l2tp (Profile)

 

Syntax

Hierarchy Level

Release Information

Statement introduced before Junos OS Release 7.4.

Description

Configure the L2TP properties for a profile.

Note

Only the interface-id, lcp-renegotiation, maximum-sessions, maximum-sessions-per-tunnel, sessions-limit-group and shared-secret statements are supported for L2TP LNS on MX Series routers.

Options

interface-id

Configure the interface identifier.

Values:

  • interface-id—Identifier for the interface representing a Layer 2 Tunneling Protocol (L2TP) session configured at the [edit interfaces interface-name unit local-unit-number dial-options] hierarchy level. For more information about the interface ID, see Services Interface Naming Overview.

lcp-renegotiation

Configure the L2TP network server (LNS) so that it renegotiates the Link Control Protocol (LCP) with the PPP client. When LCP renegotiation is disabled, the LNS uses the LCP parameters pre-negotiated between the L2TP access concentrator (LAC) and the PPP client to set up the session. When LCP renegotiation is enabled, authentication is also renegotiated.

Note

This statement is not supported at the [edit access group-profile l2tp] hierarchy level for L2TP LNS on MX Series routers.

local-chap

Configure the Junos OS so that the LNS ignores proxy authentication attribute-value pairs (AVPs) from the L2TP access concentrator (LAC) and reauthenticates the PPP client using a Challenge Handshake Authentication Protocol (CHAP) challenge. When you do this, the LNS directly authenticates the PPP client.

Note

This statement is not supported for L2TP LNS on MX Series routers.

maximum-sessions

Specify the maximum number of L2TP sessions for the chassis, all tunnels, a tunnel group, a session limit group, or a client.

Values:

  • number—Number of sessions allowed.

  • Range: (Chassis, tunnel group, session limit group, or client) 1 through the default maximum chassis limit

  • Range: (Tunnel) 1 through 65,536

maximum-sessions-per-tunnel

Configure the maximum sessions for a Layer 2 tunnel.

Note

This statement is not supported at the [edit access group-profile l2tp] hierarchy level for L2TP LNS on MX Series routers.

Values:

  • number—Maximum number of sessions for a Layer 2 tunnel.

multilink

Configure Multilink PPP for Layer 2 Tunneling Protocol (L2TP).

The options for this statement are explained separately. Click the linked statement for details.

override-result-code

Configure the LNS to override result codes in Call-Disconnect-Notify (CDN) messages.

Values:

  • session-out-of-resource—Override result codes 4 and 5 with result code 2. These result codes indicate that the number of L2TP sessions has reached the configured maximum value and the LNS can support no more sessions. When the LAC receives the code, it fails over to another LNS to establish subsequent sessions. Some third-party LACs respond only to result code 2.

ppp-authentication

(T Series only) Configure PPP authentication.

Note

This statement is not supported for L2TP LNS on MX Series routers.

Values:

  • chap—Challenge Handshake Authentication Protocol.

  • pap—Password Authentication Protocol.

ppp-profile

(M Series, T Series only) Specify the profile used to validate PPP session requests through L2TP tunnels.

Note

This statement is not supported for L2TP LNS on MX Series routers.

Values: profile-name—Identifier for the PPP profile.

sessions-limit-group

(MX Series only) Starting in Junos OS Release 16.1, specify in an L2TP access profile the session limit group to which a client is assigned by the profile.

Values: limit-group-name—Identifier of the session-limit group to which a client is assigned.

service-profile

Configure one or more dynamic service profiles to be applied to subscriber sessions at activation for all subscribers in the specified tunnel group or on the specified LAC. Services are typically applied to L2TP sessions with RADIUS VSAs or CoA requests. In multivendor environments, you might use only standard attributes to simplify management of multiple vendor VSAs. This statement enables you to apply services without using an external authority such as RADIUS. The locally configured list of services (service profiles) serves as local authorization that is applied by authd during client session activation. This list of services is subject to the same validation and processing as services originating from an external authority, such as RADIUS.

You can optionally specify parameters that are passed to the corresponding service when it is activated for the session. The parameter might override values configured in the profile itself, such as a downstream shaping rate for a CoS service. This enables you to use the same service profile for multiple situations with different requirements, or to modify a previously applied value for a service.

You can still use RADIUS VSAs or CoA requests together with the service profiles. If services are sourced from an external authority as authorization during authentication or during subscriber session provisioning (activation), the services from the external authority take strict priority over those in the local configuration. If a service applied with RADIUS is the same as a service applied with a service profile in the CLI, but with different parameters, the RADIUS service is applied with a new session ID and takes precedence over the earlier service profile.

When service profiles are configured on a LAC client and on a tunnel group that uses that LAC client, the LAC configuration overrides the tunnel group configuration. Only the service profile configured on the LAC client is applied to subscribers in the tunnel group.

Values:

  • profile-name—Name of a dynamic service profile that defines a service to be applied to L2TP subscriber sessions. You can specify one or more service profiles, separated by an ampersand (&).

  • parameter—(Optional) Value to be passed to the service when it is activated on the subscriber session.

shared-secret

Configure the shared secret.

Values:

  • shared-secret—Shared secret key for authenticating the peer.
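
An added example (not Juniper code): a small Python check that applies the per-statement notes above to a configuration in set format, flagging statements the page marks as unsupported for L2TP LNS on MX Series routers, use of pap, and clients with no shared-secret. The `set access profile ... client ... l2tp` and `set access group-profile ... l2tp` paths, the function name and the sample lines are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

# Per-statement notes on this page: not supported for L2TP LNS on MX Series.
MX_LNS_UNSUPPORTED = {"local-chap", "ppp-authentication", "ppp-profile"}
# Per-statement notes: not supported at [edit access group-profile l2tp] on MX LNS.
MX_GROUP_PROFILE_UNSUPPORTED = {"lcp-renegotiation", "maximum-sessions-per-tunnel"}

# Constructed sample in "set" format; the hierarchy paths are assumed, not from the page.
SAMPLE = '''\
set access profile lns-a client lac1 l2tp shared-secret "$9$constructed"
set access profile lns-a client lac1 l2tp maximum-sessions-per-tunnel 2000
set access profile lns-a client lac1 l2tp local-chap
set access profile lns-a client lac2 l2tp interface-id not-used
set access profile lns-a client lac2 l2tp ppp-authentication pap
set access group-profile gp1 l2tp lcp-renegotiation
set access group-profile gp1 l2tp interface-id not-used
'''

def audit_l2tp(config_text):
    """Return sorted (scope, finding) pairs for an MX Series LNS configuration."""
    findings = set()
    clients = defaultdict(set)  # "profile P client C" -> l2tp statements seen
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "access"] or "l2tp" not in tok:
            continue
        i = tok.index("l2tp")
        if i + 1 >= len(tok):
            continue
        stmt, args = tok[i + 1], tok[i + 2:]
        if tok[2] == "group-profile" and i == 4:
            scope = "group-profile " + tok[3]
            if stmt in MX_GROUP_PROFILE_UNSUPPORTED:
                findings.add((scope, stmt + ": not supported at group-profile level"))
        elif tok[2] == "profile" and tok[4:5] == ["client"] and i == 6:
            scope = "profile %s client %s" % (tok[3], tok[5])
            clients[scope].add(stmt)
        else:
            continue
        if stmt in MX_LNS_UNSUPPORTED:
            findings.add((scope, stmt + ": not supported for LNS on MX"))
        if stmt == "ppp-authentication" and args[:1] == ["pap"]:
            findings.add((scope, "pap: password sent in cleartext over the PPP link"))
    for scope, stmts in clients.items():
        if "shared-secret" not in stmts:
            findings.add((scope, "no shared-secret configured for authenticating the peer"))
    return sorted(findings)
```

Calling `audit_l2tp(SAMPLE)` returns the findings as a sorted list of (scope, finding) tuples that can be fed into a configuration review.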

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.