Call for Contributions
This section needs improvements, examples and explanations.
Please take a look at the Contributing Guide for our Documentation.
L2TPv3
Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to MPLS for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements.
L2TPv3 can be regarded as being to MPLS what IP is to ATM: a simplified version of the same concept, with much of the same benefit achieved at a fraction of the effort, at the cost of losing some technical features considered less important in the market.
In the case of L2TPv3, the features lost are teletraffic engineering features considered important in MPLS. However, there is no reason these features could not be re-engineered in or on top of L2TPv3 in later products.
The protocol overhead of L2TPv3 is also significantly bigger than MPLS.
L2TPv3 is described in RFC 3931.
Configuration
Common interface configuration
Configure interface <interface> with one or more interface addresses.
address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:
set interfaces l2tpv3 l2tpeth0 address 192.0.2.1/24
set interfaces l2tpv3 l2tpeth0 address 2001:db8::1/64
Set a human readable, descriptive alias for this connection. Alias is used by
e.g. the show interfaces command or SNMP based monitoring tools.
Example:
set interfaces l2tpv3 l2tpeth0 description 'This is an awesome interface running on VyOS'
Disable given <interface>. It will be placed in administratively down
(A/D) state.
Example:
set interfaces l2tpv3 l2tpeth0 disable
Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:
set interfaces l2tpv3 l2tpeth0 disable-flow-control
Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.
Default is to detects physical link state changes.
Example:
set interfaces l2tpv3 l2tpeth0 disable-link-detect
Configure user defined MAC address on given <interface>.
Example:
set interfaces l2tpv3 l2tpeth0 mac '00:01:02:03:04:05'
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:
set interfaces l2tpv3 l2tpeth0 mtu 9000
Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:
set interfaces l2tpv3 l2tpeth0 ip arp-cache-timeout 180
If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:
set interfaces l2tpv3 l2tpeth0 ip disable-arp-filter
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
set interfaces l2tpv3 l2tpeth0 ip disable-forwarding
Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off.
set interfaces l2tpv3 l2tpeth0 ip enable-arp-accept
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.
set interfaces l2tpv3 l2tpeth0 ip enable-arp-announce
Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.
set interfaces l2tpv3 l2tpeth0 ip enable-arp-ignore
Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.
Example:
set interfaces l2tpv3 l2tpeth0 ip enable-proxy-arp
Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.
Note
Don’t need to be used together with proxy_arp.
This technology is known by different names:
In RFC 3069 it is called VLAN Aggregation
Cisco and Allied Telesyn call it Private VLAN
Hewlett-Packard call it Source-Port filtering or port-isolation
Ericsson call it MAC-Forced Forwarding (RFC Draft)
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.
strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
disable: No source validation
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface in question.
Example:
set interfaces l2tpv3 l2tpeth0 ipv6 address autoconf
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:
set interfaces l2tpv3 l2tpeth0 ipv6 address eui64 2001:db8:beef::/64
Do not assign a link-local IPv6 address to this interface.
Example:
set interfaces l2tpv3 l2tpeth0 ipv6 address no-default-link-local
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
Example:
set interfaces l2tpv3 l2tpeth0 ipv6 disable-forwarding
Place interface in given VRF instance.
See also
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:
set interfaces l2tpv3 l2tpeth0 vrf red
L2TPv3 options
Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip.
This defaults to UDP
Set the IP address of the local interface to be used for the tunnel.
This address must be the address of a local interface. It may be specified as an IPv4 address or an IPv6 address.
Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address.
Set the session id, which is a 32-bit integer value. Uniquely identifies the session being created. The value used must match the peer_session_id value being used at the peer.
Set the peer-session-id, which is a 32-bit integer value assigned to the session by the peer. The value used must match the session_id value being used at the peer.
Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created.
Example
Over IP
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
address 192.168.37.1/27
encapsulation ip
source-address 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote 203.0.113.24
session-id 100
tunnel-id 200
}
The inverse configuration has to be applied to the remote side.
Over UDP
UDP mode works better with NAT:
Set source-address to your local IP (LAN).
Add a forwarding rule matching UDP port on your internet router.
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
address 192.168.37.1/27
destination-port 9001
encapsulation udp
source-address 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote 203.0.113.24
session-id 100
source-port 9000
tunnel-id 200
}
To create more than one tunnel, use distinct UDP ports.
Over IPSec, L2 VPN (bridge)
This is the LAN extension use case. The eth0 port of the distant VPN peers will be directly connected like if there was a switch between them.
IPSec:
set vpn ipsec ipsec-interfaces <VPN-interface>
set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <source-address>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'
Bridge:
set interfaces bridge br0 description 'L2 VPN Bridge'
# remote side in this example:
# set interfaces bridge br0 address '172.16.30.18/30'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces bridge br0 member interface eth0
set interfaces ethernet eth0 description 'L2 VPN Physical port'
L2TPv3:
set interfaces bridge br0 member interface 'l2tpeth0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 source-address <source-address>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'