2010-04-24 17:53:49

following open source implementations:

l2tpd: originally by Mark Spencer, Jeff McAdams and others (project webpage previously at and ). Now maintained by Damion de Soto and Robert Vogelgesang, but development seems to have stalled. Included with Debian/Ubuntu and Mandriva.

xl2tpd: a version of l2tpd by Xelerance, the main authors of Openswan. In active development. xl2tpd is included with Fedora and Debian/Ubuntu. The upcoming version 1.2.x is expected to support the PPPoL2TP module (CONFIG_PPPOL2TP) that is included in Linux kernel 2.6.23+. Data packets will then be processed by the kernel (fast); only the control messages will be handled by the userland daemon.

rp-l2tp: an L2TP server implementation by Roaring Penguin, of rp-pppoe fame. Development has stalled.

OpenL2TP: already supports the PPPoL2TP module in Linux kernel 2.6.23+. A patch is available for older kernel versions, which requires (re-)compiling the PPPoL2TP module for those kernel versions. Binary RPMs are available for some distributions. When used with Openswan or ipsec-tools (racoon) OpenL2TP has been tested with several L2TP/IPsec clients and servers including Windows 2000/XP, Mac OS X and Draytek. It has also been tested with a Cisco 3600 router and a commercial IXIA network protocol tester in configurations without IPsec. In active development.

l2tpns: this is an L2TP server with an integrated PPP server by Optus Internet Engineering. The functionality of the PPP server is limited, compared to pppd. Unlike l2tpd, it cannot be used as a client, only as a server. "l2tpns does not require pppd or any kernel patches. It can support up to 65535 active sessions on a single box. Also supports ISP features like speed throttling, walled garden, usage accounting, and more". An example L2TP/IPsec configuration is provided by Alan Whinery and another one by Wolfgang Hennerbichler. l2tpns is in active development and appears to be the preferred L2TP daemon in Debian/Ubuntu.

l2tp: a kernel-mode implementation. Seems to be defunct, no new versions since January 2002.

Apple's L2TP client plugin for pppd: I don't know if this one can be used for anything else but Mac OS X (there is also an L2TP kernel extension?). Is the server part from Mac OS X Server available as well?

internet-l2tp: = l2tpd + wrapper scripts in Portuguese?

sl2tps: a simple, statically configured L2TP server for FreeBSD (alpha quality). It probably won't run on Linux but I am just mentioning it for completeness.

I have mainly used l2tpd and its fork xl2tpd. It was the first L2TP server available, it is released under the GPL, and it is probably the easiest L2TP server to use, for the following reasons:

L2tpd has a simple configuration file called l2tpd.conf which is reasonably intuitive to configure.

L2tpd runs in user mode so there is no kernel recompilation needed. Recompiling the kernel is often a lot of trouble.

L2tpd has built-in support for IP pools, which means that l2tpd can dynamically assign internal IP addresses from a pool that it maintains itself. The other L2TP servers require a RADIUS server to maintain an IP pool.

L2tpd uses pppd. This is a well-known PPP implementation which is very complete and has several authentication options and plugins.

There are also some drawbacks:

L2tpd runs in user mode and uses pppd, so it is slower than kernel mode L2TP servers.

L2tpd is in maintenance mode. No new features are to be expected, but bugs and security vulnerabilities will be fixed if reported.

There is not a very active user community (older archive). There are some concerns about the code quality and possibly security issues in l2tpd. It seems to me that l2tpd is great to get started and easy to use for small setups.

However, for a serious deployment with a considerable number of clients, you will probably want to use one of the other L2TP servers: rp-l2tp, l2tpns or possibly OpenL2TP.

For practical use you will also need a RADIUS, LDAP or other authentication server. Debian, for instance, now prefers l2tpns over l2tpd.

The authors of l2tpd, rp-l2tp, l2tpns and OpenL2TP use their software in commercial settings.

However, I don't know how robust these L2TP implementations are.

I have confidence in Openswan, and pppd is used by lots of people all over the world, but Open Source L2TP implementations are fairly new on the scene. Emphasis seems to be on functionality.

Security may not have been that much of a concern.

This may not be too much of a problem, as long as the L2TP server is not exposed directly to the Internet (see these security considerations).

That is because users can only reach the L2TP daemon once they have been authenticated through Openswan, which was designed with security in mind. In practice this means that UDP port 1701 must only be reachable through the IPsec tunnel, never directly from the Internet; the L2TP daemon itself does no authentication before it starts parsing control messages from a peer.
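The following firewall rules enforce that property. This is an added example, not code from the original page or from any of the L2TP projects above: it assumes a Linux server with iptables and the xtables "policy" match, the public interface name is passed as an argument (eth0 in the test), and the IPT variable exists only so the rules can be previewed with IPT=echo. The rules accept UDP port 1701 only when the kernel decapsulated the packet from an ESP security association, and drop L2TP that arrives or leaves in the clear.

```shell
#!/bin/sh
# Added example (not from the original page): restrict the L2TP daemon (UDP/1701)
# to traffic that came through an IPsec SA. Assumes Linux iptables with the
# xtables "policy" match (-m policy). Set IPT=echo to preview the rules.
IPT="${IPT:-iptables}"

# l2tp_ipsec_only_rules <public interface>
l2tp_ipsec_only_rules() {
    ext_if=$1
    # IKE (UDP 500), NAT-T (UDP 4500) and ESP must be reachable so that Openswan
    # can authenticate the peer before any L2TP packet is ever seen.
    "$IPT" -A INPUT -i "$ext_if" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -i "$ext_if" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A INPUT -i "$ext_if" -p esp -j ACCEPT
    # L2TP is accepted only if the packet was decapsulated from ESP: the policy
    # match sees the inbound IPsec policy the packet was processed under.
    "$IPT" -A INPUT -i "$ext_if" -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # The same packet arriving in the clear is an unauthenticated client talking
    # straight to the daemon: drop it.
    "$IPT" -A INPUT -i "$ext_if" -p udp --dport 1701 -j DROP
    # Never let the daemon answer in the clear either, e.g. if the IPsec SA has
    # gone away while the L2TP tunnel is still up.
    "$IPT" -A OUTPUT -o "$ext_if" -p udp --sport 1701 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    "$IPT" -A OUTPUT -o "$ext_if" -p udp --sport 1701 -j DROP
}

# Preview: IPT=echo sh thisfile.sh eth0 ; apply for real by running as root.
[ -n "$1" ] && l2tp_ipsec_only_rules "$1"
```

With NAT-T the L2TP packets arrive inside UDP 4500; after the kernel has decapsulated them they are again UDP 1701 packets and the policy match applies to them in the same way. Verify on a running server with "iptables -S INPUT": the only ACCEPT for dpt 1701 should carry the policy match.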

Dossy Shiobara reports that rp-l2tp works for L2TP/IPsec, which I can confirm.

One thing to note is that both l2tpd and rp-l2tp use the same location for their daemon: /usr/sbin/l2tpd.

That is very unfortunate but in most cases you will only install one of these two daemons so it should not be that much of a problem.

Rp-l2tp seems to have a better code base than l2tpd. Most of the L2TP daemons (l2tpd is the exception) have the drawback that they cannot assign dynamic internal (virtual) IP addresses by themselves.

This is not an issue if you want to assign fixed internal addresses to your users. But this is a problem if you want to assign dynamic IP addresses to users.

Three solutions have been proposed:

The first solution is to extend the L2TP servers so that they hand out IP addresses dynamically themselves. This approach more or less violates the OSI networking layering model, but this is how l2tpd does it. Nobody has implemented this solution for the other L2TP daemons (yet).

The second solution is to let the PPP server obtain IP addresses from a DHCP server that you already might have on your network. For this to work you need a pppd plugin called ppp-dhcp (for more information read this thread, with additional configuration tips by Ben McKeegan in this thread).

The third solution is to use pppd version 2.4.2 or later which supports RADIUS (alternatively, there is a plugin for pppd 2.4.1 by Anton Voronin, see also this post). The RADIUS solution is of course the most flexible but it requires a RADIUS server which adds to the complexity, especially if you have only a few users. Your RADIUS server must support a feature called "IP pools" if you want to use it with PPP (I believe FreeRADIUS does).

Except when you use l2tpns, you will also need a PPP server since L2TP is used to tunnel PPP. Most distributions ship with a PPP server (pppd). No sample PPP configuration files were included with l2tpd, so I made some myself (included with the l2tpd RPM mentioned above). Again, I don't claim that these are the best but they should get you started. Fine-tuning the l2tpd and pppd configuration and/or switching to a different L2TP implementation may be required for the best results.

According to Wolfgang Hennerbichler, Windows 2000/XP/Vista and Mac OS X also support DHCP in order to retrieve settings such as domain names, static routes etc. from the VPN server. You need a DHCP server that supports "DHCP Inform" (DHCPINFORM) messages, such as ISC DHCPD 3.x or higher. Only Mac OS X 10.5 ("Leopard") and Windows 2000/XP/Vista clients support these messages at this time.
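As an added example for the two points above (the daemon's own IP pool as the first of the three solutions, and the pppd configuration that l2tpd does not ship), the following script renders an xl2tpd.conf that hands out addresses from the daemon's own pool together with a pppd options file that refuses the weak PPP authentication methods. It is not the page's own configuration and not code from l2tpd, xl2tpd or pppd; the directive names are those of xl2tpd.conf and pppd (the options file needs pppd 2.4.2 or later for MS-CHAPv2), while the addresses, the output directory and the file names are assumptions. It refuses to write anything if the server's "local ip" lies inside the client pool, because a client could then be handed the same address the server uses for its own end of the links.

```shell
#!/bin/sh
# Added example (not from the original page): render xl2tpd.conf with a built-in
# IP pool plus a hardened pppd options file. Addresses and paths are assumptions.

# dotted quad -> integer, so pool bounds can be compared with shell arithmetic
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_pool <pool start> <pool end> <ip>: prints yes if <ip> is inside the pool
in_pool() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2"); ip=$(ip2int "$3")
    if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then echo yes; else echo no; fi
}

# pool_size <pool start> <pool end>: how many clients the pool can serve at once
pool_size() {
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# write_l2tp_configs <local ip> <pool start> <pool end> <dns> <output dir>
write_l2tp_configs() {
    local_ip=$1; pool_lo=$2; pool_hi=$3; dns=$4; dir=$5
    if [ "$(in_pool "$pool_lo" "$pool_hi" "$local_ip")" = yes ]; then
        echo "local ip $local_ip lies inside the client pool $pool_lo-$pool_hi" >&2
        return 1
    fi
    cat > "$dir/xl2tpd.conf" <<EOF
[global]
port = 1701
[lns default]
; the daemon's own pool (first solution above): no RADIUS or DHCP needed
ip range = $pool_lo-$pool_hi
local ip = $local_ip
; make pppd authenticate every client and refuse cleartext PAP at the L2TP level too
require authentication = yes
refuse pap = yes
name = LinuxVPNserver
pppoptfile = $dir/options.xl2tpd
length bit = yes
EOF
    cat > "$dir/options.xl2tpd" <<EOF
# weak form: "noauth", or "require-pap" / "require-chap", would accept a client
# with a cleartext or MD5-CHAP password. Hardened: peer must use MS-CHAPv2 and
# we refuse to identify ourselves with anything weaker.
auth
require-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
ms-dns $dns
noccp
idle 1800
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
connect-delay 5000
EOF
    echo "wrote $dir/xl2tpd.conf and $dir/options.xl2tpd ($(pool_size "$pool_lo" "$pool_hi") pool addresses)"
}

# usage: sh thisfile.sh  -> writes the files into /etc/xl2tpd and /etc/ppp style paths of your choice
[ -n "$5" ] && write_l2tp_configs "$1" "$2" "$3" "$4" "$5"
```

The MTU/MRU of 1410 leaves room for the L2TP, UDP, ESP and (with NAT-T) extra UDP headers inside a 1500-byte Ethernet frame; raise it only if you have checked that fragmentation does not occur on your path.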
