[c-nsp] VPDN Multihop on domain
Geyer, Nikolas
nikolas.geyer at cybertrust.com
Wed Apr 26 22:04:23 EDT 2006
Had this problem before: we were accepting L2TP connections from our
wholesale provider and wanted to multihop certain domains to a client of
ours who had their own LNS. The problem (and Cisco documentation
suggests this as well) is you cannot serve as both a LAC and LNS. You
are receiving L2TP sessions from a LAC and therefore your router will
act as an LNS and terminate all connections locally. Once the connection
enters a vpdn group (in this case the group accepting connections from
your provider) it will stop searching vpdn groups and never see that you
want to forward it off somewhere else.
You can get around this using radius attributes (which are searched
before vpdn groups on an incoming connection). This is how we set it up.
For the @external.com domain, we used the customer's RADIUS server instead of
ours, which also included VPDN attributes for each user; these would then
initiate a VPDN connection from our router to their LNS.
Hope that makes sense, it's a pain in the ass, but to my knowledge it's
the only way to get what you want to work.
Nik
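One concrete shape for the RADIUS-driven forwarding Nik describes, added here as an illustration and not taken from either post or from Cisco's own documentation: it assumes FreeRADIUS users-file syntax, the RFC 2868 tunnel attributes that IOS accepts for VPDN tunnel definitions, and the test LNS address and tunnel names from Steve's config.

```text
! --- IOS side (assumed minimal AAA; RADIUS host and key are placeholders) ---
! Network authorization is what lets VPDN pull a tunnel definition from
! RADIUS; with "vpdn search-order domain" the domain profile is consulted
! before any vpdn-group, which is why the forwarding wins over local termination.
aaa new-model
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SECRET>
vpdn enable
vpdn multihop
vpdn search-order domain
vpdn domain-delimiter @ suffix

# --- FreeRADIUS "users" entry (constructed) ---
# For a domain lookup IOS sends an Access-Request whose User-Name is the
# bare domain ("dsltest.example.com") with the fixed password "cisco", so
# the profile is keyed on the domain, not on an individual subscriber.
# Service-Type Outbound marks this as a tunnel definition, not a user login.
dsltest.example.com  Cleartext-Password := "cisco"
        Service-Type = Outbound-User,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "10.0.0.1",
        Tunnel-Client-Auth-ID = "testlac1",
        Tunnel-Password = "TowardTestLNS1"
```

Because the domain-lookup password is a fixed, well-known value, the profile should be reachable only from the router's NAS address and the RADIUS shared secret kept strong; the tunnel password returned here is the same secret configured on the customer's LNS.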
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright
Sent: Thursday, 27 April 2006 10:58 AM
To: Cisco-Nsp
Subject: [c-nsp] VPDN Multihop on domain
Hi all,
I'm just trying to get VPDN multihop working for a particular project,
however, for some reason, the LAC/LNS terminates as opposed to
forwarding the sessions associated with the domain...
Can anyone see anything obviously wrong in the below config of the VPDN
stuff? I've compared it to the Cisco docs that I can find, and it seems
like I do everything they say, just that the sessions get terminated
locally, as opposed to an L2TP session forming to our test LNS box, and
the session being terminated there :(
vpdn enable
vpdn multihop
vpdn logging
vpdn logging local
vpdn logging user
vpdn session-limit 8000
vpdn ip udp ignore checksum
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group testdsl
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac
 local name lns
 lcp renegotiation always
 l2tp tunnel password 0 1234
 l2tp tunnel receive-window 500
 l2tp tunnel retransmit retries 7
 l2tp tunnel retransmit timeout min 2
 l2tp tunnel retransmit timeout max 4
!
vpdn-group testlns1
 request-dialin
  protocol l2tp
  domain dsltest.example.com
 initiate-to ip 10.0.0.1
 local name testlac1
 l2tp tunnel password 0 TowardTestLNS1
!
pppoe-forwarding
Thanks for any help that anyone can provide :)
Steve
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/