Configuring Additional VPDN Features

This sequence of events occurs during session establishment:

1. The tunnel server receives PPP packets and forwards them to its dialer interface. The dialer interface can be either a dialer profile dialer pool or dial-on-demand routing (DDR) rotary group. The dialer issues a dial call request to the VPDN group, and the tunnel server creates a virtual access interface. If the dialer is a dialer profile, this interface becomes a member of the dial pool. If the dialer is DDR, the interface becomes a member of the rotary group. The VPDN group creates a VPDN session for this connection and sets it in the pending state.
2. The tunnel server and NAS establish an L2TP tunnel (unless a tunnel is already open) by exchanging Start Control Connection Request (SCCRQ) and Start Control Connection Reply (SCCRP) messages.
3. The tunnel server sends an Outgoing Call Request (OCRQ) packet to the NAS, which checks if it has a dial resource available. If the resource is available, the NAS responds to the tunnel server with an Outgoing Call Reply (OCRP) packet. If the resource is not available, the NAS responds with a Call Disconnect Notification (CDN) packet, and the session is terminated.
4. If the NAS has an available resource, it creates a VPDN session and sets it in the pending state.
5. The NAS then initiates a call to the PPP client. When the NAS call connects to the PPP client, the NAS binds the call interface to the appropriate VPDN session.
6. The NAS sends an Outgoing Call Connected (OCCN) packet to the tunnel server. The tunnel server binds the call to the appropriate VPDN session and then brings the virtual access interface up.
7. The dialer on the tunnel server and the PPP client can now exchange PPP packets. The NAS acts as a transparent packet forwarder.

If the dialer interface is a DDR and a virtual profile is configured, the PPP endpoint is the tunnel server virtual access interface, not the dialer. All Layer 3 routes point to this interface instead of to the dialer.

In Cisco IOS software prior to Release 12.2(15)T or 12.2(28)SB, load balancing and redundancy for dial-out VPDNs could be configured only with L2TP large-scale dial-out (LSDO) using Stack Group Bidding Protocol (SGBP). This method of load balancing and redundancy requires that the primary NAS is up and running for dial-out to take place, because the IP address of only that NAS is configured on the tunnel server. When the primary NAS is down, no dial-out can take place. When the primary NAS is up, the NAS determines among itself and the secondary NASs which NAS has the least congestion, and then inform the tunnel server to use the selected NAS for dial-out. Because the tunnel server cannot contact any other NASs when the primary NAS is down, failover is not supported for dial-out calls by this mechanism .

The ability to configure a tunnel server with the IP addresses of multiple NASs was introduced in Cisco IOS Release 12.2(15)T and Cisco IOS Release 12.2(28)SB. Load balancing, redundancy, and failover can all be controlled by assigning each NAS the desired priority settings on the tunnel server. Load balancing occurs between NASs with identical priority settings. When NASs are assigned different priority settings, if the NAS with the highest priority goes down the tunnel server will fail over to a lower priority NAS.

L2TP security can be configured to protect VPDN tunnels between the NAS and the tunnel server in NAS-initiated VPDN deployments. A NAS-initiated tunneling scenario with L2TP security protection is depicted in the figure below.

Figure 1. L2TP Security for a NAS-Initiated Tunneling Scenario

The client connects to the NAS through a medium that supports PPP, such as a dialup modem, digital subscriber line (DSL), ISDN, or a cable modem. If the connection from the client to the NAS is considered secure--such as a modem, ISDN, or a DSL connection--the client might choose not to provide additional security. The PPP session is securely tunneled from the NAS to the tunnel server without any required knowledge or interaction by the client. L2TP security protects the L2TP tunnel between the NAS and the tunnel server with IPSec.

L2TP security can be configured to protect VPDN tunnels between the client and the tunnel server in client-initiated VPDN deployments. A client-initiated tunneling scenario with L2TP security protection is depicted in the figure below.

Figure 2. L2TP Security for a Client-Initiated Tunneling Scenario

The client initiates an L2TP tunnel to the tunnel server without the intermediate NAS participating in tunnel negotiation or establishment. The client must manage the software that initiates the tunnel. Microsoft Windows 2000 supports this VPDN scenario. In this scenario, extended services processor (ESP) with authentication must always be used. L2TP security protects the L2TP tunnel between the client and the tunnel server with IPSec.

The IP MTU configuration controls the maximum size of a packet allowed to be encapsulated by a Layer 2 protocol. The IP MTU of an interface can be manually lowered to compensate for the size of the L2TP header if the path MTU is known.

A router can also be configured to automatically adjust the IP MTU of an interface to compensate for the size of the L2TP header. The automatic adjustment corrects for the size of the L2TP header based on the MTU of the egress interface of that device. This configuration is effective only in preventing fragmentation when the MTU of that interface is the same as the path MTU.

If the path MTU between the NAS and the tunnel server is unknown, or if it changes, path MTU discovery (PMTUD) can be used to perform MTU tuning. PMTUD uses the Don't Fragment (DF) bit in the IP header to dynamically discover the smallest MTU among all the interfaces along a routing path.

The source host initially assumes that the path MTU is the known MTU of the first egress interface, and sends all packets on that path with the DF bit in the IP header set. If any of the packets are too large to be forwarded without fragmentation by the interface of a device along the path, that device will discard the packet and return an Internet Control Message Protocol (ICMP) Destination Unreachable message to the source host. The ICMP Destination Unreachable message includes code 4, which means “fragmentation needed and DF set,” and indicates the IP MTU of the interface that was unable to forward the packet without fragmentation. This information allows the source host to reduce the size of the packet before retransmission to allow it to fit through that interface.

Enabling PMTUD makes VPDN deployments vulnerable to Denial of Service (DoS) attacks that use crafted ICMP messages to set a connection’s path MTU to an impractically low value. This will cause higher layer protocols to time out because of a very low throughput, even though the connection is still in the established state. This type of attack is classified as a throughput-reduction attack. For more information on throughput-reduction attacks against L2TP VPDN deployments, see the “Additional References” section.

To protect against a throughput-reduction attack, a range of acceptable values for the path MTU can be specified. If the device receives an ICMP code 4 message that advertises a next-hop path MTU that falls outside the configured size range, the device will ignore the message.

PMTUD can be unreliable and might fail when performed over the Internet because some routers or firewalls are configured to filter out all ICMP messages. When the source host does not receive an ICMP destination unreachable message from a device that is unable to forward a packet without fragmentation, it will not know to reduce the packet size. The source host will continue to retransmit the same large packet. Because the DF bit is set, these packets will be continually dropped because they exceed the path MTU, and the connection will stop responding.

Because PMTUD can be unreliable, an alternate method of performing MTU tuning was introduced. This method of MTU tuning takes advantage of TCP Maximum Segment Size (MSS) advertisements in the incoming and outgoing synchronize (SYN) packets sent by the end hosts.

The TCP MSS defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

If you configure a lower TCP MSS than the usual default of 1460, the size of TCP segments will be reduced to compensate for the information added by the L2TP header.

Another option for reducing fragmentation in an L2TP VPDN network requires that Maximum Receive Unit (MRU) negotiation is supported by the PPP client. One known client which supports MRU negotiations is the Windows XP PPP client. Unfortunately, other commonly deployed PPP clients do not adhere to the advertised PPP MRU as they should. To determine if your PPP client properly responds to the advertised PPP MRU, see the PPP client documentation.

PPP MRU allows a peer to advertise its maximum receive unit, which is derived from the MTU configuration on the virtual template interface. A device will not process a PPP frame with a payload larger than its advertised MRU. The Cisco PPP implementation uses the MTU of the interface as the advertised MRU value during PPP negotiations.

The MTU of a virtual template interface can be manually lowered to compensate for the size of the L2TP header. If the PPP peer listens to the MRU advertised during PPP negotiation, it will adjust its MTU (and indirectly its IP MTU) for that PPP link. This in turn will modify the TCP MSS that the peer advertises when opening up TCP connections.

Because the default MTU for an interface is 1500 bytes, the default MRU is 1500 bytes. Setting the MTU of an interface to 1460 changes the advertised MRU to 1460. This configuration would tell the peer to allow room for a 40-byte L2TP header.

One issue with lowering the MTU on the virtual-template interface is that the IP MTU is automatically lowered as well. It is not possible to configure an IP MTU greater than the MTU on a virtual template interface. This can be an issue if there is a mixture of peer devices that do and do not adjust their MTU based on the advertised MRU. The clients that are unable to listen to MRU advertisements and adjust accordingly will continue to send full-sized packets to the peer. Packets that are larger than the lowered IP MTU, yet smaller than the normal default IP MTU, will be forced to fragment. For example, an L2TP packet that is 1490 bytes would normally be transmitted without fragmentation. If the MTU has been lowered to 1460 bytes, this packet will be unnecessarily fragmented. In this situation, it would be optimal to advertise a lower MRU to those clients that are capable of listening and adjusting, yet still allow full-sized packets for those clients that are unable to adjust.

Clients that ignore the advertised MRU might experience the PMTUD problems described in the MTU Tuning Using IP MTU Adjustments. PMTUD can be turned off by clearing the DF bit on the inner IP packet.

When Layer 2 packets are created the ToS byte value is set to zero by default, indicating normal service. This setting ignores the values of the ToS byte of the encapsulated IP packets that are being tunneled. The tunnel server can be configured to copy the contents of the ToS field of the inner IP packets to the ToS byte of the Layer 2 header. Copying the ToS field from the IP header to the Layer 2 header preserves end-to-end QoS for tunneled packets.

IP precedence settings mark the class of service (CoS) for a packet. The three precedence bits in the ToS field of the IP header can be used to define up to six classes of service. If you choose to manually configure a specific IP precedence value for Layer 2 packets, QoS will not be preserved end-to-end across the tunnel.

The ToS bits mark the ToS classification for a packet. Each of the four bits controls a particular aspect of the ToS--reliability, throughput, delay, and cost. If you choose to manually configure a specific ToS value for Layer 2 packets, QoS will not be preserved end-to-end across the tunnel.

The VPDN Group Selection feature allows SPs to support multiple VPDN groups or tunnels between a LAC and LNS by using the new VPDN group selection keys destination IP address or VRF ID, in addition to the previously supported hostname selection key. Prior to Cisco IOS Release 12.4(20)T, the key to select the VPDN group was only the LAC hostname, preventing the use of separate VPDN groups for each tunnel. Beginning with Cisco IOS Release 12.4(20)T, the VPDN Group Selection feature enables SPs to provide customize configurations for each VPDN tunnel.

Complete the required tasks in the Configuring AAA for VPDNs module.

• L2TP is the only Layer 2 protocol that can be used to tunnel dial-out VPDNs.
• Large-scale dial-out, Bandwidth Allocation Protocol (BAP), and Dialer Watch are not supported with dial-out VPDNs.
• When you configure the tunnel server to dial-out to multiple NASs, because each NAS is configured using the same VPDN group, all of the NASs must have the same tunnel configuration settings (the same L2TP tunnel password, for example).

1.    enable

2.    configure terminal

3.    vpdn-group name

4.    description string

5.    request-dialout

6.    protocol l2tp

7.    pool-member pool-number

8.    exit

9.    initiate-to ip ip-address [limit limit-number] [priority priority-number]

• What to Do Next
  

1.    enable

2.    configure terminal

3.    interface dialer dialer-rotary-group-number

4.    ip address ip-address mask [secondary]

5.    encapsulation ppp

6.    dialer remote-name user-name

7.    dialer-string dial-string

8.    dialer vpdn

9.    dialer pool number

10.    dialer-group group-number

11.    ppp authentication protocol1 [protocol2...] [if-needed] [list-name | default] [callin] [one-time] [optional]

• What to Do Next
  

1.    enable

2.    configure terminal

3.    vpdn-group name

4.    description string

5.    accept-dialout

6.    protocol l2tp

7.    dialer dialer-interface

8.    exit

9.    terminate-from hostname hostname

10.    l2tp tunnel bearer capabilities {none | digital | analog | all}

11.    l2tp tunnel framing capabilities {none | synchronous | asynchronous | all}

• What to Do Next
  

L2TP security provides enhanced security for tunneled PPP frames between the NAS and the tunnel server, increasing the integrity and confidentiality of tunneled PPP sessions within a standardized, well-deployed Layer 2 tunneling solution. The security features of IPSec and IKE include confidentiality, integrity checking, replay protection, authentication, and key management. Additional benefits include built-in keepalives and standardized interfaces for user authentication and accounting to AAA servers, interface statistics, standardized MIBs, and multiprotocol support.

L2TP security can be configured for both NAS-initiated L2TP tunneling scenarios and client-initiated L2TP tunneling scenarios.

To configure L2TP security for VPDN tunnels, perform these tasks:

• Prerequisites for L2TP Security
  
• Configuring IPSec Protection of an L2TP Tunnel
  
• Creating the Security Profile
  

• Verifying Establishment of the Crypto Socket
  
• Verifying the Crypto Map Configuration
  
• Verifying Encryption and Decryption of L2TP Packets
  

Before You Begin

• You must be running Cisco IOS Release 12.2(8)T, Cisco IOS Release 12.2(28)SB, or a later release to configure a VPDN template.
• You must be running Cisco IOS Release 12.2(13)T, Cisco IOS Release 12.2(28)SB, or a later release to configure named VPDN templates.

Note

An L2TP or Layer 2 Forwarding Protocol (L2F) tunnel must be established for the VPDN template settings to be used. Once a tunnel has been established, changes in the VPDN template settings will not have an effect on the tunnel until it is brought down and reestablished. Effective with Cisco Release 12.4(11)T, the L2F protocol was removed in Cisco IOS software. Not all commands that are available for configuring a VPDN group can be used to configure a VPDN template. For a list of the commands that can be used in VPDN template configuration mode, use the ? command in VPDN template configuration mode.

1.    enable

2.    configure terminal

3.    vpdn-template [name]

1.    enable

2.    configure terminal

3.    vpdn-group name

4.    source vpdn-template [name]

1.    enable

2.    configure terminal

3.    vpdn-group name

4.    no source vpdn-template [name]

Perform one of these tasks to configure a source IP address on a NAS or a tunnel server:

• Configuring the Global VPDN Source IP Address
  
• Configuring the Source IP Address for a VPDN Group
  

VRF-aware VPDN tunneling can be configured locally on a NAS, tunnel server, or multihop tunnel switch, or it can be configured in the remote RADIUS server profile. Configuring VRF-aware VPDN tunneling in the RADIUS server profile will propagate the configuration only to a NAS or multihop tunnel switch. To configure VRF-aware VPDN tunnels on a tunnel server, you must configure the tunnel server locally.

Perform one of these tasks to configure a VRF-aware VPDN tunnel:

• Configuring VRF-Aware VPDN Tunneling Locally
  
• Configuring VRF-Aware VPDN Tunneling on the Remote RADIUS AAA Server
  

MTU tuning reduces or prevents packet fragmentation and reassembly of L2TP packets in a VPDN deployment. Because the tunnel server is typically the device that aggregates large numbers of sessions and traffic flows in a VPDN deployment, the performance impact of the process switching required for packet fragmentation and reassembly is most dramatic, and least desirable, on this device.

A number of different methods are available to perform MTU tuning. The goal is to prevent fragmentation of packets after they have been encapsulated for tunneling. The most reliable method of MTU tuning is manually configuring the advertised TCP MSS.

Perform one of these tasks to perform MTU tuning:

• Manually Configuring the IP MTU for VPDN Deployments
  
• Enabling Automatic Adjustment of the IP MTU for VPDN Deployments
  
• Enabling Path MTU Discovery for VPDNs
  
• Manually Configuring the Advertised TCP MSS
  
• Configuring MRU Advertising
  

• Configuring VPDN Group Selection Based on a Hostname
  
• Configuring VPDN Group Selection Based on a Source IP Address
  
• Configuring VPDN Group Selection Based on VRF
  

1.    enable

2.    show vpdn group-select

3.    exit

Depending on the VPDN deployment, instead of using the default setting you can choose to configure your VPDN network to preserve QoS end to end by copying the contents of the ToS byte from the IP header to the Layer 2 header, or to manually configure custom packet classifications for the VPDN network.

QoS configurations are generally required only on the tunnel server, the device that must manage and prioritize large volumes of outbound traffic.

Perform this task if you choose to preserve end-to-end QoS:

Perform either or both of these tasks to manually configure custom packet classifications for your VPDN deployment:

• Configuring Preservation of QoS Classifications in the ToS Byte
  
• Manually Configuring the IP Precedence for VPDNs
  
• Manually Configuring the ToS for VPDN Sessions
  

• Example Configuring VPDN Group Selection Based on Hostname
  
• Example Configuring VPDN Group Selection Based on an IP Address
  
• Example Configuring VPDN Group Selection Based on VRF
  
• Example Configuring VPDN Group Selection Based on a Hostname and IP Address
  
• Example Configuring VPDN Group Selection Based on Hostname and VRF
  
• Example Configuring VPDN Group Selection Based on an IP Address and VRF
  
• Example Configuring VPDN Group Selection Based on Hostname VRF and IP Address
  

• Examples Displaying VPDN Group-Select Summaries