L2TPv2 and L2TPv3 in one package

L2TPv2 and L2TPv3 tunnels can be in use simultaneously. When used as a server, ProL2TP will accept connections from either L2TPv2 or L2TPv3 peers, unless configured to require a specific version. The tunnel version may be configured per peer, which is useful to support legacy implementations.

When used as a client, ProL2TP can open tunnels to L2TPv2 or L2TPv3 servers. The tunnel version can be configured in per tunnel configuration parameters. The default behaviour of ProL2TP is to send version-agnostic tunnel setup requests. If the remote server does not support L2TPv3 and responds with L2TPv2 response, ProL2TP sets up an L2TPv2 tunnel automatically. If the server supports L2TPv3, it responds with an L2TPv3 response and ProL2TP sets up an L2TPv3 tunnel. This simplifies network upgrades since L2TP nodes can be upgraded one at a time.

ProL2TP is able to operate as both an L2TPv2/L2TPv3 server and client simultaneously. This makes ProL2TP suitable for use as an L2TP router, accepting L2TP connections from peers and routing the traffic on to other L2TP peers.

Scalable software based solution

ProL2TP works on any Linux system, large or small, running Linux kernel 2.6.23 or later. A more recent kernel (2.6.35 or later) is needed if you want to use L2TPv3. You choose the hardware and Linux OS version that best suits your application. We can even provide assistance to get you running on more exotic hardware, such as custom embedded platforms.

Designed to scale from embedded platforms all the way up to enterprise class servers, handling just a few sessions or thousands. ProL2TP has been tested to ensure that it can cope with the most demanding workloads. The only limit is your hardware.

ProL2TP is distributed as standard Linux packages for Debian, Ubuntu and Fedora distributions (Intel 32 and 64 bit architectures). Custom builds can be provided for customers using other hardware. If your hardware runs Linux, it can run ProL2TP too.

Scalable PPP Server

Our optional PPP server supports thousands of simultaneous PPP sessions in a single process. As is the case with other ProL2TP components, the data path for PPP sessions is handled entirely in the Linux Kernel, with the PPP daemon itself handling the control plane for the session.

The server supports session authentication via. PAP, CHAP, and RADIUS; and supports data transport over Ethernet, L2TP, and serial connections.

Optimised for Linux

Written by the authors and maintainers of the Linux kernel's L2TP support, ProL2TP has been engineered with performance in mind. Tunnelled protocol data takes the fastest possible path through the Linux system. L2TP control messages are handled in userspace by the ProL2TP server, but L2TP session data remains entirely within the kernel.

ProL2TP also supports Linux network namespaces, which allows it to run on virtualized server instances.

Secure VPN using IPSec

ProL2TP can provide an end-to-end secure VPN connection using the Linux kernel's IPSec capabilities. L2TP/IPSec is a standard secure tunneling solution. Client support is built-in to common operating systems including Apple OS-X, Microsoft Windows, Linux, Android, and iPhone, which means no additional client software needs to be installed. While other L2TP VPN server implementations exist for Linux, no other supports IPSec using the kernel's L2TP data path for optimimum performance. ProL2TP also supports multiple clients behind a NAT gateway.

Since ProL2TP can be both an L2TP client and an L2TP server, it can be used to implement corporate VPNs, where offices are securely connected together over a public network. With L2TP being a standard protocol, ProL2TP doesn't have to be used at all sites; ProL2TP will interoperate with other L2TP network devices.

Extensible plugin API

The optional ProL2TP SDK is available to help you extend and interface ProL2TP with your environment via the ProL2TP plugin API. Some examples of uses for the plugin API:

  • Custom L2TP protocol extensions. Add vendor AVPs to any L2TP control message, or retrieve vendor AVPs of received messages, to implement custom L2TP protocol extensions, e.g. Cable Labs DEPI Protocol, which is used by cable TV networks.
  • Interfacing with network management software / billing services.
  • Hardware L2TP session datapath offloading, to get the maximum possible throughput. A custom plugin is delivered the Linux kernel configuration requests, allowing the plugin to implement its own, platform-specific actions, such as setting up hardware packet forwarding engines.

Management API

Most configuration is done using a local config file. The operator defines parameter sets in named profiles, which are matched to incoming L2TP requests using well defined rules. The operator configures tunnel and session attributes to be used for each peer, such as authentication parameters and protocol options. ProL2TP's profiles are very flexible. Profiles may be shared by multiple peers, if appropriate. Profiles are also convenient for defining a named set of parameters to be used when creating new client tunnels and sessions.

ProL2TP can also execute user scripts when certain events happen, such as a new session coming up or an existing session being torn down. Information about the session is made available to the script or custom application, allowing the operator to invoke session-specific actions to handle the event, such as add custom entries to the system's routing table.

ProL2TP comes with management utilities allowing dynamic querying, creation, and destruction of L2TP tunnels and sessions. In situations where tighter integration is needed with billing systems or other third party applications, an optional ProL2TP SDK is available. The ProL2TP SDK allows customers to develop their own applications to interface directly with ProL2TP using the comprehensive management API.

IPv6

ProL2TP supports L2TP over IPv6 where support is available in the Linux kernel. L2TP/IPv6 is available in standard Linux kernels from 3.5.0 and may be back-ported to older kernels if needed.

Please contact us for more information.

PPP Access Concentrator

An optional PPPoE access concentrator is available, which accepts incoming PPP connections on Ethernet and routes them through L2TP tunnels. The datapath for each session remains within the kernel for high throughput.

PPP connections can be routed statically, or using a RADIUS authentication server to provide the destination for the session. When RADIUS is used, an internal PPP server handles initial PPP link negotiation with the PPP client and identifies the PPP authentication parameters in order to do the RADIUS lookup to obtain tunnel parameters.

Once the L2TP session has been established for the PPP client, the PPP frames are passed directly into the L2TP session. Data packets are handled entirely by the Linux kernel. Since the PPP session is not terminated by the Access Concentrator, ProL2TP is able to handle thousands of PPPoE clients.

Implements IETF standards:

L2TPv3 Support

ProL2TP implements the latest L2TPv3 standard, which brings advanced new features.

Ethernet and PPP pseudowires

ProL2TP supports L2TPv3 ethernet and PPP pseudowire types. Pseudowires can be thought of as virtual wires carrying data of a specific format over an IP network. Different pseudowire types can be carried within different sessions over the same L2TP tunnel.

Ethernet pseudowires carry Ethernet frames within an L2TP session. They provide a Layer-2 Tunneling mechanism, allowing you to extend an Ethernet network over an IP network.

L2TPv3 retains support for tunneling PPP using the PPP pseudowire type; this is similar to an L2TPv2 session but with all the benefits of L2TPv3.

IP encapsulation

ProL2TP supports both L2TPv3 UDP and IP encapsulation. Unlike L2TPv2 where L2TP frames are always carried in UDP, L2TPv3 allows L2TP frames to be carried directly over IP without the UDP overhead.

Standards compliant

ProL2TP implements the following IETF standards:

Our PPP Server supports the following IETF standards:

Flexible Licensing

Several licensing options are available.

  • Host license. Each copy of ProL2TP is separately licensed. Discounts are available when multiple licenses are purchased. This is the most common license type.
  • Unlimited license. This is for customers wishing to deploy ProL2TP on many systems without consideration for license allocation. It might be suited for OEMs wishing to include ProL2TP in their product.
  • Source license. For OEMs wanting more flexibility for integrating ProL2TP into their product, or for customers wishing to do specific customisation which isn't possible with the ProL2TP SDK.

The optional ProL2TP SDK may be purchased separately.

Please contact us for more information.