1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
.. include:: /_include/need_improvement.txt
.. _l2tpv3-interface:
######
L2TPv3
######
Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that
can be used as an alternative protocol to :ref:`mpls` for encapsulation of
multiprotocol Layer 2 communications traffic over IP networks. Like L2TP,
L2TPv3 provides a pseudo-wire service, but scaled to fit carrier requirements.
L2TPv3 can be regarded as being to MPLS what IP is to ATM: a simplified version
of the same concept, with much of the same benefit achieved at a fraction of the
effort, at the cost of losing some technical features considered less important
in the market.
In the case of L2TPv3, the features lost are teletraffic engineering features
considered important in MPLS. However, there is no reason these features could
not be re-engineered in or on top of L2TPv3 in later products.
The protocol overhead of L2TPv3 is also significantly bigger than MPLS.
L2TPv3 is described in :rfc:`3921`.
*************
Configuration
*************
Common interface configuration
==============================
.. cmdinclude:: /_include/interface-common-without-dhcp.txt
:var0: l2tpv3
:var1: l2tpeth0
L2TPv3 options
==============
.. cfgcmd:: set interfaces l2tpv3 <interface> encapsulation <udp | ip>
Set the encapsulation type of the tunnel. Valid values for encapsulation are:
udp, ip.
This defaults to UDP
.. cfgcmd:: set interfaces l2tpv3 <interface> local-ip <address>
set the IP address of the local interface to be used for the tunnel.
This address must be the address of a local interface. May be specified as an
IPv4 address or an IPv6 address.
.. cfgcmd:: set interfaces l2tpv3 <interface> remote-ip <address>
Set the IP address of the remote peer. May be specified as an IPv4 address or
an IPv6 address.
.. cfgcmd:: set interfaces l2tpv3 <interface> session-id <id>
Set the session id, which is a 32-bit integer value. Uniquely identifies the
session being created. The value used must match the peer_session_id value
being used at the peer.
.. cfgcmd:: set interfaces l2tpv3 <interface> peer-session-id <id>
Set the peer session id, which is a 32-bit integer value assigned to the
session by the peer. The value used must match the session_id value being
used at the peer.
.. cfgcmd:: set interfaces l2tpv3 <interface> tunnel-id <id>
Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the
tunnel into which the session will be created.
.. cfgcmd:: set interfaces l2tpv3 <interface> peer-tunnel-id <id>
Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the
tunnel into which the session will be created.
*******
Example
*******
Over IP
=======
.. code-block:: none
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
address 192.168.37.1/27
encapsulation ip
local-ip 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote-ip 203.0.113.24
session-id 100
tunnel-id 200
}
Inverse configuration has to be applied to the remote side.
Over UDP
========
UDP mode works better with NAT:
* Set local-ip to your local IP (LAN).
* Add a forwarding rule matching UDP port on your internet router.
.. code-block:: none
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
address 192.168.37.1/27
destination-port 9001
encapsulation udp
local-ip 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote-ip 203.0.113.24
session-id 100
source-port 9000
tunnel-id 200
}
To create more than one tunnel, use distinct UDP ports.
Over IPSec, L2 VPN (bridge)
===========================
This is the LAN extension use case. The eth0 port of the distant VPN peers
will be directly connected like if there was a switch between them.
IPSec:
.. code-block:: none
set vpn ipsec ipsec-interfaces <VPN-interface>
set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'
Bridge:
.. code-block:: none
set interfaces bridge br0 description 'L2 VPN Bridge'
# remote side in this example:
# set interfaces bridge br0 address '172.16.30.18/30'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces bridge br0 member interface eth0
set interfaces ethernet eth0 description 'L2 VPN Physical port'
L2TPv3:
.. code-block:: none
set interfaces bridge br0 member interface 'l2tpeth0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 local-ip <local-ip>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'
|