
L2TPv3 Server – Amer Networks E5Web GUI User Manual

Page 629


L2TP Version 3 (L2TPv3) is a tunneling protocol that is an alternative to standard L2TP (standard
L2TP is also referred to as L2TPv2). L2TPv2 can only tunnel PPP traffic, whereas L2TPv3 has the
key advantage of emulating the properties of an OSI layer 2 service. This is sometimes referred to
as Layer 2 Tunneling or as a pseudowire. This means L2TPv3 can carry Ethernet frames over an IP
network, allowing one or more Ethernet LANs to be joined together across the public internet.
cOS Core L2TPv3 can tunnel both Ethernet and VLANs.

Here is a summary of other advantages of L2TPv3 over L2TPv2:

Can be carried directly over IP without UDP. L2TPv2 requires UDP.

Better security against man-in-the-middle or packet-insertion attacks.

Support for many more tunnels or many more sessions within one tunnel.

Can be manually configured with static parameters and does not require a control channel.
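
The manual does not show the wire format behind these points. As an added example (not taken from the manual or from cOS Core), the Python code below follows the L2TPv3-over-IP data header defined in RFC 3931: a 32-bit session ID followed by an optional cookie, which the receiver checks before accepting a frame. The session table, cookie values and function names are constructed for illustration, and no L2-Specific Sublayer is assumed.

```python
import hmac
import struct

L2TPV3_IP_PROTO = 115  # IANA protocol number for L2TPv3 carried directly over IP

# Constructed session table: session ID -> cookie agreed for that session.
# RFC 3931 allows a cookie of 0, 4 or 8 bytes; its length is not in the packet,
# so the receiver must already know it from configuration or the control channel.
SESSIONS = {
    0x0001F4A2: bytes.fromhex("a1b2c3d4e5f60718"),
    0x0001F4A3: b"",  # session set up without a cookie
}


def build_l2tpv3_ip_data(session_id, cookie, frame):
    """Sender side: prepend the session header to an Ethernet frame."""
    return struct.pack("!I", session_id) + cookie + frame


def parse_l2tpv3_ip_data(payload, sessions=SESSIONS):
    """Validate an L2TPv3-over-IP data message and return (session_id, frame).

    Raises ValueError for anything the receiver should drop.
    Assumes no L2-Specific Sublayer follows the cookie.
    """
    if len(payload) < 4:
        raise ValueError("truncated: no session ID")
    (session_id,) = struct.unpack("!I", payload[:4])
    if session_id == 0:
        raise ValueError("session ID 0 marks a control message, not data")
    if session_id not in sessions:
        raise ValueError("unknown session ID")
    cookie = sessions[session_id]
    end = 4 + len(cookie)
    if len(payload) < end:
        raise ValueError("truncated: cookie missing")
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(payload[4:end], cookie):
        raise ValueError("cookie mismatch")
    return session_id, payload[end:]
```

The cookie only makes a blindly inserted packet hard to get accepted; it travels in cleartext and is not a substitute for the encryption discussed below.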

Other important considerations with L2TPv3 are:

Like standard L2TP, L2TPv3 does not provide encryption of transmitted data. If the L2TPv3
tunnel is to be secure, it should be used with IPsec or PPPoE.

cOS Core L2TPv3 can only be used with IPv4. IPv6 is not supported by cOS Core at this time.

L2TPv3 support in cOS Core allows the Clavister Security Gateway to act as either an L2TPv3
server or a client. Setting up these two functions is described next.

9.5.5.1. L2TPv3 Server

When the Clavister Security Gateway acts as an L2TPv3 server, it accepts connections from
L2TPv3 clients so that networks on either side of the client and server can appear transparently
connected to each other.

The steps for setup are described below. First, setup for non-VLAN scenarios is described and
then setup for VLAN scenarios.

Setting Up a Standard L2TPv3 Server

Standard L2TPv3 setup for packets without VLAN tags requires the following:

A. Define an L2TPv3 Server object.

The object will require the following properties to be set:

i. Local Network - Set this to the protected network that will be accessed through the
tunnel.

ii. Inner IP Address - Set this to any IPv4 address within the network used for the Local
Network property. As a convention, it is recommended to use the IPv4 address of the
physical interface connected to the protected network.

iii. Outer Interface Filter - Set this to be the listening interface for L2TPv3 client
connections. Without IPsec, this is set to a physical Ethernet interface. When using IPsec
for encryption, this is set to the IPsec tunnel object.

iv. Server IP - Set this to be the IP address of the listening interface.

B. Enable transparent mode for the protected interface.

Chapter 9: VPN
