ISAKMP: Looking for a matching key for 192.168.1.1 in default : success *Jun 5 19:49:06.403: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 192.168.1.1 *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1):SKEYID state generated *Jun 5 19:49:06.407: ISAKMP:received payload type 17 *Jun 5 19:49:06.407: ISAKMP:received payload type 17 *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3 *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Jun 5 19:49:06.407: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4 (line 4) *Jun 5 19:49:06.423: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5 (line 5) *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0 *Jun 5 19:49:06.423: ISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 192.168.1.1 protocol : 0 port : 0 length : 12 *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0 *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):SA authentication status: authenticated *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):SA has been authenticated with 192.168.1.1 *Jun 5 19:49:06.423: ISAKMP: Trying to insert a peer 10.40.10.1/192.168.1.1/500/, and inserted successfully. *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5 *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR *Jun 5 19:49:06.423: ISAKMP (0:134217729): ID payload next-payload : 8 type : 1 address : 10.40.10.1 protocol : 17 port : 500 length : 12 *Jun 5 19:49:06.423: ISAKMP:(0:1:SW:1):Total payload length: 12 *Jun 5 19:49:06.427: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Jun 5 19:49:06.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Jun 5 19:49:06.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE (line 6) *Jun 5 19:49:06.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Jun 5 19:49:06.427: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE (line 7) *Jun 5 19:49:06.451: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (R) QM_IDLE *Jun 5 19:49:06.451: ISAKMP: set new node -1715998770 to QM_IDLE (line 7) *Jun 5 19:49:06.451: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = - 1715998770 *Jun 5 19:49:06.451: ISAKMP:(0:1:SW:1): processing SA payload. message ID = - 1715998770 *Jun 5 19:49:06.451: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1 *Jun 5 19:49:06.451: ISAKMP: transform 1, ESP_3DES *Jun 5 19:49:06.451: ISAKMP: attributes in transform: *Jun 5 19:49:06.451: ISAKMP: SA life type in seconds *Jun 5 19:49:06.451: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 *Jun 5 19:49:06.451: ISAKMP: SA life type in kilobytes *Jun 5 19:49:06.451: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 *Jun 5 19:49:06.451: ISAKMP: encaps is 2 (Transport) *Jun 5 19:49:06.455: ISAKMP: authenticator is HMAC-MD5 *Jun 5 19:49:06.455: ISAKMP:(0:1:SW:1):atts are acceptable. *Jun 5 19:49:06.707: ISAKMP:(0:1:SW:1): Creating IPSec SAs *Jun 5 19:49:06.707: inbound SA from 192.168.1.1 to 10.40.10.1 (f/i) 0/0 (proxy 192.168.1.1 to 10.40.10.1) *Jun 5 19:49:06.707: has spi 0xCAB64693 and conn_id 2000 and flags 4 *Jun 5 19:49:06.707: lifetime of 3600 seconds *Jun 5 19:49:06.707: lifetime of 250000 kilobytes *Jun 5 19:49:06.707: has client flags 0x0 *Jun 5 19:49:06.707: outbound SA from 10.40.10.1 to 192.168.1.1 (f/i) 0/0 (proxy 10.40.10.1 to 192.168.1.1) *Jun 5 19:49:06.707: has spi -1967707474 and conn_id 2001 and flags C *Jun 5 19:49:06.707: lifetime of 3600 seconds *Jun 5 19:49:06.707: lifetime of 250000 kilobytes *Jun 5 19:49:06.707: has client flags 0x0 *Jun 5 19:49:06.707: ISAKMP:(0:1:SW:1): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) QM_IDLE *Jun 5 19:49:06.707: ISAKMP:(0:1:SW:1):Node -1715998770, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY *Jun 5 19:49:06.707: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 (line 8) *Jun 5 19:49:06.715: ISAKMP (0:134217729): received packet from 192.168.1.1 dport 500 sport 500 Global (R) QM_IDLE *Jun 5 19:49:06.715: ISAKMP:(0:1:SW:1):deleting node -1715998770 error FALSE reason "QM done (await)" *Jun 5 19:49:06.715: ISAKMP:(0:1:SW:1):Node -1715998770, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Jun 5 19:49:06.715: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE (line 9) |
Highlighted lines 1 and 2 indicate that the remote access VPN client and the VPN gateway have exchanged the first two messages in the IKE main mode exchange (states MM1 and MM2). The purpose of these two messages is to agree on an IKE policy (cryptographic parameters and algorithms).
Now that an IKE policy has been negotiated, the remote access VPN client and VPN gateway exchange the third and fourth messages in the IKE main mode exchange (indicated by the MM3 and MM4 states in highlighted lines 3 and 4). These messages are used to exchange keying material.
Highlighted lines 5 and 6 indicate that the fifth and sixth main mode messages have been exchanged (states MM5 and MM6). These messages are used to authenticate the IPsec peers. Note that during the exchange of messages 5 and 6, the remote access VPN client machine (but not the user of the machine) is authenticated by the VPN gateway (and vice versa).
Highlighted line 7 shows that IKE phase 1 is complete. IKE phase 2 (quick mode) is about to begin.
Highlighted lines 8, 9, and 10 indicate that the remote access VPN client and VPN gateway have exchanged three quick mode (IKE phase 2) messages. During this quick mode exchange, the peers negotiate the IPsec policy (cryptographic parameters and algorithms) that will be used to protect L2TP.
L2TPv2 tunnel and session setup (Steps 3 and 4 in Figure 8-6) can begin (see Example 8-2).
Example 8-2. L2TP/IPsec Remote Access VPN Setup: L2TP Tunnel and Session Setup (Steps 3 and 4 in Figure 8-6)
*Jun 5 19:49:06.731: L2TP: I SCCRQ from markxp1 tnl 3 (line 1) *Jun 5 19:49:06.731: Tnl 12726 L2TP: Tunnel Authorization started for host markxp1 *Jun 5 19:49:06.731: Tnl 12726 L2TP: New tunnel created for remote markxp1, address 192.168.1.1 *Jun 5 19:49:06.731: L2X: Requested security for socket, UDP socket info: local 10.40.10.1(1701), remote 192.168.1.1(1701) *Jun 5 19:49:06.731: Tnl 12726 L2TP: O SCCRP to markxp1 tnlid 3 (line 2) *Jun 5 19:49:06.731: Tnl 12726 L2TP: Control channel retransmit delay set to 1 seconds *Jun 5 19:49:06.735: Tnl 12726 L2TP: Tunnel state change from idle to wait-ctl-reply *Jun 5 19:49:06.735: Tnl 12726 L2TP: Socket MTU changed to 1462 *Jun 5 19:49:06.735: Tnl 12726 L2TP: Secure socket up event *Jun 5 19:49:06.743: Tnl 12726 L2TP: I SCCCN from markxp1 tnl 3 (line 3) *Jun 5 19:49:06.743: Tnl 12726 L2TP: Tunnel state change from wait-ctl-reply to established *Jun 5 19:49:06.743: Tnl 12726 L2TP: SM State established *Jun 5 19:49:06.743: Tnl 12726 L2TP: I ICRQ from markxp1 tnl 3 (line 4) *Jun 5 19:49:06.743: Tnl/Sn 12726/3 L2TP: Session state change from idle to wait-connect *Jun 5 19:49:06.743: Tnl/Sn 12726/3 L2TP: Accepted ICRQ, new session created *Jun 5 19:49:06.743: uid:2 Tnl/Sn 12726/3 L2TP: O ICRP to markxp1 3/1 (line 5) *Jun 5 19:49:06.743: Tnl 12726 L2TP: Control channel retransmit delay set to 1 seconds *Jun 5 19:49:06.767: uid:2 Tnl/Sn 12726/3 L2TP: I ICCN from markxp1 tnl 3, cl 1 (line 6) *Jun 5 19:49:06.767: uid:2 Tnl/Sn 12726/3 L2TP: Session state change from wait-connect to wait-for-service-selection-iccn |
Highlighted lines 1 to 3 show the exchange of SCCRQ, SCCRP, and SCCCN messages between the remote access VPN client and the VPN gateway. L2TPv2 control connection establishment has been completed.
By the way, you might notice the machine name (as distinct from the username) of the remote access VPN client in the highlighted lines (markxp1).
ICRQ, ICRP, and ICCN messages are then exchanged in highlighted lines 4 to 6. These messages comprise L2TPv2 session setup.
The L2TPv2 tunnel and session have now both been established, and in Example 8-3, PPP negotiation between the remote access VPN client and the VPN gateway begins (Steps 5 to 7 in Figure 8-6).
Example 8-3. L2TP/IPsec Remote Access VPN Setup: PPP Negotiation (Steps 5 to 7 in Figure 8-6)
*Jun 5 19:49:06.767: ppp2 PPP: Using vpn set call direction *Jun 5 19:49:06.767: ppp2 PPP: Treating connection as a callin *Jun 5 19:49:06.767: ppp2 PPP: Phase is ESTABLISHING, Passive Open (line 1) *Jun 5 19:49:06.767: ppp2 LCP: State is Listen *Jun 5 19:49:06.895: ppp2 LCP: I CONFREQ [Listen] id 0 len 21 *Jun 5 19:49:06.895: ppp2 LCP: MRU 1400 (0x01040578) *Jun 5 19:49:06.895: ppp2 LCP: MagicNumber 0x1B24034B (0x05061B24034B) *Jun 5 19:49:06.895: ppp2 LCP: PFC (0x0702) *Jun 5 19:49:06.895: ppp2 LCP: ACFC (0x0802) *Jun 5 19:49:06.895: ppp2 LCP: Callback 6 (0x0D0306) *Jun 5 19:49:06.919: ppp2 LCP: State is Open *Jun 5 19:49:06.919: ppp2 PPP: Phase is AUTHENTICATING, by this end (line 2) *Jun 5 19:49:06.919: ppp2 CHAP: O CHALLENGE id 1 len 42 from "mjlnet.VPN.Gateway.03" *Jun 5 19:49:06.923: ppp2 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x1B24034B MSRASV5.10 *Jun 5 19:49:06.927: ppp2 LCP: I IDENTIFY [Open] id 5 len 23 magic 0x1B24034B MSRAS- 0-MARKXP1 *Jun 5 19:49:06.927: ppp2 CHAP: I RESPONSE id 1 len 25 from "mark@mjlnet.com" (line 3) *Jun 5 19:49:06.927: ppp2 PPP: Phase is FORWARDING, Attempting Forward *Jun 5 19:49:06.927: ppp2 PPP: Phase is AUTHENTICATING, Unauthenticated User *Jun 5 19:49:06.931: ppp2 PPP: Phase is FORWARDING, Attempting Forward *Jun 5 19:49:06.931: Vi2.1 Tnl/Sn 12726/3 L2TP: Session state change from wait-for-service-selection-iccn to established *Jun 5 19:49:06.931: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User *Jun 5 19:49:06.931: Vi2.1 CHAP: O SUCCESS id 1 len 4 *Jun 5 19:49:06.931: Vi2.1 PPP: Phase is UP (line 4) *Jun 5 19:49:06.931: Vi2.1 IPCP: O CONFREQ [Closed] id 1 len 10 *Jun 5 19:49:06.935: Vi2.1 IPCP: Address 10.40.10.1 (0x03060A0A0A48) *Jun 5 19:49:06.935: Vi2.1 PPP: Process pending ncp packets *Jun 5 19:49:06.959: Vi2.1 CCP: I CONFREQ [Not negotiated] id 6 len 10 *Jun 5 19:49:06.959: Vi2.1 CCP: MS-PPC supported bits 0x01000001 (0x120601000001) *Jun 5 19:49:06.959: Vi2.1 LCP: O PROTREJ [Open] id 2 len 16 protocol CCP (0x80FD0106000A120601000001) *Jun 5 19:49:06.959: Vi2.1 IPCP: I CONFREQ [REQsent] id 7 len 34 *Jun 5 19:49:06.959: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000) *Jun 5 19:49:06.959: Vi2.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) *Jun 5 19:49:06.963: Vi2.1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) *Jun 5 19:49:06.963: Vi2.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) *Jun 5 19:49:06.963: Vi2.1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) *Jun 5 19:49:06.963: Vi2.1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0 *Jun 5 19:49:06.963: Vi2.1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0 *Jun 5 19:49:06.963: Vi2.1 IPCP: Pool returned 10.20.10.1 *Jun 5 19:49:06.979: Vi2.1 IPCP: State is Open (line 5) *Jun 5 19:49:06.979: Vi2.1 IPCP: Install route to 10.20.10.1 *Jun 5 19:49:06.979: Vi2.1 IPCP: Add link info for cef entry 10.20.10.1 mjlnet.VPN.Gateway.03# |
Highlighted line 1 shows that the PPP phase is ESTABLISHINGLCP negotiation is about to begin. Then, in highlighted line 2, the LCP negotiation is complete, and the PPP phase changes to AUTHENTICATING. PPP authentication is next.
If you take a look at the remote access VPN client's CHAP response in highlighted line 3, you can see the remote access VPN client's username (rather than machine name) is mark@mjlnet.com.
The PPP phase changes to UP in highlighted line 4. This indicates that user authentication has completed successfully, and NCP is ready to start.
Highlighted line 5 shows that the IPCP state has changed to OPENIPCP negotiation has completed successfully, and IP communication can begin between the remote access VPN client and the VPN gateway.
You might be interesting to note the type of remote access VPN client involved in the VPN setup shown in Examples 8-1 to 8-3. There is a hint to its type between highlighted lines 2 and 3 in Example 8-3there is an LCP Identification (IDENTIFY) message, which shows MSRASV5.10. This is a fairly hefty hint, and in fact, the remote access VPN client is a Windows XP workstation.
Part I: Understanding VPN Technology
What Is a Virtual Private Network?
Part II: Site-to-Site VPNs
Designing and Deploying L2TPv3-Based Layer 2 VPNs
Designing and Implementing AToM-Based Layer 2 VPNs
Designing MPLS Layer 3 Site-to-Site VPNs
Advanced MPLS Layer 3 VPN Deployment Considerations
Deploying Site-to-Site IPsec VPNs
Scaling and Optimizing IPsec VPNs
Part III: Remote Access VPNs
Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs
Designing and Deploying IPsec Remote Access and Teleworker VPNs
Designing and Building SSL Remote Access VPNs (WebVPN)
Part IV: Appendixes
Designing and Building SSL Remote Access VPNs (WebVPN)
Appendix B. Answers to Review Questions