Configuring L2TP Tunnel Groups


To establish L2TP service on a router, you need to identify an L2TP tunnel group and specify a number of values that define which access profiles, interface addresses, and other properties to use in creating a tunnel. To identify the tunnel group, include the tunnel-group statement at the [edit services l2tp] hierarchy level.

Note

If you delete a tunnel group or mark it inactive, all L2TP sessions in that tunnel group are terminated. If you change the value of the local-gateway address or the service-interface statement, all L2TP sessions using those settings are terminated. If you change or delete other statements at the [edit services l2tp tunnel-group group-name] hierarchy level, new tunnels you establish will use the updated values but existing tunnels and sessions are not affected.

The following sections explain how to configure L2TP tunnel groups:

Configuring Access Profiles for L2TP Tunnel Groups

To validate L2TP connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You need to configure two types of profiles:

  • L2TP tunnel access profile, which validates all L2TP connection requests to the specified local gateway address

  • PPP access profile, which validates all PPP session requests through L2TP tunnels established to the local gateway address

For more information on configuring the profiles, see the Junos OS Administration Library. A profile example is included in Examples: Configuring L2TP Services.

To associate the profiles with a tunnel group, include the l2tp-access-profile and ppp-access-profile statements at the [edit services l2tp tunnel-group group-name] hierarchy level:

Configuring the Local Gateway Address and PIC

When you configure an L2TP group, you must also define a local address for the L2TP tunnel connections and the AS PIC that processes the requests:

  • To configure the local gateway IP address, include the address statement at the [edit services l2tp tunnel-group group-name local-gateway] hierarchy level:

  • To configure the AS PIC, include the service-interface statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

You can optionally specify the logical unit number along with the service interface. If specified, the unit is used as a logical interface representing PPP sessions negotiated using this profile.

Note

If you change the local gateway address or the service interface configuration, all L2TP sessions using those settings are terminated.

Dynamic class-of-service (CoS) functionality is supported on L2TP LNS sessions or L2TP sessions with ATM VCs, as long as the L2TP session is configured to use an IQ2 PIC on the egress interface. For more information, see the Class of Service User Guide (Routers and EX9200 Switches).

Configuring Window Size for L2TP Tunnels

You can configure the maximum window size for packet processing at each end of the L2TP tunnel:

  • The receive window size limits the number of concurrent packets the server processes. By default, the maximum is 16 packets. To change the window size, include the receive-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  • The maximum-send window size limits the other end’s receive window size. The information is transmitted in the receive window size attribute-value pair. By default, the maximum is 32 packets. To change the window size, include the maximum-send-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

Configuring Timers for L2TP Tunnels

You can configure the following timer values that regulate L2TP tunnel processing:

  • Hello interval—If the server does not receive any messages within a specified time interval, the router software sends a hello message to the tunnel’s remote peer. By default, the interval length is 60 seconds. If you configure a value of 0, no hello messages are sent. To configure a different value, include the hello-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  • Retransmit interval—By default, the retransmit interval length is 30 seconds. To configure a different value, include the retransmit-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  • Tunnel timeout—If the server cannot send any data through the tunnel within a specified time interval, it assumes that the connection with the remote peer has been lost and deletes the tunnel. By default, the interval length is 120 seconds. To configure a different value, include the tunnel-timeout statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

Hiding Attribute-Value Pairs for L2TP Tunnels

Once an L2TP tunnel has been established and the connection authenticated, information is encoded by means of attribute-value pairs. By default, this information is not hidden. To hide the attribute-value pairs once the shared secret is known, include the hide-avps statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

Configuring System Logging of L2TP Tunnel Activity

You can specify properties that control how system log messages are generated for L2TP services.

To configure interface-wide default system logging values, include the syslog statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

Configure the host statement with a hostname or IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname.

Table 1 lists the severity levels that you can specify in configuration statements at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 1: System Log Message Severity Levels

  Severity Level   Description
  any              Includes all severity levels
  emergency        System panic or other condition that causes the router to stop functioning
  alert            Conditions that require immediate correction, such as a corrupted system database
  critical         Critical conditions, such as hard drive errors
  error            Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
  warning          Conditions that warrant monitoring
  notice           Conditions that are not errors but might warrant special handling
  info             Events or nonerror conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log Network Address Translation (NAT) events, set the level to info.

For more information about system log messages, see the System Log Explorer.

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:

The supported facilities include: authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:
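The following configuration brings together the tunnel-group statements from the preceding sections (access profiles, local gateway, service interface, window sizes, timers, AVP hiding) and the system logging statements above. It is an added example, not taken from the Juniper documentation: the group name, profile names, addresses, interface, facility and prefix are constructed values, the two access profiles are assumed to already exist at [edit access profile], and the `services` severity statement under `syslog host` is an assumed statement name.

```junos
services {
    l2tp {
        tunnel-group lns-group-1 {                   /* constructed group name */
            l2tp-access-profile l2tp-tunnel-profile; /* assumed to exist at [edit access profile] */
            ppp-access-profile ppp-session-profile;  /* assumed to exist at [edit access profile] */
            local-gateway {
                address 192.0.2.1;                   /* constructed gateway address; changing it terminates sessions */
            }
            service-interface sp-1/2/0.1;            /* AS PIC, with optional logical unit 1 for PPP sessions */
            receive-window 16;                       /* default (16 packets) stated explicitly */
            maximum-send-window 32;                  /* default (32 packets) stated explicitly */
            hello-interval 60;                       /* seconds; 0 would disable hello messages */
            retransmit-interval 30;                  /* seconds */
            tunnel-timeout 120;                      /* seconds of no data before the tunnel is deleted */
            hide-avps;                               /* hide AVPs once the shared secret is known */
            syslog {
                host 198.51.100.20 {                 /* constructed external syslog server, one host only */
                    services error;                  /* assumed statement name; error is the recommended level */
                    facility-override local3;        /* one facility code for all messages to this host */
                    log-prefix L2TP-LNS1;            /* constructed text prefix */
                }
            }
        }
    }
}
```

Raising the severity to notice or info should be a temporary, scoped change, since changing statements other than local-gateway address and service-interface affects only tunnels established afterwards.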