Provided by: xl2tpd_1.3.1+dfsg-1_amd64


       xl2tpd.conf - L2TPD configuration file


       The xl2tpd.conf file contains configuration information for xl2tpd, an implementation of
       the L2TP protocol.

       The configuration file is composed of sections and parameters. Each section  has  a  given
       name which will be used when using the configuration FIFO (normally /var/run/l2tp-control).
       See xl2tpd.8  for more details.

       The specific given name default will specify parameters applicable for all the  following


       auth file
              Specify  where  to  find the authentication file used to authenticate l2tp tunnels.
              The default is /etc/l2tpd/l2tp-secrets.

       ipsec saref
              Use IPsec Security Association tracking. When this is enabled, packets received by
              xl2tpd should have two extra fields (refme and refhim), which allow tracking of
              multiple clients using the same internal NATed IP address, and tracking of
              multiple clients behind the same NAT router. This needs to be supported by the
              kernel. Currently, this only works with Openswan KLIPS in "mast" mode. (see

              Set  this  to  yes and the system will provide proper SAref values in the recvmsg()

              Values can be yes or no. The default is no.

       saref refinfo
              When using IPsec Security Association tracking, a new setsockopt is used. Since
              this is not (yet?) an official Linux kernel option, we got bumped. Openswan up to
              2.6.35 for linux kernels up to 2.6.35 used a saref num of 22. Linux 3.6.36+ uses
              22 for IP_NODEFRAG. We moved our IP_IPSEC_REFINFO to 30. If not set, the default
              is to use 30. For older SAref patched kernels, use 22.

              The IP address of the interface on which the daemon listens. By default, it
              listens on INADDR_ANY, meaning it listens on all interfaces.

       port   Specify which UDP port xl2tpd should use. The default is 1701.

       access control
              If set to yes, the xl2tpd process will only accept connections from peer addresses
              specified in the following sections. The default is no.

       debug avp
              Set this to yes to enable syslog output of L2TP AVP debugging information.

       debug network
              Set this to yes to enable syslog output of network debugging information.

       debug packet
              Set this to yes to enable printing of L2TP  packet  debugging  information.   Note:
              Output  goes  to  STDOUT,  so use this only in conjunction with the -D command line

       debug state
              Set this to yes to enable syslog output of FSM debugging information.

       debug tunnel
              Set this to yes to enable syslog output of tunnel debugging information.


              If set to yes, only one control tunnel will be allowed to be built between 2 peers.

       (no) ip range
              Specify  the  range  of  ip addresses the LNS will assign to the connecting LAC PPP
              tunnels. Multiple ranges can be defined. Using the 'no' statement disallows the use
              of  that  particular  range.  Ranges are defined using the format IP - IP (example:
     -  Note that either at least one ip range option must be  given,
              or you must set assign ip to no.

       assign ip
              Set  this  to  no  if xl2tpd should not assign IP addresses out of the pool defined
              with the ip range option.  This can be useful if  you  have  some  other  means  to
              assign IP addresses, e. g. a pppd that supports RADIUS AAA.

       (no) lac
              Specify the IP addresses of LACs which are allowed to connect to xl2tpd acting as
              an LNS. The format is the same as the ip range option.

       hidden bit
              If set to yes, xl2tpd will use the AVP hiding feature of L2TP. To get more
              information about hidden AVPs and AVPs in general, refer to RFC 2661.

       local ip
              Use the following IP as xl2tpd's own ip address.

       length bit
              If set to yes, the length bit present in the l2tp packet payload will be used.

       (refuse | require) chap
              Will  require  or  refuse the remote peer to get authenticated via CHAP for the ppp

       (refuse | require) pap
              Will require or refuse the remote peer to get authenticated via  PAP  for  the  ppp

       (refuse | require) authentication
              Will require or refuse the remote peer to authenticate itself.

       unix authentication
              If set to yes, /etc/passwd will be used for remote peer ppp authentication.

              Will report this as the xl2tpd hostname in negotiation.

       ppp debug
              This will enable the debug for pppd.

              Specify  the  path  for  a  file which contains pppd configuration parameters to be

       call rws
              This option is deprecated and no longer functions.  It used to be  used  to  define
              the  flow  control  window  size  for  individual L2TP calls or sessions.  The L2TP
              standard (RFC2661) no longer defines flow control  or  window  sizes  on  calls  or

       tunnel rws
              This defines the window size of the control channel.  The window size is defined as
              the number of outstanding unacknowledged packets, not as a number of bytes.

       flow bits
              If set to yes, sequence numbers will be included in the communication.  The feature
              to use sequence numbers in sessions is currently broken and does not function.

              If set to yes, use challenge authentication to authenticate peer.

       rx bps If set, the receive bandwidth maximum will be set to this value

       tx bps If set, the transmit bandwidth maximum will be set to this value


       The following are LAC specific configuration flags. Most of those described in the LNS
       section may be used in a LAC context, where it makes sense (essentially L2TP
       protocol tuning flags and authentication / ppp related ones).

       lns    Set the DNS name or IP address of the LNS to connect to.

       redial If set to yes, xl2tpd will attempt to redial if the call gets disconnected.

       redial timeout
              Wait  X  seconds  before  redial.  The redial option must be set to yes to use this

       max redial
              Will give up redial tries after X attempts.
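
The options above decide who may open a tunnel and how peers authenticate, so a deployed file is worth checking mechanically. The following is an added example, not part of xl2tpd or of this manual page: a small Python audit over a constructed sample file. The section names `[global]` and `[lns default]`, the `;` comment character and the `challenge` option name are taken from xl2tpd's configuration format (their headings are missing from this page), and treating an absent `challenge` as off is an assumption.

```python
SAMPLE_CONF = """\
; constructed sample for this example, not a real deployment
[global]
port = 1701
debug packet = yes

[lns default]
ip range = 192.0.2.10 - 192.0.2.50
local ip = 192.0.2.1
require pap = yes
refuse chap = yes
"""

def parse_conf(text):
    """Return {section: {option: value}}; ';' starts a comment, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(text):
    """Return sorted (section, finding) pairs for settings worth a second look."""
    conf, findings = parse_conf(text), []
    glob = conf.get("global", {})
    # Documented default is "no": connections are not limited to listed peers
    if glob.get("access control", "no") != "yes":
        findings.append(("global", "access control off"))
    # Debug switches are noisy, and "debug packet" writes to STDOUT
    for key, value in glob.items():
        if key.startswith("debug ") and value == "yes":
            findings.append(("global", key + " enabled"))
    for name, opts in conf.items():
        if not name.startswith("lns"):
            continue
        if opts.get("require pap") == "yes":        # PAP sends the password unencrypted
            findings.append((name, "pap required"))
        if opts.get("refuse authentication") == "yes":
            findings.append((name, "peer authentication refused"))
        if opts.get("challenge", "no") != "yes":    # assumption: absent means off
            findings.append((name, "tunnel challenge off"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```
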


       /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/l2tp-secrets /var/run/xl2tpd/l2tp-control


       Please address bugs and comments to




       Forked from xl2tpd by Xelerance

       Michael Richardson, Paul Wouters

       Many thanks to Jacco de Leeuw for maintaining l2tpd.

       Previous development was hosted at sourceforge

       Scott Balmos
       David Stipp
       Jeff McAdams

       Based off of l2tpd version 0.60
       Copyright (C)1998 Adtran, Inc.
       Mark Spencer