[c-nsp] VPDN Multihop
Skeeve Stevens
skeeve at skeeve.org
Tue Feb 17 05:53:03 EST 2009
This is a global variable and will result in all services requiring auth
before being forwarded... if they have any VPDN groups which auto forward,
it will break them all.
...Skeeve
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Tuesday, 17 February 2009 4:17 PM
To: Kurt Bales
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPDN Multihop
Try it with "vpdn authen-before-forward"
Ben
On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales <kwbales at kwbales.net> wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make
> it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers.
>
> We have an LNS which is currently setup to switch these sessions to
> downstream channel partners based on match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like
> to select a destination (either locally terminated or
> switched-to-channel-partner) on a per-account basis. These currently
> are switched to us on a per-account basis by our upstream provider
> doing per-account authentication and A/V pairs to forward the
> sessions. Their A/V pairs are setting a tunnel-id for these.
>
>
> Our thought was to leverage the "multihop-hostname" command under a
> request-dialin configured VPDN-group.
>
> The documentation on CCO seems to imply that it can be used to match
> against a VPDN tunnel-id, but we could not get that to work.
>
> "multihop-hostname
>
> To enable a tunnel switch to initiate a tunnel based on the hostname
> or tunnel ID associated with an ingress tunnel, use the
> multihop-hostname command in VPDN request-dialin subgroup
> configuration mode. To disable this option, use the no form of this
> command."
>
> We tried configuring up a vpdn-group with a multihop
> hostname/initiate-to/local name/l2tp tunnel password, surely that
> would be enough to correctly match and therefore switch the session
> across to the downstream LNS?
>
> Unfortunately we could not get it to work. The error coming back was
> complaining that it could not assign a virtual-template to the
> session, which would seem to imply an attempt to terminate the session
> locally:
>
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
> Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
> Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
> Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
> Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
> Feb 17 12:14:18: L2TP _____:06839:000070B5:
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Shutting down session
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Result Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Call disconnected, refer to error msg (2)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Error Code
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Insufficient resources (4)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Vendor Error
> Feb 17 12:14:18: L2TP _____:06839:000070B5: None (0)
> Feb 17 12:14:18: L2TP _____:06839:000070B5: Optional Message
> Feb 17 12:14:18: L2TP _____:06839:000070B5: "No virtual-template specified"
> Feb 17 12:14:18: L2TP _____:06839:000070B5:
>
>
>
> vpdn enable
> vpdn multihop
> vpdn aaa attribute nas-port vpdn-nas
> vpdn redirect
> vpdn logging
> vpdn logging local
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn session-limit 2048
> vpdn search-order multihop-hostname domain
> vpdn domain-delimiter @ suffix
> vpdn domain-delimiter / prefix
> !
> vpdn-group customer3
>  request-dialin
>   protocol l2tp
>   multihop hostname <tunnel-name>
>  initiate-to ip <downstream LNS IP> priority 1
>  local name <my hostname>
>  l2tp tunnel password 0 <mumble>
> !
>
>
>
>
> Any thoughts/suggestions?
>
>
> Regards,
>
> Kurt Bales
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
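Added example from the editor, not part of the thread above: the two places IOS lets you ask for authentication before forwarding. Ben's "vpdn authen-before-forward" is the global form, and Skeeve's objection is that it applies to every request-dialin group on the box. The same behaviour is also available per group ("authen-before-forward" under "vpdn-group"), which limits it to the one group Kurt is building and leaves the domain-matched auto-forwarding groups alone. The second partner group, the realm "partner-a.example" and everything in angle brackets are placeholders assumed for illustration, and the keyword spelling depends on the IOS release (older releases spelled it "authen before-forward"); nothing in the thread confirms either for Kurt's platform.

```cisco
! --- Variant A: the global knob Ben suggested ---
! Every request-dialin VPDN group on this router now waits for full AAA
! authentication of the username before it forwards the session. Groups
! that forward on a domain match alone are affected too, which is the
! breakage Skeeve describes.
vpdn enable
vpdn multihop
vpdn authen-before-forward
vpdn search-order multihop-hostname domain
!
! --- Variant B: the same behaviour scoped to one group ---
! Only sessions that select the group "customer3" are authenticated
! before the forwarding decision; "channel-partner-a" keeps forwarding
! on its domain match exactly as before. Names in angle brackets and
! the realm partner-a.example are placeholders, not values from the thread.
vpdn enable
vpdn multihop
vpdn search-order multihop-hostname domain
!
vpdn-group channel-partner-a
 ! existing domain-based auto-forwarding, untouched by Variant B
 request-dialin
  protocol l2tp
  domain partner-a.example
 initiate-to ip <partner A LNS IP>
 local name <my hostname>
 l2tp tunnel password 0 <partner A tunnel password>
!
vpdn-group customer3
 request-dialin
  protocol l2tp
  multihop hostname <ingress tunnel hostname or tunnel-id>
 ! request authentication of the complete username before this group
 ! makes its forwarding decision; applies to this group only
 authen-before-forward
 initiate-to ip <downstream LNS IP> priority 1
 local name <my hostname>
 l2tp tunnel password 0 <mumble>
!
```

Before turning either variant on, check which groups currently forward without authentication ("show running-config | section vpdn-group" and "show vpdn tunnel"), since Variant A changes the behaviour of all of them at once.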