ASL-Corp members, Bureaucrats, Check users, Structured Discussions bots, oversight, Suppressors, Administrators, Upload Wizard campaign editors
1,714
edits
Changes
Jump to navigation
Jump to search
Line 209:
Line 209: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→L2TP Ethernet Pseudowires: Created initial article
==L2TP Ethernet Pseudowires==
==L2TP Ethernet Pseudowires==
{{go to top}}
{{go to top}}
===Linux===
Create an L2TP ethernet pseudowires connection using the Linux kernel's L2TP drivers along with the ip utility.
Note: This setup does not have any security. You will need to route it over IPSEC to create a secure connection.
In this example we use separate systems to establish the tunnels across the Gateway (which represents the Internet). You can do the same setup directly on two systems to connect them over the Internet if you only need a one-to-one L2TP link.
====Topology====
{| class="wikitable" style="text-align: center; width: 35%"
|+ L2TP Tunnel Topology
! System
! Network
|-
| Gateway
| eth1: 1.1.1.1/30; eth2: 2.2.2.1.30
|-
| Tunnel1
| eth1/l2tpeth0 (bridged); eth1: 192.168.0.3/24; eth2: 1.1.1.2/30
|-
| Tunnel2
| eth1/l2tpeth0 (bridged); eth1: 192.168.0.4/24; eth2: 2.2.2.2/30
|}
====Configuration====
*Enable IP forwarding on Gateway, '''Tunnel1''' and '''Tunnel2''' systems by running this command on each:
# echo 1 > /proc/sys/net/ipv4/ip_forward
*Establish L3 connectivity between '''Tunnel1''' and '''Tunnel2''' systems:
On '''Tunnel1''' run:
# ip route add 2.2.2.0/30 via 1.1.1.1
On '''Tunnel2''' run:
# ip route add 1.1.1.0/30 via 2.2.2.1
Check to make sure both sides can ping each other:
#tunnel1:~# ping -c1 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_req=1 ttl=63 time=1.03 ms
#tunnel2:~# ping -c1 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_req=1 ttl=63 time=1.20 ms
*Load L2TPv3 ethernet pseudowire module on '''Tunnel1''' and '''Tunnel2''' systems:
# modprobe l2tp_eth
*Configure l2tp interface on '''Tunnel1''':
# ip l2tp add tunnel tunnel_id 1000 peer_tunnel_id 2000 encap udp local 1.1.1.2 remote 2.2.2.2 udp_sport 6000 udp_dport 5000
# ip l2tp add session tunnel_id 1000 session_id 3000 peer_session_id 4000
*Check configuration of tunnel on '''Tunnel1''' system:
# ip l2tp show tunnel
Tunnel 1000, encap UDP
From 1.1.1.2 to 2.2.2.2
Peer tunnel 2000
UDP source / dest ports: 6000/5000
# ip l2tp show session
Session 3000 in tunnel 1000
Peer session 4000, tunnel 2000
interface name: l2tpeth0
offset 0, peer offset 0
*Configure l2tp interface on '''Tunnel2''':
# ip l2tp add tunnel tunnel_id 2000 peer_tunnel_id 1000 encap udp local 2.2.2.2 remote 1.1.1.2 udp_sport 5000 udp_dport 6000
# ip l2tp add session tunnel_id 2000 session_id 4000 peer_session_id 3000
*Check configuration of tunnel on '''Tunnel2''' system:
# ip l2tp show tunnel
Tunnel 2000, encap UDP
From 2.2.2.2 to 1.1.1.2
Peer tunnel 1000
UDP source / dest ports: 5000/6000
# ip l2tp show session
Session 4000 in tunnel 2000
Peer session 3000, tunnel 1000
interface name: l2tpeth0
offset 0, peer offset 0
*Check MTU of newly created interfaces
# ip a s dev l2tpeth0
l2tpeth0: <BROADCAST,MULTICAST> mtu 1488 qdisc noop state DOWN qlen 1000
link/ether 1a:8f:6e:04:3f:a3 brd ff:ff:ff:ff:ff:ff
*Adjust MTU and enforce MSS on eth1 on both '''Tunnel1''' and '''Tunnel2''' systems to prevent fragmentation that can cause issues:
# ip link set eth1 mtu 1446
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1406:1536 -j TCPMSS --set-mss 1406
*Install bridge-utils on '''Tunnel1''' and '''Tunnel2''' systems:
# apt-get install bridge-utils
*Bridge the L2TP interface to eth1 on both the '''Tunnel1''' and '''Tunnel2''' systems so that is can communicate over the network:
# brctl addbr l2tp
# brctl addif l2tp eth1 l2tpeth0
*Check bridge configuration on '''Tunnel1''' and '''Tunnel2''' systems:
# brctl show
bridge name bridge id STP enabled interfaces
l2tp 8000.1a8f6e043fa3 no eth1 l2tpeth0
*Turn up the new l2tpeth0 interface on '''Tunnel1''' and '''Tunnel2''' systems so that it can be used:
# ip l set dev l2tpeth0 up
# ip l set dev l2tp up
Assuming you've done everything correctly here, you should now be able to use the '''Tunnel1''' and '''Tunnel2''' systems to send traffic over the same subnet on each side.
Example:
*Using the setup above, assume you have two additional systems setup.
**Computer1 -> Tunnel1
**Computer1 has eth1 configured with 192.168.0.3/24
**Computer2 -> Tunnel12
**Computer 2 has eth1 configured wtih 192.168.0.4/24
*Do a ping test to make sure Computer1 can talk to Computer2 through the l2tp link:
# ping -c5 192.168.0.4
64 bytes from 192.168.0.4: icmp_req=1 ttl=64 time=3.85 ms
64 bytes from 192.168.0.4: icmp_req=2 ttl=64 time=1.93 ms
64 bytes from 192.168.0.4: icmp_req=3 ttl=64 time=1.91 ms
64 bytes from 192.168.0.4: icmp_req=4 ttl=64 time=1.87 ms
64 bytes from 192.168.0.4: icmp_req=5 ttl=64 time=1.89 ms
*Successful output means that Computer1 can talk to Computer2 over the l2tp link since you're created a L2 link between each system.
The path that data will travel is:
Computer1 -> Tunnel1 -> Gateway -> Tunnel2 -> Computer2
'''''Reminder: There is no encryption on this setup, and since you've done a bridge at the L2 level'''.''
== OpenVPN ==
== OpenVPN ==