Wiki

• FrontPage
• RecentChanges
• FindPage
• HelpContents
• ru/xl2tpd.conf/man

VPN >> xl2tpd >> ?файл для настройки L2TPD >> Руководство xl2tpd.conf

Руководство xl2tpd.conf(5)

НАЗВАНИЕ

• xl2tpd.conf — файл для настройки L2TPD

ОПИСАНИЕ

• Файл xl2tpd.conf содержит различную информацию о настройках для xl2tpd, реализации протокола l2tp.
  • Файл с настройками состоит из различных секций и параметров. Каждой секции присвоено определённое значение, которое в дальнейшем будет использоваться при использовании настроек FIFO (обычно /var/run/l2tp-control). Обратитесь за более подробной информацией к руководству xl2tpd.8
  Значение по-умолчанию для соответствующего параметра в секции будет использоваться во всех остальных секциях как значение по-умолчанию.

ГЛОБАЛЬНАЯ СЕКЦИЯ

• auth file Указывает путь к файлу аутентификации для использования в целях аутентификации l2tp-туннелей. Значение по-умолчанию: /etc/l2tpd/l2tp-secrets. ipsec saref

  • Use IPsec Security Association trackinng. When this is enabled, packets received by xl2tpd should have to extra fields (refme and refhim) which allows tracking of multiple clients using the same internal NATed IP address, and allows tracking of multiple clients behind the same NAT router. This neds to be supported by the kernel. Currently, this only works with Openswan KLIPS in "mast" mode. (see http://www.openswan.org/)

    • Set this to yes and the system will provide proper SAref values in the recvmsg() calls. Values can be yes or no. The default is no.
  saref refinfo
  • When using IPsec Security Association trackinng, a new setsockopt is used. Since this is not (yet?) an official Linux kernel option, we got bumped. Openswan upto 2.6.35 for linux kernels up to 2.6.35 used a saref num of 22. Linux 3.6.36+ uses 22 for IP_NODEFRAG. We moved our IP_IPSEC_REFINFO to 30. If not set, the default is to use 30. For older SAref patched kernels, use 22.
  listen-addr
  • The IP address of the interface on which the daemon listens. By default, it listens on INADDR_ANY (0.0.0.0), meaning it listens on all interfaces.
  port
  • Specify which UDP port xl2tpd should use. The default is 1701.
  access control
  • If set to yes, the xl2tpd process will only accept connections from peers addresses specified in the following sections. The default is no.
  debug avp
  • Set this to yes to enable syslog output of L2TP AVP debugging information.
  debug network
  • Set this to yes to enable syslog output of network debugging information.
  debug packet
  • Set this to yes to enable printing of L2TP packet debugging information. Note: Output goes to STDOUT, so use this only in conjunction with the -D command line option.
  debug state
  • Set this to yes to enable syslog output of FSM debugging information.
  debug tunnel
  • Set this to yes to enable syslog output of tunnel debugging information.

LNS СЕКЦИЯ (СЕКЦИЯ ДЛЯ СЕРВЕРА)

• exclusive
  • If set to yes, only one control tunnel will be allowed to be built between 2 peers. CHECK
  (no) ip range
  • Specify the range of ip addresses the LNS will assign to the connecting LAC PPP tunnels. Multiple ranges can be defined. Using the 'no' statement disallows the use of that particular range. Ranges are defined using the format IP - IP (example: 1.1.1.1 - 1.1.1.10). Note that either at least one ip range option must be given, or you must set assign ip to no.
  assign ip
  • Set this to no if xl2tpd should not assign IP addresses out of the pool defined with the ip range option. This can be useful if you have some other means to assign IP addresses, e. g. a pppd that supports RADIUS AAA.
  (no) lac
  • Specify the ip addresses of LAC's which are allowed to connect to xl2tpd acting as a LNS. The format is the same as the ip range option.
  hidden bit
  • If set to yes, xl2tpd will use the AVP hiding feature of L2TP. To get more information about hidden AVP's and AVP in general, refer to rfc2661 (add URL?)
  local ip
  • Use the following IP as xl2tpd's own ip address.
  length bit
  • If set to yes, the length bit present in the l2tp packet payload will be used.
  (refuse | require) chap
  • Will require or refuse the remote peer to get authenticated via CHAP for the ppp authentication.
  (refuse | require) pap
  • Will require or refuse the remote peer to get authenticated via PAP for the ppp authentication.
  (refuse | require) authentication
  • Will require or refuse the remote peer to authenticate itself.
  unix authentication
  • If set to yes, /etc/passwd will be used for remote peer ppp authentication.
  hostname
  • Will report this as the xl2tpd hostname in negociation.
  ppp debug
  • This will enable the debug for pppd.
  pppoptfile
  • Specify the path for a file which contains pppd configuration parameters to be used.
  call rws
  • This option is deprecated and no longer functions. It used to be used to define the flow control window size for individual L2TP calls or sessions. The L2TP standard (RFC2661) no longer defines flow control or window sizes on calls or sessions.
  tunnel rws
  • This defines the window size of the control channel. The window size is defined as the number of outstanding unacknowledged packets, not as a number of bytes.
  flow bits
  • If set to yes, sequence numbers will be included in the communication. The feature to use sequence numbers in sessions is currently broken and does not function.
  challenge
  • If set to yes, use challenge authentication to authenticate peer.
  rx bps
  • If set, the receive bandwidth maximum will be set to this value
  tx bps
  • If set, the transmit bandwidth maximum will be set to this value

LAC СЕКЦИЯ (СЕКЦИЯ ДЛЯ КЛИЕНТА)

• The following are LAC specific configuration flags. Most of those described in the LNS section may be used in a LAC context, where it make common sense (essentially l2tp procotols tuning flags and authentication / ppp related ones).
  • lns
    • Set the dns name or ip address of the LNS to connect to.
    redial
    • If set to yes, xl2tpd will attempts to redial if the call get disconected.
    redial timeout
    • Wait X seconds before redial. The redial option must be set to yes to use this option.
    max redial
    • Will give up redial tries after X attempts.

ФАЙЛЫ

ОШИБКИ

• Пожалуйста, отправляйте сообщения об обнаруженных ошибках и комментарии на адрес xl2tpd-dev@xelerance.com

СМОТРИТЕ ТАКЖЕ

• xl2tpd(8)

АВТОРЫ

• Разработка основана на xl2tpd фирмой Xelerance (http://www.xelerance.com/software/xl2tpd/

  Майкл Ричардсон (Michael Richardson) <mcr@xelerance.com> Пол Уотерс (Paul Wouters) <paul@xelerance.com>

  Особая благодарность Жако де Лию (Jacco de Leeuw) <jacco2@dds.nl> за поддержку l2tpd.

  Прежние разработки располагались на sourceforge (http://www.sourceforge.net/projects/l2tpd):

• Скотом Балмосом (Scott Balmos) <sbalmos@iglou.com>

  Дэвидом Стипп (David Stipp) <dstipp@one.net>

  Джефом ?МакАдамсом (Jeff ?McAdams) <jeffm@iglou.com>

• xl2tpd основан на l2tpd версии 0.60 Copyright (C)1998 Adtran, Inc.

• Марк Спенсер (Mark Spencer) <markster@marko.net>

Ссылки

• ru/VPN — VPN

• ru/xl2tpd — xl2tpd

• ru/xl2tpd/man — Руководство xl2tpd(8)

• ?ru/xl2tpd.conf — xl2tpd.conf, файл для настройки L2TPD