  • 1.  L2TP MX240 LNS

    Posted 09-13-2017 07:07

    Many apologies if this is the wrong area for this, but believe it is routing oriented:


    I am configuring a new ISP network and have the core configured and working with MPLS, IS-IS, IPv6 and Dual-Stacked.... Now I have to start the real work of the PE --> CE .....


    The PE also has to act as an LNS for L2TP Tunnels.... Now, I'm pretty much okay with eBGP but I am a complete newbie with regards to configuring the LNS for L2TP.


    I am struggling to find any "real World" configuration help with regards to setting up the LNS and can only find the following document:



    Which, in all honesty, is not really helping me that much. Can anyone point me in the right direction to get the required configs I can play with to understand exactly how to configure this?



  • 2.  RE: L2TP MX240 LNS

    Posted 09-14-2017 00:16

    As an add on question. Can I use an SRX1800 as a test LAC for the LNS?

  • 3.  RE: L2TP MX240 LNS

    Posted 09-18-2017 00:50



    You can refer to the two KBs below. Let me know exactly where you're facing an issue with the LNS.



    Rahul N

  • 4.  RE: L2TP MX240 LNS

    Posted 09-18-2017 01:36

    Hi Mayar,


    Thank you for the links.... unfortunately neither of them work (Either I need a login ID or the document no longer exists)...


    My issue is that although I have worked on L2TP before, I have never had to configure one up from Scratch..... I would need to configure an LNS and a LAC so that I can test the configurations before this is placed into a production environment...


    I have configured the Core with MPLS, RSVP, IS-IS, IPv6 and IPv4 Dual Stacking and tested, and all of this works fine, but I am having problems with this LNS/LAC configuration and can find no real help regarding an initial configuration.



  • 5.  RE: L2TP MX240 LNS
    Best Answer

    Posted 09-18-2017 06:46

    Simple LAC configuration on MX.


    Interface configuration:

    jtac@MX-240-2-RE0# show interfaces ge-2/1/9
    description "Towards CLIENT";
    unit 100 {
        encapsulation ppp-over-ether;
        vlan-id 100;
    }

    jtac@MX-240-2-RE0# show interfaces pp0.100
    ppp-options {
    }
    pppoe-options {
        underlying-interface ge-2/1/9.100;
    }
    family inet {
        unnumbered-address lo0.0;
    }

    Access configuration:

    jtac@MX-240-2-RE0# show access domain
    map {
        tunnel-profile to-lns;
    }

    jtac@MX-240-2-RE0# show access tunnel-profile to-lns  ----> L2TP Tunnel configuration
    tunnel 1 {
        preference 200;
        remote-gateway {
            gateway-name MX-240-1-RE1;
        }
        source-gateway {
            gateway-name LAC1;
        }
        secret "$9$kPz6pu1hclp0Eyrex7"; ## SECRET-DATA
        tunnel-type l2tp;
    }

    jtac@MX-240-2-RE0# show access radius-server
    {
        port 1812;
        secret "$9$Sbie87ws4ZGiwYJDjHTQ"; ## SECRET-DATA
    }

    jtac@MX-240-2-RE0# show access-profile

    jtac@MX-240-2-RE0# show access profile acc-prof
    authentication-order radius;
    radius {
        authentication-server [ ];
    }

    Sample LNS configuration on MX

    dynamic-profiles {
        DYNAMIC-PROFILE-1 {
            interfaces {
                "$junos-interface-ifd-name" {
                    unit "$junos-interface-unit" {
                        dial-options {
                            l2tp-interface-id l2tp-encapsulation;
                            dedicated;
                        }
                        family inet {
                            unnumbered-address lo0.0;
                        }
                    }
                }
            }
        }
    }
    chassis {
        fpc 2 {
            pic 0 {
                inline-services {
                    bandwidth 10g;
                }
            }
        }
        network-services enhanced-ip;
    }
    interfaces {
        si-2/0/0 {
            unit 100 {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;   --> Static configuration.
                }
                family inet {
                    unnumbered-address ge-2/3/1.0;
                }
            }
        }
        ge-2/3/1 {   -----> LAC facing interface
            unit 0 {
                family inet {
                    address;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address;
                }
            }
            unit 1 {
                family inet {
                    address;
                }
            }
        }
    }
    access {
        radius-server {
            {
                secret "$9$F3LP/pBcSeW87cyMXxN2g"; ## SECRET-DATA
                source-address;
            }
        }
        group-profile ppp {
            ppp {
                idle-timeout 200;
                keepalive 30;
            }
        }
        profile l2tp {
            client LAC1 {
                l2tp {
                    maximum-sessions-per-tunnel 1000;
                    interface-id l2tp-encapsulation;
                    shared-secret "$9$o-GHmzF/tpBz3A0O1rl"; ## SECRET-DATA
                }
                user-group-profile ppp;
            }
        }
        address-assignment {
            pool PPPoE-Subs {
                family inet {
                    network;
                    range FIRST {
                        low;
                        high;
                    }
                }
            }
        }
    }
    services {
        l2tp {
            tunnel-group to-lac {
                l2tp-access-profile l2tp;
                aaa-access-profile TEST-ACCESS-PROFILE;
                local-gateway {
                    address;
                }
                service-interface si-2/0/0;
                dynamic-profile DYNAMIC-PROFILE-1;
            }
        }
        service-device-pools {
            pool PPPoE-Subs {
                interface si-2/0/0;
            }
        }
    }

  • 6.  RE: L2TP MX240 LNS

    Posted 09-19-2017 05:46

    Thank you Mayar,


    I have stumbled across an issue with regards to this configuration though (although I know it is only a sample)....


    The line near the end that says:  "set aaa-access-profile TEST-ACCESS-PROFILE" ..... when trying to commit with this command I get the following error:


    [edit services l2tp tunnel-group to-lac aaa-access-profile]
      'aaa-access-profile TEST-ACCESS-PROFILE'
        referenced access profile must be defined
    error: configuration check-out failed: (statements constraint check failed)


    Which when I look is right..... the TEST-ACCESS-PROFILE is not referenced anywhere so how is it going to work?


    I may be asking something really silly here and many apologies if I am, but, where do I place my config to get the commit to pass please?

  • 7.  RE: L2TP MX240 LNS

    Posted 09-19-2017 06:28



    You can configure a simple test profile like the one below in case RADIUS authentication is not required.


    labroot@ERX-MX960-NS-1# set access profile TEST-ACCESS-PROFILE authentication-order none 



    Rahul N
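
The commit failure in post 6 and the `authentication-order none` workaround in post 7 can both be caught by a pre-commit check. The following is an added example, not part of the thread and not Juniper code: it reads `show configuration | display set` style lines, reports tunnel-group references to access profiles that are never defined, and flags AAA profiles that perform no authentication so the lab workaround does not reach production. The helper name `audit` is hypothetical and the sample lines are constructed from the statements posted above.

```python
import re

# Statements from this thread that point at an access profile by name.
REF = re.compile(r"^set services l2tp tunnel-group (\S+) "
                 r"(l2tp-access-profile|aaa-access-profile) (\S+)")
DEFN = re.compile(r"^set access profile (\S+)(?: (.*))?$")


def audit(set_lines):
    """Return (undefined_refs, no_auth_profiles) for 'display set' style lines."""
    defined, order, refs = set(), {}, []
    for raw in set_lines:
        line = raw.strip()
        m = DEFN.match(line)
        if m:
            name, rest = m.group(1), (m.group(2) or "")
            defined.add(name)
            if rest.startswith("authentication-order "):
                # A list leaf may span several set lines; collect every method.
                methods = [t for t in rest.split()[1:] if t not in ("[", "]")]
                order.setdefault(name, []).extend(methods)
            continue
        m = REF.match(line)
        if m:
            refs.append((m.group(1), m.group(2), m.group(3)))
    # Same condition the commit check rejects: a reference with no definition.
    undefined = [r for r in refs if r[2] not in defined]
    # AAA profiles whose only method is 'none' authenticate no subscriber.
    no_auth = sorted({r[2] for r in refs if r[1] == "aaa-access-profile"
                      and order.get(r[2]) == ["none"]})
    return undefined, no_auth


# Constructed sample: the LNS statements from this thread in 'display set' form.
BEFORE = """\
set access profile l2tp client LAC1 l2tp maximum-sessions-per-tunnel 1000
set access profile l2tp client LAC1 user-group-profile ppp
set services l2tp tunnel-group to-lac l2tp-access-profile l2tp
set services l2tp tunnel-group to-lac aaa-access-profile TEST-ACCESS-PROFILE
""".splitlines()
AFTER = BEFORE + ["set access profile TEST-ACCESS-PROFILE authentication-order none"]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        undefined, no_auth = audit(cfg)
        for group, stmt, name in undefined:
            print(f"{label}: tunnel-group {group}: {stmt} {name} is not defined")
        for name in no_auth:
            print(f"{label}: {name} performs no authentication")
```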