| Chapter 11. Tunnels | ||
|---|---|---|
 |  | |
| Chapter 11. Tunnels | ||
|---|---|---|
| | | |
Table of Contents
The FB6000 supports the following tunnelling protocols :-
L2TP client functionality enables tunnelled connections to be made to an L2TP server
Layer 2 tunnelling protocol is a standard way to pass IP packets via a tunnel. It was originally used for dialup connections, connecting the RAS (Remote Access Server) to the LNS (L2TP Network Server), and is still used today within Internet Service Providers for broadband connections. L2TP has the advantage that it is very standard and interacts with a variety of equipment.
The FireBrick provides a means to accept static L2TP connections with configured username, password, and IP routing.
The FireBrick can act as full LNS, designed to allow thousands of connections to be handled by an ISP. See Chapter 16 for more details.
L2TP is usually used by Internet Service Providers, but it can also be used to create point to point tunnels connecting, say, two FireBricks together to pass IP traffic. The configuration for this can be a little confusing because L2TP is designed for multiple connections over separate tunnels between Access Controllers and L2TP Network Controllers, so the protocol involves more than one layer and authentication, and a lot of detailed settings.
Once upon a time the Remote Access Server (RAS) would have had a bank of modems or ISDN links, but these days it would be broadband connections over PPPoE. A RAS would create tunnel to an L2TP Network Server (LNS). Once a call comes in, the RAS would then create a session over that tunnel connecting the LNS to the end user. Each tunnel can hold multiple sessions all to the same LNS. The LNS then talks PPP over the tunnel/session to the end user and negotiates login details and IP addressing and so on. It then uses PPP to pass IP packets allowing a connection to the Internet.
If you make a point to point link, one end acts as the RAS, and makes a tunnel to the other end acting as an LNS, and then it creates a session over that tunnel. The settings needed for this are often a lot simpler than an ISP would use, so there is a lot of the FireBrick configuration you can ignore. It is, however, useful to understand some of the terms and settings, especially the authentication.
The FireBrick uses a static configuration to decide if it will accept an incoming L2TP tunnel. This is the Incoming L2TP
configuration. An incoming tunnel has very few credentials - the main one being the hostname it sends. This
is matched against the remote-hostname (which allows a wildcard, even).
You can also match to allow specific RAS IP addresses, as well as the routing table used.
The secret needs to be the same on the RAS and LNS.
Once the first match is found, the L2TP tunnel can be accepted. Most of the remaining configuration settings are not related to the tunnel as such, but define the default settings for any session that comes in over the tunnel. These settings can normally be omitted as they will have sensible defaults anyway.
A single tunnel config allows multiple instances of that tunnel to be created. If you are making multiple connections you may want to create different tunnel hostnames to allow fine control of specific features. Alternatively you may want to have one incoming tunnel configuration, even matching any hostname, and set specific session details using RADIUS. As an ISP, you will typically have an incoming tunnel config for each carrier, or possibly service type.
Once the RAS has a tunnel to the LNS it can create a session. The FireBrick acting as the LNS has to decide to accept the session or not, and what settings to use for the session.
The FireBrick acting as an LNS can use a static configuration to accept a session, or use RADIUS. An ISP would typically use RADIUS which allowes a separate authentication service to decide if to accept the session and the settings that apply.
The static configuration consists of match settings. These are part of the relevant Incoming L2TP
configuration for the tunnel being used.
The main criteria is username (which can be wildcard, even), but can also match calling-station-id
and called-station-id which would have once been phone numbers, but are typically some sort of circuit ID
and service ID in broadband. The password has to be correct, if specified. Making a point to point L2TP
link allows all of these to be set on the outgoing connection.
Having found the first match, there are a few settings which can be controlled. This is not the full set of session
settings, but most can be set as a default in the Incoming L2TP tunnel configuraion if required on a point to point static configuration.
The main setting is remote-ppp-ip which defines the IPv4 endpoint for the far end. If this is set then the
session is accepted and routing for this IP is negotiated and routed. Additional routes can also be set.
If the remote-ppp-ip is not defined, then relay settings can be defined to allow
the session to be relayed down another L2TP tunnel. These include the hostname, IP, and secret to use.
If not static match is made them RADIUS is used. As an ISP it will be unusual to have any static incoming session matching apart from special test cases.
local-… and remote-…. These are relative to the device you
are configuring. So a config to link two FireBricks will have local-hostname one end matching the
remote-hostname the other. Similarly settings like tx-… and rx-…
are relative, tx being transmit/send from this device, and rx being receive to this device.
| | | |
| 10.4. PPPoE BRAS |  | Chapter 12. System Services |