Mr.Chan


L2TP mechanism

1. ccie@cisco.com initiates a PPP connection to the LAC. On receiving the client's connection request, the LAC performs LCP negotiation with the client and asks the client for authentication credentials; the client supplies them (user name, domain name, password) using the PAP or CHAP PPP authentication mechanism.

2. The LAC extracts the domain name cisco.com and passes it to the authenticating RADIUS server for verification (this RADIUS server must be reachable in the LAC's routing table). If verification succeeds, the RADIUS server returns the LNS IP address associated with cisco.com; that is, it decides which LNS to contact, because L2TP may be set up with several domains or different companies, each of which may have its own LNS. This lookup can be done locally on the LAC or through AAA. If an L2TP tunnel does not yet exist, the LAC uses L2TP control messages to establish a tunnel to the LNS. (PS: this establishes the control connection between the LAC and the LNS. The control connection is the initial connection that must be established before the LAC and LNS can establish sessions; it includes securing the identity of the peers and confirming the peers' L2TP version, framing and bearer capabilities.)

3. During tunnel establishment, L2TP provides an optional CHAP-like authentication mechanism: the LNS can check (through local configuration) whether the LAC is allowed to establish a tunnel to it, and the LAC and LNS can verify each other using a shared secret held either in local configuration or on a RADIUS server.

4. After the tunnel is created, a VPDN session is created for the remote user ccie@cisco.com over the L2TP tunnel of the cisco.com domain. To establish the session, the LAC asks the LNS to accept a session for an incoming call, while the LNS asks the LAC to accept a session for placing an outgoing call.

5. The LAC forwards the partial CHAP response from ccie@cisco.com (user name, password, LCP negotiation parameters).

6. The LNS/VHG terminates the L2TP tunnel using a virtual template or virtual interface. The VPDN session creates a virtual-access interface based on the virtual template, downloading the parameters needed to create this virtual-access interface from the FASTFOOD RADIUS server; alternatively, the remote user's information can be verified against a user name/password configured statically on the LNS.

7. The LNS returns a CHAP response message to the remote user ccie@cisco.com through the L2TP tunnel.

8. After the CHAP response succeeds, the NCP phase runs (IPCP in this example). While the PPP session is running, the LAC acts as an intermediary between the remote client ccie@cisco.com and the LNS.

PS: 1) One L2TP tunnel is established per domain, and each L2TP tunnel carries multiple VPDN sessions.
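The control-connection setup and CHAP-like tunnel authentication of steps 2 and 3, as an added Python example that is not part of the original post: it encodes and parses the RFC 2661 control header and AVPs for the SCCRQ/SCCRP/SCCCN exchange between a LAC and an LNS and checks the Challenge Response on both sides, so a tunnel only comes up when both peers hold the same shared secret. Tunnel IDs, host names, challenges and secrets are constructed sample values; the UDP transport (port 1701) and the later sequence-number handling are omitted.

```python
import hashlib
import struct

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # control message types (RFC 2661 section 6)
# AVP attribute types used here (RFC 2661 section 4.4)
MSG_TYPE, PROTO_VER, FRAMING, HOSTNAME, TUNNEL_ID, CHALLENGE, CHAL_RESP = 0, 2, 3, 7, 9, 11, 13

def avp(attr, value, mandatory=True):
    """One AVP: M-bit + 10-bit total length, vendor id 0, attribute type, value."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value
def control_message(msg_type, tunnel_id, ns, nr, avps):
    """Control header (T, L, S bits set, version 2), then the Message Type AVP and the rest."""
    body = avp(MSG_TYPE, struct.pack("!H", msg_type)) + b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body
def parse_control_message(data):
    """Return (tunnel_id, ns, nr, {attr: value}); reject non-control or malformed input."""
    flags, length, tunnel_id, _sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if not (flags & 0x8000) or (flags & 0x000F) != 2 or length > len(data):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, pos = {}, 12
    while pos < length:
        if pos + 6 > length:
            raise ValueError("truncated AVP header")
        avp_flags, _vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        avp_len = avp_flags & 0x03FF
        if avp_len < 6 or pos + avp_len > length:  # length field runs past the message
            raise ValueError("bad AVP length")
        avps[attr] = data[pos + 6:pos + avp_len]
        pos += avp_len
    return tunnel_id, ns, nr, avps
def challenge_response(msg_type, secret, challenge):
    """RFC 2661 5.1.1: CHAP-style MD5 over the message-type byte, shared secret and challenge."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def tunnel_authenticates(lac_secret, lns_secret, lac_chal=b"\x11" * 16, lns_chal=b"\x22" * 16):
    """Run SCCRQ -> SCCRP -> SCCCN; True only if both peers hold the same shared secret."""
    # LAC -> LNS: SCCRQ announces version, framing capabilities, host name, tunnel id and a challenge
    sccrq = control_message(SCCRQ, 0, 0, 0, [avp(PROTO_VER, b"\x01\x00"), avp(FRAMING, struct.pack("!I", 3)),
        avp(HOSTNAME, b"LAC"), avp(TUNNEL_ID, struct.pack("!H", 7)), avp(CHALLENGE, lac_chal)])
    rq = parse_control_message(sccrq)[3]
    # LNS -> LAC: SCCRP answers the LAC's challenge with the LNS copy of the secret and issues its own
    sccrp = control_message(SCCRP, 7, 0, 1, [avp(HOSTNAME, b"LNS"), avp(TUNNEL_ID, struct.pack("!H", 9)),
        avp(CHALLENGE, lns_chal), avp(CHAL_RESP, challenge_response(SCCRP, lns_secret, rq[CHALLENGE]))])
    rp = parse_control_message(sccrp)[3]
    if rp[CHAL_RESP] != challenge_response(SCCRP, lac_secret, lac_chal):
        return False  # LAC rejects the LNS: the secrets differ
    # LAC -> LNS: SCCCN answers the LNS challenge; the LNS verifies it with its own secret
    scccn = control_message(SCCCN, 9, 1, 1, [avp(CHAL_RESP, challenge_response(SCCCN, lac_secret, rp[CHALLENGE]))])
    return parse_control_message(scccn)[3][CHAL_RESP] == challenge_response(SCCCN, lns_secret, lns_chal)
```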

Related terms: LAC: L2TP Access Concentrator.

LNS/VHG: Virtual Home Gateway. The term VHG is used when the function sits on a PE router rather than on a router performing standard LNS functions (?).

L2TP: Layer 2 Tunnel Protocol. Point-to-Point Protocol (PPP) defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links. Typically, a user obtains an L2 connection to a Network Access Server (NAS) using a technique such as dialup plain old telephone service (POTS), ISDN or Asymmetric Digital Subscriber Line (ADSL) and then runs PPP over that connection. In such a configuration, the L2 termination point and PPP session endpoint reside on the same physical device (the NAS). L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a network. With L2TP, a user has an L2 connection to an access concentrator, and the concentrator then tunnels individual PPP frames to the NAS. This allows the actual processing of PPP packets to be divorced from the termination of the L2 circuit.

L2F: Layer 2 Forwarding Protocol. L2F is a tunneling protocol older than L2TP. 

LAC: L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LNS. The LAC sits between an LNS and a client and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol. The connection from the LAC to the client is typically through ISDN or analog.

LNS: L2TP Network Server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. The LNS is the logical termination point of a PPP session that is being tunneled from the client by the LAC.

Home Gateway: Same definition as LNS in L2F terminology.

NAS: Same definition as LAC in L2F terminology. 

Tunnel: In L2TP terminology, a Tunnel exists between a LAC-LNS pair. The Tunnel consists of a control connection and zero or more L2TP Sessions. The Tunnel carries encapsulated PPP datagrams and control messages between the LAC and the LNS. The process is the same for L2F.

Session: L2TP is connection-oriented. The LNS and LAC maintain a state for each call that is initiated or answered by an LAC. An L2TP Session is created between the LAC and LNS when an end-to-end PPP connection is established between a client and the LNS. Datagrams related to the PPP connection are sent over the Tunnel between the LAC and LNS. There is a one-to-one relationship between established L2TP Sessions and their associated calls. The process is the same for L2F.

cunshen, 2005-01-01 10:12

posted on 2005-05-04 15:56 by cunshen