.TH IP\-L2TP 8 "19 Apr 2012" "iproute2" "Linux"
.SH "NAME"
ip-l2tp - L2TPv3 static unmanaged tunnel configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B l2tp
.RI " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.BR "ip l2tp add tunnel"
.br
.BI remote " ADDR " local " ADDR "
.br
.B tunnel_id
.IR ID
.B peer_tunnel_id
.IR ID
.br
.RB "[ " encap " { " ip " | " udp " } ]"
.br
.RB "[ " udp_sport
.IR PORT
.RB " ] [ " udp_dport
.IR PORT
.RB " ]"
.br
.RB "[ " udp_csum " { " on " | " off " } ]"
.br
.RB "[ " udp6_csum_tx " { " on " | " off " } ]"
.br
.RB "[ " udp6_csum_rx " { " on " | " off " } ]"
.br
.ti -8
.BR "ip l2tp add session"
.RB "[ " name
.IR NAME
.RB " ]"
.br
.B tunnel_id
.IR ID
.B session_id
.IR ID
.B peer_session_id
.IR ID
.br
.RB "[ " cookie
.IR HEXSTR
.RB " ] [ " peer_cookie
.IR HEXSTR
.RB " ]"
.br
.RB "[ " l2spec_type " { " none " | " default " } ]"
.br
.RB "[ " seq " { " none " | " send " | " recv " | " both " } ]"
.br
.ti -8
.BR "ip l2tp del tunnel"
.B tunnel_id
.IR ID
.br
.ti -8
.BR "ip l2tp del session"
.B tunnel_id
.IR ID
.B session_id
.IR ID
.br
.ti -8
.BR "ip l2tp show tunnel" " [ " tunnel_id
.IR ID " ]"
.br
.ti -8
.BR "ip l2tp show session" " [ " tunnel_id
.IR ID " ] ["
.B session_id
.IR ID " ]"
.br
.ti -8
.IR NAME " := "
.IR STRING
.ti -8
.IR ADDR " := { " IP_ADDRESS " |"
.BR any " }"
.ti -8
.IR PORT " := { " NUMBER " }"
.ti -8
.IR ID " := { " NUMBER " }"
.ti -8
.IR HEXSTR " := { 8 or 16 hex digits (4 / 8 bytes) }"
.SH DESCRIPTION
The
.B ip l2tp
commands are used to establish static, or so-called
.I unmanaged
L2TPv3 ethernet tunnels. For unmanaged tunnels, there is no L2TP
control protocol so no userspace daemon is required - tunnels are
manually created by issuing commands at a local system and at a remote
peer.
.PP
L2TPv3 is suitable for Layer-2 tunneling. Static tunnels are useful
to establish network links across IP networks when the tunnels are
fixed. L2TPv3 tunnels can carry data of more than one session. Each
session is identified by a session_id and its parent tunnel's
tunnel_id. A tunnel must be created before a session can be created in
the tunnel.
.PP
When creating an L2TP tunnel, the IP address of the remote peer is
specified, which can be either an IPv4 or IPv6 address. The local IP
address to be used to reach the peer must also be specified. This is
the address on which the local system will listen for and accept
received L2TP data packets from the peer.
.PP
L2TPv3 defines two packet encapsulation formats: UDP or IP. UDP
encapsulation is most common. IP encapsulation uses a dedicated IP
protocol value to carry L2TP data without the overhead of UDP. Use IP
encapsulation only when there are no NAT devices or firewalls in the
network path.
.PP
When an L2TPv3 ethernet session is created, a virtual network
interface is created for the session, which must then be configured
and brought up, just like any other network interface. When data is
passed through the interface, it is carried over the L2TP tunnel to
the peer. By configuring the system's routing tables or adding the
interface to a bridge, the L2TP interface is like a virtual wire
(pseudowire) connected to the peer.
.PP
Establishing an unmanaged L2TPv3 ethernet pseudowire involves manually
creating L2TP contexts on the local system and at the peer. Parameters
used at each site must correspond or no data will be passed. No
consistency checks are possible since there is no control protocol
used to establish unmanaged L2TP tunnels. Once the virtual network
interface of a given L2TP session is configured and enabled, data can
be transmitted, even if the peer isn't yet configured. If the peer
isn't configured, the L2TP data packets will be discarded by
the peer.
.PP
To establish an unmanaged L2TP tunnel, use
.B l2tp add tunnel
and
.B l2tp add session
commands described in this document. Then configure and enable the
tunnel's virtual network interface, as required.
.PP
Note that unmanaged tunnels carry only ethernet frames. If you need to
carry PPP traffic (L2TPv2) or your peer doesn't support unmanaged
L2TPv3 tunnels, you will need an L2TP server which implements the L2TP
control protocol. The L2TP control protocol allows dynamic L2TP
tunnels and sessions to be established and provides for detecting and
acting upon network failures.
.SS ip l2tp add tunnel - add a new tunnel
.TP
.BI tunnel_id " ID"
set the tunnel id, which is a 32-bit integer value. Uniquely
identifies the tunnel. The value used must match the peer_tunnel_id
value being used at the peer.
.TP
.BI peer_tunnel_id " ID"
set the peer tunnel id, which is a 32-bit integer value assigned to
the tunnel by the peer. The value used must match the tunnel_id value
being used at the peer.
.TP
.BI remote " ADDR"
set the IP address of the remote peer. May be specified as an IPv4
address or an IPv6 address.
.TP
.BI local " ADDR"
set the IP address of the local interface to be used for the
tunnel. This address must be the address of a local interface. May be
specified as an IPv4 address or an IPv6 address.
.TP
.BI encap " ENCAP"
set the encapsulation type of the tunnel.
.br
Valid values for encapsulation are:
.BR udp ", " ip "."
.TP
.BI udp_sport " PORT"
set the UDP source port to be used for the tunnel. Must be present
when udp encapsulation is selected. Ignored when ip encapsulation is
selected.
.TP
.BI udp_dport " PORT"
set the UDP destination port to be used for the tunnel. Must be
present when udp encapsulation is selected. Ignored when ip
encapsulation is selected.
.TP
.BI udp_csum " STATE"
(IPv4 only) control if IPv4 UDP checksums should be calculated and checked for the
encapsulating UDP packets, when UDP encapsulation is selected.
Default is
.BR off "."
.br
Valid values are:
.BR on ", " off "."
.TP
.BI udp6_csum_tx " STATE"
(IPv6 only) control if IPv6 UDP checksums should be calculated for encapsulating
UDP packets, when UDP encapsulation is selected.
Default is
.BR on "."
.br
Valid values are:
.BR on ", " off "."
.TP
.BI udp6_csum_rx " STATE"
(IPv6 only) control if IPv6 UDP checksums should be checked for the encapsulating
UDP packets, when UDP encapsulation is selected.
Default is
.BR on "."
.br
Valid values are:
.BR on ", " off "."
.SS ip l2tp del tunnel - destroy a tunnel
.TP
.BI tunnel_id " ID"
set the tunnel id of the tunnel to be deleted. All sessions within the
tunnel must be deleted first.
.SS ip l2tp show tunnel - show information about tunnels
.TP
.BI tunnel_id " ID"
set the tunnel id of the tunnel to be shown. If not specified,
information about all tunnels is printed.
.SS ip l2tp add session - add a new session to a tunnel
.TP
.BI name " NAME "
sets the session network interface name. Default is l2tpethN.
.TP
.BI tunnel_id " ID"
set the tunnel id, which is a 32-bit integer value. Uniquely
identifies the tunnel into which the session will be created. The
tunnel must already exist.
.TP
.BI session_id " ID"
set the session id, which is a 32-bit integer value. Uniquely
identifies the session being created. The value used must match the
peer_session_id value being used at the peer.
.TP
.BI peer_session_id " ID"
set the peer session id, which is a 32-bit integer value assigned to
the session by the peer. The value used must match the session_id
value being used at the peer.
.TP
.BI cookie " HEXSTR"
sets an optional cookie value to be assigned to the session. This is a
4 or 8 byte value, specified as 8 or 16 hex digits,
e.g. 014d3636deadbeef. The value must match the peer_cookie value set
at the peer. The cookie value is carried in L2TP data packets and is
checked against the expected value at the peer. Default is to use no cookie.
.TP
.BI peer_cookie " HEXSTR"
sets an optional peer cookie value to be assigned to the session. This
is a 4 or 8 byte value, specified as 8 or 16 hex digits,
e.g. 014d3636deadbeef. The value must match the cookie value set at
the peer. It tells the local system what cookie value to expect to
find in received L2TP packets. Default is to use no cookie.
.TP
.BI l2spec_type " L2SPECTYPE"
set the layer2specific header type of the session.
.br
Valid values are:
.BR none ", " default "."
.TP
.BI seq " SEQ"
controls sequence numbering to prevent or detect out of order packets.
.B send
puts a sequence number in the default layer2specific header of each
outgoing packet.
.B recv
reorders packets if they are received out of order.
Default is
.BR none "."
.br
Valid values are:
.BR none ", " send ", " recv ", " both "."
.SS ip l2tp del session - destroy a session
.TP
.BI tunnel_id " ID"
set the tunnel id in which the session to be deleted is located.
.TP
.BI session_id " ID"
set the session id of the session to be deleted.
.SS ip l2tp show session - show information about sessions
.TP
.BI tunnel_id " ID"
set the tunnel id of the session(s) to be shown. If not specified,
information about sessions in all tunnels is printed.
.TP
.BI session_id " ID"
set the session id of the session to be shown. If not specified,
information about all sessions is printed.
.SH EXAMPLES
.PP
.SS Setup L2TP tunnels and sessions
.nf
site-A:# ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 \\
encap udp local 1.2.3.4 remote 5.6.7.8 \\
udp_sport 5000 udp_dport 6000
site-A:# ip l2tp add session tunnel_id 3000 session_id 1000 \\
peer_session_id 2000

site-B:# ip l2tp add tunnel tunnel_id 4000 peer_tunnel_id 3000 \\
encap udp local 5.6.7.8 remote 1.2.3.4 \\
udp_sport 6000 udp_dport 5000
site-B:# ip l2tp add session tunnel_id 4000 session_id 2000 \\
peer_session_id 1000

site-A:# ip link set l2tpeth0 up mtu 1488

site-B:# ip link set l2tpeth0 up mtu 1488
.fi
.PP
Notice that the IP addresses, UDP ports and tunnel / session ids are
matched and reversed at each site.
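.PP
Because no control protocol checks that the two sites agree, and the cookie is only useful when both sides hold matching values, the following added example (not part of the original man page or of iproute2) compares the two sites' command lines offline before they are applied. The function and variable names, the second cookie value, the use of /dev/urandom for new cookies, and the rule that an option given at one site only counts as a mismatch are assumptions of this example.

```bash
#!/bin/sh
# Added example: offline mirror check for static L2TPv3 settings.
# It only inspects command text; it never runs ip(8).

# l2tp_get KEY CMDLINE: print the word that follows KEY (nothing if absent).
l2tp_get() {
    key=$1
    set -f                      # no globbing while the command line is split
    set -- $2
    set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = "$key" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
}

# cookie_ok HEXSTR: true for an empty (unset) cookie or 8 / 16 hex digits.
cookie_ok() {
    case $1 in
        '') return 0 ;;
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ ${#1} -eq 8 ] || [ ${#1} -eq 16 ]
}

# l2tp_new_cookie: 8 bytes from the kernel CSPRNG as 16 hex digits.
l2tp_new_cookie() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# l2tp_note TEXT: append one finding to the report.
l2tp_note() {
    l2tp_errors="${l2tp_errors}$1
"
}

# l2tp_check_mirror A_TUNNEL A_SESSION B_TUNNEL B_SESSION
# Prints one line per mismatch; returns 0 only when nothing was found.
# An option given at one site only is reported (assumption of this example).
l2tp_check_mirror() {
    at=$1; as=$2; bt=$3; bs=$4; l2tp_errors=""
    for pair in tunnel_id:peer_tunnel_id peer_tunnel_id:tunnel_id \
                local:remote remote:local encap:encap \
                udp_sport:udp_dport udp_dport:udp_sport; do
        a=$(l2tp_get "${pair%%:*}" "$at"); b=$(l2tp_get "${pair##*:}" "$bt")
        [ "$a" = "$b" ] || l2tp_note "tunnel $pair: A='$a' B='$b'"
    done
    for pair in session_id:peer_session_id peer_session_id:session_id \
                cookie:peer_cookie peer_cookie:cookie \
                l2spec_type:l2spec_type; do
        a=$(l2tp_get "${pair%%:*}" "$as"); b=$(l2tp_get "${pair##*:}" "$bs")
        [ "$a" = "$b" ] || l2tp_note "session $pair: A='$a' B='$b'"
    done
    # Each session must live in the tunnel defined at its own site.
    [ "$(l2tp_get tunnel_id "$as")" = "$(l2tp_get tunnel_id "$at")" ] ||
        l2tp_note "site-A session is not in the site-A tunnel"
    [ "$(l2tp_get tunnel_id "$bs")" = "$(l2tp_get tunnel_id "$bt")" ] ||
        l2tp_note "site-B session is not in the site-B tunnel"
    # Site B's cookies equal site A's when mirrored, so A's format suffices.
    for c in "$(l2tp_get cookie "$as")" "$(l2tp_get peer_cookie "$as")"; do
        cookie_ok "$c" || l2tp_note "cookie '$c' is not 8 or 16 hex digits"
    done
    printf '%s' "$l2tp_errors"
    [ -z "$l2tp_errors" ]
}

# The page's site-A / site-B example; the cookie options are constructed.
A_TUNNEL='ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 encap udp
  local 1.2.3.4 remote 5.6.7.8 udp_sport 5000 udp_dport 6000'
A_SESSION='ip l2tp add session tunnel_id 3000 session_id 1000
  peer_session_id 2000 cookie 014d3636deadbeef peer_cookie 0123456789abcdef'
B_TUNNEL='ip l2tp add tunnel tunnel_id 4000 peer_tunnel_id 3000 encap udp
  local 5.6.7.8 remote 1.2.3.4 udp_sport 6000 udp_dport 5000'
B_SESSION='ip l2tp add session tunnel_id 4000 session_id 2000
  peer_session_id 1000 cookie 0123456789abcdef peer_cookie 014d3636deadbeef'

if l2tp_check_mirror "$A_TUNNEL" "$A_SESSION" "$B_TUNNEL" "$B_SESSION"; then
    echo "site-A and site-B settings mirror each other"
fi
```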
.SS Configure as IP interfaces
The two interfaces can be configured with IP addresses if only IP data
is to be carried. This is perhaps the simplest configuration.
.PP
.nf
site-A:# ip addr add 10.42.1.1 peer 10.42.1.2 dev l2tpeth0

site-B:# ip addr add 10.42.1.2 peer 10.42.1.1 dev l2tpeth0

site-A:# ping 10.42.1.2
.fi
.PP
Now the link should be usable. Add static routes as needed to have
data sent over the new link.
.PP
.SS Configure as bridged interfaces
To carry non-IP data, the L2TP network interface is added to a bridge
instead of being assigned its own IP address, using standard Linux
utilities. Since raw ethernet frames are then carried inside the
tunnel, the MTU of the L2TP interfaces must be set to allow space for
those headers.
.PP
.nf
site-A:# ip link set l2tpeth0 up mtu 1446
site-A:# ip link add br0 type bridge
site-A:# ip link set l2tpeth0 master br0
site-A:# ip link set eth0 master br0
site-A:# ip link set br0 up
.fi
.PP
If you are using VLANs, set up a bridge per VLAN and bridge each VLAN
over a separate L2TP session. For example, to bridge VLAN ID 5 on eth1
over an L2TP pseudowire:
.PP
.nf
site-A:# ip link set l2tpeth0 up mtu 1446
site-A:# ip link add brvlan5 type bridge
site-A:# ip link set l2tpeth0.5 master brvlan5
site-A:# ip link set eth1.5 master brvlan5
site-A:# ip link set brvlan5 up
.fi
.PP
Adding the L2TP interface to a bridge causes the bridge to forward
traffic over the L2TP pseudowire just like it forwards over any other
interface. The bridge learns MAC addresses of hosts attached to each
interface and intelligently forwards frames from one bridge port to
another. IP addresses are not assigned to the l2tpethN interfaces. If
the bridge is correctly configured at both sides of the L2TP
pseudowire, it should be possible to reach hosts in the peer's bridged
network.
.PP
When raw ethernet frames are bridged across an L2TP tunnel, large
frames may be fragmented and forwarded as individual IP fragments to
the recipient, depending on the MTU of the physical interface used by
the tunnel. When the ethernet frames carry protocols which are
reassembled by the recipient, like IP, this isn't a problem. However,
such fragmentation can cause problems for protocols like PPPoE where
the recipient expects to receive ethernet frames exactly as
transmitted. In such cases, it is important that frames leaving the
tunnel are reassembled back into a single frame before being
forwarded on. To do so, enable netfilter connection tracking
(conntrack) or manually load the Linux netfilter defrag modules at
each tunnel endpoint.
.PP
.nf
site-A:# modprobe nf_defrag_ipv4

site-B:# modprobe nf_defrag_ipv4
.fi
.PP
If L2TP is being used over IPv6, use the IPv6 defrag module.
.SH INTEROPERABILITY
.PP
Unmanaged (static) L2TPv3 tunnels are supported by some network
equipment vendors such as Cisco.
.PP
In Linux, L2TP Hello messages are not supported in unmanaged
tunnels. Hello messages are used by L2TP clients and servers to detect
link failures in order to automate tearing down and reestablishing
dynamic tunnels. If a non-Linux peer supports Hello messages in
unmanaged tunnels, they must be turned off to interoperate with Linux.
.PP
Linux defaults to use the Default Layer2SpecificHeader type as defined
in the L2TPv3 protocol specification, RFC3931. This setting must be
consistent with that configured at the peer. Some vendor
implementations (e.g. Cisco) default to use a Layer2SpecificHeader
type of None.
.SH SEE ALSO
.br
.BR ip (8)
.SH AUTHOR
James Chapman <jchapman@katalix.com>