This article discusses how to configure a preshared key for use with Layer 2 Tunneling Protocol (L2TP).

Applies to: Windows Server 2003

Summary

L2TP in Microsoft Windows Server 2003 runs over IPsec, so the Internet Key Exchange (IKE) negotiation must authenticate the virtual private network (VPN) server and its clients. Normally this requires a public key infrastructure (PKI) that issues computer certificates to the VPN server and to the clients. Windows Server 2003 can also use a preshared key for IKE authentication. This feature is useful in environments that do not yet have a PKI in place, or where Windows Server 2003 L2TP servers connect to third-party VPN servers that support only preshared keys.

Note: Microsoft does not encourage the use of preshared keys, because a preshared key is a less secure authentication method than certificates. Every client of the server uses the same key, so if the key is disclosed by or stolen from any one client, IKE authentication is compromised for all of them. Preshared keys are not meant to replace certificates; they are an alternative for testing and internal operations. Microsoft strongly recommends that you use certificates with L2TP whenever possible.

The following sections describe how to configure the preshared key on both the L2TP client and the server. If you use Windows Server 2003 for both the client and the VPN server, complete the instructions in both sections so that L2TP with a preshared key works. If you use a Windows Server 2003 VPN client and a third-party VPN server, follow the steps in the Configure a preshared key on a VPN client section of this article, and configure the preshared key on the third-party device.
About This Document

Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) is an important VPN technology used in remote office scenarios to give employees remote access to enterprise intranet resources. Users dial up from a client on a PC to establish an L2TP VPN tunnel to the enterprise and then reach enterprise servers remotely. A fault in an L2TP VPN connection reduces the working efficiency of employees on business trips and degrades the remote server access experience. This document describes common L2TP VPN faults that may occur on the live network and provides fault locating roadmaps and troubleshooting methods.

Application Scenarios of L2TP VPN

There are three L2TP VPN application scenarios: client-initiated, L2TP client-initiated, and NAS-initiated. Once you have determined which scenario applies and the role of your AR router in it, L2TP VPN fault troubleshooting becomes easier.

Client-Initiated Scenario: Mobile Office Users Initiate L2TP Tunnel Connections to Access the Enterprise Intranet

Mobile office users (employees on business trips) of an enterprise access the Internet through Ethernet networks. The L2TP network server (LNS) functions as the egress gateway of the headquarters. The users install a dialup client on their mobile terminals and establish L2TP tunnels directly with the LNS, with no need for a separate network access server (NAS). In this scenario, mobile office users can remotely access intranet resources of the enterprise and work flexibly, securely, and reliably regardless of geographical restrictions. Client-initiated L2TP VPN connections typically apply where mobile office users of an enterprise need to access the headquarters. In this scenario, an AR router functions as the LNS, and common L2TP VPN faults may occur on the LNS or on the dialup client.
L2TP Client-Initiated Scenario: L2TP Clients Initiate L2TP Tunnel Connections for Intranet Interconnection

To allow users at an enterprise branch to access the headquarters, an L2TP client is deployed at the branch to initiate dialup requests to the LNS automatically and establish an L2TP tunnel and session. Branch users do not need to dial up themselves to trigger L2TP tunnel establishment; they reach the headquarters network as easily as their local branch network, without noticing any difference. In this scenario, an L2TP VPN tunnel is established between the enterprise headquarters and the branch, which simplifies enterprise management. AR routers can function as the L2TP client and as the LNS, and common L2TP VPN faults may occur on either.

NAS-Initiated Scenario: Dialup Users Initiate L2TP Tunnel Connections Through the NAS to Access the Enterprise Intranet

To allow branch users of an enterprise to access the headquarters, a carrier deploys an L2TP tunnel between the NAS and the LNS. Branch users then dial up and reach the headquarters network through the NAS. Dialup users access the Internet through dialup; the NAS is deployed by the carrier to provide PPP or PPPoE access for dialup users, and dialup users reach external networks through it. The LNS is the egress gateway of the headquarters and authenticates access users to ensure access security. In this scenario, AR routers can function as the NAS and as the LNS, and common L2TP VPN faults may occur on either.

Implementation of L2TP VPN

L2TP VPN is implemented similarly in the different scenarios. The following uses the client-initiated scenario as an example to describe the process of establishing an L2TP tunnel. Figure 1-1 shows the entire tunnel negotiation process.

Figure 1-1 L2TP tunnel establishment process in client-initiated scenarios
Troubleshooting When an L2TP User Fails to Go Online

Checking Whether an L2TP Tunnel Is Established

Troubleshooting Process

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices but PCs connected to the devices cannot communicate with each other. In this case, run the display l2tp tunnel command on the faulty device to check information about the L2TP tunnels established on it. The following shows a sample command output on the LNS:

<Huawei> display l2tp tunnel
Total tunnel : 1
LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName
1         1          10.1.2.3       1701  1         lns

A tunnel entry whose RemoteAddress is the peer's address and whose Sessions count is greater than 0 means the tunnel and at least one session are up. If no tunnel to the peer is listed, the L2TP control connection (UDP port 1701) was never established, and the L2TP session check that follows cannot succeed until this is fixed.
Troubleshooting When an AR Router Functions as an L2TP Client

Context

In the L2TP client-initiated connection scenario where an AR router functions as an L2TP client, after an L2TP VPN is configured between the L2TP client and the LNS, the L2TP client and LNS cannot communicate with each other.

Troubleshooting Procedure

Troubleshooting When an AR Router Functions as an NAS

Context

In the NAS-initiated connection scenario where an AR router functions as an NAS, after an L2TP VPN is configured, the NAS and LNS cannot communicate with each other.

Troubleshooting Procedure

Troubleshooting When an AR Router Functions as an LNS

Context

In scenarios where an AR router functions as an LNS, after an L2TP VPN is configured, the LNS cannot communicate with the peer device.

Troubleshooting Procedure
Checking Whether an L2TP Session Is Established

Troubleshooting Process

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices but PCs connected to the devices cannot communicate with each other. In this case, run the display l2tp session command on the faulty device to check information about the L2TP sessions established on it. The following shows a sample command output on the LNS:

<LNS> display l2tp session
Total session : 1
LocalSID  RemoteSID  LocalTID  Interface            LclTAddr    RmtTAddr    LclSAddr  RmtSAddr
1         1          4         Virtual-Template0:1  3.3.40.132  3.3.40.140  5.5.5.1   5.5.5.201

Each session is bound to a Virtual-Template interface on the LNS and carries the local tunnel ID (LocalTID) of the tunnel it belongs to; LclTAddr and RmtTAddr are the local and remote tunnel endpoint addresses. A tunnel that exists in display l2tp tunnel but has no matching session here means tunnel negotiation succeeded and session (PPP) negotiation failed.
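As an added example (not Huawei code, and not part of this guide), the following Python parses the two command outputs shown in the tunnel check and in this session check and applies the troubleshooting logic described there: no tunnel entry for the peer means the control connection never came up; a tunnel with Sessions 0 means the session negotiation failed. The two sample captures are copied from this guide; the zero-session and empty captures, the parsing rules, and the function names parse_table, tunnel_status and session_interfaces are assumptions made for the example.

```python
"""Parse the Huawei AR 'display l2tp tunnel' / 'display l2tp session' tables.

Added example for this troubleshooting guide; it is not Huawei code.
The two sample captures are copied from the guide; the zero-session and
empty captures are constructed, and the parsing rules (first 'Total ... : N'
line, then one header line, then whitespace-separated rows) are assumptions.
"""
import re

# Sample output shown in the guide for the tunnel check (LNS side).
TUNNEL_OUTPUT = """\
<Huawei> display l2tp tunnel
Total tunnel : 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 10.1.2.3 1701 1 lns
"""

# Sample output shown in the guide for the session check (LNS side).
SESSION_OUTPUT = """\
<LNS> display l2tp session
Total session : 1
LocalSID RemoteSID LocalTID Interface LclTAddr RmtTAddr LclSAddr RmtSAddr
1 1 4 Virtual-Template0:1 3.3.40.132 3.3.40.140 5.5.5.1 5.5.5.201
"""

# Constructed: the tunnel came up but no session was negotiated on it.
TUNNEL_NO_SESSION_OUTPUT = """\
<Huawei> display l2tp tunnel
Total tunnel : 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
2 7 10.1.2.3 1701 0 lns
"""

# Constructed: no tunnel at all (assumed to print only the total line).
EMPTY_TUNNEL_OUTPUT = """\
<Huawei> display l2tp tunnel
Total tunnel : 0
"""

TOTAL_RE = re.compile(r"^Total \w+\s*:\s*(\d+)$")


def parse_table(output):
    """Return (total, rows); each row is a dict keyed by the header columns."""
    total, header, rows = None, None, []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):   # blank line or prompt + command echo
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        fields = line.split()
        if header is None:                      # first line after the total is the header
            header = fields
        elif len(fields) == len(header):        # any later line with matching arity is a row
            rows.append(dict(zip(header, fields)))
    if total is None:
        raise ValueError("no 'Total ... :' line in output")
    return total, rows


def tunnel_status(tunnel_output, peer_ip=None):
    """Classify the tunnel check: 'no_tunnel', 'tunnel_no_session' or 'tunnel_ok'.

    No tunnel entry for the peer means the L2TP control connection (UDP 1701)
    never came up; an entry with Sessions == 0 means the tunnel is up but the
    session (PPP) negotiation failed, so the next step is the session check.
    """
    total, rows = parse_table(tunnel_output)
    if peer_ip is not None:
        rows = [r for r in rows if r["RemoteAddress"] == peer_ip]
    if total == 0 or not rows:
        return "no_tunnel"
    if all(int(r["Sessions"]) == 0 for r in rows):
        return "tunnel_no_session"
    return "tunnel_ok"


def session_interfaces(session_output):
    """Map each session's Virtual-Template interface to its (local, remote) tunnel addresses."""
    _, rows = parse_table(session_output)
    return {r["Interface"]: (r["LclTAddr"], r["RmtTAddr"]) for r in rows}


if __name__ == "__main__":
    print(tunnel_status(TUNNEL_OUTPUT, peer_ip="10.1.2.3"))   # tunnel_ok
    print(tunnel_status(TUNNEL_NO_SESSION_OUTPUT))             # tunnel_no_session
    print(tunnel_status(EMPTY_TUNNEL_OUTPUT))                  # no_tunnel
    print(session_interfaces(SESSION_OUTPUT))
```

Filtering on peer_ip matters on a busy LNS: a device with many tunnels can show Total tunnel : 12 while the one peer you are troubleshooting is missing, so always match the RemoteAddress column rather than trusting the total.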
Troubleshooting When an AR Router Functions as an L2TP Client

Context

In the L2TP client-initiated connection scenario where an AR router functions as an L2TP client, after an L2TP VPN is configured between the L2TP client and the LNS, the L2TP client and LNS cannot communicate with each other.

Troubleshooting Procedure

Troubleshooting When an AR Router Functions as an NAS

Context

In the NAS-initiated connection scenario where an AR router functions as an NAS, after an L2TP VPN is configured, the NAS and LNS cannot communicate with each other.

Troubleshooting Procedure

Troubleshooting When an AR Router Functions as an LNS

Context

In scenarios where an AR router functions as an LNS, after an L2TP VPN is configured, the LNS cannot communicate with the peer device.

Troubleshooting Procedure
Checking the L2TP Dialup Configuration on the PC

In the client-initiated scenario, when a PC uses its built-in dialup software to establish an L2TP VPN connection with the LNS, the dialup may fail. Table 1-3 lists common L2TP VPN connection faults on PCs and troubleshooting suggestions to help you quickly rectify faults and restore network services. If the fault persists, go to Troubleshooting Procedure for the detailed procedure. The following uses a Windows 10 PC as an example.

Table 1-3 Common L2TP VPN faults and troubleshooting suggestions
Troubleshooting Procedure
Troubleshooting When an L2TP User Goes Online Successfully but Services Are Unavailable

Context

In the client-initiated, L2TP client-initiated, or NAS-initiated scenario, after an L2TP VPN is configured between devices, services are interrupted and access users on the devices cannot access intranet resources.

Troubleshooting Procedure

Perform a ping or tracert operation to check whether the local and peer devices can communicate with each other:

<Huawei> ping 192.168.101.1
  PING 192.168.101.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.101.1: bytes=56 Sequence=1 ttl=127 time=8 ms
    Reply from 192.168.101.1: bytes=56 Sequence=2 ttl=127 time=4 ms
    Reply from 192.168.101.1: bytes=56 Sequence=3 ttl=127 time=2 ms
    Reply from 192.168.101.1: bytes=56 Sequence=4 ttl=127 time=3 ms
    Reply from 192.168.101.1: bytes=56 Sequence=5 ttl=127 time=3 ms

  --- 192.168.101.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/4/8 ms
Troubleshooting When an L2TP User Goes Online and Offline Repeatedly, Causing Frequent Service Interruption

Context

In the client-initiated, L2TP client-initiated, or NAS-initiated connection scenario, an L2TP VPN has been configured between devices but PCs connected to the devices lose connectivity intermittently. In this case, check whether the following logs are recorded:

IFNET/4/LINK_STATE: The line protocol [line-protocol] on the interface [interface-name] has entered the [state] state.
PPP/4/CHAPAUTHFAIL: On the interface [interface-name], PPP link was closed because CHAP authentication failed.

These logs show that the L2TP tunnel frequently alternates between Up and Down, causing frequent service interruptions. In the following sample, the PPP line protocol on the virtual-template interfaces comes up at 14:40:02 and goes down again at 14:41:22:

2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1233]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1234]:The line protocol PPP on the interface Virtual-Template1:1 has entered the UP state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1237]:The line protocol PPP on the interface Virtual-Template1:1 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01PPP/4/PHYSICALDOWN(l)[1238]:On the interface Virtual-Template1:0, PPP link was closed because the status of the physical layer was Down.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1239]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1240]:The line protocol PPP IPCP on the interface Virtual-Template1:0 has entered the DOWN state.

Troubleshooting Procedure
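As an added example (not Huawei code, and not part of this guide), the following Python runs the flap check over log lines in the format shown above: it parses the timestamp and the module/mnemonic, tracks PPP line-protocol transitions per virtual-template interface, reports an interface as flapping when it changes state at least three times within ten minutes, and separately lists interfaces that logged a CHAPAUTHFAIL. The first six log lines are copied from this guide; the last three (a second UP, a CHAPAUTHFAIL, and a final DOWN) are constructed from the message formats the guide quotes. The thresholds and the function names parse_events, find_flapping and chap_failures are assumptions made for the example.

```python
"""Flap and CHAP-failure detection over Huawei AR L2TP/PPP log lines.

Added example for this troubleshooting guide; it is not Huawei code.
The first six log lines are copied from the guide; the last three are
constructed from the message formats the guide quotes. The thresholds
(3 transitions within 10 minutes) and the function names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines 1-6 are from the guide; lines 7-9 are constructed for this example.
LOG_LINES = """\
2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1233]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:40:02+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1234]:The line protocol PPP on the interface Virtual-Template1:1 has entered the UP state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1237]:The line protocol PPP on the interface Virtual-Template1:1 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01PPP/4/PHYSICALDOWN(l)[1238]:On the interface Virtual-Template1:0, PPP link was closed because the status of the physical layer was Down.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1239]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:41:22+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1240]:The line protocol PPP IPCP on the interface Virtual-Template1:0 has entered the DOWN state.
2020-4-13 14:42:05+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1241]:The line protocol PPP on the interface Virtual-Template1:0 has entered the UP state.
2020-4-13 14:43:30+00:00 Huawei %%01PPP/4/CHAPAUTHFAIL(l)[1242]:On the interface Virtual-Template1:0, PPP link was closed because CHAP authentication failed.
2020-4-13 14:43:30+00:00 Huawei %%01IFNET/4/LINK_STATE(l)[1243]:The line protocol PPP on the interface Virtual-Template1:0 has entered the DOWN state.
""".splitlines()

# "<date> <time><tz> <hostname> %%NNMODULE/SEV/MNEMONIC(l)[seq]:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})\S* \S+ "
    r"%%\d+(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>\w+)\(\w\)\[\d+\]:(?P<msg>.*)$"
)
LINK_RE = re.compile(
    r"The line protocol (?P<proto>.+?) on the interface (?P<ifname>\S+) "
    r"has entered the (?P<state>UP|DOWN) state\."
)
CHAP_RE = re.compile(
    r"On the interface (?P<ifname>[^,]+), PPP link was closed because CHAP authentication failed\."
)


def parse_events(lines):
    """Return [(timestamp, kind, interface, state)] for LINK_STATE (PPP only) and CHAPAUTHFAIL."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        mnemonic, msg = m.group("mnemonic"), m.group("msg")
        if mnemonic == "LINK_STATE":
            lm = LINK_RE.search(msg)
            # The bare "PPP" line protocol marks the session; "PPP IPCP" is the
            # network-control layer on top of it and is skipped to avoid double counting.
            if lm and lm.group("proto") == "PPP":
                events.append((ts, "LINK_STATE", lm.group("ifname"), lm.group("state")))
        elif mnemonic == "CHAPAUTHFAIL":
            cm = CHAP_RE.search(msg)
            if cm:
                events.append((ts, "CHAPAUTHFAIL", cm.group("ifname"), ""))
    return events


def find_flapping(lines, window=timedelta(minutes=10), min_transitions=3):
    """Return {interface: max transitions seen inside any `window`} for flapping interfaces."""
    per_if = defaultdict(list)
    for ts, kind, ifname, state in parse_events(lines):
        if kind == "LINK_STATE":
            per_if[ifname].append((ts, state))
    flapping = {}
    for ifname, changes in per_if.items():
        changes.sort()
        # Keep only real transitions (first sighting, then every change of state).
        transitions = [t for i, (t, s) in enumerate(changes) if i == 0 or s != changes[i - 1][1]]
        best = 0
        for i, start in enumerate(transitions):        # sliding window over transition times
            j = i
            while j < len(transitions) and transitions[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_transitions:
            flapping[ifname] = best
    return flapping


def chap_failures(lines):
    """Interfaces whose PPP link was closed by a CHAP authentication failure, in log order."""
    return [ifname for _, kind, ifname, _ in parse_events(lines) if kind == "CHAPAUTHFAIL"]


if __name__ == "__main__":
    print(find_flapping(LOG_LINES))   # {'Virtual-Template1:0': 4}
    print(chap_failures(LOG_LINES))   # ['Virtual-Template1:0']
```

A CHAPAUTHFAIL on an interface that is also flapping usually points at the credentials or the authentication mode configured on the two ends rather than at the transport; a flap without any CHAPAUTHFAIL (only PHYSICALDOWN and LINK_STATE, as in the guide's own six lines) points at the underlying link or at the tunnel keepalive instead.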
Collecting Information About Common L2TP FaultsIf the fault persists after the preceding steps, collect relevant information and contact technical support personnel.
Reference Documents for Troubleshooting L2TP Faults
Which of the following VPNs can be used with L2TP VPN together to improve security?
L2TP combined with IPsec provides a strong level of security. As mentioned earlier, L2TP on its own neither encrypts nor authenticates data, so it is almost always bundled with IPsec, which provides confidentiality, integrity, and peer authentication for the L2TP packets.

Which of the following features is not available in L2TP?
L2TP by itself does not provide confidentiality or strong authentication. IPsec is often used to secure L2TP packets by providing confidentiality, authentication, and integrity.

Which of the following messages is used to encapsulate L2TP VPN traffic?
Data messages encapsulate PPP frames and are transmitted over the tunnel; control messages establish, maintain, and tear down tunnels and sessions.

What type of VPN is L2TP?
Layer Two Tunneling Protocol (L2TP) is a tunneling protocol that combines features of the Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F); it is used by internet service providers (ISPs) to enable virtual private networks (VPNs). Because L2TP itself does not encrypt, it must rely on an encryption protocol such as IPsec to secure the traffic inside the tunnel.