prol2tpd.conf


NAME

prol2tpd.conf - ProL2TP configuration file  

SYNOPSIS

This document describes the configuration file syntax of ProL2TP.  

DESCRIPTION

The configuration file is used to set up prol2tpd. It is processed when prol2tpd starts up, and again whenever it receives a SIGHUP signal.

FILE SYNTAX

Parameters are organised in blocks, delimited by braces { }. The block type and optional name precede the open brace. Parameters are written inside the braces, each as a parameter name and value pair.
block-type "name" {
  param1 value
  param2 "string-value"
}
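The syntax above is small enough to parse in a few dozen lines, which is handy for checking a configuration before prol2tpd loads it. The following Python is an added example, not code from ProL2TP or its authors: it parses the block syntax into nested blocks (a session block inside its tunnel block, quoted names and values, `#` comments as used in the EXAMPLES section) and then applies one rule the PARAMETERS section states, that a tunnel secret must be set whenever hide_avps is enabled. The Block class, the spellings accepted as "enabled" (TRUE_VALUES) and the assumption that a tunnel without profile_name inherits from the tunnel profile named "default" are the example's own, not documented prol2tpd behaviour; the sample configuration is constructed for the example.

```python
"""Parser for the prol2tpd.conf block syntax, with one consistency check.

Added example, not ProL2TP code: parses the documented syntax (block type,
optional quoted name, braces, one "param value" pair per line, session
blocks nested in tunnels, '#' comments) and checks the documented rule that
a secret must be set when hide_avps is enabled.  Block, TRUE_VALUES and the
inheritance in effective() are assumptions.
"""
import shlex
from dataclasses import dataclass, field

BLOCK_TYPES = {  # block types listed in the BLOCK TYPES section
    "system", "peer profile", "tunnel profile", "session profile",
    "ppp profile", "ethernet profile", "ip pool", "tunnel", "session",
}
TRUE_VALUES = {"yes", "on", "true", "1"}  # assumed spellings of "enabled"


@dataclass
class Block:
    kind: str
    name: "str | None"  # None for the unnamed system block
    params: dict = field(default_factory=dict)
    children: list = field(default_factory=list)  # nested session blocks


def _split_header(head, lineno):
    """Split the words before '{' into (block type, optional name)."""
    for n in (len(head), len(head) - 1):  # whole head, then head minus a name
        if n > 0 and " ".join(head[:n]) in BLOCK_TYPES:
            return " ".join(head[:n]), head[n] if n < len(head) else None
    raise ValueError(f"line {lineno}: unknown block type {' '.join(head)!r}")


def parse_config(text):
    """Parse configuration text into a list of top-level Block objects."""
    top, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '# ...', unquotes
        if not tokens:
            continue
        if tokens[-1] == "{":
            block = Block(*_split_header(tokens[:-1], lineno))
            (stack[-1].children if stack else top).append(block)
            stack.append(block)
        elif tokens == ["}"]:
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif not stack or len(tokens) < 2:
            raise ValueError(f"line {lineno}: bad parameter line {raw.strip()!r}")
        else:  # keep extra tokens rather than silently dropping them
            stack[-1].params[tokens[0]] = " ".join(tokens[1:])
    if stack:
        raise ValueError(f"unterminated block {stack[-1].kind!r}")
    return top


def find(blocks, kind, name=None):
    """First top-level block of this kind (and name, if given), else None."""
    return next((b for b in blocks
                 if b.kind == kind and (name is None or b.name == name)), None)


def effective(blocks, tunnel, key):
    """Tunnel parameter, else the value from its tunnel profile (profile_name
    if set, otherwise the profile named "default": assumed inheritance)."""
    if key in tunnel.params:
        return tunnel.params[key]
    profile = find(blocks, "tunnel profile",
                   tunnel.params.get("profile_name", "default"))
    return profile.params.get(key) if profile else None


def hide_avps_without_secret(blocks):
    """Tunnel profiles (checked alone) and tunnels (after inheritance) that
    enable hide_avps without a secret, as "kind name" strings."""
    bad = []
    for b in blocks:
        if b.kind == "tunnel profile":
            hide, secret = b.params.get("hide_avps"), b.params.get("secret")
        elif b.kind == "tunnel":
            hide, secret = (effective(blocks, b, k) for k in ("hide_avps", "secret"))
        else:
            continue
        if (hide or "").lower() in TRUE_VALUES and not secret:
            bad.append(f"{b.kind} {b.name}")
    return bad


# Constructed sample modelled on the EXAMPLES section.
SAMPLE = """
tunnel profile "default" {
    hide_avps yes
    secret "s3cret"              # required because hide_avps is on
}
tunnel profile "bare" {
    hide_avps yes                # no secret: flagged
}
tunnel "good" {
    session "one" {
        cookie hex:01234567
    }
}
tunnel "bad" {
    profile_name "bare"          # inherits hide_avps but no secret
}
"""
```

`parse_config(SAMPLE)` returns four top-level blocks; `hide_avps_without_secret` on them reports `tunnel profile bare` and `tunnel bad`, while `tunnel "good"` passes because it inherits both hide_avps and the secret from the "default" profile. Quoting is delegated to shlex, so a value such as `secret "my#pass"` is not truncated at the `#`.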

BLOCK TYPES

The following block types exist in ProL2TP:
SYSTEM
Contains attributes that control the system-wide behavior of ProL2TP, such as tunnel instance limits and the UDP port number. There is always exactly one instance of this block and it has no name.

system {
  params...
}
PEER PROFILE
Identifies parameters to be used when connecting with an L2TP peer. Peers are identified by name or by IP address / netmask. The peer profile specifies default tunnel, session, PPP and ethernet profile names which are to be used for the peer, unless overridden by other settings. Peer profiles are matched by IP address or peer identifier, which is provided in the L2TP tunnel setup request. They are the core mechanism used in servers to identify specific tunnel, session and ppp profiles for incoming requests from clients.

peer profile "name" {
  params...
}
TUNNEL PROFILE
Provides a named set of L2TP tunnel parameters which may be used when creating tunnels locally (by specifying the tunnel profile name when the tunnel is created) or when tunnels are created by remote request.

tunnel profile "name" {
  params...
}
SESSION PROFILE
Provides a named set of L2TP session parameters which may be used when creating sessions locally (by specifying the session profile name when the session is created) or when sessions are created by remote request.

session profile "name" {
  params...
}
PPP PROFILE
Provides a named set of PPP parameters which are to be used when creating PPP sessions in L2TP sessions.

ppp profile "name" {
  params...
}
ETHERNET PROFILE
Provides a named set of ethernet parameters which are to be used when creating L2TPv3 ethernet pseudowires.

ethernet profile "name" {
  params...
}
IP POOL
Defines a named IP address pool. The prol2tpd daemon assigns IP addresses from a named pool when configured to do so using the ip_pool_name parameter in ppp or ethernet profiles.

ip pool "name" {
  params...
}
TUNNEL
Contains parameters of an L2TP tunnel, such as tunnel secret, AVP hiding, L2TP hello timeout etc. A tunnel is identified by a unique name and may contain one or more session blocks, one per session within the tunnel. A tunnel block is used only in client configurations to automatically create one or more tunnels at startup.

tunnel "name" {
  params...
}
SESSION
Contains parameters of an L2TP session, such as whether to use data sequence numbers. A session is identified by a tunnel-unique name.

tunnel "name" {
  params...
  session "name" {
    params...
  }
}

PARAMETERS

SYSTEM

trace_flags
System-wide trace flags. This controls the generation of log messages that are not associated with specific tunnel, session or PPP instances.
max_tunnels
Maximum number of tunnels permitted. Default=0 (no limit).
max_sessions
Maximum number of sessions permitted. Default=0 (no limit).
drain_tunnels
Enable the draining of existing tunnels. This prevents new tunnels from being created but does not delete those already present. This can be used to perform a soft shutdown of a system.
deny_local_tunnel_creates
Deny the creation of new tunnels by local request.
deny_remote_tunnel_creates
Deny the creation of new tunnels by remote peers.
operational_mode
Sets whether the local system operates as a LAC, LNS or both. Possible values are lac, lns, laclns. The default is laclns.
router_id
Required for L2TPv3 only. This is a 4-octet value which uniquely identifies the local system. It is usually derived from one of the system's active IP addresses, as specified in RFC2072, Section 8.1. It may be specified either as a number or an IP address. Default=0.
listen
Specifies a comma-separated list of IP addresses that prol2tpd will listen on. Default is any IP address.

PEER PROFILE

peer_ipaddr
IP address of peer
peer_port
UDP port with which to connect to peer. Default=1701.
netmask
IP netmask to be used when matching for peer_ipaddr. Default=255.255.255.255.
lac_lns
Whether the local system operates as a LAC, an LNS or both.
tunnel_profile_name
Name of default Tunnel Profile. Default="default"
session_profile_name
Name of default Session Profile. Default="default"
ppp_profile_name
Name of default PPP Profile. Default="default"
ethernet_profile_name
Name of default Ethernet Profile. Default="default"
router_id
The router_id of an L2TPv3 peer that will match this profile. Default=0.
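How a server ends up choosing a peer profile is easiest to see in code. The following Python is an added example, not ProL2TP's implementation: it matches an incoming tunnel request against peer profiles by peer_ipaddr/netmask (netmask defaulting to 255.255.255.255, as documented above) or by the profile's name equalling the peer identifier the client sent, and it reports profiles whose address ranges overlap, the usual symptom of a netmask wider than intended. The precedence (name match first, then the most specific address match, then a profile named "default") is the example's assumption, since the man page states no ordering; the profile data is constructed from the static-address server in EXAMPLES.

```python
"""Peer-profile selection for an incoming L2TP tunnel request.

Added example, not ProL2TP code.  A profile matches by peer_ipaddr/netmask
(netmask defaulting to 255.255.255.255, as documented) or by its name being
the peer identifier the client sent.  The precedence used here, name match,
then most specific address match, then a profile named "default", is this
example's assumption; the man page states no ordering.
"""
import ipaddress

DEFAULT_NETMASK = "255.255.255.255"  # documented default for netmask


def peer_network(profile):
    """Address range covered by a profile's peer_ipaddr/netmask, or None."""
    if "peer_ipaddr" not in profile:
        return None
    # strict=False accepts host bits in peer_ipaddr (e.g. 40.41.42.43/32).
    return ipaddress.ip_network(
        (profile["peer_ipaddr"], profile.get("netmask", DEFAULT_NETMASK)),
        strict=False)


def select_peer_profile(profiles, src_ip, peer_identifier=None):
    """Name of the profile to apply to a request from src_ip, or None."""
    if peer_identifier is not None and peer_identifier in profiles:
        return peer_identifier
    addr = ipaddress.ip_address(src_ip)
    best, best_prefix = None, -1
    for name, profile in profiles.items():
        net = peer_network(profile)
        # When several address ranges contain addr, the longest netmask wins.
        if net is not None and addr in net and net.prefixlen > best_prefix:
            best, best_prefix = name, net.prefixlen
    if best is not None:
        return best
    return "default" if "default" in profiles else None


def overlapping_profiles(profiles):
    """Pairs of profiles whose address ranges overlap.  Overlap usually means
    a netmask is wider than intended, so one client population can be handed
    the other's PPP or ethernet profile."""
    nets = [(n, peer_network(p)) for n, p in profiles.items()]
    nets = [(n, net) for n, net in nets if net is not None]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


# Constructed profiles modelled on the static-address server in EXAMPLES.
PROFILES = {
    "one": {"peer_ipaddr": "80.81.82.0", "netmask": "255.255.255.0",
            "ppp_profile_name": "one"},
    "two": {"peer_ipaddr": "40.41.42.43", "ppp_profile_name": "two"},
    "road-warrior-3.katalix.com": {"ppp_profile_name": "three"},
    "default": {},
}
```

With these profiles, a request from 80.81.82.200 selects "one", one from 40.41.42.43 selects "two", and a peer announcing the identifier road-warrior-3.katalix.com selects that profile regardless of its source address. Changing the netmask of "one" to 255.255.0.0 makes `peer_network` cover 65536 addresses instead of 256, which is the kind of widening `overlapping_profiles` is meant to surface.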

TUNNEL PROFILE

dest_ipaddr
Destination IP address.
src_ipaddr
Source IP address. May be used to force a tunnel to use a specific local interface. By default, the system chooses how to reach the destination by IP route table lookup.
our_udp_port
UDP port number to use for the local side of the UDP connection. Default is to assign an ephemeral port. If using a NAT gateway which is unable to track UDP ephemeral port assignments, this parameter may be set to a fixed port (usually 1701) to have the server not use ephemeral ports.
peer_udp_port
UDP port number with which to contact peer L2TP server. Default=1701
use_tiebreaker
Enable use of a tiebreaker when setting up the tunnel. Default=ON
allow_ppp_proxy
Allow PPP proxy. Not currently implemented.
framing_caps
Framing capabilities: sync, async, any. These are passed to the peer when the tunnel is set up to tell the capabilities of the network beyond the L2TP tunnel.
bearer_caps
Bearer capabilities: digital, analog, any. These are passed to the peer when the tunnel is set up to tell the capabilities of the network beyond the L2TP tunnel.
host_name
Name to advertise to the peer when setting up the tunnel. This name is passed in the HOST_NAME AVP and may be used by the peer to invoke local policies. Default=local system hostname.
secret
Optional secret which is shared with tunnel peer. Must be specified when hide_avps is enabled.
auth_mode
Tunnel authentication mode:-
none - no authentication, unless secret is given
simple - check peer hostname
challenge - require tunnel secret
message_digest
Message digest algorithm. Possible values are md5, sha1, or none. Not used for L2TPv2 tunnels. If specified without auth_mode and secret, a message digest is added to all control messages as a data integrity check. If auth_mode is challenge and a secret is specified then the digest is used for L2TPv3 authentication. When used for authentication defaults to md5, otherwise defaults to NONE.
hide_avps
Hide AVPs. Default OFF
pseudowire_caps
Identifies the set of pseudowire types supported by the tunnel. These are specified as one or more pseudowire type numbers (defined in RFC3379). By default, prol2tpd advertises PPP and Ethernet pseudowire types. Not used for L2TPv2 tunnels.
pmtu_discovery
Do Path MTU Discovery. Default=OFF. Not yet implemented.
trace_flags
Trace flags, for debugging network problems
use_udp_checksums
Use UDP checksums in data frames. Default=ON
hello_timeout
Set timeout used for periodic L2TP Hello messages (in seconds). Hello messages are sent only if no data or control frames have been sent or received since the last Hello was sent. Default=60.
max_retries
The maximum number of retransmits of unacknowledged control frames. Setting this too low may bring down a tunnel unnecessarily if a brief network error occurs. Setting it too high delays the system responding to real network outages. Control messages are retransmitted on an exponentially increasing delay. Default=5.
rx_window_size
Receive window size. This is the maximum number of control messages that the system will queue for processing. It is the maximum number of unacknowledged messages. Must be 4 or greater.
tx_window_size
Transmit window size. This is the preferred maximum number of unacknowledged messages that the local system will send to the peer. It can be reduced if the peer's rx_window_size is smaller.
retry_timeout
Retry timeout. The delay (in seconds) before sending the first retry of unacknowledged control frames. Default=1.
idle_timeout
Idle timeout. The time (in seconds) that a tunnel will remain after its last session has been torn down. Default=0: the tunnel remains forever when it has no sessions, until a local administrator or network request deletes it.
max_sessions
Maximum number of sessions allowed on tunnel. Default=0 (limited only by max_sessions limit in system parameters).
mtu
MTU for all sessions in tunnel. Default=1460.
session_profile_name
Name of session profile which will be used for default values of the tunnel's session parameters.

SESSION PROFILE

profile_name
Name of session profile
ppp_profile_name
For PPP sessions, this is the name of ppp profile to use for PPP parameters.
ethernet_profile_name
For L2TPv3 Ethernet pseudowires, this is the name of the ethernet profile to use for ethernet parameters.
trace_flags
Trace flags, for debugging network problems. Default=NONE.
sequencing_required
The use of sequence numbers in the data channel is mandatory.
use_sequence_numbers
Enable sequence numbers in the data channel if peer supports them.
reorder_timeout
Timeout to wait for out-of-sequence packets before discarding. Out-of-sequence packet reordering is not currently supported.
session_type
Session type: LAC Incoming (LAIC), LAC Outgoing (LAOC), LNS Incoming (LNIC), LNS Outgoing (LNOC). Default=derived from tunnel type.
priv_group_id
Private group ID, used to separate this session into a named administrative group
interface_name
Name of the session's network interface. Default pppN for PPP pseudowires, or l2tpethN for ethernet pseudowires. If this is specified in the session profile, the session profile cannot be used to define parameters for more than one session, since sessions must have unique interface names.
user_name
PPP user name.
user_password
PPP user password.
framing_type
Framing type: sync, async or any. Default=any
bearer_type
Bearer type: digital, analog, any. Default=any
minimum_bps
Minimum bits/sec acceptable. Default=0
maximum_bps
Maximum bits/sec required. Default=no limit
connect_speed
Specified as speed[:txspeed], indicates connection speeds.
cookie
For L2TPv3, each session carries an optional 4 or 8 byte cookie value in the packet header. This parameter specifies the cookie value to use for the session. The value is specified as hex digits, preceded by "hex:", e.g. hex:01234567. The number of hex digits must correspond to a 4 or 8 byte value. Default: no cookie.
cookie_len
If this parameter is set to 4 or 8 and a specific cookie value is not provided using the cookie parameter, a random cookie value is generated when setting up the session. Default=0.
peer_cookie
Specifies the peer cookie value which will be used to match incoming session setup requests to this profile. This is useful in servers because it allows specific incoming sessions to be matched to a specific session profile, and therefore a specific ppp or ethernet profile. The value is specified as hex digits, preceded by "hex:", e.g. hex:01234567. The number of hex digits must correspond to a 4 or 8 byte value. Default: no peer cookie.
remote_end_id
Specifies the data to be transmitted in the Remote End Id AVP for L2TPv3 sessions. This value may be used to match incoming session setup requests to this profile. This is useful in servers because it allows specific incoming sessions to be matched to a specific session profile, and therefore a specific ppp or ethernet profile. The value is specified as hex digits, preceded by "hex:", e.g. hex:01234567. Default: empty.
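The cookie parameters are where a session profile carries values that the data plane checks on every packet, so their encoding rules deserve a worked example. The following Python is added here and is not ProL2TP code: it decodes "hex:" values and enforces the 4- or 8-byte cookie length stated above, generates a random cookie when only cookie_len is given, and matches an incoming session setup request to a profile by peer_cookie or remote_end_id. The matching order (peer_cookie, then remote_end_id, then "default") is the example's assumption; the profiles are constructed after the multi-pseudowire server in EXAMPLES.

```python
"""L2TPv3 cookie handling and cookie-based session-profile matching.

Added example, not ProL2TP code.  Implements the documented rules for the
cookie, cookie_len, peer_cookie and remote_end_id parameters: "hex:" values
decoded and checked for a 4- or 8-byte length, a random cookie generated
when only cookie_len is set, and an incoming request matched to a session
profile by its peer cookie.  The matching order (peer_cookie, then
remote_end_id, then "default") is this example's assumption.
"""
import hmac
import secrets

COOKIE_LENGTHS = (4, 8)  # byte lengths the man page allows for a cookie


def parse_hex_value(text, allowed_lengths=None):
    """Decode a "hex:..." configuration value to bytes."""
    if not text.startswith("hex:"):
        raise ValueError(f"{text!r} must start with 'hex:'")
    digits = text[len("hex:"):]
    if len(digits) % 2:
        raise ValueError(f"{text!r} has an odd number of hex digits")
    data = bytes.fromhex(digits)  # raises ValueError on non-hex characters
    if allowed_lengths and len(data) not in allowed_lengths:
        raise ValueError(f"{text!r} is {len(data)} bytes; "
                         f"expected one of {list(allowed_lengths)}")
    return data


def local_cookie(profile):
    """Cookie this side puts in its data packets: the configured cookie,
    else cookie_len random bytes, else None when cookie_len is 0 (default)."""
    if "cookie" in profile:
        return parse_hex_value(profile["cookie"], COOKIE_LENGTHS)
    length = int(profile.get("cookie_len", 0))
    if length == 0:
        return None
    if length not in COOKIE_LENGTHS:
        raise ValueError(f"cookie_len must be 4 or 8, not {length}")
    return secrets.token_bytes(length)  # CSPRNG, not the random module


def match_session_profile(profiles, peer_cookie=None, remote_end_id=None):
    """Session profile name for an incoming session setup request."""
    if peer_cookie is not None:
        for name, profile in profiles.items():
            if "peer_cookie" in profile and hmac.compare_digest(
                    parse_hex_value(profile["peer_cookie"], COOKIE_LENGTHS),
                    peer_cookie):
                return name
    if remote_end_id is not None:
        for name, profile in profiles.items():
            if "remote_end_id" in profile and hmac.compare_digest(
                    parse_hex_value(profile["remote_end_id"]), remote_end_id):
                return name
    return "default" if "default" in profiles else None


# Constructed session profiles modelled on the multi-pseudowire server.
SESSION_PROFILES = {
    "default": {"pseudowire_type": "eth", "cookie_len": "4"},
    "one": {"cookie": "hex:1122334455667788",
            "peer_cookie": "hex:aa55bb6612345678",
            "ethernet_profile_name": "one"},
    "two": {"cookie": "hex:2233445566778899",
            "peer_cookie": "hex:12345678abcdef01",
            "ethernet_profile_name": "two"},
    "site-b": {"remote_end_id": "hex:7369746562",  # the bytes "siteb"
               "ethernet_profile_name": "three"},
}
```

A request carrying peer cookie aa55bb6612345678 lands in profile "one"; one with an unknown cookie falls through to "default", which then generates a fresh 4-byte cookie for its own direction. Cookie comparisons use `hmac.compare_digest` so the match does not leak timing information about how many leading bytes agreed.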

PPP PROFILE

trace_flags
Trace flags, for debugging network problems
asyncmap
Async character map. Valid only if PPP is async mode.
mtu
Maximum Transmit Unit (MTU) or maximum packet size transmitted.
mru
Maximum Receive Unit (MRU) or maximum packet size passed when received.
sync_mode
Allow PPP sync/async operation.
auth_pap
Allow PPP PAP authentication. Default=YES
auth_chap
Allow PPP CHAP authentication. Default=YES
auth_mschapv1
Allow PPP MSCHAP authentication. Default=YES
auth_mschapv2
Allow PPP MSCHAPV2 authentication. Default=YES
auth_eap
Allow PPP EAP authentication. Default=YES
auth_none
Allow unauthenticated PPP users. Default=NO
chap_interval
Rechallenge the peer every chap_interval seconds. Default=0 (don't rechallenge).
chap_max_challenge
Maximum number of CHAP challenges to transmit without successful acknowledgment before declaring a failure. Default=10.
chap_restart
Retransmission timeout for CHAP challenges. Default=3.
pap_max_auth_reqs
Maximum number of PAP authenticate-request transmissions. Default=10.
pap_restart_interval
Retransmission timeout for PAP requests. Default=3.
pap_timeout
Maximum time to wait for peer to authenticate itself. Default=0 (no limit).
idle_timeout
Disconnect session if idle for more than N seconds. Default=0 (no limit).
ipcp_max_cfg_reqs
Maximum number of IPCP config-requests to transmit without successful acknowledgement before declaring a failure. Default=10.
ipcp_max_cfg_naks
Maximum number of IPCP config-naks to allow before starting to send config-rejects instead. Default=10.
ipcp_max_term_reqs
Maximum number of IPCP term-requests to send. Default=3.
ipcp_retransmit_interval
IPCP retransmission timeout. Default=3.
lcp_echo_failure_count
Number of LCP echo failures to accept before assuming peer is down. Default=5.
lcp_echo_interval
Send LCP echo-request to peer every N seconds. Default=0 (don't send).
lcp_max_cfg_reqs
Maximum number of LCP config-request transmissions. Default=10.
lcp_max_cfg_naks
Maximum number of LCP config-naks to allow before starting to send config-rejects instead. Default=10.
lcp_max_term_reqs
Maximum number of LCP term-requests to send. Default=3.
lcp_retransmit_interval
LCP retransmission timeout. Default=3.
max_connect_time
Maximum connect time (in seconds) that the PPP session may stay in use. Default=0 (no limit).
local_ipaddr
The IP address to assign to the local end of the PPP link.
peer_ipaddr
The IP address to assign to the remote (peer) end of the PPP link.
dns_addr_1
Primary DNS address to use over the PPP link.
dns_addr_2
Secondary DNS address to use over the PPP link.
wins_addr_1
Primary WINS address to use over the PPP link.
wins_addr_2
Secondary WINS address to use over the PPP link.
ip_pool_name
The name of an IP pool from which to allocate local and remote IP addresses if not otherwise assigned. This value may be passed to RADIUS if RADIUS is configured. ProL2TP does not provide IP pool functionality itself.
use_radius
Says whether PPP should use RADIUS to authenticate the user and obtain user parameters for the connection. RADIUS is the preferred method to derive values for IP addresses, DNS etc rather than using fixed values in PPP profiles.
radius_hint
An arbitrary string that is passed to PPP when RADIUS is enabled. The PPP implementation may use this string in any way. The bundled ppp_unix plugin for use with pppd applies this value to pppd's radius-config-file parameter.
default_route
Says whether the PPP interface should be configured as the host's default route. Useful for use at a LAC which expects to use the L2TP tunnel as its path to the global internet.
multilink
Enable PPP multilink. Default=off.
local_name
The name to use for the local side for authentication with the peer, unless overridden by user_name.
remote_name
The name to assume for the remote peer for authentication purposes, unless overridden by a PPP username via PPP protocol exchange.

ETHERNET PROFILE

trace_flags
Trace flags, for debugging network problems.
local_ipaddr
The IP address to assign to the ethernet interface when the session comes up.
peer_ipaddr
If the peer IP address of the session is known, it can be set here. This causes the interface to be configured with the peer's IP address and ARP is disabled.
netmask
The netmask (specified in dot-quad notation) with which to configure the ethernet interface when the session comes up.
bridge_name
Instead of assigning IP addresses to the ethernet interface, it can be added to a named bridge instance if this parameter is set. Use this to bridge ethernet frames over L2TP. The bridge must already exist.
ip_pool_name
Not yet implemented.
vlan_id
Not yet implemented.
mtu
The MTU of the ethernet interface. By default, the MTU is derived from the MTU of the L2TP session, which is itself derived from the tunnel.

IP POOL

trace_flags
Trace flags, for debugging problems.
ip_range
A range of IP addresses assigned to the pool. The range is defined as the first and last IP address (inclusive). Multiple first/last address pairs may be specified.

TUNNEL

dest_ipaddr
Destination IP address
config_id
Optional configuration id, used to uniquify a tunnel when there is more than one tunnel between the same two IP addresses.
tunnel_id
Optional tunnel id of new tunnel. Usually auto-generated. Use is discouraged.
profile_name
Name of tunnel profile which will be used for default values of this tunnel's parameters.
src_ipaddr
Source IP address
our_udp_port
UDP port number to use for the local side of the UDP connection. Default is to assign an ephemeral port. If using a NAT gateway which is unable to track UDP ephemeral port assignments, this parameter may be set to a fixed port (usually 1701) to have the server not use ephemeral ports.
peer_udp_port
UDP port number with which to contact peer L2TP server. Default=1701
mode
Indicates whether the local tunnel is a LAC or LNS.
use_tiebreaker
Enable use of a tiebreaker when setting up the tunnel. Default=ON
allow_ppp_proxy
Allow PPP proxy
framing_caps
Framing capabilities: sync, async, any. These are passed to the peer when the tunnel is set up to tell the capabilities of the network beyond the L2TP tunnel.
bearer_caps
Bearer capabilities: digital, analog, any. These are passed to the peer when the tunnel is set up to tell the capabilities of the network beyond the L2TP tunnel.
host_name
Name to advertise to peer when setting up the tunnel. This name is passed in the HOST_NAME AVP and may be used by the peer to invoke local policies. Default=local system hostname.
secret
Optional secret which is shared with tunnel peer. Must be specified when hide_avps is enabled.
auth_mode
Tunnel authentication mode:-
none - no authentication, unless secret is given
simple - check peer hostname
challenge - require tunnel secret
message_digest
Message digest algorithm. Possible values are md5, sha1, or none. Not used for L2TPv2 tunnels. If specified without auth_mode and secret, a message digest is added to all control messages as a data integrity check. If auth_mode is challenge and a secret is specified then the digest is used for L2TPv3 authentication. When used for authentication defaults to md5, otherwise defaults to NONE.
hide_avps
Hide AVPs. Default OFF
pseudowire_caps
Identifies the set of pseudowire types supported by the tunnel. These are specified as one or more pseudowire type numbers (defined in RFC3379). By default, prol2tpd advertises PPP and Ethernet pseudowire types. Not used for L2TPv2 tunnels.
pmtu_discovery
Do Path MTU Discovery. Default=OFF.
trace_flags
Trace flags, for debugging network problems
use_udp_checksums
Use UDP checksums in data frames. Default=ON
persist
Marks the tunnel as persistent. Persistent tunnels attempt to restore themselves if the tunnel fails for some reason. Any locally created sessions in persistent tunnels are also restored if/when the tunnel reestablishes. The period at which a down persistent tunnel will attempt to reestablish is 5 minutes but this can be modified by the system tunnel_persist_pend_timeout parameter.
max_retries
The maximum number of retransmits of unacknowledged control frames. Setting this too low may bring down a tunnel unnecessarily if a brief network error occurs. Setting it too high delays the system responding to real network outages. Control messages are retransmitted on an exponentially increasing delay. Default=5.
rx_window_size
Receive window size. This is the maximum number of control messages that the system will queue for processing. It is the maximum number of unacknowledged messages. Must be 4 or greater.
tx_window_size
Transmit window size. This is the preferred maximum number of unacknowledged messages that the local system will send to the peer. It can be reduced if the peer's rx_window_size is smaller.
hello_timeout
Set timeout used for periodic L2TP Hello messages (in seconds). Hello messages are sent only if no data or control frames have been sent or received since the last Hello was sent. Default=60.
retry_timeout
Retry timeout. The delay (in seconds) before sending the first retry of unacknowledged control frames. Default=1.
idle_timeout
Idle timeout. The time (in seconds) that a tunnel will remain after its last session has been torn down. Default=0: the tunnel remains forever when it has no sessions, until a local administrator or network request deletes it.
max_sessions
Maximum number of sessions allowed on tunnel. Default=0 (limited only by max_sessions limit in system parameters).
mtu
MTU for all sessions in tunnel. Default=1460.
peer_profile_name
Name of peer profile which will be used for default values of the tunnel's parameters.
session_profile_name
Name of session profile which will be used for default values of the tunnel's session parameters.
ppp_profile_name
Name of ppp profile which will be used for default values of the tunnel's session PPP parameters.

SESSION

profile_name
Name of session profile. If not specified, the profile name is inherited from the tunnel or the peer profile.
ppp_profile_name
Name of ppp profile to use for PPP parameters. If not specified, the profile name is inherited from the tunnel or the peer profile.
trace_flags
Trace flags, for debugging network problems
sequencing_required
Says whether the use of sequence numbers in the data channel is mandatory. If set, the receipt of data packets without sequence numbers causes the session to be torn down.
use_sequence_numbers
Says to enable sequence numbers in the data channel if peer supports them.
no_ppp
Says to not start PPP on the L2TP session.
reorder_timeout
Timeout to wait for out-of-sequence packets before discarding. Data packet out-of-sequence reordering is not currently implemented.
session_type
Session type: LAC Incoming (LAIC), LAC Outgoing (LAOC), LNS Incoming (LNIC), LNS Outgoing (LNOC). Default=derived from tunnel type.
priv_group_id
Private group ID, used to separate this session into a named administrative group
interface_name
Name of the session's network interface. Default pppN for PPP pseudowires, or l2tpethN for ethernet pseudowires. Must be unique for each session instance.
user_name
PPP user name
user_password
PPP user password
framing_type
Framing type: sync, async or any. Default=any. These are passed to the peer when the session is set up to tell the capabilities of the network beyond the L2TP tunnel.
bearer_type
Bearer type: digital, analog, any. Default=any. These are passed to the peer when the session is set up to tell the capabilities of the network beyond the L2TP tunnel.
minimum_bps
Minimum bits/sec acceptable. Default=0 (don't care)
maximum_bps
Maximum bits/sec required. Default=9 (no limit)
connect_speed
Indicates transmit and receive connection speeds.
session_id
Session ID of session. Default=system chooses random ID. Use is discouraged.
cookie
For L2TPv3, each session carries an optional 4 or 8 byte cookie value in the packet header. This parameter specifies the cookie value to use for the session. The value is specified as hex digits, preceded by "hex:", e.g. hex:01234567. The number of hex digits must correspond to a 4 or 8 byte value.
cookie_len
If this parameter is set to 4 or 8 and a specific cookie value is not provided using the cookie parameter, a random cookie value is generated when setting up the session.
remote_end_id
Specifies the data to be transmitted in the Remote End Id AVP for L2TPv3 sessions. This value may be used to match incoming session setup requests. This is useful in servers because it allows specific incoming sessions to be matched to a specific session profile, and therefore a specific ppp or ethernet profile. The value is specified as hex digits, preceded by "hex:", e.g. hex:01234567. Default: empty.

EXAMPLES

A simple L2TP client.

system {
  operational_mode lac
}

tunnel "one" {
  dest_ipaddr 1.2.3.4
  persist yes

  session "one" {
    user_name "me"
    user_password "mypass"
  }
}

A simple L2TP server using RADIUS.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

ppp profile "default" {
    # Use RADIUS to authenticate all PPP users
    use_radius yes

    # Enable PAP and CHAP only, since that is all RADIUS supports
    auth_mschapv1 no
    auth_mschapv2 no
    auth_eap no
}

A simple L2TP server using non-ephemeral UDP ports.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

# To use a non-ephemeral port for tunnels created by network request,
# configure our_udp_port to be the desired port (usually 1701). This
# forces prol2tpd to use that port for the local UDP port, instead of
# assigning an unused port for the tunnel. Using a fixed port can be
# useful if a NAT gateway is in the path, when the NAT gateway does
# not track UDP ephemeral ports.

tunnel profile "default" {
       our_udp_port 1701
}

An L2TP server using static addresses for VPN clients.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on.
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

tunnel profile "default" {
    # Only one session per tunnel (VPN)
    max_sessions 1
}

peer profile "one" {
     # This client connects from the 80.81.82/24 net
     peer_ipaddr 80.81.82.0
     netmask 255.255.255.0
     ppp_profile_name "one"
}

peer profile "two" {
     # This client connects using a static public IP 40.41.42.43
     peer_ipaddr 40.41.42.43
     ppp_profile_name "two"
}

peer profile "road-warrior-3.katalix.com" {
     # This client has a name "road-warrior-3.katalix.com". For
     # incoming tunnel setup requests, prol2tpd looks for a peer
     # profile with a name that matches the client's name. This
     # is useful when the client does not use a fixed IP address.
     # Few L2TP clients support configurable names and it can be
     # difficult to find out what name a client is using.
     # If using the ProL2TP client, use the host_name parameter
     # when creating the tunnel.
     ppp_profile_name "three"
}

# Use fixed PPP addresses for each peer's connection
ppp profile "one" {
     local_ipaddr 10.1.1.1
     peer_ipaddr 10.1.1.2
}

ppp profile "two" {
     local_ipaddr 10.1.1.1
     peer_ipaddr 10.1.1.3
}

ppp profile "three" {
     local_ipaddr 10.1.1.1
     peer_ipaddr 10.1.1.4

     # Enable LCP echo because this client's network is unreliable
     lcp_echo_interval 10
}

A simple L2TPv3 server for an ethernet pseudowire.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

tunnel profile "default" {
    # Use L2TPv3.
    proto_version 3

    # Log tunnel events. Optional.
    debug protocol,fsm
}

session profile "default" {
    # Force ethernet pseudowire type for L2TPv3 clients.
    pseudowire_type eth

    # Log session events. Optional. 
    debug protocol,fsm
}

ethernet profile "default" {
    # Configuration for the ethernet interface of the pseudowire
    local_ipaddr 10.5.1.1
    peer_ipaddr 10.5.1.2
}

A simple L2TPv3 client for an ethernet pseudowire.

system {
    # Don't let this system be used as a LNS
    deny_remote_tunnel_creates yes
    operational_mode lac
}

tunnel profile "default" {
    # Use L2TPv3.
    proto_version 3

    # Optional IP encapsulation. UDP is the default.
    # encap_type ip
}

session profile "default" {
    # Force ethernet pseudowire type for L2TPv3 clients.
    pseudowire_type eth

    # Use a 4-byte L2TPv3 cookie. Optional.
    cookie_len 4
}

ethernet profile "default" {
    # Configuration for the ethernet interface of the pseudowire
    local_ipaddr 10.5.1.2
    peer_ipaddr 10.5.1.1
}

tunnel "one" {
    dest_ipaddr 1.2.3.4

    session "one" {
        use_sequence_numbers no
    }
}

A more complex L2TPv3 server, serving several ethernet pseudowires.

system {
    # Don't let this system be used as a LAC
    deny_local_tunnel_creates yes
    operational_mode lns

    # Optional list of IP addresses that we listen on
    # Default is to listen on all interfaces.
    listen 1.2.3.4,10.11.12.13
}

tunnel profile "default" {
    # Use L2TPv3.
    proto_version 3

    # Log tunnel events. Optional.
    debug protocol,fsm

    # Authenticate tunnels
    auth_mode challenge
    message_digest md5
    secret "my_password"
}

session profile "default" {
    # Force ethernet pseudowire type for L2TPv3 clients.
    pseudowire_type eth

    # Log session events. Optional. 
    debug protocol,fsm
}

session profile "one" {
    # Use a fixed cookie value for this session
    cookie hex:1122334455667788

    # Match this profile only with requests using this cookie
    peer_cookie hex:aa55bb6612345678

    pseudowire_type eth
    ethernet_profile_name "one"
}

ethernet profile "one" {
    # Configuration for the ethernet interface of the pseudowire
    local_ipaddr 10.5.1.1
    peer_ipaddr 10.5.1.2
}

session profile "two" {
    # Use a fixed cookie value for this session
    cookie hex:2233445566778899

    # Match this profile only with requests using this cookie
    peer_cookie hex:12345678abcdef01

    pseudowire_type eth
    ethernet_profile_name "two"
}

ethernet profile "two" {
    # Configuration for the ethernet interface of the pseudowire
    local_ipaddr 10.5.1.3
    peer_ipaddr 10.5.1.4
}

If the client uses ProL2TP, it would be configured to connect to the
above server as follows:-

system {
    # Don't let this system be used as a LNS
    deny_remote_tunnel_creates yes
    operational_mode lac
}

ethernet profile "one" {
    # Configuration for the ethernet interface of the pseudowire
    local_ipaddr 10.5.1.2
    peer_ipaddr 10.5.1.1
}

tunnel "one" {
    dest_ipaddr 1.2.3.4

    # Use L2TPv3.
    proto_version 3

    # L2TPv3 tunnel authentication
    auth_mode challenge
    secret "my_password"
    message_digest md5

    session "one" {
        use_sequence_numbers no
        pseudowire_type eth
        ethernet_profile_name "one"
        cookie hex:aa55bb6612345678
    }
}
SEE ALSO

prol2tp(1), prol2tpctl(1), prol2tp(7), prol2tpd(8)
This document was created by man2html, using the manual pages.
Time: 14:19:10 GMT, June 03, 2013