L2TP tunnel establishment involves the following messages:
Start-Control-Connection-Request (SCCRQ): a request message sent to the peer to establish a control connection.
Start-Control-Connection-Reply (SCCRP): a reply message sent to the peer to indicate that the SCCRQ message was received and that a control connection may be established.
Stop-Control-Connection-Notification (StopCCN): a control message sent to inform the peer that the control connection should be closed.
Start-Control-Connection-Connected (SCCCN): a control message sent to inform the peer that the SCCRP message was received and an L2TP tunnel has been established on the LAC.
Hello: a keepalive message used to detect the connectivity of a tunnel.
Zero-Length Body (ZLB): a message sent to the peer when no further messages are queued for it. During the teardown of a control connection, the receiver of a StopCCN message must send a ZLB message to acknowledge receipt of the StopCCN message. A ZLB message is so named because it has only an L2TP header and no payload.
A control connection is established prior to a session connection. A session can be established only after a control connection is successfully established. Figure 1 shows the process of establishing an L2TP control connection.
After routes between the LAC and LNS are reachable, the corresponding AVPs are configured on the LAC. The LAC then sends an SCCRQ message carrying the AVPs to the LNS to request control connection establishment.
After receiving the SCCRQ message, the LNS determines whether to accept control connection establishment based on the AVPs in the message. If the LNS accepts control connection establishment, the LNS sends an SCCRP message to the LAC.
The LAC checks the received SCCRP message, extracts the tunnel information from the SCCRP message, and then sends the LNS an SCCCN message indicating that a control connection has been successfully established.
When no message exists in the queue of the LNS, it sends a ZLB message to the LAC.
You can run the display command on the LAC or LNS to view the control connections that have been successfully established.
Tunnel authentication is performed in parallel with tunnel establishment.
The process of tunnel authentication is as follows:
The LAC sends the LNS an SCCRQ message that carries a randomly-generated character string as the local CHAP Challenge.
After receiving the SCCRQ message, the LNS generates a 16-byte Response message based on the CHAP Challenge sent by the LAC and the locally configured password. At the same time, the LNS generates a random character string (CHAP Challenge), adds the CHAP Challenge and the Response message to an SCCRP message, and sends the SCCRP message to the LAC.
After receiving the SCCRP message, the LAC authenticates the information sent by the LNS as follows:
Generates a 16-byte character string based on the local CHAP Challenge (the one it sent in the SCCRQ message) and the locally configured password, and compares this newly generated string with the CHAP Response carried in the SCCRP message sent by the LNS. If they are the same, tunnel authentication succeeds; otherwise, tunnel authentication fails, and the tunnel is torn down.
If tunnel authentication succeeds, the LAC sends the LNS an SCCCN message carrying its own CHAP Response, generated from the CHAP Challenge received in the SCCRP message and the locally configured password.
After receiving the SCCCN message, the LNS authenticates the information sent by the LAC as follows:
Generates a 16-byte character string based on the local CHAP Challenge and the locally configured password.
Compares the 16-byte character string with the CHAP Response carried in the SCCCN message sent by the LAC. If they are the same, tunnel authentication succeeds. Otherwise, the tunnel needs to be torn down.
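The following Python program is an added example, not code from this page or from any vendor's L2TP implementation. It simulates both the control connection establishment (SCCRQ, SCCRP, SCCCN, ZLB) and the mutual tunnel authentication that rides on those messages, with a LAC object and an LNS object exchanging message records in memory. The page only says the CHAP Response is a 16-byte string derived from the challenge and the configured password; the concrete derivation used here, MD5 over the message type, the password and the challenge, is the construction RFC 2661 section 5.1.1 specifies, and the version check the LNS applies to the SCCRQ AVPs is an assumed acceptance policy. Message type numbers follow RFC 2661; the value 0 for ZLB, the host names, tunnel IDs and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Message Type AVP values from RFC 2661: SCCRQ=1, SCCRP=2, SCCCN=3, StopCCN=4.
# A ZLB carries no Message Type AVP; 0 stands in for it here (constructed value).
ZLB, SCCRQ, SCCRP, SCCCN, STOPCCN = 0, 1, 2, 3, 4


@dataclass
class Msg:
    mtype: int
    avps: Dict[str, object] = field(default_factory=dict)


def chap_response(msg_type: int, password: bytes, challenge: bytes) -> bytes:
    # The 16-byte string the text describes. RFC 2661 5.1.1 computes it as a CHAP
    # response whose ID is the type of the message carrying it: MD5(ID || secret || challenge).
    return hashlib.md5(bytes([msg_type]) + password + challenge).digest()


class LAC:
    def __init__(self, password: bytes, hostname: str, tunnel_id: int):
        self.password, self.hostname, self.local_tid = password, hostname, tunnel_id
        self.peer_tid = None
        self.challenge = b""
        self.state = "idle"

    def start(self) -> Msg:
        # Step 1: SCCRQ carries the LAC's AVPs and a random local CHAP Challenge.
        self.challenge = os.urandom(16)
        self.state = "wait-ctl-reply"
        return Msg(SCCRQ, {"protocol_version": 1, "host_name": self.hostname,
                           "assigned_tunnel_id": self.local_tid, "challenge": self.challenge})

    def on_sccrp(self, m: Msg) -> Msg:
        # Step 3: recompute the 16-byte string from our own challenge and password and
        # compare it (constant-time) with the LNS's CHAP Response; mismatch tears down.
        expected = chap_response(SCCRP, self.password, self.challenge)
        if not hmac.compare_digest(expected, m.avps.get("response", b"")):
            self.state = "idle"
            return Msg(STOPCCN, {"result": "tunnel authentication failed"})
        self.peer_tid = m.avps["assigned_tunnel_id"]
        self.state = "established"
        # Answer the LNS's challenge; SCCCN is the message type carrying this response.
        return Msg(SCCCN, {"response": chap_response(SCCCN, self.password, m.avps["challenge"])})


class LNS:
    def __init__(self, password: bytes, hostname: str, tunnel_id: int, accepted_versions=(1,)):
        self.password, self.hostname, self.local_tid = password, hostname, tunnel_id
        self.accepted_versions = accepted_versions
        self.peer_tid = None
        self.challenge = b""
        self.state = "idle"

    def on_sccrq(self, m: Msg) -> Msg:
        # Step 2: decide from the AVPs whether to accept. Checking the protocol version
        # is an assumed policy; the page does not list which AVPs are examined.
        if m.avps.get("protocol_version") not in self.accepted_versions:
            return Msg(STOPCCN, {"result": "unsupported protocol version"})
        self.peer_tid = m.avps["assigned_tunnel_id"]
        self.challenge = os.urandom(16)
        self.state = "wait-ctl-conn"
        return Msg(SCCRP, {"assigned_tunnel_id": self.local_tid, "challenge": self.challenge,
                           "response": chap_response(SCCRP, self.password, m.avps["challenge"])})

    def on_scccn(self, m: Msg) -> Msg:
        # Step 4: verify the LAC's response to our challenge, then send a ZLB because
        # nothing else is queued for the peer.
        expected = chap_response(SCCCN, self.password, self.challenge)
        if not hmac.compare_digest(expected, m.avps.get("response", b"")):
            self.state = "idle"
            return Msg(STOPCCN, {"result": "tunnel authentication failed"})
        self.state = "established"
        return Msg(ZLB)


def establish(lac: LAC, lns: LNS) -> Tuple[str, str, List[int]]:
    """Drive the exchange; returns both end states and the message types seen on the wire."""
    trace: List[int] = []
    handlers = {SCCRQ: lns.on_sccrq, SCCRP: lac.on_sccrp, SCCCN: lns.on_scccn}
    m = lac.start()
    trace.append(m.mtype)
    while m.mtype in handlers:
        m = handlers[m.mtype](m)
        trace.append(m.mtype)
    if m.mtype == STOPCCN:  # whichever side receives StopCCN drops back to idle
        lac.state = lns.state = "idle"
    return lac.state, lns.state, trace


if __name__ == "__main__":
    print(establish(LAC(b"s3cret", "lac1", 7), LNS(b"s3cret", "lns1", 9)))
    print(establish(LAC(b"s3cret", "lac1", 7), LNS(b"other", "lns1", 9)))
```

Because each side answers the other's challenge with the shared password and the LAC verifies the LNS before revealing its own response, a mismatched password is detected by the LAC at the SCCRP step and the exchange ends with a StopCCN instead of an SCCCN; when the LNS rejects the AVPs it never issues a challenge at all.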
Hello messages are used to check L2TP tunnel connectivity. The LAC and LNS periodically send Hello messages to each other. If no response message is received within a certain period of time, they retransmit Hello messages. If Hello messages are retransmitted more than five times, the L2TP tunnel is considered torn down, and the PPP session will be cleared. The LAC and LNS then need to re-establish an L2TP tunnel.
The interval for sending Hello messages can be specified. By default, Hello messages are sent every 60 seconds. The LNS and LAC can be configured with different intervals for sending Hello messages.
Either the LAC or LNS can initiate a request for control connection teardown. The initiator sends a StopCCN message, requesting the peer to tear down a control connection. After receiving the StopCCN message, the peer sends a ZLB ACK message and retains the control connection for a specified period of time to prevent loss of the ZLB ACK message. Figure 2 shows the process of control connection teardown initiated by the LAC.
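The following Python simulation is an added example, not code from this page or from any L2TP implementation. It models one endpoint's Hello keepalive and StopCCN teardown handling on a simulated clock: a Hello every 60 seconds, retransmission while no response arrives, the tunnel declared down (and its PPP sessions cleared) once a Hello has been retransmitted more than five times, and a ZLB ACK plus a retention period when a StopCCN is received. The 5-second retransmit timeout, the 30-second retention period and the session names are assumed sample values; the page gives only the Hello interval and the retransmission limit.

```python
from typing import Optional

# Control message types (Message Type AVP values from RFC 2661); ZLB carries no type, so
# 0 stands in for it here (constructed value).
STOPCCN, HELLO, ZLB = 4, 6, 0


class ControlConnection:
    """One endpoint's keepalive and teardown logic for an established control connection.

    Times are seconds on a simulated clock passed to each call. Hello interval and the
    retransmission limit match the text; retry timeout and retention period are assumed.
    """

    def __init__(self, hello_interval=60, retry_timeout=5, max_retransmits=5, retain_time=30):
        self.hello_interval = hello_interval
        self.retry_timeout = retry_timeout
        self.max_retransmits = max_retransmits
        self.retain_time = retain_time
        self.state = "established"
        self.sessions = {"ppp-session-1", "ppp-session-2"}  # constructed sample sessions
        self.next_hello = hello_interval
        self.outstanding: Optional[int] = None  # send time of the unacknowledged Hello
        self.retransmits = 0
        self.hellos_sent = 0
        self.down_at: Optional[int] = None
        self.retain_until: Optional[int] = None

    def tick(self, now: int, peer_responds: bool) -> None:
        """Advance to time `now`; `peer_responds` says whether the peer answers Hellos now."""
        if self.state == "retained":
            if now >= self.retain_until:
                self.state = "closed"  # retention period over, forget the connection
            return
        if self.state != "established":
            return
        if self.outstanding is not None:
            if peer_responds:
                # Acknowledged: reset the retransmit count, schedule the next periodic Hello.
                self.outstanding = None
                self.retransmits = 0
                self.next_hello = now + self.hello_interval
            elif now - self.outstanding >= self.retry_timeout:
                self.retransmits += 1
                if self.retransmits > self.max_retransmits:
                    # Retransmitted more than five times: the tunnel is considered torn
                    # down and the PPP sessions riding on it are cleared.
                    self.state = "down"
                    self.down_at = now
                    self.sessions.clear()
                    return
                self.outstanding = now  # retransmit the Hello
                self.hellos_sent += 1
        if self.outstanding is None and now >= self.next_hello:
            self.outstanding = now  # periodic Hello
            self.hellos_sent += 1

    def on_stopccn(self, now: int) -> int:
        """Peer requested teardown: answer with a ZLB ACK and retain the control connection
        for `retain_time` so a retransmitted StopCCN (sent because our ZLB ACK was lost)
        can be acknowledged again instead of being met with an unknown tunnel."""
        if self.state == "established":
            self.state = "retained"
            self.retain_until = now + self.retain_time
            self.sessions.clear()
        return ZLB


def simulate_keepalive(peer_alive_until: int, duration: int) -> dict:
    """Run an endpoint whose peer answers Hellos until `peer_alive_until`, then goes silent."""
    cc = ControlConnection()
    for now in range(duration + 1):
        cc.tick(now, peer_responds=now < peer_alive_until)
    return {"state": cc.state, "hellos_sent": cc.hellos_sent,
            "down_at": cc.down_at, "sessions": sorted(cc.sessions)}


if __name__ == "__main__":
    print(simulate_keepalive(peer_alive_until=150, duration=300))
    print(simulate_keepalive(peer_alive_until=1000, duration=300))
```

With the peer silent from second 150, the Hello sent at second 182 goes unanswered, is retransmitted five times at 5-second spacing, and the sixth timeout at second 212 declares the tunnel down; with a responsive peer the endpoint simply sends one Hello per interval and keeps its sessions.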