<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>L2TP device type commands</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">
<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd42.html"><EM>Device Types</EM></A>
<b>:</b> <EM>L2TP device type commands</EM><BR>
<b>Previous:</b> <A HREF="mpd47.html"><EM>PPTP device type commands</EM></A><BR>
<b>Next:</b> <A HREF="mpd49.html"><EM>PPPoE device type commands</EM></A>
<HR NOSHADE>
<H2><A NAME="48"></A>5.6. L2TP device type commands<A NAME="l2tp"></A></H2>
<p>This chapter describes commands that are specific to L2TP type links.
These commands apply to the currently active link, and are only
valid if the currently active link has type <b>l2tp</b>.</p>
<p>The L2TP protocol utilizes UDP datagrams on port 1701 (and this is
the default for <code><em>port</em></code> in the commands below)
to create and maintain virtual tunnel between IP peers.
One or more independent PPP connections (sessions) can be
carried inside this tunnel.</p>
<p>Complete L2TP network topology looks like:
<pre>
client <- some link type -> LAC <- L2TP tunnel -> LNS
</pre>
</p>
<p>LAC is physical level repeater, which receives PPP connection of some
type and forwards it to LNS using L2TP protocol. LNS is a PPP endpoint,
which receives PPP frames via L2TP tunnel and processes them.</p>
<p>In simple case, when physical conversion is not required, topology
can be simplified to:
<pre>
client (LAC emulator) <- L2TP tunnel -> LNS
</pre>
</p>
<p>Mpd is able to operate in both LAC and LNS modes. As LAC mpd supports
both simple case LAC emulator and complete LAC topologies. Complete
LAC can be configured by joining two physical devices using mpd's
repeater functionality.</p>
<p>Windows L2TP client uses IPSec encryption for the additional tunnel
security. So, to let it connect you must configure IPSec on your
MPD router or disable IPSec on Windows by setting registry
DWORD value ProhibitIpSec at the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
into "1".</p>
<p>
<dl>
<dt><b><code>set l2tp self <em>ipaddr</em> [ <em>port</em> ]</code></b><dd><p>Sets the local IP address and port for the L2TP connection.
There is known implementation bug if this option is not set
while accepting incoming connections on the router with multiple
IPs and clients are connecting not to the nearest address of
this router.</p>
<dt><b><code>set l2tp peer <em>ipaddr</em> [ <em>port</em> ]</code></b><dd><p>Sets the peer IP address and port for the L2TP connection.
This command applies to both incoming and outgoing connections.
For outgoing connections, this command is required in order to
specify where to connect to. For incoming connections, this command
is optional; if not given, mpd accepts incoming connections from any
host. Otherwise, only connections from the stated IP address
(and, optionally, port) are allowed.</p>
<dt><b><code>set l2tp hostname <em>name</em></code></b><dd><p>Sets the L2TP tunnel local hostname. For server side, only one
unique hostname supported for every pair of listening IP (set l2tp self ...)
and peer ip (set l2tp peer ...).
If several hostnames defined, only the first matching will be used for all
incoming connections.</p>
<dt><b><code>set l2tp pmask <em>mask</em></code></b><dd><p>Check peer hostname, related to wildcard <code><em>mask</em></code>.
Wildcard can contain any shell-like mask, such as "*.myhost.com"
Peer can set self hostname with <code><em>set l2tp hostname</em></code> command.</p>
<dt><b><code>set l2tp secret <em>secret</em></code></b><dd><p>Sets the L2TP tunnel secret. Used to authenticate tunnel connection
and encrypt important control packets avpairs. For server side, only
one unique secret supported for every pair of listening IP (set l2tp self ...)
and peer ip (set l2tp peer ...).
If several secrets defined, only the first matching will be used for all
incoming connections.</p>
<p>NOTE: This options is not related with usual PPP authentication.
Windows client does not support tunnel authentication.</p>
<dt><b><code>set l2tp callingnum <em>number</em></code></b><dd>
<dt><b><code>set l2tp callednum <em>number</em></code></b><dd><p>Sets the calling and called telephone number to use when initiating a L2TP
connection. For most VPN applications this is ignored, but in certain
cases an actual phone number is required.
The default is the empty string.</p>
<dt><b><code>set l2tp enable <em>option ...</em> </code></b><dd>
<dt><b><code>set l2tp disable <em>option ...</em> </code></b><dd>
<p>Enable and disable L2TP device type options for the link.</p>
</dl>
</p>
<p>The following options are supported:</p>
<p>
<dl>
<dt><b><code>outcall</code></b><dd><p>Inside L2TP tunnel, each individual PPP connection (there may be several),
is initiated as either an incoming or an outgoing call.
This allows to make an outgoing phone call (by LNS) via a remote access
server (LAC), as well as in more common case forward an incoming
phone call from an access server (LAC) to a remote L2TP server (LNS).</p>
<p>When this option is enabled, mpd will initiate outgoing calls (LNS);
otherwise mpd will initiate incoming calls (LAC).</p>
<p>The default is disable.</p>
<dt><b><code>hidden</code></b><dd><p>When L2TP tunnel secret is configured it is possible hide (encrypt) some
control data for additional protection.</p>
<p>The default is disable.</p>
<dt><b><code>length</code></b><dd><p>By default L2TP uses header Length field for control packets, but not for
data packets. This option enables Length field for data packets.
This feature enabled may be useful on links where packets padding may
happend. Disabling it reduces overhead by 2 bytes per packet.</p>
<p>The default is disable.</p>
<dt><b><code>dataseq</code></b><dd><p>By default L2TP requires header sequence fields for control packets, but
not require them for data packets. This option enables sequence fields for
data packets.
This feature enabled may be useful on links where packets reordering may
happend but it is intolerable. Disabling it reduces overhead by 4 bytes per packet.</p>
<p>The default is enable.</p>
<dt><b><code>resolve-once</code></b><dd><p>Enables resolving peer address only once, on startup, or on manual
typing in CLI.</p>
<p>The default is enable.</p>
</dl>
</p>
<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd42.html"><EM>Device Types</EM></A>
<b>:</b> <EM>L2TP device type commands</EM><BR>
<b>Previous:</b> <A HREF="mpd47.html"><EM>PPTP device type commands</EM></A><BR>
<b>Next:</b> <A HREF="mpd49.html"><EM>PPPoE device type commands</EM></A>
</BODY>
</HTML>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>