Difference between revisions of "L2TPv3"

m (L2TPv3 over UDP)
Line 38: Line 38:
  
 
==== L2TPv3 over UDP ====
 
==== L2TPv3 over UDP ====
 +
UDP mode works well with NAT:
 +
* Set local-ip to your local IP (LAN).
 +
* Add a forwarding rule matching UDP port on your internet router.
 +
 
<pre>
 
<pre>
 
# show interfaces l2tpv3  
 
# show interfaces l2tpv3  
Line 54: Line 58:
 
</pre>
 
</pre>
  
 
+
To create more than one tunnel, use distinct UDP ports.
  
 
==== L2TPv3 over IPSec, L2 VPN (bridge) ====
 
==== L2TPv3 over IPSec, L2 VPN (bridge) ====

Revision as of 12:39, 31 May 2017

L2TPv3 is a pseudowire protocol; for more information see the Wikipedia article on L2TPv3, and the examples below.

Configuration commands

interfaces
  l2tpv3 <l2tpeth[0-999]>
    encapsulation <ip|udp>
    local-ip <ipv4> # Local address
    remote-ip <ipv4> # Remote address
    local-port <1-65535> # Local port, UDP only
    remote-port <1-65535> # Remote port, UDP only
    session-id <int32> # Local L2TPv3 session identifier
    peer-session-id <int32> # Remote L2TPv3 session identifier
    tunnel-id <int32> # Local L2TPv3 tunnel identifier
    peer-tunnel-id <int32> # Remote L2TPv3 tunnel identifier

All other usual interface commands (firewall, QoS etc.) are supported on L2TPv3 interfaces as well.

Examples

L2TPv3 over IP

# show interfaces l2tpv3 
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     encapsulation ip
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     tunnel-id 200
 }

L2TPv3 over UDP

UDP mode works well behind NAT:

  • Set local-ip to the router's own local (LAN) IP address.
  • Add a port-forwarding rule on your internet router for the UDP port the tunnel uses.

Note that L2TPv3 over UDP or IP carries the bridged frames without encryption or authentication; combine it with IPsec (see the "L2TPv3 over IPSec" example below) when confidentiality is required.
# show interfaces l2tpv3 
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     destination-port 9001
     encapsulation udp
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     source-port 9000
     tunnel-id 200
 }

To create more than one tunnel, use a distinct UDP port pair for each tunnel.

L2TPv3 over IPSec, L2 VPN (bridge)

IPsec (the algorithm values below — aes128, sha1, dh-group 5, ikev1 — are the example's choices, not recommendations; adjust them to your own policy):

set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' 

Bridge:

set interfaces bridge br0 description 'L2 VPN Bridge'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces ethernet eth0 bridge-group bridge 'br0'
set interfaces ethernet eth0 description 'L2 VPN Physical port'

L2TPv3:

set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 local-ip <local-ip>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'

Notes

  • Linux/VyOS L2TPv3 does not interoperate with Cisco implementations out of the box.
  • OpenVPN is easier to deploy for the 'Layer 2 over L2TPv3/IPsec' use case.