[c-nsp] L2TP arriving inside a VRF?
Pshem Kowalczyk
pshem.k at gmail.com
Sat May 10 17:34:45 EDT 2008
Hi,
2008/5/11 Nathan <have.an.email at gmail.com>:
> Hi,
>
> I have PPP over L2TP arriving on a router on a dedicated interface,
> and radius tells the router in which VRF to place the PPP connection;
> so far so good.
>
> I would like to have the network on which the L2TP connections arrive
> placed into a VRF. The IP address that the L2TP sessions are
> established with would be in a VRF. Of course the PPP connections must
> still arrive in the same VRF as before. Radius requests could be made
> using the global table or in the L2TP vrf, it doesn't matter to me.
>
> The reason for this is that the L2TP tunnels are coming from a network
> that should not be accessed by my clients, and by very few of my
> routers, I'd prefer to keep it apart.
>
> On a hunch I tried setting a "vpn vrf XXXX" in the vpdn group, but it
> doesn't seem to be that simple.
>
> Is this easily done / well tested / well supported enough to be used
> in production?
We have a slightly different setup, but it might be of some help to you.
Our L2TP arrives in a vrf and then another L2TP tunnel is established
with another device on our network (also into a vrf).
I believe you can decapsulate the PPP the same way, just by changing
the radius response to simply accept the user (without specifying the
tunnel parameters).
We use a 7301 for that, IOS 12.4(16). Radius sits in a vrf.
aaa authorization network default group radiusProxy
! RADIUS servers are reached through the ExternalL2TP vrf, sourced from Loopback2
aaa group server radius radiusProxy
 server-private 10.173.15.7 auth-port 1812 acct-port 1813 key 7 xxx
 server-private 10.173.15.8 auth-port 1812 acct-port 1813 key 7 xxx
 ip vrf forwarding ExternalL2TP
 ip radius source-interface Loopback2
!
vpdn enable
vpdn multihop
vpdn search-order multihop-hostname
!
! Inbound tunnel terminates in the ExternalL2TP vrf
vpdn-group TCNZ
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
 vpn vrf ExternalL2TP
 local-name akl-mdr-lts1
 lcp renegotiation always
 l2tp tunnel hello 300
 l2tp tunnel password 0 xxx
 l2tp tunnel timeout no-session 1800
 l2tp tunnel retransmit retries 7
 l2tp tunnel retransmit timeout min 2
 l2tp tunnel retransmit timeout max 5
and our standard radius response (freeradius syntax):
DEFAULT Service-Type == Outbound-User, User-Name =~ "^host:", NAS-Identifier =~ "^akl-mdr-lts1", Auth-Type := Accept
        Cisco-AVPair += "vpdn:ip-addresses=10.173.255.93/10.173.255.92",
        Cisco-AVPair += "vpdn:tunnel-type=l2tp",
        Cisco-AVPair += "vpdn:vpn-vrf=InternalL2TP",
        Cisco-AVPair += "vpdn:l2tp-tunnel-password=xxxx"
kind regards
Pshem
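As an added check on the setup above (example code written for this archive page, not from the post, Cisco or FreeRADIUS): a small Python parser that pulls the vrf placement out of the `aaa group server radius` and `vpdn-group` blocks, so you can confirm the tunnel endpoint and the RADIUS path really sit in the intended vrf, and that lists secrets stored as type 0 or type 7, which are recoverable from any copy of the config. The sample config is reconstructed from the post with placeholder secrets.

```python
import re
# Constructed sample: the IOS fragment from the post above, indented as
# 'show run' prints it, with the secrets replaced by placeholders.
SAMPLE = """\
aaa group server radius radiusProxy
 server-private 10.173.15.7 auth-port 1812 acct-port 1813 key 7 xxx
 server-private 10.173.15.8 auth-port 1812 acct-port 1813 key 7 xxx
 ip vrf forwarding ExternalL2TP
vpdn multihop
vpdn-group TCNZ
 accept-dialin
  protocol l2tp
 vpn vrf ExternalL2TP
 l2tp tunnel password 0 xxx
"""

# Type 0 (cleartext) and type 7 (reversible) secrets are readable by anyone holding the config.
WEAK_SECRET = re.compile(r"\b(?:key|password) [07] \S+")

def parse_ios(text):
    """Extract 'aaa group server radius' and 'vpdn-group' blocks; an
    unindented line ends the open block, as in IOS 'show run' output."""
    aaa, vpdn, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):               # top-level command
            cur = None
            m = re.match(r"aaa group server radius (\S+)$", line)
            if m:
                cur = aaa.setdefault(m.group(1), {"vrf": None, "servers": []})
            m = re.match(r"vpdn-group (\S+)$", line)
            if m:
                cur = vpdn.setdefault(m.group(1), {"vrf": None, "protocol": None})
            continue
        if cur is None:                           # sub-command of an ignored block
            continue
        words = line.split()
        if words[0] == "server-private":
            cur["servers"].append(words[1])
        elif line.startswith(("ip vrf forwarding ", "vpn vrf ")):
            cur["vrf"] = words[-1]                # vrf the servers / tunnel live in
        elif words[0] == "protocol":
            cur["protocol"] = words[1]
    return {"aaa_groups": aaa, "vpdn_groups": vpdn}

def weak_secrets(text):
    """Config lines whose secret is recoverable from the config text itself."""
    return [ln.strip() for ln in text.splitlines() if WEAK_SECRET.search(ln)]
```

Run `parse_ios` over a real `show run` and compare the `vrf` of each vpdn-group with the `vrf` of the radius group it authorizes against; a mismatch is fine only if you intended RADIUS to go via the global table.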