The remote user initiates a PPP connection to the ISP using the analog telephone system or ISDN.
The ISP network access server accepts the connection.
The ISP network access server authenticates the end user with CHAP or PAP. The username is used to determine whether the user is an VPDN client. If the user is not a VPDN client, the client accesses the Internet or other contacted service.
The tunnel endpoints--the network access server and the home gateway--authenticate each other before any sessions are attempted within a tunnel.
If no L2F tunnel exists between the network access server and the remote users' home gateway, a tunnel is created. Once the tunnel exists, an unused slot within the tunnel is allocated.
The home gateway accepts or rejects the connection. Initial setup can include authentication information required to allow the home gateway to authenticate the user.
The home gateway sets up a virtual interface. Link-level frames can now pass through this virtual interface through the L2F tunnel.