With LANconfig, you configure L2TP under . The tunnel configuration for the control data of an L2TP tunnel to a tunnel endpoint is located under L2TP endpoints.
- Name
- Name of the tunnel endpoint.
- L2TP tunnel active
- Enables the configured L2TP tunnel.
- L2TP version
- The L2TP protocol version used, either version 2 or 3.
Important: Ethernet tunnels are only possible with version 3. In this case, be sure to set the protocol "L2TPv3" here.
Note: L2TPv3 in the LCOS is always encapsulated in UDP. This allows transmissions to pass through NAT gateways without problem.
- IP address
- IP address of the tunnel endpoint (IPv4, IPv6, FQDN).
Note: Leaving this field blank when the L2TPv3 protocol is selected makes this field into a "wildcard" entry that can accept connections from any remote site.
- Routing tag
- The routing tag of the route to the tunnel endpoint.
Note: If a loopback address is entered as the source address and the routing tag has a value of "0", the device uses the routing tag of the loopback address.
- Port
- UDP port
- Polling interval
- Polling interval in seconds
- Host name
- Name used by the device to authenticate at the tunnel endpoint
- Password
- Password used by the device to authenticate at the tunnel endpoint
- Authenticate remote end
- Enable this option if two tunnel endpoints (LAC and LNS) are required to mutually authenticate one another before establishing a tunnel. In this case, the tunnel endpoint name and password for this device are configured as the tunnel endpoint and the option to Authenticate remote end is similarly enabled.
- Obfuscate tunnel negotiation
- Enable this option if the tunnel negotiations between the LAC and the LNS are to be encrypted. The two L2TP partners then encrypt and decrypt certain AVPs (attribute value pairs) of the L2TP messages with the help of a common preshared secret.
- Source address
- Here you can optionally specify a source address for the device to use instead of the one that would normally be selected automatically. Possible values are:
- Name of the IP networks whose addresses are to be used.
- "INT" for the address of the first intranet
- "DMZ" for the address of the first DMZ
- LB0 to LBF for the 16 loopback addresses
- Any valid IP address
Note: If the list of IP networks or loopback addresses contains an entry named "DMZ", then the associated IP address will be used.
Important: If the source address set here is a loopback address, this will be used unmasked even on masked remote clients.
From LCOS 10.20, layer-3 Ethernet tunnels can be configured to use L2TPv3. The configuration is done in the L2TP endpoint table described above and in the L2TP Ethernet table described below. For a corresponding scenario, see Configuring a WLAN scenario for bridging payload data to the central site.
If you specify an IP address or a host name, an attempt is made to establish a connection. If the corresponding field is left blank, no connection is established, but connections can be accepted. Configured properties such as the station name or password are checked by the remote site when the connection is established:
- The host name transmitted by the remote site is checked to see whether it corresponds to a configured L2TP endpoint. The host name is configured in the L2TP endpoint table of the remote site under Host name. If this field is left blank, the device name is used for authentication instead.
- If this is the case, the connection is established using the configuration for the corresponding L2TP endpoint.
- If not, the L2TP endpoints table is checked to see if it contains a "wildcard" entry. This is an entry that contains no host/station name or routing tag. The connection is established using the configuration of the "wildcard" entry.
- If authentication is activated for the corresponding entry in the L2TP endpoints table, authentication is carried out based on the configured password.
- If the password field is empty and authentication is switched on, a RADIUS authentication is carried out. See Authentication via RADIUS.
- If authentication is turned off, a "wildcard" entry accepts any incoming tunnel accordingly.
Under L2TP list, you make the link between the L2TP remote sites and a previously configured tunnel endpoint.
- Outgoing connections
- Incoming connections with an idle timeout not equal to "20" or
- If incoming links specify the use of a specific tunnel only.
- Remote site
- Name of the L2TP remote device
- L2TP endpoint
- Name of the tunnel endpoint used by this remote site.
- Short hold time
- Determines how long the L2TP tunnel endpoint keeps the tunnel open when inactive.
- IPv6
- This entry specifies the name of the IPv6 WAN interface. Leaving this entry blank causes IPv6 to be disabled for this interface. The IPv6 remote sites are configured under .
Under L2TP Ethernet you link L2TPv3 sessions with one of the 16 L2TP virtual Ethernet interfaces. The L2TP virtual Ethernet interfaces can then be used elsewhere in the configuration, e.g. in the LAN bridge for linking to WLAN or LAN interfaces.
- Remote site
- Here you configure the name used to assign the Ethernet tunnel to the remote site. For each Ethernet tunnel, this name must be identical at both ends.
- L2TP endpoint
- Here you configure the name of the L2TP endpoint configured in the L2TP endpoints table. This causes an Ethernet tunnel session to be established via this endpoint. If connections are to be accepted only, and not actively established from this end, leaving this field blank allows any sessions to be accepted. Of course, these still need "to run" via an accepted/established endpoint from the L2TP endpoints table. This can be useful in scenarios where not every endpoint on the receiving side should be configured separately.
- Interface
- The virtual L2TP Ethernet interface to be used for the L2TPv3 session.
In the case of incoming tunnel requests, a check is performed either by RADIUS or by means of an entry for the requesting host in the L2TP endpoints table. If the table contains an entry with the same IP address (or no IP address is specified for this entry), the device permits tunnel establishment to this host.
For additional protection, for example to enable encryption of the L2TP sessions via IPSec, the device can additionally check the routing tag of the remote site from which it received the data. This check is enabled with the option L2TP source routing tag check.
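The decision sequence for an incoming tunnel request (host-name match, wildcard fallback, password or RADIUS authentication, the IP-address match and the optional source routing tag check from the two paragraphs above) is easier to reason about as code. The following Python model is an added example written for this page; it is not LCOS code and does not reproduce LCOS internals. It simplifies the table to the fields the decision needs, treats an entry with a blank host name and routing tag 0 as the "wildcard" entry, treats a blank IP address as "accept from any peer address", and models the routing tag check as a comparison between the entry's routing tag and the tag the request arrived with; all of these are modelling assumptions, as are the sample entries, addresses and passwords.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import hmac


@dataclass
class Endpoint:
    """One row of the L2TP endpoints table, reduced to the fields the decision needs."""
    name: str
    host_name: str = ""               # blank together with routing_tag 0 -> "wildcard" entry (assumption)
    ip_address: str = ""              # blank -> requests from any peer address are allowed
    routing_tag: int = 0
    authenticate_remote_end: bool = False
    password: str = ""                # blank while authentication is on -> RADIUS is used


@dataclass
class TunnelRequest:
    """What the device learns about an incoming request (constructed for this model)."""
    host_name: str            # host name transmitted by the remote site
    peer_ip: str              # address the request arrived from
    password: str             # credential presented by the remote site
    source_routing_tag: int   # routing tag of the interface the request arrived on


def find_endpoint(table: List[Endpoint], req: TunnelRequest) -> Optional[Endpoint]:
    """Step 1: match the transmitted host name; step 2: fall back to a wildcard entry."""
    for ep in table:
        if ep.host_name and ep.host_name == req.host_name:
            return ep
    for ep in table:
        if not ep.host_name and ep.routing_tag == 0:
            return ep
    return None


def authenticate(ep: Endpoint, req: TunnelRequest,
                 radius_check: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Password check, RADIUS fallback, or no check at all, depending on the entry."""
    if not ep.authenticate_remote_end:
        return True, "no authentication"
    if ep.password:
        # constant-time comparison so timing does not leak how much of the password matched
        ok = hmac.compare_digest(ep.password.encode(), req.password.encode())
        return ok, "password"
    return radius_check(req.host_name, req.password), "RADIUS"


def accept_tunnel(table: List[Endpoint], req: TunnelRequest,
                  radius_check: Callable[[str, str], bool] = lambda user, pw: False,
                  source_routing_tag_check: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming tunnel request."""
    ep = find_endpoint(table, req)
    if ep is None:
        return False, "rejected: no matching endpoint and no wildcard entry"
    if ep.ip_address and ep.ip_address != req.peer_ip:
        return False, f"rejected: {req.peer_ip} does not match endpoint '{ep.name}'"
    if source_routing_tag_check and ep.routing_tag != req.source_routing_tag:
        return False, f"rejected: routing tag {req.source_routing_tag} does not match endpoint '{ep.name}'"
    ok, method = authenticate(ep, req, radius_check)
    if not ok:
        return False, f"rejected: {method} authentication failed for '{ep.name}'"
    return True, f"accepted via '{ep.name}' ({method})"


# Constructed sample table: a fixed peer with a password, a peer checked via RADIUS,
# and an unauthenticated wildcard entry that accepts everything else.
ENDPOINTS = [
    Endpoint("HQ", host_name="BRANCH-1", ip_address="192.0.2.10", routing_tag=1,
             authenticate_remote_end=True, password="example-secret"),
    Endpoint("RADIUS-PEERS", host_name="BRANCH-2", authenticate_remote_end=True),
    Endpoint("ANY"),
]

if __name__ == "__main__":
    for req in (TunnelRequest("BRANCH-1", "192.0.2.10", "example-secret", 1),
                TunnelRequest("BRANCH-1", "198.51.100.7", "example-secret", 1),
                TunnelRequest("SOMEWHERE", "198.51.100.7", "", 5)):
        print(req.host_name, "->", accept_tunnel(ENDPOINTS, req, source_routing_tag_check=True))
```

The last sample request shows the point of the routing tag check: without it the wildcard entry accepts any peer, with it a request arriving on routing tag 5 is refused because the wildcard entry carries tag 0.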
You have the option to configure up to 32 additional gateways per tunnel endpoint by clicking on Further remote endpoints.
- L2TP endpoint
- Name of the tunnel endpoint, as configured in the table of L2TP endpoints.
- Begin with L2TP endpoint
- Option for selecting the next gateway. The following options are available:
- Last used: Select the last successful address
- First: Select the first gateway in the list
- Random: Random selection from the gateways in the list
On the following tabs you configure the names and the respective routing tags of the alternative gateways.