The information contained in this document is subject to change. This document contains proprietary information, which is protected by copyright
laws. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language or program language
without prior written consent of RFI Engineering B.V.
1 Introduction
This document describes how to set up a L2TP (VPN) connection between a G-router/C-router
and a Cisco LNS.
1.1 Purpose
Devices, such as the G-router and the C-router, that communicate via a mobile network, such as
GSM or CDMA, are able to set up a packet oriented data connection to the Internet using GPRS
or CDMA1x. As internet connectivity is becoming more popular in mobile networks, some mobile
network operators (MNOs) prefer to minimize the number of IP addresses by utilizing NAT
(Network Address Translation), a technology that will allow many users to 'share' one single
Internet IP address for outbound traffic. These users each have a different “private” IP address,
but share the same “public” IP address.
From the Internet, traffic can only be routed to the public IP address; the NAT device does not
forward unsolicited inbound traffic to a selected private address, which makes it infeasible to reach,
e.g., the serial port of a C-router or G-router.
When the G-router or C-router is deployed on many sites by a Telco to monitor CPE
configurations, the problem can be overcome by installing a Telco-specific APN in the Mobile
Network, whereby each router is identified and accessible. When smaller numbers are deployed,
e.g. the Telco wants to run a pilot test over a smaller number of sites, setting up its own APN
might not be attractive.
An alternative for establishing two-way communication is to establish a VPN tunnel between
each router and the Telco’s VPN server, as VPN servers are much more commonplace and far
more economical than any APN. For this purpose, L2TP (Layer 2 Tunneling Protocol) VPN client
support was added to the feature set of the G-router and C-router. Network service providers
can access the C-router or G-router directly, using their own L2TP VPN server. The C-router or
G-router will establish (independently and automatically) a VPN connection to the VPN server,
allowing for 2-way communication, overcoming any restriction through the possible use of NAT
by the MNO.
For security purposes, tunnel authentication is provided through a shared secret, and session
authentication through username/password authentication using the PAP and MS-CHAP
protocols.
1.2 Prerequisites
• C-router or G-router firmware version 1.2.0 or later
• A Cisco router supporting L2TP and VPDN tunnel termination.
• This document assumes that the reader is familiar with Cisco IOS router configuration.
The network configuration in this document was tested using a G-router running software
version 1.2.0 and a Cisco 2651XM running Cisco IOS Release 12.3.
1.3 Terminology
The C-router and G-router are able to establish an L2TP VPN connection to a central VPN
router. The L2TP VPN tunnel terminator is called the LNS (L2TP Network Server). Conversely,
the client end of the tunnel is called the LAC (L2TP Access Client). A connection can be
initiated by either end of the tunnel; the direction of a connection refers to its initiating end and
is given from the point of view of the LNS. On top of the L2TP tunnel, a PPP session is
established. It is this PPP session that carries the IP traffic.
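The two authentication layers described in section 1.1 and the LNS-side terminology above can be illustrated with a minimal Cisco IOS LNS configuration. This is an added example, not a configuration taken from this document or from RFI Engineering; the hostnames, pool range, interface name and secrets are placeholders.

```cisco
! Added illustrative LNS configuration (not the document's own); all names, addresses and secrets are placeholders.
vpdn enable
!
! The LNS accepts tunnels initiated by the LAC (the G-router/C-router): "dial-in" from the LNS point of view.
vpdn-group LNS-GROUP
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Tunnel authentication: the LAC must present this L2TP hostname and prove knowledge of the shared secret.
 terminate-from hostname G-ROUTER-HOSTNAME
 local name LNS-HOSTNAME
 l2tp tunnel password 0 TUNNEL-SHARED-SECRET
!
! The PPP session runs on top of the tunnel and carries the IP traffic.
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool L2TP-POOL
 ! Session authentication: MS-CHAP is offered first; PAP is the fallback and sends the password in clear text.
 ppp authentication ms-chap pap
!
ip local pool L2TP-POOL 192.0.2.10 192.0.2.20
!
! PPP (session) credentials of the router; keep these distinct from the tunnel shared secret.
username G-ROUTER-USER password 0 SESSION-PASSWORD
```

Keeping the tunnel secret and the per-router PPP credentials separate means a leaked session password does not by itself allow a foreign LAC to bring up a tunnel.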