NAME

       startup-config - configuration file for l2tpns

SYNOPSIS

       /etc/l2tpns/startup-config

DESCRIPTION

       startup-config is the configuration file for l2tpns.

       The  format  is  plain  text,  in  the  same  format as accepted by the
       configuration  mode  of  l2tpns’s  telnet   administrative   interface.
       Comments are indicated by either the character # or !.

   SETTINGS
       Settings are specified with

              set variable value

       The following variables may be set:

              debug  Set  the  level  of debugging messages written to the log
                     file.  The value should be between 0 and 5, with 0  being
                     no debugging, and 5 being the highest.

              log_file
                     This  will be where all logging and debugging information
                     is written to.  This may be either a  filename,  such  as
                     /var/log/l2tpns,  or  the  string  syslog:facility, where
                     facility is any one of  the  syslog  logging  facilities,
                     such as local5.

              pid_file
                     If  set,  the process id will be written to the specified
                     file.  The value must be an absolute path.

              random_device
                     Path to random data source (default  /dev/urandom).   Use
                     "" to use the rand() library function.

              l2tp_secret
                     The secret used by l2tpns for authenticating tunnel
                     requests.  Must be the same as the secret configured on
                     the LAC, or authentication will fail.  Only used if the
                     LAC requests authentication.

              l2tp_mtu
                     MTU of interface for L2TP traffic (default: 1500).   Used
                     to set link MRU and adjust TCP MSS.

              ppp_restart_time
                     Restart  timer  for  PPP  protocol negotiation in seconds
                     (default: 3).

              ppp_max_configure
                     Number of configure requests to  send  before  giving  up
                     (default: 10).

              ppp_max_failure
                     Number of Configure-Nak requests to send before sending a
                     Configure-Reject (default: 5).

              primary_dns, secondary_dns
                     Whenever a PPP connection  is  established,  DNS  servers
                     will be sent to the user, both a primary and a secondary.
                     If either is set to 0.0.0.0, then that one  will  not  be
                     sent.

              primary_radius, secondary_radius
                     Sets  the RADIUS servers used for both authentication and
                     accounting.  If the primary server does not respond, then
                     the secondary RADIUS server will be tried.

              primary_radius_port, secondary_radius_port
                     Sets   the  authentication  ports  for  the  primary  and
                     secondary RADIUS servers.  The  accounting  port  is  one
                     more  than  the  authentication  port.   If  no ports are
                     given, authentication defaults to 1645, and accounting to
                     1646.

              radius_accounting
                     If  set  to  true, then RADIUS accounting packets will be
                     sent.  A Start record will be sent when  the  session  is
                     successfully  authenticated,  and  a Stop record when the
                     session is closed.

              radius_interim
                     If radius_accounting is on, defines the interval  between
                     sending   of   RADIUS   interim  accounting  records  (in
                     seconds).

              radius_secret
                     Secret to be used in RADIUS packets.

              radius_authtypes
                     A comma separated list of supported RADIUS authentication
                     methods   ("pap"  or  "chap"),  in  order  of  preference
                     (default "pap").

              radius_dae_port
                     Port for DAE RADIUS (Packet of  Death/Disconnect,  Change
                     of Authorization) requests (default: 3799).

              allow_duplicate_users
                     Allow  multiple  logins with the same username.  If false
                     (the default), any prior session with the  same  username
                     will be dropped when a new session is established.

              bind_address
                     When  the  tun  interface  is created, it is assigned the
                     address specified here.  If no address is given,  1.1.1.1
                     is  used.   Packets  containing  user  traffic  should be
                     routed via this address if given, otherwise  the  primary
                     address of the machine.

              peer_address
                     Address to send to clients as the default gateway.

              send_garp
                     Determines  whether  or  not to send a gratuitous ARP for
                     the bind_address when  the  server  is  ready  to  handle
                     traffic  (default: true).  This setting is ignored if BGP
                     is configured.

              throttle_speed
                     Sets the default speed (in kbits/s) which  sessions  will
                     be limited to.

              throttle_buckets
                     Number of token buckets to allocate for throttling.  Each
                     throttled session requires two buckets (in and out).

              accounting_dir
                     If set to a directory, then every 5 minutes the current
                     usage for every connected user will be dumped to a file
                     in this directory.

              setuid After starting up and binding the interface,  change  UID
                     to this.  This doesn’t work properly.

              dump_speed
                     If  set  to  true, then the current bandwidth utilization
                     will be logged every second.  Even if this  is  disabled,
                     you  can  see  this  information  by  running  the uptime
                     command on the CLI.

              multi_read_count
                     Number of packets to read off each of the UDP and TUN fds
                     when  returned  as  readable  by  select  (default:  10).
                     Avoids incurring the unnecessary system call overhead  of
                     select on busy servers.

              scheduler_fifo
                     Sets  the  scheduling  policy  for  the l2tpns process to
                     SCHED_FIFO.   This  causes  the  kernel  to   immediately
                     preempt   any   currently  running  SCHED_OTHER  (normal)
                     process in favour of l2tpns when it becomes runnable.
                     Ignored on uniprocessor systems.

              lock_pages
                     Keep all pages mapped by the l2tpns process in memory.

              icmp_rate
                     Maximum number of host unreachable ICMP packets  to  send
                     per second.

              packet_limit
                     Maximum  number  of  packets  of downstream traffic to be
                     handled each tenth of a second per session.  If zero,  no
                     limit  is  applied  (default:  0).   Intended  as  a  DoS
                     prevention mechanism and not a general throttling control
                     (packets are dropped, not queued).

              cluster_address
                     Multicast cluster address (default: 239.192.13.13).

              cluster_interface
                     Interface for cluster packets (default: eth0).

              cluster_mcast_ttl
                     TTL for multicast packets (default: 1).

              cluster_hb_interval
                     Interval   in   tenths   of   a  second  between  cluster
                     heartbeat/pings.

              cluster_hb_timeout
                     Cluster heartbeat timeout in tenths of a second.   A  new
                     master will be elected when this interval has been passed
                     without seeing a heartbeat from the master.

              cluster_master_min_adv
                     Determines the minimum number of up to date slaves
                     required before the master will drop routes (default: 1).

              ipv6_prefix
                     Enable negotiation of IPv6.  This forms the first 64
                     bits of the client allocated address.  The remaining 64
                     come from the allocated IPv4 address and 4 bytes of 0s.
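
       An added example, not part of l2tpns or of this manual page: a Python
       check that reads set lines in the format above and reports settings
       worth reviewing. It assumes shell-like double quoting of values; the
       sample file and all function names are constructed for illustration.

```python
import os
import shlex
import stat

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
# edge LNS (constructed sample)
set debug 3
set random_device ""
set l2tp_secret "example-secret"
! packet_limit left unset, so the default applies
set radius_secret "example-secret"
set setuid 100
"""

def parse_settings(text):
    """Collect 'set variable value' lines; '#' and '!' start comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        words = shlex.split(line)  # assumption: shell-like double quoting
        if len(words) == 3 and words[0] == "set":
            settings[words[1]] = words[2]
    return settings

def audit(settings):
    """Return the sorted names of settings that deserve a review."""
    flagged = set()
    if settings.get("random_device", "/dev/urandom") == "":
        flagged.add("random_device")   # rand() is not a cryptographic source
    if int(settings.get("packet_limit", "0")) == 0:
        flagged.add("packet_limit")    # 0 = no per-session packet limit
    if "setuid" in settings:
        flagged.add("setuid")          # documented as not working properly
    l2tp, radius = settings.get("l2tp_secret"), settings.get("radius_secret")
    if l2tp is not None and l2tp == radius:
        flagged.add("radius_secret")   # one secret reused for two protocols
    return sorted(flagged)

def secrets_world_readable(path):
    """True if the file holds a secret and group or other can read it."""
    with open(path) as fh:
        has_secret = any(k.endswith("_secret") for k in parse_settings(fh.read()))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return has_secret and bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```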

   BGP ROUTING
       The routing configuration section is entered by the command

              router bgp as

       where as specifies the local AS number.

       Subsequent lines prefixed with neighbour peer define the attributes of
       BGP neighbours.  Valid commands are:

              neighbour peer remote-as as
              neighbour peer timers keepalive hold

       Where  peer  specifies  the  BGP  neighbour  as either a hostname or IP
       address, as is the remote AS number and keepalive, hold are  the  timer
       values in seconds.

   NAMED ACCESS LISTS
       Named access lists may be defined with either of

              ip access-list standard name
              ip access-list extended name

       Subsequent  lines  starting  with permit or deny define the body of the
       access-list.

       Standard Access Lists
           Standard access lists are defined with:

                  {permit|deny} source [dest]

           Where source and dest specify IP matches using one of:

                  address wildcard
                  host address
                  any

           address and wildcard are in dotted-quad notation; bits in the
           wildcard indicate which address bits in address are relevant to
           the match (0 = exact match; 1 = don’t care).

           The shorthand ’host address’ is equivalent  to  ’address  0.0.0.0’;
           ’any’ to ’0.0.0.0 255.255.255.255’.
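
           An added example, not l2tpns code: the wildcard comparison
           described above, written in Python. Treating an omitted dest as
           any and returning the first matching rule are assumptions of this
           sketch; the rules and function names are constructed.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 'any' is 0.0.0.0 255.255.255.255

def parse_match(tokens):
    """Consume one IP match from tokens; return (address, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return ANY
    if word == "host":                       # 'host a' is 'a 0.0.0.0'
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(word)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_rule(line):
    """Parse '{permit|deny} source [dest]'."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    source = parse_match(tokens)
    dest = parse_match(tokens) if tokens else ANY   # assumption: no dest = any
    return action, source, dest

def ip_matches(ip, match):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    address, wildcard = match
    differing = int(ipaddress.IPv4Address(ip)) ^ address
    return (differing & ~wildcard & 0xFFFFFFFF) == 0

def first_match(rules, src, dst):
    """Action of the first rule matching src and dst (assumed order), or None."""
    for action, source, dest in map(parse_rule, rules):
        if ip_matches(src, source) and ip_matches(dst, dest):
            return action
    return None

# Constructed rule bodies for a standard access list.
RULES = [
    "deny host 192.0.2.66",
    "permit 192.0.2.0 0.0.0.255",        # every 192.0.2.x
    "permit 10.0.0.1 0.255.255.0 any",   # non-contiguous wildcard: 10.x.x.1
]

# A netmask written where a wildcard belongs compares only the last octet.
NETMASK_MISTAKE = parse_match("192.0.2.7 255.255.255.0".split())
```

           A rule written with a netmask such as 255.255.255.0 in place of
           the wildcard 0.0.0.255 matches far more addresses than intended,
           which is what NETMASK_MISTAKE shows.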

       Extended Access Lists
           Extended access lists are defined with:

                  {permit|deny} proto source [ports] dest [ports] [flags]

           Where  proto  is  one of ip, tcp or udp, and source and dest are as
           described above for standard lists.

           For TCP and UDP matches, source and destination may  be  optionally
           followed by a ports specification:

                  {eq|neq|gt|lt} port
                  range from to

           flags may be one of:

                  {match-any|match-all} {+|-}{fin|syn|rst|psh|ack|urg} ...
                         Match  packets  with  any or all of the tcp flags set
                         (+) or clear (-).

                  established
                         Match "established" TCP  connections:   packets  with
                         RST or ACK set, and SYN clear.

                  fragments
                         Match  IP  fragments.   May not be specified on rules
                         with layer 4 matches.
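
           An added example, not l2tpns code: the ports and flags tests of an
           extended rule evaluated in Python against a single packet. The
           function names are constructed, and treating range as inclusive at
           both ends is an assumption.

```python
# TCP header flag bits as defined by the TCP specification.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}

def flags_match(spec, tcp_flags):
    """Evaluate a flags specification against one packet's TCP flags byte."""
    words = spec.split()
    if words == ["established"]:
        # RST or ACK set, and SYN clear. Only this packet's flags are
        # inspected; no connection state is consulted.
        rst_or_ack = tcp_flags & (FLAG_BITS["rst"] | FLAG_BITS["ack"])
        return bool(rst_or_ack) and not (tcp_flags & FLAG_BITS["syn"])
    mode, terms = words[0], words[1:]
    if mode not in ("match-any", "match-all") or not terms:
        raise ValueError("unsupported flags specification: " + spec)
    results = []
    for term in terms:
        want_set = {"+": True, "-": False}[term[0]]   # + set, - clear
        is_set = bool(tcp_flags & FLAG_BITS[term[1:]])
        results.append(is_set == want_set)
    return any(results) if mode == "match-any" else all(results)

def port_matches(spec, port):
    """Evaluate '{eq|neq|gt|lt} port' or 'range from to' for one port."""
    words = spec.split()
    if words[0] == "range":
        low, high = int(words[1]), int(words[2])
        return low <= port <= high        # assumption: inclusive bounds
    value = int(words[1])
    tests = {"eq": port == value, "neq": port != value,
             "gt": port > value, "lt": port < value}
    return tests[words[0]]
```

           Because established is decided from the flags of the packet in
           hand, it is a stateless test and does not confirm that a
           connection was ever opened.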

SEE ALSO

       l2tpns(8)