5 .Id $Id: startup-config.5,v 1.18 2006/07/01 12:40:17 bodea Exp $
6 .TH STARTUP-CONFIG 5 "\*(Dt" L2TPNS "File Formats and Conventions"
8 startup\-config \- configuration file for l2tpns
10 /etc/l2tpns/startup-config
13 is the configuration file for
16 The format is plain text, in the same format as accepted by the
19 telnet administrative interface. Comments are indicated by either the
25 Settings are specified with
27 .BI "set " "variable value"
35 Set the level of debugging messages written to the log file. The
36 value should be between 0 and 5, with 0 being no debugging, and 5
40 This will be where all logging and debugging information is written
41 to. This may be either a filename, such as
44 .BR syslog : \fIfacility\fR ,
47 is any one of the syslog logging facilities, such as
51 If set, the process id will be written to the specified file. The
52 value must be an absolute path.
55 Path to random data source (default
57 Use "" to use the rand() library function.
62 for authenticating tunnel request. Must be the same as the LAC, or
63 authentication will fail. Only actually be used if the LAC requests
67 MTU of interface for L2TP traffic (default: 1500). Used to set link
68 MRU and adjust TCP MSS.
71 Restart timer for PPP protocol negotiation in seconds (default: 3).
74 Number of configure requests to send before giving up (default: 10).
77 Number of Configure-Nak requests to send before sending a
78 Configure-Reject (default: 5).
80 .BR primary_dns ", " secondary_dns
81 Whenever a PPP connection is established, DNS servers will be sent to the
82 user, both a primary and a secondary. If either is set to 0.0.0.0, then that
85 .BR primary_radius ", " secondary_radius
86 Sets the RADIUS servers used for both authentication and accounting.
87 If the primary server does not respond, then the secondary RADIUS
90 .BR primary_radius_port ", " secondary_radius_port
91 Sets the authentication ports for the primary and secondary RADIUS
92 servers. The accounting port is one more than the authentication
93 port. If no ports are given, authentication defaults to 1645, and
97 If set to true, then RADIUS accounting packets will be sent. A
99 record will be sent when the session is successfully authenticated,
102 record when the session is closed.
107 is on, defines the interval between sending of RADIUS interim
108 accounting records (in seconds).
111 Secret to be used in RADIUS packets.
114 A comma separated list of supported RADIUS authentication methods
115 ("pap" or "chap"), in order of preference (default "pap").
118 Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization)
119 requests (default: 3799).
121 .BR radius_bind_min ", " radius_bind_max
122 Define a port range in which to bind sockets used to send and receive
123 RADIUS packets. Must be at least RADIUS_FDS (64) wide. Simplifies
124 firewalling of RADIUS ports (default: dynamically assigned).
126 .B allow_duplicate_users
127 Allow multiple logins with the same username. If false (the default),
128 any prior session with the same username will be dropped when a new
129 session is established.
132 Allow multiple logins matching this specific username.
135 When the tun interface is created, it is assigned the address
136 specified here. If no address is given, 1.1.1.1 is used. Packets
137 containing user traffic should be routed via this address if given,
138 otherwise the primary address of the machine.
141 Address to send to clients as the default gateway.
144 Determines whether or not to send a gratuitous ARP for the
146 when the server is ready to handle traffic (default: true). This
147 setting is ignored if BGP is configured.
150 Sets the default speed (in kbits/s) which sessions will be limited to.
153 Number of token buckets to allocate for throttling. Each throttled
154 session requires two buckets (in and out).
157 If set to a directory, then every 5 minutes the current usage for
158 every connected use will be dumped to a file in this directory.
161 If set to true, then the current bandwidth utilization will be logged
162 every second. Even if this is disabled, you can see this information
168 Number of packets to read off each of the UDP and TUN fds when
169 returned as readable by select (default: 10). Avoids incurring the
170 unnecessary system call overhead of select on busy servers.
173 Sets the scheduling policy for the
177 This causes the kernel to immediately preempt any currently running
179 (normal) process in favour of
181 when it becomes runnable.
183 Ignored on uniprocessor systems.
186 Keep all pages mapped by the
191 Maximum number of host unreachable ICMP packets to send per second.
194 Maximum number of packets of downstream traffic to be handled each
195 tenth of a second per session. If zero, no limit is applied (default:
196 0). Intended as a DoS prevention mechanism and not a general
197 throttling control (packets are dropped, not queued).
200 Multicast cluster address (default: 239.192.13.13).
203 Interface for cluster packets (default: eth0).
206 TTL for multicast packets (default: 1).
208 .B cluster_hb_interval
209 Interval in tenths of a second between cluster heartbeat/pings.
211 .B cluster_hb_timeout
212 Cluster heartbeat timeout in tenths of a second. A new master will be
213 elected when this interval has been passed without seeing a heartbeat
216 .B cluster_master_min_adv
217 Determines the minumum number of up to date slaves required before the
218 master will drop routes (default: 1).
221 Enable negotiation of IPv6. This forms the the first 64 bits of the
222 client allocated address. The remaining 64 come from the allocated
223 IPv4 address and 4 bytes of 0s.
226 The routing configuration section is entered by the command
232 specifies the local AS number.
234 Subsequent lines prefixed with
235 .BI "neighbour " peer
236 define the attributes of BGP neighhbours. Valid commands are:
238 .BI "neighbour " peer " remote-as " as
240 .BI "neighbour " peer " timers " "keepalive hold"
244 specifies the BGP neighbour as either a hostname or IP address,
246 is the remote AS number and
249 are the timer values in seconds.
250 .SS NAMED ACCESS LISTS
251 Named access lists may be defined with either of
253 .BI "ip access\-list standard " name
255 .BI "ip access\-list extended " name
257 Subsequent lines starting with
261 define the body of the access\-list.
263 .B Standard Access Lists
265 Standard access lists are defined with:
267 .RB { permit | deny }
268 .IR source " [" dest ]
274 specify IP matches using one of:
287 are in dotted-quad notation, bits in the
289 indicate which address bits in
291 are relevant to the match (0 = exact match; 1 = don't care).
302 .BR 255.255.255.255 '.
305 .B Extended Access Lists
307 Extended access lists are defined with:
309 .RB { permit | deny }
311 .IR source " [" ports "] " dest " [" ports "] [" flags ]
324 are as described above for standard lists.
326 For TCP and UDP matches, source and destination may be optionally
331 .RB { eq | neq | gt | lt }
342 .RB { match\-any | match\-all }
343 .RB { + | - }{ fin | syn | rst | psh | ack | urg }
346 Match packets with any or all of the tcp flags set
353 Match "established" TCP connections: packets with
363 Match IP fragments. May not be specified on rules with layer 4