diff options
| author | Robert Göhler <github@ghlr.de> | 2021-01-24 22:14:00 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-24 22:14:00 +0100 |
| commit | c25c40dfa96dfeb022b203280c607c1f1835417b (patch) | |
| tree | ed05f81d48c65639e621ee3a067f435cb204ea9e /docs/configuration/interfaces/l2tpv3.rst | |
| parent | ce9f2016218f0c162bd48457a41a18db15e52749 (diff) | |
| download | vyos-documentation-c25c40dfa96dfeb022b203280c607c1f1835417b.tar.gz vyos-documentation-c25c40dfa96dfeb022b203280c607c1f1835417b.zip | |
Migrate new file structure to crux (#435)
* order workflows and add submodule
* rename gitmodules file
* delete docs/.gitignore
* add vyos custom linter
* correct __pycache__ in gitignore
* add test-coverage.py
* move draw.io folder
* arrange changelog, install history and about
* arrange: firewall
* arrange: highavailability
* arrange: loadbalancing
* arrange: nat
* arrange: services
* sort configexamples and configuration interfaces
* wireles: rename wireless
* rearrange: Protocols and Policy
* rearrange: Firewall and Zone Policy
* rearrange: Interfaces
* rearrange: Interfaces
* rearrange: dynamic DNS
* hostinfo: add page to index
* rearrange: appendix
* venv: add Pipfile
* rearrange: contributing
* index: remove debugging
* rearrange: fix all figure and refs
* rearrange: commandtree
* fix: cli, openvpn, install headline level
* protocols: change headline
* firewall: move mss clamping
* ip: separate ipv4 and ipv6
* arp: move to static page
* igmp: rename multicast page
* Update to year 2021
Diffstat (limited to 'docs/configuration/interfaces/l2tpv3.rst')
| -rw-r--r-- | docs/configuration/interfaces/l2tpv3.rst | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst new file mode 100644 index 00000000..4514412d --- /dev/null +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -0,0 +1,119 @@ +.. _l2tpv3-interface: + +L2TPv3 Interfaces +----------------- + +L2TPv3 is a pseudowire protocol, you can read more about here `Wikipedia L2TPv3`_ or `RFC3921`_ + +L2TPv3 can transport any traffic including ethernet frames. L2TPv2 is limited to PPP. + + +L2TPv3 over IP +^^^^^^^^^^^^^^ + +.. code-block:: none + + # show interfaces l2tpv3 + l2tpv3 l2tpeth10 { + address 192.168.37.1/27 + encapsulation ip + local-ip 192.0.2.1 + peer-session-id 100 + peer-tunnel-id 200 + remote-ip 203.0.113.24 + session-id 100 + tunnel-id 200 + } + +Inverse configuration has to be applied to the remote side. + +L2TPv3 over UDP +^^^^^^^^^^^^^^^ + +UDP mode works better with NAT: + +* Set local-ip to your local IP (LAN). +* Add a forwarding rule matching UDP port on your internet router. + +.. code-block:: none + + # show interfaces l2tpv3 + l2tpv3 l2tpeth10 { + address 192.168.37.1/27 + destination-port 9001 + encapsulation udp + local-ip 192.0.2.1 + peer-session-id 100 + peer-tunnel-id 200 + remote-ip 203.0.113.24 + session-id 100 + source-port 9000 + tunnel-id 200 + } + +To create more than one tunnel, use distinct UDP ports. + + +L2TPv3 over IPSec, L2 VPN (bridge) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This is the LAN extension use case. The eth0 port of the distant VPN peers will be directly connected like if there was a switch between them. + +IPSec: + +.. code-block:: none + + set vpn ipsec ipsec-interfaces <VPN-interface> + set vpn ipsec esp-group test-ESP-1 compression 'disable' + set vpn ipsec esp-group test-ESP-1 lifetime '3600' + set vpn ipsec esp-group test-ESP-1 mode 'transport' + set vpn ipsec esp-group test-ESP-1 pfs 'enable' + set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128' + set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1' + set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no' + set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1' + set vpn ipsec ike-group test-IKE-1 lifetime '3600' + set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5' + set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128' + set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1' + set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key> + set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate' + set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1' + set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip> + set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable' + set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable' + set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1' + set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' + +Bridge: + +.. code-block:: none + + set interfaces bridge br0 description 'L2 VPN Bridge' + # remote side in this example: + # set interfaces bridge br0 address '172.16.30.18/30' + set interfaces bridge br0 address '172.16.30.17/30' + set interfaces ethernet eth0 bridge-group bridge 'br0' + set interfaces ethernet eth0 description 'L2 VPN Physical port' + +L2TPv3: + +.. code-block:: none + + set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0' + set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel' + set interfaces l2tpv3 l2tpeth0 destination-port '5000' + set interfaces l2tpv3 l2tpeth0 encapsulation 'ip' + set interfaces l2tpv3 l2tpeth0 local-ip <local-ip> + set interfaces l2tpv3 l2tpeth0 mtu '1500' + set interfaces l2tpv3 l2tpeth0 peer-session-id '110' + set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10' + set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip> + set interfaces l2tpv3 l2tpeth0 session-id '110' + set interfaces l2tpv3 l2tpeth0 source-port '5000' + set interfaces l2tpv3 l2tpeth0 tunnel-id '10' + +.. _`Wikipedia L2TPv3`: http://en.wikipedia.org/wiki/L2TPv3 +.. _`RFC3921`: https://tools.ietf.org/html/rfc3931
\ No newline at end of file |