Provided by: xl2tpd_1.3.16-1build1_amd64 
NAME
xl2tpd.conf - L2TPD configuration file
DESCRIPTION
The xl2tpd.conf file contains configuration information for xl2tpd, the free
implementation of l2tp protocol.
The configuration file is composed of sections and parameters. Each section has a given
name which will be used when using the configuration FIFO (normally
/var/run/xl2tpd/l2tp-control). See xl2tpd.8 for more details.
The specific given name default will specify parameters applicable for all the following
sections.
GLOBAL SECTION
auth file
Specify where to find the authentication file used to authenticate l2tp tunnels.
The default is /etc/xl2tpd/l2tp-secrets.
ipsec saref
Use IPsec Security Association tracking. When this is enabled, packets received by
xl2tpd should have to extra fields (refme and refhim) which allows tracking of
multiple clients using the same internal NATed IP address, and allows tracking of
multiple clients behind the same NAT router. This needs to be supported by the
kernel. Currently, this only works with Openswan KLIPS in "mast" mode. (see
http://www.openswan.org/)
Set this to yes and the system will provide proper SAref values in the recvmsg()
calls.
Values can be 'yes' or 'no'. The default is 'no'.
saref refinfo
When using IPsec Security Association trackinng, a new setsockopt is used. Since
this is not (yet?) an official Linux kernel option, we got bumped. Openswan upto
2.6.35 for linux kernels up to 2.6.35 used a saref num of 22. Linux 3.6.36+ uses
22 for IP_NODEFRAG. We moved our IP_IPSEC_REFINFO to 30. If not set, the default
is to use 30. For older SAref patched kernels, use 22.
listen-addr
The IP address of the interface on which the daemon listens. By default, it
listens on INADDR_ANY (0.0.0.0), meaning it listens on all interfaces.
port Specify which UDP port xl2tpd should use. The default is 1701.
access control
If set to 'yes', the xl2tpd process will only accept connections from peers
addresses specified in the following sections. The default is 'no'.
debug avp
Set this to 'yes' to enable syslog output of L2TP AVP debugging information.
debug network
Set this to 'yes' to enable syslog output of network debugging information.
debug packet
Set this to 'yes' to enable printing of L2TP packet debugging information. Note:
Output goes to STDOUT, so use this only in conjunction with the -D command line
option.
debug state
Set this to 'yes' to enable syslog output of FSM debugging information.
debug tunnel
Set this to 'yes' to enable syslog output of tunnel debugging information.
max retries
Specify how many retries before a tunnel is closed. If there is no tunnel, then
stop re-transmitting. The default is 5.
LNS SECTION
exclusive
If set to 'yes', only one control tunnel will be allowed to be built between 2
peers.
(no) ip range
Specify the range of IP addresses the LNS will assign to the connecting LAC PPP
tunnels. Multiple ranges can be defined. Using the 'no' statement disallows the use
of that particular range. Ranges are defined using the format IP - IP (example:
1.1.1.1 - 1.1.1.10). Note that either at least one ip range option must be given,
or you must set assign ip to no.
assign ip
Set this to 'no' if xl2tpd should not assign IP addresses out of the pool defined
with the ip range option. This can be useful if you have some other means to
assign IP addresses, e. g. a pppd that supports RADIUS AAA.
(no) lac
Specify the IP addresses of LAC's which are allowed to connect to xl2tpd acting as
a LNS. The format is the same as the ip range option.
hidden bit
If set to 'yes', xl2tpd will use the AVP hiding feature of L2TP. To get more
information about hidden AVP's and AVP in general, refer to rfc2661 (add URL?)
local ip
Use the following IP as xl2tpd's own IP address.
local ip range
Specify the range of addresses the LNS will assign as the local address to
connecting LAC PPP tunnels. This option is mutually exclusive with the local ip
option and is useful in cases where it is desirable to have a unique IP address for
each tunnel. Specify the range value exactly like the ip range option. Note that
the assign ip option has no effect on this option.
length bit
If set to 'yes', the length bit present in the l2tp packet payload will be used.
(refuse | require) chap
Will require or refuse the remote peer to get authenticated via CHAP for the ppp
authentication.
(refuse | require) pap
Will require or refuse the remote peer to get authenticated via PAP for the ppp
authentication.
(refuse | require) authentication
Will require or refuse the remote peer to authenticate itself.
unix authentication
If set to 'yes', /etc/passwd will be used for remote peer ppp authentication.
hostname
Will report this as the xl2tpd hostname in negotiation.
ppp debug
This will enable the debug for pppd.
pass peer
Pass the peer's IP address to pppd as ipparam. Enabled by default.
pppoptfile
Specify the path for a file which contains pppd configuration parameters to be
used.
call rws
This option is deprecated and no longer functions. It used to be used to define the
flow control window size for individual L2TP calls or sessions. The L2TP standard
(RFC2661) no longer defines flow control or window sizes on calls or sessions.
tunnel rws
This defines the window size of the control channel. The window size is defined as
the number of outstanding unacknowledged packets, not as a number of bytes.
flow bits
If set to 'yes', sequence numbers will be included in the communication. The
feature to use sequence numbers in sessions is currently broken and does not
function.
challenge
If set to 'yes', use challenge authentication to authenticate peer.
rx bps If set, the receive bandwidth maximum will be set to this value
tx bps If set, the transmit bandwidth maximum will be set to this value
LAC SECTION
The following are LAC specific configuration flags. Most of those described in the LNS
section may be used in a LAC context, where it makes common sense (essentially l2tp
protocols tuning flags and authentication / ppp related ones).
lns Set the dns name or ip address of the LNS to connect to.
autodial
If set to 'yes', xl2tpd will automatically dial the LAC during startup.
redial If set to 'yes', xl2tpd will attempt to redial if the call get disconnected. Note
that, if enabled, xl2tpd will keep passwords in memory: a potential security risk.
redial timeout
Wait X seconds before redial. The redial option must be set to yes to use this
option. Defaults to 30 seconds.
max redials
Will give up redial tries after X attempts.
FILES
/etc/xl2tpd/xl2tpd.conf
Configuration file of xl2tpd, used by default.
/etc/xl2tpd/l2tp-secrets
Secrets file, used by default.
/var/run/xl2tpd/l2tp-control
Control file, used by default.
BUGS
Please use the github project page https://github.com/xelerance/xl2tpd to send bugreports,
issues and any other feedback
SEE ALSO
xl2tpd(8), xl2tpd-control(8), pppd(8)
COPYLEFT
This program is free software; you can redistribute it and/or modify it under the terms of
the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program
(see the file LICENSE); if not, see https://www.gnu.org/licenses/, or contact Free
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
CONTRIBUTORS
Alexander Dorokhov <alex.dorokhov@gmail.com>
Alexander Naumov <alexander_naumov@opensuse.org>
AUTHORS
Forked from l2tpd by Xelerance: https://github.com/xelerance/xl2tpd
Michael Richardson <mcr@xelerance.com>
Paul Wouters <paul@xelerance.com>
Samir Hussain <shussain@xelerance.com>
Previous development was hosted at sourceforge (http://www.sourceforge.net/projects/l2tpd)
by:
Scott Balmos <sbalmos@iglou.com>
David Stipp <dstipp@one.net>
Jeff McAdams <jeffm@iglou.com>
Based off of l2tpd version 0.61. Many thanks to Jacco de Leeuw <jacco2@dds.nl> for
maintaining l2tpd.
Copyright (C)1998 Adtran, Inc.
Mark Spencer <markster@marko.net>
Sep 2020 xl2tpd.conf(5)