...
Layer Two Tunneling Protocol (L2TP) extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. L2TP uses UDP for both control and data packets. UDP port 1701 is used only for link establishment; further traffic uses any available UDP port (which may or may not be 1701). This means that L2TP can be used with most firewalls and routers (even with NAT) by allowing UDP traffic to be routed through the firewall or router. The L2TP standard is defined in RFC 2661. L2TPv3 support was added in version 7.1.
Introduction
It may be useful to use L2TP just like any other tunneling protocol, with or without encryption. The L2TP standard says that the most secure way to encrypt data is to use L2TP over IPsec (note that this is the default mode for the Microsoft L2TP client), as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.
...
Property | Description
---|---
add-default-route (yes | no; Default: no) | Whether to add the L2TP remote address as a default route.
allow (mschap2 | mschap1 | chap | pap; Default: mschap2, mschap1, chap, pap) | Allowed authentication methods.
connect-to (IP; Default: ) | Remote address of the L2TP server (if the address is in a VRF table, the VRF should be specified).
comment (string; Default: ) | Short description of the tunnel.
default-route-distance (byte; Default: ) | Since v6.2, sets the distance value applied to the auto-created default route, if add-default-route is also selected.
dial-on-demand (yes | no; Default: no) | Connects only when outbound traffic is generated. If selected, a route with a gateway address from the 10.112.112.0/24 network is added while the connection is not established.
disabled (yes | no; Default: yes) | Enables/disables the tunnel.
keepalive-timeout (integer [1..4294967295]; Default: 60s) | Since v6.0rc13, tunnel keepalive timeout in seconds.
max-mru (integer; Default: 1450) | Maximum Receive Unit. Maximum packet size that the L2TP interface will be able to receive without packet fragmentation.
max-mtu (integer; Default: 1450) | Maximum Transmission Unit. Maximum packet size that the L2TP interface will be able to send without packet fragmentation.
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel.
name (string; Default: ) | Descriptive name of the interface.
password (string; Default: "") | Password used for authentication.
profile (name; Default: default-encryption) | Specifies which PPP profile configuration will be used when establishing the tunnel.
user (string; Default: ) | User name used for authentication.
use-ipsec (yes | no; Default: no) | When this option is enabled, a dynamic IPsec peer configuration and policy are added to encapsulate the L2TP connection in an IPsec tunnel.
allow-fast-path (yes | no; Default: ) |
l2tp-proto-version (l2tpv2 | l2tpv3-ip | l2tpv3-udp | l2tpv; Default: ) |
l2tpv3-cookie-length (0 | 4-bytes | 8-bytes; Default: ) |
l2tpv3-digest-hash (md5 | none | sha1; Default: ) |
use-peer-dns (yes | no | exclusively; Default: ) |
copy-from |
src-address |
l2tpv3-circuit-id |
ipsec-secret (string; Default: ) | Preshared key used when use-ipsec is enabled.
L2TP Server
An interface is created for each tunnel established to the given server. There are two types of interfaces in the L2TP server's configuration.
...
Property | Description
---|---
authentication (pap | chap | mschap1 | mschap2; Default: mschap1,mschap2) | Authentication methods that the server will accept.
default-profile (name; Default: default-encryption) | Default PPP profile to use.
enabled (yes | no; Default: no) | Defines whether the L2TP server is enabled or not.
max-mru (integer; Default: 1450) | Maximum Receive Unit. Maximum packet size that the L2TP interface will be able to receive without packet fragmentation.
keepalive-timeout (integer; Default: 30) | If the server does not receive any packets during the keepalive-timeout period, it sends keepalive packets every second, five times. If it still receives no response from the client, the client is disconnected after 5 seconds. The log shows five "LCP missed echo reply" messages followed by the disconnect.
max-mtu (integer; Default: 1450) | Maximum Transmission Unit. Maximum packet size that the L2TP interface will be able to send without packet fragmentation.
use-ipsec (no | yes | require; Default: no) | When this option is enabled, a dynamic IPsec peer configuration is added to suit most L2TP road-warrior setups. When require is selected, the server accepts only those L2TP connection attempts that were encapsulated in an IPsec tunnel.
ipsec-secret (string; Default: ) | Preshared key used when use-ipsec is enabled.
accept-proto-version (all | l2tpv2 | l2tpv3; Default: ) |
accept-pseudowire-type (all | ether | ppp; Default: ) |
allow-fast-path (no | yes; Default: ) |
caller-id-type (ip-address | number; Default: ) |
max-sessions (unlimited; Default: ) |
one-session-per-host (no | yes; Default: ) |
l2tpv3-circuit-id |
l2tpv3-cookie-length (0 | 4-bytes | 8-bytes; Default: ) |
l2tpv3-digest-hash (md5 | none | sha1; Default: ) |
l2tpv3-ether-interface-list |
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than the tunnel MTU, it will be split into multiple packets, allowing full-size IP or Ethernet packets to be sent over the tunnel.
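The following RouterOS CLI configuration applies the options from the client and server tables above and the L2TP-over-IPsec recommendation from the introduction. It is an added example, not configuration from the original page: the first block is a weak setup (no IPsec, PAP allowed), the second enforces IPsec and MS-CHAPv2 on both ends. The `/interface l2tp-server server`, `/interface l2tp-client` and `/ppp secret` command paths, the `default` profile name, the addresses and the credentials are assumptions not shown on the page.

```routeros
# Weak: L2TP without IPsec, PAP/CHAP allowed. PPP frames travel over UDP with
# no transport encryption, and PAP sends the password in the clear.
/interface l2tp-server server set enabled=yes use-ipsec=no \
    authentication=pap,chap,mschap1,mschap2 default-profile=default

# Hardened server: require IPsec encapsulation (plain L2TP attempts are
# rejected), accept only MS-CHAPv2, use the encrypting PPP profile.
# The preshared key is a constructed placeholder.
/interface l2tp-server server set enabled=yes \
    use-ipsec=require ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    authentication=mschap2 default-profile=default-encryption \
    keepalive-timeout=30 max-mtu=1450 max-mru=1450

# One PPP account per user, bound to the L2TP service only
# (constructed user name and placeholder password).
/ppp secret add name=alice password="REPLACE-WITH-STRONG-PASSWORD" \
    service=l2tp profile=default-encryption

# Matching client on a second RouterOS device. use-ipsec=yes adds the dynamic
# IPsec peer and policy; allow=mschap2 refuses a downgrade to PAP/CHAP;
# add-default-route=no keeps the tunnel from replacing the client's default
# route unless that is intended. 203.0.113.10 is a documentation-range address.
/interface l2tp-client add name=l2tp-out1 connect-to=203.0.113.10 \
    user=alice password="REPLACE-WITH-STRONG-PASSWORD" \
    use-ipsec=yes ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    allow=mschap2 profile=default-encryption \
    add-default-route=no keepalive-timeout=60 disabled=no
```

With use-ipsec=require on the server, a client that connects without IPsec, or with a mismatched preshared key, is refused; that refusal is the check to run after deploying, before trusting the tunnel with traffic.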
...