Saturday, February 22, 2014

Document: Configuring Virtual Private Networks (PDF)

Configuring Virtual Private Networks
VPN Technology Overview
DNC-149
Cisco IOS Dial Services Configuration Guide: Network Services
Figure 14 Protocol Negotiation Events Between Access VPN Devices
[Figure not reproduced. Participants: Client, NAS, Home gateway. Labeled exchanges, in order: LCP Conf-Req / LCP Conf-Ack between client and NAS, CHAP or PAP negotiation, L2F or L2TP tunnel negotiation, L2F or L2TP session negotiation, CHAP or PAP negotiation completed, PPP packets. The numbered events are described in Table 11.]
Table 11 explains the sequence of events shown in Figure 14.
Table 11 Protocol Negotiation Event Descriptions
Event Description
1. The user client and the NAS conduct a standard PPP Link Control Protocol (LCP) negotiation.
2. The NAS begins PPP authentication by sending a Challenge Handshake Authentication Protocol (CHAP) challenge to the client.
3. The client replies with a CHAP response.
4. When the NAS receives the CHAP response, either the phone number the user dialed in from (when using DNIS-based authentication) or the user domain name (when using domain name-based authentication) matches a configuration on either the NAS or its AAA server. This configuration instructs the NAS to create a VPN to forward the PPP session to the tunnel server by using an L2F tunnel. Because this is the first L2F session with the tunnel server, the NAS and the tunnel server exchange L2F_CONF packets, which prepare them to create the tunnel. Then they exchange L2F_OPEN packets, which open the L2F tunnel.
5. Once the L2F tunnel is open, the NAS and tunnel server exchange L2F session packets. The NAS sends an L2F_OPEN (Mid) packet to the tunnel server that includes the client information from the LCP negotiation, the CHAP challenge, and the CHAP response. The tunnel server forces this information on to a virtual access interface it has created for the client and responds to the NAS with an L2F_OPEN (Mid) packet.
6. The tunnel server authenticates the CHAP challenge and response (using either local or remote AAA) and sends a CHAP Auth-OK packet to the client. This completes the three-way CHAP authentication.
7. When the client receives the CHAP Auth-OK packet, it can send PPP encapsulated packets to the tunnel server.
8. The client and the tunnel server can now exchange I/O PPP encapsulated packets. The NAS acts as a transparent PPP frame forwarder.
9. Subsequent PPP incoming sessions (designated for the same tunnel server) do not repeat the L2F tunnel negotiation because the L2F tunnel is already open.
L2F Tunnel Authentication Process
When the NAS receives a call from a client that is to be tunneled to a tunnel server, it first sends a challenge to the tunnel server. The tunnel server then sends a combined challenge and response to the NAS. Finally, the NAS responds to the tunnel server challenge, and the two devices open the L2F tunnel.
Before the NAS and tunnel server can authenticate the tunnel, they must have a common “tunnel secret.” A tunnel secret is a shared secret that is configured on both the NAS and the tunnel server. For more information on tunnel secrets, see the “Configuring VPN Tunnel Authentication” section later in this chapter. By combining the tunnel secret with random challenge values through a one-way hash (MD5), so that the secret itself is never sent across the link, the NAS and tunnel server authenticate each other and establish the L2F tunnel.
Figure 15 shows the tunnel authentication process.
Figure 15 L2F Tunnel Authentication Process
[Figure not reproduced. Participants: NAS (named ISP_NAS) and home gateway (named ENT_HGW). Labeled exchanges, in order: NAS sends L2F_CONF name = ISP_NAS, challenge = A; home gateway sends L2F_CONF name = ENT_HGW, challenge = B, key = A' = MD5 {A + ISP_NAS secret}; NAS sends L2F_OPEN key = B' = MD5 {B + ENT_HGW secret}; home gateway sends L2F_OPEN key = A'. Thereafter all messages from the NAS have key = B' and all messages from the home gateway have key = A'.]
Table 12 explains the sequence of events shown in Figure 15.
Once the tunnel server authenticates the client, the access VPN is established. The L2F tunnel creates a virtual point-to-point connection between the client and the tunnel server. The NAS acts as a transparent packet forwarder.
When subsequent clients dial in to the NAS to be forwarded to the tunnel server, the NAS and tunnel server need not repeat the L2F tunnel negotiation because the L2F tunnel is already open.
L2TP Dial-In
L2TP is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco Layer 2 Forwarding (L2F) and Microsoft Point-to-Point Tunneling Protocol (PPTP).
L2TP offers the same full spectrum of features as L2F, but offers additional functionality. An L2TP-capable tunnel server will work with an existing L2F network access server and will concurrently support upgraded components running L2TP. Tunnel servers do not require reconfiguration each time an individual NAS is upgraded from L2F to L2TP. Table 13 offers a comparison of L2F and L2TP feature components.
Table 12 L2F Tunnel Authentication Event Descriptions
Event Description
1. Before the NAS and tunnel server open an L2F tunnel, both devices must have a common tunnel secret in their configurations.
2. The NAS sends an L2F_CONF packet that contains the NAS name and a random challenge value, A.
3. After the tunnel server receives the L2F_CONF packet, it sends an L2F_CONF packet back to the NAS with the tunnel server name and a random challenge value, B. This message also includes a key containing A' (the MD5 of the NAS secret and the value A).
4. When the NAS receives the L2F_CONF packet, it compares the key A' with the MD5 of the NAS secret and the value A. If the key and value match, the NAS sends an L2F_OPEN packet to the tunnel server with a key containing B' (the MD5 of the tunnel server secret and the value B).
5. When the tunnel server receives the L2F_OPEN packet, it compares the key B' with the MD5 of the tunnel server secret and the value B. If the key and value match, the tunnel server sends an L2F_OPEN packet to the NAS with the key A'.
6. All subsequent messages from the NAS include key = B'; all subsequent messages from the tunnel server include key = A'.
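The exchange in Table 12, as an added example that is not Cisco's code: each endpoint stores a tunnel secret per peer name, the keys A' and B' are computed as in Figure 15, and a device whose copy of a secret differs fails the comparison and never opens the tunnel. The peer names ISP_NAS and ENT_HGW come from Figure 15; the secret values are constructed.

```python
import hashlib
import hmac
import os

# Added example, not Cisco's code: the L2F tunnel authentication exchange of
# Table 12 between ISP_NAS and ENT_HGW (the peer names in Figure 15). Each
# device stores a tunnel secret per peer name, and both names must be present
# on both devices. MD5 is what L2F specifies, so it is used here as-is.


def l2f_key(challenge: bytes, secret: bytes) -> bytes:
    """Key field as Figure 15 defines it: MD5 over the challenge value followed by the secret."""
    return hashlib.md5(challenge + secret).digest()


class L2fEndpoint:
    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets  # peer name -> tunnel secret configured on this device

    def key_for(self, name: str, challenge: bytes) -> bytes:
        if name not in self.secrets:
            raise KeyError(f"{self.name}: no tunnel secret configured for {name}")
        return l2f_key(challenge, self.secrets[name])


def l2f_tunnel_handshake(nas, hgw, a=None, b=None):
    """Runs events 2 to 6 of Table 12; returns the per-direction keys or the reason for refusal."""
    a = a or os.urandom(16)
    b = b or os.urandom(16)
    try:
        # Event 2: NAS -> HGW  L2F_CONF(name=ISP_NAS, challenge=A)
        conf1 = {"type": "L2F_CONF", "name": nas.name, "challenge": a}
        # Event 3: HGW -> NAS  L2F_CONF(name=ENT_HGW, challenge=B, key=A'), A' = MD5(A + NAS secret)
        conf2 = {"type": "L2F_CONF", "name": hgw.name, "challenge": b,
                 "key": hgw.key_for(conf1["name"], conf1["challenge"])}
        # Event 4: NAS recomputes A' from its own copy of the secret; a mismatch ends the exchange
        if not hmac.compare_digest(conf2["key"], nas.key_for(nas.name, a)):
            return {"open": False, "reason": "NAS rejected A'"}
        # NAS -> HGW  L2F_OPEN(key=B'), B' = MD5(B + tunnel server secret)
        open1 = {"type": "L2F_OPEN", "key": nas.key_for(conf2["name"], conf2["challenge"])}
        # Event 5: HGW checks B' the same way, then confirms with A'
        if not hmac.compare_digest(open1["key"], hgw.key_for(hgw.name, b)):
            return {"open": False, "reason": "tunnel server rejected B'"}
        open2 = {"type": "L2F_OPEN", "key": conf2["key"]}
    except KeyError as err:  # a peer name with no configured secret
        return {"open": False, "reason": str(err)}
    # Event 6: every later NAS message carries B', every later HGW message carries A'
    return {"open": True, "nas_key": open1["key"], "hgw_key": open2["key"]}


def message_accepted(expected_key: bytes, msg: dict) -> bool:
    """Per-message check each side applies once the tunnel is open (event 6)."""
    return hmac.compare_digest(expected_key, msg.get("key", b""))
```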
Table 13 L2F and L2TP Feature Comparison
Function L2F L2TP
Flow Control No Yes
AVP hiding No Yes
Tunnel server load sharing Yes Yes
Tunnel server stacking/multihop support Yes Yes
Tunnel server primary and secondary backup Yes Yes
DNS name support Yes Yes
Domain name flexibility Yes Yes
Idle and absolute timeout Yes Yes
Multilink PPP support Yes Yes
Multichassis Multilink PPP support Yes Yes
Security (L2F): all security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP); tunnel authentication mandatory
Security (L2TP): all security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP); tunnel authentication optional
Traditional dialup networking services only support registered IP addresses, which limits the types of applications that are implemented over VPNs. L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adapters (TAs), to be used. It also allows customers to outsource dial-out support, thus reducing overhead for hardware maintenance costs and 800 number fees, and allows them to concentrate corporate gateway resources. Figure 16 shows the L2TP architecture in a typical dialup environment.
Figure 16 L2TP Architecture
[Figure not reproduced. A dial client (PPP peer) connects over the PSTN or ISDN to the LAC at the ISP or public network; an L2TP tunnel runs from the LAC across the ISP or public network to the LNS at the corporate network. The LAC and the LNS each consult their own AAA server (RADIUS/TACACS+).]
The following sections supply additional detail about the interworkings and Cisco implementation of L2TP. Using L2TP tunneling, an Internet service provider (ISP), or other access service, can create a virtual tunnel to link customer’s remote sites or remote users with corporate home networks. The NAS located at the ISP’s POP exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the customer tunnel server to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from remote users are accepted by the ISP’s POP, stripped of any linked framing or transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The customer's tunnel server accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface. Figure 17 shows the L2TP tunnel detail and how user “lsmith” connects to the tunnel server to access the designated corporate intranet.
Figure 17 L2TP Tunnel Structure
[Figure not reproduced. Client lsmith dials across the PSTN cloud into the LAC at the ISP; the L2TP tunnel crosses the Internet cloud to the LNS at the corporate network. The legend distinguishes the L2TP, PPP, and IP layers.]
Incoming Call Sequence
A VPN connection between a remote user, a NAS at the ISP POP, and the tunnel server at the home LAN using an L2TP tunnel is accomplished as follows:
Event Description
1. The remote user initiates a PPP connection to the ISP, using the analog telephone system or ISDN.
2. The ISP network NAS accepts the connection at the POP, and the PPP link is established.
3. After the end user and NAS negotiate LCP, the NAS partially authenticates the end user with CHAP or PAP. The username, domain name, or DNIS is used to determine whether the user is a VPN client. If the user is not a VPN client, authentication continues, and the client will access the Internet or other contacted service. If the username is a VPN client, the mapping will name a specific endpoint (the tunnel server).
4. The tunnel end points, the NAS and the tunnel server, authenticate each other before any sessions are attempted within a tunnel. Alternatively, the tunnel server can accept tunnel creation without any tunnel authentication of the NAS.
5. Once the tunnel exists, an L2TP session is created for the end user.
6. The NAS will propagate the LCP negotiated options and the partially authenticated CHAP/PAP information to the tunnel server. The tunnel server will funnel the negotiated options and authentication information directly to the virtual access interface. If the options configured on the virtual template interface do not match the negotiated options with the NAS, the connection will fail, and a disconnect will be sent to the NAS.
The result is that the exchange process appears to be between the dialup client and the remote tunnel server exclusively, as if no intermediary device (the NAS) is involved. Figure 18 offers a pictorial account of the L2TP incoming call sequence with its own corresponding sequence numbers. Note that the sequence numbers in Figure 18 are not related to the sequence numbers described in the previous table.
Figure 18 L2TP Incoming Call Flow
[Figure not reproduced. Participants: dial client, LAC, LAC RADIUS server, LNS, LNS RADIUS server; the client reaches the LAC over PSTN/ISDN and the LAC reaches the LNS over the WAN. Labeled events: (1) call setup; (2) PPP LCP setup; (3) user CHAP challenge; (4) user CHAP response; (5) LAC requests tunnel info from its RADIUS server (user = domain, password = cisco); (6) tunnel info returned in AV pairs: local name (LAC), tunnel password, tunnel type, LNS IP address; (7) tunnel setup; (8) tunnel authentication CHAP challenge; (9) LNS CHAP response; (10) pass; (11) CHAP challenge; (12) LAC CHAP response; (13) pass; (14) user CHAP response + response identifier + PPP negotiated parameters forwarded to the LNS; (15) access request from the LNS to its RADIUS server; (16) access response; (17) pass; (18) optional second CHAP challenge; (19) CHAP response; (20) access request; (21) access response; (22) pass.]
VPN Tunnel Authorization Search Order
When a user dials in to an NAS to be tunneled to a tunnel server, the NAS must identify the tunnel server to which the user's call is to be forwarded. You can configure the router to authenticate users and also to select the outgoing tunnel based on the following criteria:
• The user domain name
• The DNIS information in the incoming calls
• Both the domain name and the DNIS information
VPN Tunnel Lookup Based on Domain Name
When an NAS is configured to forward VPN calls based on the user domain name, the user must use a username of the form username@domain. The NAS then compares the user domain name to the domain names it is configured to search for. When the NAS finds a match, it forwards the user call to the proper tunnel server.
VPN Tunnel Lookup Based on DNIS Information
When an NAS is configured to forward VPN calls based on the user DNIS information, the NAS identifies the user DNIS information, which is provided on ISDN lines, and then forwards the call to the proper tunnel server.
The ability to select a tunnel based on DNIS provides additional flexibility to network service providers that offer VPN services and to the corporations that use the services. Instead of having to use only the domain name for tunnel selection, tunnel selection can be based on the dialed number.
With this feature, a corporation—which might have only one domain name—can provide multiple specific phone numbers for users to dial in to the network access server at the service provider POP. The service provider can select the tunnel to the appropriate services or portion of the corporate network based on the dialed number.
VPN Tunnel Lookup Based on Both Domain Name and DNIS Information
When a service provider has multiple AAA servers configured, VPN tunnel authorization searches based on domain name can be time consuming and might cause the client session to time out.
To provide more flexibility, service providers can now configure the NAS to perform tunnel authorization searches by domain name only, by DNIS only, or by both in a specified order.
NAS AAA Tunnel Definition Lookup
AAA tunnel definition lookup allows the NAS to look up tunnel definitions using keywords. Two new Cisco AV pairs are added to support NAS tunnel definition lookup: tunnel-type and l2tp-tunnel-password. These AV pairs are configured on the RADIUS server. Descriptions of the values are as follows:
• tunnel-type—Indicates whether the tunnel type is L2F or L2TP. This is an optional AV pair; if it is not defined, the tunnel type reverts to L2F, the default value. If you want to configure an L2TP tunnel, you must use the L2TP AV pair value. This value is case sensitive.
• l2tp-tunnel-password—This value is the secret (password) used for L2TP tunnel authentication and L2TP AV pair hiding. This is an optional AV pair value; however, if it is not defined, the secret will default to the password associated with the local name in the NAS local username-password database. This AV pair is analogous to the l2tp local secret command. For example:
request dialin l2tp ip 172.21.9.13 domain cisco.com
l2tp local name dustie
l2tp local secret partner
is equivalent to the following RADIUS server configuration:
cisco.com Password = “cisco”
cisco-avpair = “vpdn: tunnel-id=dustie”,
cisco-avpair = “vpdn: tunnel-type=l2tp”,
cisco-avpair = “vpdn: l2tp-tunnel-password=partner”,
cisco-avpair = “vpdn: ip-addresses=172.21.9.13”
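As an added example that is not Cisco's code, the lookup and defaults described above: the NAS searches by domain name, DNIS, or both in a configured order, then applies the tunnel-type and l2tp-tunnel-password defaults to the cisco-avpair strings the RADIUS server returns. The cisco.com entry is the page's own; the DNIS entry, the DNIS value 5551212, the address 172.21.9.14 and the local username database are constructed.

```python
import re

# Added example, not Cisco's code: a NAS-side tunnel authorization lookup that
# walks the configured search order (domain name, DNIS, or both in a set order)
# and then resolves the tunnel definition from RADIUS cisco-avpair strings,
# applying the two defaults the page describes. The DNIS entry, the DNIS value
# 5551212, the address 172.21.9.14 and LOCAL_USERS are constructed sample data.

AVPAIR_RE = re.compile(r"^vpdn:\s*([\w-]+)=(.*)$")


def parse_vpdn_avpairs(avpairs, local_users):
    """Turn 'vpdn:key=value' cisco-avpair strings into a tunnel definition.

    tunnel-type falls back to l2f when absent; l2tp-tunnel-password falls back
    to the password stored under tunnel-id (the local name) in the NAS local
    username-password database.
    """
    attrs = {}
    for raw in avpairs:
        m = AVPAIR_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not a vpdn AV pair: {raw!r}")
        attrs[m.group(1)] = m.group(2)
    if "tunnel-id" not in attrs or "ip-addresses" not in attrs:
        raise ValueError("tunnel definition needs tunnel-id and ip-addresses")
    tunnel_type = attrs.get("tunnel-type", "l2f")  # value is case sensitive, per the page
    if tunnel_type not in ("l2f", "l2tp"):
        raise ValueError(f"unsupported tunnel-type {tunnel_type!r}")
    secret = attrs.get("l2tp-tunnel-password")
    if secret is None:
        secret = local_users.get(attrs["tunnel-id"])
    return {"local_name": attrs["tunnel-id"], "tunnel_type": tunnel_type,
            "secret": secret, "endpoints": attrs["ip-addresses"].split(",")}


def select_tunnel(username, dnis, search_order, radius_db):
    """Return (method, key, avpairs) for the first hit in search_order, else None.

    radius_db maps a lookup key (a domain such as cisco.com, or a DNIS string)
    to the cisco-avpair list the RADIUS server returns for that entry.
    """
    domain = username.rsplit("@", 1)[1] if "@" in username else None
    for method in search_order:
        key = domain if method == "domain" else dnis
        if key and key in radius_db:
            return method, key, radius_db[key]
    return None  # not a VPN client: the NAS finishes authenticating the user locally


# Constructed sample RADIUS database; the cisco.com entry is the page's own example.
RADIUS_DB = {
    "cisco.com": ["vpdn: tunnel-id=dustie", "vpdn: tunnel-type=l2tp",
                  "vpdn: l2tp-tunnel-password=partner", "vpdn: ip-addresses=172.21.9.13"],
    "5551212": ["vpdn: tunnel-id=dustie", "vpdn: ip-addresses=172.21.9.14"],
}
LOCAL_USERS = {"dustie": "local-pw"}  # constructed NAS local username-password database
```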
L2TP Dial-Out
The L2TP dial-out feature enables tunnel servers to tunnel dial-out VPN calls using L2TP as the tunneling protocol. This feature enables a centralized network to efficiently and inexpensively establish a virtual point-to-point connection with any number of remote offices.
Note Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels.
L2TP dial-out involves two devices: a tunnel server and an NAS. When the tunnel server wants to perform L2TP dial-out, it negotiates an L2TP tunnel with the NAS. The NAS then places a PPP call to the client(s) the tunnel server wants to dial out to.
Figure 19 shows a typical L2TP dial-out scenario.
Figure 19 L2TP Dial-Out Process
[Figure not reproduced. Participants: LNS, LAC, PC. Labeled exchanges between the LNS and the LAC: SCCRQ, SCCRP, SCCN (tunnel setup), then OCRQ, OCRP, OCCN (outgoing call), with “VPDN session created” marked on both the LNS and the LAC; “LAC calls PPP client”; then PPP packets between the LNS and the PC. The numbered events are described in Table 14.]
Table 14 explains the sequence of events described in Figure 19.
Table 14 L2TP Dial-Out Event Descriptions
Event Description
1. The tunnel server receives Layer 3 packets, which are to be dialed out, and forwards them to its dialer interface (either a dialer profile or DDR). The dialer issues a dial call request to the VPN group, and the tunnel server creates a virtual access interface. If the dialer is a dialer profile, this interface becomes a member of the dial pool. If the dialer is DDR, the interface becomes a member of the rotary group. The VPN group creates a VPN session for this connection and sets it in the pending state.
2. The tunnel server and NAS establish an L2TP tunnel (unless a tunnel is already open).
3. The tunnel server sends an Outgoing Call ReQuest (OCRQ) packet to the NAS, which checks if it has a dial resource available. If the resource is available, the NAS responds to the tunnel server with an Outgoing Call RePly (OCRP) packet. If the resource is not available, the NAS responds with a Call Disconnect Notification (CDN) packet, and the session is terminated.
4. If the NAS has an available resource, it creates a VPN session and sets it in the pending state.
5. The NAS then initiates a call to the PPP client. When the NAS call connects to the PPP client, the NAS binds the call interface to the appropriate VPN session.
6. The NAS sends an Outgoing Call CoNnected (OCCN) packet to the tunnel server. The tunnel server binds the call to the appropriate VPN session and then brings the virtual access interface up.
7. The dialer on the tunnel server and the PPP client can now exchange PPP packets. The NAS acts as a transparent packet forwarder. If the dialer interface is a DDR and a virtual profile is configured, the PPP endpoint is the tunnel server virtual-access interface, not the dialer. All Layer 3 routes point to this interface instead of the dialer.
Note Large scale dial-out, BAP, and Dialer Watch are not supported. All configuration must be local on the router.
VPN Configuration Modes Overview
Cisco VPN is configured using the VPN group configuration mode. VPN groups can now support the following:
• One or both of the following tunnel server VPN subgroup configuration modes: accept dialin, request dialout
• One or both of the following NAS VPN subgroup configuration modes: request dialin, accept dialout
• One of the four VPN subgroup configuration modes
A VPN group can act as either a tunnel server or an NAS, but not both. But individual routers can have both tunnel server VPN groups and NAS VPN groups.
The VPN group contains the four corresponding command modes listed in Table 15. These command modes are accessed from VPN group mode; therefore, they are generically referred to as VPN subgroups.
The keywords and arguments for the previous accept-dialin and request-dialin commands are now independent accept-dialin mode and request-dialin mode commands.
Table 15 New VPN Group Command Modes
Command Mode Router Prompt Type of Service
accept-dialin router(config-vpdn-acc-in)# tunnel server
request-dialout router(config-vpdn-req-ou)# tunnel server
request-dialin router(config-vpdn-req-in)# NAS
accept-dialout router(config-vpdn-acc-ou)# NAS
