X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/fa3a21e4a815106d785c6bd78fbecce76077854f..e843431b6078e2fbfd8782f65f2cd2beadbdb0cc:/Docs/manual.html?ds=sidebyside diff --git a/Docs/manual.html b/Docs/manual.html index b95858b..8894599 100644 --- a/Docs/manual.html +++ b/Docs/manual.html @@ -60,8 +60,8 @@ H3 { </OL> <H2 ID="Overview">Overview</H2> -l2tpns is half of a complete L2TP implementation. It supports only the -LNS side of the connection.<P> +l2tpns a complete L2TP implementation. It supports the LAC, LNS and + PPPOE server.<P> L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP connection. l2tpns @@ -184,6 +184,18 @@ the same as the LAC, or authentication will fail. Only actually be used if the LAC requests authentication. </LI> +<LI><B>l2tp_mtu</B> (int)<BR> +MTU of interface for L2TP traffic (default: 1500). Used to set link +MRU and adjust TCP MSS. +</LI> + +<LI><B>ppp_restart_time</B> (int)<BR> +<B>ppp_max_configure</B> (int)<BR> +<B>ppp_max_failure</B> (int)<BR> +PPP counter and timer values, as described in §4.1 of +<a href="ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">RFC1661</a>. +</LI> + <LI><B>primary_dns</B> (ip address) <LI><B>secondary_dns</B> (ip address)<BR> Whenever a PPP connection is established, DNS servers will be sent to the @@ -191,14 +203,6 @@ user, both a primary and a secondary. If either is set to 0.0.0.0, then that one will not be sent. </LI> -<LI><B>save_state</B> (boolean)<BR> -When l2tpns receives a STGTERM it will write out its current -ip_address_pool, session and tunnel tables to disk prior to exiting to -be re-loaded at startup. The validity of this data is obviously quite -short and the intent is to allow an sessions to be retained over a -software upgrade. -</LI> - <LI><B>primary_radius</B> (ip address) <LI><B>secondary_radius</B> (ip address)<BR> Sets the RADIUS servers used for both authentication and accounting. 
@@ -231,16 +235,61 @@ This secret will be used in all RADIUS queries. If this is not set then RADIUS queries will fail. </LI> +<LI><B>radius_authtypes</B> (string)</BR> +A comma separated list of supported RADIUS authentication methods +(<B>pap</B> or <B>chap</B>), in order of preference (default <B>pap</B>). +</LI> + +<LI><B>radius_dae_port</B> (short)<BR> +Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization) +requests (default: <B>3799</B>). +</LI> + +<LI><B>allow_duplicate_users</B> (boolean)</BR> +Allow multiple logins with the same username. If false (the default), +any prior session with the same username will be dropped when a new +session is established. +</LI> + <LI><B>bind_address</B> (ip address)<BR> -When the tun interface is created, it is assigned the address -specified here. If no address is given, 1.1.1.1 is used. Packets -containing user traffic should be routed via this address if given, -otherwise the primary address of the machine. +It's the listen address of the l2tp udp protocol sent and received +to LAC. This address is also assigned to the tun interface if no +iftun_address is specified. Packets containing user traffic should be +routed via this address if given, otherwise the primary address of the +machine. +</LI> + +<LI><B>iftun_address</B> (ip address)<BR> +This parameter is used when you want a tun interface address different +from the address of "bind_address" (For use in cases of specific configuration). +If no address is given to iftun_address and bind_address, 1.1.1.1 is used. +</LI> + +<LI><B>bind_multi_address</B> (ip address)<BR> +This parameter permit to listen several addresss of the l2tp udp protocol +(and set several address to the tun interface). +<BR> +WHEN this parameter is set, It OVERWRITE the parameters "bind_address" +and "iftun_address". +<BR> +these can be interesting when you want do load-balancing in cluster mode +of the uploaded from the LAC. 
For example you can set a bgp.prepend(MY_AS) +for Address1 on LNS1 and a bgp.prepend(MY_AS) for Address2 on LNS2 +(see BGP AS-path prepending). +<BR> +example of use with 2 address: +<BR> +set bind_multi_address "64.14.13.41, 64.14.13.42" + +</LI> + +<LI><B>tundevicename</B> (string)<BR> +Name of the tun interface (default: "tun0"). </LI> <LI><B>peer_address</B> (ip address)<BR> Address to send to clients as the default gateway. -</L1> +</LI> <LI><B>send_garp</B> (boolean)<BR> Determines whether or not to send a gratuitous ARP for the @@ -267,8 +316,13 @@ every connected use will be dumped to a file in this directory. Each file dumped begins with a header, where each line is prefixed by #. Following the header is a single line for every connected user, fields separated by a space.<BR> The fields are username, ip, qos, -uptxoctets, downrxoctets. The qos field is 1 if a standard user, and -2 if the user is throttled. +uptxoctets, downrxoctets, origin (optional). The qos field is 1 if a standard user, and +2 if the user is throttled. The origin field is dump if account_all_origin is set to true +(origin value: L=LAC data, R=Remote LNS data, P=PPPOE data). +</LI> + +<LI><B>account_all_origin</B> (boolean)<BR> +If set to true, all origin of the usage is dumped to the accounting file (LAC+Remote LNS+PPPOE)(default false). </LI> <LI><B>setuid</B> (int)<BR> @@ -282,10 +336,6 @@ second. Even if this is disabled, you can see this information by running the <EM>uptime</EM> command on the CLI. </LI> -<LI><B>cleanup_interval</B> (int)<BR> -Interval between regular cleanups (in seconds). -</LI> - <LI><B>multi_read_count</B> (int)<BR> Number of packets to read off each of the UDP and TUN fds when returned as readable by select (default: 10). Avoids incurring the 
@@ -307,6 +357,13 @@ Keep all pages mapped by the l2tpns process in memory. Maximum number of host unreachable ICMP packets to send per second. </LI> +<LI><B>packet_limit</B> (int><BR> +Maximum number of packets of downstream traffic to be handled each +tenth of a second per session. If zero, no limit is applied (default: +0). Intended as a DoS prevention mechanism and not a general +throttling control (packets are dropped, not queued). +</LI> + <LI><B>cluster_address</B> (ip address)<BR> Multicast cluster address (default: 239.192.13.13). See the section on <A HREF="#Clustering">Clustering</A> for more information. @@ -316,6 +373,10 @@ on <A HREF="#Clustering">Clustering</A> for more information. Interface for cluster packets (default: eth0). </LI> +<LI><B>cluster_mcast_ttl</B> (int)<BR> +TTL for multicast packets (default: 1). +</LI> + <LI><B>cluster_hb_interval</B> (int)<BR> Interval in tenths of a second between cluster heartbeat/pings. </LI> 
@@ -325,8 +386,100 @@ Cluster heartbeat timeout in tenths of a second. A new master will be elected when this interval has been passed without seeing a heartbeat from the master. </LI> + +<LI><B>cluster_master_min_adv</B> (int)<BR> +Determines the minumum number of up to date slaves required before the +master will drop routes (default: 1). +</LI> + +<LI><B>echo_timeout</B> (int)<BR> +Time between last packet sent and LCP ECHO generation +(default: 10 (seconds)). +</LI> + +<LI><B>idle_echo_timeout</B> (int)<BR> +Drop sessions who have not responded within idle_echo_timeout seconds +(default: 240 (seconds)) +</LI> + +<LI><B>auth_tunnel_change_addr_src</B> (boolean)<BR> +This parameter authorize to change the source IP of the tunnels l2tp. +This parameter can be used when the remotes BAS/LAC are l2tpns server +configured in cluster mode, but that the interface to remote LNS are +not clustered (the tunnel can be coming from different source IP) +(default: no). +</LI> + +<LI><B>disable_sending_hello</B> (boolean)<BR> +Disable l2tp sending HELLO message for Apple compatibility. +Some OS X implementation of l2tp no manage the L2TP "HELLO message". +(default: no). +</LI> + +</UL> + +<P><U><B>LAC configuration</B></U></P> +<UL> +<LI><B>bind_address_remotelns</B> (ip address)<BR> +Address of the interface to listen the remote LNS tunnels. +If no address is given, all interfaces are listened (Any Address). +</LI> + +<LI><B>bind_portremotelns</B> (short)<BR> +Port to bind for the Remote LNS (default: 65432). 
+</LI> + </UL> +<P>A static REMOTES LNS configuration can be entered by the command:</P> +<DL> <DD><B>setforward</B> <I>MASK</I> <I>IP</I> <I>PORT</I> <I>SECRET</I> </DL> + +where <I>MASK</I> specifies the mask of users who have forwarded to +remote LNS (ex: "/friendISP@company.com").</BR> +where <I>IP</I> specifies the IP of the remote LNS (ex: "66.66.66.55").</BR> +where <I>PORT</I> specifies the L2TP Port of the remote LNS +(Normally should be 1701) (ex: 1701).</BR> +where <I>SECRET</I> specifies the secret password the remote LNS (ex: mysecret).</BR> +</BR> +The static Remote LNS configuration can be used when the friend ISP not +have a proxied Radius.</BR> +If the proxied Radius is used, It will return the RADIUS attributes:</BR> + Tunnel-Type: 1 = L2TP</BR> + Tunnel-Medium-Type: 1 = IPv4</BR> + Tunnel-Password: 1 = "LESECRETL2TP"</BR> + Tunnel-Server-Endpoint: 1 = "88.xx.xx.x1"</BR> + Tunnel-Assignment-Id: 1 = "friendisp_lns1"</BR> + Tunnel-Type: 2 = L2TP</BR> + Tunnel-Medium-Type: 2 = IPv4</BR> + Tunnel-Password: 2 = "LESECRETL2TP"</BR> + Tunnel-Server-Endpoint: 2 = "88.xx.xx.x2"</BR> + Tunnel-Assignment-Id: 2 = "friendisp_lns2"</BR> + +<P><U><B>PPPOE configuration</B></U></P> + +<UL> +<LI><B>pppoe_if_to_bind</B> (string)<BR> +PPPOE server interface to bind (ex: "eth0.12"), If not specified the server PPPOE is not enabled. +For the pppoe clustering, all the interfaces PPPOE of the clusters must use the same HW address (MAC address). +</LI> + +<LI><B>pppoe_service_name</B> (string)<BR> +PPPOE service name (default: NULL). +</LI> + +<LI><B>pppoe_ac_name</B> (string)<BR> +PPPOE access concentrator name (default: "l2tpns-pppoe"). +</LI> + +<LI><B>pppoe_only_equal_svc_name</B> (boolean)<BR> +If set to yes, the PPPOE server only accepts clients with a "service-name" +different from NULL and a "service-name" equal to server "service-name" (default: no). 
+</LI> + +</UL> + +<P><U><B>BGP configuration</B></U></P> + <P>BGP routing configuration is entered by the command: The routing configuration section is entered by the command <DL><DD><B>router bgp</B> <I>as</I></DL> @@ -684,16 +837,15 @@ killall -HUP l2tpns </PRE> The signals understood are: -<UL> -<LI>SIGHUP - Reload the config from disk and re-open log file<P></LI> -<LI>SIGTERM / SIGINT - Shut down for a restart. This will dump the current -state to disk (if <EM>save_state</EM> is set to true). Upon restart, the -process will read this saved state to resume active sessions.<P> -<LI>SIGQUIT - Shut down cleanly. This will send a disconnect message for -every active session and tunnel before shutting down. This is a good idea -when upgrading the code, as no sessions will be left with the remote end -thinking they are open.</LI> -</UL> +<DL> +<DT>SIGHUP</DT><DD>Reload the config from disk and re-open log file.</DD> +<DT>SIGTERM, SIGINT</DT><DD>Stop process. Tunnels and sessions are not +terminated. This signal should be used to stop l2tpns on a +<A HREF="#Clustering">cluster node</A> where there are other machines to +continue handling traffic.</DD> +<DT>SIGQUIT</DT><DD>Shut down tunnels and sessions, exit process when +complete.</DD> +</DL> <H2 ID="Throttling">Throttling</H2> @@ -806,14 +958,14 @@ supplied structure: some way. </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - <LI>username</LI> - <LI>password</LI> - <LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI> - <LI>continue_auth - Set to 0 to stop processing authentication modules</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + <DT>username + <DT>password + <DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP + <DT>continue_auth<DD>Set to 0 to stop processing authentication modules + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>post_auth</B></TD> 
@@ -823,16 +975,16 @@ supplied structure: to be accepted. </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - <LI>username</LI> - <LI>auth_allowed - This is already set to true or + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + <DT>username + <DT>auth_allowed<DD>This is already set to true or false depending on whether authentication has been allowed so far. You can set this to 1 or 0 to force - allow or disallow authentication</LI> - <LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI> - </UL> + allow or disallow authentication + <DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_rx</B></TD> @@ -841,12 +993,12 @@ supplied structure: seriously slow down the system.</FONT> </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - <LI>buf - The raw packet data</LI> - <LI>len - The length of buf</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + <DT>buf<DD>The raw packet data + <DT>len<DD>The length of buf + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_tx</B></TD> @@ -855,12 +1007,12 @@ supplied structure: seriously slow down the system.</FONT> </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - <LI>buf - The raw packet data</LI> - <LI>len - The length of buf</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + <DT>buf<DD>The raw packet data + <DT>len<DD>The length of buf + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>timer</B></TD> @@ -869,9 +1021,9 @@ supplied structure: you do is reentrant. </TD> <TD> - <UL> - <LI>time_now - The current unix timestamp</LI> - </UL> + <DL> + <DT>time_now<DD>The current unix timestamp + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>new_session</B></TD> 
@@ -879,10 +1031,10 @@ supplied structure: session is now ready to handle traffic. </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>kill_session</B></TD> @@ -890,10 +1042,10 @@ supplied structure: This may be called multiple times for the same session. </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_response</B></TD> @@ -903,12 +1055,24 @@ supplied structure: modules. </TD> <TD> - <UL> - <LI>t - Tunnel ID</LI> - <LI>s - Session ID</LI> - <LI>key</LI> - <LI>value</LI> - </UL> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + <DT>key + <DT>value + </DL> + </TD> + </TR> + <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_reset</B></TD> + <TD>This is called whenever a RADIUS CoA request is + received to reset any options to default values before + the new values are applied. + </TD> + <TD> + <DL> + <DT>t<DD>Tunnel + <DT>s<DD>Session + </DL> </TD> </TR> <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>control</B></TD> 
@@ -917,21 +1081,13 @@ supplied structure: required. </TD> <TD> - <UL> - <LI>buf - The raw packet data</LI> - <LI>l - The raw packet data length</LI> - <LI>source_ip - Where the request came from</LI> - <LI>source_port - Where the request came from</LI> - <LI>response - Allocate a buffer and put your response in here</LI> - <LI>response_length - Length of response</LI> - <LI>send_response - true or false whether a response - should be sent. If you set this to true, you must - allocate a response buffer.</LI> - <LI>type - Type of request (see nsctl.c)</LI> - <LI>id - ID of request</LI> - <LI>data - I'm really not sure</LI> - <LI>data_length - Length of data</LI> - </UL> + <DL> + <DT>iam_master<DD>Cluster master status + <DT>argc<DD>The number of arguments + <DT>argv<DD>Arguments + <DT>response<DD>Return value: NSCTL_RES_OK or NSCTL_RES_ERR + <DT>additional<DD>Extended response text + </DL> </TD> </TR> </TABLE>
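Review bot: the Overview hunk drops the verb: `+l2tpns a complete L2TP implementation.` should read `l2tpns is a complete L2TP implementation.` While touching that sentence, the new text spells the role `PPPOE server`; the conventional spelling is `PPPoE`, and the same form is used in many of the new entries below (`PPPOE configuration`, `PPPOE data`), so pick one spelling and apply it throughout the patch.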
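Review bot: in the `ppp_restart_time` / `ppp_max_configure` / `ppp_max_failure` entry, the three new options are documented without defaults, unlike the sibling `l2tp_mtu` entry (`default: 1500`) and the rest of this list; please add the default for each so an operator can tell whether a value in the config is a change. Minor style points in the same hunk: the RFC link uses `ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt` where `https://www.rfc-editor.org/rfc/rfc1661` is the current stable location, and it is written as lowercase `<a href>` while the rest of this document uses uppercase `<A HREF>`.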
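Review bot: the `save_state` entry is deleted outright in this hunk, which matches the later rewrite of the SIGTERM description (state is no longer dumped), but nothing in the manual now tells an operator what happened to the option. A config file that still contains `set save_state` would refer to an option this manual no longer documents, so either keep a one-line entry stating that `save_state` has been removed and is ignored, or record the removal in the changelog the manual points to.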
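Review bot: the `radius_authtypes` and `allow_duplicate_users` entries use `</BR>` where a line break is meant; `</BR>` is not a valid tag, and the sibling entries in this hunk use `<BR>`. In `radius_dae_port`, `Packet of Death/Disconnect` should be `Packet of Disconnect` (the Disconnect-Request of the RADIUS Dynamic Authorization Extensions); "Packet of Death" is a different thing. For `radius_authtypes` it would help operators to say why the order matters: PAP carries the user password in clear inside the PPP Authenticate-Request, CHAP does not, so a deployment that can use CHAP should list it first rather than rely on the `pap` default. The `bind_address` and `bind_multi_address` prose needs tidying: "It's the listen address of the l2tp udp protocol sent and received to LAC" reads better as "The address on which l2tpns listens for L2TP UDP traffic from the LAC"; "permit to listen several addresss" should be "permits listening on several addresses"; "WHEN this parameter is set, It OVERWRITE the parameters" should be "When this parameter is set, it overrides bind_address and iftun_address". The example `set bind_multi_address "64.14.13.41, 64.14.13.42"` uses addresses from a routable block; documentation examples should use the RFC 5737 range, e.g. `192.0.2.41, 192.0.2.42`. The `</L1>` to `</LI>` fix is correct.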
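Review bot: in the accounting-directory entry, "The origin field is dump if account_all_origin is set to true" should be "The origin field is written only if account_all_origin is set to true", and the new `account_all_origin` text "all origin of the usage is dumped" should be "usage from all origins (LAC, remote LNS and PPPoE) is written to the accounting file". Since the hunk marks the origin column as optional, it is worth stating explicitly that accounting lines therefore have five fields by default and six when `account_all_origin` is on, so anything parsing these files must accept both forms.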
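Review bot: `+<LI><B>packet_limit</B> (int><BR>` has a typo in the type: `(int>` should be `(int)`. The description itself is good; one small addition that would help an operator sizing this DoS control is to state that the limit is per session and per tenth of a second, so the per-second equivalent is ten times the configured value.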
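Review bot: the `auth_tunnel_change_addr_src` entry documents an option that relaxes a check but does not say what is given up: when it is `yes`, control traffic for an existing tunnel is accepted from a source address other than the one the tunnel was established from, so the peer address no longer acts as a sanity check on who is speaking for that tunnel. Please state that trade-off in the entry and say plainly that the default `no` should be kept unless the clustered-LAC situation the text describes actually applies. Other points in this hunk: "minumum" in `cluster_master_min_adv` should be "minimum"; `idle_echo_timeout` is missing its closing full stop; "Some OS X implementation of l2tp no manage the L2TP HELLO message" should be "Some OS X L2TP implementations do not handle the L2TP HELLO message"; the `setforward` explanation uses `</BR>` throughout where `<BR>` is meant; "the friend ISP not have a proxied Radius" should be "the partner ISP does not have a proxied RADIUS server"; and the example addresses `66.66.66.55` and `88.xx.xx.x1` should come from the RFC 5737 documentation range (`192.0.2.0/24`) rather than routable space. Please also confirm the option name `bind_portremotelns`, since its sibling is spelled `bind_address_remotelns` with a separating underscore; if the code really uses the inconsistent name, the manual is right to show it, but it looks like a typo.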
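Review bot: the rewritten SIGTERM entry says "Tunnels and sessions are not terminated" and recommends it for cluster nodes, which is consistent with removing `save_state`, but the hunk also drops the old advice that SIGQUIT is the right signal when upgrading a standalone machine because it sends a disconnect for every session so the remote end is not left thinking they are open. That operational guidance is still true under the new text and should be kept under SIGQUIT, otherwise an operator of a single-node deployment is likely to use SIGTERM and strand sessions on the LAC. The old text also described SIGHUP as reloading the config "and re-open log file"; the new `<DT>SIGHUP</DT>` line keeps that, good.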
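Review bot: the conversion of the `pre_auth` parameter list from `<UL>` to `<DL>` changes "t - Tunnel ID" to `<DT>t<DD>Tunnel` and "s - Session ID" to `<DT>s<DD>Session`, which loses the information that these fields are identifiers rather than structures; keep "Tunnel ID" and "Session ID" as the definitions. The same applies to every other parameter list converted in this patch (`post_auth`, `packet_rx`, `packet_tx`, `new_session`, `kill_session`, `radius_response`, `radius_reset`). Also, these `<DT>`/`<DD>` elements are left unclosed while the signals list added earlier in the patch closes them (`<DT>SIGHUP</DT><DD>...</DD>`); both are valid, but the document should use one style.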
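Review bot: the `control` hook hunk is not a formatting change like its neighbours; it replaces the documented parameter set (`buf`, `l`, `source_ip`, `source_port`, `response`, `response_length`, `send_response`, `type`, `id`, `data`, `data_length`) with a different one (`iam_master`, `argc`, `argv`, `response`, `additional`), and `response` changes meaning from a buffer the plugin allocates to a return code (`NSCTL_RES_OK` or `NSCTL_RES_ERR`). A plugin written against the old description will not work against the new structure, so the manual should say explicitly that the control hook interface changed (and, if the plugin API carries a version number, which version introduced it), rather than presenting this as a list reformatting. The removed `data - I'm really not sure` line is a good riddance.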