
The information contained in this document is subject to change. This document contains proprietary information, which is protected by copyright
laws. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language or program language
without prior written consent of RFI Engineering B.V.
Page: 7 (8)
as the default maximum for an Ethernet packet (which is 1500), and the size of the L2TP/PPP
information that is prepended to every packet sent over the tunnel (16 bytes). It is important
not to change this value.
The second setting specifies an IP address to send to the C-router/G-router as the tunnel IP
address to use at the Cisco end of the tunnel. For this, a Loopback interface is used, which is
specified using the 'interface Loopback 0' command. Note that this IP address affects the setting
available as Configuration → Network Configuration → L2TP VPN → Route all traffic over tunnel.
When enabled, any traffic from the C-router/G-router is sent over the L2TP VPN to the
tunnel terminator. If disabled, the C-router/G-router will only route traffic to the Cisco router
over the L2TP VPN, at the IP address specified on this interface. The tunnel IP address to use at
the C-router/G-router end of the tunnel is specified using the 'peer default ip address pool'
command. The Cisco router will assign an IP address out of the pool to every new tunnel
established. In this case, the pool is called 'lac' and ranges from 10.0.0.2 to 10.0.0.99. The
C-router/G-router will accept automatic assignment from the Cisco router. This is arranged by
setting the Configuration → Network Configuration → L2TP VPN → IP Address setting to
'Automatic'. If set to 'Static', the user is allowed to enter an IP address. The 'peer default ip
address pool' setting is not necessary in this case. It can be disabled by entering:
Router(config)#interface Virtual-Template1
Router(config-if)#no peer default ip address
Router(config-if)#^Z
Router#
The C-router and G-router are both able to perform PPP authentication as part of the tunnel
process. This requires settings to be changed both on the C-router/G-router and on the Cisco IOS
router. At this moment, PAP, MS-CHAPv1 and MS-CHAPv2 are the only authentication options
available. The sample configuration assumes no authentication. In order to perform
authentication, the Cisco router must be configured to perform authentication. It is assumed
RADIUS is used for this purpose. In order to configure a RADIUS server, execute the following
commands on the Cisco router:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#radius-server host 172.16.0.5 auth-port 1812 acct-port 1813 key KEY
Router(config)#aaa group server radius RAS
Router(config-sg-radius)#server 172.16.0.5 auth-port 1812 acct-port 1813
Router(config-sg-radius)#exit
Router(config)#aaa authentication ppp L2TP group RAS
Router(config)#^Z
Router#
These commands configure a RADIUS server at IP address 172.16.0.5, at port 1812 (for
authentication) and port 1813 (for accounting), using KEY as the shared encryption/authentication
key; the server is placed in the server group RAS, which the PPP authentication list L2TP uses.
Next, the Cisco router must be configured for the chosen PPP authentication method. This is
done as follows, for PAP:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication pap L2TP
Router(config-if)#^Z
Router#
For MS-CHAPv1:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication ms-chap L2TP
Router(config-if)#^Z
Router#
For MS-CHAPv2:
Router(config)#interface Virtual-Template1
Router(config-if)#ppp authentication ms-chap-v2 L2TP
Router(config-if)#^Z
Router#
After these changes have been made, configure the C-router or G-router by changing
Configuration → Network Configuration → L2TP VPN → Authentication Method to the chosen
authentication method.
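As an added example, not part of this RFI Engineering note, the following Python script audits a Cisco IOS running-config fragment for the tunnel-terminator settings described above: it checks that Virtual-Template1 actually enforces PPP authentication (the sample configuration assumes none), that the referenced AAA list and address pool exist, and that the RADIUS shared secret is not still a placeholder such as KEY. The sample config is constructed from the commands in this note; the 'aaa new-model' line and the placeholder word list are assumptions of the example.

```python
import re

# Constructed sample running-config assembled from the commands in this note.
# 'aaa new-model' is assumed here; IOS requires it before 'aaa ...' commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RAS
 server 172.16.0.5 auth-port 1812 acct-port 1813
aaa authentication ppp L2TP group RAS
radius-server host 172.16.0.5 auth-port 1812 acct-port 1813 key KEY
interface Virtual-Template1
 peer default ip address pool lac
 ppp authentication ms-chap-v2 L2TP
ip local pool lac 10.0.0.2 10.0.0.99
"""
PLACEHOLDER_SECRETS = {"KEY", "SECRET", "PASSWORD", "CHANGEME"}  # assumed list

def parse_blocks(config):
    """Map each top-level IOS config line to its indented sub-lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit_l2tp_terminator(config):
    """Return findings about tunnel authentication on Virtual-Template1."""
    blocks, findings = parse_blocks(config), []
    vt = blocks.get("interface Virtual-Template1", [])
    auth = next((l for l in vt if l.startswith("ppp authentication ")), None)
    if auth is None:  # the note's sample configuration assumes no authentication
        return ["Virtual-Template1: no 'ppp authentication', tunnels come up unauthenticated"]
    parts = auth.split()
    method, aaa_list = parts[2], (parts[3] if len(parts) > 3 else "default")
    if method == "pap":
        findings.append("PAP carries the PPP password in clear text; prefer ms-chap-v2")
    if not any(k.startswith(f"aaa authentication ppp {aaa_list} ") for k in blocks):
        findings.append(f"AAA list '{aaa_list}' is referenced but never defined")
    for k in blocks:
        m = re.match(r"radius-server host (\S+) .*\bkey (\S+)$", k)
        if m and m.group(2).upper() in PLACEHOLDER_SECRETS:
            findings.append(f"RADIUS server {m.group(1)} still uses placeholder key '{m.group(2)}'")
    pool = next((l.split()[-1] for l in vt if l.startswith("peer default ip address pool ")), None)
    if pool and not any(k.startswith(f"ip local pool {pool} ") for k in blocks):
        findings.append(f"address pool '{pool}' is referenced but never defined")
    return findings
```

Running it against the sample with MS-CHAPv2 reports only the placeholder RADIUS key; swapping in PAP or deleting the 'ppp authentication' line produces the corresponding findings.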