Panasonic NN46240-710 User Manual


Nortel Secure Router 8000 Series

Troubleshooting - VPN

1 L2TP troubleshooting

- In other cases, the authentication mode sent by the LAC is used regardless of the type of authentication mode configured on the VT.

When the LCP is configured for renegotiation and no authentication is configured on the
VT, the user is authenticated once. In other cases, the user is authenticated twice.

Q: What is the process of the L2TP tunnel authentication?

A: If two ends are configured with tunnel authentication, the L2TP tunnel authentication
process is as follows. The tunnel authentication and the tunnel establishment are
performed simultaneously.

- When the LAC sends the SCCRQ to the LNS, a random character string is generated and sent to the LNS as the local CHAP challenge.

- After the LNS receives the challenge, it generates a new character string by adding the locally configured password and SCCRP to the random character string, computes a 16-byte response with MD5, and sends the response to the LAC in the SCCRP message together with a random character string of its own, the LNS challenge.

- The LAC adds the locally configured password and the SCCRP to its CHAP challenge to generate a new character string. The LAC computes a 16-byte character string with MD5 and compares it with the LNS CHAP response received in the SCCRP. If they are identical, the LNS passes the authentication. Otherwise, the tunnel is disconnected.

- The LNS authenticates the LAC in the same way: after the LAC finds the LNS CHAP challenge in the SCCRP, it adds the local password and the SCCCN to the character string to generate a new character string. The LAC computes a 16-byte character string with MD5 and sends it, as the LAC CHAP response, to the LNS in the SCCCN message.

- After the LNS receives the SCCCN message, it adds the local password and the SCCCN to the local CHAP challenge to make a character string. Then the LNS computes a 16-byte character string with MD5 and compares it with the LAC CHAP response received in the SCCCN message. If they are identical, the LAC passes the authentication; if not, the tunnel is disconnected.
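The exchange above can be walked through in code to see how a password mismatch between the two ends leads to a disconnected tunnel. This is an added example, not Nortel code; the byte order (message type, then password, then challenge) follows RFC 2661, and the passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# L2TP control message types (RFC 2661); the type of the message that
# carries the response is used as the CHAP ID octet.
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def tunnel_response(msg_type: int, password: bytes, challenge: bytes) -> bytes:
    """16-byte response: MD5(message type || password || challenge)."""
    return hashlib.md5(bytes([msg_type]) + password + challenge).digest()


def check_response(msg_type, password, challenge, received) -> bool:
    """Recompute the response locally and compare in constant time."""
    expected = tunnel_response(msg_type, password, challenge)
    return hmac.compare_digest(expected, received)


def run_exchange(lac_password: bytes, lns_password: bytes) -> str:
    """Walk SCCRQ/SCCRP/SCCCN; return 'established' or which end rejected."""
    # SCCRQ: LAC -> LNS, carries the LAC's random challenge.
    lac_challenge = os.urandom(16)

    # SCCRP: LNS -> LAC, carries the LNS response plus the LNS challenge.
    lns_response = tunnel_response(SCCRP, lns_password, lac_challenge)
    lns_challenge = os.urandom(16)

    # The LAC checks the LNS response using its own configured password.
    if not check_response(SCCRP, lac_password, lac_challenge, lns_response):
        return "LAC rejected LNS: tunnel disconnected"

    # SCCCN: LAC -> LNS, carries the LAC response to the LNS challenge.
    lac_response = tunnel_response(SCCCN, lac_password, lns_challenge)

    # The LNS checks the LAC response using its own configured password.
    if not check_response(SCCCN, lns_password, lns_challenge, lac_response):
        return "LNS rejected LAC: tunnel disconnected"
    return "established"


if __name__ == "__main__":
    # Constructed passwords: identical on both ends, then differing in case.
    print(run_exchange(b"tunnel-secret", b"tunnel-secret"))
    print(run_exchange(b"tunnel-secret", b"tunnel-Secret"))
```

With differing passwords the LAC is the first to detect the mismatch, because it verifies the LNS response in the SCCRP before sending its own response in the SCCCN.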

Q: Are there special considerations if the LNS end is a Nortel router and the LAC end is not?

A: It is possible that the LNS end does not support certain parameters that are obtained through PPP prenegotiation between the LAC end and the client end, so the PPP session on the LNS end cannot be established. You need to configure the parameters of the PPP renegotiation on the LNS end and force the LNS and the client end to perform the PPP negotiation.

Q: Are there special considerations if the LAC end is a Nortel router and the LNS end is not?

A: It is possible that the LAC end does not support certain parameters that are obtained through PPP prenegotiation between the LNS end and the client end, so the PPP session on the LAC end cannot be established. During configuration, examine the parameters of the negotiation between the LNS end and the client end and ensure that these parameters are supported.

Issue 5.3 (19 January 2009)

Nortel Networks Inc.

1-19
