ProL2TP Getting Started Guide

Installation

RPM Based Systems

To install ProL2TP on rpm based systems execute the command:

> rpm -Uvh prol2tp-version-release.distro.arch.rpm
To ensure that ProL2TP is started when your system boots, run chkconfig:
> chkconfig prol2tpd on
To start prol2tpd immediately, run:
> service prol2tpd start

DPKG Based Systems

To install ProL2TP on dpkg based systems execute the command:

> dpkg -i ./prol2tp_version-release_arch.deb
ProL2TP will be automatically started and added to default runlevels.

License Installation

Copy the license file license.dat (supplied as part of your release) to the ProL2TP configuration directory /etc/prol2tp/:

> cp license.dat /etc/prol2tp/
Send the ProL2TP daemon an HUP signal, this will cause it to start using the newly installed license file:
> kill -s SIGHUP `cat /var/run/prol2tp/prol2tpd.pid`
You can check the licensing status of ProL2TP with the following command:
> prol2tp show license
License info:-
  App Fu Ltd
  max tunnels: 20, max sessions: 200
  features: L2TPv2 L2TPv3 PPP ETHERNET

Testing the Installation

A simple way to test the operation of ProL2TP and associated components is to create a loopback tunnel in which ProL2TP is both LAC and LNS (both LCCEs in L2TPv3 terminology).

There are two sets of instructions below. Which set you should follow depends upon the type(s) of pseudowire session you will use with ProL2TP. This may be either one or both of PPP pseudowires (the only option available for L2TPv2 tunnels) and Ethernet pseudowires. If you intend to use only one of the pseudowire types, follow only the relevant section below; if you anticipate using both, follow both sets of instructions.

PPP Pseudowire

The following instructions will create a loopback tunnel, and a PPP pseudowire session inside that tunnel. ProL2TP will start an instance of pppd for both ends of the session, and one ppp interface will also be created for each end.

If you are licensed for L2TPv3 tunnels and you have a recent L2TP kernel driver (kernel version 2.6.35 or later), ProL2TP will default to creating an L2TPv3 tunnel. If you are using an older kernel driver than this, or you are only licensed for L2TPv2 tunnels, ProL2TP will create an L2TPv2 tunnel instead.

Copy the following minimal configuration to /etc/prol2tp/prol2tp.conf:

system {
    debug all
}

peer profile "one" {
    ppp_profile_name "one"
}

ppp profile "default" {
    auth_none yes
}

session profile "default" {
    pseudowire_type ppp
}

ppp profile "one" {
    local_ipaddr 10.5.1.1
    peer_ipaddr 10.5.1.2
    auth_none yes
}

tunnel "one" {
    peer_ipaddr 127.0.0.1
    host_name "one"
    session "one" {
    }
}
Then send the ProL2TP daemon a HUP signal, which will cause it to reread its configuration file:
> kill -s SIGHUP `cat /var/run/prol2tpd.pid`

There are two ways to confirm that the session has been successfully created. The first is to check for the presence of the ppp interfaces:

> ifconfig -s | grep -E "^(Iface|ppp)"
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ppp0       1500 0         3      0      0 0             3      0      0      0 MOPRU
ppp1       1500 0         3      0      0 0             3      0      0      0 MOPRU

The second is to query the ProL2TP management interface:

> prol2tp show session
       TunId     SessId PeerSessId Type                       Name        State
*      46502       3155      53183  PPP                             ESTABLISHED
       54064      53183       3155  PPP                        one  ESTABLISHED

Ethernet Pseudowire

The following instructions will create a loopback tunnel, and an Ethernet pseudowire session inside that tunnel. ProL2TP will create an l2tpeth interface for each end of the session.

Your license must permit L2TPv3 tunnels, and you will require a recent L2TP kernel driver (Kernel version 2.6.35 or later).

Copy the following minimal configuration to /etc/prol2tp/prol2tp.conf:

session profile "default" {
    pseudowire_type eth
}

tunnel "one" {
    peer_ipaddr 127.0.0.1
    session "one" {
    }
}
Then send the ProL2TP daemon a HUP signal, which will cause it to reread its configuration file:
> kill -s SIGHUP `cat /var/run/prol2tpd.pid`

There are two ways to confirm that the session has been successfully created. The first is to check for the presence of the l2tpeth interfaces:

> ifconfig -a -s | grep -E "^(Iface|l2tp)"
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
l2tpeth0   1460 0         0      0      0 0             0      0      0      0 BM
l2tpeth1   1460 0         0      0      0 0             0      0      0      0 BM

The second is to query the ProL2TP management interface:

> prol2tp show session
       TunId     SessId PeerSessId Type                       Name        State
       47633  696153178 1707941127  ETH                        one  ESTABLISHED
*      55704 1707941127  696153178  ETH                             ESTABLISHED
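
Both loopback tests above end with the same check: the two rows of `prol2tp show session` must be ESTABLISHED and must reference each other (each row's PeerSessId is the other row's SessId). The following is an added example, not part of ProL2TP or this guide, that parses the table as printed above and reports anything that breaks that pairing; the CONNECTING row in the third sample is constructed to show a failing case.

```python
"""Check `prol2tp show session` output for a healthy loopback pseudowire (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Sample outputs as shown in this guide: PPP and Ethernet loopback sessions.
PPP_OUTPUT = """\
       TunId     SessId PeerSessId Type                       Name        State
*      46502       3155      53183  PPP                             ESTABLISHED
       54064      53183       3155  PPP                        one  ESTABLISHED
"""

ETH_OUTPUT = """\
       TunId     SessId PeerSessId Type                       Name        State
       47633  696153178 1707941127  ETH                        one  ESTABLISHED
*      55704 1707941127  696153178  ETH                             ESTABLISHED
"""

# Constructed failure case: one end has not come up and its PeerSessId is still unset.
BROKEN_OUTPUT = """\
       TunId     SessId PeerSessId Type                       Name        State
*      46502       3155      53183  PPP                             ESTABLISHED
       54064      53183          0  PPP                        one  CONNECTING
"""


@dataclass
class Session:
    tun_id: int
    sess_id: int
    peer_sess_id: int
    pw_type: str
    name: str        # empty when the Name column is blank
    state: str
    flagged: bool    # row carried the leading '*' marker


def parse_sessions(text: str) -> list[Session]:
    """Parse the management-interface table; the Name column may be blank."""
    sessions: list[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TunId"):
            continue                      # blank line or column header
        flagged = line.startswith("*")
        if flagged:
            line = line[1:]
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unparseable session row: {raw!r}")
        tun_id, sess_id, peer_sess_id, pw_type = fields[:4]
        state = fields[-1]
        name = fields[4] if len(fields) == 6 else ""
        sessions.append(Session(int(tun_id), int(sess_id), int(peer_sess_id),
                                pw_type, name, state, flagged))
    return sessions


def loopback_problems(sessions: list[Session]) -> list[str]:
    """Return problems found (empty list when the loopback looks healthy).

    A loopback tunnel yields two local sessions of the same pseudowire type whose
    SessId/PeerSessId values cross-reference; both must be ESTABLISHED.
    """
    by_sess_id = {s.sess_id: s for s in sessions}
    problems: list[str] = []
    for s in sessions:
        if s.state != "ESTABLISHED":
            problems.append(f"session {s.sess_id} in tunnel {s.tun_id} is {s.state}")
        peer = by_sess_id.get(s.peer_sess_id)
        if peer is None:
            problems.append(f"session {s.sess_id}: peer session {s.peer_sess_id} not found locally")
            continue
        if peer.peer_sess_id != s.sess_id:
            problems.append(f"session {s.sess_id}: peer {peer.sess_id} points back at {peer.peer_sess_id}")
        if peer.pw_type != s.pw_type:
            problems.append(f"session {s.sess_id}: type {s.pw_type} differs from peer type {peer.pw_type}")
    return problems


if __name__ == "__main__":
    for label, text in (("ppp", PPP_OUTPUT), ("eth", ETH_OUTPUT), ("broken", BROKEN_OUTPUT)):
        print(label, loopback_problems(parse_sessions(text)) or "OK")
```

On a live system, feed the captured output of `prol2tp show session` to parse_sessions.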

Configuration

ProL2TP is configured via the file /etc/prol2tp/prol2tpd.conf. The manual page prol2tpd.conf(5) documents the syntax used in this file. The following section aims to introduce you to the sections which may be used in the configuration file, and to discuss some sample configurations.

Profiles

Configuration of ProL2TP is based around the idea of profiles. Profiles are named sets of configuration parameters. They define the parameters to be used when creating new tunnels and sessions as a result of a request from an L2TP client, and they can also define a parameter set for locally created tunnels and sessions. Each profile must have a name which is unique (within that type of profile).

Tunnel Profile

The tunnel profile contains parameters which may be used when creating tunnels locally (by specifying the tunnel profile name when the tunnel is created) or when tunnels are created by remote request.

tunnel profile "name" {
    params...
}

Session Profile

The session profile contains parameters which may be used when creating sessions locally (by specifying the session profile name when the session is created) or when sessions are created by remote request.

session profile "name" {
    params...
}

PPP Profile

The PPP profile contains parameters which are used when creating PPP sessions in L2TP tunnels.

ppp profile "name" {
    params...
}

Ethernet Profile

The Ethernet profile contains parameters which are used when creating L2TPv3 ethernet pseudowires.

ethernet profile "name" {
    params...
}

Default Profiles

Each of the profile types listed above also has an associated default profile. These profiles exist implicitly (i.e. they do not normally appear in the configuration file) and contain all of the default values for each profile type, as documented in the prol2tpd.conf manual page.

It is possible to override these default values in the configuration file by setting one or more parameters in profiles named "default":

tunnel profile "default" {
    our_udp_port  1701
}

ppp profile "default" {
    mtu 1462
}
Parameters not set in these default blocks retain their default values.

Static Client Sessions

It is possible to configure static client (LAC) sessions which are created by prol2tpd when prol2tpd.conf is read, i.e.: on startup or when prol2tpd receives a SIGHUP. This is achieved using tunnel and session blocks.

For example, the following block creates a new session (named "session_one") using the session profile "example" within a tunnel (named "tunnel_one") to the host lns.example.com:

tunnel "tunnel_one" {
    peer_ipaddr lns.example.com
    session "session_one" {
        session_profile_name "example"
    }
}

Profile Selection

ProL2TP selects which profile(s) will be used in three ways, depending on context:

  • When acting as LNS, ProL2TP selects which set of profiles will be used by matching the LAC to a defined peer profile.
  • When acting as LAC, the tunnel and/or session profiles may be specified as parameters of the create request (via a static tunnel and session configuration, or via the ProL2TP management interface).
  • The selected tunnel profile may select the session profile to use (via the session_profile_name parameter), which in turn may select the PPP (ppp_profile_name) and/or Ethernet profile (ethernet_profile_name) to use.

Peer Profile

The peer profile is used by ProL2TP when acting as LNS to select the parameters used to create tunnels and sessions for that peer. The peer profile has two types of parameter: those which are used to match an incoming tunnel setup request, and those which select which profiles to use for that incoming request.

An incoming tunnel request is matched to a peer profile by the Router ID AVP (L2TPv3 only), then by hostname, then by IP address (or IP address range if netmask is specified).

Once an incoming peer is matched to a peer profile, then the *_profile parameters of the peer profile select the tunnel, session, ppp and ethernet profiles to use for that tunnel.

peer profile "plato.example.com" {
    tunnel_profile "plato_tunnel"
}

Matches incoming requests which include the Host Name AVP with value "plato.example.com", and selects the tunnel profile "plato_tunnel".

peer profile "example hosts" {
    peer_ipaddr 10.0.5.0
    netmask 255.255.255.0
    tunnel_profile "example_tunnel"
}

Matches incoming requests from a host with an IP address in the 10.0.5.0/24 subnet, and selects the tunnel profile "example_tunnel" for tunnels from that host.
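
The match order above decides which tunnel profile (and so which authentication settings) an incoming peer gets, so it is worth seeing it applied to the two peer profiles just shown. The following is an added example, not ProL2TP code: it models the Router ID AVP (L2TPv3 only), then hostname, then IP address/netmask order from this guide. The `router_id` key on the third profile is an assumed name, since the guide names the AVP but not its configuration parameter, and that profile is constructed.

```python
"""Model of ProL2TP peer profile selection order (added example, not project code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class PeerProfile:
    """One `peer profile "name" { ... }` block reduced to its matching keys (IPv4 examples)."""
    name: str                      # also the Host Name AVP to match, as in "plato.example.com"
    tunnel_profile: str            # tunnel profile selected when this peer profile matches
    peer_ipaddr: str | None = None
    netmask: str | None = None     # without it, peer_ipaddr must match exactly
    router_id: str | None = None   # assumed key name for the Router ID AVP (L2TPv3 only)

    def network(self):
        if self.peer_ipaddr is None:
            return None
        if self.netmask is None:
            return ipaddress.ip_network(self.peer_ipaddr)          # single host
        return ipaddress.ip_network(f"{self.peer_ipaddr}/{self.netmask}", strict=False)


@dataclass
class TunnelRequest:
    """What an incoming tunnel setup request offers for matching."""
    src_ip: str
    proto_version: int             # 2 or 3; Router ID matching applies to L2TPv3 only
    host_name: str | None = None   # Host Name AVP
    router_id: str | None = None   # Router ID AVP


def select_peer_profile(req: TunnelRequest, profiles: list[PeerProfile]) -> PeerProfile | None:
    """Apply the guide's order: Router ID (L2TPv3 only), then hostname, then IP/netmask."""
    if req.proto_version == 3 and req.router_id is not None:
        for p in profiles:
            if p.router_id == req.router_id:
                return p
    if req.host_name is not None:
        for p in profiles:
            if p.name == req.host_name:
                return p
    addr = ipaddress.ip_address(req.src_ip)
    for p in profiles:
        net = p.network()
        if net is not None and addr in net:
            return p
    return None   # nothing matched; what prol2tpd then does is not modelled here


PROFILES = [
    # From this guide: hosts in 10.0.5.0/24 (listed first to show stage order beats file order).
    PeerProfile("example hosts", "example_tunnel", peer_ipaddr="10.0.5.0", netmask="255.255.255.0"),
    # From this guide: a Host Name AVP of "plato.example.com".
    PeerProfile("plato.example.com", "plato_tunnel"),
    # Constructed: an L2TPv3 peer identified by its Router ID AVP (assumed key name).
    PeerProfile("site-rtr", "rtr_tunnel", router_id="203.0.113.1"),
]


def selected_tunnel_profile(req: TunnelRequest, profiles: list[PeerProfile] = PROFILES) -> str | None:
    """Name of the tunnel profile the matched peer profile selects, or None."""
    p = select_peer_profile(req, profiles)
    return p.tunnel_profile if p else None


if __name__ == "__main__":
    # A plato.example.com request from inside 10.0.5.0/24 matches by hostname, not by address.
    print(selected_tunnel_profile(TunnelRequest("10.0.5.7", 2, host_name="plato.example.com")))
    print(selected_tunnel_profile(TunnelRequest("10.0.5.7", 2, host_name="other.example.com")))
```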

Sample Configurations

The following samples demonstrate some common ProL2TP configurations. Each keyword used is documented in the prol2tpd.conf(5) manual page.

L2TPv2 server

The following file configures ProL2TP to act as an L2TPv2 server, suitable for use as a VPN server.

PPP interface IP addresses are assigned from the IP range specified in the ip pool block, 10.1.1.1 to 10.2.1.100. Debug is enabled for IP pool allocation.

The authentication methods which pppd will use can be configured as outlined in the comments in the file, depending on what is in use at the deployment site.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on.
    # Default is to listen on all interfaces.
    # listen 1.2.3.4,10.11.12.13
}

tunnel profile "default" {
    # Force L2TPv2
    proto_version 2
}

ppp profile "default" {
    ip_pool_name "one"

    lcp_echo_interval 60
    local_ipaddr 10.5.1.1

    # require ppp peer to authenticate using any auth protocol supported by pppd
    auth_peer yes

    # If the auth protocols are to be limited, use one or more auth_refuse_ options
    # auth_refuse_pap yes
    # auth_refuse_chap yes
    # auth_refuse_mschap yes
    # auth_refuse_mschapv2 yes
    # auth_refuse_eap yes

    # If a specific auth protocol is to be used, use an auth_require_ option
    # auth_require_pap yes
    # auth_require_chap yes
    # auth_require_mschap yes
    # auth_require_mschapv2 yes
    # auth_require_eap yes
}

ip pool "one" {
    ip_range {
        10.1.1.1 10.1.1.254
        10.2.1.1 10.2.1.100
    }
}

L2TPv2 server using RADIUS authentication

This configuration sets ProL2TP up as an L2TPv2-only server, and configures pppd to use RADIUS for authentication. We restrict the authentication protocols that pppd will advertise to match those supported by RADIUS.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on.
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

tunnel profile "default" {
    # Force L2TPv2. By default, ProL2TP supports both L2TPv2 and L2TPv3.
    proto_version 2
}

ppp profile "default" {
    # Use RADIUS to authenticate all PPP users
    use_radius yes

    # Enable PAP and CHAP only, since that is all RADIUS supports
    auth_refuse_mschap yes
    auth_refuse_mschapv2 yes
    auth_refuse_eap yes
}

L2TP server accepting tunnels from 2 peers


system {
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on.
    # Default is to listen on all interfaces.
    # listen 1.2.3.4,10.11.12.13

    max_sessions 200
}

# Match Site-A using its IP address
peer profile "site-A" {
    tunnel_profile_name "site-A"
    peer_ipaddr 1.2.3.42
}

# Match Site-B using its advertised hostname "site-B"
peer profile "site-B" {
    tunnel_profile_name "site-B"
}

# Prevent unauthenticated tunnels
tunnel profile "default" {
    auth_mode authenticated
}

# Define tunnel parameters to be used for each peer.
# hide_avps obscures AVPs in L2TP control messages from network sniffers;
# it requires a tunnel secret to be configured.
tunnel profile "site-A" {
    auth_mode authenticated
    secret "site-A-super-secret"
    hide_avps yes
}

tunnel profile "site-B" {
    auth_mode authenticated
    secret "site-B-super-secret"
    hide_avps yes
    # Hello keepalive interval in seconds (default 60)
    hello_timeout 120
}

# Use RADIUS and assign IP addresses using a local IP pool
ppp profile "default" {
    ip_pool_name "one"
    auth_require_pap yes
    use_radius yes
    radius_hint "/etc/ppp/radclient/radclient.conf"
    local_ipaddr 10.1.1.1
}

ip pool "one" {
    ip_range {
        10.1.1.2 10.1.1.254
    }
}

L2TPv3 Layer 2 tunnel between two sites

Layer 2 tunnels bridge two networks together using L2TPv3 ethernet pseudowires.

At site-A, setup ProL2TP to accept tunnels from site-B. This config will create an interface l2tpethB and attach it to bridge brB when the peer establishes the tunnel.

# Set parameters to be used for tunnels from site-B
peer profileIdentifies parameters to be used when connecting with an L2TP peer. Peers are identified by name or by IP address / netmask.  The peer profile specifies default tunnel, session, PPP and ethernet profile names which are to be used for the peer, unless overridden by other settings. Peer profiles are matched by IP address or peer identifier, which is provided in the L2TP tunnel setup request. They are the core mechanism used in servers to identify specific tunnel, session, ppp and ethernet profiles for incoming requests from clients. "site-B" {
     tunnel_profile_nameName of default Tunnel Profile. Default="default" "site-B"
     ethernet_profile_nameName of default Ethernet Profile. Default="default" "site-B"
}

# Require tunnel authentication. Prevent connections from other peers.
tunnel profileProvides a named set of L2TP tunnel parameters which may be used when creating tunnels locally (by specifying the tunnel profile name when the tunnel is created) or when tunnels are created by remote request. "default" {
     proto_versionThe protocol version of a tunnel. 2 means L2TPv2. 3 means L2TPv3. Default is 0, which means either L2TPv2 or L2TPv3 is acceptable. For clients, the value 0 causes ProL2TP to send its tunnel setup request in a form that will work with both L2TPv2 and L2TPv3 peers. 3
     auth_modeTunnel authentication mode:- 
none - no authentication, unless secret is given
simple - check peer hostname
challenge - require tunnel secret
authenticated } # Tunnel parameters, including the shared secret tunnel profileProvides a named set of L2TP tunnel parameters which may be used when creating tunnels locally (by specifying the tunnel profile name when the tunnel is created) or when tunnels are created by remote request. "site-B" { auth_modeTunnel authentication mode:-
none - no authentication, unless secret is given
simple - check peer hostname
challenge - require tunnel secret
authenticated secretOptional secret which is shared with tunnel peer. Must be specified when hide_avps is enabled. Default=NONE (no secret). "site-B-super-secret" proto_versionThe protocol version of a tunnel. 2 means L2TPv2. 3 means L2TPv3. Default is 0, which means either L2TPv2 or L2TPv3 is acceptable. For clients, the value 0 causes ProL2TP to send its tunnel setup request in a form that will work with both L2TPv2 and L2TPv3 peers. 3 hide_avpsHide AVPs. The L2TP protocol allows some L2TP Attribute Value Pairs (AVPs) contained in L2TP control protocol messages to be obscured from network sniffers. This adds some overhead with L2TP message transmit and receive. Requires a tunnel secret to be configured. Default OFF. yes } # Use L2TPv3 ethernet pseudowire and give the interface a specific name session profileProvides a named set of L2TP session parameters which may be used when creating sessions locally (by specifying the session profile name when the session is created) or when sessions are created by remote request. "site-B" { pseudowire_typeIndicates the type of data to be carried in an L2TPv3 pseudowire. Valid values are ppp, eth or vlan, corresponding to PPP, Ethernet and VLAN pseudowires. Valid for L2TPv3 only. For vlan pseudowire types, vlan_id must also be specified. Required parameter for locally created L2TPv3 sessions. For network-created sessions, the pseudowire type is set by the remote peer requesting the session. This is a required parameter of SESSION blocks for L2TPv3 sessions. Default=NONE. eth interface_nameinterface name of session interface. If this is specified in the session profile, the session profile cannot be used to define parameters for more than one session, since sessions must have unique interface names. Default pppN for PPP pseudowires, l2tpethN for ethernet pseudowires, or l2tpethN.M for vlan pseudowires (where M is the vlan id). 
"l2tpethB" } # Configure the interface ethernet profileProvides a named set of ethernet parameters which are to be used when creating L2TPv3 ethernet pseudowires. "site-B" { bridge_nameInstead of assigning IP addresses to the ethernet interface, it can be added to a named bridge instance if this parameter is set. Use this to bridge ethernet frames over L2TP. The bridge must already exist. brB mtuThe MTU of the ethernet interface. By default, the MTU is derived from the MTU of the L2TP session, which is itself derived from the tunnel. 1488 }

At site-B, we configure a tunnel to site-A.

# Allow use as a client only.
system {
    deny_remote_tunnel_creates yes
}

# Configure the interface
ethernet profile "one" {
    bridge_name brB
    mtu 1488
}

tunnel "site-B" {
    peer_ipaddr site-A.mycompany.com
    host_name "site-B"
    auth_mode authenticated
    secret "site-B-super-secret"
    proto_version 3
    hide_avps yes
    session "one" {
        pseudowire_type eth
        ethernet_profile_name "one"
        interface_name "l2tpethB"
    }
}

L2TPv3 Ethernet Pseudowire, Cisco peer

The L2TPv3 implementation in some cisco routers does not fully comply with the L2TPv3 protocol standard. Some special handling in ProL2TP is needed in order to interoperate successfully. Specifically:-

  1. Cisco send vendor-specific (proprietary) AVPs in tunnel setup messages with the Mandatory bit set. With Mandatory set, L2TP peers must reject the message if they don't support the cisco vendor AVPs. So L2TP peers must accept cisco vendor AVPs in order to interoperate with cisco.
  2. Cisco require SCCRP tunnel setup response messages sent by the peer to include a cisco draft_version vendor AVP. This is cisco proprietary.
  3. Cisco require SCCRP messages to include a protocol_version AVP. The L2TP protocol specification does not list this as a valid AVP for SCCRP so ProL2TP does not send it by default.
  4. Cisco require ICRP session setup response messages to include a pseudowire_type AVP. The L2TP protocol specification does not list this as a valid AVP for ICRP so ProL2TP does not send it by default.

ProL2TP must be configured to modify its behaviour to handle all 4 cases. A new interop_flags config file parameter was introduced in prol2tp-1.5.4 to allow behaviour quirks to be selectively enabled per tunnel. The cisco vendor AVPs are supported by a ProL2TP plugin: cisco_avp.so. This is enabled by adding "-p cisco_avp.so" to the startup arguments. On debian systems, this is achieved by editing /etc/default/prol2tp.

With the interop_flags setting and cisco_avp.so plugin, prol2tpd should accept L2TPv3 connections from cisco routers.

The sample ProL2TP configuration below will accept L2TPv3 tunnels from cisco peers.

# Configuration file for prol2tp, enabling cisco workarounds.

system {
    listen 192.168.1.15
}

tunnel profile "default" {
    proto_version 3
    # no tunnel authentication (matches the cisco l2tp-class below)
    auth_mode none
    mtu 1500
    # cisco uses ip encapsulation only
    encap_type ip
    # enable cisco L2TP protocol quirks
    interop_flags 3
}

session profile "default" {
    pseudowire_type eth
}

ethernet profile "default" {
    bridge_name "br0"
    mtu 1500
}

The corresponding cisco configuration fragment to establish a single L2TPv3 ethernet pseudowire to the ProL2TP server at 192.168.1.15, bridged to the cisco's FastEthernet0/1 interface, is below.

!
ip cef
!
no ip domain lookup
!
l2tp-class l2tp-noauth
!
pseudowire-class ether-pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2tp-noauth
 ip local interface fastethernet 0/0
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 no shutdown
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.1.15 1 encapsulation l2tpv3 pw-class ether-pw-dynamic
!
