xl2tpd.conf - L2TPD configuration file
The xl2tpd.conf file contains configuration information for xl2tpd, the
implementation of l2tp protocol.
The configuration file is composed of sections and parameters. Each section has
a given name which will be used when using the configuration FIFO (normally
/var/run/xl2tpd/l2tp-control). See xl2tpd.8 for more details.
The specific given name default
will specify parameters applicable for
all the following sections.
- auth file
- Specify where to find the authentication file used to
authenticate l2tp tunnels. The default is /etc/xl2tpd/l2tp-secrets.
- ipsec saref
- Use IPsec Security Association tracking. When this is
enabled, packets received by xl2tpd should have to extra fields (refme and
refhim) which allows tracking of multiple clients using the same internal
NATed IP address, and allows tracking of multiple clients behind the same
NAT router. This needs to be supported by the kernel. Currently, this only
works with Openswan KLIPS in "mast" mode. (see
Set this to yes and the system will provide proper SAref values in the
Values can be yes or no. The default is no.
- saref refinfo
- When using IPsec Security Association trackinng, a new
setsockopt is used. Since this is not (yet?) an official Linux kernel
option, we got bumped. Openswan upto 2.6.35 for linux kernels up to 2.6.35
used a saref num of 22. Linux 3.6.36+ uses 22 for IP_NODEFRAG. We moved
our IP_IPSEC_REFINFO to 30. If not set, the default is to use 30. For
older SAref patched kernels, use 22.
- The IP address of the interface on which the daemon
listens. By default, it listens on INADDR_ANY (0.0.0.0), meaning it
listens on all interfaces.
- Specify which UDP port xl2tpd should use. The default is
- access control
- If set to yes, the xl2tpd process will only accept
connections from peers addresses specified in the following sections. The
default is no.
- debug avp
- Set this to yes to enable syslog output of L2TP AVP
- debug network
- Set this to yes to enable syslog output of network
- debug packet
- Set this to yes to enable printing of L2TP packet debugging
information. Note: Output goes to STDOUT, so use this only in conjunction
with the -D command line option.
- debug state
- Set this to yes to enable syslog output of FSM debugging
- debug tunnel
- Set this to yes to enable syslog output of tunnel debugging
- If set to yes, only one control tunnel will be allowed to
be built between 2 peers. CHECK
- (no) ip range
- Specify the range of ip addresses the LNS will assign to
the connecting LAC PPP tunnels. Multiple ranges can be defined. Using the
'no' statement disallows the use of that particular range. Ranges are
defined using the format IP - IP (example: 18.104.22.168 - 22.214.171.124). Note that
either at least one ip range option must be given, or you must set
assign ip to no.
- assign ip
- Set this to no if xl2tpd should not assign IP addresses out
of the pool defined with the ip range option. This can be useful if
you have some other means to assign IP addresses, e. g. a pppd that
supports RADIUS AAA.
- (no) lac
- Specify the ip addresses of LAC's which are allowed to
connect to xl2tpd acting as a LNS. The format is the same as the ip
- hidden bit
- If set to yes, xl2tpd will use the AVP hiding feature of
L2TP. To get more information about hidden AVP's and AVP in general, refer
to rfc2661 (add URL?)
- local ip
- Use the following IP as xl2tpd's own ip address.
- local ip range
- Specify the range of addresses the LNS will assign as the
local address to connecting LAC PPP tunnels. This option is mutually
exclusive with the local ip option and is useful in cases where it
is desirable to have a unique IP address for each tunnel. Specify the
range value exactly like the ip range option. Note that the
assign ip option has no effect on this option.
- length bit
- If set to yes, the length bit present in the l2tp packet
payload will be used.
- (refuse | require) chap
- Will require or refuse the remote peer to get authenticated
via CHAP for the ppp authentication.
- (refuse | require) pap
- Will require or refuse the remote peer to get authenticated
via PAP for the ppp authentication.
- (refuse | require) authentication
- Will require or refuse the remote peer to authenticate
- unix authentication
- If set to yes, /etc/passwd will be used for remote peer ppp
- Will report this as the xl2tpd hostname in negotiation.
- ppp debug
- This will enable the debug for pppd.
- pass peer
- Pass the peer's IP address to pppd as ipparam. Enabled by
- Specify the path for a file which contains pppd
configuration parameters to be used.
- call rws
- This option is deprecated and no longer functions. It used
to be used to define the flow control window size for individual L2TP
calls or sessions. The L2TP standard (RFC2661) no longer defines flow
control or window sizes on calls or sessions.
- tunnel rws
- This defines the window size of the control channel. The
window size is defined as the number of outstanding unacknowledged
packets, not as a number of bytes.
- flow bits
- If set to yes, sequence numbers will be included in the
communication. The feature to use sequence numbers in sessions is
currently broken and does not function.
- If set to yes, use challenge authentication to authenticate
- rx bps
- If set, the receive bandwidth maximum will be set to this
- tx bps
- If set, the transmit bandwidth maximum will be set to this
The following are LAC specific configuration flags. Most of those described in
the LNS section may be used in a LAC context, where it makes common sense
(essentially l2tp protocols tuning flags and authentication / ppp related
- Set the dns name or ip address of the LNS to connect to.
- If set to yes, xl2tpd will automatically dial the LAC
- If set to yes, xl2tpd will attempt to redial if the call
get disconnected. Note that, if enabled, xl2tpd will keep passwords in
memory: a potential security risk.
- redial timeout
- Wait X seconds before redial. The redial option must be set
to yes to use this option. Defaults to 30 seconds.
- max redials
- Will give up redial tries after X attempts.
Please address bugs and comment to firstname.lastname@example.org
Forked from xl2tpd by Xelerance (https://www.xelerance.com/software/xl2tpd/)
Michael Richardson <email@example.com> Paul Wouters
Many thanks to Jacco de Leeuw <firstname.lastname@example.org> for maintaining l2tpd.
Previous development was hosted at sourceforge
Scott Balmos <email@example.com>
David Stipp <firstname.lastname@example.org>
Jeff McAdams <email@example.com>
Based off of l2tpd version 0.60
Copyright (C)1998 Adtran, Inc.
Mark Spencer <firstname.lastname@example.org>