xl2tpd.conf - L2TPD configuration file
The xl2tpd.conf file contains configuration information for
xl2tpd, the implementation of l2tp protocol.
The configuration file is composed of sections and parameters.
Each section has a given name which will be used when using the
configuration FIFO (normally /var/run/xl2tpd/l2tp-control). See xl2tpd.8 for
more details.
The specific given name default will specify parameters
applicable for all the following sections.
- auth file
- Specify where to find the authentication file used to authenticate l2tp
tunnels. The default is /etc/xl2tpd/l2tp-secrets.
- ipsec saref
- Use IPsec Security Association tracking. When this is enabled, packets
received by xl2tpd should have to extra fields (refme and refhim) which
allows tracking of multiple clients using the same internal NATed IP
address, and allows tracking of multiple clients behind the same NAT
router. This needs to be supported by the kernel. Currently, this only
works with Openswan KLIPS in "mast" mode. (see
http://www.openswan.org/)
Set this to yes and the system will provide proper SAref
values in the recvmsg() calls.
Values can be yes or no. The default is no.
- saref
refinfo
- When using IPsec Security Association trackinng, a new setsockopt is used.
Since this is not (yet?) an official Linux kernel option, we got bumped.
Openswan upto 2.6.35 for linux kernels up to 2.6.35 used a saref num of
22. Linux 3.6.36+ uses 22 for IP_NODEFRAG. We moved our IP_IPSEC_REFINFO
to 30. If not set, the default is to use 30. For older SAref patched
kernels, use 22.
- listen-addr
- The IP address of the interface on which the daemon listens. By default,
it listens on INADDR_ANY (0.0.0.0), meaning it listens on all interfaces.
- port
- Specify which UDP port xl2tpd should use. The default is 1701.
- access
control
- If set to yes, the xl2tpd process will only accept connections from peers
addresses specified in the following sections. The default is no.
- debug avp
- Set this to yes to enable syslog output of L2TP AVP debugging information.
- debug
network
- Set this to yes to enable syslog output of network debugging information.
- debug
packet
- Set this to yes to enable printing of L2TP packet debugging information.
Note: Output goes to STDOUT, so use this only in conjunction with the
-D command line option.
- debug
state
- Set this to yes to enable syslog output of FSM debugging information.
- debug
tunnel
- Set this to yes to enable syslog output of tunnel debugging information.
- max retries
- Specify how many retries before a tunnel is closed. If there is no tunnel,
then stop re-transmitting. The default is 5.
- exclusive
- If set to yes, only one control tunnel will be allowed to be built between
2 peers. CHECK
- (no) ip range
- Specify the range of ip addresses the LNS will assign to the connecting
LAC PPP tunnels. Multiple ranges can be defined. Using the 'no' statement
disallows the use of that particular range. Ranges are defined using the
format IP - IP (example: 1.1.1.1 - 1.1.1.10). Note that either at least
one ip range option must be given, or you must set assign ip
to no.
- assign ip
- Set this to no if xl2tpd should not assign IP addresses out of the pool
defined with the ip range option. This can be useful if you have
some other means to assign IP addresses, e. g. a pppd that supports RADIUS
AAA.
- (no) lac
- Specify the ip addresses of LAC's which are allowed to connect to xl2tpd
acting as a LNS. The format is the same as the ip range option.
- hidden bit
- If set to yes, xl2tpd will use the AVP hiding feature of L2TP. To get more
information about hidden AVP's and AVP in general, refer to rfc2661 (add
URL?)
- local ip
- Use the following IP as xl2tpd's own ip address.
- local ip
range
- Specify the range of addresses the LNS will assign as the local address to
connecting LAC PPP tunnels. This option is mutually exclusive with the
local ip option and is useful in cases where it is desirable to
have a unique IP address for each tunnel. Specify the range value exactly
like the ip range option. Note that the assign ip option has
no effect on this option.
- length bit
- If set to yes, the length bit present in the l2tp packet payload will be
used.
- (refuse | require) chap
- Will require or refuse the remote peer to get authenticated via CHAP for
the ppp authentication.
- (refuse | require) pap
- Will require or refuse the remote peer to get authenticated via PAP for
the ppp authentication.
- (refuse | require) authentication
- Will require or refuse the remote peer to authenticate itself.
- unix
authentication
- If set to yes, /etc/passwd will be used for remote peer ppp
authentication.
- hostname
- Will report this as the xl2tpd hostname in negotiation.
- ppp debug
- This will enable the debug for pppd.
- pass peer
- Pass the peer's IP address to pppd as ipparam. Enabled by default.
- pppoptfile
- Specify the path for a file which contains pppd configuration parameters
to be used.
- call rws
- This option is deprecated and no longer functions. It used to be used to
define the flow control window size for individual L2TP calls or sessions.
The L2TP standard (RFC2661) no longer defines flow control or window sizes
on calls or sessions.
- tunnel rws
- This defines the window size of the control channel. The window size is
defined as the number of outstanding unacknowledged packets, not as a
number of bytes.
- flow bits
- If set to yes, sequence numbers will be included in the communication. The
feature to use sequence numbers in sessions is currently broken and does
not function.
- challenge
- If set to yes, use challenge authentication to authenticate peer.
- rx bps
- If set, the receive bandwidth maximum will be set to this value
- tx bps
- If set, the transmit bandwidth maximum will be set to this value
The following are LAC specific configuration flags. Most of those
described in the LNS section may be used in a LAC context, where it makes
common sense (essentially l2tp protocols tuning flags and authentication /
ppp related ones).
- lns
- Set the dns name or ip address of the LNS to connect to.
- autodial
- If set to yes, xl2tpd will automatically dial the LAC during startup.
- redial
- If set to yes, xl2tpd will attempt to redial if the call get disconnected.
Note that, if enabled, xl2tpd will keep passwords in memory: a potential
security risk.
- redial timeout
- Wait X seconds before redial. The redial option must be set to yes to use
this option. Defaults to 30 seconds.
- max redials
- Will give up redial tries after X attempts.
/etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/l2tp-secrets
/var/run/xl2tpd/l2tp-control
Please address bugs and comment to xl2tpdv@lists.xelerance.com
Forked from xl2tpd by Xelerance
(https://www.xelerance.com/software/xl2tpd/)
Michael Richardson <mcr@xelerance.com> Paul Wouters
<paul@xelerance.com>
Many thanks to Jacco de Leeuw <jacco2@dds.nl> for
maintaining l2tpd.
Previous development was hosted at sourceforge
(http://www.sourceforge.net/projects/l2tpd) by:
Scott Balmos <sbalmos@iglou.com>
David Stipp <dstipp@one.net>
Jeff McAdams <jeffm@iglou.com>
Based off of l2tpd version 0.60
Copyright (C)1998 Adtran, Inc.
Mark Spencer <markster@marko.net>