Home  Prev  cOS Core 15.00.01 Administration Guide  Next

11.5. L2TP Version 3

L2TP Version 3 (L2TPv3) is a tunneling protocol that is an alternative to standard L2TP (standard L2TP is also referred to as L2TPv2). L2TPv2 can only tunnel PPP traffic, whereas L2TPv3 has the key advantage of emulating the properties of an OSI layer 2 service. This is sometimes referred to as Layer 2 Tunneling or as a pseudowire. This means L2TPv3 can carry Ethernet frames over an IP network, allowing one or more Ethernet LANs to be joined together across the Internet. cOS Core L2TPv3 can tunnel both Ethernet as well as VLANs.

[Note] Note: HA clusters do not support L2TPv3

cOS Core high availability clusters do not support L2TPv3. It should not be configured with a cluster. This limitation is discussed further in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/324735705

Here is a summary of other advantages of L2TPv3 over L2TPv2:

Other important considerations with L2TPv3 are:

Passthrough Settings

Both the cOS Core L2TPv3 client and server objects have two pass through properties associated with them:

It should be noted that these properties are disabled by default and when enabled, the traffic that they allow to flow will not be subject to any rules or policies in the cOS Core configuration.

11.5.1. L2TPv3 Server

When the Clavister firewall acts as an L2TPv3 server this means it allows connection of L2TPv3 clients so that networks on either side of the client and server can appear transparently connected to each other.

The steps for setup are described below. First, setup for non-VLAN scenarios are described and then setup for VLAN scenarios.

Setting Up a Standard L2TPv3 Server

Standard L2TPv3 setup for packets without VLAN tags requires the following:

  • A. Define an L2TPv3 Server object.

    The object will require the following properties to be set:

    1. Local Network - Set this to the protected network that will be accessed through the tunnel.

    2. Inner IP Address - Set this to any IPv4 address within the network used for the Local Network property. As a convention, it is recommended to use the IPv4 address of the physical interface connected to the protected network.

    3. Outer Interface Filter - Set this to be the listening interface for L2TPv3 client connections. Without IPsec, this is set to a physical Ethernet interface. When using IPsec for encryption, this is set to the IPsec tunnel object.

    4. Server IP - Set this to be the IP address of the listening interface.

  • B. Enable transparent mode for the protected interface.

    Change the properties of the Ethernet interface connected to the protected network so that Transparent Mode is enabled.

  • C. Set any required L2TPv3 Server advanced options.

    Some L2TPv3 clients may require the setting of the option Host Name or Router ID for the server object. If the Host Name is set to None, the tunnel's Inner IP Address is used for this setting.

The illustration below shows a typical setup for L2TPv3 where the protected network on interface If3 can be accessed by L2TPv3 clients connecting to the L2TPv3 server listening on the interface If2.

An L2TPv3 Example

Figure 11.4. An L2TPv3 Example

Setting up the above scenario is covered in the example below.

Example 11.20. L2TPv3 Server Setup

Assume an L2TPv3 Server object called my_l2tpv3_if is to be set up so that L2TPv3 clients can connect to it on the If2 interface. The aim is to have the protected network If3_net on the If3 interface accessible to these clients using L2TPv3.

Command-Line Interface

A. First, define the L2TPv3 Server object: 

Device:/> add Interface L2TPv3Server my_l2tpv3_if
			IP=If3_ip
			LocalNetwork=If3_net
			Interface=If2
			ServerIP=If2_ip

B. Next, enable transparent mode on the protected interface If3: 

Device:/> set Interface Ethernet If3 AutoSwitchRoute=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. First, define an L2TPv3 Server object:

  1. Go to: Network > Interfaces and VPN > L2TPv3 Servers > Add > L2TPv3 Server
  2. Now enter:
    • Name: my_l2tpv3_if
    • Inner IP Address: If3_ip
    • Local Network: If3_net
    • Outer Interface Filter: If2
    • Server IP: If2_ip
  3. Click OK

B. Next, enable transparent mode on the protected interface If3:

  1. Go to: Network > Interfaces and VPN > Ethernet
  2. Select the If3 interface
  3. Select the option Enable transparent mode
  4. Click OK

The Protocol Property

The L2TPv3 Server configuration object has a Protocol property which defines the transport method for L2TPv3 communication at a lower protocol level. There are two options available:

  • UDP

    Using UDP as the lower level transport protocol is the default setting for this property and is recommended. It ensures that communication is able to traverse most network equipment and particularly if NAT is being employed in the path through network.

  • IP

    Using IP as the transport protocol allows packet processing to be optimized and therefore provides a means to transport data using less processing resources. However, some network equipment may not allow traversal and problems can occur where NAT is employed in the path through the network. Such problems can be solved by using UDP instead.

Using IPsec for Encryption

As with standard L2TP (L2TPv2), L2TPv3 does not provide encryption. To make communication secure, L2TPv3 should be therefore set up in conjunction with an IPsec Tunnel object and the listening interface then becomes the tunnel.

The setup of the IPsec tunnel follows the same procedure as for standard L2TP and this is described in Section 11.4.2, L2TP Servers.

Example 11.21. L2TPv3 Server Setup With IPsec

Assume the same scenario as the previous example, but this time the L2TPv3 tunnel is itself being tunneled through an IPsec Tunnel object called my_ipsec_tunnel.

Setup of the IPsec tunnel is not shown in this example but follows the same setup described in Section 11.4.2, L2TP Servers.

Command-Line Interface

A. First, define the L2TPv3 Server object: 

Device:/> add Interface L2TPv3Server my_l2tpv3_if
			IP=If3_ip
			LocalNetwork=If3_net
			Interface=my_ipsec_tunnel
			ServerIP=If2_ip

B. Next, enable transparent mode on the protected interface If3: 

Device:/> Set Interface Ethernet If3 AutoSwitchRoute=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. First, define an L2TPv3 Server object:

  1. Go to: Network > Interfaces and VPN > L2TPv3 Servers > Add > L2TPv3 Server
  2. Now enter:
    • Name: my_l2tpv3_if
    • Inner IP Address: If3_ip
    • Local Network: If3_net
    • Outer Interface Filter: my_ipsec_tunnel
    • Server IP: If2_ip
  3. Click OK

B. Next, enable transparent mode on the protected interface If3:

  1. Go to: Network > Interfaces and VPN > Ethernet
  2. Select the If3 interface
  3. Select the option Enable transparent mode
  4. Click OK

Setup With VLANs

The cOS Core L2TPv3 server can handle VLAN tagged Ethernet frames so that a protected internal network can be accessed by external clients over VLAN connections.

To do this with cOS Core, a pair of VLANs need to be configured, both with the same VLAN ID as the ID used by the clients. One VLAN is configured on the local, protected Ethernet interface. The other VLAN is configured on the L2TPv3 server interface. Both of these VLANs must have transparent mode enabled. In addition, a new routing table must be defined for each pair and each VLAN in the pair is made a member of that table.

The following is a summary of the setup steps for VLAN:

  • A. Define an L2TPv3 server interface object as described previously but do not enable transparent mode on the protected Ethernet interface.

  • B. Set up a VLAN interface object in the cOS Core configuration with the following properties:

    1. The VLAN ID is the same as the VLAN ID of packets sent by clients.

    2. The interface is the protected Ethernet interface.

    3. The network is the same as the protected local network.

    4. The IPv4 address for the VLAN is any arbitrary IP from the protected local network.

    5. Transparent mode for this VLAN is enabled.

  • C. Set up a second VLAN interface object with the following properties:

    1. The VLAN ID is the same as the previous VLAN and the same as the ID of packets sent by clients.

    2. The interface is the L2TPv3 Server object defined previously.

    3. The network is the same as the protected local network.

    4. The IPv4 address for the VLAN is any arbitrary IP from the protected local network but different from the previous VLAN.

    5. Transparent mode for this VLAN is enabled.

  • D. Define a new RoutingTable object for the pair.

  • E. Make each VLAN a member of this new routing table.

Example 11.22. L2TPv3 Server Setup For VLANs

Assume an L2TPv3 tunnel called my_l2tpv3_if is to be set up so that L2TPv3 clients can connect on the If2 interface. The protected network If3_net on the If3 interface will be accessible to these clients.

In addition, the clients will access over a VLAN within the tunnel that has a VLAN ID of 555.

It is assumed two arbitrary IPv4 addresses called If3_arbitrary_ip1 and If3_arbitrary_ip2 from the protected network If3_net have already been defined in the cOS Core address book.

Command-Line Interface

A. First, define an L2TPv3 Server object: 

Device:/> add Interface L2TPv3Server my_l2tpv3_if
			IP=If3_ip
			LocalNetwork=If3
			Interface=If2
			ServerIP=If2_ip

B. Next, create a VLAN object on the protected interface If3: 

Device:/> add Interface VLAN my_vlan_local
			Ethernet=If3
			VLANID=555
			IP=If3_arbitrary_ip1
			Network=If3_net
			AutoSwitchRoute=Yes

C. Last, create a VLAN object on the L2TPv3 tunnel interface my_l2tpv3_if: 

Device:/> add Interface VLAN my_vlan_l2tpv3
			Ethernet=my_l2tpv3_if
			VLANID=555
			IP=If3_arbitrary_ip2
			Network=If3_net
			AutoSwitchRoute=Yes

D. Define a new RoutingTable object for this VLAN pair: 

Device:/> add RoutingTable my_vlan_rt

E. Make each VLAN in the pair a member of this new routing table: 

Device:/> set Interface VLAN my_vlan_local
			MemberOfRoutingTable=Specific
			RoutingTable=my_vlan_rt

Device:/> set Interface VLAN my_vlan_l2tpv3
			MemberOfRoutingTable=Specific
			RoutingTable=my_vlan_rt

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. First, define an L2TPv3 Server object:

  1. Go to: Network > Interfaces and VPN > L2TPv3 Servers > Add > L2TPv3 Server
  2. Now enter:
    • Name: my_l2tpv3_if
    • Inner IP Address: If3_ip
    • Local Network: If3_net
    • Outer Interface Filter: If2
    • Server IP: If2_ip
  3. Click OK

B. Next, create a VLAN object on the protected interface If3:

  1. Go to: Network > Interfaces and VPN > VLAN > Add > VLAN
  2. Select the If3 interface
  3. Now enter:
    • Name: my_vlan_local
    • Interface: If3
    • VLAN ID: 555
    • IP Address: If3_arbitrary_ip1
    • Network: If3_net
  4. Select the option Enable transparent mode
  5. Click OK

C. Create a VLAN object on the L2TPv3 tunnel interface my_l2tpv3_if:

  1. Go to: Network > Interfaces and VPN > VLAN > Add > VLAN
  2. Select the If3 interface
  3. Now enter:
    • Name: my_vlan_l2tpv3
    • Interface: my_l2tpv3_if
    • VLAN ID: 555
    • IP Address: If3_arbitrary_ip2
    • Network: If3_net
  4. Select the option Enable transparent mode
  5. Click OK

D. Define a new RoutingTable object for this VLAN pair:

  1. Go to: Network > Routing > Routing Tables > Add > Routing Table
  2. For Name enter my_vlan_rt
  3. Click OK

E. Make each VLAN in the pair a member of this new routing table:

  1. Go to: Network > Interfaces and VPN > VLAN
  2. Select my_vlan_local and edit the object:
    • Go to Virtual Routing
    • Select Make interface a member of a specific routing table
    • For the Routing Table select my_vlan_rt
    • Click OK
  3. Select my_vlan_l2tpv3 and edit the object:
    • Go to Virtual Routing
    • Select Make interface a member of a specific routing table
    • For the Routing Table select my_vlan_rt
    • Click OK

11.5.2. L2TPv3 Client

A Clavister firewall can also act as an L2TPv3 client. This allows a remote firewall configured as an L2TPv3 client to act as a concentrator of traffic from locally connected clients so it is sent through a single L2TPv3 tunnel to an L2TPv3 server.

The following steps are required to configure cOS Core to be an L2TPv3 client:

  • A. Define an L2TPv3Client object with the following properties:
    1. Inner IP Address - The local IP address inside the tunnel. This is usually the IP address of the physical interface which is the local tunnel endpoint
    2. Local Network - The protected local network accessible through the tunnel.
    3. Pseudowire Type - This will normally be Ethernet. Set to VLAN for VLANs
    4. Protocol - This will normally be UDP.
    5. Remote Endpoint - The IP address of the server.
  • B. Enable transparent mode on the inner interface where the protected network is located.

Example 11.23. L2TPv3 Client Setup

In this example, an L2TPv3 Client object called my_l2tpv3_client is to be created. This will connect with the L2TPv3 server with the IP address l2tpv3_server_ip.

This client will connect to the server over an IPsec tunnel called l2tpv3_ipsec_tunnel. It is assumed that the tunnel has already been defined.

Command-Line Interface

A. First, define the L2TPv3Client object: 

Device:/> add Interface L2TPv3Client my_l2tpv3_client
			IP=inner_client_ip
			LocalNetwork=If1_net
			PseudowireType=Ethernet
			Protocol=UDP
			RemoteEndpoint=l2tpv3_server_ip

B. Next, enable transparent mode on the protected interface If1: 

Device:/> set Interface Ethernet If1 AutoSwitchRoute=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. First, define an L2TPv3 Client object:

  1. Go to: Network > Interfaces and VPN > L2TPv3 Client > Add > L2TPv3 Client
  2. Now enter:
    • Name: my_l2tpv3_client
    • Inner IP Address: inner_client_ip
    • Local Network: If1_net
    • Pseudowire Type: Ethernet
    • Protocol: UDP
    • Remote Endpoint: l2tpv3_server_ip
  3. Click OK

B. Next, enable transparent mode on the protected interface If1:

  1. Go to: Network > Interfaces and VPN > Ethernet
  2. Select the If1 interface
  3. Select the option Enable transparent mode
  4. Click OK

Using IPsec for Encryption

As stated previously, L2TPv3 does not provide encryption. For encryption across the Internet, IPsec should be used. The following example shows how this is achieved by specifying the IPsec tunnel to be used as a property of the L2TPv3 client object.

Example 11.24. L2TPv3 Client Setup With IPsec

This example is the same as the previous example but uses an IPsec tunnel to the server for encryption. It is assumed that the IPsec tunnel object has already been defined with the name l2tpv3_ipsec_tunnel.

IPsec tunnel setup is not shown here but it will follow the exact same procedure for L2TP which is shown in Example 11.19, “Setting Up an L2TP Tunnel Over IPsec”.

Command-Line Interface

A. Define the L2TPv3Client object: 

Device:/> add Interface L2TPv3Client my_l2tpv3_client
			IP=inner_client_ip
			LocalNetwork=If1_net
			PseudowireType=Ethernet
			Protocol=UDP
			RemoteEndpoint=l2tpv3_server_ip
			IPsecInterface=l2tpv3_ipsec_tunnel

B. Next, enable transparent mode on the protected interface If1: 

Device:/> set Interface Ethernet If1 AutoSwitchRoute=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. First, define an L2TPv3 Client object:

  1. Go to: Network > Interfaces and VPN > L2TPv3 Client > Add > L2TPv3 Client
  2. Now enter:
    • Name: my_l2tpv3_client
    • Inner IP Address: inner_client_ip
    • Local Network: If1_net
    • Pseudowire Type: Ethernet
    • Protocol: UDP
    • Remote Endpoint: l2tpv3_server_ip
    • IPsecInterface: l2tpv3_ipsec_tunnel
  3. Click OK

B. Next, enable transparent mode on the protected interface If1:

  1. Go to: Network > Interfaces and VPN > Ethernet
  2. Select the If1 interface
  3. Select the option Enable transparent mode
  4. Click OK

Setup With VLANs

The cOS Core L2TPv3 client can handle VLAN tagged Ethernet frames so that a protected internal network can access an external network over VLAN connections. The setup of the VLANs is done in the same way as for the server and this is fully described in Section 11.5.1, L2TPv3 Server.

When setting up the L2TPv3 client object, the PseudowireType property must be set to the value VLAN.

Home  Prev   Next