LinuxCommandLibrary

ip-l2tp

Manage L2TP tunnels and sessions

SYNOPSIS

ip l2tp { add | del | show | lookup } [ tunnel | session ] [ OPTIONS ]

PARAMETERS

remote <IPADDR>
    Remote peer IPv4/IPv6 address for tunnel endpoint

local <IPADDR>
    Local source IPv4/IPv6 address

tunnel_id <ID>
    Local tunnel identifier (0-4294967295)

peer_tunnel_id <ID>
    Remote peer's tunnel identifier

udp_sport <PORT>
    Local UDP source port (default auto)

udp_dport <PORT>
    Remote UDP destination port (default 1701)

encap { udp | ip }
    Encapsulation type: UDP or raw IP

cookie <HEXSTR>
    Local cookie as a hex string: 4 bytes (8 hex digits) or 8 bytes (16 hex digits)

peer_cookie <HEXSTR>
    Remote peer's cookie

counter
    Enable packet sequence counter in L2TP header

ordering
    Enable strict packet ordering

rexmit
    Enable packet retransmission

session_id <ID>
    Local session identifier

peer_session_id <ID>
    Remote peer's session identifier

name <NAME>
    Name for the virtual Ethernet interface

offset <N>
    Offset to L2 payload from session start

peer_offset <N>
    Remote peer's L2 payload offset

l2spec_type ethernet
    Layer 2 specific type (Ethernet pseudowire)

csum { add | strip }
    Add or strip L2 checksums

seq { add | strip }
    Add or strip sequence numbers

DESCRIPTION

ip l2tp is a Linux command from the iproute2 suite for creating, deleting, displaying, and looking up L2TPv3 (Layer 2 Tunneling Protocol version 3) tunnels and sessions. L2TPv3 tunnels Layer 2 frames, like Ethernet, over IP networks, enabling pseudowires for transparent bridging across IP infrastructures, often in service provider or enterprise VPN setups.

Tunnels establish point-to-point connections between peers using unique tunnel IDs. Sessions within tunnels carry specific L2 circuits, mapped to virtual Ethernet interfaces. The command supports UDP encapsulation (port 1701 by default) or raw IP, with optional cookies for demux, sequencing, checksums, and retransmits.

Requires root privileges (CAP_NET_ADMIN) and kernel modules: l2tp_core, l2tp_ip, l2tp_eth. Interfaces created appear as ethX-like devices, configurable via ip link for MTU, MAC, etc. Common for metro Ethernet emulation or remote LAN extension.

No built-in encryption; pair with IPsec. Kernel config needs CONFIG_L2TP_V3 and Ethernet pseudowire support.

CAVEATS

Requires kernel 2.6.23+ with L2TPv3 enabled; no encryption (use IPsec); UDP NAT traversal limited; sessions auto-up on tunnel add but need manual ifname config.

KERNEL MODULES

modprobe -a l2tp_core l2tp_ip l2tp_eth is required for operation (-a loads every module named on the command line).
Check with lsmod | grep l2tp.

BASIC EXAMPLE

ip l2tp add tunnel remote 192.0.2.1 local 192.0.2.2 tunnel_id 1 peer_tunnel_id 1 encap udp udp_sport 1701 udp_dport 1701
ip l2tp add session name l2tpeth0 tunnel_id 1 session_id 1 peer_session_id 1
ip link set l2tpeth0 up
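
The basic example configures one side only. The script below is an added example, not taken from this page or from the iproute2 documentation: it prints the mirrored command sets for both peers with an 8-byte session cookie per direction, and runs nothing against the kernel. It uses the name and hex-string cookie/peer_cookie keywords from ip-l2tp(8); the addresses, IDs, port choice and function names are constructed. A cookie only lets the receiver drop frames that do not carry the expected value, so IPsec is still needed for confidentiality.

```shell
#!/bin/sh
# Added example: dry-run generator for a mirrored L2TPv3 pseudowire config.
# The functions only print ip l2tp commands for review; nothing is applied.
# Addresses, tunnel/session IDs and UDP ports are constructed sample values.

# new_cookie: 8 random bytes rendered as 16 hex digits (8-byte cookie form).
new_cookie() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_cookie HEX: accept only 8 or 16 hex digits (4- or 8-byte cookie).
valid_cookie() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 8 ] || [ "${#1}" -eq 16 ]
}

# peer_cmds LOCAL REMOTE TID PTID SID PSID COOKIE PEER_COOKIE IFNAME
# Prints the commands one peer would run. COOKIE is what this side expects
# to receive; PEER_COOKIE is what it places in the frames it sends.
peer_cmds() {
    valid_cookie "$7" && valid_cookie "$8" || {
        echo "cookie must be 8 or 16 hex digits" >&2
        return 1
    }
    printf 'ip l2tp add tunnel remote %s local %s tunnel_id %s peer_tunnel_id %s encap udp udp_sport 1701 udp_dport 1701\n' \
        "$2" "$1" "$3" "$4"
    printf 'ip l2tp add session name %s tunnel_id %s session_id %s peer_session_id %s cookie %s peer_cookie %s\n' \
        "$9" "$3" "$5" "$6" "$7" "$8"
    printf 'ip link set %s up\n' "$9"
}

# both_peers A_COOKIE B_COOKIE: site B is site A with every local/peer
# pair swapped (addresses, tunnel IDs, session IDs and cookies).
both_peers() {
    echo "# site A (192.0.2.2)"
    peer_cmds 192.0.2.2 192.0.2.1 1 2 10 20 "$1" "$2" l2tpeth0 || return 1
    echo "# site B (192.0.2.1)"
    peer_cmds 192.0.2.1 192.0.2.2 2 1 20 10 "$2" "$1" l2tpeth0
}

both_peers "$(new_cookie)" "$(new_cookie)"
```

Keep the generated cookies out of shell history and world-readable files; anyone who can read them can craft frames the session will accept.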

HISTORY

Added to iproute2 around 2007 with Linux kernel 2.6.23 L2TPv3 support (James Chapman); enhanced in later kernels for UDP encap, cookies, Ethernet pseudowires.

SEE ALSO

ip(8), ip-link(8), ip-tunnel(8), bridge(8)
