3 troubleshooting l2tp access to the layer 3 vpn, 1 networking environment, 1 networking environment -5 – Panasonic NN46240-710 User Manual

Nortel Secure Router 8000 Series

Troubleshooting - VPN___________

1 L2TP troubleshooting

Checking the status of PPP negotiation on the LAC side

The user needs to pass the PPP authentication on the LAC end before the L2TP tunnel and
session are established. The methods are as follows:

1.

If the LAC end uses local authentication, you can use the local-user user-name
password { simple | cipher } password command in the AAA mode to check that the
correct user name and password are configured on the LAC end.

2.

If the LAC end uses RADIUS authentication, see the section about VAS troubleshooting
in Nortel Secure Router 8000 Series Troubleshooting - VAS (NN46240-709).

3.

If access with the full user name is used, you can use the display local-user command to
check that the corresponding user is configured and the user matches with the name of

the client. If not, modify the user name of either end. Use the start l2tp ip ip-address

fullusername user-name command to modify the user name on the LAC end.

4.

If access with the domain name is used, check that the postfix of the domain name

matches the domain name of the end user, and check if the list separator of the domain
name postfix corresponding with the end user is configured. If they do not match, modify
the postfix of the domain name with the start l2tp ip ip-address domain domain-name
command. If no list separator of the domain name postfix exists, use the l2tp domain

suffix-separator command to configure it.

5.

Check whether the PPP authentication mode configured on the user interface on the LAC

end is consistent with that on the LNS side. The command for PPP authentication is ppp

authentication { pap | chap }.

6.

Check whether the authentication mode on the LAC end is consistent with that on the

user end. If not, modify the authentication end on one end. For example, the default

authentication mode of the VPN connection created by Windows 2000 is MSCHAP. If

the LAC does not support MSCHAP, change the mode to CHAP.

If the preceding configurations are correct, the user can pass the authentication on the LAC
end. If you still cannot resolve the L2TP faults, contact Nortel technical support.

1.3 Troubleshooting L2TP access to the Layer 3 VPN

The section describes the following topics:

•

Networking environment

•

Configuration notes

•

Diagnostic flowchart

•

Troubleshooting procedure

1.3.1 Networking environment

If many enterprises use one LNS and users of an enterprise need to communicate with their
own headquarters, but the network address is a private IP address, for example 10.8.0.0, the

users cannot access the internal server of the enterprise through the Internet. To enable users
to access the internal network of the enterprise, you can establish a VPN that supports
multiple instances.

As shown in Figure 1-5, the domain name of headquarters of the 01 enterprise is 263.net and

PC1 is the user of the enterprise. The domain name of headquarters of the 02 enterprise is

163.net and PC2 is the user of the enterprise.

Issue 5.3 (19 January 2009)

Nortel Networks Inc.

1-11