...

PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol that allows a computer to establish a secure connection with a server by creating a special tunnel across a common unsecured network. PPTP encapsulates PPP frames into IP packets for transmission over a global IP network, e.g. the Internet. PPTP may be used to establish a tunnel between two local area networks. PPTP uses an additional TCP connection for tunnel handling.

Configuration algorithm

Step 1. Create a PPTP server profile.
  Command: esr(config)# remote-access pptp <NAME>
  Keys: <NAME> – PPTP server profile name, set by the string of up to 31 characters.

Step 2. Specify the description of the configured server (optional).
  Command: esr(config-pptp-server)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – PPTP server description, set by the string of up to 255 characters.

Step 3. Specify the IP address on which the PPTP server should listen.
  Command: esr(config-pptp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> | interface { <IF> | <TUN> } }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the profile containing the IP address on which the PPTP server should listen, set by the string of up to 31 characters;
    <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
    <IF> – router interface type and identifier;
    <TUN> – router tunnel type and number.

Step 4. Specify the IP address of the local gateway.
  Command: esr(config-pptp-server)# local-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the local gateway IP address, set by the string of up to 31 characters;
    <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 5. Specify the list of IP addresses from which dynamic IP addresses are leased to remote PPTP users.
  Command: esr(config-pptp-server)# remote-address { object-group <OBJ-GROUP-NETWORK-NAME> | address-range <FROM-ADDR>-<TO-ADDR> }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the remote users' IP address list, set by the string of up to 31 characters;
    <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
    <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 6. Select the authentication mode for PPTP clients.
  Command: esr(config-pptp-server)# authentication mode { local | radius }
  Keys:
    • local – user authentication against the local user base;
    • radius – user authentication against the RADIUS server base. The router must be configured to interact with a RADIUS server, see section AAA RADIUS configuration algorithm.

Step 7. Allow the necessary authentication methods for remote users.
  Command: esr(config-pptp-server)# authentication method <METHOD>
  Keys: <METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap]. By default only chap is allowed.

Step 8. Specify the user name (when using local user authentication).
  Command: esr(config-pptp-server)# username <NAME>
  Keys: <NAME> – user name, set by the string of up to 12 characters.

Step 9. Specify the password (when using local user authentication).
  Command: esr(config-pptp-user)# password ascii-text { <PASSWORD> | encrypted <PASSWORD> }
  Keys: <PASSWORD> – user password, set by the string of up to 32 characters.

Step 10. Activate the user (when using local user authentication).
  Command: esr(config-pptp-user)# enable

Step 11. Include the PPTP server in a security zone and configure interaction rules between zones, or disable the firewall (see section Firewall configuration).
  Command: esr(config-pptp-server)# security-zone <NAME>
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 12. Enable the server.
  Command: esr(config-pptp-server)# enable

Step 13. Specify the DSCP priority of outgoing packets (optional).
  Command: esr(config-pptp-server)# dscp <DSCP>
  Keys: <DSCP> – outgoing packets DSCP priority, [0..63].

Step 14. Enable MPPE encryption for PPTP connections (optional).
  Command: esr(config-pptp-server)# encryption mppe

Step 15. Specify the MTU size (Maximum Transmission Unit) for the server (optional). An MTU above 1500 takes effect only when the 'system jumbo-frames' command is used.
  Command: esr(config-pptp-server)# mtu <MTU>
  Keys: <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500.

Step 16. Define the list of DNS servers that will be used by remote users (optional).
  Command: esr(config-pptp-server)# dns-servers object-group <OBJ-GROUP-NETWORK-NAME>
  Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required DNS server addresses, set by the string of up to 31 characters.

Step 17. Define the list of WINS servers that will be used by remote users (optional).
  Command: esr(config-pptp-server)# wins-servers object-group <OBJ-GROUP-NETWORK-NAME>
  Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required WINS server addresses, set by the string of up to 31 characters.

Configuration example

Objective:

...


Configuration algorithm

Step 1. Create an L2TP server profile.
  Command: esr(config)# remote-access l2tp <NAME>
  Keys: <NAME> – L2TP server profile name, set by the string of up to 31 characters.

Step 2. Specify the description of the configured server (optional).
  Command: esr(config-l2tp-server)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – L2TP server description, set by the string of up to 255 characters.

Step 3. Specify the IP address on which the L2TP server should listen.
  Command: esr(config-l2tp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> | interface { <IF> | <TUN> } }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the profile containing the IP address on which the L2TP server should listen, set by the string of up to 31 characters;
    <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
    <IF> – router interface type and identifier;
    <TUN> – router tunnel type and number.

Step 4. Specify the IP address of the local gateway.
  Command: esr(config-l2tp-server)# local-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the local gateway IP address, set by the string of up to 31 characters;
    <ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 5. Specify the list of IP addresses from which dynamic IP addresses are leased to remote L2TP users.
  Command: esr(config-l2tp-server)# remote-address { object-group <OBJ-GROUP-NETWORK-NAME> | address-range <FROM-ADDR>-<TO-ADDR> }
  Keys:
    <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the remote users' IP address list, set by the string of up to 31 characters;
    <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
    <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 6. Select the authentication mode for L2TP clients.
  Command: esr(config-l2tp-server)# authentication mode { local | radius }
  Keys:
    • local – user authentication against the local user base;
    • radius – user authentication against the RADIUS server base. The router must be configured to interact with a RADIUS server, see section AAA RADIUS configuration algorithm.

Step 7. Allow the necessary authentication methods for remote users.
  Command: esr(config-l2tp-server)# authentication method <METHOD>
  Keys: <METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap]. By default only chap is allowed.

Step 8. Include the L2TP server in a security zone and configure interaction rules between zones (see section Firewall configuration).
  Command: esr(config-l2tp-server)# security-zone <NAME>
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 9. Specify the user name (when using the local authentication base).
  Command: esr(config-l2tp-server)# username <NAME>
  Keys: <NAME> – user name, set by the string of up to 12 characters.

Step 10. Specify the user password (when using the local authentication base).
  Command: esr(config-l2tp-user)# password ascii-text { <PASSWORD> | encrypted <PASSWORD> }
  Keys: <PASSWORD> – user password, set by the string of up to 32 characters.

Step 11. Enable the user (when using the local authentication base).
  Command: esr(config-l2tp-user)# enable

Step 12. Select the key authentication method for the IKE connection (optional).
  Command: esr(config-l2tp-server)# ipsec authentication method pre-shared-key

Step 13. Specify the shared secret authentication key; it must be the same for both parties of the tunnel.
  Command: esr(config-l2tp-server)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
  Keys:
    <TEXT> – string of [1..64] ASCII characters;
    <HEX> – number of [1..32] bytes, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);
    <ENCRYPTED-TEXT> – encrypted password of [1..32] bytes, set by the string of [2..128] characters;
    <ENCRYPTED-HEX> – encrypted number of [2..64] bytes, set by the string of [2..256] characters.

Step 14. Restrict the authentication and encryption methods used for the IKE protocol (optional).
  Command: esr(config-l2tp-server)# ipsec ike proposal <NAME>
  Keys: <NAME> – name of the previously created IKE profile, set by the string of up to 31 characters.

Step 15. Restrict the authentication and encryption methods used for the IPsec protocol (optional).
  Command: esr(config-l2tp-server)# ipsec proposal <NAME>
  Keys: <NAME> – name of the previously created IPsec profile, set by the string of up to 31 characters.

Step 16. Enable the server.
  Command: esr(config-l2tp-server)# enable

Step 17. Specify the DSCP priority of outgoing packets.
  Command: esr(config-l2tp-server)# dscp <DSCP>
  Keys: <DSCP> – outgoing packets DSCP priority, [0..63].

Step 18. Specify the MTU size (Maximum Transmission Unit) for the server (optional). An MTU above 1500 takes effect only when the 'system jumbo-frames' command is used.
  Command: esr(config-l2tp-server)# mtu <MTU>
  Keys: <MTU> – MTU value, takes values in the range of [1280..1500]. Default value: 1500.

Step 19. Define the list of DNS servers that will be used by remote users (optional).
  Command: esr(config-l2tp-server)# dns-servers object-group <OBJ-GROUP-NETWORK-NAME>
  Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required DNS server addresses, set by the string of up to 31 characters.

Step 20. Define the list of WINS servers that will be used by remote users (optional).
  Command: esr(config-l2tp-server)# wins-servers object-group <OBJ-GROUP-NETWORK-NAME>
  Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required WINS server addresses, set by the string of up to 31 characters.

Configuration example

Objective:

...

esr(config)# object-group network l2tp_local
esr(config-object-group-network)# ip address-range 10.10.10.1
esr(config-object-group-network)# exit

Create an address profile that contains the DNS servers:

...

esr# clear remote-access session l2tp username fedor
esr# clear remote-access session l2tp server remote-workers username fedor

...

To view L2TP server configuration, use the following command:

...

OpenVPN is a sophisticated tool based on SSL that implements Virtual Private Networks (VPN), enables remote access and solves many different tasks related to data transmission security.

Configuration algorithm

Step 1. Create an OpenVPN server profile.
  Command: esr(config)# remote-access openvpn <NAME>
  Keys: <NAME> – OpenVPN server profile name, set by the string of up to 31 characters.

Step 2. Specify the description of the configured server (optional).
  Command: esr(config-openvpn-server)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – OpenVPN server description, set by the string of up to 255 characters.

Step 3. Define the subnet from which IP addresses are leased to users (only for tunnel ip).
  Command: esr(config-openvpn-server)# network <ADDR/LEN>
  Keys: <ADDR/LEN> – subnet address, set in the format AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [16..29].

Step 4. Specify the encapsulation protocol.
  Command: esr(config-openvpn-server)# protocol <PROTOCOL>
  Keys: <PROTOCOL> – encapsulation type, possible values:
    • TCP – encapsulation in TCP segments;
    • UDP – encapsulation in UDP datagrams.

Step 5. Define the type of connection to the private network via the OpenVPN server.
  Command: esr(config-openvpn-server)# tunnel <TYPE>
  Keys: <TYPE> – connection type, takes the following values:
    • ip – point-to-point connection;
    • ethernet – L2 domain connection.

Step 6. Specify the list of IP addresses from which dynamic IP addresses are leased to remote users in L2 mode by the OpenVPN server (only for tunnel ethernet).
  Command: esr(config-openvpn-server)# address-range <FROM-ADDR>-<TO-ADDR>
  Keys:
    <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
    <TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 7. Include client connections via OpenVPN in an L2 domain (only for tunnel ethernet).
  Command: esr(config-openvpn-server)# bridge-group <BRIDGE-ID>
  Keys: <BRIDGE-ID> – bridge identifying number.

Step 8. Specify certificates and keys.
  Command: esr(config-openvpn-server)# certificate <CERTIFICATE-TYPE> <NAME>
  Keys: <CERTIFICATE-TYPE> – certificate or key type, may take the following values:
    • ca – Certificate Authority;
    • crl – Certificate Revocation List;
    • dh – Diffie-Hellman key;
    • server-crt – public server certificate;
    • server-key – private server key;
    • ta – HMAC key.
  <NAME> – certificate or key name, set by the string of up to 31 characters.

Step 9. Select the encryption algorithm used for data transmission.
  Command: esr(config-openvpn-server)# encryption algorithm <ALGORITHM>
  Keys: <ALGORITHM> – encryption algorithm identifier, may take values: 3des, blowfish128, aes128.

Step 10. Include the OpenVPN server in a security zone and configure interaction rules between zones (see section Firewall configuration).
  Command: esr(config-openvpn-server)# security-zone <NAME>
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 11. Define additional parameters for a specified OpenVPN server user (when using a local base for user authentication).
  Command: esr(config-openvpn-server)# username <NAME>
  Keys: <NAME> – user name, set by the string of up to 31 characters.

Step 12. Define a subnet for the specified OpenVPN server user.
  Command: esr(config-openvpn-user)# subnet <ADDR/LEN>
  Keys: <ADDR/LEN> – subnet address, set in the format AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

Step 13. Define a static IP address for the specified OpenVPN server user.
  Command: esr(config-openvpn-user)# ip address <ADDR>
  Keys: <ADDR> – IP address, set in the format AAA.BBB.CCC.DDD where AAA-DDD take values of [0..255].

Step 14. Enable the OpenVPN server profile.
  Command: esr(config-openvpn-server)# enable

Step 15. Enable blocking of data transmission between clients (optional).
  Command: esr(config-openvpn-server)# client-isolation

Step 16. Set the maximum number of simultaneous user sessions (optional).
  Command: esr(config-openvpn-server)# client-max <VALUE>
  Keys: <VALUE> – maximum number of users, takes values of [1..65535].

Step 17. Enable compression of the data transmitted between clients and the OpenVPN server (optional).
  Command: esr(config-openvpn-server)# compression

Step 18. Define the list of DNS servers that will be used by remote users (optional).
  Command: esr(config-openvpn-server)# dns-server <ADDR>
  Keys: <ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 19. Specify the TCP/UDP port on which the OpenVPN server will listen (optional).
  Command: esr(config-openvpn-server)# port <PORT>
  Keys: <PORT> – TCP/UDP port, takes values of [1..65535]. Default value: 1194.

Step 20. Enable default route advertising for OpenVPN connections, which replaces the default route on the client side (optional).
  Command: esr(config-openvpn-server)# redirect-gateway

Step 21. Enable advertising of the specified subnets with the OpenVPN server IP address as the gateway (optional).
  Command: esr(config-openvpn-server)# route <ADDR/LEN>
  Keys: <ADDR/LEN> – subnet address, set in the format AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

Step 22. Set the time interval after which the remote party is considered unavailable (optional).
  Command: esr(config-openvpn-server)# timers holdtime <TIME>
  Keys: <TIME> – time in seconds, takes values of [1..65535]. Default value: 120.

Step 23. Set the time interval after which the connection with the remote party is checked (optional).
  Command: esr(config-openvpn-server)# timers keepalive <TIME>
  Keys: <TIME> – time in seconds, takes values of [1..65535]. Default value: 10.

Step 24. Allow multiple users with the same certificate to connect to the OpenVPN server.
  Command: esr(config-openvpn-server)# duplicate-cn

Step 25. Define the list of WINS servers that will be used by remote users (optional).
  Command: esr(config-openvpn-server)# wins-server <ADDR>
  Keys: <ADDR> – WINS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 26. Change the authentication algorithm for OpenVPN clients (optional).
  Command: esr(config-openvpn-server)# authentication algorithm <ALGORITHM>
  Keys: <ALGORITHM> – authentication algorithm:
    • 8-128 bits key size: md4, rsa-md4, md5, rsa-md5, mdc2, rsa-mdc2
    • 8-160 bits key size: sha, sha1, rsa-sha, rsa-sha1, rsa-sha1-2, dsa, dsa-sha, dsa-sha1, dsa-sha1-old, ripemd160, rsa-ripemd160, ecdsa-with-sha1
    • 8-224 bits key size: sha-224, rsa-sha-224
    • 8-256 bits key size: sha-256, rsa-sha-256
    • 8-384 bits key size: sha-384, rsa-sha-384
    • 8-512 bits key size: sha-512, rsa-sha-512, whirlpool
  Default value: sha.

Configuration example

Objective:

...

PPPoE is a tunneling protocol that encapsulates PPP frames in Ethernet frames while keeping the software capabilities of a PPP connection. It can therefore be used to establish a virtual connection to a neighbouring Ethernet device, or a point-to-point connection for carrying IP packets, with the usual PPP features available. This allows conventional PPP-oriented software to set up a connection that runs over a packet-oriented network (for example, Ethernet) instead of a serial link, giving a classical login-and-password Internet connection. In addition, the IP address on the remote side of the connection is assigned only while the PPPoE connection is open, which allows dynamic reuse of IP addresses.

Configuration algorithm

Step 1. Create a PPPoE tunnel and switch to its configuration mode.
  Command: esr(config)# tunnel pppoe <PPPoE>
  Keys: <PPPoE> – tunnel sequence number from 1 to 10.

Step 2. Specify the description of the configured client (optional).
  Command: esr(config-pppoe)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – PPPoE tunnel description, set by the string of up to 255 characters.

Step 3. Specify the name of the VRF instance in which the PPPoE client will operate (optional).
  Command: esr(config-pppoe)# ip vrf forwarding <VRF>
  Keys: <VRF> – VRF name, set by the string of up to 31 characters.

Step 4. Specify the interface through which the PPPoE connection will be established.
  Command: esr(config-pppoe)# interface <IF>
  Keys: <IF> – interface or interface group.

Step 5. Specify the user name and password for connection to the PPPoE server.
  Command: esr(config-pppoe)# username <NAME> password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
  Keys:
    <NAME> – user name, set by the string of up to 31 characters;
    <CLEAR-TEXT> – password, set by the string of 8 to 16 characters;
    <ENCRYPTED-TEXT> – encrypted password, set by the string of [16..128] characters.

Step 6. Include the PPPoE tunnel in a security zone and configure interaction rules between zones (see section Firewall configuration).
  Command: esr(config-pppoe)# security-zone <NAME>
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 7. Enable the configured profile.
  Command: esr(config-pppoe)# enable

Step 8. Specify the authentication method (optional).
  Command: esr(config-pppoe)# authentication method <METHOD>
  Keys: <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap.

Step 9. Enable the opt-out of receiving the default route from the PPPoE server (optional).
  Command: esr(config-pppoe)# ignore-default-route

Step 10. Specify the time interval over which the load statistics are averaged (optional).
  Command: esr(config-pppoe)# load-average <TIME>
  Keys: <TIME> – time interval in seconds from 5 to 150 (5 seconds by default).

Step 11. Specify the MTU size (Maximum Transmission Unit) for the PPPoE tunnel (optional). An MTU above 1500 takes effect only when the 'system jumbo-frames' command is used.
  Command: esr(config-pppoe)# mtu <MTU>
  Keys: <MTU> – MTU value, takes values in the range of:
    • for ESR-10/12V(F)/14VF – [1280..9600];
    • for ESR-20/21 – [1280..9500];
    • for ESR-100/200/1000/1200/1500/1511/1700 – [1280..10000];
    • for ESR-3100 – [1280..9190].
  Default value: 1500.

Step 12. Change the number of failed data-link tests before the session is dropped (optional).
  Command: esr(config-pppoe)# ppp failure-count <NUM>
  Keys: <NUM> – the number of failed data-link tests, specified in the range [1..100]. Default value: 10.

Step 13. Change the time interval in seconds after which the router sends a keepalive message (optional).
  Command: esr(config-pppoe)# ppp timeout keepalive <TIME>
  Keys: <TIME> – time in seconds, takes values of [1..32767]. Default value: 10.

Step 14. Override the MSS (Maximum Segment Size) field in incoming TCP packets (optional).
  Command: esr(config-pppoe)# ip tcp adjust-mss <MSS>
  Keys: <MSS> – MSS value, takes values in the range of [500..1460]. Default value: 1460.

Step 15. Enable recording of the current tunnel usage statistics (optional).
  Command: esr(config-pppoe)# history statistics

It is also possible to configure the PPPoE client:

Configuration example

Objective:

...

PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol that allows establishing a secure connection with a server by creating a special tunnel across a common unsecured network. PPTP encapsulates PPP frames into IP packets for transmission over a global IP network, e.g. the Internet. PPTP may be used to establish a tunnel between two local area networks. PPTP uses an additional TCP connection for tunnel handling.

Configuration algorithm

Step 1. Create a PPTP tunnel and switch to its configuration mode.
  Command: esr(config)# tunnel pptp <INDEX>
  Keys: <INDEX> – tunnel identifier, set in the range of [1..10].

Step 2. Specify the description of the configured tunnel (optional).
  Command: esr(config-pptp)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

Step 3. Specify the VRF instance in which the given PPTP tunnel will operate (optional).
  Command: esr(config-pptp)# ip vrf forwarding <VRF>
  Keys: <VRF> – VRF name, set by the string of up to 31 characters.

Step 4. Include the PPTP tunnel in a security zone and configure interaction rules between zones, or disable the firewall (see section Firewall configuration).
  Commands:
    esr(config-pptp)# security-zone <NAME>
    esr(config-pptp)# ip firewall disable
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 5. Set the remote IP address for tunnel establishment.
  Command: esr(config-pptp)# remote address <ADDR>
  Keys: <ADDR> – local gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 6. Specify the MTU size (Maximum Transmission Unit) for the tunnel (optional).
  Command: esr(config-pptp)# mtu <MTU>
  Keys: <MTU> – MTU value, takes values in the range of:
    • for ESR-10/12V(F)/14VF – [552..9600];
    • for ESR-20/21 – [552..9500];
    • for ESR-100/200/1000/1200/1500/1511/1700 – [552..10000];
    • for ESR-3100 – [552..9190].
  Default value: 1500.

Step 7. Specify the user and set an encrypted or unencrypted password to authenticate the remote party.
  Command: esr(config-pptp)# username <NAME> password ascii-text { <WORD> | encrypted <HEX> }
  Keys:
    <NAME> – user name, set by the string of up to 31 characters;
    <WORD> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters;
    <HEX> – encrypted password, set by the string of [16..128] characters.

Step 8. Enable the tunnel.
  Command: esr(config-pptp)# enable

Step 9. Override the MSS (Maximum Segment Size) field in incoming TCP packets (optional).
  Command: esr(config-pptp)# ip tcp adjust-mss <MSS>
  Keys: <MSS> – MSS value, takes values in the range of [500..1460]. Default value: 1460.

Step 10. Ignore the default route via the given PPTP tunnel (optional).
  Command: esr(config-pptp)# ignore-default-route

Step 11. Specify the time interval over which the tunnel load statistics are averaged (optional).
  Command: esr(config-pptp)# load-average <TIME>
  Keys: <TIME> – interval in seconds, takes values of [5..150]. Default value: 5.

Step 12. Specify the authentication method (optional).
  Command: esr(config-pptp)# authentication method <METHOD>
  Keys: <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap.

Step 13. Enable recording of the current tunnel usage statistics (optional).
  Command: esr(config-pptp)# history statistics

Step 14. Change the time interval in seconds after which the router sends a keepalive message (optional).
  Command: esr(config-pptp)# ppp timeout keepalive <TIME>
  Keys: <TIME> – time in seconds, takes values of [1..32767]. Default value: 10.

Step 15. Change the number of failed data-link tests before the session is dropped (optional).
  Command: esr(config-pptp)# ppp failure-count <NUM>
  Keys: <NUM> – the number of failed data-link tests, specified in the range [1..100]. Default value: 10.

Configuration example

Objective:

...

L2TP (Layer 2 Tunneling Protocol) is a sophisticated tunneling protocol used to support virtual private networks. L2TP encapsulates PPP frames into IP packets for transmission over a global IP network, e.g. the Internet. L2TP may be used to establish a tunnel between two local area networks. L2TP uses an additional UDP connection for tunnel handling. L2TP itself does not provide data encryption, so it is usually combined with the IPsec protocol group, which provides security at the packet level.

Configuration algorithm

Step 1. Create an L2TP tunnel and switch to its configuration mode.
  Command: esr(config)# tunnel l2tp <INDEX>
  Keys: <INDEX> – tunnel identifier, set in the range of [1..10].

Step 2. Specify the VRF instance in which the given L2TP tunnel will operate (optional).
  Command: esr(config-l2tp)# ip vrf forwarding <VRF>
  Keys: <VRF> – VRF name, set by the string of up to 31 characters.

Step 3. Specify the description of the configured tunnel (optional).
  Command: esr(config-l2tp)# description <DESCRIPTION>
  Keys: <DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

Step 4. Include the L2TP tunnel in a security zone and configure interaction rules between zones, or disable the firewall (see section Firewall configuration).
  Commands:
    esr(config-l2tp)# security-zone <NAME>
    esr(config-l2tp)# ip firewall disable
  Keys: <NAME> – security zone name, set by the string of up to 31 characters.

Step 5. Set the remote IP address for tunnel establishment.
  Command: esr(config-l2tp)# remote address <ADDR>
  Keys: <ADDR> – local gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Step 6. Specify the user and set an encrypted or unencrypted password to authenticate the remote party.
  Command: esr(config-l2tp)# username <NAME> password ascii-text { <WORD> | encrypted <HEX> }
  Keys:
    <NAME> – user name, set by the string of up to 31 characters;
    <WORD> – unencrypted password, set by the string of [8..64] characters, may include [0-9a-fA-F] characters;
    <HEX> – encrypted password, set by the string of [16..128] characters.

Step 7. Select the key authentication method for the IKE connection.
  Command: esr(config-l2tp)# ipsec authentication method pre-shared-key

Step 8. Specify the shared secret authentication key; it must be the same for both parties of the tunnel.
  Command: esr(config-l2tp)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
  Keys:
    <TEXT> – string of [1..64] ASCII characters;
    <HEX> – number of [1..32] bytes, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);
    <ENCRYPTED-TEXT> – encrypted password of [1..32] bytes, set by the string of [2..128] characters;
    <ENCRYPTED-HEX> – encrypted number of [2..64] bytes, set by the string of [2..256] characters.

Step 9. Restrict the authentication and encryption methods used for the IKE protocol (optional).
  Command: esr(config-l2tp)# ipsec ike proposal <NAME>
  Keys: <NAME> – name of the previously created IKE profile, set by the string of up to 31 characters.

Step 10. Restrict the authentication and encryption methods used for the IPsec protocol (optional).
  Command: esr(config-l2tp)# ipsec proposal <NAME>
  Keys: <NAME> – name of the previously created IPsec profile, set by the string of up to 31 characters.

Step 11. Specify the UDP port number on which the connection to the L2TP server is established (optional).
  Command: esr(config-l2tp)# port <PORT>
  Keys: <PORT> – UDP port number, takes values of [1024..65535]. Default value: 1701.

Step 12. Enable the tunnel.
  Command: esr(config-l2tp)# enable

Step 13. Specify the MTU size (Maximum Transmission Unit) for the tunnel (optional).
  Command: esr(config-l2tp)# mtu <MTU>
  Keys: <MTU> – MTU value, takes values in the range of:
    • for ESR-10/12V(F)/14VF – [552..9600];
    • for ESR-20/21 – [552..9500];
    • for ESR-100/200/1000/1200/1500/1511/1700 – [552..10000];
    • for ESR-3100 – [552..9190].
  Default value: 1500.

Step 14. Ignore the default route via the given L2TP tunnel (optional).
  Command: esr(config-l2tp)# ignore-default-route

Step 15. Specify the authentication method (optional).
  Command: esr(config-l2tp)# authentication method <METHOD>
  Keys: <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap.

Step 16. Specify the time interval over which the tunnel load statistics are averaged (optional).
  Command: esr(config-l2tp)# load-average <TIME>
  Keys: <TIME> – interval in seconds, takes values of [5..150]. Default value: 5.

Step 17. Change the time interval in seconds after which the router sends a keepalive message (optional).
  Command: esr(config-l2tp)# ppp timeout keepalive <TIME>
  Keys: <TIME> – time in seconds, takes values of [1..32767]. Default value: 10.

Step 18. Change the number of failed data-link tests before the session is dropped (optional).
  Command: esr(config-l2tp)# ppp failure-count <NUM>
  Keys: <NUM> – the number of failed data-link tests, specified in the range [1..100]. Default value: 10.

It is also possible to configure QoS in basic or advanced mode for the L2TP client (see section QoS management).
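The server profile tables above (PPTP, L2TP and OpenVPN) and the client tunnel tables (PPPoE, PPTP and L2TP) each carry settings a reviewer should check before a profile goes live: PAP among the allowed methods, a PPTP server without MPPE, L2TP without IPsec pre-shared-key authentication, OpenVPN on 3des/blowfish128 or the default sha HMAC, duplicate-cn, and tunnels with the firewall disabled or outside any security zone. The Python script below is an added example, not part of this manual or of the ESR firmware: it parses a constructed configuration written in the page's command syntax (the block layout with indented sub-modes and 'exit', the profile names and the placeholder hashes are assumptions) and reports those weak settings per profile or tunnel.

```python
from dataclasses import dataclass, field

# Constructed sample in the CLI syntax documented on this page; not a real device config.
SAMPLE_CONFIG = """\
remote-access pptp office
  outside-address ip-address 203.0.113.10
  authentication mode local
  authentication method pap
  authentication method mschap-v2
  username fedor
    password ascii-text encrypted PLACEHOLDER-HASH
    enable
  exit
  security-zone untrusted
  enable
exit
remote-access openvpn branch
  tunnel ip
  network 10.20.0.0/24
  encryption algorithm 3des
  duplicate-cn
  security-zone untrusted
  enable
exit
tunnel l2tp 1
  remote address 198.51.100.7
  username fedor password ascii-text encrypted PLACEHOLDER-HASH
  ip firewall disable
  enable
exit
"""

@dataclass
class Block:
    kind: str                                   # "remote-access pptp", "tunnel l2tp", ...
    name: str
    lines: list[str] = field(default_factory=list)

    def has(self, cmd: str) -> bool:
        return any(ln == cmd or ln.startswith(cmd + " ") for ln in self.lines)

    def value(self, cmd: str, default=None):
        # Last word of the first line starting with cmd, e.g. the cipher name.
        return next((ln.split()[-1] for ln in self.lines if ln.startswith(cmd + " ")), default)

def parse_blocks(text: str) -> list[Block]:
    """Top-level blocks end at an 'exit' on the header's indentation; nested sub-modes
    (username ... exit) are kept as plain lines of the parent block."""
    blocks, current, head_indent = [], None, 0
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if not line:
            continue
        if current is None:
            parts = line.split()
            if len(parts) == 3 and parts[0] in ("remote-access", "tunnel"):
                current, head_indent = Block(f"{parts[0]} {parts[1]}", parts[2]), indent
        elif line == "exit" and indent == head_indent:
            blocks.append(current)
            current = None
        else:
            current.lines.append(line)
    return blocks

WEAK_CIPHERS = {"3des", "blowfish128"}  # 64-bit block ciphers from the page's list
STRONG_HMAC = {"sha-224", "rsa-sha-224", "sha-256", "rsa-sha-256", "sha-384",
               "rsa-sha-384", "sha-512", "rsa-sha-512", "whirlpool"}

def audit_block(b: Block) -> list[str]:
    tag, out = f"{b.kind} {b.name}", []
    # Each 'authentication method X' allows one more PPP method; only chap is allowed by default.
    methods = {ln.split()[-1] for ln in b.lines if ln.startswith("authentication method ")} or {"chap"}
    if "pap" in methods:
        out.append(f"{tag}: PAP allowed, passwords cross the link in clear text")
    if b.kind == "remote-access pptp":
        if not b.has("encryption mppe"):
            out.append(f"{tag}: MPPE not enabled, PPP payload is unencrypted")
        elif not methods & {"mschap", "mschap-v2"}:
            out.append(f"{tag}: MPPE keys derive from MS-CHAP(v2), but neither method is allowed")
    if b.kind.endswith("l2tp") and not b.has("ipsec authentication method pre-shared-key"):
        out.append(f"{tag}: no IPsec, L2TP itself does not encrypt")
    if b.kind == "remote-access openvpn":
        if b.value("encryption algorithm") in WEAK_CIPHERS:
            out.append(f"{tag}: weak data cipher {b.value('encryption algorithm')}")
        if b.value("authentication algorithm", "sha") not in STRONG_HMAC:
            out.append(f"{tag}: weak HMAC {b.value('authentication algorithm', 'sha')}")
        if b.has("duplicate-cn"):
            out.append(f"{tag}: duplicate-cn lets several clients share one certificate")
    if b.has("ip firewall disable"):
        out.append(f"{tag}: firewall disabled on this tunnel")
    elif not b.has("security-zone"):
        out.append(f"{tag}: not placed in any security zone")
    return out

def audit_config(text: str) -> dict[str, list[str]]:
    """Profile/tunnel name -> findings; an empty list means no weak setting was found."""
    return {f"{b.kind} {b.name}": audit_block(b) for b in parse_blocks(text)}
```

Running audit_config(SAMPLE_CONFIG) reports two findings for the PPTP server, three for the OpenVPN server and two for the L2TP client tunnel; a profile that passes every check maps to an empty list.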

Configuration example

Objective:

...

esr# show tunnels configuration l2tp
