Single-Shot Tunnels
You can use the single-shot-tunnel command in L2TP Destination Profile Host
Configuration mode to configure a single-shot L2TP tunnel. Although
single-shot tunnels are more typically used with secure L2TP/IPSec tunnels,
as described in this chapter, you can also configure single-shot tunnels for
nonsecure L2TP tunnels that do not run over an IPSec connection.
A single-shot tunnel has the following characteristics:
- The L2TP tunnel can carry no more than a single L2TP session
for the duration of its existence.
- The router ignores the idle timeout period for single-shot
tunnels. This means that as soon as a single-shot tunnel's session
is removed, the single-shot tunnel proceeds to disconnect.
- The following characteristics apply only to secure L2TP/IPSec
single-shot tunnels:
  - The underlying IPSec connection for a single-shot tunnel
  can carry no more than a single L2TP tunnel for the duration of its
  existence.
  - The router disconnects the underlying IPSec transport
  connection for a single-shot tunnel at the beginning of the destruct
  timeout period instead of waiting until the destruct timeout period
  expires.
For L2TP/IPSec single-shot tunnels, as soon as
the tunnel or its single session fails negotiations or disconnects,
the router prevents any further L2TP tunnels or L2TP sessions from
connecting, and requires that a new IPSec connection be established
for any subsequent connection attempts.
Table 19 describes the differences
between how the router handles the idle timeout period (configured
with the l2tp tunnel idle-timeout command)
and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard L2TP/IPSec
tunnels and for single-shot L2TP/IPSec tunnels when the last remaining
tunnel session has been disconnected.
Table 19: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels

| Timeout Period | Standard L2TP/IPSec Tunnels (Not Single-Shot) | Single-Shot L2TP/IPSec Tunnels |
|---|---|---|
| Idle timeout period | The tunnel persists until the idle timeout period expires. If a new L2TP session is created before the idle timeout period expires, the tunnel persists to carry the new session and any subsequent sessions that are established. When the idle timeout period expires, the router disconnects the tunnel. | The router ignores the idle timeout period. This behavior prevents a single-shot tunnel from passing traffic after its single L2TP session is disconnected. |
| Destruct timeout period | The router signals the underlying IPSec transport connection to disconnect when the destruct timeout period expires. | The router signals the underlying IPSec transport connection to disconnect at the beginning of the destruct timeout period. |
For information about configuring L2TP/IPSec single-shot
tunnels on the router, see Configuring Single-Shot Tunnels.
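The following Python model is an added example, not router code or vendor tooling. It replays one sequence of session events against the standard and single-shot behavior in Table 19 to show how long the tunnel and the IPSec transport outlive the last session. Assumptions: the destruct timeout period starts when the tunnel disconnects, and the names Policy, replay, the outcome labels, and all timer and event values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    single_shot: bool
    idle_timeout: int      # seconds, set with l2tp tunnel idle-timeout
    destruct_timeout: int  # seconds, set with l2tp destruct-timeout

def replay(policy, events):
    """Replay time-ordered (seconds, "up" | "down") L2TP session events for
    one L2TP/IPSec tunnel. Returns (outcomes, tunnel_down, ipsec_down) with
    one outcome label per "up" attempt."""
    active = 0              # sessions currently on the tunnel
    used = False            # tunnel has already carried a session
    idle_deadline = None    # pending idle expiry (standard tunnels only)
    tunnel_down = ipsec_down = None
    outcomes = []

    def expire_idle(now):
        # Assumption: the destruct timeout period starts at tunnel disconnect.
        nonlocal tunnel_down, ipsec_down
        due = idle_deadline is not None and (now is None or now >= idle_deadline)
        if tunnel_down is None and due:
            tunnel_down = idle_deadline
            ipsec_down = tunnel_down + policy.destruct_timeout

    for t, kind in events:
        expire_idle(t)
        if kind == "down":
            if tunnel_down is None and active > 0:
                active -= 1
                if active == 0 and policy.single_shot:
                    tunnel_down = ipsec_down = t  # idle ignored, IPSec dropped at once
                elif active == 0:
                    idle_deadline = t + policy.idle_timeout
        elif tunnel_down is not None:
            # "ipsec-still-up": transport not yet signaled to disconnect.
            outcomes.append("ipsec-still-up" if t < ipsec_down else "new-ipsec-required")
        elif policy.single_shot and used:
            outcomes.append("refused-single-session")
        else:
            active, used, idle_deadline = active + 1, True, None
            outcomes.append("carried")
    expire_idle(None)  # settle a pending idle expiry after the last event
    return outcomes, tunnel_down, ipsec_down

# Constructed sample: timer values and event times are illustrative only.
EVENTS = [(0, "up"), (100, "down"), (130, "up"), (200, "down"), (265, "up"), (300, "up")]
STANDARD = replay(Policy(False, 60, 10), EVENTS)
SINGLE_SHOT = replay(Policy(True, 60, 10), EVENTS)
```

With these sample values the standard tunnel keeps its IPSec transport up until 270 seconds, while the single-shot tunnel and its transport are both gone at 100 seconds, when the only session disconnects.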