This chapter describes how to configure a NETBuilder bridge/router as a tunnel terminator packet processor, how to configure a bridge/router as a tunnel initiator/terminator in a router-to-router configuration, and how to configure virtual leased lines with the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
PPTP/L2TP defines a method for transferring Point-to-Point Protocol (PPP) datagrams through a tunnel over IP. Tunneling PPP does not change PPP but provides a vehicle by which PPP data units (PDUs) can be carried between two peers: a line server (LS) and a packet processor (PP). The LS-PP pair defines the endpoints of a PPTP/L2TP connection.
A PPTP/L2TP connection is defined by two parallel components: a control connection and a data pipe. Both operate between the same LS-PP pair. For PPTP, the control connection operates over TCP and passes call control and management packets over the TCP session. The data pipe operates over IP to transfer data packets encapsulated using Generic Routing Encapsulation Protocol Version 2 (GRE V2). For L2TP, both the control connection and the data pipe operate over the UDP session.
When the NETBuilder bridge/router adopts the PPTP/L2TP protocol, it functions as a packet processor. You can configure PPTP/L2TP tunnel connections between a NETBuilder bridge/router and a 3Com AccessBuilder® server (PPTP only) or a Total Control Hub (acting as a line server). In this scenario, the NETBuilder bridge/router is acting as a tunnel terminator, which only receives inbound calls. A NETBuilder bridge/router can also receive inbound calls from VPN capable RAS clients (Windows 98/NT) to provide remote access services. See Chapter 11 for configuration information.
In addition, a NETBuilder bridge/router expands the use of PPTP so a tunnel can be established between two peer NETBuilder bridge/routers. In this scenario, the NETBuilder bridge/router is able to issue outbound calls so either side can be the tunnel initiator or tunnel terminator. This is a router-to-router configuration, and both peers play the same role.
L2TP does not support the router-to-router configuration.
When using a NETBuilder bridge/router as a packet processor, you can choose the following hubs as a line server:
In Figure 50, the PPTP/L2TP tunnel connections are configured between a NETBuilder bridge/router and a Total Control Hub.
Figure 50 PPTP Tunnel Connections Between a Bridge/Router and Hub
By default, the LS with any IP address will be able to connect to the bridge/router using PPTP/L2TP. Flow control for all PPTP/L2TP sessions is disabled by default. If you need to enable flow control or if you want to restrict which line servers can have PPTP/L2TP connections with the bridge/router, you can configure an access list. After you have configured an access list, the bridge/router accepts PPTP/L2TP connections only from an LS whose IP address has been specified. The flow control for each PPTP/L2TP connection is configurable.
The configuration for L2TP is identical to that for PPTP, except that L2TP has its own flow control mechanism embedded in the L2TP protocol. No flow control configuration is required for L2TP tunnels.
To configure NETBuilder bridge/router as a tunnel terminator (PP), follow these steps:
1. Enable the L2Tunnel service by entering:
SETDefault -L2Tunnel CONTrol = Enabled Protocol = PPTP
SETDefault -L2Tunnel CONTrol = Enabled Protocol = L2TP
2. Configure the access list if you want to restrict the incoming peer tunnel initiators or if you want to enable the PPTP flow control using:
ADD -L2Tunnel AccessList <IP Address> [Net Mask][Protocol=PPTP] [FlowControl = ENabled | DISabled]
ADD -L2Tunnel AccessList 129.213.48.6 255.255.255.255
ADD -L2Tunnel AccessList 129.213.48.0 255.255.255.0 Protocol = ALL
3. Repeat step 2 for each IP address or IP address range you want to add to the access list. To display the access list being configured, enter:
SHow -L2Tunnel AccessList
To remove an entry from the access list, enter:
DELete -L2Tunnel AccessList <IP Address>
4. If not yet configured, configure either SysCallerID or AuthRemoteUser of the virtual port you have chosen to be bound to the incoming virtual path using:
ADD !<port> -PORT VirtualPort SCID "<SysCallerID>"
ADD !<port> -PORT VirtualPort PPP
ADD !<port> -PPP AuthRemoteUser ("<userid>", "<password>")
ADD !V1 -PORT VirtualPort SCID "LS1"
ADD !V1 -PORT VirtualPort PPP
ADD !V1 -PPP AuthRemoteUser ("LS1", "LS1PW")
5. If a SysCallerID is used in step 4, configure SysCallerID of the bridge/router using:
SETDefault -SYS SysCallerID="<string>"
SETDefault -SYS SysCallerID="NB"
If AuthRemoteUser is used in step 4, configure AuthLocalUser of the virtual port using:
SETDefault !<port> -PPP AuthLocalUser = ("<userid>", "<password>")
SETDefault !V1 -PPP AuthLocalUser = ("NB", "NBPW")
See the L2Tunnel Service Parameters chapter in Reference for NETBuilder Family Software for additional parameters that you can optionally use to configure the L2TP connection.
6. To display statistics for all PPTP connections that are currently active, enter:
SHow -L2Tunnel STATS
7. To display information about the state of each PPTP connection, enter:
SHow -L2Tunnel STATUS
8. To display information about the state and statistics of L2TP connections, enter:
SHow -L2Tunnel L2tpTunnels
SHow -L2Tunnel L2tpStats
9. If L2TP is used as the tunneling protocol, you need to set the system name of the NETBuilder bridge/router using:
SETDefault -SYS SysName = "Name"
When two NETBuilder bridge/routers are used in a router-to-router configuration, either NETBuilder bridge/router can issue dial commands. When a bridge/router issues a dial command, an outgoing call request message is sent to the peer. The peer responds by sending back an outgoing call reply message. A session is established within a PPTP tunnel. (This setup mechanism is unlike the LS-PP scenario where incoming call messages are exchanged.)
Router-to-router over L2TP is not supported.
To configure a NETBuilder bridge/router as a tunnel initiator/terminator, follow these steps:
1. Repeat steps 1 through 5 of the procedure "Configuring a NETBuilder as a Tunnel Terminator (PP)" on page 163.
2. The DialNoList contains the IP address of the physical interface of the peer bridge/router. Configure a DialNoList for each dial-out virtual port using:
ADD !<port> -PORT DialNoList "<@IP Address>" Type=PPTP
ADD !V1 -PORT DialNoList "@129.213.48.6" Type=PPTP
3. To establish the PPTP connection, either NETBuilder bridge/router must issue a dial command using:
DIal !<port>
DIal !V1
When configuring a NETBuilder bridge/router as a tunnel initiator/terminator (router-to-router scenario), the DIal command establishes the tunnel. In this scenario, tunnel usage may be disrupted by heavy traffic or poor line quality. In reliability-sensitive environments, you may choose to configure the PPTP tunnel to operate as a leased line. If the tunnel goes down, the environment can be preconfigured so that a backup line is dialed, as shown in Figure 51. All traffic is then sent through the backup line. While the backup line is in use, the bridge/router tries to reestablish the PPTP tunnel. When the tunnel is reestablished, all traffic is switched from the backup line to the tunnel, and the backup line is automatically torn down.
Virtual Leased Line over L2TP is not supported.
Figure 51 Virtual Leased Line and Backup Connection
The PPTP virtual leased line is brought up automatically after it has been configured. Parameters must be configured on both bridge/routers in order to bring up the line.
To configure a PPTP virtual leased line, follow these steps:
1. If not enabled, enable the L2Tunnel service to provide PPTP support by entering:
SETDefault -L2Tunnel CONTrol = Enabled
2. Add a virtual leased line using:
ADD -L2Tunnel VLeasedLine <IP Address>
ADD -L2Tunnel VLeasedLine 129.213.48.6
In some environments, the IP addresses of the remote peers may not be known beforehand. For instance, the remote peer may be located across the Internet with its IP address assigned dynamically by an Internet Service Provider (ISP), so you cannot preconfigure the IP address of the peer's physical port in step 2. In this case, you can configure a VLeasedLine IP address entry of 0.0.0.0, meaning that any IP address from a remote peer will be accepted. There should be one 0.0.0.0 IP address entry for each incoming remote peer with an unknown IP address.
3. To configure the backup line for the virtual port under which PPTP is running, use:
SETDefault !<port> -PORT DialCONTrol = DisasterRcvry
SETDefault !V1 -PORT DialCONTrol = DisasterRcvry
4. Add the dial number for the backup line using:
ADD !<port> -PORT DialNoList "<phone-no>" [Type = Modem | Bri | Sw56 | WE]
ADD !V1 -PORT DialNoList "9241234" Type=Modem
5. If not yet configured, configure either SysCallerID or AuthRemoteUser of the virtual port that you choose to be bound to the incoming virtual path using:
ADD !<port> -PORT VirtualPort SCID "<SysCallerID>"
ADD !<port> -PORT VirtualPort PPP
ADD !<port> -PPP AuthRemoteUser ("<userid>", "<password>")
ADD !V1 -PORT VirtualPort SCID "LS1"
ADD !V1 -PORT VirtualPort PPP
ADD !V1 -PPP AuthRemoteUser ("LS1", "LS1PW")
At least one endpoint has to use SysCallerID to authenticate; the other endpoint can use either SysCallerID or AuthRemoteUser.
6. If SysCallerID is used in step 5, configure SysCallerID of this bridge/router using:
SETDefault -SYS SysCallerID="<string>"
SETDefault -SYS SysCallerID="NB"
If AuthRemoteUser is used in step 5, configure AuthLocalUser of the virtual port using:
SETDefault !<port> -PPP AuthLocalUser = (["<userid>" | None], "<password>")
SETDefault !V1 -PPP AuthLocalUser = ("NB", "NBPW")
7. Configure the parameters of the path from which the backup line will be dialed.
8. If the physical interface is a dial-up line, you need to configure your communication resources to use this line before issuing the DIal command. See the Configuring Port Bandwidth Management chapter in Using NETBuilder Family Software Version 11.0 for information about configuring communication resources for dial-up use.
You should not configure an access list in this configuration unless you know the range of the IP addresses that the ISP will assign to the remote peer.
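The following Python script is an added example, not part of the NETBuilder documentation or software. It applies the acceptance rules this chapter describes (no access list means any LS address is accepted; an access list restricts connections to matching entries; a VLeasedLine entry of 0.0.0.0 accepts any peer) to a constructed set of CLI lines, so the result of a planned configuration can be checked before it is entered. It assumes that an AccessList entry given without a net mask covers a single host.

```python
import ipaddress
import re

# Constructed sample of NETBuilder CLI lines (not a real device dump), using the
# commands from this chapter: L2Tunnel enabled for PPTP, a host entry and a /24
# entry in the access list, and a wildcard virtual leased line.
SAMPLE_CONFIG = """
SETDefault -L2Tunnel CONTrol = Enabled Protocol = PPTP
ADD -L2Tunnel AccessList 129.213.48.6 255.255.255.255 FlowControl = ENabled
ADD -L2Tunnel AccessList 129.213.48.0 255.255.255.0 Protocol = ALL
ADD -L2Tunnel VLeasedLine 0.0.0.0
ADD !V1 -PORT VirtualPort SCID "LS1"
SETDefault -SYS SysCallerID="NB"
"""

ACL_RE = re.compile(r"^ADD\s+-L2Tunnel\s+AccessList\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?", re.I)
VLL_RE = re.compile(r"^ADD\s+-L2Tunnel\s+VLeasedLine\s+(\S+)", re.I)

def parse_access_list(config):
    """Return access-list entries as (network, flow_control_enabled) tuples.
    Assumption: an entry with no net mask is a single host (255.255.255.255)."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        mask = m.group(2) or "255.255.255.255"
        net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
        fc = re.search(r"FlowControl\s*=\s*ENabled", line, re.I) is not None
        entries.append((net, fc))
    return entries

def ls_accepted(config, ls_ip):
    """With no access list any LS may connect; once one exists, only an LS
    whose address matches an entry is accepted."""
    entries = parse_access_list(config)
    if not entries:
        return True
    return any(ipaddress.ip_address(ls_ip) in net for net, _ in entries)

def audit(config):
    """List the exposure-related settings a reviewer should confirm are intended."""
    findings = []
    if not parse_access_list(config):
        findings.append("no L2Tunnel access list: any LS IP address may connect")
    for line in config.splitlines():
        m = VLL_RE.match(line.strip())
        if m and m.group(1) == "0.0.0.0":
            findings.append("VLeasedLine 0.0.0.0: any remote peer address accepted")
    if not re.search(r"-PORT\s+VirtualPort\s+(SCID|PPP)", config, re.I):
        findings.append("no virtual port bound with SCID or PPP authentication")
    return findings
```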