.TH IP\-L2TP 8 "19 Apr 2012" "iproute2" "Linux"
.SH "NAME"
ip-l2tp - L2TPv3 static unmanaged tunnel configuration
.SH "SYNOPSIS"
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B l2tp
.RI " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.BR "ip l2tp add tunnel"
.br
.BI remote " ADDR " local " ADDR "
.br
.B tunnel_id
.IR ID
.B peer_tunnel_id
.IR ID
.br
.RB "[ " encap " { " ip " | " udp " } ]"
.br
.RB "[ " udp_sport
.IR PORT
.RB " ] [ " udp_dport
.IR PORT
.RB " ]"
.br
.ti -8
.BR "ip l2tp add session"
.RB "[ " name
.IR NAME
.RB " ]"
.br
.B tunnel_id
.IR ID
.B session_id
.IR ID
.B peer_session_id
.IR ID
.br
.RB "[ " cookie
.IR HEXSTR
.RB " ] [ " peer_cookie
.IR HEXSTR
.RB " ]"
.br
.RB "[ " l2spec_type " { " none " | " default " } ]"
.br
.RB "[ " offset
.IR OFFSET
.RB " ] [ " peer_offset
.IR OFFSET
.RB " ]"
.br
.ti -8
.BR "ip l2tp del tunnel"
.B tunnel_id
.IR ID
.br
.ti -8
.BR "ip l2tp del session"
.B tunnel_id
.IR ID
.B session_id
.IR ID
.br
.ti -8
.BR "ip l2tp show tunnel" " [ " tunnel_id
.IR ID " ]"
.br
.ti -8
.BR "ip l2tp show session" " [ " tunnel_id
.IR ID " ] ["
.B session_id
.IR ID " ]"
.br
.ti -8
.IR NAME " := "
.IR STRING
.ti -8
.IR ADDR " := { " IP_ADDRESS " |"
.BR any " }"
.ti -8
.IR PORT " := { " NUMBER " }"
.ti -8
.IR ID " := { " NUMBER " }"
.ti -8
.IR HEXSTR " := { 8 or 16 hex digits (4 / 8 bytes) }"
.SH DESCRIPTION
The
.B ip l2tp
commands are used to establish static, or so-called
.I unmanaged
L2TPv3 ethernet tunnels. For unmanaged tunnels, there is no L2TP
control protocol so no userspace daemon is required - tunnels are
manually created by issuing commands at a local system and at a remote
peer.
.PP
L2TPv3 is suitable for Layer-2 tunneling. Static tunnels are useful
to establish network links across IP networks when the tunnels are
fixed. L2TPv3 tunnels can carry data of more than one session. Each
session is identified by a session_id and its parent tunnel's
tunnel_id. A tunnel must be created before a session can be created in
the tunnel.
.PP
When creating an L2TP tunnel, the IP address of the remote peer is
specified, which can be either an IPv4 or IPv6 address. The local IP
address to be used to reach the peer must also be specified. This is
the address on which the local system will listen for and accept
received L2TP data packets from the peer.
.PP
L2TPv3 defines two packet encapsulation formats: UDP or IP. UDP
encapsulation is most common. IP encapsulation uses a dedicated IP
protocol value to carry L2TP data without the overhead of UDP. Use IP
encapsulation only when there are no NAT devices or firewalls in the
network path.
.PP
When an L2TPv3 ethernet session is created, a virtual network
interface is created for the session, which must then be configured
and brought up, just like any other network interface. When data is
passed through the interface, it is carried over the L2TP tunnel to
the peer. By configuring the system's routing tables or adding the
interface to a bridge, the L2TP interface is like a virtual wire
(pseudowire) connected to the peer.
.PP
Establishing an unmanaged L2TPv3 ethernet pseudowire involves manually
creating L2TP contexts on the local system and at the peer. Parameters
used at each site must correspond or no data will be passed. No
consistency checks are possible since there is no control protocol
used to establish unmanaged L2TP tunnels. Once the virtual network
interface of a given L2TP session is configured and enabled, data can
be transmitted, even if the peer isn't yet configured. If the peer
isn't configured, the L2TP data packets will be discarded by
the peer.
.PP
To establish an unmanaged L2TP tunnel, use
.B l2tp add tunnel
and
.B l2tp add session
commands described in this document. Then configure and enable the
tunnel's virtual network interface, as required.
.PP
Note that unmanaged tunnels carry only ethernet frames. If you need to
carry PPP traffic (L2TPv2) or your peer doesn't support unmanaged
L2TPv3 tunnels, you will need an L2TP server which implements the L2TP
control protocol. The L2TP control protocol allows dynamic L2TP
tunnels and sessions to be established and provides for detecting and
acting upon network failures.
.SS ip l2tp add tunnel - add a new tunnel
.TP
.BI tunnel_id " ID"
set the tunnel id, which is a 32-bit integer value. Uniquely
identifies the tunnel. The value used must match the peer_tunnel_id
value being used at the peer.
.TP
.BI peer_tunnel_id " ID"
set the peer tunnel id, which is a 32-bit integer value assigned to
the tunnel by the peer. The value used must match the tunnel_id value
being used at the peer.
.TP
.BI remote " ADDR"
set the IP address of the remote peer. May be specified as an IPv4
address or an IPv6 address.
.TP
.BI local " ADDR"
set the IP address of the local interface to be used for the
tunnel. This address must be the address of a local interface. May be
specified as an IPv4 address or an IPv6 address.
.TP
.BI encap " ENCAP"
set the encapsulation type of the tunnel.
.br
Valid values for encapsulation are:
.BR udp ", " ip "."
.TP
.BI udp_sport " PORT"
set the UDP source port to be used for the tunnel. Must be present
when udp encapsulation is selected. Ignored when ip encapsulation is
selected.
.TP
.BI udp_dport " PORT"
set the UDP destination port to be used for the tunnel. Must be
present when udp encapsulation is selected. Ignored when ip
encapsulation is selected.
.SS ip l2tp del tunnel - destroy a tunnel
.TP
.BI tunnel_id " ID"
set the tunnel id of the tunnel to be deleted. All sessions within the
tunnel must be deleted first.
.SS ip l2tp show tunnel - show information about tunnels
.TP
.BI tunnel_id " ID"
set the tunnel id of the tunnel to be shown. If not specified,
information about all tunnels is printed.
.SS ip l2tp add session - add a new session to a tunnel
.TP
.BI name " NAME "
sets the session network interface name. Default is l2tpethN.
.TP
.BI tunnel_id " ID"
set the tunnel id, which is a 32-bit integer value. Uniquely
identifies the tunnel into which the session will be created. The
tunnel must already exist.
.TP
.BI session_id " ID"
set the session id, which is a 32-bit integer value. Uniquely
identifies the session being created. The value used must match the
peer_session_id value being used at the peer.
.TP
.BI peer_session_id " ID"
set the peer session id, which is a 32-bit integer value assigned to
the session by the peer. The value used must match the session_id
value being used at the peer.
.TP
.BI cookie " HEXSTR"
sets an optional cookie value to be assigned to the session. This is a
4 or 8 byte value, specified as 8 or 16 hex digits,
e.g. 014d3636deadbeef. The value must match the peer_cookie value set
at the peer. The cookie value is carried in L2TP data packets and is
checked for expected value at the peer. Default is to use no cookie.
.TP
.BI peer_cookie " HEXSTR"
sets an optional peer cookie value to be assigned to the session. This
is a 4 or 8 byte value, specified as 8 or 16 hex digits,
e.g. 014d3636deadbeef. The value must match the cookie value set at
the peer. It tells the local system what cookie value to expect to
find in received L2TP packets. Default is to use no cookie.
.TP
.BI l2spec_type " L2SPECTYPE"
set the layer2specific header type of the session.
.br
Valid values are:
.BR none ", " default "."
.TP
.BI offset " OFFSET"
sets the byte offset from the L2TP header where user data starts in
transmitted L2TP data packets. This is hardly ever used. If set, the
value must match the peer_offset value used at the peer. Default is 0.
.TP
.BI peer_offset " OFFSET"
sets the byte offset from the L2TP header where user data starts in
received L2TP data packets. This is hardly ever used. If set, the
value must match the offset value used at the peer. Default is 0.
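.PP
The following shell script is an added example; it is not part of this
man page or of iproute2. Since no control protocol verifies that the
parameters entered at each site correspond (see DESCRIPTION), the
script compares the intended site-A and site-B parameter sets before
any
.B ip l2tp add
command is run: tunnel/session ids, addresses, UDP ports and cookies
must be mirrored, encap and l2spec_type must be identical, and cookie
values must be 8 or 16 hex digits. The key=value input format and the
function names are this example's own conventions. It also generates a
cookie from /dev/urandom, because the cookie check on received packets
is only worth something when the value is not guessable.

```sh
#!/bin/sh
# Added example, not iproute2 code: pre-flight consistency check for the
# two sides of an unmanaged L2TPv3 tunnel/session. Each side is described
# by one "key=value key=value ..." string using the ip l2tp option names.

# get KEY "k1=v1 k2=v2 ..." -> prints the value of KEY (empty if absent)
get() {
    key=$1; shift
    for kv in $1; do
        case $kv in
            "$key"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# hexstr_ok HEXSTR -> true if HEXSTR is 8 or 16 hex digits (4 or 8 bytes),
# the format ip l2tp accepts for cookie and peer_cookie
hexstr_ok() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    n=${#1}
    [ "$n" -eq 8 ] || [ "$n" -eq 16 ]
}

# gen_cookie BYTES -> random cookie (4 or 8 bytes) as hex digits
gen_cookie() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# mirror_ok A_KEY B_KEY SIDE_A SIDE_B -> true if A's A_KEY equals B's B_KEY
mirror_ok() {
    a=$(get "$1" "$3"); b=$(get "$2" "$4")
    [ "$a" = "$b" ]
}

# check_pair SIDE_A SIDE_B -> prints one line per problem; true when the
# two sides correspond. Keys on the left are site-A's, on the right
# site-B's: ids, addresses, ports and cookies swap roles across the
# tunnel, while encap and l2spec_type must simply be equal.
check_pair() {
    rc=0
    for pair in \
        tunnel_id:peer_tunnel_id peer_tunnel_id:tunnel_id \
        session_id:peer_session_id peer_session_id:session_id \
        local:remote remote:local \
        udp_sport:udp_dport udp_dport:udp_sport \
        cookie:peer_cookie peer_cookie:cookie \
        encap:encap l2spec_type:l2spec_type
    do
        ak=${pair%%:*}; bk=${pair#*:}
        if ! mirror_ok "$ak" "$bk" "$1" "$2"; then
            printf 'mismatch: site-A %s=%s vs site-B %s=%s\n' \
                "$ak" "$(get "$ak" "$1")" "$bk" "$(get "$bk" "$2")"
            rc=1
        fi
    done
    # cookies, when present, must be in the HEXSTR format on both sides
    for side in "$1" "$2"; do
        for k in cookie peer_cookie; do
            v=$(get "$k" "$side")
            if [ -n "$v" ] && ! hexstr_ok "$v"; then
                printf 'bad %s: %s is not 8 or 16 hex digits\n' "$k" "$v"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: the values from the EXAMPLES section of this page
# plus cookies. site-B is the mirror image of site-A.
SITE_A="tunnel_id=3000 peer_tunnel_id=4000 encap=udp l2spec_type=default \
local=1.2.3.4 remote=5.6.7.8 udp_sport=5000 udp_dport=6000 \
session_id=1000 peer_session_id=2000 \
cookie=014d3636deadbeef peer_cookie=0123456789abcdef"
SITE_B="tunnel_id=4000 peer_tunnel_id=3000 encap=udp l2spec_type=default \
local=5.6.7.8 remote=1.2.3.4 udp_sport=6000 udp_dport=5000 \
session_id=2000 peer_session_id=1000 \
cookie=0123456789abcdef peer_cookie=014d3636deadbeef"

if check_pair "$SITE_A" "$SITE_B"; then
    echo "site-A and site-B parameters correspond"
fi
echo "fresh 8-byte cookie for a new session: $(gen_cookie 8)"
```

Run the check on both parameter sets before issuing the
.B ip l2tp add
commands at either site; a non-zero exit status with the printed
mismatch lines tells you which value to correct, which is otherwise
only visible as silently discarded packets at the peer.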
.SS ip l2tp del session - destroy a session
.TP
.BI tunnel_id " ID"
set the tunnel id in which the session to be deleted is located.
.TP
.BI session_id " ID"
set the session id of the session to be deleted.
.SS ip l2tp show session - show information about sessions
.TP
.BI tunnel_id " ID"
set the tunnel id of the session(s) to be shown. If not specified,
information about sessions in all tunnels is printed.
.TP
.BI session_id " ID"
set the session id of the session to be shown. If not specified,
information about all sessions is printed.
.SH EXAMPLES
.PP
.SS Set up L2TP tunnels and sessions
.nf
site-A:# ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 \\
encap udp local 1.2.3.4 remote 5.6.7.8 \\
udp_sport 5000 udp_dport 6000
site-A:# ip l2tp add session tunnel_id 3000 session_id 1000 \\
peer_session_id 2000

site-B:# ip l2tp add tunnel tunnel_id 4000 peer_tunnel_id 3000 \\
encap udp local 5.6.7.8 remote 1.2.3.4 \\
udp_sport 6000 udp_dport 5000
site-B:# ip l2tp add session tunnel_id 4000 session_id 2000 \\
peer_session_id 1000

site-A:# ip link set l2tpeth0 up mtu 1488

site-B:# ip link set l2tpeth0 up mtu 1488
.fi
.PP
Notice that the IP addresses, UDP ports and tunnel / session ids are
matched and reversed at each site.
.SS Configure as IP interfaces
The two interfaces can be configured with IP addresses if only IP data
is to be carried. This is perhaps the simplest configuration.
.PP
.nf
site-A:# ip addr add 10.42.1.1 peer 10.42.1.2 dev l2tpeth0

site-B:# ip addr add 10.42.1.2 peer 10.42.1.1 dev l2tpeth0

site-A:# ping 10.42.1.2
.fi
.PP
Now the link should be usable. Add static routes as needed to have
data sent over the new link.
.PP
.SS Configure as bridged interfaces
To carry non-IP data, the L2TP network interface is added to a bridge
instead of being assigned its own IP address, using standard Linux
utilities. Since raw ethernet frames are then carried inside the
tunnel, the MTU of the L2TP interfaces must be set to allow space for
those headers.
.PP
.nf
site-A:# ip link set l2tpeth0 up mtu 1446
site-A:# ip link add br0 type bridge
site-A:# ip link set l2tpeth0 master br0
site-A:# ip link set eth0 master br0
site-A:# ip link set br0 up
.fi
.PP
If you are using VLANs, set up a bridge per VLAN and bridge each VLAN
over a separate L2TP session. For example, to bridge VLAN ID 5 on eth1
over an L2TP pseudowire:
.PP
.nf
site-A:# ip link set l2tpeth0 up mtu 1446
site-A:# ip link add brvlan5 type bridge
site-A:# ip link set l2tpeth0.5 master brvlan5
site-A:# ip link set eth1.5 master brvlan5
site-A:# ip link set brvlan5 up
.fi
.PP
Adding the L2TP interface to a bridge causes the bridge to forward
traffic over the L2TP pseudowire just like it forwards over any other
interface. The bridge learns MAC addresses of hosts attached to each
interface and intelligently forwards frames from one bridge port to
another. IP addresses are not assigned to the l2tpethN interfaces. If
the bridge is correctly configured at both sides of the L2TP
pseudowire, it should be possible to reach hosts in the peer's bridged
network.
.PP
When raw ethernet frames are bridged across an L2TP tunnel, large
frames may be fragmented and forwarded as individual IP fragments to
the recipient, depending on the MTU of the physical interface used by
the tunnel. When the ethernet frames carry protocols which are
reassembled by the recipient, like IP, this isn't a problem. However,
such fragmentation can cause problems for protocols like PPPoE where
the recipient expects to receive ethernet frames exactly as
transmitted. In such cases, it is important that frames leaving the
tunnel are reassembled back into a single frame before being
forwarded on. To do so, enable netfilter connection tracking
(conntrack) or manually load the Linux netfilter defrag modules at
each tunnel endpoint.
.PP
.nf
site-A:# modprobe nf_defrag_ipv4

site-B:# modprobe nf_defrag_ipv4
.fi
.PP
If L2TP is being used over IPv6, use the IPv6 defrag module.
.SH INTEROPERABILITY
.PP
Unmanaged (static) L2TPv3 tunnels are supported by some network
equipment vendors such as Cisco.
.PP
In Linux, L2TP Hello messages are not supported in unmanaged
tunnels. Hello messages are used by L2TP clients and servers to detect
link failures in order to automate tearing down and reestablishing
dynamic tunnels. If a non-Linux peer supports Hello messages in
unmanaged tunnels, it must be turned off to interoperate with Linux.
.PP
Linux defaults to use the Default Layer2SpecificHeader type as defined
in the L2TPv3 protocol specification, RFC3931. This setting must be
consistent with that configured at the peer. Some vendor
implementations (e.g. Cisco) default to use a Layer2SpecificHeader
type of None.
.SH SEE ALSO
.br
.BR ip (8)
.SH AUTHOR
James Chapman <jchapman@katalix.com>