Project VOLANS: Setting up VPN using L2TP

:: Setting up VPN using L2TP ::
HOME

Click Here for Comparison Chart for different VPN solutions

Recipe to set up VPN using l2tpd

l2tpd is a prototype implementation for the Layer 2 Tunneling Protocol decribed in RFC2661.
Start by downloading the tarball for the latest version (0.69). The following instructions apply only to l2tpd-0.69.
The source code is not configured using one of GNU's autoconfiguration tools. Hence one has to use make all to compile. Later you will have to manually copy the l2tpd executable to /usr/local/sbin or any other preferred location.

There are some documents and configurarion in the ./doc directory. I had to manully transfer the manual pages to appropriate directories.

[shashank@mia doc]# ls
l2tp-secrets.5  l2tp-secrets.sample  l2tpd.8  l2tpd.conf.5  l2tpd.conf.sample  origREADME  rfc2661.txt

[shashank@mia doc]# gzip l2tp-secrets.5
[shashank@mia doc]# gzip l2tpd.8
[shashank@mia doc]# gzip l2tpd.conf.5
[shashank@mia doc]# ls
l2tp-secrets.5.gz  l2tp-secrets.sample  l2tpd.8.gz  l2tpd.conf.5.gz  l2tpd.conf.sample  origREADME  rfc2661.txt

[shashank@mia doc]# cp ./l2tpd.8.gz /usr/share/man/man8
[shashank@mia doc]# cp ./l2tp-secrets.5.gz /usr/share/man/man5
[shashank@mia doc]# cp ./l2tpd.conf.5.gz /usr/share/man/man5

Now man l2tpd; man l2tpd.conf and man l2tp-secrets should show you the help file. Hopefully all this should change in the future. (Hint:Just the Makefile needs to be changed a bit to do this.)

I am asssuming that we are using the following setup with mia as the client(LAC) and zidler as the server(LNS). However the configuration files that I list here, will allow any one to be the LNS or LAC.
Before starting out, I have decided that I will use /etc/l2tp to store all my configuration files.
```
[shashank@mia l2tp]# ls | more
l2tp-secrets                     ==> Used to store all the secrets
l2tpd.conf                       ==> Used to store the configuration for l2tpd
options.l2tp                     ==> Used to store the configuration options for pppd.
```
NOTE: When run as an LAC, the l2tpd always passes just two options to pppd (passive and -detach). However the version of the pppd(2.4.2) that I am using, has replaced the -detach option, with nodetach. As a result of this, I was getting "Serial Line is Looped back Error", which was due to pppd detaching itself from the terminal.
HOW TO SOLVE THIS PROBLEM: There are two ways for doing this:
1. hack into the source and change the -detach option to nodetach and recompile.
2. pppd reads default options from the options file /etc/ppp/options, if no specific options file is specified. I just put the nodetach option in this file and everything worked out well. Below is the file:
```
# cat /etc/ppp/options
lock
noauth 
debug 
dump 
logfd 2 
passive 
nodetach
noccp 
novj 
novjccomp 
nopcomp 
noaccomp
```

Let me start with Zidler. Below I list the contents of the three files mentioned above. All the options are almost self explanatory. If in doubt, read the man pages.

shashank@zidler:/etc/l2tp# cat l2tp-secrets 
# Secrets for authenticating l2tp tunnels
# us    them    secret
zidler  mia     abcd1234
---------------------------------------------------------------------------------
shashank@zidler:/etc/l2tp# cat l2tpd.conf 
[global]                                                ; Global parameters:
port = 1701                                             ; * Bind to port 1701
auth file = /etc/l2tp/l2tp-secrets                      ; * Where our challenge secrets are
access control = no                                     ; * Refuse connections without IP match
; rand source = dev                                     ; Source for entropy for random
;                                                       ; numbers, options are:
;                                                       ; dev - reads of /dev/urandom
;                                                       ; sys - uses rand()
;                                                       ; egd - reads from egd socket
;                                                       ; egd is not yet implemented
;


[lns default]                                           ; Our fallthrough LNS definition
exclusive = yes                                         ; * Only permit one tunnel per host
ip range = 192.168.254.202-192.168.254.210              ; * Allocate from this IP range
lac = 131.193.50.165                                    ; * These can connect as LAC's
hidden bit = no                                         ; * Use hidden AVP's?
local ip = 192.168.254.201                              ; * Our local IP to use
length bit = yes                                        ; * Use length bit in payload?
refuse authentication = yes                             ; * Refuse authentication altogether
;require chap = yes                                     ; * Require CHAP auth. by peer
;refuse pap = yes                                       ; * Refuse PAP authentication
; refuse chap = no                                      ; * Refuse CHAP authentication
; require authentication = yes                          ; * Require peer to authenticate
; unix authentication = no                              ; * Use /etc/passwd for auth.
name = zidler                                           ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options                         ; * ppp options file
pppoptfile = /etc/l2tp/options.l2tp                     ; * ppp options file
; call rws = 10                                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                                        ; * Include sequence numbers
; challenge = yes                                       ; * Challenge authenticate peer ; 
;

[lac mia]                                               ; Example VPN LAC definition
lns = 131.193.50.165                                    ; * Who is our LNS?
; lns = lns2.marko.net                                  ; * A backup LNS (not yet used)
; redial = yes                                          ; * Redial if disconnected?
; redial timeout = 15                                   ; * Wait n seconds between redials
; max redials = 5                                       ; * Give up after n consecutive failures
; hidden bit = yes                                      ; * User hidden AVP's?
; local ip = 192.168.1.1                                ; * Force peer to use this IP for us
; remote ip = 192.168.1.2                               ; * Force peer to use this as their IP
; length bit = no                                       ; * Use length bit in payload?
refuse authentication = yes                             ; * Refuse authentication altogether
; require pap = no                                      ; * Require PAP auth. by peer
; require chap = yes                                    ; * Require CHAP auth. by peer
; refuse pap = yes                                      ; * Refuse PAP authentication
; refuse chap = no                                      ; * Refuse CHAP authentication
; require authentication = yes                          ; * Require peer to authenticate
name = zidler                                           ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
pppoptfile = /etc/l2tp/options.l2tp                     ; * ppp options file IGNORED HERE
; call rws = 10                                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                                        ; * Include sequence numbers
; challenge = yes                                       ; * Challenge authenticate peer 
;
; [lac cisco]                                           ; Another quick LAC
; lns = cisco.marko.net                                 ; * Required, but can take from default
; require authentication = yes
---------------------------------------------------------------------------------
shashank@zidler:/etc/l2tp# cat options.l2tp 
lock
noauth
debug
dump
logfd 2
logfile /var/log/l2tpd.log
nodetach
noccp
novj
novjccomp
nopcomp
noaccomp

Now turning towards mia. Below I list the contents of the three files: Again all the options are almost self explanatory. If in doubt, read the man pages.

[shashank@mia l2tp]# cat l2tp-secrets
# Secrets for authenticating l2tp tunnels
# us    them    secret
mia     zidler  abcd1234
---------------------------------------------------------------------------------
[shashank@mia l2tp]# cat l2tpd.conf
[global]                                                ; Global parameters:
port = 1701                                             ; * Bind to port 1701
auth file = /etc/l2tp/l2tp-secrets                      ; * Where our challenge secrets are
access control = no                                     ; * Refuse connections without IP match
; rand source = dev                                     ; Source for entropy for random
;                                                       ; numbers, options are:
;                                                       ; dev - reads of /dev/urandom
;                                                       ; sys - uses rand()
;                                                       ; egd - reads from egd socket
;                                                       ; egd is not yet implemented
;

[lns default]                                           ; Our fallthrough LNS definition
exclusive = yes                                         ; * Only permit one tunnel per host
ip range = 192.168.254.202-192.168.254.210              ; * Allocate from this IP range
lac = 131.193.50.184                                    ; * These can connect as LAC's
hidden bit = no                                         ; * Use hidden AVP's?
local ip = 192.168.254.200                              ; * Our local IP to use
length bit = yes                                        ; * Use length bit in payload?
refuse authentication = yes                             ; * Refuse authentication altogether
;require chap = yes                                     ; * Require CHAP auth. by peer
;refuse pap = yes                                       ; * Refuse PAP authentication
;refuse chap = no                                       ; * Refuse CHAP authentication
;require authentication = yes                           ; * Require peer to authenticate
;unix authentication = no                               ; * Use /etc/passwd for auth.
name = mia                                              ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
pppoptfile = /etc/l2tp/options.l2tp                             ; * ppp options file
; call rws = 10                                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                                        ; * Include sequence numbers
; challenge = yes                                       ; * Challenge authenticate peer ; 
;

[lac zidler]                                            ; Example VPN LAC definition
lns = 131.193.50.184                                    ; * Who is our LNS?
; lns = lns2.marko.net                                  ; * A backup LNS (not yet used)
; redial = yes                                          ; * Redial if disconnected?
; redial timeout = 15                                   ; * Wait n seconds between redials
; max redials = 5                                       ; * Give up after n consecutive failures
; hidden bit = yes                                      ; * User hidden AVP's?
; local ip = 192.168.1.1                                ; * Force peer to use this IP for us
; remote ip = 192.168.1.2                               ; * Force peer to use this as their IP
; length bit = no                                       ; * Use length bit in payload?
refuse authentication = yes                             ; * Refuse authentication altogether
; require pap = no                                      ; * Require PAP auth. by peer
; require chap = yes                                    ; * Require CHAP auth. by peer
; refuse pap = yes                                      ; * Refuse PAP authentication
; refuse chap = no                                      ; * Refuse CHAP authentication
; require authentication = yes                          ; * Require peer to authenticate
name = mia                                              ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options                         ; * ppp options file for this lac
pppoptfile = /etc/l2tp/options.l2tp                     ; * ppp options file for this lac
; call rws = 10                                         ; * RWS for call (-1 is valid)
; tunnel rws = 4                                        ; * RWS for tunnel (must be > 0)
; flow bit = yes                                        ; * Include sequence numbers
; challenge = yes                                       ; * Challenge authenticate peer 
;
; [lac cisco]                                           ; Another quick LAC
; lns = cisco.marko.net                                 ; * Required, but can take from default
; require authentication = yes
---------------------------------------------------------------------------------
[shashank@mia l2tp]# cat options.l2tp 
lock         
noauth    
debug        
dump         
logfd 2      
logfile /var/log/l2tpd.log  
nodetach
noccp 
novj 
novjccomp 
nopcomp 
noaccomp

To start using L2TP use the following command to start the l2tp daemon on both the LAC and LNS. If in doubt use l2tpd --help to view more options.
```
#> l2tpd -D -c /etc/l2tp/l2tpd.conf -s /etc/l2tp/l2tp-secrets
```
The above command will create a file /var/run/l2tp-control. Commands can be given to the l2tp daemon by echo'ing them to this file.
Since -D option is given, the l2tpd will execute in foreground and you can view all the messages on the terminal.

I then give the following commands to the l2tpd on zidler, from another terminal: Below I also show the corresponding output spit out by l2tpd (on the first terminal).

shashank@zidler:/etc/l2tp# echo "t mia" > /var/run/l2tp-control 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
shashank@zidler:/etc/l2tp# /usr/local/sbin/l2tpd -D -c /etc/l2tp/l2tpd.conf
--SNIP--
do_control: Got message t mia (5 bytes long)
do_control: Attempting to tunnel to mia
ourtid = 17405, entropy_buf = 43fd
l2tp_call:Connecting to host mia, port 1701
check_control: control, cid = 0, Ns = 0, Nr = 1
handle_avps: handling avp's for tunnel 17405, call 0
message_type_avp: message type 2 (Start-Control-Connection-Reply)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1680 (0x0690)
hostname_avp: peer reports hostname 'eriwan'
vendor_avp: peer reports vendor 'l2tpd.org'
assigned_tunnel_avp: using peer's tunnel 33663
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
control_finish: Connection established to 131.193.50.165, 1701.  Local: 17405, Remote: 33663.
check_control: control, cid = 0, Ns = 1, Nr = 2
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

shashank@zidler:/etc/l2tp# echo "s" > /var/run/l2tp-control
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--SNIP--
do_control: Got message s (1 bytes long)
====== l2tpd statistics ========
 Scheduler entries:
1: HELLO to 33663
Total Events scheduled: 1
Number of tunnels open: 1
Highest file descriptor: 6
Tunnel , ID = 17405 (local), 33663 (remote) to 131.193.50.165:1701
   control_seq_num = 3, control_rec_seq_num = 2,
   cLr = 3
==========Config File===========
LAC entry mia, LNS is/are: 131.193.50.165
================================
--SNIP--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

shashank@zidler:/etc/l2tp# echo "c 17405" > /var/run/l2tp-control
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--SNIP--
do_control: Got message c 17405 (7 bytes long)
do_control: Attempting to call on tunnel 17405
ourcid = 47307, entropy_buf = b8cb
lac_call: Calling on tunnel 17405
check_control: control, cid = 0, Ns = 3, Nr = 5
handle_avps: handling avp's for tunnel 17405, call 47307
message_type_avp: message type 11 (Incoming-Call-Reply)
assigned_call_avp: using peer's call 32532
control_finish: Call established with 131.193.50.165, Local: 47307, Remote: 32532, Serial: 1
start_pppd: I'm running:  "/usr/sbin/pppd" "passive" "-detach" 
check_control: control, cid = 0, Ns = 4, Nr = 5
check_control: control, cid = 32532, Ns = 4, Nr = 6
--SNIP--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Just a side note. A tcpdump taken on zidler will show you how the messages are exchanged. The below output might help to set correspoding options for pppd. For more information, read the explanation given in here, point (x).

shashank@zidler:/home/shashank# tcpdump -i eth0 dst port 1701
tcpdump: listening on eth0
19:10:36.631383 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
19:10:36.632393 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[TLS](52784/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
19:10:36.636087 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[TLS](22626/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)  (DF)
19:10:36.636306 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[TLS](52784/0)Ns=1,Nr=2 ZLB (DF)
19:10:51.331677 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[TLS](22626/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(4193) *CALL_SER_NUM(1) *BEARER_TYPE()  (DF)
19:10:51.332070 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[TLS](52784/4193)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(57712)  (DF)
19:10:51.332074 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[TLS](52784/0)Ns=2,Nr=3 ZLB (DF)
19:10:51.333774 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[TLS](22626/57712)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(10000000) *FRAMING_TYPE(S) *RX_CONN_SPEED(10000000)  (DF)
19:10:51.341311 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[TLS](52784/4193)Ns=2,Nr=4 ZLB (DF)
19:10:51.365145 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=d80f4134, PFC, ACFC} (DF)
19:10:51.373232 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=84e6d656, PFC, ACFC} (DF)
19:10:51.374095 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=d80f4134, PFC, ACFC} (DF)
19:10:51.374144 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=84e6d656, PFC, ACFC} (DF)
19:10:51.403745 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {CCP 14: Conf-Req(1), Deflate, MVRCA} (DF)
19:10:51.403833 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {IPCP 18: Conf-Req(1), IP-Comp VJ-Comp, IP-Addr=192.168.254.200} (DF)
19:10:51.516074 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {CCP 14: Conf-Req(1), Deflate, MVRCA} (DF)
19:10:51.516261 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {IPCP 18: Conf-Req(1), IP-Comp VJ-Comp, IP-Addr=zidler.ece.uic.edu} (DF)
19:10:51.516605 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {CCP 14: Conf-Ack(1), Deflate, MVRCA} (DF)
19:10:51.516766 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {IPCP 12: Conf-Nak(1), IP-Addr=192.168.254.202} (DF)
19:10:51.517523 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {CCP 14: Conf-Ack(1), Deflate, MVRCA} (DF)
19:10:51.517712 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {IPCP 18: Conf-Ack(1), IP-Comp VJ-Comp, IP-Addr=192.168.254.200} (DF)
19:10:51.518440 zidler.ece.uic.edu.l2tp > mia.ece.uic.edu.l2tp:  l2tp:[](22626/57712) {IPCP 18: Conf-Req(2), IP-Comp VJ-Comp, IP-Addr=192.168.254.202} (DF)
19:10:51.518647 mia.ece.uic.edu.l2tp > zidler.ece.uic.edu.l2tp:  l2tp:[L](52784/4193) {IPCP 18: Conf-Ack(2), IP-Comp VJ-Comp, IP-Addr=192.168.254.202} (DF)

Check if the ppp0 interface has come up using ifconfig. Should look like:

[shashank@mia shashank]# ifconfig
--SNIP--
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.254.200  P-t-P:192.168.254.202  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:72 (72.0 b)  TX bytes:66 (66.0 b)

Use the route command to add routes to the remote LAN's. For example:

zidler:#>route add -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
--------------------------------------------------------------------
mia:#>route add -net 192.168.2.0 netmask 255.255.255.0 dev ppp0

Use netstat -rn and ping to check the connectivity.
Use killall -9 l2tpd_process_id to take down the interface. You can even do so using the following commands echo'ed to /var/run/l2tp-control. Here "callID" and "tunnelID" can be found by echo'ing "s" to /var/run/l2tp-control.
```
zidler#>echo "h callID" > /var/run/l2tp-control
zidler#>echo "d tunnelID" > /var/run/l2tp-control
```

Avg. overhead (No compression)

The below diagram traces the path taken by a packet as it travels over the tunnel formed by LinVPN.
The TCP/IP/Ethernet layers add known amount of header/trailer which are trivial to find out. Hence, I will not explain them here. I will concentrate only on the overhead added by PPP and L2TP layer.

PPP protocol adds a maximum overhead of 8 bytes and a minimum of 5 bytes [The Point-to-Point Protocol (PPP), RFC1661, §2 ] [PPP in HDLC-like Framing, RFC1662, § 3.1] The PPP frame format from the RFC's is reproduced below for future reference:
(Note: Padding field is optional and our PPP implementation does not use padding)

           +----------+----------+----------+
           |   Flag   | Address  | Control  |
           | 01111110 | 11111111 | 00000011 |
           +----------+----------+----------+
           +----------+-------------+---------+
           | Protocol | Information | Padding |
           | 8/16 bits|      *      |    *    |
           +----------+-------------+---------+
           +----------+----------+
           |   FCS    |   Flag   |
           |16/32 bits| 01111110 |
           +----------+----------+

PPP uses character/byte stuffing to escape the flags characters. However, in our experiments, we make sure that the input to PPP does not have any character that will be escaped.

The L2TP protocol, strips of the flags, FCS and any stuffed bytes from the PPP frames and adds its own header. [Layer 2 Tunneling Protocol, RFC2661, § 5.3]. The format of the header can be obtained by referring to Layer 2 Tunneling Protocol, RFC2661, § 3.1, and is provided below for future reference:

  0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Tunnel ID           |           Session ID          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Ns (opt)          |             Nr (opt)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Offset Size (opt)        |    Offset pad... (opt)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

T==> Message Type(0-->data, 1-->control)
L==> Length field is present
S==> Ns and Nr fields are present.
0==> Offset size field is present
P==> Priority.

NOTE: For data channel, only (Flags + version), Tunnel ID and Session ID fields are present.

Disabling compression in PPP (the current L2tp implementation does not support compression), we conducted a series of experiments with varying application input sizes. The input data for this experiment was totally random An example of such data is shown below:
```
seq_no: 0
Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3;                             
"Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/
U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4q                   
```
This data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
The results are presented below here.

Avg. overhead (Full compression)
1. l2tp does not provide any compression routine. Hence we had to rely on only the PPP layer to provide compression. This can be aceived by commenting out the following options in /etc/ppp/options and /etc/l2tp/options.l2tp (at both client/server):
```
noccp
novj
novjccomp
nopcomp
noaccomp
```
  The results are presented here.
2. The input data for this experiment was again totally random. An example of such data is shown below:
```
seq_no: 0 
Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3;
"Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/
U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4q
```
  This data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
3. Using compression, it is not possible to estimate the amount of overhead, as the amount of compression really depends on the entropy in the data. It is entirely possible for the data on the wire to be lesser in size to the input data. For e.g. when we used an input data of size 1200 bytes (each having a value "S"), we found that the packet size on the wire was just 130 Bytes.
Inbuilt support for Routing:
1. L2tp tunnels, do not have inbuilt routing mechanisms. As a result the user has to take care of establishing routes to remote networks. This can be done in the following ways:
  - Static routes can be added after the PPP link comes up. I used this method, since the other methods failed for me.
```
route add -net network/netmask dev $interface 
```
    Although the above method is simple for small networks, it becomes exceedingly difficult to maintain such routes once your network reaches a decent size (> 5 nodes, say). Hence one should avoid using this method, unless you have a very small network.
  - Another way is to use a routing software that will set up/tear down the routes automatically. One such software to consider is Gnu Zebra with one of its components: OSPF. At the time of this writing, I could not find much documentation on how to configure zebra, and since I was not working with any complex network architectures, I preferred to use the first method. However, I do plan to include the steps to set up zebra in future.
Using Algorithm Plug-in's
1. The l2tp protocol supports basic peer authentication using CHAP. It does not provide any security (encryption, integrity or authentication) to data packets and in turn relies on the lower layers to provide these services (for e.g. ipsec can be used for this). Hence there is no question of using algorithm plug-in's.
Scalability of the solution
1. The L2tP solution for forming VPN's is highly unscalable. (This may not be true
2. I think will be used only in Road Warrior kind of scenarios.
3. For e.g. If a company has 'N' different sites, then it would be necessary to have O(N^2) point-to-point PPP-over-SSH links and each site will have to maintain an entry in the routing table for (N-1) other sites. I think a full mesh will be necessary in this case, as the complexity of maintaining any other network infrastructure will be prohibitively high.