    Single-Shot L2TP/IPsec Tunnels Overview

    You can use the single-shot-tunnel command in L2TP Destination Profile Host Configuration mode to configure a single-shot L2TP tunnel. Although configuration of single-shot tunnels is more typically used with secure L2TP/IPsec tunnels, you can also configure single-shot tunnels for nonsecure L2TP tunnels that do not run over an IPsec connection.

    A single-shot tunnel does not persist beyond its last connected L2TP session. As a result, using single-shot L2TP/IPsec tunnels instead of the default (standard) tunnel behavior provides better protection against a brute force attack that makes multiple, simultaneous authentication attempts.

    A single-shot tunnel has the following characteristics:

    • The L2TP tunnel can carry no more than a single L2TP session for the duration of its existence.
    • The router ignores the idle timeout period for single-shot tunnels. As soon as a single-shot tunnel's session is removed, the tunnel disconnects.
    • The following characteristics apply only to secure L2TP/IPsec single-shot tunnels:
      • The underlying IPsec connection for a single-shot tunnel can carry no more than a single L2TP tunnel for the duration of its existence.
      • The router disconnects the underlying IPsec transport connection for a single-shot tunnel at the beginning of the destruct timeout period instead of waiting until the destruct timeout period expires.

    For L2TP/IPsec single-shot tunnels, as soon as the tunnel or its single session fails negotiations or disconnects, the router prevents any further L2TP tunnels or L2TP sessions from connecting, and requires that a new IPsec connection be established for any subsequent connection attempts.

    Table 1 describes the differences between how the router handles the idle timeout period (configured with the l2tp tunnel idle-timeout command) and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard L2TP/IPsec tunnels and for single-shot L2TP/IPsec tunnels when the last remaining tunnel session has been disconnected.

    Table 1: Differences in Handling Timeout Periods for L2TP/IPsec Tunnels

    Idle timeout period
      Standard L2TP/IPsec tunnels (not single-shot): The tunnel persists until the idle timeout period expires. If a new L2TP session is created before the idle timeout period expires, the tunnel persists to carry the new session and any subsequent sessions that are established. When the idle timeout period expires, the router disconnects the tunnel.
      Single-shot L2TP/IPsec tunnels: The router ignores the idle timeout period. This behavior prevents a single-shot tunnel from passing traffic after its single L2TP session is disconnected.

    Destruct timeout period
      Standard L2TP/IPsec tunnels (not single-shot): The router signals the underlying IPsec transport connection to disconnect when the destruct timeout period expires.
      Single-shot L2TP/IPsec tunnels: The router signals the underlying IPsec transport connection to disconnect at the beginning of the destruct timeout period.
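    The lifecycle rules in the characteristics list and in Table 1 are easier to compare when the same event sequence is run against both tunnel types. The following model is an added illustration, not router code and not part of the original documentation: it assumes a simplified state machine in which the destruct timeout period begins the moment the tunnel disconnects, and the timer values (60-second idle timeout, 30-second destruct timeout) and the session/tunnel event timeline are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed timer values for the illustration (not router defaults).
IDLE_TIMEOUT = 60.0      # stands in for "l2tp tunnel idle-timeout" (seconds)
DESTRUCT_TIMEOUT = 30.0  # stands in for "l2tp destruct-timeout" (seconds)


@dataclass
class IpsecTransport:
    """The IPsec connection that an L2TP tunnel runs over."""
    up: bool = True
    tunnels_carried: int = 0                # tunnels ever carried by this connection
    disconnect_at: Optional[float] = None   # time the router signals it to disconnect


@dataclass
class L2tpTunnel:
    transport: IpsecTransport
    single_shot: bool
    up: bool = True
    sessions: set = field(default_factory=set)
    sessions_carried: int = 0               # sessions ever carried by this tunnel
    idle_since: Optional[float] = None      # start of the idle period (standard only)
    log: List[str] = field(default_factory=list)

    def add_session(self, now: float, sid: str) -> bool:
        """A session attempts to connect over this tunnel."""
        if not self.up:
            self.log.append(f"t={now:g} session {sid} rejected: tunnel down")
            return False
        if self.single_shot and self.sessions_carried >= 1:
            # Single-shot: no more than one session for the tunnel's lifetime.
            self.log.append(f"t={now:g} session {sid} rejected: single-shot tunnel already carried a session")
            return False
        self.sessions.add(sid)
        self.sessions_carried += 1
        self.idle_since = None              # a live session stops the idle timer
        self.log.append(f"t={now:g} session {sid} connected")
        return True

    def remove_session(self, now: float, sid: str) -> None:
        """A session disconnects; decide what happens to the tunnel."""
        self.sessions.discard(sid)
        self.log.append(f"t={now:g} session {sid} disconnected")
        if self.sessions:
            return
        if self.single_shot:
            self._disconnect(now)           # idle timeout ignored: tear down at once
        else:
            self.idle_since = now           # standard: tunnel persists, idle timer runs

    def tick(self, now: float) -> None:
        """Advance the clock: expire the idle timer and the IPsec disconnect."""
        if (self.up and self.idle_since is not None
                and now - self.idle_since >= IDLE_TIMEOUT):
            self.log.append(f"t={now:g} idle timeout expired")
            self._disconnect(now)
        t = self.transport
        if t.up and t.disconnect_at is not None and now >= t.disconnect_at:
            t.up = False
            self.log.append(f"t={now:g} IPsec transport disconnected")

    def _disconnect(self, now: float) -> None:
        self.up = False
        self.log.append(f"t={now:g} tunnel disconnected; destruct timeout period begins")
        # Single-shot: signal IPsec at the start of the destruct period.
        # Standard: signal IPsec when the destruct period expires.
        self.transport.disconnect_at = now if self.single_shot else now + DESTRUCT_TIMEOUT
        self.tick(now)


def open_tunnel(transport: IpsecTransport, single_shot: bool) -> Optional[L2tpTunnel]:
    """Attempt to bring up an L2TP tunnel over an existing IPsec connection."""
    if not transport.up:
        return None     # a new IPsec connection would have to be established
    if single_shot and transport.tunnels_carried >= 1:
        return None     # single-shot: one tunnel per IPsec connection, ever
    transport.tunnels_carried += 1
    return L2tpTunnel(transport=transport, single_shot=single_shot)


def run_scenario(single_shot: bool) -> dict:
    """Constructed timeline: one session, a reconnect attempt, a second tunnel."""
    transport = IpsecTransport()
    tunnel = open_tunnel(transport, single_shot)
    tunnel.add_session(0, "A")
    tunnel.remove_session(10, "A")
    second_session_ok = tunnel.add_session(15, "B")     # reconnect on the same tunnel
    if second_session_ok:
        tunnel.remove_session(25, "B")
    for now in (40, 85, 100):
        tunnel.tick(now)
    second_tunnel = open_tunnel(transport, single_shot)  # new tunnel attempt at t=100
    return {
        "log": tunnel.log,
        "second_session_accepted": second_session_ok,
        "second_tunnel_accepted": second_tunnel is not None,
        "ipsec_up_at_100": transport.up,
        "ipsec_disconnect_at": transport.disconnect_at,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("single-shot" if mode else "standard")
        for line in run_scenario(mode)["log"]:
            print("  " + line)
```

    Running both scenarios shows the contrast the table describes: the standard tunnel keeps carrying new sessions until the idle timer expires at t=85 and only then starts a destruct period that ends at t=115, so the IPsec connection is still available for another tunnel at t=100; the single-shot tunnel drops at t=10 together with its IPsec connection, so both the later session and the later tunnel are refused until a fresh IPsec connection is negotiated.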

    Published: 2014-08-12