

       xl2tpd.conf - L2TPD configuration file


       The xl2tpd.conf file contains configuration information for xl2tpd, an
       implementation of the L2TP protocol.

       The configuration file is composed of sections and parameters. Each
       section has a given name, which is used when addressing it through the
       configuration FIFO (normally /var/run/l2tp-control). See xl2tpd.8 for
       more details.

       The special section name default specifies parameters applicable to
       all the following sections.


       auth file
              Specify  where  to  find  the  authentication   file   used   to
              authenticate      l2tp      tunnels.      The     default     is

       ipsec saref
              Use IPsec Security Association tracking. When this is enabled,
              packets received by xl2tpd should have two extra fields (refme
              and refhim), which allow tracking of multiple clients using the
              same internal NATed IP address, and tracking of multiple
              clients behind the same NAT router. This needs to be supported by
              the kernel. Currently, this only works with Openswan KLIPS in
              "mast" mode. (see

              Set this to yes and the system will provide proper SAref  values
              in the recvmsg() calls.

              Values can be yes or no. The default is no.

              The IP address of the interface on which the daemon listens.  By
              default, it listens on INADDR_ANY (, meaning it  listens
              on all interfaces.

       port   Specify which UDP port xl2tpd should use. The default is 1701.

       access control
              If set to yes, the xl2tpd process will only accept connections
              from peer addresses specified in the following sections. The
              default is no.

       debug avp
              Set  this  to  yes to enable syslog output of L2TP AVP debugging

       debug network
              Set this to yes to enable syslog  output  of  network  debugging

       debug packet
              Set  this  to  yes  to  enable printing of L2TP packet debugging
              information.  Note: Output goes to STDOUT, so use this  only  in
              conjunction with the -D command line option.

       debug state
              Set  this  to  yes  to  enable  syslog  output  of FSM debugging

       debug tunnel
              Set this to yes to enable  syslog  output  of  tunnel  debugging


              If  set  to  yes,  only one control tunnel will be allowed to be
              built between 2 peers. CHECK

       (no) ip range
              Specify the range of ip addresses the LNS  will  assign  to  the
              connecting  LAC  PPP  tunnels.  Multiple  ranges can be defined.
              Using the ’no’ statement disallows the use  of  that  particular
              range.   Ranges  are  defined using the format IP - IP (example:
     -  Note that either at  least  one  ip  range
              option must be given, or you must set assign ip to no.

       assign ip
              Set this to no if xl2tpd should not assign IP addresses out of
              the pool defined with the ip range option. This can be useful
              if you have some other means to assign IP addresses, e.g. a
              pppd that supports RADIUS AAA.

       (no) lac
              Specify the ip addresses of LAC’s which are allowed  to  connect
              to  xl2tpd  acting  as  a  LNS. The format is the same as the ip
              range option.

       hidden bit
              If set to yes, xl2tpd will use the AVP hiding feature  of  L2TP.
              To  get  more information about hidden AVP’s and AVP in general,
              refer to rfc2661 (add URL?)

       local ip
              Use the following IP as xl2tpd’s own ip address.

       length bit
              If set to yes, the length bit present in the l2tp packet payload
              will be used.

       (refuse | require) chap
              Will  require or refuse the remote peer to get authenticated via
              CHAP for the ppp authentication.

       (refuse | require) pap
              Will require or refuse the remote peer to get authenticated  via
              PAP for the ppp authentication.

       (refuse | require) authentication
              Will require or refuse the remote peer to authenticate itself.

       unix authentication
              If  set  to  yes,  /etc/passwd  will be used for remote peer ppp

              Will report this as the xl2tpd hostname in negotiation.

       ppp debug
              This will enable the debug for pppd.

              Specify the path for a file which  contains  pppd  configuration
              parameters to be used.

       call rws
              This  option  is deprecated and no longer functions.  It used to
              be used to define the flow control window  size  for  individual
              L2TP  calls  or sessions.  The L2TP standard (RFC2661) no longer
              defines flow control or window sizes on calls or sessions.

       tunnel rws
              This defines the window size of the control channel.  The window
              size  is  defined  as  the  number of outstanding unacknowledged
              packets, not as a number of bytes.

       flow bits
              If set  to  yes,  sequence  numbers  will  be  included  in  the
              communication.   The feature to use sequence numbers in sessions
              is currently broken and does not function.

              If set to yes,  use  challenge  authentication  to  authenticate


       The following are LAC-specific configuration flags. Most of those
       described in the LNS section may also be used in a LAC context, where
       it makes sense (essentially L2TP protocol tuning flags and
       authentication / ppp related ones).

       lns    Set the dns name or ip address of the LNS to connect to.

       redial If set to yes, xl2tpd will attempt to redial if the call gets

       redial timeout
              Wait  X  seconds before redial. The redial option must be set to
              yes to use this option.

       max redial
              Will give up redial tries after X attempts.
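
       An added example (not part of the original man page or of the xl2tpd
       project): a small Python check that parses an xl2tpd.conf and reports
       where access control, require authentication or refuse pap are not set
       to yes. The policy, the sample file, and the [global] / [lns name]
       header and ';' comment syntax are assumptions that this page does not
       show.

```python
import re

# Constructed sample; addresses are documentation ranges, not from the page.
SAMPLE_CONF = """\
[global]
port = 1701
; access control left at its default (no)

[lns default]
ip range = 192.0.2.100 - 192.0.2.200
local ip = 192.0.2.1
require chap = yes

[lns branch]
lac = 198.51.100.7
refuse pap = yes
require authentication = yes
"""

def parse_conf(text):
    """Return {section: {option: value}}. A 'default' section seeds every
    later section of the same kind, as the man page describes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # assumed: ';' starts a comment
        header = re.fullmatch(r"\[\s*(\S.*?)\s*\]", line)
        if header:
            name = " ".join(header.group(1).lower().split())
            seed = sections.get(name.split()[0] + " default", {})
            current = sections.setdefault(name, dict(seed))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(sections):
    """Return (section, option) pairs that miss the assumed policy."""
    findings = []
    if sections.get("global", {}).get("access control", "no") != "yes":
        findings.append(("global", "access control"))
    for name, opts in sections.items():
        if name.split()[0] != "lns":
            continue
        for option in ("require authentication", "refuse pap"):
            if opts.get(option) != "yes":
                findings.append((name, option))
    return findings

if __name__ == "__main__":
    for section, option in audit(parse_conf(SAMPLE_CONF)):
        print(f"[{section}] {option} is not set to yes")
```

       Repeated options such as multiple ip range lines keep only the last
       value here, which is enough for the yes/no options this check reads.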


       /etc/xl2tpd/xl2tpd.conf                        /etc/xl2tpd/l2tp-secrets


       Please address bugs and comment to




       Forked           from           xl2tpd           by           Xelerance

       Michael      Richardson      <>      Paul      Wouters

       Many thanks to Jacco de Leeuw <> for maintaining l2tpd.

       Previous      development      was      hosted      at      sourceforge
       ( by:

       Scott Balmos <>
       David Stipp <>
       Jeff McAdams <>

       Based off of l2tpd version 0.60
       Copyright (C)1998 Adtran, Inc.
       Mark Spencer <>