X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/3057f5e655405b7ba84a559213a1dbaaa3eaaab6..bd1ea89ed17f63b4725825f93e2ced687cca45b5:/Docs/manual.html diff --git a/Docs/manual.html b/Docs/manual.html index 13748a9..f8f3908 100644 --- a/Docs/manual.html +++ b/Docs/manual.html @@ -60,8 +60,8 @@ H3 {

Overview

-l2tpns is half of a complete L2TP implementation. It supports only the -LNS side of the connection.

+l2tpns a complete L2TP implementation. It supports the LAC, LNS and + PPPOE server.

L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP connection. l2tpns @@ -184,6 +184,18 @@ the same as the LAC, or authentication will fail. Only actually be used if the LAC requests authentication. +

  • l2tp_mtu (int)
    +MTU of interface for L2TP traffic (default: 1500). Used to set link +MRU and adjust TCP MSS. +
  • + +
  • ppp_restart_time (int)
    +ppp_max_configure (int)
    +ppp_max_failure (int)
    +PPP counter and timer values, as described in §4.1 of +RFC1661. +
  • +
  • primary_dns (ip address)
  • secondary_dns (ip address)
    Whenever a PPP connection is established, DNS servers will be sent to the @@ -191,14 +203,6 @@ user, both a primary and a secondary. If either is set to 0.0.0.0, then that one will not be sent.
  • -
  • save_state (boolean)
    -When l2tpns receives a STGTERM it will write out its current -ip_address_pool, session and tunnel tables to disk prior to exiting to -be re-loaded at startup. The validity of this data is obviously quite -short and the intent is to allow an sessions to be retained over a -software upgrade. -
  • -
  • primary_radius (ip address)
  • secondary_radius (ip address)
    Sets the RADIUS servers used for both authentication and accounting. @@ -231,16 +235,43 @@ This secret will be used in all RADIUS queries. If this is not set then RADIUS queries will fail.
  • +
  • radius_authtypes (string)
    +A comma separated list of supported RADIUS authentication methods +(pap or chap), in order of preference (default pap). +
  • + +
  • radius_dae_port (short)
    +Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization) +requests (default: 3799). +
  • + +
  • allow_duplicate_users (boolean)
    +Allow multiple logins with the same username. If false (the default), +any prior session with the same username will be dropped when a new +session is established. +
  • +
  • bind_address (ip address)
    -When the tun interface is created, it is assigned the address -specified here. If no address is given, 1.1.1.1 is used. Packets -containing user traffic should be routed via this address if given, -otherwise the primary address of the machine. +It's the listen address of the l2tp udp protocol sent and received +to LAC. This address is also assigned to the tun interface if no +iftun_address is specified. Packets containing user traffic should be +routed via this address if given, otherwise the primary address of the +machine. +
  • + +
  • iftun_address (ip address)
    +This parameter is used when you want a tun interface address different +from the address of "bind_address" (For use in cases of specific configuration). +If no address is given to iftun_address and bind_address, 1.1.1.1 is used. +
  • + +
  • tundevicename (string)
    +Name of the tun interface (default: "tun0").
  • peer_address (ip address)
    Address to send to clients as the default gateway. - +
  • send_garp (boolean)
    Determines whether or not to send a gratuitous ARP for the @@ -282,10 +313,6 @@ second. Even if this is disabled, you can see this information by running the uptime command on the CLI.
  • -
  • cleanup_interval (int)
    -Interval between regular cleanups (in seconds). -
  • -
  • multi_read_count (int)
    Number of packets to read off each of the UDP and TUN fds when returned as readable by select (default: 10). Avoids incurring the @@ -307,6 +334,13 @@ Keep all pages mapped by the l2tpns process in memory. Maximum number of host unreachable ICMP packets to send per second.
  • +
  • packet_limit (int>
    +Maximum number of packets of downstream traffic to be handled each +tenth of a second per session. If zero, no limit is applied (default: +0). Intended as a DoS prevention mechanism and not a general +throttling control (packets are dropped, not queued). +
  • +
  • cluster_address (ip address)
    Multicast cluster address (default: 239.192.13.13). See the section on Clustering for more information. @@ -316,6 +350,10 @@ on Clustering for more information. Interface for cluster packets (default: eth0).
  • +
  • cluster_mcast_ttl (int)
    +TTL for multicast packets (default: 1). +
  • +
  • cluster_hb_interval (int)
    Interval in tenths of a second between cluster heartbeat/pings.
  • @@ -325,8 +363,89 @@ Cluster heartbeat timeout in tenths of a second. A new master will be elected when this interval has been passed without seeing a heartbeat from the master. + +
  • cluster_master_min_adv (int)
    +Determines the minumum number of up to date slaves required before the +master will drop routes (default: 1). +
  • + +
  • echo_timeout (int)
    +Time between last packet sent and LCP ECHO generation +(default: 10 (seconds)). +
  • + +
  • idle_echo_timeout (int)
    +Drop sessions who have not responded within idle_echo_timeout seconds +(default: 240 (seconds)) +
  • + +
  • auth_tunnel_change_addr_src (boolean)
    +This parameter authorize to change the source IP of the tunnels l2tp. +This parameter can be used when the remotes BAS/LAC are l2tpns server +configured in cluster mode, but that the interface to remote LNS are +not clustered (the tunnel can be coming from different source IP) +(default: no). +
  • + + + +

    LAC configuration

    + + +

    A static REMOTES LNS configuration can be entered by the command:

    +
    setforward MASK IP PORT SECRET
    + +where MASK specifies the mask of users who have forwarded to +remote LNS (ex: "/friendISP@company.com").
    +where IP specifies the IP of the remote LNS (ex: "66.66.66.55").
    +where PORT specifies the L2TP Port of the remote LNS +(Normally should be 1701) (ex: 1701).
    +where SECRET specifies the secret password the remote LNS (ex: mysecret).
    +
    +The static Remote LNS configuration can be used when the friend ISP not +have a proxied Radius.
    +If the proxied Radius is used, It will return the RADIUS attributes:
    + Tunnel-Type: 1 = L2TP
    + Tunnel-Medium-Type: 1 = IPv4
    + Tunnel-Password: 1 = "LESECRETL2TP"
    + Tunnel-Server-Endpoint: 1 = "88.xx.xx.x1"
    + Tunnel-Assignment-Id: 1 = "friendisp_lns1"
    + Tunnel-Type: 2 = L2TP
    + Tunnel-Medium-Type: 2 = IPv4
    + Tunnel-Password: 2 = "LESECRETL2TP"
    + Tunnel-Server-Endpoint: 2 = "88.xx.xx.x2"
    + Tunnel-Assignment-Id: 2 = "friendisp_lns2"
    + +

    PPPOE configuration

    + + +

    BGP configuration

    +

    BGP routing configuration is entered by the command: The routing configuration section is entered by the command

    router bgp as
    @@ -360,23 +479,25 @@ define the body of the access-list. Standard access-list syntax: Extended access-lists: -
    -
    {permit|deny} ip +
    +

    {permit|deny} ip {host|source source-wildcard|any} - {host|destination destination-wildcard|any} -

    {permit|deny} udp + {host|destination destination-wildcard|any} [fragments] +

    {permit|deny} udp {host|source source-wildcard|any} [{eq|neq|gt|lt} port|range from to] {host|destination destination-wildcard|any} [{eq|neq|gt|lt} port|range from to] -

    {permit|deny} tcp + [fragments] +

    {permit|deny} tcp {host|source source-wildcard|any} [{eq|neq|gt|lt} port|range from to] {host|destination destination-wildcard|any} [{eq|neq|gt|lt} port|range from to] [{established|{match-any|match-all} - {+|-}{fin|syn|rst|psh|ack|urg} ...] -

    + {+|-}{fin|syn|rst|psh|ack|urg} + ...|fragments] +

    users

    @@ -682,16 +803,15 @@ killall -HUP l2tpns The signals understood are: - +
    +
    SIGHUP
    Reload the config from disk and re-open log file.
    +
    SIGTERM, SIGINT
    Stop process. Tunnels and sessions are not +terminated. This signal should be used to stop l2tpns on a +cluster node where there are other machines to +continue handling traffic.
    +
    SIGQUIT
    Shut down tunnels and sessions, exit process when +complete.
    +

    Throttling

    @@ -804,14 +924,14 @@ supplied structure: some way. - +
    +
    t
    Tunnel +
    s
    Session +
    username +
    password +
    protocol
    0xC023 for PAP, 0xC223 for CHAP +
    continue_auth
    Set to 0 to stop processing authentication modules +
    post_auth @@ -821,16 +941,16 @@ supplied structure: to be accepted. - + allow or disallow authentication +
    protocol
    0xC023 for PAP, 0xC223 for CHAP + packet_rx @@ -839,12 +959,12 @@ supplied structure: seriously slow down the system. - +
    +
    t
    Tunnel +
    s
    Session +
    buf
    The raw packet data +
    len
    The length of buf +
    packet_tx @@ -853,12 +973,12 @@ supplied structure: seriously slow down the system. - +
    +
    t
    Tunnel +
    s
    Session +
    buf
    The raw packet data +
    len
    The length of buf +
    timer @@ -867,9 +987,9 @@ supplied structure: you do is reentrant. - +
    +
    time_now
    The current unix timestamp +
    new_session @@ -877,10 +997,10 @@ supplied structure: session is now ready to handle traffic. - +
    +
    t
    Tunnel +
    s
    Session +
    kill_session @@ -888,10 +1008,10 @@ supplied structure: This may be called multiple times for the same session. - +
    +
    t
    Tunnel +
    s
    Session +
    radius_response @@ -901,12 +1021,24 @@ supplied structure: modules. - +
    +
    t
    Tunnel +
    s
    Session +
    key +
    value +
    + + + radius_reset + This is called whenever a RADIUS CoA request is + received to reset any options to default values before + the new values are applied. + + +
    +
    t
    Tunnel +
    s
    Session +
    control @@ -915,21 +1047,13 @@ supplied structure: required. - +
    +
    iam_master
    Cluster master status +
    argc
    The number of arguments +
    argv
    Arguments +
    response
    Return value: NSCTL_RES_OK or NSCTL_RES_ERR +
    additional
    Extended response text +