[c-nsp] Problems with multiple VPDN hops

Steve McCrory SteveMc at netservicesplc.com
Thu Apr 23 15:03:13 EDT 2009


We have ADSL tails coming into our network from several BT L2TP tunnels
terminating on Cisco LNS routers (7301s).

We normally either terminate the sessions locally on our first LNS
routers or forward the sessions, using Radius attributes, to other LNS
routers (ours or our wholesale customers').

What we would like to achieve is to take the L2TP tunnels from BT and
forward them twice across our network as such:

End User<--pppoa-->BT<--L2TP-->LNS1<--L2TP-->LNS2<--L2TP-->LNS3

As mentioned above, we normally terminate users on LNS1 and assign IP
addresses, or forward the sessions to LNS2. We would like to establish
an additional tunnel to LNS3 but so far have found this difficult and
the sessions seem to stall, in a sort of half-authenticated state, on
LNS2.

We are using Radius to apply the forwarding rules, which we have
configured as follows:

# First hop from LNS1 to LNS2
DEFAULT         NAS-IP-Address !~ "\^213\.130\.147\.56\$", User-Name =~ "-shapetest at work\$", Auth-Type := Accept
        Framed-Protocol = PPP,
        Service-Type    = Framed-User,
        Tunnel-Type := "L2TP",
        Tunnel-Medium-Type := "IP",
        Tunnel-Client-Auth-ID := "brantest",
        Tunnel-Server-Endpoint := "213.130.147.56",
        Tunnel-Password := "oNi6egXZ"

# Second hop forwards from LNS2 to LNS3
DEFAULT         NAS-IP-Address =~ "\^213\.130\.147\.56\$", User-Name =~ "-shapetest at work\$", Auth-Type := Accept
      Framed-Protocol = PPP,
      Service-Type    = Framed-User,
      Tunnel-Type := "L2TP",
      Tunnel-Medium-Type := "IP",
      Tunnel-Client-Auth-ID := "netservint",
      Tunnel-Server-Endpoint := "213.130.145.50",
      Tunnel-Password := "oNi6egXZ"

We also have the following vpdn groups configured on our LNS routers:

LNS2:

vpdn-group test1
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname test1
 source-ip 213.130.147.56
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 XXXXXXXXXX
 l2tp tunnel receive-window 10

LNS3:

vpdn-group test2
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname test2
 source-ip 213.130.145.50
 lcp renegotiation always
 l2tp tunnel password 7 XXXXXXXXX
 l2tp tunnel receive-window 10

What I'd like to know is if it's possible to use radius to essentially
switch packets from one L2TP tunnel into another when they reach LNS2.

We know that the VPDN and Radius configuration are correct on LNS2
because we can successfully terminate sessions on this router and assign
IP addresses.

Thanks

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ

www.netservicesplc.com <http://www.netservicesplc.com>

--------
NetServices plc, Company No. 4178393,
Registered Office: NetServices House, 31 Modwen Road,
Waters Edge Business Park, SALFORD, M5 3EZ
--------

