e7db528544
To support proxy LCP negotiation. Note: we *have* to take the auth id from the proxy answer, otherwise we would replay previous ids, for which the client might cache the answer and thus ignore our new challenge and just repeat their outdated answer.
174 lines
4.5 KiB
Text
174 lines
4.5 KiB
Text
# Debugging level
|
|
set debug 3
|
|
|
|
# Log file: comment out to use stderr, use "syslog:facility" for syslog
|
|
set log_file "/var/log/l2tpns"
|
|
|
|
# Write pid to this file
|
|
set pid_file "/var/run/l2tpns.pid"
|
|
|
|
# This host name, if different from the OS one
|
|
#set hostname "localhost"
|
|
|
|
# Shared secret with LAC
|
|
set l2tp_secret "secret"
|
|
|
|
# MTU of interface for L2TP traffic
|
|
#set l2tp_mtu 1500
|
|
|
|
# MRRU for MP traffic
|
|
#set mp_mrru 1614
|
|
|
|
# PPP counter and timer values
|
|
#set ppp_restart_time 3
|
|
#set ppp_max_configure 10
|
|
#set ppp_max_failure 5
|
|
|
|
# Can be set to "on-mismatch" to enable proxy LCP negotiation
|
|
# (e.g. if LAC cannot pass LCP through)
|
|
#set lcp_renegotiation "always"
|
|
|
|
# Only 2 DNS server entries are allowed
|
|
set primary_dns 10.0.0.1
|
|
set secondary_dns 10.0.0.2
|
|
|
|
# Can have multiple radius server entries, but ony one radius secret
|
|
set primary_radius 10.0.0.3
|
|
#set primary_radius_port 1812
|
|
#set secondary_radius 0.0.0.0
|
|
#set secondary_radius_port 1812
|
|
set radius_secret "secret"
|
|
# Set this to yes once you have confirmed that your RADIUS server provides MessageAuthenticator in its responses
|
|
#set radius_require_message_authenticator auto
|
|
|
|
# Acceptable authentication types (pap, chap) in order of preference
|
|
#set radius_authtypes "pap"
|
|
|
|
# Turn on or off Radius Accounting
|
|
#set radius_accounting no
|
|
|
|
# Port for DAE RADIUS requests
|
|
#set radius_dae_port 3799
|
|
|
|
# Allow multiple logins for the same username
|
|
#set allow_duplicate_users no
|
|
|
|
# Kill timedout sessions ? (default yes)
|
|
#set kill_timedout_sessions no
|
|
|
|
# Allow multiple logins for specific username
|
|
#set guest_account ""
|
|
|
|
# Write usage accounting files into specified directory
|
|
#set accounting_dir "/var/run/l2tpns/acct"
|
|
|
|
# Listen address for L2TP
|
|
#set bind_address 1.1.1.1
|
|
|
|
# Listen address for CLI
|
|
set cli_bind_address 127.0.0.1
|
|
|
|
# Send a gratiuitous ARP for bind address
|
|
#set send_garp no
|
|
|
|
# Gateway address given to clients
|
|
#set peer_address 0.0.0.0
|
|
|
|
# Default throttle rate in kb/s
|
|
#set throttle_speed 0
|
|
|
|
# Number of buckets to allocate for throttling
|
|
#set throttle_buckets 3000
|
|
|
|
# If set to true, dump current speed to stderr every second
|
|
#set dump_speed no
|
|
|
|
# Number of packets to read from tun/udp/cluster fd when select
|
|
# returns readable
|
|
#set multi_read_count 10
|
|
|
|
# Set scheduling priority of process to SCHED_FIFO
|
|
#set scheduler_fifo no
|
|
|
|
# Lock pages into memory
|
|
#set lock_pages no
|
|
|
|
# Maximum number of host unreachable packets to send per second
|
|
#set icmp_rate 0
|
|
|
|
# Maximum number of downstream packets per 0.1s to handle for each
|
|
# session (0 = ulimited)
|
|
#set packet_limit 0
|
|
|
|
# Cluster multicast address, interface
|
|
#set cluster_address 239.192.13.13
|
|
#set cluster_port 32792
|
|
#set cluster_interface eth0
|
|
|
|
# Cluster multicast TTL
|
|
#set cluster_mcast_ttl 1
|
|
|
|
# Cluster timers (1/10th second)
|
|
#set cluster_hb_interval 5
|
|
#set cluster_hb_timeout 150
|
|
|
|
# Minimum number of slaves before master withdraws routes
|
|
#set cluster_master_min_adv 1
|
|
|
|
# IPv6 address prefix
|
|
#set ipv6_prefix ::
|
|
|
|
# Only 2 IPv6 DNS server entries are allowed
|
|
#set primary_ipv6_dns 2001:db8::1
|
|
#set secondary_ipv6_dns 2001:db8::2
|
|
|
|
# BGP NEXT_HOP path attribute
|
|
#set nexthop 10.0.1.1
|
|
#set nexthop6 2001:db8::1
|
|
|
|
# Route metric (lower is preferred)
|
|
#set route_metric 1
|
|
# Route protocol number to use
|
|
#set route_protocol 42
|
|
|
|
# Time between last packet sent and LCP ECHO generation (default 10 seconds)
|
|
#set echo_timeout 10
|
|
# Drop sessions who have not responded within idle_echo_timeout seconds (default 240 seconds)
|
|
#set idle_echo_timeout 240
|
|
# Change this value to no to force generation of LCP ECHO every echo_timeout seconds, even there are activity on the link (default yes)
|
|
set ppp_keepalive yes
|
|
|
|
# Drop/kill sessions
|
|
#load plugin "sessionctl"
|
|
|
|
# Throttle/snoop based on RADIUS
|
|
#load plugin "autothrottle"
|
|
#load plugin "autosnoop"
|
|
|
|
# Control throttle/snoop with nsctl
|
|
#load plugin "throttlectl"
|
|
#load plugin "snoopctl"
|
|
|
|
# Punt RX speed if not supplied
|
|
#load plugin "setrxspeed"
|
|
|
|
# Remove domain from username
|
|
#load plugin "stripdomain"
|
|
|
|
# Walled garden
|
|
#load plugin "garden"
|
|
|
|
# Kernel acceleration, enable on no more than one instance on the same machine!
|
|
#set kernel_accel yes
|
|
#
|
|
# You will probably want to also enable MSS clamping, which l2tpns won't be able to do any more:
|
|
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
# ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
# or
|
|
# nft add rule inet filter forward tcp flags syn tcp option maxseg size set rt mtu
|
|
#
|
|
# and allow dhcpv6 traffic:
|
|
# iptables -A INPUT -i ppp+ -p udp --sport 546 --dport 547 -j ACCEPT
|
|
#
|
|
# and increase the memory available for igmp6 for DHCPv6 and RS:
|
|
# sysctl net.core.optmem_max=10485760
|