Difference between revisions of "L2TPv3"

From VyOS Wiki
Line 22: Line 22:
 
=== Examples ===
 
=== Examples ===
  
L2TPv3 over IP:
+
==== L2TPv3 over IP ====
 
<pre>
 
<pre>
 
# show interfaces l2tpv3  
 
# show interfaces l2tpv3  
Line 37: Line 37:
 
</pre>
 
</pre>
  
L2TPv3 over UDP:
+
==== L2TPv3 over UDP ====
 
<pre>
 
<pre>
 
# show interfaces l2tpv3  
 
# show interfaces l2tpv3  
Line 53: Line 53:
 
  }
 
  }
 
</pre>
 
</pre>
 +
 +
 +
 +
==== L2TPv3 over IPSec, L2 VPN (bridge) ====
 +
IPSec:
 +
set vpn ipsec esp-group test-ESP-1 compression 'disable'
 +
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
 +
set vpn ipsec esp-group test-ESP-1 mode 'transport'
 +
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
 +
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
 +
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
 +
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
 +
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
 +
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
 +
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
 +
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
 +
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' authentication mode 'pre-shared-secret'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' authentication pre-shared-secret ''<pre-shared-key>''
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' connection-type 'initiate'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' ike-group 'test-IKE-1'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' ikev2-reauth 'inherit'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' local-address ''<local-ip>''
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' tunnel 1 allow-nat-networks 'disable'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' tunnel 1 allow-public-networks 'disable'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' tunnel 1 esp-group 'test-ESP-1'
 +
set vpn ipsec site-to-site peer ''<peer-ip>'' tunnel 1 protocol 'l2tp'
 +
 +
Bridge:
 +
set interfaces bridge br0 description 'L2 VPN Bridge'
 +
set interfaces bridge br0 address '172.16.30.17/30'
 +
set interfaces ethernet eth0 bridge-group bridge 'br0'
 +
set interfaces ethernet eth0 description 'L2 VPN Physical port'
 +
 +
L2TPv3:
 +
set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0'
 +
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
 +
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
 +
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
 +
set interfaces l2tpv3 l2tpeth0 local-ip ''<local-ip>''
 +
set interfaces l2tpv3 l2tpeth0 mtu '1500'
 +
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
 +
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
 +
set interfaces l2tpv3 l2tpeth0 remote-ip '''<peer-ip>'''
 +
set interfaces l2tpv3 l2tpeth0 session-id '110'
 +
set interfaces l2tpv3 l2tpeth0 source-port '5000'
 +
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'
 +
 +
== Notes ==
 +
* Linux/VyOS L2TPv3 does not interop with Cisco out of the box.
 +
* OpenVPN is easier to deploy for the 'Layer 2 L2TPv3/IPsec' use case.
  
 
[[Category: User documentation]]
 
[[Category: User documentation]]
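Review bot: the new l2tpv3 block sets `encapsulation 'ip'` together with `destination-port '5000'` and `source-port '5000'`, but the configuration reference on this page lists ports as UDP-only, so either the encapsulation should read 'udp' or the two port lines should be dropped; the reference also names the port options `local-port`/`remote-port` while both existing examples and this block use `source-port`/`destination-port`, and one of the two should be corrected so readers can copy the commands. The placeholder markup is inconsistent: `remote-ip '''<peer-ip>'''` uses bold where every other placeholder in the block uses ''<peer-ip>''. The IKE/ESP proposals (ikev1, aes128, sha1, dh-group 5) are presented without comment; a sentence saying they are illustrative values rather than a recommendation would help.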

Revision as of 12:24, 23 May 2017

L2TPv3 is a pseudowire protocol; more information is available in the Wikipedia article on L2TPv3.

Configuration commands

interfaces
  l2tpv3 <l2tpeth[0-999]>
    encapsulation <ip|udp>
    local-ip <ipv4> # Local address
    remote-ip <ipv4> # Remote address
    local-port <1-65535> # Local port, UDP only
    remote-port <1-65535> # Remote port, UDP only
    session-id <int32> # Local L2TPv3 session identifier
    peer-session-id <int32> # Remote L2TPv3 session identifier
    tunnel-id <int32> # Local L2TPv3 tunnel identifier
    peer-tunnel-id <int32> # Remote L2TPv3 tunnel identifier

All other usual interface commands (firewall, QoS etc.) are supported on L2TPv3 interfaces as well.

Examples

L2TPv3 over IP

# show interfaces l2tpv3 
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     encapsulation ip
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     tunnel-id 200
 }

L2TPv3 over UDP

# show interfaces l2tpv3 
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     destination-port 9001
     encapsulation udp
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     source-port 9000
     tunnel-id 200
 }
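As an added check (example code, not part of the VyOS wiki page or of VyOS itself): a small Python script that parses the `show interfaces l2tpv3` output shown above and verifies that the two ends of a pseudowire mirror each other, i.e. local/remote addresses, tunnel and session IDs and, for UDP encapsulation, source/destination ports are swapped correctly. The far-end configuration is constructed here for illustration; the script also flags port options on an IP-encapsulated interface, which the configuration reference above describes as UDP-only.

```python
import re

# Constructed sample: the "L2TPv3 over UDP" example from this page, as
# printed by 'show interfaces l2tpv3' on the local router.
SIDE_A = """ l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     destination-port 9001
     encapsulation udp
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     source-port 9000
     tunnel-id 200
 }"""
# Constructed peer configuration: what the far end must look like.
SIDE_B = {"encapsulation": "udp", "local-ip": "203.0.113.24",
          "remote-ip": "192.0.2.1", "tunnel-id": "200", "peer-tunnel-id": "200",
          "session-id": "100", "peer-session-id": "100",
          "source-port": "9001", "destination-port": "9000"}

def parse_l2tpv3(text):
    """Return {interface: {option: value}} from 'show interfaces l2tpv3' output."""
    result, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*l2tpv3\s+(\S+)\s*\{", line):
            current = result.setdefault(m.group(1), {})   # new interface block
        elif current is not None and (m := re.match(r"\s*([\w-]+)\s+(\S+)\s*$", line)):
            current[m.group(1)] = m.group(2)              # "option value" line
    return result

# Every option on this side must equal the mirrored option on the peer.
MIRROR = {"local-ip": "remote-ip", "remote-ip": "local-ip",
          "tunnel-id": "peer-tunnel-id", "peer-tunnel-id": "tunnel-id",
          "session-id": "peer-session-id", "peer-session-id": "session-id",
          "source-port": "destination-port", "destination-port": "source-port"}

def check_pair(a, b):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    if a.get("encapsulation") != b.get("encapsulation"):
        problems.append("encapsulation mismatch")
    for key, peer_key in MIRROR.items():
        if key.endswith("-port") and a.get("encapsulation") != "udp":
            if key in a:  # ports only apply to UDP encapsulation
                problems.append(f"{key} set but encapsulation is not udp")
            continue
        if a.get(key) != b.get(peer_key):
            problems.append(f"{key}={a.get(key)} does not match peer {peer_key}={b.get(peer_key)}")
    return problems
```

Run `check_pair(parse_l2tpv3(SIDE_A)["l2tpeth10"], SIDE_B)` on both routers' output before troubleshooting a tunnel that stays down; a mismatched ID or swapped port is the usual cause.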


L2TPv3 over IPSec, L2 VPN (bridge)

IPSec:

set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' 

Bridge:

set interfaces bridge br0 description 'L2 VPN Bridge'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces ethernet eth0 bridge-group bridge 'br0'
set interfaces ethernet eth0 description 'L2 VPN Physical port'

L2TPv3:

set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 local-ip <local-ip>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'

Notes

  • Linux/VyOS L2TPv3 does not interoperate with Cisco's implementation out of the box.
  • OpenVPN is easier to deploy for the 'Layer 2 L2TPv3/IPsec' use case.