
Add support for unencrypted L2TPv2 client connections
Open, Normal | Public | FEATURE REQUEST

Description

Please can you add support for unencrypted L2TPv2 over UDP (RFC2661) clients to VyOS.

Configuration might look something like this:

set interface l2tpv2 l2tp0 server l2tp.aa.net.uk
set interface l2tpv2 l2tp0 default-route force
set interface l2tpv2 l2tp0 mtu 1492
set interface l2tpv2 l2tp0 enable-ipv6
set interface l2tpv2 l2tp0 user-id <Username>
set interface l2tpv2 l2tp0 password <Password>

Or maybe l2tpv2 is an encapsulation type of another type of interface.

Andrews and Arnold (AAISP) offer this as a commercial service for people using 'inferior broadband':
https://www.aa.net.uk/broadband/l2tp-service/

They provide configuration guides:

The Cisco configuration seems the least intuitive.

As originally asked here:
https://forum.vyos.io/t/l2tp-for-ip-tunnel/3166

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

njh updated the task description.
njh rescinded a token.
njh awarded a token.

Also very interested in this. Ready and willing to test.

njh set Is it a breaking change? to Unspecified (possibly destroys the router).

Not had a lot of time recently, but I have kind of been waiting for the configuration nodes to be ported to Python, so that this can be written in the new / modern way.

Now that this is mostly done, I suspect that it wouldn't be too hard to implement - copying a different PPP-based module as a starting point.

It looks like xl2tpd is available in Debian, so won't need packaging separately:
https://packages.debian.org/stable/xl2tpd

And it looks like the kernel modules exist in my VyOS kernel (VyOS 1.3-rolling-202006110117):

vyos@vyos:~$ grep 'L2TP' /boot/config-4.19.125-amd64-vyos 
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_L2TP=m
CONFIG_L2TP_DEBUGFS=m
CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m
CONFIG_PPPOL2TP=m

Have you had any time to look into this more? I am at a point of wanting to migrate off a Mikrotik RouterOS virtualized instance to a piece of hardware and would love to move to VyOS at the same time.

Willing to test anything that might be needed in order to help move this along.

Should I hold out any hope for this to be implemented? Still willing to help test and do whatever I can to get this in.

I have a couple of routed public /29's which do not need encryption, as they are just internet crossing data anyway, and would like to use VyOS as a central router for all my connectivity before splitting out into the network.

Just adding my +1 for this feature, would be very useful.
If I get time in the coming weeks/months I will try and pick up on the analysis where @njh left off.

dmbaturin triaged this task as Normal priority. Jan 9 2024, 3:24 PM
dmbaturin added a project: VyOS 1.5 Circinus.
dmbaturin edited a custom field.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin set Issue type to improvement.

Looking into this a bit more. This request is to enable VyOS as a LAC - L2TPv2 client support against an LNS server, for which VyOS already has support. Most LACs are presented to LNSs as PPPoE connections; they are authenticated as LAC clients to an LNS. But there are cases such as Andrews & Arnold who allow the L2TP tunnel to come from anywhere.

While xl2tpd is the typical Linux LAC client, it's old, has a non-standard and a bit of a fugly CLI interface, and was deprecated from VyOS when accel-ppp was adopted.

accel-ppp does have support to work as an L2TP LAC against an LNS, but isn't well documented, which I believe is leading to some confusion on this ticket:

https://accel-ppp.org/forum/viewtopic.php?t=3459
https://github.com/xebd/accel-ppp/blob/master/accel-pppd/ctrl/l2tp/l2tp.c#L4833

dmbaturin changed Issue type from improvement to Feature (new functionality).