Difference between revisions of "L2TPv3"

From VyOS Wiki

Latest revision as of 22:25, 22 June 2019

This page has been migrated to Readthedocs. The information found here has moved to https://vyos.readthedocs.io/en/latest/interfaces/l2tpv3.html and what remains on this page may be outdated or misleading.
For a complete status of all migrations, see Project:Migration.


L2TPv3 is a pseudowire protocol. More information: the Wikipedia article on L2TPv3 (http://en.wikipedia.org/wiki/L2TPv3), a configuration example (http://cabildocl.blogspot.cl/2015/08/l2tpv3-con-vyosfork-de-vyatta.html) and RFC 3931 (https://tools.ietf.org/html/rfc3931).

L2TPv3 can transport any traffic, including Ethernet frames, whereas L2TPv2 is limited to PPP.

Configuration commands

interfaces
  l2tpv3 <l2tpeth[0-999]>
    encapsulation <ip|udp>
    local-ip <ipv4> # Local address
    remote-ip <ipv4> # Remote address
    local-port <1-65535> # Local port, UDP only
    remote-port <1-65535> # Remote port, UDP only
    session-id <int32> # Local L2TPv3 session identifier
    peer-session-id <int32> # Remote L2TPv3 session identifier
    tunnel-id <int32> # Local L2TPv3 tunnel identifier
    peer-tunnel-id <int32> # Remote L2TPv3 tunnel identifier

session-id and tunnel-id are arbitrary identifiers. You can set any value you want, as long as your session-id and tunnel-id equal the peer's peer-session-id and peer-tunnel-id, and vice versa.

All other usual interface commands (firewall, QoS etc.) are supported on L2TPv3 interfaces as well.

Examples

L2TPv3 over IP

# show interfaces l2tpv3 
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     encapsulation ip
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     tunnel-id 200
 }

The inverse configuration (local and remote addresses swapped, local and peer identifiers swapped) has to be applied on the remote side.

L2TPv3 over UDP

UDP mode works better with NAT:

  • Set local-ip to the router's own (LAN-side, private) address.
  • Add a port-forwarding rule for the tunnel's UDP port on your Internet router.

# show interfaces l2tpv3
 l2tpv3 l2tpeth10 {
     address 192.168.37.1/27
     destination-port 9001
     encapsulation udp
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     source-port 9000
     tunnel-id 200
 }

To create more than one tunnel, use distinct UDP ports.
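The matching rules above (session-id/tunnel-id mirrored as peer-session-id/peer-tunnel-id, addresses and UDP ports swapped, distinct source ports per UDP tunnel) as a small consistency check over "show interfaces l2tpv3" output. This is an added example, not VyOS code: the two configuration blocks are constructed from the UDP example above, and parse, check_pair and udp_port_clashes are hypothetical helper names.

```python
# Constructed sample (not from the page): both ends of the "L2TPv3 over UDP" example.
SIDE_A = """ l2tpv3 l2tpeth10 {
     destination-port 9001
     encapsulation udp
     local-ip 192.0.2.1
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 203.0.113.24
     session-id 100
     source-port 9000
     tunnel-id 200
 }"""
SIDE_B = """ l2tpv3 l2tpeth10 {
     destination-port 9000
     encapsulation udp
     local-ip 203.0.113.24
     peer-session-id 100
     peer-tunnel-id 200
     remote-ip 192.0.2.1
     session-id 100
     source-port 9001
     tunnel-id 200
 }"""

def parse(text):
    """Return {ifname: {key: value}} from 'show interfaces l2tpv3' output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == "l2tpv3" and tok[2] == "{":
            cur = ifaces.setdefault(tok[1], {})
        elif len(tok) == 2 and cur is not None:
            cur[tok[0]] = tok[1]
    return ifaces

PAIRS = [("local-ip", "remote-ip"), ("session-id", "peer-session-id"),
         ("tunnel-id", "peer-tunnel-id"), ("source-port", "destination-port")]

def check_pair(a, b):
    """Mismatches between a local interface and its remote counterpart: same
    encapsulation, and every key in PAIRS mirrored on the far side."""
    errs = ["encapsulation differs"] * (a.get("encapsulation") != b.get("encapsulation"))
    for k1, k2 in PAIRS:
        for k, mk in ((k1, k2), (k2, k1)):
            if k in a and a[k] != b.get(mk):
                errs.append(f"{k}={a[k]} but peer {mk}={b.get(mk)}")
    return errs

def udp_port_clashes(ifaces):  # UDP tunnels on one router need distinct local ports
    keys = [(c.get("local-ip"), c.get("source-port")) for c in ifaces.values()
            if c.get("encapsulation") == "udp"]
    return sorted({k for k in keys if keys.count(k) > 1})
```

Run check_pair in both directions (A against B and B against A) so a key present on only one side is reported too.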

L2TPv3 over IPSec, L2 VPN (bridge)

This is the LAN extension use case. The eth0 ports of the two distant VPN peers will be directly connected, as if there were a switch between them.

IPSec:

set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'

Bridge:

set interfaces bridge br0 description 'L2 VPN Bridge'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces ethernet eth0 bridge-group bridge 'br0'
set interfaces ethernet eth0 description 'L2 VPN Physical port'

L2TPv3:

set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 local-ip <local-ip>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'

Notes

  • Linux/VyOS L2TPv3 does not interoperate with Cisco out of the box.
  • As of 1.1.7 there are a few bugs in the backend that can make configuration a bit difficult.
  • Once configured it runs flawlessly but OpenVPN can do the same and is easier to deploy between VyOS routers.