xl2tpd.conf(5)                                                  xl2tpd.conf(5)

NAME
       xl2tpd.conf - L2TPD configuration file

DESCRIPTION
       The xl2tpd.conf file contains configuration information for xl2tpd, the
       implementation of the L2TP protocol.

       The configuration file is composed of sections and parameters. Each
       section has a given name, which is used when driving the daemon through
       the configuration FIFO (normally /var/run/xl2tpd/l2tp-control). See
       xl2tpd(8) for more details.

       The special section name default specifies parameters applicable to
       all the following sections.
19
GLOBAL OPTIONS
       auth file
              Specify where to find the authentication file used to
              authenticate L2TP tunnels. The default is
              /etc/xl2tpd/l2tp-secrets.

       ipsec saref
              Use IPsec Security Association tracking. When this is enabled,
              packets received by xl2tpd carry two extra fields (refme and
              refhim) which allow tracking of multiple clients using the same
              internal NATed IP address, and of multiple clients behind the
              same NAT router. This needs to be supported by the kernel.
              Currently, this only works with Openswan KLIPS in "mast" mode
              (see http://www.openswan.org/).

              Set this to yes and the system will provide proper SAref values
              in the recvmsg() calls.

              Values can be yes or no. The default is no.

       saref refinfo
              When using IPsec Security Association tracking, a new setsockopt
              is used. Since this is not (yet?) an official Linux kernel
              option, we got bumped. Openswan up to 2.6.35 for Linux kernels
              up to 2.6.35 used a saref number of 22. Linux 3.6.36+ uses 22
              for IP_NODEFRAG. We moved our IP_IPSEC_REFINFO to 30. If not
              set, the default is to use 30. For older SAref-patched kernels,
              use 22.
49
50
       listen-addr
              The IP address of the interface on which the daemon listens. By
              default, it listens on INADDR_ANY (0.0.0.0), meaning it listens
              on all interfaces.

       port
              Specify which UDP port xl2tpd should use. The default is 1701.

       access control
              If set to yes, the xl2tpd process will only accept connections
              from the peer addresses specified in the following sections.
              The default is no.

       debug avp
              Set this to yes to enable syslog output of L2TP AVP debugging
              information.

       debug network
              Set this to yes to enable syslog output of network debugging
              information.

       debug packet
              Set this to yes to enable printing of L2TP packet debugging
              information. Note: output goes to STDOUT, so use this only in
              conjunction with the -D command line option.

       debug state
              Set this to yes to enable syslog output of FSM (state machine)
              debugging information.

       debug tunnel
              Set this to yes to enable syslog output of tunnel debugging
              information.

       max retries
              Specify how many retries before a tunnel is closed. If there is
              no tunnel, then stop re-transmitting. The default is 5.
95
96
LNS OPTIONS
       exclusive
              If set to yes, only one control tunnel will be allowed to be
              built between 2 peers. CHECK

       (no) ip range
              Specify the range of IP addresses the LNS will assign to the
              connecting LAC PPP tunnels. Multiple ranges can be defined.
              Using the 'no' form disallows the use of that particular range.
              Ranges are defined using the format IP - IP (example:
              1.1.1.1 - 1.1.1.10). Note that either at least one ip range
              option must be given, or you must set assign ip to no.

       assign ip
              Set this to no if xl2tpd should not assign IP addresses out of
              the pool defined with the ip range option. This can be useful
              if you have some other means to assign IP addresses, e.g. a
              pppd that supports RADIUS AAA.
117
118
119
       (no) lac
              Specify the IP addresses of LACs which are allowed to connect
              to xl2tpd acting as an LNS. The format is the same as the ip
              range option.

       hidden bit
              If set to yes, xl2tpd will use the AVP hiding feature of L2TP.
              To get more information about hidden AVPs and AVPs in general,
              refer to RFC 2661 (add URL?).

       local ip
              Use the following IP as xl2tpd's own IP address.

       local ip range
              Specify the range of addresses the LNS will assign as the local
              address to connecting LAC PPP tunnels. This option is mutually
              exclusive with the local ip option and is useful in cases where
              it is desirable to have a unique IP address for each tunnel.
              Specify the range value exactly like the ip range option. Note
              that the assign ip option has no effect on this option.
143
144
       length bit
              If set to yes, the length bit present in the L2TP packet payload
              will be used.

       (refuse | require) chap
              Require or refuse CHAP as the method by which the remote peer is
              authenticated for PPP.

       (refuse | require) pap
              Require or refuse PAP as the method by which the remote peer is
              authenticated for PPP.

       (refuse | require) authentication
              Require or refuse that the remote peer authenticate itself.

       unix authentication
              If set to yes, /etc/passwd will be used for remote peer PPP
              authentication.

       hostname
              Report this as the xl2tpd hostname in negotiation.

       ppp debug
              This will enable debugging for pppd.

       pass peer
              Pass the peer's IP address to pppd as ipparam. Enabled by
              default.
180
181
       pppoptfile
              Specify the path of a file which contains the pppd configuration
              parameters to be used.

       call rws
              This option is deprecated and no longer functions. It used to
              define the flow control window size for individual L2TP calls
              or sessions. The L2TP standard (RFC 2661) no longer defines
              flow control or window sizes on calls or sessions.

       tunnel rws
              This defines the window size of the control channel. The window
              size is defined as the number of outstanding unacknowledged
              packets, not as a number of bytes.

       flow bits
              If set to yes, sequence numbers will be included in the
              communication. The feature to use sequence numbers in sessions
              is currently broken and does not function.

       challenge
              If set to yes, use challenge authentication to authenticate the
              peer.

       rx bps
              If set, the receive bandwidth maximum will be set to this value.

       tx bps
              If set, the transmit bandwidth maximum will be set to this value.
215
216
LAC OPTIONS
       The following are LAC-specific configuration flags. Most of those
       described in the LNS section may also be used in a LAC context where it
       makes sense (essentially the L2TP protocol tuning flags and the
       authentication/PPP related ones).

       lns
              Set the DNS name or IP address of the LNS to connect to.

       autodial
              If set to yes, xl2tpd will automatically dial the LAC during
              startup.

       redial
              If set to yes, xl2tpd will attempt to redial if the call gets
              disconnected. Note that, if enabled, xl2tpd will keep passwords
              in memory: a potential security risk.

       redial timeout
              Wait X seconds before redialing. The redial option must be set
              to yes to use this option. Defaults to 30 seconds.

       max redials
              Give up redial attempts after X tries.
244
245
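Several of the options above constrain each other: an LNS section needs at least one ip range or assign ip = no, local ip and local ip range are mutually exclusive, redial timeout only takes effect with redial = yes, access control = yes is only meaningful with lac entries naming the allowed peers, and call rws is ignored. The following linter checks those rules before the daemon is started. It is an added example, not code from xl2tpd or its manual; it assumes only the [section] / key = value syntax described above, treats ';' as starting a comment (an assumption), and uses two constructed sample configurations.

```python
"""Lint an xl2tpd.conf against the rules stated in xl2tpd.conf(5).

Added example, not part of xl2tpd. Assumes "[section]" headers followed by
"key = value" lines, with keys such as "ip range" allowed to repeat, and
';' introducing a comment (assumption). Sample configurations are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: an LNS handing out addresses, plus a LAC that dials out.
GOOD_CONF = """\
[global]
listen-addr = 192.0.2.1
port = 1701
access control = yes
auth file = /etc/xl2tpd/l2tp-secrets

[lns default]
ip range = 10.8.0.2 - 10.8.0.254
no ip range = 10.8.0.100 - 10.8.0.110
local ip = 10.8.0.1
lac = 198.51.100.0 - 198.51.100.255
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd

[lac branch]
lns = 203.0.113.5
redial = yes
redial timeout = 15
max redials = 3
"""

# Constructed sample that violates several documented rules.
BAD_CONF = """\
[global]
access control = yes

[lns default]
local ip = 10.8.0.1
local ip range = 10.8.0.1 - 10.8.0.20
call rws = 4

[lac branch]
lns = 203.0.113.5
redial timeout = 15
"""


def parse(text):
    """Return {section: {key: [values...]}}; repeated keys keep every value."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (assumption)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()].append(value)
    return sections


def valid_range(spec):
    """True for 'IP - IP' with start <= end, the format the ip range option uses."""
    try:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    except ValueError:  # not two parts, or a part is not an IP address
        return False
    return lo.version == hi.version and lo <= hi


def lint(text):
    """Return a list of problems; an empty list means the documented rules hold."""
    conf = parse(text)
    problems = []
    global_opts = conf.get("global", {})
    lns_sections = {n: s for n, s in conf.items() if n.startswith("lns")}
    lac_sections = {n: s for n, s in conf.items() if n.startswith("lac")}

    # access control = yes only admits peers listed in lac entries.
    if global_opts.get("access control", ["no"])[-1] == "yes" and not any(
            "lac" in s for s in lns_sections.values()):
        problems.append("access control = yes but no lac entry lists allowed peers")

    for name, s in lns_sections.items():
        for key in ("ip range", "no ip range", "lac", "no lac", "local ip range"):
            for spec in s.get(key, []):
                if not valid_range(spec):
                    problems.append(f"[{name}] {key}: bad 'IP - IP' range {spec!r}")
        if "ip range" not in s and s.get("assign ip", ["yes"])[-1] != "no":
            problems.append(f"[{name}] needs an ip range or assign ip = no")
        if "local ip" in s and "local ip range" in s:
            problems.append(f"[{name}] local ip and local ip range are mutually exclusive")
        if "call rws" in s:
            problems.append(f"[{name}] call rws is deprecated and ignored")

    for name, s in lac_sections.items():
        if "lns" not in s:
            problems.append(f"[{name}] has no lns to connect to")
        if "redial timeout" in s and s.get("redial", ["no"])[-1] != "yes":
            problems.append(f"[{name}] redial timeout needs redial = yes")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(conf) or "ok")
```

The parser keeps every value of a repeated key because the page allows multiple ip range lines; a stock ini reader would silently keep only the last one, which is exactly the kind of misconfiguration this check exists to catch.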
FILES
       /etc/xl2tpd/xl2tpd.conf
       /etc/xl2tpd/l2tp-secrets
       /var/run/xl2tpd/l2tp-control

BUGS
       Please address bugs and comments to xl2tpdv@lists.xelerance.com

SEE ALSO
       xl2tpd(8)

AUTHORS
       Forked from xl2tpd by Xelerance
       (https://www.xelerance.com/software/xl2tpd/)

       Michael Richardson <mcr@xelerance.com>
       Paul Wouters <paul@xelerance.com>

       Many thanks to Jacco de Leeuw <jacco2@dds.nl> for maintaining l2tpd.

       Previous development was hosted at sourceforge
       (http://www.sourceforge.net/projects/l2tpd) by:

       Scott Balmos <sbalmos@iglou.com>
       David Stipp <dstipp@one.net>
       Jeff McAdams <jeffm@iglou.com>

       Based off of l2tpd version 0.60
       Copyright (C) 1998 Adtran, Inc.
       Mark Spencer <markster@marko.net>

Jean-Francois Dive                                              xl2tpd.conf(5)