Configuring L2TP Tunnel Groups
To establish L2TP service on a router, you need to identify an L2TP tunnel group and specify a number of values that define which access profiles, interface addresses, and other properties to use in creating a tunnel. To identify the tunnel group, include the tunnel-group statement at the [edit services l2tp] hierarchy level:
Note: If you delete a tunnel group or mark it inactive, all L2TP sessions in that tunnel group are terminated. If you change the value of the local-gateway address or the service-interface statement, all L2TP sessions using those settings are terminated. If you change or delete other statements at the [edit services l2tp tunnel-group group-name] hierarchy level, new tunnels you establish will use the updated values but existing tunnels and sessions are not affected.
The following sections explain how to configure L2TP tunnel groups:
Configuring Access Profiles for L2TP Tunnel Groups
To validate L2TP connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You need to configure two types of profiles:
- L2TP tunnel access profile, which validates all L2TP connection requests to the specified local gateway address
- PPP access profile, which validates all PPP session requests through L2TP tunnels established to the local gateway address
For more information on configuring the profiles, see the Junos OS Administration Library for Routing Devices. A profile example is included in Examples: Configuring L2TP Services.
To associate the profiles with a tunnel group, include the l2tp-access-profile and ppp-access-profile statements at the [edit services l2tp tunnel-group group-name] hierarchy level:
Configuring the Local Gateway Address and PIC
When you configure an L2TP group, you must also define a local address for the L2TP tunnel connections and the AS PIC that processes the requests:
- To configure the local gateway IP address, include the local-gateway statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  local-gateway address address;
- To configure the AS PIC, include the service-interface statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  service-interface sp-fpc/pic/port;
You can optionally specify the logical unit number along with the service interface. If specified, the unit is used as a logical interface representing PPP sessions negotiated using this profile.
Note: If you change the local gateway address or the service interface configuration, all L2TP sessions using those settings are terminated.
Dynamic class-of-service (CoS) functionality is supported on L2TP LNS sessions or L2TP sessions with ATM VCs, as long as the L2TP session is configured to use an IQ2 PIC on the egress interface. For more information, see the Junos OS Class of Service Library for Routing Devices.
Configuring Window Size for L2TP Tunnels
You can configure the maximum window size for packet processing at each end of the L2TP tunnel:
- The receive window size limits the number of concurrent packets the server processes. By default, the maximum is 16 packets. To change the window size, include the receive-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  receive-window packets;
- The maximum-send window size limits the other end's receive window size. The information is transmitted in the receive window size attribute-value pair. By default, the maximum is 32 packets. To change the window size, include the maximum-send-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  maximum-send-window packets;
Configuring Timers for L2TP Tunnels
You can configure the following timer values that regulate L2TP tunnel processing:
- Hello interval—If the server does not receive any messages within a specified time interval, the router software sends a hello message to the tunnel's remote peer. By default, the interval length is 60 seconds. If you configure a value of 0, no hello messages are sent. To configure a different value, include the hello-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  hello-interval seconds;
- Retransmit interval—By default, the retransmit interval length is 30 seconds. To configure a different value, include the retransmit-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  retransmit-interval seconds;
- Tunnel timeout—If the server cannot send any data through the tunnel within a specified time interval, it assumes that the connection with the remote peer has been lost and deletes the tunnel. By default, the interval length is 120 seconds. To configure a different value, include the tunnel-timeout statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
  tunnel-timeout seconds;
Hiding Attribute-Value Pairs for L2TP Tunnels
Once an L2TP tunnel has been established and the connection authenticated, information is encoded by means of attribute-value pairs. By default, this information is not hidden. To hide the attribute-value pairs once the shared secret is known, include the hide-avps statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
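The configuration below is an example added here, not a fragment from the Junos documentation or from any Juniper example, that ties together the access-profile, gateway, service-interface, window, timer, and hide-avps statements described in the preceding sections. The tunnel-group name lns-group-1, the profile names l2tp-tunnel-profile and ppp-session-profile, the client names, the placeholder secrets, the gateway address 192.0.2.1, and the service interface sp-1/2/0 are all assumed values, and the bodies of the two access profiles are an assumed minimal shape rather than a complete profile definition (the full profile syntax is in the Junos OS Administration Library).

```junos
/* Added example; all names, addresses, and secrets are placeholders. */
access {
    /* Assumed minimal L2TP tunnel access profile: validates tunnel
       requests arriving at the local gateway address. */
    profile l2tp-tunnel-profile {
        client lac-peer {
            l2tp {
                shared-secret "REPLACE-WITH-TUNNEL-SECRET";
            }
        }
    }
    /* Assumed minimal PPP access profile: validates PPP session
       requests carried inside tunnels to the local gateway address. */
    profile ppp-session-profile {
        client ppp-user {
            chap-secret "REPLACE-WITH-CHAP-SECRET";
        }
    }
}
services {
    l2tp {
        tunnel-group lns-group-1 {
            l2tp-access-profile l2tp-tunnel-profile;
            ppp-access-profile ppp-session-profile;
            /* Changing either of the next two statements terminates
               every existing L2TP session that uses them; schedule such
               changes for a maintenance window. */
            local-gateway address 192.0.2.1;
            service-interface sp-1/2/0;
            /* Window sizes in packets; the documented defaults are
               16 (receive) and 32 (maximum-send). */
            receive-window 16;
            maximum-send-window 32;
            /* Timers in seconds; the documented defaults are 60, 30,
               and 120. A hello-interval of 0 would disable hellos. */
            hello-interval 60;
            retransmit-interval 30;
            tunnel-timeout 120;
            /* Hide attribute-value pairs once the tunnel has been
               authenticated with the shared secret. */
            hide-avps;
        }
    }
}
```

The window and timer values repeat the defaults so that the syntax of each statement is visible in one place; in practice you would state only the values you change. The local-gateway and service-interface lines are the two settings whose modification tears down live sessions, which is why they are grouped and commented together.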
Configuring System Logging of L2TP Tunnel Activity
You can specify properties that control how system log messages are generated for L2TP services.
To configure interface-wide default system logging values, include the syslog statement at the [edit services l2tp tunnel-group group-name] hierarchy level:
Configure the host statement with a hostname or IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname.
Table 1 lists the severity levels that you can specify in configuration statements at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.
Table 1: System Log Message Severity Levels
| Severity Level | Description |
|---|---|
| any | Includes all severity levels |
| emergency | System panic or other condition that causes the router to stop functioning |
| alert | Conditions that require immediate correction, such as a corrupted system database |
| critical | Critical conditions, such as hard drive errors |
| error | Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels |
| warning | Conditions that warrant monitoring |
| notice | Conditions that are not errors but might warrant special handling |
| info | Events or nonerror conditions of interest |
We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log Network Address Translation (NAT) events, set the level to info.
For more information about system log messages, see the Junos OS System Log Messages Reference.
To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:
The supported facilities include: authorization, daemon, ftp, kernel, user, and local0 through local7.
To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:
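The following syslog stanza is an example added here, not from the Junos documentation, showing the host, severity, facility-override, and log-prefix statements from this section applied to a tunnel group. The tunnel-group name lns-group-1, the collector address 203.0.113.10, the facility local3, and the prefix L2TP-LNS1 are assumed values; the statement name `services` for the severity level is also an assumption, since this page names the hierarchy but not the keyword.

```junos
/* Added example; host address, facility, and prefix are placeholders. */
services {
    l2tp {
        tunnel-group lns-group-1 {
            syslog {
                /* Only one host may be specified. An external collector
                   must be reachable from the routing instance to which
                   the session-triggering packet was delivered; use
                   "host local" instead to log on the Routing Engine. */
                host 203.0.113.10 {
                    /* Assumed statement name: error is the recommended
                       level for normal operation; raise to warning to
                       watch PIC resource usage, info only while debugging. */
                    services error;
                    /* Send every message for this host under one facility
                       so the collector can route L2TP logs to their own
                       file or pipeline. */
                    facility-override local3;
                    /* Prefix makes logs from this tunnel group easy to
                       filter when several LNS groups share a collector. */
                    log-prefix L2TP-LNS1;
                }
            }
        }
    }
}
```

Pinning a dedicated facility and prefix is what lets a log collector separate L2TP tunnel events from the router's other daemon messages, which matters once you start alerting on tunnel setup failures or unexpected teardowns.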