Layer 2 tunnelling protocol is a standard way to pass IP packets via a tunnel. It was originally used for dialup connections, connecting the RAS (Remote Access Server) to the LNS (L2TP Network Server), and is still used today within Internet Service Providers for broadband connections. L2TP has the advantage that it is very standard and interacts with a variety of equipment.
The FireBrick provides a means to accept static L2TP connections with configured username, password, and IP routing.
The FireBrick also provides a means to make an outgoing L2TP connection as if it was a RAS, connecting to an LNS. This can be used with ISPs that offer this service, or could be used, for example, to connect to another FireBrick.
L2TP is usually used by Internet Service Providers, but it can also be used to create point to point tunnels connecting, say, two FireBricks together to pass IP traffic. The configuration for this can be a little confusing because L2TP is designed for multiple connections over separate tunnels between Access Controllers and L2TP Network Controllers, so the protocol involves more than one layer and authentication, and a lot of detailed settings.
Once upon a time the Remote Access Server (RAS) would have had a bank of modems or ISDN links, but these days it would be broadband connections over PPPoE. A RAS would create tunnel to an L2TP Network Server (LNS). Once a call comes in, the RAS would then create a session over that tunnel connecting the LNS to the end user. Each tunnel can hold multiple sessions all to the same LNS. The LNS then talks PPP over the tunnel/session to the end user and negotiates login details and IP addressing and so on. It then uses PPP to pass IP packets allowing a connection to the Internet.
If you make a point to point link, one end acts as the RAS, and makes a tunnel to the other end acting as an LNS, and then it creates a session over that tunnel. The settings needed for this are often a lot simpler than an ISP would use, so there is a lot of the FireBrick configuration you can ignore. It is, however, useful to understand some of the terms and settings, especially the authentication.
The FireBrick uses a static configuration to decide if it will accept an incoming L2TP tunnel. This is the Incoming L2TP
configuration. An incoming tunnel has very few credentials - the main one being the hostname it sends. This
is matched against the remote-hostname
(which allows a wildcard, even).
You can also match to allow specific RAS IP addresses, as well as the routing table used.
The secret
needs to be the same on the RAS and LNS.
Once the first match is found, the L2TP tunnel can be accepted. Most of the remaining configuration settings are not related to the tunnel as such, but define the default settings for any session that comes in over the tunnel. These settings can normally be omitted as they will have sensible defaults anyway.
A single tunnel config allows multiple instances of that tunnel to be created. If you are making multiple connections you may want to create different tunnel hostnames to allow fine control of specific features.
Once the RAS has a tunnel to the LNS it can create a session. The FireBrick acting as the LNS has to decide to accept the session or not, and what settings to use for the session.
The FireBrick acting as an LNS can use a static configuration to accept a session, or use RADIUS. An ISP would typically use RADIUS which allowes a separate authentication service to decide if to accept the session and the settings that apply.
The static configuration consists of match settings. These are part of the relevant Incoming L2TP
configuration for the tunnel being used.
The main criteria is username
(which can be wildcard, even), but can also match calling-station-id
and called-station-id
which would have once been phone numbers, but are typically some sort of circuit ID
and service ID in broadband. The password
has to be correct, if specified. Making a point to point L2TP
link allows all of these to be set on the outgoing connection.
Having found the first match, there are a few settings which can be controlled. This is not the full set of session
settings, but most can be set as a default in the Incoming L2TP tunnel configuraion if required on a point to point static configuration.
The main setting is remote-ppp-ip
which defines the IPv4 endpoint for the far end. If this is set then the
session is accepted and routing for this IP is negotiated and routed. Additional routes can also be set.
If the remote-ppp-ip
is not defined, then relay settings can be defined to allow
the session to be relayed down another L2TP tunnel. These include the hostname, IP, and secret to use.
An outgoing L2TP connection means the FireBrick is wanting to establish a session with IP routing.
To do this it is necessary to create an L2TP tunnels first, so the outgoing configuration includes
details of both the tunnel (local-hostname
, secret
, server
IP),
and the session (username
, password
, calling-station-id
,
called-station-id
).
If a tunnel exists with the right credentials, it is re-used, so having more than one session, although typically you do
not do this as tunnels to the same LNS will normally be via different routing tables and backhaul links. If no tunnel
exists, one is created first and then the session created over that tunnel. If the session drops, it may be re-established
over the same tunnel. If the tunnel drops (which drops all sessions in it) then it hands around for a few seconds before
a new tunnel can be made (fail-timeout
).
local-…
and remote-…
. These are relative to the device you
are configuring. So a config to link two FireBricks will have local-hostname
one end matching the
remote-hostname
the other. Similarly settings like tx-…
and rx-…
are relative, tx being transmit/send from this device, and rx being receive to this device.
The L2TP configuration has an optional ha-set
setting allowing you to define that sessions in the specified tunnel are used for High availability.
This means any packets sent to the sessions are in fact sent to each session (duplicated). At the receiving end the first of each duplicate is passed on as normal and any subsequent ones discarded.
This sacrafices bandwidth for high availability and reliability.
You need to ensure packets are routed to the multiple sessions in the set, in the same way as bonding L2TP, and also that they are put in the same ha-set
.