VPN based on L2TP technology
L2TP is a tunneling protocol used to build virtual private networks. Its main advantage is the ability to create virtual networks not only over IP networks but also over Frame Relay, X.25 and ATM networks. Although it resembles an OSI data-link layer protocol, L2TP is a session layer protocol that uses UDP port 1701.
Development of the protocol dates back to 1997, and in 1999 the RFC 2661 standard describing it appeared. L2TP is considered to combine the best of L2F and PPTP.
How it works
To establish a connection, the remote system initiates a PPP connection to the LAC over the PSTN telephone network. The LAC then tunnels this PPP connection to the LNS over Frame Relay, ATM or the Internet, giving access to the home LAN. The remote system obtains addresses from the home LAN through NCP negotiation. Authorization and authentication are handled as if the remote user were connected directly to the NAS.
A LAC client, i.e. a machine running L2TP software, can build the tunnel to the home LAN itself if it is already connected to the Internet; a separate LAC is then optional. In this case a virtual PPP connection is created in which the local L2TP LAC establishes a tunnel to the LNS. As in the previous case, authorization, addressing and authentication are provided by the management domain of the home LAN.
L2TP uses two types of packets: data (information) messages and control messages. The former encapsulate the PPP frames sent through the tunnel; the latter establish, maintain and tear down calls and tunnels. To guarantee delivery, control messages use a reliable control channel within L2TP itself, and data messages lost in transit are sent again. In addition, to ensure guaranteed delivery, control messages are assigned sequence numbers. Data messages use sequence numbers to detect frame loss and restore packet order.
The information in this block may be of interest to specialists. For educational purposes it can be skipped; go straight to the next section.
Both the control and data channels of L2TP use a single header format. Let us briefly list the meaning of the bits in the 32-bit header word:
0 – type bit (T). It identifies the packet type: 0 for data messages, 1 for control messages.
1 – length bit (L). If it is 1 (mandatory for control messages), the packet contains the “Length” field (bits 16 to 31).
2-3 – reserved bits; they should be set to 0 in outgoing packets and ignored in incoming ones.
4 – sequence bit (S). It is 1 in control messages. When it is set, the Ns and Nr fields are present in the packet.
5 – reserved bit.
6 – offset bit (O). If it is 1, the packet contains a field that specifies the size of the offset.
7 – priority bit (P). It is 0 for control messages. If it is 1 in a data message, that message gets preferential treatment in the queue.
8-11 – reserved bits.
12-15 – the “Version” (Ver) field gives the version of the L2TP data message header. The value 1 is reserved so that L2F packets can be recognised if they arrive mixed with L2TP packets. Packets with an unknown Ver value should be discarded.
16-31 – the packet length field, giving the length of the message in octets.
The Tunnel ID field contains the identifier of the control connection. Tunnel IDs have only local meaning, so the two ends of a tunnel carry different identifiers. The Tunnel ID in each message must be exactly the one the recipient expects. This identifier is created while the data transmission tunnel is being set up.
The Session ID field identifies a session within the tunnel. Session identifiers also have local meaning and must be exactly what the recipient expects. This identifier is created when the data transfer session is set up.
The Ns field contains the sequence number of the control or data message; it starts at 0 and increases by 1 for each subsequent message. The Nr field contains the sequence number of the next message expected, so Nr equals the Ns of the last message received plus 1.
If the “Offset Size” field is present in the packet, it determines where the data field begins; the content of the offset padding itself is undefined.
The procedure for establishing a PPP session over an L2TP tunnel consists of two steps:
Establishing a control channel for the tunnel.
Creating a session in response to an outgoing or incoming call request.
Both the tunnel and its control channel are created before any call is initiated, i.e. the L2TP session must exist before PPP frames can be transferred through the tunnel. Several sessions between a LAC and an LNS can coexist in a single tunnel.
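To make the header layout and the "must be exactly what the recipient expects" rule concrete, here is an added example (not code from the original article or from any L2TP implementation): a small Python parser for the header bits and fields listed above, plus a receiver that accepts a packet only if its Tunnel ID and Session ID match a tunnel and session this end has actually set up, and only if a control message carries the Ns it expects. It assumes Ver = 2 for L2TP and that a control message arriving with Tunnel ID 0 is a tunnel-setup request (both from RFC 2661, not stated in the article); all packet bytes, tunnel IDs and session IDs are constructed for the demo.

```python
"""Added example: parse the L2TP header and demultiplex packets the way the
receiving end of a tunnel should. Constructed data only; not from the article."""
import struct
from dataclasses import dataclass, field
from typing import Optional

L2TP_UDP_PORT = 1701  # from the article; no sockets are used here

@dataclass
class L2TPHeader:
    is_control: bool         # T bit: 1 = control message, 0 = data message
    length: Optional[int]    # present when L bit set (mandatory for control)
    tunnel_id: int
    session_id: int
    ns: Optional[int]        # present when S bit set (mandatory for control)
    nr: Optional[int]
    offset: Optional[int]    # present when O bit set
    payload: bytes           # the encapsulated PPP frame / control body

def _u16(pkt: bytes, pos: int) -> int:
    if pos + 2 > len(pkt):
        raise ValueError("truncated L2TP header")
    return struct.unpack("!H", pkt[pos:pos + 2])[0]

def parse_l2tp(pkt: bytes) -> L2TPHeader:
    """Parse one L2TP packet (the UDP payload); raise ValueError if malformed."""
    flags = _u16(pkt, 0)
    t_bit, l_bit = (flags >> 15) & 1, (flags >> 14) & 1   # header bits 0 and 1
    s_bit, o_bit = (flags >> 11) & 1, (flags >> 9) & 1    # header bits 4 and 6
    p_bit, ver = (flags >> 8) & 1, flags & 0x0F           # header bit 7, bits 12-15
    if ver != 2:  # Ver 1 marks L2F, anything else is unknown: discard (per article)
        raise ValueError(f"unsupported L2TP version {ver}")
    if t_bit and not (l_bit and s_bit):
        raise ValueError("control message must carry Length and Ns/Nr")
    if t_bit and p_bit:
        raise ValueError("P bit must be 0 in control messages")
    pos, length = 2, None
    if l_bit:
        length = _u16(pkt, pos); pos += 2
        if length > len(pkt):
            raise ValueError("Length field exceeds packet size")
        pkt = pkt[:length]  # octets beyond the stated length are ignored
    tunnel_id = _u16(pkt, pos); pos += 2
    session_id = _u16(pkt, pos); pos += 2
    ns = nr = None
    if s_bit:
        ns = _u16(pkt, pos); pos += 2
        nr = _u16(pkt, pos); pos += 2
    offset = None
    if o_bit:
        offset = _u16(pkt, pos); pos += 2
        if pos + offset > len(pkt):
            raise ValueError("Offset Size runs past end of packet")
        pos += offset  # padding bytes: content undefined, skipped
    return L2TPHeader(bool(t_bit), length, tunnel_id, session_id, ns, nr, offset, pkt[pos:])

def build_l2tp(control: bool, tunnel_id: int, session_id: int, payload: bytes = b"",
               ns: Optional[int] = None, nr: Optional[int] = None,
               offset: Optional[int] = None) -> bytes:
    """Build a packet for testing; control messages always get the L and S bits."""
    flags, seq = 0x0002, control or ns is not None        # Ver = 2
    if control:
        flags |= 0x8000 | 0x4000
    if seq:
        flags |= 0x0800
    if offset is not None:
        flags |= 0x0200
    rest = struct.pack("!HH", tunnel_id, session_id)
    if seq:
        rest += struct.pack("!HH", ns or 0, nr or 0)
    if offset is not None:
        rest += struct.pack("!H", offset) + b"\x00" * offset
    rest += payload
    out = struct.pack("!H", flags)
    if flags & 0x4000:
        out += struct.pack("!H", 4 + len(rest))            # Length covers the whole packet
    return out + rest

@dataclass
class Tunnel:
    local_id: int
    sessions: set = field(default_factory=set)  # local Session IDs created in this tunnel
    expected_ns: int = 0                        # next control Ns we expect (our Nr)

class L2TPReceiver:
    """Tracks tunnels/sessions this end set up and drops packets that do not match."""
    def __init__(self) -> None:
        self.tunnels: dict[int, Tunnel] = {}

    def open_tunnel(self, local_id: int) -> None:         # step 1: control channel exists
        self.tunnels[local_id] = Tunnel(local_id)

    def open_session(self, tunnel_id: int, session_id: int) -> None:  # step 2: session
        self.tunnels[tunnel_id].sessions.add(session_id)

    def accept(self, pkt: bytes) -> tuple:
        try:
            h = parse_l2tp(pkt)
        except ValueError as e:
            return f"drop: {e}", None
        tun = self.tunnels.get(h.tunnel_id)
        if tun is None and not (h.is_control and h.tunnel_id == 0):  # 0 = setup request (RFC 2661 assumption)
            return "drop: unknown tunnel id", None
        if h.is_control:
            if tun is not None:                # reliable control channel: Ns must be in order
                if h.ns != tun.expected_ns:
                    return "drop: out-of-order control message", None
                tun.expected_ns = (tun.expected_ns + 1) & 0xFFFF
            return "control", h
        if h.session_id not in tun.sessions:   # PPP frames need an existing session
            return "drop: no such session in tunnel", None
        return "data", h
```

The receiver mirrors the two-step procedure: `open_tunnel` stands for a completed control-channel setup and `open_session` for a completed call, so a data message for a tunnel or session that was never set up is dropped rather than forwarded, and a replayed or reordered control message fails the Ns check.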