Single-Shot L2TP/IPsec Tunnels Overview

You can use the single-shot-tunnel command in L2TP Destination Profile Host Configuration mode to configure a single-shot L2TP tunnel. Although configuration of single-shot tunnels is more typically used with secure L2TP/IPsec tunnels, you can also configure single-shot tunnels for nonsecure L2TP tunnels that do not run over an IPsec connection.

A single-shot tunnel does not persist beyond its last connected L2TP session. As a result, using single-shot L2TP/IPsec tunnels instead of the default (standard) tunnel behavior provides better protection against a brute force attack that makes multiple, simultaneous authentication attempts.

A single-shot tunnel has the following characteristics:

For L2TP/IPsec single-shot tunnels, as soon as the tunnel or its single session fails negotiations or disconnects, the router prevents any further L2TP tunnels or L2TP sessions from connecting, and requires that a new IPsec connection be established for any subsequent connection attempts.

Table 39 describes the differences between how the router handles the idle timeout period (configured with the l2tp tunnel idle-timeout command) and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard L2TP/IPsec tunnels and for single-shot L2TP/IPsec tunnels when the last remaining tunnel session has been disconnected.

Table 39: Differences in Handling Timeout Periods for L2TP/IPsec Tunnels

| Timeout Period | Standard L2TP/IPsec Tunnels (Not Single-Shot) | Single-Shot L2TP/IPsec Tunnels |
|---|---|---|
| Idle timeout period | The tunnel persists until the idle timeout period expires. If a new L2TP session is created before the idle timeout period expires, the tunnel persists to carry the new session and any subsequent sessions that are established. When the idle timeout period expires, the router disconnects the tunnel. | The router ignores the idle timeout period. This behavior prevents a single-shot tunnel from passing traffic after its single L2TP session is disconnected. |
| Destruct timeout period | The router signals the underlying IPsec transport connection to disconnect when the destruct timeout period expires. | The router signals the underlying IPsec transport connection to disconnect at the beginning of the destruct timeout period. |
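The following model, added here as an illustration and not Juniper code, walks through the lifecycle in Table 39 for a sequence of session attempts from one peer and counts how many IPsec connections that peer must establish; the timer values, class and function names, and the assumption that sessions do not overlap are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class L2tpPeer:
    """Tunnel/IPsec state the router holds for one peer (constructed model;
    sessions are assumed sequential, the single-session case on this page)."""
    single_shot: bool
    idle_timeout: int        # l2tp tunnel idle-timeout, seconds
    destruct_timeout: int    # l2tp destruct-timeout, seconds
    ipsec_up: bool = False
    tunnel_up: bool = False
    last_session_end: Optional[int] = None
    ipsec_connections: int = 0   # IPsec connections the peer had to establish

    def _age(self, now: int) -> None:
        """Apply the timers that ran while no session was connected."""
        if self.last_session_end is None:
            return
        elapsed = now - self.last_session_end
        if not self.single_shot:
            # Standard: tunnel lives until the idle timeout, IPsec until the
            # destruct timeout, both counted from the last session's end.
            if elapsed >= self.idle_timeout:
                self.tunnel_up = False
            if elapsed >= self.destruct_timeout:
                self.ipsec_up = False

    def session(self, start: int, end: int) -> Tuple[bool, bool]:
        """Run one L2TP session from `start` to `end` (a failed negotiation is
        just a very short session). Returns (new_ipsec_needed, new_tunnel_needed)."""
        self._age(start)
        new_ipsec, new_tunnel = not self.ipsec_up, not self.tunnel_up
        if new_ipsec:
            self.ipsec_connections += 1
        self.ipsec_up = self.tunnel_up = True
        self.last_session_end = end
        if self.single_shot:
            # Tunnel ends with its only session, the idle timeout is ignored, and
            # IPsec teardown is signalled at the start of the destruct period.
            self.tunnel_up = self.ipsec_up = False
        return new_ipsec, new_tunnel


def ipsec_connections_for(single_shot: bool, attempt_times, idle=60, destruct=300) -> int:
    """How many IPsec connections a peer must establish to make `attempt_times`
    sequential, near-instant session attempts (constructed scenario)."""
    peer = L2tpPeer(single_shot, idle, destruct)
    for t in attempt_times:
        peer.session(t, t)
    return peer.ipsec_connections
```

With ten attempts five seconds apart, a standard tunnel carries all of them over one IPsec connection, while single-shot handling forces a fresh IPsec connection for every attempt.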
