welterde/l2tpns
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Convert docbook documentation to markdown, add build mechanism using pandoc

Browse source
This commit is contained in:
Julien Rabier 2021-01-31 17:06:23 +01:00
parent db5ff8c356
commit 72609641db
26 changed files with 4273 additions and 6022 deletions
Download patch file Download diff file Expand all files Collapse all files

682
docs/manpages/startup-config.5 Normal file
View file

@ -0,0 +1,682 @@
.SH NAME
.PP
startup-config - configuration file for l2tpns
.SH SYNOPSIS
.PP
/etc/l2tpns/startup-config
.SH DESCRIPTION
.PP
\f[B]startup-config\f[R] is the configuration file for \f[B]l2tpns\f[R]
.PP
The format is plain text, in the same format as accepted by the
configuration mode of l2tpns\[cq]s telnet administrative interface.
Comments are indicated by either the character # or !.
.SS SETTINGS
.PP
Settings are specified with
.IP \[bu] 2
\f[B]set\f[R] \f[C]variable\f[R] \f[C]value\f[R]
.PP
A list of the possible configuration directives follows.
Each of these should be set by a line like:
.IP \[bu] 2
\f[B]set\f[R] \f[I]configstring\f[R] \f[I]\[lq]value\[rq]\f[R]
.IP \[bu] 2
\f[B]set\f[R] \f[I]ipaddress\f[R] \f[I]192.168.1.1\f[R]
.IP \[bu] 2
\f[B]set\f[R] \f[I]boolean\f[R] \f[I]true\f[R]
.PP
The following \f[C]variables\f[R] may be set:
.IP \[bu] 2
\f[B]accounting_dir\f[R] (string)
.RS 2
.PP
If set to a directory, then every 5 minutes the current usage for every
connected use will be dumped to a file in this directory.
Each file dumped begins with a header, where each line is prefixed by #.
Following the header is a single line for every connected user, fields
separated by a space.
.PP
The fields are username, ip, qos, uptxoctets, downrxoctets, origin
(optional).
The qos field is 1 if a standard user, and 2 if the user is throttled.
The origin field is dump if \f[B]account_all_origin\f[R] is set to true
(origin value: L=LAC data, R=Remote LNS data, P=PPPOE data).
.RE
.IP \[bu] 2
\f[B]account_all_origin\f[R] (boolean)
.RS 2
.PP
If set to true, all origin of the usage is dumped to the accounting file
(LAC+Remote LNS+PPPOE)(default false).
.RE
.IP \[bu] 2
\f[B]allow_duplicate_users\f[R] (boolean)
.RS 2
.PP
Allow multiple logins with the same username.
If false (the default), any prior session with the same username will be
dropped when a new session is established.
.RE
.IP \[bu] 2
\f[B]auth_tunnel_change_addr_src\f[R] (boolean)
.RS 2
.PP
This parameter authorize to change the source IP of the tunnels l2tp.
This parameter can be used when the remotes BAS/LAC are l2tpns server
configured in cluster mode, but that the interface to remote LNS are not
clustered (the tunnel can be coming from different source IP) (default:
no).
.RE
.IP \[bu] 2
\f[B]bind_address\f[R] (ip address)
.RS 2
.PP
It\[cq]s the listen address of the l2tp udp protocol sent and received
to LAC.
This address is also assigned to the tun interface if no iftun_address
is specified.
Packets containing user traffic should be routed via this address if
given, otherwise the primary address of the machine.
.RE
.IP \[bu] 2
\f[B]bind_multi_address\f[R] (ip address)
.RS 2
.PP
This parameter permit one to listen several address of the l2tp udp
protocol (and set several address to the tun interface).
.PP
WHEN this parameter is set, It OVERWRITE the parameters
\[lq]bind_address\[rq] and \[lq]iftun_address\[rq].
.PP
these can be interesting when you want do load-balancing in cluster mode
of the uploaded from the LAC.
For example you can set a bgp.prepend(MY_AS) for Address1 on LNS1 and a
bgp.prepend(MY_AS) for Address2 on LNS2 (see BGP AS-path prepending).
.PP
example of use with 2 address:
.PP
\f[B]set\f[R] \f[I]bind_multi_address\f[R] \[lq]64.14.13.41,
64.14.13.42\[rq]
.RE
.IP \[bu] 2
\f[B]cluster_address\f[R] (ip address)
.RS 2
.PP
Multicast cluster address (default: 239.192.13.13).
See the section on Clustering for more information.
.RE
.IP \[bu] 2
\f[B]Bcluster_port\f[R] (int)
.RS 2
.PP
UDP cluster port (default: 32792).
See the section on Clustering for more information.
.RE
.IP \[bu] 2
\f[B]cluster_interface\f[R] (string)
.RS 2
.PP
Interface for cluster packets (default: eth0).
.RE
.IP \[bu] 2
\f[B]cluster_mcast_ttl\f[R] (int)
.RS 2
.PP
TTL for multicast packets (default: 1).
.RE
.IP \[bu] 2
\f[B]cluster_hb_interval\f[R] (int)
.RS 2
.PP
Interval in tenths of a second between cluster heartbeat/pings.
.RE
.IP \[bu] 2
\f[B]cluster_hb_timeout\f[R] (int)
.RS 2
.PP
Cluster heartbeat timeout in tenths of a second.
A new master will be elected when this interval has been passed without
seeing a heartbeat from the master.
.RE
.IP \[bu] 2
\f[B]cluster_master_min_adv\f[R] (int)
.RS 2
.PP
Determines the minimum number of up to date slaves required before the
master will drop routes (default: 1).
.RE
.IP \[bu] 2
\f[B]debug\f[R] (int)
.RS 2
.PP
Set the level of debugging messages written to the log file.
The value should be between 0 and 5, with 0 being no debugging, and 5
being the highest.
A rough description of the levels is:
\[bu] .RS 2
.IP "0." 3
Critical Errors - Things are probably broken
.RE
\[bu] .RS 2
.IP "1." 3
Errors - Things might have gone wrong, but probably will recover
.RE
\[bu] .RS 2
.IP "2." 3
Warnings - Just in case you care what is not quite perfect
.RE
\[bu] .RS 2
.IP "3." 3
Information - Parameters of control packets
.RE
\[bu] .RS 2
.IP "4." 3
Calls - For tracing the execution of the code
.RE
\[bu] .RS 2
.IP "5." 3
Packets - Everything, including a hex dump of all packets processed\&...
probably twice
.RE
.PP
Note that the higher you set the debugging level, the slower the program
will run.
Also, at level 5 a LOT of information will be logged.
This should only ever be used for working out why it doesn\[cq]t work at
all.
.RE
.IP \[bu] 2
\f[B]dump_speed\f[R] (boolean)
.RS 2
.PP
If set to true, then the current bandwidth utilization will be logged
every second.
Even if this is disabled, you can see this information by running the
uptime command on the CLI.
.RE
.IP \[bu] 2
\f[B]disable_sending_hello\f[R] (boolean)
.RS 2
.PP
Disable l2tp sending HELLO message for Apple compatibility.
Some OS X implementation of l2tp no manage the L2TP \[lq]HELLO
message\[rq].
(default: no).
.RE
.IP \[bu] 2
\f[B]echo_timeout\f[R] (int)
.RS 2
.PP
Time between last packet sent and LCP ECHO generation (default: 10
(seconds)).
.RE
.IP \[bu] 2
\f[B]guest_account\f[R]
.RS 2
.PP
Allow multiple logins matching this specific username.
.RE
.IP \[bu] 2
\f[B]icmp_rate\f[R] (int)
.RS 2
.PP
Maximum number of host unreachable ICMP packets to send per second.
.RE
.IP \[bu] 2
\f[B]idle_echo_timeout\f[R] (int)
.RS 2
.PP
Drop sessions who have not responded within idle_echo_timeout seconds
(default: 240 (seconds))
.RE
.IP \[bu] 2
\f[B]iftun_address\f[R] (ip address)
.RS 2
.PP
This parameter is used when you want a tun interface address different
from the address of \[lq]bind_address\[rq] (For use in cases of specific
configuration).
If no address is given to iftun_address and bind_address, 1.1.1.1 is
used.
.RE
.IP \[bu] 2
\f[B]l2tp_mtu\f[R] (int)
.RS 2
.PP
MTU of interface for L2TP traffic (default: 1500).
Used to set link MRU and adjust TCP MSS.
.RE
.IP \[bu] 2
\f[B]l2tp_secret\f[R] (string)
.RS 2
.PP
The secret used by l2tpns for authenticating tunnel request.
Must be the same as the LAC, or authentication will fail.
Only actually be used if the LAC requests authentication.
.RE
.IP \[bu] 2
\f[B]lock_pages\f[R] (boolean)
.RS 2
.PP
Keep all pages mapped by the l2tpns process in memory.
.RE
.IP \[bu] 2
\f[B]log_file\f[R] (string)
.RS 2
.PP
This will be where all logging and debugging information is written
to.This may be either a filename, such as /var/log/l2tpns, or the string
syslog:facility, where facility is any one of the syslog logging
facilities, such as local5.
.RE
.IP \[bu] 2
\f[B]multi_read_count\f[R] (int)
.RS 2
.PP
Number of packets to read off each of the UDP and TUN fds when returned
as readable by select (default: 10).
Avoids incurring the unnecessary system call overhead of select on busy
servers.
.RE
.IP \[bu] 2
\f[B]packet_limit\f[R] (int>
.RS 2
.PP
Maximum number of packets of downstream traffic to be handled each tenth
of a second per session.
If zero, no limit is applied (default: 0).
Intended as a DoS prevention mechanism and not a general throttling
control (packets are dropped, not queued).
.RE
.IP \[bu] 2
\f[B]peer_address\f[R] (ip address)
.RS 2
.PP
Address to send to clients as the default gateway.
.RE
.IP \[bu] 2
\f[B]pid_file\f[R] (string)
.RS 2
.PP
If set, the process id will be written to the specified file.
The value must be an absolute path.
.RE
.IP \[bu] 2
\f[B]ppp_keepalive\f[R] (boolean)
.RS 2
.PP
Change this value to no to force generation of LCP ECHO every
echo_timeout seconds, even there are activity on the link (default: yes)
.RE
.IP \[bu] 2
\f[B]ppp_restart_time\f[R] (int)
.IP \[bu] 2
\f[B]ppp_max_configure\f[R] (int)
.IP \[bu] 2
\f[B]ppp_max_failure\f[R] (int)
.RS 2
.PP
PPP counter and timer values, as described in Section 4.1 of RFC1661.
.PP
\f[I]ppp_restart_time\f[R], Restart timer for PPP protocol negotiation
in seconds (default: 3).
.PP
\f[I]ppp_max_configure\f[R], Number of configure requests to send before
giving up (default: 10).
.PP
\f[I]ppp_max_failure\f[R], Number of Configure-Nak requests to send
before sending a Configure-Reject (default: 5).
.RE
.IP \[bu] 2
\f[B]primary_dns\f[R] (ip address), \f[B]secondary_dns\f[R] (ip address)
.RS 2
.PP
Whenever a PPP connection is established, DNS servers will be sent to
the user, both a primary and a secondary.
If either is set to 0.0.0.0, then that one will not be sent.
.RE
.IP \[bu] 2
\f[B]primary_radius\f[R] (ip address), \f[B]secondary_radius\f[R] (ip
address)
.RS 2
.PP
Sets the RADIUS servers used for both authentication and accounting.
If the primary server does not respond, then the secondary RADIUS server
will be tried.
.PP
Note: in addition to the source IP address and identifier, the RADIUS
server must include the source port when detecting duplicates to
suppress (in order to cope with a large number of sessions coming
on-line simultaneously l2tpns uses a set of udp sockets, each with a
separate identifier).
.RE
.IP \[bu] 2
\f[B]primary_radius_port\f[R] (short), \f[B]secondary_radius_port\f[R]
(short)
.RS 2
.PP
Sets the authentication ports for the primary and secondary RADIUS
servers.
The accounting port is one more than the authentication port.
If no RADIUS ports are given, the authentication port defaults to 1645,
and the accounting port to 1646.
.RE
.IP \[bu] 2
\f[B]radius_accounting\f[R] (boolean)
.RS 2
.PP
If set to true, then RADIUS accounting packets will be sent.
This means that a \f[B]Start\f[R] record will be sent when the session
is successfully authenticated, and a \f[B]Stop\f[R] record will be sent
when the session is closed.
.RE
.IP \[bu] 2
\f[B]radius_interim\f[R] (int)
.RS 2
.PP
If radius_accounting is on, defines the interval between sending of
RADIUS interim accounting records (in seconds).
.RE
.IP \[bu] 2
\f[B]radius_secret\f[R] (string)
.RS 2
.PP
This secret will be used in all RADIUS queries.
If this is not set then RADIUS queries will fail.
.RE
.IP \[bu] 2
\f[B]radius_authtypes\f[R] (string)
.RS 2
.PP
A comma separated list of supported RADIUS authentication methods
(\[lq]pap\[rq] or \[lq]chap\[rq]), in order of preference (default
\[lq]pap\[rq]).
.RE
.IP \[bu] 2
\f[B]radius_dae_port\f[R] (short)
.RS 2
.PP
Port for DAE RADIUS (Packet of Death/Disconnect, Change of
Authorization) requests (default: 3799).
.RE
.IP \[bu] 2
\f[B]radius_bind_min\f[R], \f[B]radius_bind_max\f[R] (int)
.RS 2
.PP
Define a port range in which to bind sockets used to send and receive
RADIUS packets.
Must be at least RADIUS_FDS (64) wide.
Simplifies firewalling of RADIUS ports (default: dynamically assigned).
.RE
.IP \[bu] 2
\f[B]random_device\f[R] (string)
.RS 2
.PP
Path to random data source (default /dev/urandom).
Use \[dq]\[dq] to use the rand() library function.
.RE
.IP \[bu] 2
\f[B]scheduler_fifo\f[R] (boolean)
.RS 2
.PP
Sets the scheduling policy for the l2tpns process to SCHED_FIFO.
This causes the kernel to immediately preempt any currently running
SCHED_OTHER (normal) process in favour of l2tpns when it becomes
runnable.
Ignored on uniprocessor systems.
.RE
.IP \[bu] 2
\f[B]send_garp\f[R] (boolean)
.RS 2
.PP
Determines whether or not to send a gratuitous ARP for the bind_address
when the server is ready to handle traffic (default: true).
This value is ignored if BGP is configured.
.RE
.IP \[bu] 2
\f[B]tundevicename\f[R] (string)
.RS 2
.PP
Name of the tun interface (default: \[lq]tun0\[rq]).
.RE
.IP \[bu] 2
\f[B]throttle_speed\f[R] (int)
.RS 2
.PP
Sets the default speed (in kbits/s) which sessions will be limited to.
If this is set to 0, then throttling will not be used at all.
Note: You can set this by the CLI, but changes will not affect currently
connected users.
.RE
.IP \[bu] 2
\f[B]throttle_buckets\f[R] (int)
.RS 2
.PP
Number of token buckets to allocate for throttling.
Each throttled session requires two buckets (in and out).
.RE
.SS DHCPv6 And IPv6 SETTINGS
.IP \[bu] 2
\f[B]dhcp6_preferred_lifetime\f[R] (int)
.RS 2
.PP
The preferred lifetime for the IPv6 address and the IPv6 prefix address,
expressed in units of seconds (see rfc3315).
.RE
.IP \[bu] 2
\f[B]dhcp6_valid_lifetime\f[R] (int)
.RS 2
.PP
The valid lifetime for the IPv6 address and the IPv6 prefix address,
expressed in units of seconds (see rfc3315).
.RE
.IP \[bu] 2
\f[B]dhcp6_server_duid\f[R] (int)
.RS 2
.PP
DUID Based on Link-layer Address (DUID-LL) (see rfc3315).
.RE
.IP \[bu] 2
\f[B]primary_ipv6_dns\f[R], \f[B]secondary_ipv6_dns\f[R] (Ipv6 address)
.RS 2
.PP
IPv6 DNS servers will be sent to the user (see rfc3646).
.RE
.IP \[bu] 2
\f[B]default_ipv6_domain_list\f[R] (string)
.RS 2
.PP
The Domain Search List (ex: \[lq]fdn.fr\[rq]) (see rfc3646).
.RE
.IP \[bu] 2
\f[B]ipv6_prefix\f[R] (Ipv6 address)
.RS 2
.PP
Enable negotiation of IPv6.
This forms the the first 64 bits of the client allocated address.
The remaining 64 come from the allocated IPv4 address and 4 bytes of 0.
.RE
.SS LAC SETTINGS
.IP \[bu] 2
\f[B]bind_address_remotelns\f[R] (ip address)
.RS 2
.PP
Address of the interface to listen the remote LNS tunnels.
If no address is given, all interfaces are listened (Any Address).
.RE
.IP \[bu] 2
\f[B]bind_portremotelns\f[R] (short)
.RS 2
.PP
Port to bind for the Remote LNS (default: 65432).
.RE
.PP
A static REMOTES LNS configuration can be entered by the command:
.IP \[bu] 2
\f[B]setforward\f[R] \f[I]MASK\f[R] \f[I]IP\f[R] \f[I]PORT\f[R]
\f[I]SECRET\f[R]
.RS 2
.PP
where MASK specifies the mask of users who have forwarded to remote LNS
(ex: \[lq]/friendISP\[at]company.com\[rq]).
.PP
where IP specifies the IP of the remote LNS (ex: \[lq]66.66.66.55\[rq]).
.PP
where PORT specifies the L2TP Port of the remote LNS (Normally should be
1701) (ex: 1701).
.PP
where SECRET specifies the secret password the remote LNS (ex:
mysecret).
.RE
.PP
The static REMOTE LNS configuration can be used when the friend ISP not
have a proxied Radius.
.PP
If a proxied Radius is used, It will return the RADIUS attributes:
.IP \[bu] 2
Tunnel-Type:1 = L2TP
.IP \[bu] 2
Tunnel-Medium-Type:1 = IPv4
.IP \[bu] 2
Tunnel-Password:1 = \[lq]LESECRETL2TP\[rq]
.IP \[bu] 2
Tunnel-Server-Endpoint:1 = \[lq]88.xx.xx.x1\[rq]
.IP \[bu] 2
Tunnel-Assignment-Id:1 = \[lq]friendisp_lns1\[rq]
.IP \[bu] 2
Tunnel-Type:2 += L2TP
.IP \[bu] 2
Tunnel-Medium-Type:2 += IPv4
.IP \[bu] 2
Tunnel-Password:2 += \[lq]LESECRETL2TP\[rq]
.IP \[bu] 2
Tunnel-Server-Endpoint:2 += \[lq]88.xx.xx.x2\[rq]
.IP \[bu] 2
Tunnel-Assignment-Id:2 += \[lq]friendisp_lns2\[rq]
.SS PPPOE SETTINGS
.IP \[bu] 2
\f[B]pppoe_if_to_bind\f[R] (string)
.RS 2
.PP
PPPOE server interface to bind (ex: \[lq]eth0.12\[rq]), If not specified
the server PPPOE is not enabled.
For the pppoe clustering, all the interfaces PPPOE of the clusters must
use the same HW address (MAC address).
.RE
.IP \[bu] 2
\f[B]pppoe_service_name\f[R] (string)
.RS 2
.PP
PPPOE service name (default: NULL).
.RE
.IP \[bu] 2
\f[B]pppoe_ac_name\f[R] (string)
.RS 2
.PP
PPPOE access concentrator name (default: \[lq]l2tpns-pppoe\[rq]).
.RE
.IP \[bu] 2
\f[B]pppoe_only_equal_svc_name\f[R] (boolean)
.RS 2
.PP
If set to yes, the PPPOE server only accepts clients with a
\[lq]service-name\[rq] different from NULL and a \[lq]service-name\[rq]
equal to server \[lq]service-name\[rq] (default: no).
.RE
.SS BGP ROUTING
.PP
The routing configuration section is entered by the command
.PP
\f[B]router\f[R] \f[B]bgp\f[R] \f[I]as\f[R]
.PP
where \f[I]as\f[R] specifies the local AS number.
.PP
Subsequent lines prefixed with \f[B]neighbour\f[R] \f[I]peer\f[R] define
the attributes of BGP neighhbours.
Valid commands are:
.PP
\f[B]neighbour\f[R] \f[I]peer\f[R] \f[B]remote-as\f[R] \f[I]as\f[R]
.PP
\f[B]neighbour\f[R] \f[I]peer\f[R] \f[B]timers\f[R] \f[I]keepalive\f[R]
\f[I]hold\f[R]
.PP
Where \f[I]peer\f[R] specifies the BGP neighbour as either a hostname or
IP address, \f[I]as\f[R] is the remote AS number and
\f[I]keepalive\f[R], \f[I]hold\f[R] are the timer values in seconds.
.SS NAMED ACCESS LISTS
.PP
Named access lists may be defined with either of
.IP \[bu] 2
\f[B]ip\f[R] \f[B]access-list\f[R] \f[B]standard\f[R] \f[I]name\f[R]
.IP \[bu] 2
\f[B]ip\f[R] \f[B]access-list\f[R] \f[B]extended\f[R] \f[I]name\f[R]
.PP
Subsequent lines starting with permit or deny define the body of the
access-list.
.SS Standard Access Lists
.PP
Standard access lists are defined with:
.IP \[bu] 2
{\f[B]permit\f[R]|\f[B]deny\f[R]} \f[I]source\f[R] [\f[I]dest\f[R]]
.PP
Where \f[I]source\f[R] and \f[I]dest\f[R] specify IP matches using one
of:
.IP \[bu] 2
\f[I]address\f[R] \f[I]wildard\f[R]
.IP \[bu] 2
\f[B]host\f[R] \f[I]address\f[R]
.IP \[bu] 2
\f[B]any\f[R]
.PP
\f[I]address\f[R] and \f[I]wildard\f[R] are in dotted-quad notation,
bits in the \f[I]wildard\f[R] indicate which address bits in
\f[I]address\f[R] are relevant to the match (0 = exact match; 1 =
don\[cq]t care).
.PP
The shorthand `host address' is equivalent to `\f[I]address\f[R]
\f[B]0.0.0.0\f[R]'; `\f[B]any\f[R]' to `\f[B]0.0.0.0\f[R]
\f[B]255.255.255.255\f[R]'.
.SS Extended Access Lists
.PP
Extended access lists are defined with:
.IP \[bu] 2
{\f[B]permit\f[R]|\f[B]deny\f[R]} \f[I]proto\f[R] \f[I]source\f[R]
[\f[I]ports\f[R]] \f[I]dest\f[R] [\f[I]ports\f[R]] [\f[I]flags\f[R]]
.PP
Where \f[I]proto\f[R] is one of \f[B]ip\f[R], \f[B]tcp\f[R] or
\f[B]udp\f[R], and \f[I]source\f[R] and \f[I]dest\f[R] are as described
above for standard lists.
.PP
For TCP and UDP matches, source and destination may be optionally
followed by a ports specification:
.IP \[bu] 2
{\f[B]eq|neq|gt|lt\f[R]} \f[I]port\f[R]
.IP \[bu] 2
\f[B]range\f[R] \f[I]from\f[R] \f[I]to\f[R]
.PP
\f[I]flags\f[R] may be one of:
.IP \[bu] 2
{\f[B]match-any|match-all\f[R]}
{\f[B]+|-\f[R]}{\f[B]fin|syn|rst|psh|ack|urg\f[R]} \&...
.RS 2
.PP
Match packets with any or all of the tcp flags set (+) or clear (-).
.RE
.IP \[bu] 2
\f[B]established\f[R]
.RS 2
.PP
Match \[lq]established\[rq] TCP connections: packets with RST or ACK
set, and SYN clear.
.RE
.IP \[bu] 2
\f[B]fragments\f[R]
.RS 2
.PP
Match IP fragments.
May not be specified on rules with layer 4 matches.
.RE
.SH SEE ALSO
.PP
l2tpns(8) (http://man.he.net/man8/l2tpns)