projects / l2tpns.git / blob
? search:


38e7b81f914f0401d7761b8677b4d2135a61c48b
[l2tpns.git] / Docs / manual / manual.xml
1 <?xml version="1.0"?>
2 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://docbook.org/xml/4.4/docbookx.dtd">
4
5 <article>
6 <articleinfo>
7 <title>L2TPNS Manual</title>
8 </articleinfo>
9
10 <sect1 id="overview">
11 <title>Overview</title>
12 <para>
13 <command>l2tpns</command> is half of a complete L2TP
14 implementation. It supports only the LNS side of the
15 connection.
16 </para>
17
18 <para>
19 L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer
20 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP
21 connection. <command>l2tpns</command> implements PPP over L2TP
22 only.
23 </para>
24
25 <para>
26 There are a couple of other L2TP implementations, of which
27 <ulink url="http://sourceforge.net/projects/l2tpd">l2tpd</ulink>
28 is probably the most popular. l2tpd also will handle being
29 either end of a tunnel, and is a lot more configurable than
30 <command>l2tpns</command>. However, due to the way it works, it
31 is nowhere near as scalable.
32 </para>
33
34 <para>
35 <command>l2tpns</command> uses the TUN/TAP interface provided by
36 the Linux kernel to receive and send packets. Using some packet
37 manipulation it doesn't require a single interface per
38 connection, as l2tpd does.
39 </para>
40
41 <para>
42 This allows it to scale extremely well to very high loads and
43 very high numbers of connections.
44 </para>
45
46 <para>
47 It also has a plugin architecture which allows custom code to be
48 run during processing. An example of this is in the walled
49 garden module included.
50 </para>
51 </sect1>
52
53 <sect1 id="installation">
54 <title>Installation</title>
55 <sect2 id="installation-requirements">
56 <title>Requirements</title>
57 <itemizedlist>
58 <listitem>
59 <para>
60 Linux kernel version 2.4 or above, with the Tun/Tap
61 interface either compiled in, or as a module.
62 </para>
63 </listitem>
64
65 <listitem>
66 <para>
67 libcli 1.8.5 or greater. You can get this from
68 <ulink url="http://sourceforge.net/projects/libcli">
69 SourceForge</ulink>
70 </para>
71 </listitem>
72 </itemizedlist>
73 </sect2>
74
75 <sect2 id="installation-compile">
76 <title>Compiling</title>
77 <para>
78 You can generally get away with just running
79 <command>make</command> from the source directory. This will
80 compile the daemon, associated tools and any modules shipped
81 with the distribution.
82 </para>
83 </sect2>
84
85 <sect2 id="installation-install">
86 <title>Installing</title>
87 <para>
88 After you have successfully compiled everything, run
89 <userinput>make install</userinput> to install it. By
90 default, the binaries are installed into
91 <filename>/usr/sbin</filename>, the configuration into
92 <filename>/etc/l2tpns</filename>, and the modules into
93 <filename>/usr/lib/l2tpns</filename>.
94 </para>
95
96 <para>
97 You will definately need to edit the configuration files
98 before you start. See <xref linkend="configuration"/> for
99 more information.
100 </para>
101 </sect2>
102
103 <sect2 id="installation-run">
104 <title>Running</title>
105 <para>
106 You only need to run <filename>/usr/sbin/l2tpns</filename> as
107 root to start it. It does not normally detach to a daemon
108 process (see the <option>-d</option> option), so you should
109 perhaps run it from <command>init</command>.
110 </para>
111
112 <para>
113 By default there is no log destination set, so all log
114 messages will go to stdout.
115 </para>
116 </sect2>
117 </sect1>
118
119 <sect1 id="configuration">
120 <title>Configuration</title>
121 <para>
122 All configuration of the software is done from the files
123 installed into <filename>/etc/l2tpns</filename>.
124 </para>
125
126 <sect2 id="config-startup">
127 <title><filename>startup-config</filename></title>
128 <para>
129 This is the main configuration file for
130 <command>l2tpns</command>. The format of the file is a list
131 of commands that can be run through the command-line
132 interface. This file can also be written directly by the
133 <command>l2tpns</command> process if a user runs the
134 <userinput>write memory</userinput> command, so any comments
135 will be lost. However if your policy is not to write the
136 config by the program, then feel free to comment the file with
137 a <literal>#</literal> or <literal>!</literal> at the
138 beginning of the line.
139 </para>
140
141 <para>
142 A list of the possible configuration directives follows. Each
143 of these should be set by a line like:
144 <synopsis>
145 set configstring "value"
146 set ipaddress 192.168.1.1
147 set boolean true
148 </synopsis>
149 </para>
150
151 <variablelist>
152 <varlistentry>
153 <term><literal>debug</literal> (int)</term>
154 <listitem>
155 <para>
156 Sets the level of messages that will be written to the
157 log file. The value should be between 0 and 5, with 0
158 being no debugging, and 5 being the highest. A rough
159 description of the levels is:
160
161 <variablelist>
162 <varlistentry>
163 <term><constant>0</constant>: Critical Errors</term>
164 <listitem>
165 <para>Things are probably broken</para>
166 </listitem>
167 </varlistentry>
168
169 <varlistentry>
170 <term><constant>1</constant>: Errors</term>
171 <listitem>
172 <para>
173 Things might have gone wrong, but probably will
174 recover
175 </para>
176 </listitem>
177 </varlistentry>
178
179 <varlistentry>
180 <term><constant>2</constant>: Warnings</term>
181 <listitem>
182 <para>
183 Just in case you care what is not quite perfect
184 </para>
185 </listitem>
186 </varlistentry>
187
188 <varlistentry>
189 <term><constant>3</constant>: Information</term>
190 <listitem>
191 <para>Parameters of control packets</para>
192 </listitem>
193 </varlistentry>
194
195 <varlistentry>
196 <term><constant>4</constant>: Calls</term>
197 <listitem>
198 <para>For tracing the execution of the code</para>
199 </listitem>
200 </varlistentry>
201
202 <varlistentry>
203 <term><constant>5</constant>: Packets</term>
204 <listitem>
205 <para>
206 Everything, including a hex dump of all packets
207 processed... probably twice
208 </para>
209 </listitem>
210 </varlistentry>
211 </variablelist>
212 </para>
213
214 <para>
215 Note that the higher you set the debugging level, the
216 slower the program will run. Also, at level 5 a
217 <emphasis>lot</emphasis> of information will be logged.
218 This should only ever be used for working out why it
219 doesn't work at all.
220 </para>
221 </listitem>
222 </varlistentry>
223
224 <varlistentry>
225 <term><literal>log_file</literal> (string)</term>
226 <listitem>
227 <para>
228 This will be where all logging and debugging information
229 is written to. This may be either a filename, such as
230 <filename>/var/log/l2tpns</filename>, or the special
231 magic string
232 <literal>syslog:</literal><replaceable>facility</replaceable>,
233 where <replaceable>facility</replaceable> is any one of
234 the syslog logging facilities, such as
235 <literal>local5</literal>.
236 </para>
237 </listitem>
238 </varlistentry>
239
240 <varlistentry>
241 <term><literal>pid_file</literal> (string)</term>
242 <listitem>
243 <para>
244 If set, the process id will be written to the specified
245 file. The value must be an absolute path.
246 </para>
247 </listitem>
248 </varlistentry>
249
250 <varlistentry>
251 <term><literal>random_device</literal> (string)</term>
252 <listitem>
253 <para>
254 Path to random data source (default
255 <filename>/dev/urandom</filename>). Use "" to use the
256 rand() library function.
257 </para>
258 </listitem>
259 </varlistentry>
260
261 <varlistentry>
262 <term><literal>l2tp_secret</literal> (string)</term>
263 <listitem>
264 <para>
265 The secret used by <command>l2tpns</command> for
266 authenticating tunnel request. Must be the same as the
267 LAC, or authentication will fail. Only actually be used
268 if the LAC requests authentication.
269 </para>
270 </listitem>
271 </varlistentry>
272
273 <varlistentry>
274 <term><literal>l2tp_mtu</literal> (int)</term>
275 <listitem>
276 <para>
277 MTU of interface for L2TP traffic (default:
278 <literal>1500</literal>). Used to set link MRU and
279 adjust TCP MSS.
280 </para>
281 </listitem>
282 </varlistentry>
283
284 <varlistentry>
285 <term><literal>ppp_restart_time</literal> (int)</term>
286 <term><literal>ppp_max_configure</literal> (int)</term>
287 <term><literal>ppp_max_failure</literal> (int)</term>
288 <listitem>
289 <para>
290 PPP counter and timer values, as described in &sect;4.1
291 of <ulink url="ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">
292 RFC1661</ulink>.
293 </para>
294 </listitem>
295 </varlistentry>
296
297 <varlistentry>
298 <term><literal>primary_dns</literal> (ip address)</term>
299 <term><literal>econdary_dns</literal> (ip address)</term>
300 <listitem>
301 <para>
302 Whenever a PPP connection is established, DNS servers
303 will be sent to the user, both a primary and a
304 secondary. If either is set to 0.0.0.0, then that one
305 will not be sent.
306 </para>
307 </listitem>
308 </varlistentry>
309
310 <varlistentry>
311 <term><literal>primary_radius</literal> (ip address)</term>
312 <term><literal>secondary_radius</literal> (ip address)</term>
313 <listitem>
314 <para>
315 Sets the RADIUS servers used for both authentication and
316 accounting. If the primary server does not respond,
317 then the secondary RADIUS server will be tried.
318
319 <note>
320 <para>
321 In addition to the source IP address and identifier,
322 the RADIUS server <emphasis>must</emphasis> include
323 the source port when detecting duplicates to supress
324 (in order to cope with a large number of sessions
325 comming on-line simultaneously
326 <command>l2tpns</command> uses a set of udp sockets,
327 each with a seperate identifier).
328 </para>
329 </note>
330 </para>
331 </listitem>
332 </varlistentry>
333
334 <varlistentry>
335 <term><literal>primary_radius_port</literal> (short)</term>
336 <term><literal>secondary_radius_port</literal> (short)</term>
337 <listitem>
338 <para>
339 Sets the authentication ports for the primary and
340 secondary RADIUS servers. The accounting port is one
341 more than the authentication port. If no RADIUS ports
342 are given, the authentication port defaults to 1645, and
343 the accounting port to 1646.
344 </para>
345 </listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term><literal>radius_accounting</literal> (boolean)</term>
350 <listitem>
351 <para>
352 If set to true, then RADIUS accounting packets will be
353 sent. This means that a Start record will be sent when
354 the session is successfully authenticated, and a Stop
355 record will be sent when the session is closed.
356 </para>
357 </listitem>
358 </varlistentry>
359
360 <varlistentry>
361 <term><literal>radius_interim</literal> (int)</term>
362 <listitem>
363 <para>
364 If <literal>radius_accounting</literal> is on, defines
365 the interval between sending of RADIUS interim
366 accounting records (in seconds).
367 </para>
368 </listitem>
369 </varlistentry>
370
371 <varlistentry>
372 <term><literal>radius_secret</literal> (string)</term>
373 <listitem>
374 <para>
375 This secret will be used in all RADIUS queries. If this
376 is not set then RADIUS queries will fail.
377 </para>
378 </listitem>
379 </varlistentry>
380
381 <varlistentry>
382 <term><literal>radius_authtypes</literal> (string)</term>
383 <listitem>
384 <para>
385 A comma separated list of supported RADIUS
386 authentication methods (<literal>pap</literal> or
387 <literal>chap</literal>), in order of preference
388 (default <literal>pap</literal>).
389 </para>
390 </listitem>
391 </varlistentry>
392
393 <varlistentry>
394 <term><literal>radius_bind_min</literal> (short)</term>
395 <term><literal>radius_bind_max</literal> (short)</term>
396 <listitem>
397 <para>
398 Define a port range in which to bind sockets used to
399 send and receive RADIUS packets. Must be at least
400 RADIUS_FDS (64) wide. Simplifies firewalling of RADIUS
401 ports (default: dynamically assigned).
402 </para>
403 </listitem>
404 </varlistentry>
405
406 <varlistentry>
407 <term><literal>radius_dae_port</literal> (short)</term>
408 <listitem>
409 <para>
410 Port for DAE RADIUS (Packet of Death/Disconnect, Change
411 of Authorization) requests (default:
412 <literal>3799</literal>).
413 </para>
414 </listitem>
415 </varlistentry>
416
417 <varlistentry>
418 <term><literal>allow_duplicate_users</literal> (boolean)</term>
419 <listitem>
420 <para>
421 Allow multiple logins with the same username. If false
422 (the default), any prior session with the same username
423 will be dropped when a new session is established.
424 </para>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry>
429 <term><literal>guest_account</literal> (string)</term>
430 <listitem>
431 <para>
432 Allow multiple logins matching this specific username.
433 </para>
434 </listitem>
435 </varlistentry>
436
437 <varlistentry>
438 <term><literal>bind_address</literal> (ip address)</term>
439 <listitem>
440 <para>
441 When the tun interface is created, it is assigned the
442 address specified here. If no address is given, 1.1.1.1
443 is used. Packets containing user traffic should be
444 routed via this address if given, otherwise the primary
445 address of the machine.
446 </para>
447 </listitem>
448 </varlistentry>
449
450 <varlistentry>
451 <term><literal>peer_address</literal> (ip address)</term>
452 <listitem>
453 <para>Address to send to clients as the default gateway.</para>
454 </listitem>
455 </varlistentry>
456
457 <varlistentry>
458 <term><literal>send_garp</literal> (boolean)</term>
459 <listitem>
460 <para>
461 Determines whether or not to send a gratuitous ARP for
462 the bind_address when the server is ready to handle
463 traffic (default: <literal>true</literal>). This value
464 is ignored if BGP is configured.
465 </para>
466 </listitem>
467 </varlistentry>
468
469 <varlistentry>
470 <term><literal>throttle_speed</literal> (int)</term>
471 <listitem>
472 <para>
473 Sets the default speed (in kbits/s) which sessions will
474 be limited to. If this is set to 0, then throttling
475 will not be used at all. Note: You can set this by the
476 CLI, but changes will not affect currently connected
477 users.
478 </para>
479 </listitem>
480 </varlistentry>
481
482 <varlistentry>
483 <term><literal>throttle_buckets</literal> (int)</term>
484 <listitem>
485 <para>
486 Number of token buckets to allocate for throttling.
487 Each throttled session requires two buckets (in and
488 out).
489 </para>
490 </listitem>
491 </varlistentry>
492
493 <varlistentry>
494 <term><literal>accounting_dir</literal> (string)</term>
495 <listitem>
496 <para>
497 If set to a directory, then every 5 minutes the current
498 usage for every connected use will be dumped to a file
499 in this directory. Each file dumped begins with a
500 header, where each line is prefixed by <code>#</code>.
501 Following the header is a single line for every
502 connected user, fields separated by a space.
503 </para>
504
505 <para>
506 The fields are username, ip, qos, uptxoctets,
507 downrxoctets. The qos field is 1 if a standard user,
508 and 2 if the user is throttled.
509 </para>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry>
514 <term><literal>dump_speed</literal> (boolean)</term>
515 <listitem>
516 <para>
517 If set to true, then the current bandwidth utilization
518 will be logged every second. Even if this is disabled,
519 you can see this information by running the
520 <userinput>uptime</userinput> command on the CLI.
521 </para>
522 </listitem>
523 </varlistentry>
524
525 <varlistentry>
526 <term><literal>multi_read_count</literal> (int)</term>
527 <listitem>
528 <para>
529 Number of packets to read off each of the UDP and TUN
530 fds when returned as readable by select (default: 10).
531 Avoids incurring the unnecessary system call overhead of
532 select on busy servers.
533 </para>
534 </listitem>
535 </varlistentry>
536
537 <varlistentry>
538 <term><literal>scheduler_fifo</literal> (boolean)</term>
539 <listitem>
540 <para>
541 Sets the scheduling policy for the
542 <command>l2tpns</command> process to
543 <constant>SCHED_FIFO</constant>. This causes the kernel
544 to immediately preempt any currently running
545 <constant>SCHED_OTHER</constant> (normal) process in
546 favour of <command>l2tpns</command> when it becomes
547 runnable. Ignored on uniprocessor systems.
548 </para>
549 </listitem>
550 </varlistentry>
551
552 <varlistentry>
553 <term><literal>lock_pages</literal> (boolean)</term>
554 <listitem>
555 <para>
556 Keep all pages mapped by the <command>l2tpns</command>
557 process in memory.
558 </para>
559 </listitem>
560 </varlistentry>
561
562 <varlistentry>
563 <term><literal>icmp_rate</literal> (int)</term>
564 <listitem>
565 <para>
566 Maximum number of host unreachable ICMP packets to send
567 per second.
568 </para>
569 </listitem>
570 </varlistentry>
571
572 <varlistentry>
573 <term><literal>packet_limit</literal> (int)</term>
574 <listitem>
575 <para>
576 Maximum number of packets of downstream traffic to be
577 handled each tenth of a second per session. If zero, no
578 limit is applied (default: 0). Intended as a DoS
579 prevention mechanism and not a general throttling
580 control (packets are dropped, not queued).
581 </para>
582 </listitem>
583 </varlistentry>
584
585 <varlistentry>
586 <term><literal>cluster_address</literal> (ip address)</term>
587 <listitem>
588 <para>
589 Multicast cluster address (default: 239.192.13.13).
590 See <xref linkend="clustering"/> for more information.
591 </para>
592 </listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><literal>cluster_interface</literal> (string)</term>
597 <listitem>
598 <para>Interface for cluster packets (default: eth0)</para>
599 </listitem>
600 </varlistentry>
601
602 <varlistentry>
603 <term><literal>cluster_mcast_ttl</literal> (int)</term>
604 <listitem>
605 <para>TTL for multicast packets (default: 1).</para>
606 </listitem>
607 </varlistentry>
608
609 <varlistentry>
610 <term><literal>cluster_hb_interval</literal> (int)</term>
611 <listitem>
612 <para>
613 Interval in tenths of a second between cluster
614 heartbeat/pings.
615 </para>
616 </listitem>
617 </varlistentry>
618
619 <varlistentry>
620 <term><literal>cluster_hb_timeout</literal> (int)</term>
621 <listitem>
622 <para>
623 Cluster heartbeat timeout in tenths of a second. A new
624 master will be elected when this interval has been
625 passed without seeing a heartbeat from the master.
626 </para>
627 </listitem>
628 </varlistentry>
629
630 <varlistentry>
631 <term><literal>cluster_master_min_adv</literal> (int)</term>
632 <listitem>
633 <para>
634 Determines the minumum number of up to date slaves
635 required before the master will drop routes (default: 1).
636 </para>
637 </listitem>
638 </varlistentry>
639
640 <varlistentry>
641 <term><literal>ipv6_prefix</literal> (ipv6 address)</term>
642 <listitem>
643 <para>
644 Enable negotiation of IPv6. This forms the the first 64
645 bits of the client allocated address. The remaining 64
646 come from the allocated IPv4 address and 4 bytes of 0s.
647 </para>
648 </listitem>
649 </varlistentry>
650 </variablelist>
651
652 <sect3 id="config-startup-bgp">
653 <title>BGP</title>
654 <para>
655 BGP routing configuration is entered by the command:
656 <synopsis>router bgp <replaceable>as</replaceable></synopsis>
657 where <replaceable>as</replaceable> specifies the local AS
658 number.
659 </para>
660
661 <para>
662 Subsequent lines prefixed with
663 <synopsis>neighbour <replaceable>peer</replaceable></synopsis>
664 define the attributes of BGP neighhbours. Valid commands
665 are:
666 <synopsis>
667 neighbour <replaceable>peer</replaceable> remote-as <replaceable>as</replaceable>
668 neighbour <replaceable>peer</replaceable> timers <replaceable>keepalive hold</replaceable>
669 </synopsis>
670 </para>
671
672 <para>
673 Where <replaceable>peer</replaceable> specifies the BGP
674 neighbour as either a hostname or IP address,
675 <replaceable>as</replaceable> is the remote AS number and
676 <replaceable>keepalive</replaceable>,
677 <replaceable>hold</replaceable> are the timer values in
678 seconds.
679 </para>
680 </sect3>
681
682 <sect3 id="config-startup-acl">
683 <title>Access Lists</title>
684 <para>
685 Named access-lists are configured using one of the commands:
686 <synopsis>
687 ip access-list standard <replaceable>name</replaceable>
688 ip access-list extended <replaceable>name</replaceable>
689 </synopsis>
690 </para>
691
692 <para>
693 Subsequent lines prefixed with <literal>permit</literal> or
694 <literal>deny</literal> define the body of the access-list.
695 Standard access-list syntax:
696 </para>
697
698 <para role="hanging-indent">
699 {<literal>permit</literal>|<literal>deny</literal>}
700 {<replaceable>host</replaceable>|<replaceable>source
701 source-wildcard</replaceable>|<literal>any</literal>}
702 [{<replaceable>host</replaceable>|<replaceable>destination
703 destination-wildcard</replaceable>|<literal>any</literal>}]
704 </para>
705
706 <para>Extended access-lists:</para>
707 <para role="hanging-indent">
708 {<literal>permit</literal>|<literal>deny</literal>}
709 <literal>ip</literal>
710 {<replaceable>host</replaceable>|<replaceable>source
711 source-wildcard</replaceable>|<literal>any</literal>}
712 {<replaceable>host</replaceable>|<replaceable>destination
713 destination-wildcard</replaceable>|<literal>any</literal>}
714 [<literal>fragments</literal>]
715 </para>
716
717 <para role="hanging-indent">
718 {<literal>permit</literal>|<literal>deny</literal>}
719 <literal>udp</literal>
720 {<replaceable>host</replaceable>|<replaceable>source
721 source-wildcard</replaceable>|<literal>any</literal>}
722 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
723 <replaceable>port</replaceable>|<literal>range</literal>
724 <replaceable>from</replaceable>
725 <replaceable>to</replaceable>]
726 {<replaceable>host</replaceable>|<replaceable>destination
727 destination-wildcard</replaceable>|<literal>any</literal>}
728 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
729 <replaceable>port</replaceable>|<literal>range</literal>
730 <replaceable>from</replaceable>
731 <replaceable>to</replaceable>]
732 [<literal>fragments</literal>]
733 </para>
734
735 <para role="hanging-indent">
736 {<literal>permit</literal>|<literal>deny</literal>}
737 <literal>tcp</literal>
738 {<replaceable>host</replaceable>|<replaceable>source
739 source-wildcard</replaceable>|<literal>any</literal>}
740 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
741 <replaceable>port</replaceable>|<literal>range</literal>
742 <replaceable>from</replaceable>
743 <replaceable>to</replaceable>]
744 {<replaceable>host</replaceable>|<replaceable>destination
745 destination-wildcard</replaceable>|<literal>any</literal>}
746 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
747 <replaceable>port</replaceable>|<literal>range</literal>
748 <replaceable>from</replaceable>
749 <replaceable>to</replaceable>]
750 [{<literal>established</literal>|{<literal>match-any</literal>|<literal>match-all</literal>}
751 {<literal>+</literal>|<literal>-</literal>}{<literal>fin</literal>|<literal>syn</literal>|<literal>rst</literal>|<literal>psh</literal>|<literal>ack</literal>|<literal>urg</literal>}
752 ...|<literal>fragments</literal>]
753 </para>
754 </sect3>
755 </sect2>
756
757 <sect2 id="config-users">
758 <title><filename>users</filename></title>
759 <para>
760 Usernames and passwords for the command-line interface are
761 stored in this file. The format is
762 <synopsis>
763 <replaceable>username</replaceable>:<replaceable>password</replaceable>
764 </synopsis>
765 where <replaceable>password</replaceable> may either by plain
766 text, an MD5 digest (prefixed by
767 <literal>$1</literal><replaceable>salt</replaceable><literal>$</literal>)
768 or a DES password, distinguished from plain text by the prefix
769 <literal>{crypt}</literal>.
770 </para>
771
772 <para>
773 The username <literal>enable</literal> has a special meaning
774 and is used to set the enable password.
775 </para>
776
777 <important>
778 <para>
779 If this file doesn't exist, then anyone who can get to port
780 23 will be allowed access without a username or password.
781 </para>
782 </important>
783 </sect2>
784
785 <sect2 id="config-ip-pool">
786 <title><filename>ip_pool</filename></title>
787 <para>
788 This file is used to configure the IP address pool which user
789 addresses are assigned from. This file should contain either
790 an IP address or a CIDR network per line. e.g.:
791
792 <programlisting>
793 192.168.1.1
794 192.168.1.2
795 192.168.1.3
796 192.168.4.0/24
797 172.16.0.0/16
798 10.0.0.0/8
799 </programlisting>
800 </para>
801
802 <para>
803 Keep in mind that <command>l2tpns</command> can only handle
804 65535 connections per process, so don't put more than 65535 IP
805 addresses in the configuration file. They will be
806 wasted.
807 </para>
808 </sect2>
809
810 <sect2 id="config-build-garden" xreflabel="build-garden">
811 <title><filename>build-garden</filename></title>
812 <para>
813 The garden plugin on startup creates a NAT table called
814 "garden" then sources the <filename>build-garden</filename>
815 script to populate that table. All packets from gardened
816 users will be sent through this table. Example:
817
818 <programlisting>
819 iptables -t nat -A garden -p tcp -m tcp --dport 25 -j DNAT --to 192.168.1.1
820 iptables -t nat -A garden -p udp -m udp --dport 53 -j DNAT --to 192.168.1.1
821 iptables -t nat -A garden -p tcp -m tcp --dport 53 -j DNAT --to 192.168.1.1
822 iptables -t nat -A garden -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.1
823 iptables -t nat -A garden -p tcp -m tcp --dport 110 -j DNAT --to 192.168.1.1
824 iptables -t nat -A garden -p tcp -m tcp --dport 443 -j DNAT --to 192.168.1.1
825 iptables -t nat -A garden -p icmp -m icmp --icmp-type echo-request -j DNAT --to 192.168.1.1
826 iptables -t nat -A garden -p icmp -j ACCEPT
827 iptables -t nat -A garden -j DROP
828 </programlisting>
829 </para>
830 </sect2>
831 </sect1>
832
833 <sect1 id="operation">
834 <title>Operation</title>
835 <para>
836 A running l2tpns process can be controlled in a number of ways.
837 The primary method of control is by the Command-Line Interface
838 (CLI).
839 </para>
840
841 <para>
842 You can also remotely send commands to modules via the
843 <command>nsctl</command> client provided.
844 </para>
845
846 <para>
847 There are also a number of signals that l2tpns understands and
848 takes action when it receives them.
849 </para>
850
851 <sect2 id="operation-cli">
852 <title>Command-Line Interface</title>
853 <para>
854 You can access the command line interface by telneting to port
855 23. There is no IP address restriction, so it's a good idea
856 to firewall this port off from anyone who doesn't need access
857 to it. See <xref linkend="config-users"/> for information on
858 restricting access based on a username and password.
859 </para>
860
861 <para>
862 The CLI gives you real-time control over almost everything in
863 the process. The interface is designed to look like a Cisco
864 device, and supports things like command history, line editing
865 and context sensitive help. This is provided by linking with
866 the <ulink url="http://sourceforge.net/projects/libcli">
867 libcli</ulink> library. Some general documentation of the
868 interface is <ulink
869 url="http://sourceforge.net/docman/display_doc.php?docid=20501&amp;group_id=79019">
870 here</ulink>.
871 </para>
872
873 <para>
874 After you have connected to the telnet port (and perhaps
875 logged in), you will be presented with a
876 <prompt><replaceable>hostname</replaceable>&gt;</prompt>
877 prompt.
878 </para>
879
880 <para>
881 Enter <userinput>help</userinput> to get a list of possible
882 commands, or press <userinput>?</userinput> for
883 context-specific help.
884 </para>
885
886 <para>
887 A brief overview of the more important commands
888 follows:
889
890 <variablelist>
891 <varlistentry id="operation-cli-show-session"
892 xreflabel="show session">
893 <term>
894 <userinput>show session [<replaceable>ID</replaceable>]
895 </userinput>
896 </term>
897
898 <listitem>
899 <para>
900 Detailed information for a specific session is
901 presented if you specify a session
902 <replaceable>ID</replaceable> argument.
903 </para>
904
905 <para>
906 If no <replaceable>ID</replaceable> is given, a
907 summary of all connected sessions is produced. Note
908 that this summary list can be around 185 columns wide,
909 so you should probably use a wide
910 terminal.
911 </para>
912
913 <para>
914 The columns listed in the summary are:
915
916 <informaltable>
917 <tgroup cols="3">
918 <colspec colname="col"/>
919 <colspec colname="desc"/>
920 <colspec colname="extra"/>
921 <tbody>
922 <row>
923 <entry><literal>SID</literal></entry>
924 <entry namest="desc" nameend="extra">Session ID</entry>
925 </row>
926 <row>
927 <entry><literal>TID</literal></entry>
928 <entry>Tunnel ID</entry>
929 <entry>
930 See also the <xref
931 linkend="operation-cli-show-tunnel"/> CLI
932 command.
933 </entry>
934 </row>
935 <row>
936 <entry><literal>Username</literal></entry>
937 <entry>
938 The username given in the PPP authentication.
939 </entry>
940 <entry>
941 If this is *, then LCP authentication has
942 not completed.
943 </entry>
944 </row>
945 <row>
946 <entry><literal>IP</literal></entry>
947 <entry>The IP address given to the session.</entry>
948 <entry>
949 If this is 0.0.0.0, IPCP negotiation has not
950 completed
951 </entry>
952 </row>
953 <row>
954 <entry><literal>I</literal></entry>
955 <entry>Intercept</entry>
956 <entry>
957 Y or N: indicates whether the session is
958 being snooped. See also the
959 <xref linkend="operation-cli-snoop"/>
960 CLI command.
961 </entry>
962 </row>
963 <row>
964 <entry><literal>T</literal></entry>
965 <entry>Throttled</entry>
966 <entry>
967 Y or N: indicates whether the session is
968 currently throttled. See also the
969 <xref linkend="operation-cli-throttle"/>
970 CLI command.
971 </entry>
972 </row>
973 <row>
974 <entry><literal>G</literal></entry>
975 <entry>Walled Garden</entry>
976 <entry>
977 Y or N: indicates whether the user is
978 trapped in the walled garden. This field is
979 present even if the garden module is not
980 loaded.
981 </entry>
982 </row>
983 <row>
984 <entry><literal>6</literal></entry>
985 <entry>IPv6</entry>
986 <entry>
987 Y or N: indicates whether the session has
988 IPv6 active (IPV6CP open)
989 </entry>
990 </row>
991 <row>
992 <entry><literal>opened</literal></entry>
993 <entry namest="desc" nameend="extra">
994 The number of seconds since the
995 session started
996 </entry>
997 </row>
998 <row>
999 <entry><literal>downloaded</literal></entry>
1000 <entry namest="desc" nameend="extra">
1001 Number of bytes downloaded by the user
1002 </entry>
1003 </row>
1004 <row>
1005 <entry><literal>uploaded</literal></entry>
1006 <entry namest="desc" nameend="extra">
1007 Number of bytes uploaded by the user
1008 </entry>
1009 </row>
1010 <row>
1011 <entry><literal>idle</literal></entry>
1012 <entry namest="desc" nameend="extra">
1013 The number of seconds since traffic was
1014 detected on the session
1015 </entry>
1016 </row>
1017 <row>
1018 <entry><literal>LAC</literal></entry>
1019 <entry namest="desc" nameend="extra">
1020 The IP address of the LAC the session is
1021 connected to.
1022 </entry>
1023 </row>
1024 <row>
1025 <entry><literal>CLI</literal></entry>
1026 <entry namest="desc" nameend="extra">
1027 The Calling-Line-Identification field
1028 provided during the session setup. This
1029 field is generated by the LAC.
1030 </entry>
1031 </row>
1032 </tbody>
1033 </tgroup>
1034 </informaltable>
1035 </para>
1036 </listitem>
1037 </varlistentry>
1038
1039 <varlistentry id="operation-cli-show-user" xreflabel="show user">
1040 <term>
1041 <userinput>show users</userinput>
1042 </term>
1043 <term>
1044 <userinput>show user <replaceable>username</replaceable>
1045 </userinput>
1046 </term>
1047
1048 <listitem>
1049 <para>
1050 With no arguments, display a list of currently
1051 connected users. If an argument is given, the session
1052 details for the given
1053 <replaceable>username</replaceable> are displayed.
1054 </para>
1055 </listitem>
1056 </varlistentry>
1057
1058 <varlistentry id="operation-cli-show-tunnel" xreflabel="show tunnel">
1059 <term>
1060 <userinput>show tunnel [<replaceable>ID</replaceable>]</userinput>
1061 </term>
1062
1063 <listitem>
1064 <para>
1065 Produce a summary list of all open tunnels, or detail
1066 on a specific tunnel <replaceable>ID</replaceable>.
1067 </para>
1068
1069 <para>
1070 The columns listed in the summary are:
1071
1072 <informaltable>
1073 <tgroup cols="2">
1074 <tbody>
1075 <row>
1076 <entry>TID</entry>
1077 <entry>Tunnel ID</entry>
1078 </row>
1079 <row>
1080 <entry>Hostname</entry>
1081 <entry>
1082 The hostname for the tunnel as provided by
1083 the LAC. This has no relation to DNS, it is
1084 just a text field.
1085 </entry>
1086 </row>
1087 <row>
1088 <entry>IP</entry>
1089 <entry>The IP address of the LAC</entry>
1090 </row>
1091 <row>
1092 <entry>State</entry>
1093 <entry>
1094 Tunnel state: Free, Open, Dieing, Opening
1095 </entry>
1096 </row>
1097 <row>
1098 <entry>Sessions</entry>
1099 <entry>The number of open sessions on the tunnel</entry>
1100 </row>
1101 </tbody>
1102 </tgroup>
1103 </informaltable>
1104 </para>
1105 </listitem>
1106 </varlistentry>
1107
1108 <varlistentry id="operation-cli-show-pool" xreflabel="show pool">
1109 <term><userinput>show pool</userinput></term>
1110 <listitem>
1111 <para>
1112 Displays the current IP address pool allocation. This
1113 will only display addresses that are in use, or are
1114 reserved for re-allocation to a disconnected user.
1115 </para>
1116
1117 <para>
1118 If an address is not currently in use, but has been
1119 used, then in the User column the username will be
1120 shown in square brackets, followed by the time since
1121 the address was used:
1122
1123 <screen>
1124 IP Address Used Session User
1125 192.168.100.6 N [joe.user] 1548s
1126 </screen>
1127 </para>
1128 </listitem>
1129 </varlistentry>
1130
1131 <varlistentry id="operation-cli-show-radius" xreflabel="show radius">
1132 <term><userinput>show radius</userinput></term>
1133 <listitem>
1134 <para>
1135 Show a summary of the in-use RADIUS sessions. This
1136 list should not be very long, as RADIUS sessions
1137 should be cleaned up as soon as they are used. The
1138 columns listed are:
1139
1140 <informaltable>
1141 <tgroup cols="2">
1142 <tbody>
1143 <row>
1144 <entry>Radius</entry>
1145 <entry>
1146 The ID of the RADIUS request. This is sent
1147 in the packet to the RADIUS server for
1148 identification
1149 </entry>
1150 </row>
1151 <row>
1152 <entry>State</entry>
1153 <entry>
1154 The state of the request: WAIT, CHAP, AUTH,
1155 IPCP, START, STOP or NULL
1156 </entry>
1157 </row>
1158 <row>
1159 <entry>Session</entry>
1160 <entry>
1161 The session ID that this RADIUS request is
1162 associated with
1163 </entry>
1164 </row>
1165 <row>
1166 <entry>Retry</entry>
1167 <entry>
1168 If a response does not appear to the
1169 request, it will retry at this time. This
1170 is a Unix timestamp
1171 </entry>
1172 </row>
1173 <row>
1174 <entry>Try</entry>
1175 <entry>
1176 Retry count. The RADIUS request is
1177 discarded after 3 retries
1178 </entry>
1179 </row>
1180 </tbody>
1181 </tgroup>
1182 </informaltable>
1183 </para>
1184 </listitem>
1185 </varlistentry>
1186
1187 <varlistentry id="operation-cli-show-run" xreflabel="show run">
1188 <term><userinput>show running-config</userinput></term>
1189 <listitem>
1190 <para>
1191 This will list the current running configuration.
1192 This is in a format that can either be pasted into the
1193 configuration file, or run directly at the command
1194 line.
1195 </para>
1196 </listitem>
1197 </varlistentry>
1198
1199 <varlistentry id="operation-cli-show-counters"
1200 xreflabel="show counters">
1201 <term><userinput>show counters</userinput></term>
1202 <listitem>
1203 <para>
1204 Internally, counters are kept of key values, such as
1205 bytes and packets transferred, as well as function
1206 call counters. This function displays all these
1207 counters, and is probably only useful for debugging.
1208 </para>
1209
1210 <para>
1211 You can reset these counters by running
1212 <userinput>clear counters</userinput>.
1213 </para>
1214 </listitem>
1215 </varlistentry>
1216
1217 <varlistentry id="operation-cli-show-cluster"
1218 xreflabel="show cluster">
1219 <term><userinput>show cluster</userinput></term>
1220 <listitem>
1221 <para>
1222 Show cluster status. Shows the cluster state for this
1223 server (Master/Slave), information about known peers
1224 and (for slaves) the master IP address, last packet
1225 seen and up-to-date status. See
1226 <xref linkend="clustering"/> for more information.
1227 </para>
1228 </listitem>
1229 </varlistentry>
1230
1231 <varlistentry id="operation-cli-write-mem" xreflabel="write memory">
1232 <term><userinput>write memory</userinput></term>
1233 <listitem>
1234 <para>
1235 This will write the current running configuration to
1236 the config file <filename>startup-config</filename>,
1237 which will be run on a restart.
1238 </para>
1239 </listitem>
1240 </varlistentry>
1241
1242 <varlistentry id="operation-cli-snoop" xreflabel="snoop">
1243 <term>
1244 <userinput>snoop <replaceable>user</replaceable>
1245 <replaceable>IP</replaceable>
1246 <replaceable>port</replaceable></userinput>
1247 </term>
1248 <listitem>
1249 <para>
1250 You must specify a username, IP address and port. All
1251 packets for the current session for that username will
1252 be forwarded to the given host/port. Specify
1253 <userinput>no snoop
1254 <replaceable>username</replaceable></userinput> to
1255 disable interception for the session.
1256 </para>
1257
1258 <para>
1259 If you want interception to be permanent, you will
1260 have to modify the RADIUS response for the user. See
1261 <xref linkend="interception"/>.
1262 </para>
1263 </listitem>
1264 </varlistentry>
1265
1266 <varlistentry id="operation-cli-throttle" xreflabel="throttle">
1267 <term>
1268 <userinput>throttle <replaceable>user</replaceable>
1269 [in|out] <replaceable>rate</replaceable></userinput>
1270 </term>
1271 <listitem>
1272 <para>
1273 You must specify a username, which will be throttled
1274 for the current session to
1275 <replaceable>rate</replaceable> Kbps. Prefix
1276 <replaceable>rate</replaceable> with
1277 <userinput>in</userinput> or
1278 <userinput>out</userinput> to set different upstream
1279 and downstream rates.
1280 </para>
1281
1282 <para>
1283 Specify <userinput>no throttle
1284 <replaceable>username</replaceable></userinput> to
1285 disable throttling for the current session.
1286 </para>
1287
1288 <para>
1289 If you want throttling to be permanent, you will have
1290 to modify the RADIUS response for the user. See <xref
1291 linkend="throttling"/>.
1292 </para>
1293 </listitem>
1294 </varlistentry>
1295
1296 <varlistentry id="operation-cli-drop-session"
1297 xreflabel="drop session">
1298 <term>
1299 <userinput>drop <replaceable>session</replaceable></userinput>
1300 </term>
1301 <listitem>
1302 <para>
1303 This will cleanly disconnect the session specified by
1304 <replaceable>session</replaceable> ID.
1305 </para>
1306 </listitem>
1307 </varlistentry>
1308
1309 <varlistentry id="operation-cli-drop-tunnel" xreflabel="drop tunnel">
1310 <term>
1311 <userinput>drop <replaceable>tunnel</replaceable></userinput>
1312 </term>
1313 <listitem>
1314 <para>
1315 This will cleanly disconnect the tunnel specified by
1316 <replaceable>tunnel</replaceable> ID, as well as all
1317 sessions on that tunnel.
1318 </para>
1319 </listitem>
1320 </varlistentry>
1321
1322 <varlistentry id="operation-cli-uptime" xreflabel="uptime">
1323 <term><userinput>uptime</userinput></term>
1324 <listitem>
1325 <para>
1326 This will show how long the <command>l2tpns</command>
1327 process has been running, and the current bandwidth
1328 utilization:
1329
1330 <screen>
1331 17:10:35 up 8 days, 2212 users, load average: 0.21, 0.17, 0.16
1332 Bandwidth: UDP-ETH:6/6 ETH-UDP:13/13 TOTAL:37.6 IN:3033 OUT:2569
1333 </screen>
1334
1335 The bandwidth line contains 4 sets of values:
1336
1337 <informaltable>
1338 <tgroup cols="2">
1339 <tbody>
1340 <row>
1341 <entry>UDP-ETH</entry>
1342 <entry>
1343 The current bandwidth going from the LAC to
1344 the ethernet (user uploads), in mbits/sec.
1345 </entry>
1346 </row>
1347 <row>
1348 <entry>ETH-UDP</entry>
1349 <entry>
1350 The current bandwidth going from ethernet to
1351 the LAC (user downloads).
1352 </entry>
1353 </row>
1354 <row>
1355 <entry>TOTAL</entry>
1356 <entry>The total aggregate bandwidth in mbits/s.</entry>
1357 </row>
1358 <row>
1359 <entry>IN and OUT</entry>
1360 <entry>
1361 Packets/per-second going between UDP-ETH and
1362 ETH-UDP.
1363 </entry>
1364 </row>
1365 </tbody>
1366 </tgroup>
1367 </informaltable>
1368
1369 These counters are updated every second.
1370 </para>
1371 </listitem>
1372 </varlistentry>
1373
1374 <varlistentry id="operation-cli-configure" xreflabel="configure">
1375 <term><userinput>configure terminal</userinput></term>
1376 <listitem>
1377 <para>
1378 Enter configuration mode. Use
1379 <userinput>exit</userinput> or
1380 <userinput>^Z</userinput> to exit this mode.
1381 </para>
1382
1383 <para>
1384 The following commands are valid in this mode:
1385
1386 <variablelist>
1387 <varlistentry id="operation-cli-conf-load">
1388 <term>
1389 <userinput>load plugin
1390 <replaceable>name</replaceable></userinput>
1391 </term>
1392 <listitem>
1393 <para>
1394 Load a plugin. You must specify the plugin
1395 name, and it will search in
1396 <filename>/usr/lib/l2tpns</filename> for
1397 <filename><replaceable>name</replaceable>.so</filename>.
1398 You can unload a loaded plugin with
1399 <userinput>remove plugin
1400 <replaceable>name</replaceable></userinput>.
1401 </para>
1402 </listitem>
1403 </varlistentry>
1404
1405 <varlistentry id="operation-cli-conf-set">
1406 <term><userinput>set</userinput> ...</term>
1407 <listitem>
1408 <para>
1409 Set a configuration variable. You must specify
1410 the variable name, and the value. If the value
1411 contains any spaces, you should quote the value
1412 with double (") or single (') quotes.
1413 </para>
1414
1415 <para>
1416 You can set any configuration value in this
1417 way, although some may require a restart to
1418 take effect. See <xref
1419 linkend="config-startup"/>.
1420 </para>
1421 </listitem>
1422 </varlistentry>
1423
1424 <varlistentry id="operation-cli-conf-router">
1425 <term><userinput>router bgp</userinput> ...</term>
1426 <listitem>
1427 <para>
1428 Configure BGP. See <xref
1429 linkend="config-startup-bgp"/>.
1430 </para>
1431 </listitem>
1432 </varlistentry>
1433
1434 <varlistentry id="operation-cli-conf-acl">
1435 <term><userinput>ip access-list</userinput> ...</term>
1436 <listitem>
1437 <para>
1438 Configure a named access list. See <xref
1439 linkend="config-startup-acl"/>.
1440 </para>
1441 </listitem>
1442 </varlistentry>
1443 </variablelist>
1444 </para>
1445 </listitem>
1446 </varlistentry>
1447 </variablelist>
1448 </para>
1449 </sect2>
1450
1451 <sect2 id="operation-nsctl">
1452 <title>nsctl</title>
1453 <para>
1454 <command>nsctl</command> sends messages to a running
1455 <command>l2tpns</command> instance to be control plugins.
1456 </para>
1457
1458 <para>
1459 Arguments are <userinput>command</userinput> and optional
1460 <replaceable>args</replaceable>. See
1461 <literal>nsctl(8)</literal>.
1462 </para>
1463
1464 <para>
1465 Built-in command are <userinput>load_plugin</userinput>,
1466 <userinput>unload_plugin</userinput> and
1467 <userinput>help</userinput>. Any other commands are passed to
1468 plugins for processing by the
1469 <literal>plugin_control</literal> function.
1470 </para>
1471 </sect2>
1472
1473 <sect2 id="operation-signals">
1474 <title>Signals</title>
1475 <para>
1476 While the process is running, you can send it a few different
1477 signals, using the <command>kill</command> command.
1478
1479 <screen>
1480 killall -HUP l2tpns
1481 </screen>
1482
1483 The signals understood are:
1484
1485 <variablelist>
1486 <varlistentry>
1487 <term>SIGHUP</term>
1488 <listitem>
1489 <para>Reload the config from disk and re-open log file.</para>
1490 </listitem>
1491 </varlistentry>
1492
1493 <varlistentry>
1494 <term>SIGTERM</term>
1495 <term>SIGINT</term>
1496 <listitem>
1497 <para>
1498 Stop process. Tunnels and sessions are not
1499 terminated. This signal should be used to stop
1500 <command>l2tpns</command> on a cluster node where
1501 there are other machines to continue handling traffic.
1502 See <xref linkend="clustering"/>
1503 </para>
1504 </listitem>
1505 </varlistentry>
1506
1507 <varlistentry>
1508 <term>SIGQUIT</term>
1509 <listitem>
1510 <para>
1511 Shut down tunnels and sessions, exit process when
1512 complete.
1513 </para>
1514 </listitem>
1515 </varlistentry>
1516 </variablelist>
1517 </para>
1518 </sect2>
1519 </sect1>
1520
1521 <sect1 id="throttling">
1522 <title>Throttling</title>
1523 <para>
1524 <command>l2tpns</command> contains support for slowing down user
1525 sessions to whatever speed you desire. The global setting
1526 <literal>throttle_speed</literal> defines the default throttle
1527 rate.
1528 </para>
1529
1530 <para>
1531 To throttle a sesion permanently, add a
1532 <literal>Cisco-AVPair</literal> RADIUS attribute. The
1533 <filename>autothrotle</filename> module interprets the following
1534 attributes:
1535
1536 <informaltable>
1537 <tgroup cols="2">
1538 <tbody>
1539 <row>
1540 <entry><literal>throttle=yes</literal></entry>
1541 <entry>
1542 Throttle upstream/downstream traffic to the configured
1543 <literal>throttle_speed</literal>.
1544 </entry>
1545 </row>
1546
1547 <row>
1548 <entry>
1549 <literal>throttle=<replaceable>rate</replaceable></literal>
1550 </entry>
1551 <entry>
1552 Throttle upstream/downstream traffic to the specified
1553 <replaceable>rate</replaceable> Kbps.
1554 </entry>
1555 </row>
1556
1557 <row>
1558 <entry>
1559 <literal>lcp:interface-config#1=service-policy input
1560 <replaceable>rate</replaceable></literal>
1561 </entry>
1562
1563 <entry morerows="1">
1564 Alternate (Cisco) format: throttle
1565 upstream/downstream to specified
1566 <replaceable>rate</replaceable> Kbps.
1567 </entry>
1568 </row>
1569
1570 <row>
1571 <entry>
1572 <literal>lcp:interface-config#2=service-policy output
1573 <replaceable>rate</replaceable></literal>
1574 </entry>
1575 </row>
1576 </tbody>
1577 </tgroup>
1578 </informaltable>
1579 </para>
1580
1581 <para>
1582 You can also enable and disable throttling an active session
1583 using the <xref linkend="operation-cli-throttle"/> CLI command.
1584 </para>
1585 </sect1>
1586
1587 <sect1 id="interception">
1588 <title>Interception</title>
1589 <para>
1590 You may have to deal with legal requirements to be able to
1591 intercept a user's traffic at any time.
1592 <command>l2tpns</command> allows you to begin and end
1593 interception on the fly, as well as at authentication time.
1594 </para>
1595
1596 <para>
1597 When a user is being intercepted, a copy of every packet they
1598 send and receive will be sent wrapped in a UDP packet to a
1599 specified host.
1600 </para>
1601
1602 <para>
1603 The UDP packet contains just the raw IP frame, with no extra
1604 headers. The script <filename>scripts/l2tpns-capture</filename>
1605 may be used as the end-point for such intercepts, writing the
1606 data in PCAP format (suitable for inspection with
1607 <command>tcpdump</command>).
1608 </para>
1609
1610 <para>
1611 To enable or disable interception of a connected user, use the
1612 <xref linkend="operation-cli-snoop"/> and <userinput>no
1613 snoop</userinput> CLI commands. These will enable interception
1614 immediately.
1615 </para>
1616
1617 <para>
1618 If you wish the user to be intercepted whenever they reconnect,
1619 you will need to modify the RADIUS response to include the
1620 Vendor-Specific value
1621 <literal>Cisco-AVPair="intercept=<replaceable>ip</replaceable>:<replaceable>port</replaceable>"</literal>.
1622 For this feature to be enabled, you need to have the
1623 <filename>autosnoop</filename> module loaded.
1624 </para>
1625 </sect1>
1626
1627 <sect1 id="plugins">
1628 <title>Plugins</title>
1629 <para>
1630 So as to make <command>l2tpns</command> as flexible as possible,
1631 a plugin API is include which you can use to hook into certain
1632 events.
1633 </para>
1634
1635 <para>
1636 There are a some standard modules included which may be used as
1637 examples: <filename>autosnoop</filename>,
1638 <filename>autothrottle</filename>, <filename>garden</filename>,
1639 <filename>sessionctl</filename>,
1640 <filename>setrxspeed</filename>, <filename>snoopctl</filename>,
1641 <filename>stripdomain</filename> and
1642 <filename>throttlectl</filename>.
1643 </para>
1644
1645 <para>
1646 When an event occurs that has a hook, <command>l2tpns</command>
1647 looks for a predefined function name in every loaded module, and
1648 runs them in the order the modules were loaded.
1649 </para>
1650
1651 <para>
1652 The function should return <code>PLUGIN_RET_OK</code> if it is
1653 all OK. If it returns <code>PLUGIN_RET_STOP</code>, then it is
1654 assumed to have worked, but that no further modules should be
1655 run for this event.
1656 </para>
1657
1658 <para>
1659 A return of <code>PLUGIN_RET_ERROR</code> means that this module
1660 failed, and no further processing should be done for this event.
1661 <note><para>Use this with care.</para></note>
1662 </para>
1663
1664 <para>
1665 Most event functions take a specific structure named
1666 <code>param_<replaceable>event</replaceable></code>, which
1667 varies in content with each event. The function name for each
1668 event will be
1669 <code>plugin_<replaceable>event</replaceable></code>, so for the
1670 event <replaceable>timer</replaceable>, the function declaration
1671 should look like:
1672
1673 <programlisting>
1674 int plugin_timer(struct param_timer *data);
1675 </programlisting>
1676
1677 A list of the available events follows, with a list of all the
1678 fields in the supplied structure:
1679
1680 <informaltable>
1681 <tgroup cols="4">
1682 <colspec colname="event"/>
1683 <colspec colname="event_desc"/>
1684 <colspec colname="member"/>
1685 <colspec colname="member_desc"/>
1686 <spanspec spanname="args" namest="member" nameend="member_desc"/>
1687 <thead>
1688 <row>
1689 <entry>Event</entry>
1690 <entry>Description</entry>
1691 <entry spanname="args">Arguments</entry>
1692 </row>
1693 </thead>
1694
1695 <tbody>
1696 <row>
1697 <entry morerows="1"><code>plugin_init</code></entry>
1698 <entry morerows="1">
1699 <para>
1700 Called when the plugin is loaded. A pointer to a
1701 struct containing function pointers is passed as the
1702 only argument, allowing the plugin to call back into
1703 the main code.
1704 </para>
1705 <para>
1706 Prior to loading the plugin, <command>l2tpns</command>
1707 checks the API version the plugin was compiled
1708 against. All plugins should contain:
1709 <programlisting>
1710 int plugin_api_version = PLUGIN_API_VERSION;
1711 </programlisting>
1712 </para>
1713 </entry>
1714 <entry spanname="args"><code>struct pluginfuncs *</code></entry>
1715 </row>
1716 <row>
1717 <entry spanname="args">
1718 See <code>pluginfuncs</code> structure in
1719 <code>plugin.h</code> for available functions.
1720 </entry>
1721 </row>
1722
1723 <row>
1724 <entry morerows="1"><code>plugin_done</code></entry>
1725 <entry morerows="1">
1726 Called when the plugin is unloaded or
1727 <command>l2tpns</command> is shutdown.
1728 </entry>
1729 <entry spanname="args"><code>void</code></entry>
1730 </row>
1731 <row>
1732 <entry spanname="args">No arguments.</entry>
1733 </row>
1734
1735 <row>
1736 <entry morerows="6"><code>plugin_pre_auth</code></entry>
1737 <entry morerows="6">
1738 Called after a RADIUS response has been received, but
1739 before it has been processed by the code. This will
1740 allow you to modify the response in some way.
1741 </entry>
1742 <entry spanname="args">
1743 <code>struct plugin param_pre_auth *</code>
1744 </entry>
1745 </row>
1746 <row>
1747 <entry><code>tunnelt *t</code></entry>
1748 <entry>Tunnel.</entry>
1749 </row>
1750 <row>
1751 <entry><code>sessiont *s</code></entry>
1752 <entry>Session.</entry>
1753 </row>
1754 <row>
1755 <entry><code>char *username</code></entry>
1756 <entry>User name.</entry>
1757 </row>
1758 <row>
1759 <entry><code>char *password</code></entry>
1760 <entry>Password.</entry>
1761 </row>
1762 <row>
1763 <entry><code>int protocol</code></entry>
1764 <entry>
1765 Authentication protocol: <literal>0xC023</literal> for PAP,
1766 <literal>0xC223</literal> for CHAP.
1767 </entry>
1768 </row>
1769 <row>
1770 <entry><code>int continue_auth</code></entry>
1771 <entry>Set to 0 to stop processing authentication modules.</entry>
1772 </row>
1773
1774 <row>
1775 <entry morerows="5"><code>plugin_post_auth</code></entry>
1776 <entry morerows="5">
1777 Called after a RADIUS response has been received, and
1778 the basic checks have been performed. This is what
1779 the <filename>garden</filename> module uses to force
1780 authentication to be accepted.
1781 </entry>
1782 <entry spanname="args">
1783 <code>struct plugin param_post_auth *</code>
1784 </entry>
1785 </row>
1786 <row>
1787 <entry><code>tunnelt *t</code></entry>
1788 <entry>Tunnel.</entry>
1789 </row>
1790 <row>
1791 <entry><code>sessiont *s</code></entry>
1792 <entry>Session.</entry>
1793 </row>
1794 <row>
1795 <entry><code>char *username</code></entry>
1796 <entry>User name.</entry>
1797 </row>
1798 <row>
1799 <entry><code>short auth_allowed</code></entry>
1800 <entry>
1801 Initially true or false depending on whether
1802 authentication has been allowed so far. You can
1803 set this to 1 or 0 to force authentication to be
1804 accepted or rejected.
1805 </entry>
1806 </row>
1807 <row>
1808 <entry><code>int protocol</code></entry>
1809 <entry>
1810 Authentication protocol: <literal>0xC023</literal> for PAP,
1811 <literal>0xC223</literal> for CHAP.
1812 </entry>
1813 </row>
1814
1815 <row>
1816 <entry morerows="1"><code>plugin_timer</code></entry>
1817 <entry morerows="1">
1818 Run once per second.
1819 </entry>
1820 <entry spanname="args">
1821 <code>struct plugin param_timer *</code>
1822 </entry>
1823 </row>
1824 <row>
1825 <entry><code>time_t time_now</code></entry>
1826 <entry>The current unix timestamp.</entry>
1827 </row>
1828
1829 <row>
1830 <entry morerows="2"><code>plugin_new_session</code></entry>
1831 <entry morerows="2">
1832 Called after a session is fully set up. The session
1833 is now ready to handle traffic.
1834 </entry>
1835 <entry spanname="args">
1836 <code>struct plugin param_new_session *</code>
1837 </entry>
1838 </row>
1839 <row>
1840 <entry><code>tunnelt *t</code></entry>
1841 <entry>Tunnel.</entry>
1842 </row>
1843 <row>
1844 <entry><code>sessiont *s</code></entry>
1845 <entry>Session.</entry>
1846 </row>
1847
1848 <row>
1849 <entry morerows="2"><code>plugin_kill_session</code></entry>
1850 <entry morerows="2">
1851 Called when a session is about to be shut down. This
1852 may be called multiple times for the same session.
1853 </entry>
1854 <entry spanname="args">
1855 <code>struct plugin param_kill_session *</code>
1856 </entry>
1857 </row>
1858 <row>
1859 <entry><code>tunnelt *t</code></entry>
1860 <entry>Tunnel.</entry>
1861 </row>
1862 <row>
1863 <entry><code>sessiont *s</code></entry>
1864 <entry>Session.</entry>
1865 </row>
1866
1867 <row>
1868 <entry morerows="5"><code>plugin_control</code></entry>
1869 <entry morerows="5">
1870 <para>
1871 Called in whenever a <command>nsctl</command> packet
1872 is received. This should handle the packet and form a
1873 response if required.
1874 </para>
1875 <para>
1876 Plugin-specific help strings may be included in the
1877 output of <userinput>nsctl help</userinput> by
1878 defining a <code>NULL</code> terminated list of
1879 strings as follows:
1880 <programlisting>
1881 char *plugin_control_help[] = { <replaceable>...</replaceable>, NULL };
1882 </programlisting>
1883 </para>
1884 </entry>
1885 <entry spanname="args">
1886 <code>struct plugin param_control *</code>
1887 </entry>
1888 </row>
1889 <row>
1890 <entry><code>int iam_master</code></entry>
1891 <entry>If true, this node is the cluster master.</entry>
1892 </row>
1893 <row>
1894 <entry><code>int argc</code></entry>
1895 <entry morerows="1"><command>nsctl</command> arguments.</entry>
1896 </row>
1897 <row>
1898 <entry><code>char **argc</code></entry>
1899 </row>
1900 <row>
1901 <entry><code>int reponse</code></entry>
1902 <entry>
1903 Response from control message (if handled): should be
1904 either <code>NSCTL_RES_OK</code> or
1905 <code>NSCTL_RES_ERR</code>.
1906 </entry>
1907 </row>
1908 <row>
1909 <entry><code>char *additional</code></entry>
1910 <entry>
1911 Additional information, output by
1912 <command>nsctl</command> on receiving the response.
1913 </entry>
1914 </row>
1915
1916 <row>
1917 <entry morerows="4"><code>plugin_radius_response</code></entry>
1918 <entry morerows="4">
1919 Called whenever a RADIUS response includes a
1920 <literal>Cisco-AVPair</literal> value. The value is
1921 split into
1922 <replaceable>key</replaceable><literal>=</literal><replaceable>value</replaceable>
1923 pairs. Will be called once for each pair in the
1924 response.
1925 </entry>
1926 <entry spanname="args">
1927 <code>struct plugin param_radius_response *</code>
1928 </entry>
1929 </row>
1930 <row>
1931 <entry><code>tunnelt *t</code></entry>
1932 <entry>Tunnel.</entry>
1933 </row>
1934 <row>
1935 <entry><code>sessiont *s</code></entry>
1936 <entry>Session.</entry>
1937 </row>
1938 <row>
1939 <entry><code>char *key</code></entry>
1940 <entry morerows="1">Key and value.</entry>
1941 </row>
1942 <row>
1943 <entry><code>char *value</code></entry>
1944 </row>
1945
1946 <row>
1947 <entry morerows="2"><code>plugin_radius_reset</code></entry>
1948 <entry morerows="2">
1949 Called whenever a RADIUS CoA request is received to
1950 reset any options to default values before the new
1951 values are applied.
1952 </entry>
1953 <entry spanname="args">
1954 <code>struct param_radius_reset *</code>
1955 </entry>
1956 </row>
1957 <row>
1958 <entry><code>tunnelt *t</code></entry>
1959 <entry>Tunnel.</entry>
1960 </row>
1961 <row>
1962 <entry><code>sessiont *s</code></entry>
1963 <entry>Session.</entry>
1964 </row>
1965
1966 <row>
1967 <entry morerows="3"><code>plugin_radius_account</code></entry>
1968 <entry morerows="3">
1969 Called when preparing a RADIUS accounting record to
1970 allow additional data to be added to the packet.
1971 </entry>
1972 <entry spanname="args">
1973 <code>struct param_radius_account *</code>
1974 </entry>
1975 </row>
1976 <row>
1977 <entry><code>tunnelt *t</code></entry>
1978 <entry>Tunnel.</entry>
1979 </row>
1980 <row>
1981 <entry><code>sessiont *s</code></entry>
1982 <entry>Session.</entry>
1983 </row>
1984 <row>
1985 <entry><code>uint8_t **packet</code></entry>
1986 <entry>
1987 Pointer to the end of the currently assembled
1988 packet buffer. The value should be incremented by the
1989 length of any data added.
1990 </entry>
1991 </row>
1992
1993 <row>
1994 <entry morerows="1"><code>plugin_become_master</code></entry>
1995 <entry morerows="1">
1996 Called when a node elects itself cluster master.
1997 </entry>
1998 <entry spanname="args"><code>void</code></entry>
1999 </row>
2000 <row>
2001 <entry spanname="args">No arguments.</entry>
2002 </row>
2003
2004 <row>
2005 <entry morerows="1"><code>plugin_new_session_master</code></entry>
2006 <entry morerows="1">
2007 Called once for each open session on becoming cluster
2008 master.
2009 </entry>
2010 <entry spanname="args"><code>sessiont *</code></entry>
2011 </row>
2012 <row>
2013 <entry spanname="args">
2014 Session.
2015 </entry>
2016 </row>
2017 </tbody>
2018 </tgroup>
2019 </informaltable>
2020 </para>
2021 </sect1>
2022
2023 <sect1 id="walled-garden">
2024 <title>Walled Garden</title>
2025 <para>
2026 A "Walled Garden" is implemented so that you can provide perhaps
2027 limited service to sessions that incorrectly authenticate.
2028 </para>
2029
2030 <para>
2031 Whenever a session provides incorrect authentication, and the
2032 RADIUS server responds with Auth-Reject, the walled garden
2033 module (if loaded) will force authentication to succeed, but set
2034 the <literal>walled_garden</literal> flag in the session
2035 structure, and adds an <command>iptables</command> rule to the
2036 <literal>garden_users</literal> chain to cause all packets for
2037 the session to traverse the <literal>garden</literal> chain.
2038 </para>
2039
2040 <para>
2041 This doesn't <emphasis>just work</emphasis>. To set this all
2042 up, you will to setup the <literal>garden</literal> nat table
2043 with the <xref linkend="config-build-garden"/> script with rules
2044 to limit user's traffic.
2045 </para>
2046
2047 <para>
2048 For example, to force all traffic except DNS to be forwarded to
2049 192.168.1.1, add these entries to your
2050 <filename>build-garden</filename> script:
2051
2052 <programlisting>
2053 iptables -t nat -A garden -p tcp --dport ! 53 -j DNAT --to 192.168.1.1
2054 iptables -t nat -A garden -p udp --dport ! 53 -j DNAT --to 192.168.1.1
2055 </programlisting>
2056 </para>
2057
2058 <para>
2059 <command>l2tpns</command> will add entries to the
2060 <literal>garden_users</literal> chain as appropriate.
2061 </para>
2062
2063 <para>
2064 You can check the amount of traffic being captured using the
2065 following command:
2066
2067 <screen>
2068 iptables -t nat -L garden -nvx
2069 </screen>
2070 </para>
2071 </sect1>
2072
2073 <sect1 id="filtering">
2074 <title>Filtering</title>
2075 <para>
2076 Sessions may be filtered by specifying
2077 <literal>Filter-Id</literal> attributes in the RADIUS reply.
2078 <replaceable>filter</replaceable>.<literal>in</literal>
2079 specifies that the named access-list
2080 <replaceable>filter</replaceable> should be applied to traffic
2081 from the customer,
2082 <replaceable>filter</replaceable>.<literal>out</literal>
2083 specifies a list for traffic to the customer.
2084 </para>
2085 </sect1>
2086
2087 <sect1 id="clustering">
2088 <title>Clustering</title>
2089 <para>
2090 An <command>l2tpns</command> cluster consists of one* or more
2091 servers configured with the same configuration, notably the
2092 multicast <literal>cluster_address</literal>.
2093 </para>
2094
2095 <para>*A stand-alone server is simply a degraded cluster.</para>
2096
2097 <para>
2098 Initially servers come up as cluster slaves, and periodically
2099 (every <literal>cluster_hb_interval</literal>/10 seconds) send
2100 out ping packets containing the start time of the process to the
2101 multicast <literal>cluster_address</literal>.
2102 </para>
2103
2104 <para>
2105 A cluster master sends heartbeat rather than ping packets, which
2106 contain those session and tunnel changes since the last
2107 heartbeat.
2108 </para>
2109
2110 <para>
2111 When a slave has not seen a heartbeat within
2112 <literal>cluster_hb_timeout</literal>/10 seconds it "elects" a
2113 new master by examining the list of peers it has seen pings from
2114 and determines which of these and itself is the "best" candidate
2115 to be master. "Best" in this context means the server with the
2116 highest uptime (the highest IP address is used as a tie-breaker
2117 in the case of equal uptimes).
2118 </para>
2119
2120 <para>
2121 After discovering a master, and determining that it is
2122 up-to-date (has seen an update for all in-use sessions and
2123 tunnels from heartbeat packets) will raise a route (see <xref
2124 linkend="routing"/>) for the <literal>bind_address</literal> and
2125 for all addresses/networks in <filename>ip_pool</filename>.
2126 </para>
2127
2128 <para>
2129 Any packets recieved by the slave which would alter the session
2130 state, as well as packets for throttled or gardened sessions are
2131 forwarded to the master for handling. In addition, byte
2132 counters for session traffic are periodically forwarded.
2133 </para>
2134
2135 <para>
2136 The master, when determining that it has at least one* up-to-date
2137 slave will drop all routes (raising them again if all slaves
2138 disappear) and subsequently handle only packets forwarded to it
2139 by the slaves.
2140 </para>
2141
2142 <para>*Configurable with <literal>cluster_master_min_adv</literal></para>
2143 </sect1>
2144
2145 <sect1 id="routing">
2146 <title>Routing</title>
2147 <para>
2148 If you are running a single instance, you may simply statically
2149 route the IP pools to the <literal>bind_address</literal>
2150 (<command>l2tpns</command> will send a gratuitous arp).
2151 </para>
2152
2153 <para>
2154 For a cluster, configure the members as BGP neighbours on your
2155 router and configure multi-path load-balancing. Cisco uses
2156 <userinput>maximum-paths ibgp</userinput> for IBGP. If this is
2157 not supported by your IOS revision, you can use
2158 <userinput>maximum-paths</userinput> (which works for EBGP) and
2159 set <literal>as_number</literal> to a private value such as
2160 64512.
2161 </para>
2162 </sect1>
2163 </article>
for cloning use: "git clone git://git.sameswireless.fr/l2tpns.git" ; For add to your sources.list: "deb http://package.sameswifi.fr/ jessie main"