No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


Figure 1-2 shows a typical L2TP networking. Basic concepts related to L2TP are listed as follows:
Figure 1-2  L2TP networking diagram


VPDN, as a VPN that carries PPP packets, provides access services for enterprise users, small-scale ISPs, and traveling employees.

The PPP terminal accesses a dial-up network and dials up to the NAS. After receiving a PPP packet, the NAS implements L2TP encapsulation, and forwards the packet with an outer IP header over the public network to the LNS. After receiving the packet, the LNS decapsulates the packet to obtain the original PPP packet, implementing transparent transmission of the PPP packet over the public network. In this manner, a VPDN connection is set up between the PPP terminal and the LNS.

As the Ethernet becomes popular, PPP terminals can be used on the traditional dial-up networks and can also connect to the LAC over the Ethernet using the PPPoE technology.

PPP Terminal

In L2TP applications, PPP terminals are the devices that initiate dial-up calls and perform PPP encapsulation on data. For example, the PPP terminal can be a remote PC or a gateway in the branch.


A network access server (NAS) is maintained by the ISP and connected to a dial-up network. It is an access point geographically closest to the PPP terminal. The NAS works on a traditional dial-up network to provide VPDN services for remote dial-up users to set up tunnel connections with the enterprise headquarters network.


An L2TP access concentrator (LAC) provides PPP and L2TP processing capabilities on the packet switched network. The LAC establishes an L2TP connection with the L2TP network server (LNS) based on the user name or domain name in PPP packets so that PPP frames can be transmitted to the LNS.

The LAC can be deployed on different devices on various networks.
  • On a traditional dial-up network, the ISP usually deploys an LAC on the NAS.

  • On an Ethernet in an enterprise branch, an LAC is deployed on the gateway for PPP terminals and also functions as a PPPoE server.

  • A traveling employee uses a PC to access the Internet. The L2TP dial-up software installed on the PC functions as the LAC.

An LAC can establish different L2TP tunnels to isolate data flows. That is, multiple VPDN connections can be set up on the LAC.

An LAC transmits data between the LNS and PPP terminal. The LAC encapsulates data received from the PPP terminal based on L2TP, sends data to the LNS, decapsulates the data received from the LNS, and sends it to the PPP terminal.


PPP sessions are initiated by user devices and received by the LNS. After being authenticated by the LNS, remote users successfully set up PPP sessions with the LNS and can access resources in the enterprise headquarters. As the other endpoint of an L2TP tunnel, the LNS is a peer device of the LAC, and sets up an L2TP tunnel with the LAC. Additionally, the LNS is the logical termination point of a PPP session; therefore, the PPP client (user device) and the LNS establish a virtual point-to-point link.

The LNS is located at the border between the headquarters' private network and the public network, and is often used as the gateway of the enterprise headquarters. In addition, the LNS provides the network address translation (NAT) function to translate private IP addresses in the enterprise headquarters network into public IP addresses.

Tunnel and Session

There are two types of connections during the L2TP tunnel establishment between the LAC and LNS.

  • Tunnel connection

    Multiple L2TP tunnels can be set up between an LNS and an LAC. A tunnel consists of one or more sessions.

  • Session connection

    An L2TP session can be set up only after a tunnel is created successfully, and represents a PPP session over the tunnel.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 153100

Downloads: 369

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next