Which of the following statements is true when configuring a VPN server to use only L2TP?


Article, 09/24/2021

This article discusses how to configure a preshared key for use with Layer 2 Tunneling Protocol (L2TP).

Applies to:   Windows Server 2003
Original KB number:   324258

Summary

By default, to use L2TP over IPsec in Microsoft Windows Server 2003 you need a public key infrastructure (PKI) that issues computer certificates to the virtual private network (VPN) server and to the clients, so that Internet Key Exchange (IKE) authentication can take place.

With Windows Server 2003, you can use a preshared key for IKE authentication. This feature is useful in environments that do not currently have a PKI in place, or in situations where Windows Server 2003 L2TP servers are making connections to third-party VPN servers that only support the use of preshared keys.

Note

Microsoft does not encourage the use of preshared keys, because a preshared key is a less secure method of authentication than certificates. Preshared keys are not meant to replace certificates; they are an alternative intended for testing and internal operations. Microsoft strongly recommends that you use certificates with L2TP whenever possible. Note also that a preshared key is the same for every peer that uses it: anyone who obtains it (from a client configuration, for example) can impersonate the VPN server to the other clients, so treat it as a shared secret, make it long and random, and replace it when a client that holds it is lost or decommissioned.

The following sections describe how to configure the preshared key on both the L2TP client and the server. If you use Windows Server 2003 for both the client and the VPN server, complete the instructions in both sections so that L2TP with a preshared key works. If you use a Windows Server 2003 VPN client with a third-party VPN server, follow the steps in the Configure a preshared key on a VPN client section of this article, and configure the preshared key on the third-party device.

Configure a preshared key on a VPN client

  1. In Control Panel, double-click Network Connections.

  2. Under the Virtual Private Network section, right-click the connection for which you want to use a preshared key, and then click Properties.

  3. Click the Security tab.

  4. Click IPSec Settings.

    Note

    IPSec Settings is unavailable (shaded) if, on the Networking tab, Type of VPN is set to PPTP VPN. A preshared key can be configured only if this option is set to L2TP IPSec VPN or Automatic.

  5. Click to select the Use preshared key for authentication check box.

  6. In the Key box, type the preshared key value. This value must match the preshared key value that is entered on the VPN-based server.

  7. Click OK two times.

Configure a preshared key on a VPN server

  1. Start the Routing and Remote Access snap-in. To do this, click Start, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click the server that you will configure with the preshared key, and then click Properties.
  3. Click Security.
  4. Click to select the Allow Custom IPSec Policy for L2TP connection check box.
  5. In the Preshared key box, type the preshared key value. This value must match the preshared key value entered on the VPN-based client.
  6. Click OK.

About This Document

Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) is widely used in remote office scenarios to give employees remote access to enterprise intranet resources. Users dial up from a client on their PC to establish an L2TP VPN tunnel to the enterprise and then reach its servers. A fault in an L2TP VPN connection affects the productivity of employees on business trips and degrades their remote access experience. This document describes common L2TP VPN faults that occur on live networks and provides fault-locating roadmaps and troubleshooting methods.

Application Scenarios of L2TP VPN

There are three L2TP VPN application scenarios: client-initiated, L2TP client-initiated, and NAS-initiated. After you determine the L2TP VPN application scenario and know the role of your AR router in the scenario, L2TP VPN fault troubleshooting can become easier.

Client-Initiated Scenario: Mobile Office Users Initiate L2TP Tunnel Connections to Access the Enterprise Intranet

Mobile office users (employees on business trips) of an enterprise access the Internet over Ethernet. The L2TP network server (LNS) is the egress gateway of the headquarters. Users install a dialup client on their mobile terminals and establish L2TP tunnels directly with the LNS, with no need for a separate network access server (NAS). Mobile office users can therefore reach enterprise intranet resources and work flexibly, securely, and reliably regardless of where they are. Client-initiated L2TP VPN connections typically apply where mobile office users of an enterprise need to access the headquarters.

In this scenario, an AR router functions as the LNS. Common L2TP VPN faults may occur on the LNS or dialup client.

L2TP Client-Initiated Scenarios: L2TP Clients Initiate L2TP Tunnel Connections for Intranet Interconnection

To allow users at an enterprise branch to access the headquarters, an L2TP client deployed at the branch automatically initiates dialup requests to the LNS to establish an L2TP tunnel and session. Branch users do not need to dial up themselves to trigger tunnel establishment; they reach the headquarters network as easily as their local branch network. In this scenario, the L2TP VPN tunnel between headquarters and branch simplifies enterprise management.

In this scenario, AR routers can function as the L2TP client and LNS, where common L2TP VPN faults may occur.

NAS-Initiated Scenario: Dialup Users Initiate L2TP Tunnel Connections Through the NAS to Access the Enterprise Intranet

To allow branch users of an enterprise to access the headquarters, a carrier deploys an L2TP tunnel between the NAS and the LNS, and branch users dial up through the NAS to reach the headquarters network. The NAS is deployed by the carrier to provide PPP or PPPoE access for dialup users, who reach external networks through it. The LNS is the egress gateway of the headquarters; it authenticates access users to ensure access security.

In this scenario, AR routers can function as the NAS and LNS, where common L2TP VPN faults may occur.

Implementation of L2TP VPN

L2TP VPN is implemented similarly in different scenarios. The following uses the Client-initiated scenario as an example to describe the process of establishing an L2TP tunnel. Figure 1-1 shows the entire tunnel negotiation process.

Figure 1-1 L2TP tunnel establishment process in client-initiated scenarios

  1. The mobile office user establishes an L2TP tunnel with the LNS.

  2. The mobile office user establishes an L2TP session with the LNS.

    The mobile office user establishes a PPP connection with the LNS in step 3, and the L2TP session records and manages the state of that PPP connection, so an L2TP session must be negotiated between the user and the LNS before the PPP connection is set up. The session carries the user's LCP negotiation information and authentication information. The LNS validates this information and, if authentication succeeds, notifies the peer (the dialup client in this scenario) that the session has been established. The L2TP session is identified by a session ID.

  3. The mobile office user establishes a PPP connection with the LNS.

    The mobile office user obtains the LNS-assigned enterprise intranet IP address using the PPP connection.

  4. The mobile office user sends service packets to access the enterprise HQ server.

Troubleshooting When an L2TP User Fails to Go Online

Checking Whether an L2TP Tunnel Is Established

Troubleshooting Process

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices but PCs connected to the devices cannot communicate with each other. In this case, you can run the display l2tp tunnel command on the faulty device to check information about L2TP tunnels established on it. The following shows a sample command output on the LNS:

<Huawei> display l2tp tunnel

 Total tunnel : 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         10.1.2.3         1701   1        lns 
  • If no tunnel information is displayed in the command output, run the display l2tp tunnel-down-reason command (in V200R010 and later versions) to locate the cause of the L2TP tunnel establishment failure. Then, perform troubleshooting according to Table 1-1. You can also locate the fault according to the sections in this chapter.
    <Huawei> system-view 
    [Huawei] diagnose 
    [Huawei-diagnose] display l2tp tunnel-down-reason 
     *************** L2tp Tunnel Down reason: ***************   
      2019-05-25 00:06:14.540 Peer Addr[1.1.1.2]: L2TP tunnel-down-reason: the received SCCN packet failed to pass the check. [repeat times:50] 
      2019-05-25 00:13:03.050 Peer Addr[1.1.1.2]: L2TP tunnel-down-reason: a StopCCN packet was received. [repeat times:10] 

    Table 1-1 Possible causes of L2TP tunnel establishment failures and handling suggestions

    No. | Cause | Handling Suggestion
    1 | The reset tunnel command was executed. | The tunnel was manually reset. No action is required.
    2 | There was no session. | No user went online in the L2TP client-initiated scenario and the tunnel aged out. No action is required.
    3 | The received SCCRQ packet failed to pass the check. | Capture the SCCRQ messages to locate the fault.
    4 | The received SCCRP packet failed to pass the check. | Capture the SCCRP messages to locate the fault.
    5 | The received SCCCN packet failed to pass the check. | Capture the SCCCN messages to locate the fault.
    6 | The tunnel had already been set up when the SCCRQ packet was received. | Check whether the peer device is faulty.
    7 | The tunnel had already been set up when the SCCRP packet was received. | Check whether the peer device is faulty.
    8 | The tunnel had already been set up, or was idle, when the SCCCN packet was received. | Check whether the peer device is faulty.
    9 | The tunnel password was not configured in the local L2TP group but was configured on the peer device. | Configure the same tunnel password in the local L2TP group, or disable tunnel authentication on the peer device.
    10 | Sending an SCCRQ packet failed. | Check the public network interface status and public network route on the local device.
    11 | Sending an SCCRP packet failed. | Check the public network interface status and public network route on the local device.
    12 | Sending an SCCCN packet failed. | Check the public network interface status and public network route on the local device.
    13 | There was no SCCRP response from the peer and the packet retransmission count reached the limit. | Check whether the peer device receives the SCCRQ messages (the SCCRP is its reply to them).
    14 | A StopCCN packet was received. | Capture packets or check logs on the peer device to locate the fault.
    15 | Sending a Hello packet failed. | Check whether the intermediate network is normal.
    16 | The received packets were already encapsulated with an L2TP header. | Check the peer device.
    17 | The received SCCRQ packet failed to pass the remote name check. | Check the tunnel name configured on the peer device against the remote name allowed in the local L2TP group.
    18 | The received SCCRP packet failed to pass the tunnel authentication. | Configure the same tunnel password on both ends. (Disabling tunnel authentication on the local device also clears the error, but it removes the check instead of fixing the mismatch.)
    19 | Tunnel authentication was not configured in the local L2TP group but was configured on the peer device. | Configure the same tunnel password locally, or disable tunnel authentication on the peer device.
    20 | The received SCCRP packet failed the local check because of an unknown AVP. | Capture the SCCRP messages to locate the fault. The AVP carried in the SCCRP messages should be changed on the peer device.
    21 | There was no SCCCN response from the peer and the packet retransmission count reached the limit. | Check the peer device and the intermediate network.
    22 | There was no route to send the packet. | Check the route configuration on the public network interfaces of the devices at both ends.
    23 | Tunnel authentication was configured in the local L2TP group but was not configured on the peer device. | Configure the same tunnel password on the peer device, or disable tunnel authentication on the local device.
  • If tunnel information is displayed in the command output, go to the next step.
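
Rows 3 to 5 and 18 to 23 of the table above all concern the control-message exchange (SCCRQ, SCCRP, SCCCN) of step 1 of the establishment process: each message is a sequence of AVPs, and tunnel authentication is a Challenge / Challenge Response pair computed over the tunnel password. The following Python is an added example, not Huawei code or device output, that builds and parses RFC 2661 AVPs, computes the Challenge Response, and classifies an incoming SCCRP into the same failure classes as the table. The tunnel passwords and challenge values it uses are constructed, and it covers only the AVP payload, not the 12-byte control header or hidden (H-bit) AVPs.

```python
"""L2TPv2 control-message AVPs (RFC 2661): build and parse them, compute the
tunnel-authentication Challenge Response, and classify why an incoming SCCRP
would be rejected. Added example, not from the Huawei document; the secrets
and challenge bytes used in the demo are constructed."""
import hashlib
import struct

# AVP attribute types used here (RFC 2661 section 4.4) and the values carried
# in the Message Type AVP.
MESSAGE_TYPE, CHALLENGE, CHALLENGE_RESPONSE = 0, 11, 13
SCCRQ, SCCRP, SCCCN, STOPCCN = 1, 2, 3, 4
KNOWN_AVPS = {MESSAGE_TYPE, CHALLENGE, CHALLENGE_RESPONSE}


def build_avp(attr, value, mandatory=True):
    """AVP = M H rsvd(4) Length(10) | Vendor ID(16) | Attribute Type(16) | value."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr) + value


def parse_avps(payload):
    """Return [(attr, vendor, mandatory, value)] or raise on a malformed AVP."""
    avps, off = [], 0
    while off < len(payload):
        if off + 6 > len(payload):
            raise ValueError("truncated AVP header")
        flags, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("bad AVP length")
        if flags & 0x4000:
            raise ValueError("hidden (H bit) AVPs are not handled here")
        avps.append((attr, vendor, bool(flags & 0x8000), payload[off + 6:off + length]))
        off += length
    return avps


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 section 5.1.1: MD5(message type as one byte || tunnel password || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def build_sccrp(secret, peer_challenge, own_challenge):
    """SCCRP as a peer would send it. With a tunnel password it adds its own
    Challenge and, if our SCCRQ carried a Challenge, the Challenge Response."""
    avps = [build_avp(MESSAGE_TYPE, struct.pack("!H", SCCRP))]
    if secret is not None:
        avps.append(build_avp(CHALLENGE, own_challenge))
        if peer_challenge is not None:
            avps.append(build_avp(CHALLENGE_RESPONSE,
                                  challenge_response(SCCRP, secret, peer_challenge)))
    return b"".join(avps)


def check_sccrp(payload, local_secret, sent_challenge):
    """Validate an SCCRP received in reply to our SCCRQ. local_secret is the
    local tunnel password (None when tunnel authentication is not configured)
    and sent_challenge the Challenge we put in the SCCRQ (None if we sent none).
    Returns "ok" or a reason in the style of Table 1-1."""
    avps = parse_avps(payload)
    for attr, vendor, mandatory, _ in avps:
        if mandatory and (vendor != 0 or attr not in KNOWN_AVPS):
            return "unknown mandatory AVP"                            # Table 1-1, row 20
    by_type = {attr: value for attr, vendor, _, value in avps if vendor == 0}
    if struct.unpack("!H", by_type.get(MESSAGE_TYPE, b"\x00\x00"))[0] != SCCRP:
        return "not an SCCRP"
    response = by_type.get(CHALLENGE_RESPONSE)
    if local_secret is None:
        if CHALLENGE in by_type or response is not None:
            return "tunnel authentication configured on peer only"   # row 19
        return "ok"
    if response is None:
        return "tunnel authentication configured locally only"       # row 23
    if response != challenge_response(SCCRP, local_secret, sent_challenge):
        return "tunnel authentication failed"                         # row 18
    return "ok"


if __name__ == "__main__":
    secret, c_local, c_peer = b"tunnel-pw", bytes(16), bytes([0xAB] * 16)  # constructed
    print(check_sccrp(build_sccrp(secret, c_local, c_peer), secret, c_local))
    print(check_sccrp(build_sccrp(b"other-pw", c_local, c_peer), secret, c_local))
```

The Challenge Response is an MD5 over the message type, the tunnel password and the peer's challenge, so the tunnel password is a shared secret in the same sense as the Windows preshared key earlier on this page: both ends must hold the identical value, and disabling tunnel authentication on one end (the table's shortcut for rows 18, 19 and 23) removes the check rather than fixing the mismatch.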

Troubleshooting When an AR Router Functions as an L2TP Client

Context

In the L2TP client-initiated connection scenario where an AR router functions as an L2TP client, after an L2TP VPN is configured between the L2TP client and LNS, the L2TP client and LNS cannot communicate with each other.

Troubleshooting Procedure
  1. Check whether automatic dialup, which the L2TP client uses to initiate L2TP connection requests, is enabled. On the console of the L2TP client, check whether Up/Down messages for the corresponding VT interface are printed (the terminal monitor command must be configured for them to appear).
    <L2TP-Client> 
    2018-4-13 10:01:21+00:00 Huawei %%01IFNET/4/LINK_STATE(1)[54]:The line protocol  
    PPP on the interface Virtual-Template1:0 has entered the UP state. 
    <L2TP-Client> 
    2018-4-13 10:01:21+00:00 Huawei %%01IFNET/4/LINK_STATE(1)[55]:The line protocol  
    PPP on the interface Virtual-Template1:1 has entered the UP state.
    • If no Up/Down message for the corresponding VT interface appears on the console for a long time and no tunnel is established, automatic dialup is disabled on the L2TP client. Run the l2tp-auto-client enable command in the VT interface view to enable it.
    • If the Up/Down message for the VT interface appears but no tunnel is established, go to the next step.
  2. Check whether the PPP user name configured on the VT interface of the L2TP client is the same as that configured in the L2TP group.
    [L2TP-Client] display current-configuration interface virtual-template
    interface Virtual-Template1
     ppp chap user huawei    // User name for CHAP authentication
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#    // CHAP password; must match the password the LNS holds for this user
     ip address ppp-negotiate
     l2tp-auto-client enable
    [L2TP-Client] display current-configuration | begin l2tp-group
    l2tp-group 1
     start l2tp ip 1.1.1.1 fullusername huawei    // LNS public IP address and the user name used to set up the L2TP connection to the LNS
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#    // Tunnel password; must match the one configured on the LNS
     tunnel name L2TPClient

    If the PPP user name is different from that configured in the L2TP group, change the PPP user name on the L2TP client to be the same.

  3. Check whether the destination IP address of the L2TP tunnel is the LNS's IP address and reachable.
    [L2TP-Client] display current-configuration | begin l2tp-group
    l2tp-group 1
     start l2tp ip 1.1.1.1 fullusername huawei    // LNS public IP address and the user name used to set up the L2TP connection to the LNS
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#    // Tunnel password; must match the one configured on the LNS
     tunnel name L2TPClient

    If the specified destination IP address is not the LNS's public IP address, change it to the LNS's public IP address. If a firewall is deployed between the L2TP client and the LNS, a ping may fail even though the address is correct; ensure that the firewall does not block L2TP packets (UDP port 1701).

  4. Check whether the tunnel authentication mode configured on the L2TP client is the same as that configured on the LNS.
    [L2TP-Client] display current-configuration interface virtual-template
    interface Virtual-Template1    // VT interface that receives L2TP connection requests
     ppp authentication-mode chap    // Must match the authentication mode configured on the LNS
    #
    interface Virtual-Template2    // VT interface on which automatic dialup is enabled
     ppp chap user huawei
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#    // CHAP password; must match the password the LNS holds for this user
     ip address ppp-negotiate
     l2tp-auto-client enable
    [LNS] display current-configuration interface virtual-template
    interface Virtual-Template1    // VT interface that receives L2TP connection requests
     ppp authentication-mode chap    // Must match the authentication mode configured on the L2TP client
     remote address pool lns
     ip address 1.1.1.1 255.255.255.0

    Ensure that the authentication configurations are the same on the L2TP client and LNS.

    • Authentication is not configured on the L2TP client and LNS.
    • Authentication is configured on the L2TP client and LNS, and the authentication modes are the same.
  5. Check whether the tunnel name on the L2TP client is specified on the LNS.
    [LNS] display current-configuration | begin l2tp-group
    l2tp-group 1
     allow l2tp virtual-template 1 remote L2TPClient    // Accept L2TP connection requests only from the tunnel named L2TPClient; must match the tunnel name configured on the L2TP client
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#
     tunnel name LNS
    [L2TP-Client] display current-configuration | begin l2tp-group
    l2tp-group 1
     start l2tp ip 1.1.1.1 fullusername huawei
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#
     tunnel name L2TPClient    // Tunnel name configured on the L2TP client
    • If the LNS restricts the remote tunnel name, check that the tunnel name configured on the L2TP client is exactly the name the LNS allows.
    • If the LNS does not check the remote tunnel name, the tunnel name on the L2TP client is optional.
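
Steps 2 and 4 above compare configuration: the PPP user name and password on the VT interface, and the CHAP authentication mode on both ends. What those settings drive is the PPP CHAP exchange (RFC 1994) that runs inside the L2TP session once the tunnel is up: the LNS sends a Challenge, the client answers with MD5(identifier || password || challenge) together with its user name, and the LNS recomputes the hash from the password it holds for that user. The following Python is an added example, not Huawei code, that plays both sides and shows the outcome for a matching user, a wrong password, an unprovisioned user name, a client that is not in CHAP mode, and a replayed response; the user names, passwords and challenge values are constructed.

```python
"""PPP CHAP (RFC 1994) as it runs inside an L2TP session: the LNS sends a
Challenge, the client answers MD5(identifier || secret || challenge) plus its
user name, and the LNS verifies against the user it has provisioned.
Added example, not Huawei code; user names, passwords and challenges are
constructed."""
import hashlib
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_hash(ident, secret, challenge):
    """RFC 1994 section 2: MD5 over Identifier (1 byte), secret, challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code, ident, value, name):
    """Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt) or length < 5 or 5 + pkt[4] > length:
        raise ValueError("malformed CHAP packet")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


class L2tpClient:
    """Dial-in side; mirrors 'ppp chap user' / 'ppp chap password' on the VT."""
    def __init__(self, user, secret, auth_mode="chap"):
        self.user, self.secret, self.auth_mode = user, secret, auth_mode

    def respond(self, challenge_pkt):
        if self.auth_mode != "chap":            # e.g. PAP configured: no CHAP reply
            return None
        code, ident, value, _ = parse_chap(challenge_pkt)
        if code != CHAP_CHALLENGE:
            return None
        return chap_packet(CHAP_RESPONSE, ident,
                           chap_hash(ident, self.secret, value), self.user)


class Lns:
    """Authenticating side. users maps PPP user name -> cleartext secret, which
    CHAP forces the LNS to keep (hence the reversible 'cipher' form in the
    device configuration)."""
    def __init__(self, users):
        self.users, self.ident, self.value = users, 0, b""

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF      # new identifier per challenge
        self.value = os.urandom(16)               # fresh random challenge value
        return chap_packet(CHAP_CHALLENGE, self.ident, self.value, b"LNS")

    def verify(self, response_pkt):
        if response_pkt is None:
            return "no CHAP response (authentication mode mismatch?)"
        code, ident, value, name = parse_chap(response_pkt)
        if code != CHAP_RESPONSE or ident != self.ident:
            return "unexpected CHAP packet"        # stale or replayed response
        secret = self.users.get(name)
        if secret is None:
            return f"unknown PPP user {name.decode()!r}"
        if value != chap_hash(ident, secret, self.value):
            return f"bad password for {name.decode()!r}"
        return "ok"


def run_session(client, lns):
    """One challenge/response round; returns the LNS verdict."""
    return lns.verify(client.respond(lns.challenge()))


if __name__ == "__main__":
    lns = Lns({b"huawei": b"Huawei@123"})         # constructed local user
    for c in (L2tpClient(b"huawei", b"Huawei@123"),
              L2tpClient(b"huawei", b"wrong"),
              L2tpClient(b"branch1", b"Huawei@123"),
              L2tpClient(b"huawei", b"Huawei@123", auth_mode="pap")):
        print(run_session(c, lns))
```

Because CHAP verifies MD5(identifier || secret || challenge), the LNS must hold the cleartext password (or a reversible encryption of it, which is what the cipher form in the device configuration is), and the exchange authenticates only the client to the LNS. Keep CHAP secrets per user rather than shared, and treat the configuration that stores them as sensitive.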

Troubleshooting When an AR Router Functions as an NAS

Context

In the NAS-initiated connection scenario where an AR router functions as an NAS, after an L2TP VPN is configured, the NAS and LNS cannot communicate with each other.

Troubleshooting Procedure
  1. Check whether a PPP user accesses the NAS.

    Run the display pppoe-server session all command to view the PPPoE session status and statistics on the NAS.

    <NAS> display pppoe-server session all
    Total Session: 1                                                                  
    SID      Intf                    State   OIntf           RemMAC         LocMAC  
    1        Virtual-Template1        UP     GE1/0/0        00e0.fc03.0201 0819.a6cd.0680
    • If the PPPoE session is in DOWN state, no PPP user accesses the NAS. Check whether a PPP user has performed dialup to access the NAS.
    • If the PPPoE session is in UP state, go to the next step.
  2. Check whether the user authentication information is correct.
    1. Check whether the PPP user name configured on the VT interface of the NAS is the same as that configured in the L2TP group.
      [NAS] display current-configuration interface virtual-template
      interface Virtual-Template1
       ppp chap user huawei    // User name for CHAP authentication
       ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#    // CHAP password; must match the password the LNS holds for this user
       ip address ppp-negotiate
       l2tp-auto-client enable
      [NAS] display current-configuration | begin l2tp-group
      l2tp-group 1
       start l2tp ip 1.1.1.1 fullusername huawei    // LNS public IP address and the user name used to set up the L2TP connection to the LNS
       tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#    // Tunnel password; must match the one configured on the LNS
       tunnel name NAS

      If the PPP user name is different from that configured in the L2TP group, change the PPP user name on the NAS to be the same.

  3. Check whether the destination IP address of the L2TP tunnel is the LNS's IP address and reachable.
    [NAS] display current-configuration | begin l2tp-group
    l2tp-group 1
     start l2tp ip 1.1.1.1 fullusername huawei    // LNS public IP address and the user name used to set up the L2TP connection to the LNS
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#    // Tunnel password; must match the one configured on the LNS
     tunnel name NAS

    If the specified IP address is not the LNS's public IP address, change it to the LNS's public IP address. If a firewall is deployed between the NAS and the LNS, a ping may fail even though the address is correct; ensure that the firewall does not block L2TP packets (UDP port 1701).

  4. Check whether the tunnel authentication mode configured on the NAS is the same as that configured on the LNS.
    [NAS] display current-configuration interface virtual-template
    interface Virtual-Template1    // VT interface that receives L2TP connection requests
     ppp authentication-mode chap    // Must match the authentication mode configured on the LNS
    #
    interface Virtual-Template2    // VT interface on which automatic dialup is enabled
     ppp chap user huawei
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#    // CHAP password; must match the password the LNS holds for this user
     ip address ppp-negotiate
     l2tp-auto-client enable
    [LNS] display current-configuration interface virtual-template
    interface Virtual-Template1    // VT interface that receives L2TP connection requests
     ppp authentication-mode chap    // Must match the authentication mode configured on the NAS
     remote address pool lns
     ip address 1.1.1.1 255.255.255.0

    Ensure that the authentication configurations are the same on the NAS and LNS.

    • Authentication is not configured on the NAS and LNS.
    • Authentication is configured on the NAS and LNS, and the authentication modes are the same.
  5. Check whether the tunnel name on the NAS is specified on the LNS.
    [LNS] display current-configuration | begin l2tp-group
    l2tp-group 1
     allow l2tp virtual-template 1 remote NAS    // Accept L2TP connection requests only from the tunnel named NAS; must match the tunnel name configured on the NAS
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#
     tunnel name LNS
    [NAS] display current-configuration | begin l2tp-group
    l2tp-group 1
     start l2tp ip 1.1.1.1 fullusername huawei
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#
     tunnel name NAS    // Tunnel name configured on the NAS
    • If the LNS restricts the remote tunnel name, check that the tunnel name configured on the NAS is exactly the name the LNS allows.
    • If the LNS does not check the remote tunnel name, the tunnel name on the NAS is optional.

Troubleshooting When an AR Router Functions as an LNS

Context

In scenarios where an AR router functions as an LNS, after an L2TP VPN is configured, the LNS cannot communicate with the peer device.

Troubleshooting Procedure
  1. Check whether an L2TP VPN tunnel is being established on the LNS.
    <LNS> debugging l2tp all
    <LNS> terminal debugging
    Info: Current terminal debugging is on.

    If L2TP has been configured on the LNS but no debugging information is displayed, check whether the peer device or the intermediate network is faulty. Debugging output can load the CPU of a production device heavily, so run undo debugging all as soon as you have captured what you need.

  2. Check whether the tunnel authentication mode configured on the LNS is the same as that configured on the peer device.
    [LNS] display current-configuration interface virtual-template
    interface Virtual-Template1
     ppp authentication-mode chap    // Must match the authentication mode configured on the peer device
     remote address pool lns
     ip address 1.1.1.1 255.255.255.0
    [NAS] display current-configuration interface virtual-template
    interface Virtual-Template1
     ppp authentication-mode chap    // Must match the authentication mode configured on the LNS
    #
    interface Virtual-Template2    // VT interface on which automatic dialup is enabled
     ppp chap user huawei
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     ip address ppp-negotiate
     l2tp-auto-client enable

    Ensure that the authentication configurations are the same on the LNS and peer device.

    • Authentication is not configured on the LNS and peer device.
    • Authentication is configured on both the LNS and peer device, and the authentication modes are the same.
  3. Check whether the tunnel name on the peer device is specified on the LNS.
    [LNS] display current-configuration | begin l2tp-group
    l2tp-group 1
     allow l2tp virtual-template 1 remote NAS    // Accept L2TP connection requests only from the tunnel named NAS; must match the tunnel name configured on the peer device
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#
     tunnel name LNS
    • If the LNS restricts the remote tunnel name, check that the tunnel name configured on the peer device is exactly the name the LNS allows.
    • If the LNS does not check the remote tunnel name, the tunnel name on the peer device is optional.
  4. Check whether a VPN instance is configured on the interface connecting the LNS to the peer device.
    [LNS-GigabitEthernet0/0/1] display this
    [V200R009C00SPC500] 
    #
    interface GigabitEthernet0/0/1
     ip binding vpn-instance a
     ip address 1.1.1.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 1.1.1.1                                                                            
    #                                                                               
    return

    If a VPN instance is bound to the interface, bind the same VPN instance in the L2TP group as well:

    [LNS] l2tp-group 1 
    [LNS-l2tp1] allow l2tp virtual-template 1 remote lac vpn-instance a

Checking Whether an L2TP Session Is Established

Troubleshooting Process

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices but PCs connected to the devices cannot communicate with each other. In this case, run the display l2tp session command on the faulty device to check the L2TP sessions established on it. The following shows a sample command output on the LNS:

<LNS> display l2tp session
Total session : 1                                                                
LocalSID  RemoteSID  LocalTID  Interface            LclTAddr        RmtTAddr        LclSAddr        RmtSAddr    
1         1          4         Virtual-Template0:1  3.3.40.132      3.3.40.140      5.5.5.1         5.5.5.201

  • If no session information is displayed in the command output, run the display l2tp session-down-reason command (in V200R009 and later versions) to locate the cause of the L2TP session establishment failure. Then, perform troubleshooting according to Table 1-2. You can also locate the fault according to the sections in this chapter.
    <Huawei> system-view 
    [Huawei] diagnose 
    [Huawei-diagnose] display l2tp session-down-reason  
       2019-05-25 00:13:02.940 Peer Addr[1.1.1.2]: L2TP session-down-reason: Physical interface is down. [repeat times:108]

    Table 1-2 Possible causes of L2TP session establishment failures and handling suggestions

    1. Cause: the reset session command was executed.
       Handling suggestion: No action is required. Wait for the session to be renegotiated.

    2. Cause: the number of sessions reached the limit.
       Handling suggestion: To support more concurrent sessions, replace the device with another one with higher specifications.

    3. Cause: sending packets failed.
       Handling suggestion: Check whether there is a route to the peer device.

    4. Cause: the received ICRQ packet failed to pass the check.
       Handling suggestion: Check whether the format of the ICRQ message and the AVP field in the ICRQ message meet the protocol requirements.

    5. Cause: the received ICRP packet failed to pass the check.
       Handling suggestion: Check whether the format of the ICRP message and the AVP field in the ICRP message meet the protocol requirements.

    6. Cause: the received ICCN packet failed to pass the check.
       Handling suggestion: Check whether the format of the ICCN message and the AVP field in the ICCN message meet the protocol requirements.

    7. Cause: the session has been established when the ICRQ packet was received.
       Handling suggestion: Check whether the tunnel ID or session ID in the ICRQ message sent by the peer device is incorrect.

    8. Cause: the session has been established when the ICRP packet was received.
       Handling suggestion: Check whether the tunnel ID or session ID in the ICRP message sent by the peer device is incorrect.

    9. Cause: the session has been established when the ICCN packet was received.
       Handling suggestion: Check whether the tunnel ID or session ID in the ICCN message sent by the peer device is incorrect.

    10. Cause: the session was idle when the ICRP packet was received.
        Handling suggestion: Check whether the tunnel ID or session ID in the ICRP message sent by the peer device is incorrect.

    11. Cause: the session was idle when the ICCN packet was received.
        Handling suggestion: Check whether the tunnel ID or session ID in the ICCN message sent by the peer device is incorrect.

    12. Cause: processing the ICRP packet failed.
        Handling suggestion: Check whether the format of the ICRP message and the AVP field in the ICRP message meet the protocol requirements.

    13. Cause: an error occurred during data preparation.
        Handling suggestion: The virtual access interface corresponding to the session fails to be created on the local device. Contact technical support personnel.

    14. Cause: a CDN packet was received.
        Handling suggestion: Check why the peer device requests to disconnect the tunnel.

    15. Cause: there was no response for the ICRQ or ICRP packet.
        Handling suggestion: The peer device does not respond to the ICRQ or ICRP message. Check whether the configuration on the peer device and the return route are correct.

    16. Cause: the PPP link was terminated.
        Handling suggestion: If a PPP Terminate Request is received from the peer device, check why the peer device requests to terminate the session.

    17. Cause: the Multichassis-MP bundle does not exist.
        Handling suggestion: The negotiation fails or the peer device terminates the session. If services are affected, contact technical support personnel.

    18. Cause: the session was Multichassis-MP temp call to find the bundle.
        Handling suggestion: The MP service is processed normally, and no action is required.

    19. Cause: Physical interface is down.
        Handling suggestion: The physical interface alternates between Up and Down. Check whether the physical connection is normal.

    20. Cause: PPP Authentication of peer device failed.
        Handling suggestion: Check whether the user name and password configured on the local device are correct.

    21. Cause: PPP Authentication failed from AAA Server.
        Handling suggestion: Check whether the user name and password for L2TP dialup are correct and whether the authentication configurations on the AAA server are correct.

    22. Cause: The IP Address of interface hasn't been configured.
        Handling suggestion: If no IP address of the VT interface is configured when the device functions as an LNS, configure an IP address for the VT interface.

    23. Cause: The IP Address conflicts.
        Handling suggestion: When the IP address allocated to the device functioning as the LAC conflicts with the IP address of another interface, check the address pool configuration on the LNS or change the IP address of the other interface on the local device.

  • If session information is displayed in the command output, go to the next step.

Troubleshooting When an AR Router Functions as an L2TP Client

Context

In the L2TP client-initiated connection scenario where an AR router functions as an L2TP client, after an L2TP VPN is configured between the L2TP client and LNS, the L2TP client and LNS cannot communicate with each other.

Troubleshooting Procedure
  1. Check whether user authentication is successful.

    Check whether an authentication failure log is recorded.

    2018-4-13 11:50:09+00:00 Huawei %%01PPP/4/CHAPAUTHFAIL(1)[202]:On the interface Virtual-Template1:0, PPP link was closed because CHAP authentication failed.

    If a log is recorded indicating that CHAP authentication fails, the PPP link is disconnected. Check whether the user name and password configured on the VT interface are correct.

    [L2TP-Client] display current-configuration interface virtual-template
    interface Virtual-Template1
     ppp chap user huawei   // Configure the user name for CHAP authentication.
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#   // The tunnel password must be the same as that configured on the LNS.
     ip address ppp-negotiate
     l2tp-auto-client enable

    • If the user name or password is incorrect, configure it correctly.
    • If the user name and password are correct, check whether authentication is enabled on the L2TP client.
  2. Check whether the authentication modes are the same on the L2TP client and LNS.
    [L2TP-Client] display current-configuration interface virtual-template
    interface Virtual-Template1   // VT interface that receives L2TP connection requests
     ppp authentication-mode chap   // The authentication mode must be the same as that configured on the LNS.
    #
    interface Virtual-Template2   // VT interface where automatic dialup is enabled
     ppp chap user huawei
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#   // The tunnel password must be the same as that configured on the LNS.
     ip address ppp-negotiate
     l2tp-auto-client enable
    [LNS] display current-configuration interface virtual-template
    interface Virtual-Template1   // VT interface that receives L2TP connection requests
     ppp authentication-mode chap   // The authentication mode must be the same as that configured on the L2TP client.
     remote address pool lns
     ip address 1.1.1.1 255.255.255.0

    Ensure that the authentication configurations are the same on the L2TP client and LNS.

    • Authentication is not configured on the L2TP client and LNS.
    • Authentication is configured on the L2TP client and LNS, and the authentication modes are the same.

Troubleshooting When an AR Router Functions as an NAS

Context

In the NAS-initiated connection scenario where an AR router functions as an NAS, after an L2TP VPN is configured, the NAS and LNS cannot communicate with each other.

Troubleshooting Procedure
  1. Check whether user authentication is successful.

    Check whether an authentication failure log is recorded.

    2018-4-13 11:50:09+00:00 Huawei %%01PPP/4/CHAPAUTHFAIL(1)[202]:On the interface Virtual-Template1:0, PPP link was closed because CHAP authentication failed.

    If a log is recorded indicating that CHAP authentication fails, the PPP link is disconnected. Check whether the user name and password configured on the VT interface are correct.

    [LAC-Virtual-Template1] display this                                          
    #                                                                                
    interface Virtual-Template1 
     ppp chap user huawei1    // Configure the user name for CHAP authentication.
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     ip address ppp-negotiate 
     l2tp-auto-client enable

    • If the user name or password is incorrect, configure it correctly.
    • If the user name and password are correct, check whether authentication is enabled on the NAS.
  2. Check whether the tunnel authentication modes are the same on the NAS and LNS.
    [NAS] display current-configuration interface virtual-template
    interface Virtual-Template1   // VT interface that receives L2TP connection requests
     ppp authentication-mode chap   // The authentication mode must be the same as that configured on the LNS.
    #
    interface Virtual-Template2   // VT interface where automatic dialup is enabled
     ppp chap user huawei
     ppp chap password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#   // The tunnel password must be the same as that configured on the LNS.
     ip address ppp-negotiate
     l2tp-auto-client enable
    [LNS] display current-configuration interface virtual-template
    interface Virtual-Template1   // VT interface that receives L2TP connection requests
     ppp authentication-mode chap   // The authentication mode must be the same as that configured on the NAS.
     remote address pool lns
     ip address 1.1.1.1 255.255.255.0

    Ensure that the authentication configurations are the same on the NAS and LNS.

    • Authentication is not configured on the NAS and LNS.
    • Authentication is configured on the NAS and LNS, and the authentication modes are the same.

Troubleshooting When an AR Router Functions as an LNS

Context

In scenarios where an AR router functions as an LNS, after an L2TP VPN is configured, the LNS cannot communicate with the peer device.

Troubleshooting Procedure
  1. Check whether user authentication is successful.

    Check whether an authentication failure log is recorded.

    2018-4-13 11:50:09+00:00 Huawei %%01PPP/4/CHAPAUTHFAIL(1)[202]:On the interface Virtual-Template1:0, PPP link was closed because CHAP authentication failed.

    If a log is recorded indicating that CHAP authentication fails, the PPP link is disconnected. Check whether the user name, password, and authentication mode configured in the AAA view on the LNS are the same as those on the peer device.

    [Huawei-aaa] display this                                                                                               
    [V300R019C11SPC300]                                                                                                       
    #
    aaa
     local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     local-user huawei privilege level 0
     local-user huawei service-type ppp                                                                                       
    #                                                                                                                          
    return                               

    Ensure that the authentication configurations are the same on the LNS and peer device.

    • Authentication is not configured on the LNS and peer device.
    • Authentication is configured on the LNS and peer device, and the user name, password, and authentication mode are the same.
  2. Check whether the correct address pool is specified on the VT interface of the LNS for assigning an IP address for the peer device.
    [LNS] display current-configuration interface virtual-template                              
    interface Virtual-Template1   
     ppp authentication-mode chap
     remote address pool lns   // Specify an address pool for assigning an IP address for the peer device.
     ip address 1.1.1.1 255.255.255.0
    • If the address pool is incorrect, run the remote address command to specify the correct address pool.
    • If the address pool is correct, go to the next step.

Checking the L2TP Dialup Configuration on the PC

In the client-initiated scenario, when a PC uses the built-in dialup software to establish an L2TP VPN connection with the LNS, the dialup may fail. Table 1-3 lists common L2TP VPN connection faults on PCs and troubleshooting suggestions to help you quickly rectify faults and recover network services. If the fault persists, go to Troubleshooting Procedure for the detailed troubleshooting procedure. The following uses a Windows 10 PC as an example.

Table 1-3 Common L2TP VPN faults and troubleshooting suggestions

  1. Fault description: A Windows 10 PC fails to establish an L2TP VPN connection through dialup. The system returns the error "L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."

    Possible cause: By default, the Windows 10 operating system does not support IPsec NAT Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the VPN server is behind a NAT device, a Windows 10 PC or Windows 10-based dialup client cannot set up an L2TP connection to the VPN server.

    Handling suggestion: Modify the registry on the PC to rectify this fault. Click Start and then Run. Enter regedit in the Open box and press Enter to open the Registry Editor. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent. Create a DWORD value named AssumeUDPEncapsulationContextOnSendRule, and set the value to 2. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters, create a DWORD value named ProhibitIpSec and set the value to 0. Then, restart the PC.

  2. Fault description: A Windows 7 PC fails to establish an L2TP VPN connection through dialup. The system returns the error 789 "L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."

    Possible cause: By default, the Windows 7 operating system does not support IPsec NAT-T security associations to servers that are located behind a NAT device. Therefore, if the VPN server is behind a NAT device, a Windows 7 PC or Windows 7-based dialup client cannot set up an L2TP connection to the VPN server.

    Handling suggestion: Modify the registry on the PC to rectify this fault. Click Start and then Run. Enter regedit in the Open box and press Enter to open the Registry Editor. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent. Create a DWORD value named AssumeUDPEncapsulationContextOnSendRule, and set the value to 2. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters, create a DWORD value named ProhibitIpSec and set the value to 0. Then, restart the PC.

  3. Fault description: A Windows PC establishes an L2TP VPN connection through dialup only after dozens of attempts. The system returns the error 691 "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

    Possible cause: This error occurs because the LNS supports only 16-byte challenge messages. When the length of challenge messages received by the LNS is not 16 bytes, CHAP authentication fails and error 691 is returned.

    Handling suggestion: Run the mandatory-lcp command to enable mandatory LCP re-negotiation so that the LNS and clients negotiate 16-byte challenge messages.

Troubleshooting Procedure

  1. Check whether the tunnel name configured on the LNS is the same as that configured on the dialup client.
    • Check the tunnel name configured on the dialup client. Access VPN, select the L2TP VPN configuration file, and click Advanced options.
    • Check whether the LNS has the same tunnel name.
      <LNS> display l2tp tunnel
      
       Total tunnel : 1 
       LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
       1        1         10.1.2.3         1701   1        L2TP 

    If the tunnel names are different, run the allow l2tp command in the L2TP group view on the LNS to specify the same tunnel name. Alternatively, on the L2TP page of the PC, click Edit. On the Edit VPN connection page that is displayed, enter the server name or address, and click Save. A connection is then re-established.

  2. Check whether tunnel authentication is enabled on both the dialup client and LNS.
    • Check whether tunnel authentication is enabled on the LNS. If so, the tunnel authentication mode and ciphertext password are displayed in the display this command output.
      [LNS-l2tp1] display this 
      #                                                                                
      l2tp-group 1  
       tunnel name LNS
       tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@ 
       allow l2tp virtual-template 1 remote lac
      #                                                                               
      return
    • Check whether tunnel authentication is enabled on the dialup client. Right-click Start and choose Network Connections. Click Change adapter settings, right-click your VPN connection, and choose Properties from the shortcut menu. On the Security tab page, check the data encryption setting.

    If tunnel authentication is enabled on the LNS but disabled on the dialup client, enable tunnel authentication on the dialup client. The tunnel authentication password on the dialup client must be the same as that configured on the LNS.

  3. Check whether the tunnel authentication password configured on the dialup client is the same as that on the LNS. If not, enter the correct tunnel authentication password on the dialup client.
  4. Check whether the pre-shared key on the dialup client is correct.

    If the pre-shared key is incorrect, enter the correct pre-shared key as follows: Click Edit on the L2TP page. On the Edit VPN connection page that is displayed, enter the correct pre-shared key, and click Save to set up the connection again.

  5. Check whether the encryption settings on the dialup client are correct. Right-click Start and choose Network Connections. Click Change adapter settings, right-click your VPN connection, and choose Properties from the shortcut menu. On the Security tab page, select Optional encryption (connect even if no encryption) from the Data encryption drop-down list box, and then click OK.
  6. Check whether the authentication settings on the dialup client are correct. Right-click Start and choose Network Connections. Click Change adapter settings, right-click your VPN connection, and choose Properties from the shortcut menu. On the Security tab page, select Allow these protocols, Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP Version 2(MS-CHAP v2), and then click OK.
  7. Check whether the LNS and the dialup client are deployed behind a NAT device (such as a home router). If so, check whether the registry settings on the PC are correct. If not, correct them as follows: Click Start and then Run. Enter regedit in the Open box and press Enter to open the Registry Editor. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent. Create a DWORD value named AssumeUDPEncapsulationContextOnSendRule, and set the value to 2. Locate and click HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters, create a DWORD value named ProhibitIpSec and set the value to 0. Then, restart the PC.

Troubleshooting When an L2TP User Goes Online Successfully but Services Are Unavailable

Context

In the client-initiated, L2TP client-initiated, or NAS-initiated scenario, after an L2TP VPN is configured between devices, services are interrupted, and access users on the devices cannot access intranet resources.

Troubleshooting Procedure

Perform a ping or tracert operation to check whether the local and peer devices can communicate with each other.

<Huawei> ping 192.168.101.1
  PING 192.168.101.1: 56  data bytes, press CTRL_C to break                                                                         
    Reply from 192.168.101.1: bytes=56 Sequence=1 ttl=127 time=8 ms                                                                 
    Reply from 192.168.101.1: bytes=56 Sequence=2 ttl=127 time=4 ms                                                                 
    Reply from 192.168.101.1: bytes=56 Sequence=3 ttl=127 time=2 ms                                                                 
    Reply from 192.168.101.1: bytes=56 Sequence=4 ttl=127 time=3 ms                                                                 
    Reply from 192.168.101.1: bytes=56 Sequence=5 ttl=127 time=3 ms                                                                 

  --- 192.168.101.1 ping statistics ---                                                                                             
    5 packet(s) transmitted                                                                                                         
    5 packet(s) received                                                                                                            
    0.00% packet loss                                                                                                               
    round-trip min/avg/max = 2/4/8 ms 
  • If they can communicate with each other, check whether they have obtained the correct IP addresses and gateway information from the carrier and whether the peer device can communicate with the carrier's gateway. For details, see Troubleshooting: IP Unicast Routing.
  • If they cannot communicate with each other, go to the next step.

Troubleshooting When an L2TP User Goes Online and Offline Repeatedly Causing Frequent Service Interruption

Context

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices, but PCs connected to the devices cannot communicate with each other. In this case, check whether the following logs are recorded: "IFNET/4/LINK_STATE:The line protocol [line-protocol] on the interface [interface-name] has entered the [state] state" and "PPP/4/CHAPAUTHFAIL:On the interface [interface-name], PPP link was closed because CHAP authentication failed." These logs show that the L2TP tunnel frequently alternates between Up and Down, causing frequent service interruptions.

2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1233]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1234]:The line protocol PPP on the interface Virtual-Template1:1 has entered the UP state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1237]:The line protocol PPP on the interface Virtual-Template1:1 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01PPP/4/PHYSICALDOWN(l)[1238]:On the interface Virtual-Template1:0, PPP link was closed because the status of the physical layer was Down.                       
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1239]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1240]:The line protocol PPP IPCP on the interface Virtual-Template1:0 has entered the DOWN state.
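An added detection script (not code from the Huawei guide) that parses log lines in the format shown above and flags any virtual-access interface whose PPP line protocol goes Down repeatedly within a short window; the log buffer embedded in it is constructed, and the threshold and window size are assumptions.

```python
"""Flap detector for the IFNET/4/LINK_STATE, PPP/4/PHYSICALDOWN and
PPP/4/CHAPAUTHFAIL log lines quoted in this guide (added example, not code
from the Huawei documentation). It parses a log buffer, counts how often the
PPP line protocol of each virtual-access interface goes Down inside a sliding
time window, and reports interfaces that exceed a threshold, together with
per-interface counts of CHAP failures and physical-layer Down events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Huawei log line: "<date> <time>+00:00 <host> %%01<MODULE>/<sev>/<NAME>(l)[<seq>]:<text>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})\+\d{2}:\d{2} \S+ "
    r"%%01(?P<module>[A-Z0-9]+)/(?P<sev>\d)/(?P<name>[A-Z_]+)\([a-z0-9]\)\[\d+\]:(?P<text>.*)$"
)
LINK_RE = re.compile(
    r"The line protocol (?P<proto>.+?) on the interface (?P<intf>\S+) "
    r"has entered the (?P<state>UP|DOWN) state\."
)
IFACE_RE = re.compile(r"On the interface (?P<intf>[^,]+),")

# Constructed sample log buffer in the format shown in the guide (not a real capture).
SAMPLE_LOGS = """\
2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1233]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:41:22+00:00 Huawei %%01PPP/4/PHYSICALDOWN(l)[1238]:On the interface Virtual-Template1:0, PPP link was closed because the status of the physical layer was Down.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1239]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1240]:The line protocol PPP IPCP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:42:05+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1241]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:43:30+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1242]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:44:10+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1243]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:45:40+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1244]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:50:09+00:00 Huawei %%01PPP/4/CHAPAUTHFAIL(1)[202]:On the interface Virtual-Template1:1, PPP link was closed because CHAP authentication failed.
2020-4-13 14:50:09+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1245]:The line protocol PPP on the interface Virtual-Template1:1 has entered the DOWN state.
"""


def parse_events(log_text):
    """Return a list of (timestamp, kind, interface) tuples, where kind is one of
    'up', 'down', 'chapauthfail' or 'physicaldown'. Unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        name, text = m.group("name"), m.group("text")
        if name == "LINK_STATE":
            lm = LINK_RE.search(text)
            # Count only the PPP line protocol itself; the "PPP IPCP" notification
            # that follows each Down is a consequence of the same event.
            if lm and lm.group("proto") == "PPP":
                events.append((ts, lm.group("state").lower(), lm.group("intf")))
        elif name in ("CHAPAUTHFAIL", "PHYSICALDOWN"):
            im = IFACE_RE.search(text)
            if im:
                events.append((ts, name.lower(), im.group("intf")))
    return events


def find_flapping(events, min_downs=3, window=timedelta(minutes=10)):
    """Return {interface: downs_in_worst_window} for every interface whose PPP
    line protocol went Down at least min_downs times inside any window-sized
    span. Threshold and window are assumed values, tune them per deployment."""
    downs = defaultdict(list)
    for ts, kind, intf in events:
        if kind == "down":
            downs[intf].append(ts)
    flapping = {}
    for intf, times in downs.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted Down times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_downs:
            flapping[intf] = best
    return flapping


def count_by_kind(events):
    """Return {interface: {kind: count}} so CHAP failures and physical-layer
    Down events can be separated from ordinary state changes."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, kind, intf in events:
        counts[intf][kind] += 1
    return {intf: dict(kinds) for intf, kinds in counts.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for intf, n in find_flapping(evs).items():
        print(f"{intf}: PPP went Down {n} times within 10 minutes -> flapping")
    print(count_by_kind(evs))
```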

Troubleshooting Procedure

  1. Check whether the CPU usage of the devices is high. If the CPU usage exceeds 70%, PPP heartbeat packets time out.
    [Huawei-diagnose] display cpu-usage  
    CPUUsage Stat. Cycle: 10 (Second)                                             
    CPUUsage Stat. Time : 2013-09-24  10:11:55                                    
    Control Plane               
        CPU Usage: 23.3%   Max: 100%                                               
        User: 10.7%   System:  6.9%   SoftIrq:  0.0%   HardIrq:  5.5%   Idle: 76.7%                       
    
        CPU utilization for ten seconds: 23.3%  one minute:  22.0%  five minutes:  23.0% .                       
    Data    Plane              
        CPU Usage:  1.7%   Max: 100%                                               
        CPU utilization for ten seconds:  1.7%  one minute:   1.6%  five minutes:    1.6% .    
    PID   ProcessName         CPU%     CoreIndex      Runtime     State              
    194   cap32            1.7%      CPU1           26132042    R                 
    193   vrp                20.0%      CPU0           11216335    S                 
    191   monitor             0.0%      CPU0           2324        S  
    .......               

    If the CPU usage is too high, rectify the fault by referring to CPU Usage Is High.

  2. Run the following command multiple times to check the statistics on the packets sent to the CPU and determine whether the number of dropped L2TP packets increases.
    <Huawei> display cpu-defend statistics
    ----------------------------------------------------------------------- 
    Packet Type               Pass Packets        Drop Packets 
    ----------------------------------------------------------------------- 
    8021X                                0                   0 
    arp-miss                             5                   0
    ......
    l2tp                            0                 0
    ---------------------------------------------------------------------

    If L2TP packets are lost, run the following commands to configure a larger rate limit for L2TP and PPP packets to be sent to the CPU.

    [Huawei] cpu-defend policy devicesafety
    [Huawei-cpu-defend-policy-devicesafety] packet-type l2tp rate-limit 64
    [Huawei-cpu-defend-policy-devicesafety] quit
    [Huawei] cpu-defend-policy devicesafety
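Comparing two successive snapshots of the display cpu-defend statistics output, as an added example that is not from the Huawei guide; both snapshots are constructed in the output format shown above, with the l2tp drop counter growing between them.

```python
"""Parse `display cpu-defend statistics` output and report packet types whose
Drop Packets counter grew between two runs of the command (added example, not
code from the Huawei guide). The snapshots below are constructed to match the
output format shown in the guide; they are not real device output.
"""
import re

# Data rows look like "<packet-type>   <pass-count>   <drop-count>"; the header,
# the dashed separator lines and the "......" elision do not match this pattern.
ROW_RE = re.compile(r"^\s*(?P<ptype>[A-Za-z0-9_.-]+)\s+(?P<pass>\d+)\s+(?P<drop>\d+)\s*$")

SNAPSHOT_1 = """\
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                                0                   0
arp-miss                             5                   0
......
l2tp                              1200                   0
-----------------------------------------------------------------------
"""

SNAPSHOT_2 = """\
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                                0                   0
arp-miss                             9                   0
......
l2tp                              1450                  37
-----------------------------------------------------------------------
"""


def parse_cpu_defend(output):
    """Return {packet_type: (pass_packets, drop_packets)} from the command output."""
    stats = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m.group("ptype")] = (int(m.group("pass")), int(m.group("drop")))
    return stats


def drop_growth(before, after, packet_types=None):
    """Return {packet_type: drop_delta} for every type whose drop counter increased.

    A counter that went backwards (device reboot or statistics reset between the
    two runs) is treated as restarted from zero, so the new absolute value is the
    delta rather than a negative number hiding real loss.
    """
    types = packet_types or sorted(set(before) | set(after))
    growth = {}
    for ptype in types:
        old_drop = before.get(ptype, (0, 0))[1]
        new_drop = after.get(ptype, (0, 0))[1]
        delta = new_drop - old_drop if new_drop >= old_drop else new_drop
        if delta > 0:
            growth[ptype] = delta
    return growth


if __name__ == "__main__":
    first, second = parse_cpu_defend(SNAPSHOT_1), parse_cpu_defend(SNAPSHOT_2)
    for ptype, delta in drop_growth(first, second, ["l2tp"]).items():
        print(f"{ptype}: {delta} more packets dropped since the previous run")
```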

Collecting Information About Common L2TP Faults

If the fault persists after the preceding steps, collect relevant information and contact technical support personnel.

  1. Collect fault information.
    • Collect operation results of the preceding steps and record the results in a file.
    • Obtain packet headers or run the debugging l2tp all command to collect information about packets generated during L2TP tunnel and session establishment.
      <Huawei> terminal monitor 
      Info: Current terminal monitor is on. 
      <Huawei> terminal debugging 
      Info: Current terminal debugging is on. 
      <Huawei> debugging l2tp all
    • Run the debugging ppp all command to collect information about PPP negotiation.
      <Huawei> terminal monitor 
      Info: Current terminal monitor is on. 
      <Huawei> terminal debugging 
      Info: Current terminal debugging is on. 
      <Huawei> debugging ppp all
    • After collecting debugging information, run the undo debugging all command to disable debugging to prevent it from affecting the system performance.
    • Collect all diagnostic information and export the information to a file.
      1. Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.

        <HUAWEI> display diagnostic-information dia-info.txt
          This operation will take several minutes, please wait.........................
        ..................................................................              
        Info: The diagnostic information was saved to the device successfully.. 
      2. After the diagnostic information file is generated, you can export the file from the device using TFTP, FTP, or SFTP. For details, see Local File Management.

        • You can run the dir command in the user view to check whether the file is generated.

        • You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk. For details, see Diagnostic File Obtaining Guide.

        • If this command output is too long, press Ctrl+C to abort this command.

        • The display diagnostic-information command displays system diagnostic information, which helps you locate faults but may affect system performance. For example, the CPU usage may become high. Therefore, do not use this command when the system is running properly.

        • Do not run the display diagnostic-information command simultaneously on multiple terminals connected to a device. This is because doing so may cause the CPU usage of the device to become high and the device performance to deteriorate.

    • Collect the log and alarm information on the device, and export the information to a file.
      1. Run the save logfile command in the user view to save the log and alarm information in the buffer to a file.

        <HUAWEI> save logfile
        Info: It may take several seconds,please wait...
        Save log file successfully.
      2. After the diagnostic information file is generated, export the file from the device using TFTP, FTP, or SFTP. For details, see Local File Management.

        You can also run the display logbuffer and display trapbuffer commands to view the log and alarm information on the device, and save terminal logs in a diagnostic file on a disk. For details, see Diagnostic File Obtaining Guide.

  2. Seek technical support.

    Visit http://e.huawei.com/en/how-to-buy/contact-us to seek technical support.

    Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.


Which of the following VPNs can be used with L2TP VPN together to improve security?

L2TP combined with IPSec provides a strong level of security: As we've mentioned earlier, L2TP on its own doesn't encrypt and authenticate data. It's almost always bundled with IPSec, which offers a decent level of security.

Which of the following features is not available in L2TP?

L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity.

Which of the following messages is used to encapsulate L2TP VPN?

Data messages are used to encapsulate PPP frames and are transmitted over tunnels.

What type of VPN is L2TP?

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by internet service providers (ISPs) to enable virtual private networks (VPNs). To ensure security and privacy, L2TP must rely on an encryption protocol to pass within the tunnel.