Presentation is loading. Please wait.

Presentation is loading. Please wait.

L2tpd - L2TP for Unix Land of confusion.

Published byBenjamin Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "L2tpd - L2TP for Unix Land of confusion."— Presentation transcript:

1 l2tpd - L2TP for Unix Land of confusion

2 Overview of L2TP protocol

3 Layer 2 Tunnelling Protocol
Product of the PPP Extensions working group of the IETF Largely builds on the work done with L2F at Cisco Backwards compatible with L2F

4 L2TP features Encapsulates PPP Utilizes UDP
Reliable Signalling channel ("Control Connection") Unreliable Data Channel Data Channel sequencing Tunnel level authentication

5 Applications for L2TP Half of a secure VPN implementation
Overlay network Avoid University firewalls Remote static IP address Global addressing behind NAT

6 L2TP Header Format |T|L|x|x|S|x|O|P|x|x|x|x|Version| | Length (opt.) | | Tunnel ID | | Session ID | | Sequence Number (Ns) | | Expected Sequence Number (Nr) | | Offset Size (opt.) | | Offset Pad (opt.) | T=Type bit Set for control packets L=Length bit Set if Length field is present S=Sequence bit Set if sequence numbers are present, always set for Control messages O=Offset bit Set if offset field is present Rarely used P=Priority bit Set if this packet should be given preferential treatment I've never seen this used Version Set to 2 currently, 1 indicates L2F as it used substantially the same header format

7 L2TP Header Format 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 Length
|T|L|x|x|S|x|O|P|x|x|x|x|Version| | Length (opt.) | | Tunnel ID | | Session ID | | Sequence Number (Ns) | | Expected Sequence Number (Nr) | | Offset Size (opt.) | | Offset Pad (opt.) | Length Total length of L2TP packet Tunnel ID Identifies Tunnel that this packet is associated with Session ID Identifies Session within the tunnel that this packet is associated with Sequence Number (Ns) Start with 0, increment for each packet in tunnel Expected Sequence Number (Nr) Sequence number expected in next packet from peer Offset Size Size, in octets of Offset Pad field Offset Pad Undefined “filler”

8 L2TP AVP Format |M|H| rsvd | Length | | Vendor ID | | Attribute Type | | Attribute Value ...[until length is reached... | M=Mandatory bit If you don't understand this AVP, shut down the tunnel or session H=Hidden bit This attribute is "hidden" Length Overall length of the AVP, including these headers (minimum value of 6) Vendor ID 0 for IETF defined AVP's Attribute Type What attribute is this? Attribute Value Actual attribute data (if Length field is 6, this field is absent)

9 L2TP Message Types 1 - SCCRQ - Start Control Connection ReQuest
2 - SCCRP - Start Control Connection RePly 3 - SCCCN - Start Connection Control CoNnected 4 - StopCCN - Stop Control Connection Notification 6 - HELLO - HELLO 7 - OCRQ - Outgoing Call ReQuest 8 - OCRP - Outgoing Call RePly 9 - OCCN - Outgoing Call CoNnected 10 - ICRQ - Incoming Call ReQuest 11 - ICRP - Incoming Call RePly 12 - ICCN - Incoming Call CoNnected 14 - CDN - Call Disconnect Notification 15 - WEN - Wan Error Notify 16 - SLI - Set Link Info

10 The Future of L2TP - L2TPv3 New data channel header format
Clarify ambiguities in current standard Encapsulates other types of frames than PPP (work with PWE3 - Pseudo Wire Emulation Edge to Edge) Ethernet Frame relay Circuit emulation

11 Overview of l2tpd software package

12 History of l2tpd Originally written by Mark Spencer last version 0.60 Forked in 2000 by Scott Balmos and David Stipp, hosted on Sourceforge Turned over control in Jan to me Obtained support of Mark Spencer for further development as well Further detail at

13 l2tpd features Tunnel level authentication (currently broken)
Works as both LNS and LAC (only with PPP on same system) "Autodial" pre-configured peers "interactive" control (named pipe)

14 Known bugs Challenge Response authentication on tunnels broken
Data channel sequencing support doesn't exist pty handling is horrible, though works after a fashion Session and tunnel shutdown works, barely

15 l2tpd - current work directions
Bugfixing, bugfixing, bugfixing Easily integrated new features (data sequencing) Knobs for interoperability Did I mention bugfixing? No significant new feature work

16 l2tpd-devel What I'm calling the "next-generation" l2tpd
No working code available yet kernel-module pppd plugin l2tpd daemon

17 "Interactive" use of l2tpd
echo "t " > /var/run/l2tp-control Standard output of l2tpd gives you a tunnel ID: control_finish: Connection established to , Local: 17767, Remote: 86. echo "c 17767" > /var/run/l2tp-control

18 /etc/l2tp/l2tpd.conf [global] port = 1701 [lns default]
ip range = lac = hidden bit = no refuse chap = yes require authentication = yes ppp debug = yes [lac cindsl01] lns = autodial = yes [lac iostest] lns =

19 l2tpd compared to other tunnelling technologies

20 Why L2TP vs. IPSec Tunnel Mode
Multi-Protocol Authentication flexibility Works via NAT Multi-Link PPP avoids MTU issues Encryption Protocol overhead

21 L2TP PPTP Why L2TP vs. PPTP Open standard Weak encryption
Not Microsoft - 'nuff said Weak encryption Microsoft Non-standard

22 L2TP GRE/IPIP Why L2TP vs. GRE or IPIP Scaleability
Control protocol mechanism Authentication Multi-protocol Low protocol overhead Simple configuration No dependancy on PPP

23 L2TP VTun Why L2TP vs. VTun Interoperability
Open standard Can carry varied types of traffic Open Encryption Traffic Shaping

Download ppt "L2tpd - L2TP for Unix Land of confusion."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP)
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
W. Mark Townsley townsley@cisco.com Pseudowires and L2TPv3 W. Mark Townsley townsley@cisco.com.

W. Mark Townsley Pseudowires and L2TPv3 W. Mark Townsley
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Internet Security CSCE 813 Network Access Layer Security Protocols.

Internet Security CSCE 813 Network Access Layer Security Protocols.
Softwires Hub & Spoke using L2TPv3

Softwires Hub & Spoke using L2TPv3
WAN Technologies Dial-up modem connections Cheap Slow

WAN Technologies Dial-up modem connections Cheap Slow
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
VPN – Virtual Private Networking. VPN A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this.

VPN – Virtual Private Networking. VPN A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
1 © J. Liebeherr, All rights reserved Virtual Private Networks.

1 © J. Liebeherr, All rights reserved Virtual Private Networks.

Similar presentations

Ads by Google