mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
L2TP: change to 80 characters column width
This commit is contained in:
Christian Poessinger
parent
7c6604f76a
commit
624c3cd42a
@ -3,7 +3,8 @@
|
||||
L2TP
|
||||
-----------
|
||||
|
||||
VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used with local authentication or a connected RADIUS server.
|
||||
VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used
|
||||
with local authentication or a connected RADIUS server.
|
||||
|
||||
L2TP over IPsec
|
||||
===============
|
||||
@ -26,7 +27,8 @@ with native Windows and Mac VPN clients):
|
||||
set vpn l2tp remote-access authentication mode local
|
||||
set vpn l2tp remote-access authentication local-users username test password 'test'
|
||||
|
||||
In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address 192.168.255.1 uses as client tunnel termination point.
|
||||
In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address
|
||||
192.168.255.1 uses as client tunnel termination point.
|
||||
|
||||
If a local firewall policy is in place on your external interface you will need
|
||||
to allow the ports below:
|
||||
@ -66,7 +68,8 @@ To allow VPN-clients access via your external address, a NAT rule is required:
|
||||
set nat source rule 110 translation address masquerade
|
||||
|
||||
|
||||
VPN-clients will request configuration parameters, optionally you can DNS parameter to the client.
|
||||
VPN-clients will request configuration parameters, optionally you can DNS
|
||||
parameter to the client.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
@ -82,15 +85,15 @@ operational command, or **show l2tp-server sessions**
|
||||
.. code-block:: sh
|
||||
|
||||
vyos@vyos:~$ show vpn remote-access
|
||||
ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
|
||||
ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
|
||||
--------+----------+--------------+---------------+------------+------+------+--------+----------
|
||||
ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
|
||||
ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
|
||||
|
||||
|
||||
LNS (L2TP Network Server)
|
||||
=========================
|
||||
|
||||
LNS are often used to connect to a LAC (L2TP Access Concentrator).
|
||||
LNS are often used to connect to a LAC (L2TP Access Concentrator).
|
||||
|
||||
Below is an example to configure a LNS:
|
||||
|
||||
@ -101,13 +104,16 @@ Below is an example to configure a LNS:
|
||||
set vpn l2tp remote-access client-ip-pool start 192.168.255.2
|
||||
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
|
||||
set vpn l2tp remote-access lns shared-secret 'secret'
|
||||
set vpn l2tp remote-access ccp-disable
|
||||
set vpn l2tp remote-access ccp-disable
|
||||
set vpn l2tp remote-access authentication mode local
|
||||
set vpn l2tp remote-access authentication local-users username test password 'test'
|
||||
|
||||
The example above uses 192.0.2.2 as external IP address, the nexthop is supposed to be 192.168.255.1 and is used as client termination point.
|
||||
A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``.
|
||||
This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that.
|
||||
The example above uses 192.0.2.2 as external IP address, the nexthop is supposed
|
||||
to be 192.168.255.1 and is used as client termination point. A LAC normally
|
||||
requires an authentication password, which is set in the example configuration
|
||||
to ``lns shared-secret 'secret'``. This setup requires the Compression Control
|
||||
Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``
|
||||
accomplishes that.
|
||||
|
||||
|
||||
Bandwidth Shaping
|
||||
@ -115,7 +121,7 @@ Bandwidth Shaping
|
||||
|
||||
Bandwidth rate limits can be set for local users or via RADIUS based attributes.
|
||||
|
||||
Bandwidth Shaping for local users
|
||||
Bandwidth Shaping for local users
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The rate-limit is set in kbit/sec.
|
||||
@ -131,31 +137,34 @@ The rate-limit is set in kbit/sec.
|
||||
set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
|
||||
set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
|
||||
|
||||
vyos@vyos:~$ show vpn remote-access
|
||||
ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
|
||||
vyos@vyos:~$ show vpn remote-access
|
||||
ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
|
||||
-------+----------+--------------+---------------+-------------+------+------+--------+-----------
|
||||
ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
|
||||
ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
|
||||
|
||||
RADIUS authentication
|
||||
======================
|
||||
|
||||
To enable RADIUS based authentication, the authentication mode needs to be changed withing the configuration.
|
||||
Previous settings like the local users, still exists within the configuration, however they are not used if the mode
|
||||
has been changed from local to radius. Once changed back to local, it will use all local accounts again.
|
||||
To enable RADIUS based authentication, the authentication mode needs to be
|
||||
changed withing the configuration. Previous settings like the local users, still
|
||||
exists within the configuration, however they are not used if the mode has been
|
||||
changed from local to radius. Once changed back to local, it will use all local
|
||||
accounts again.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set vpn l2tp remote-access authentication mode <local|radius>
|
||||
|
||||
Since the RADIUS server would be a single point of failure, multiple RADIUS server can be setup and will be used subsequentially.
|
||||
Since the RADIUS server would be a single point of failure, multiple RADIUS
|
||||
servers can be setup and will be used subsequentially.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
|
||||
set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
|
||||
|
||||
.. note:: Some RADIUS_ severs use an access control list which allows or denies queries,
|
||||
make sure to add your VyOS router to the allowed client list.
|
||||
.. note:: Some RADIUS_ severs use an access control list which allows or denies
|
||||
queries, make sure to add your VyOS router to the allowed client list.
|
||||
|
||||
RADIUS source address
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
@ -171,8 +180,8 @@ single source IP e.g. the loopback interface.
|
||||
Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
|
||||
on this NAS.
|
||||
|
||||
.. note::
|
||||
The ``source-address`` must be configured on one of VyOS interface.
|
||||
.. note:: The ``source-address`` must be configured on one of VyOS interface.
|
||||
Best proctice would be a loopback or dummy interface.
|
||||
|
||||
RADIUS bandwidth shaping attribute
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
@ -183,31 +192,40 @@ To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enable
|
||||
|
||||
set vpn l2tp remote-access authentication radius rate-limit enable
|
||||
|
||||
The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also redefine it.
|
||||
The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also
|
||||
redefine it.
|
||||
|
||||
.. code-block:: sh
|
||||
|
||||
set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
|
||||
|
||||
.. note:: If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example.
|
||||
.. note:: If you set a custom RADIUS attribute you must define it on both
|
||||
dictionaries at RADIUS server and client, which is the vyos router in our
|
||||
example.
|
||||
|
||||
The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``
|
||||
|
||||
RADIUS advanced features
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
Received RADIUS attributes have a higher priority than parameters defined withm the cli configuration, refer to the explanation below.
|
||||
|
||||
Received RADIUS attributes have a higher priority than parameters defined within
|
||||
the CLI configuration, refer to the explanation below.
|
||||
|
||||
Allocation clients ip addresses by RADIUS
|
||||
*****************************************
|
||||
|
||||
If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the cli config is being ignored.
|
||||
If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
|
||||
address will be allocated to the client and the option ip-pool within the CLI
|
||||
config is being ignored.
|
||||
|
||||
Renaming clients interfaces by RADIUS
|
||||
*************************************
|
||||
|
||||
If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed.
|
||||
If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
|
||||
renamed.
|
||||
|
||||
.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed.
|
||||
.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
|
||||
characters, otherwise the interface won't be renamed.
|
||||
|
||||
|
||||
.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user