[c-nsp] Vpdn config ?

Olivier CALVANO o.calvano at gmail.com
Fri Mar 20 03:35:50 EDT 2015


Thanks for your answer.

Ok.

vpdn multihop => I have it.
I added: vpdn authen-before-forward

Do you know if a second vpdn-group is necessary?

My RADIUS sends this to my router:

Sending Access-Accept of id 57 to 172.20.1.1 port 1645
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "172.20.2.100"
        Tunnel-Type:0 = L2TP
        Message-Authenticator = 0x00000000000000000000000000000000
        Service-Type = Outbound-User
        Tunnel-Assignment-Id:0 = "tunnel-lns"
        Tunnel-Client-Auth-Id:0 = "LAC-172-20-1-1"
        Tunnel-Server-Auth-Id:0 = "LNS-172-20-1-1"
        Tunnel-Client-Endpoint:0 = "172.20.1.1"

Is all of this correct? Because 172.20.2.100 never receives an L2TP packet from my
router 172.20.1.1.
LAC-172-20-1-1 and LNS-172-20-1-1 are on the vpdn-group that receives the
session from my supplier.

With this modification, we now have this in my router's debug:

Mar 20 07:33:12.708: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
Mar 20 07:33:12.712: VPDN uid:85 L2TUN socket session accept requested
Mar 20 07:33:12.712: VPDN uid:85 Setting up dataplane for L2-L2, no idb
Mar 20 07:33:12.900: VPDN Received L2TUN socket message <xCCN - Session Connected>
Mar 20 07:33:12.900: VPDN uid:85 VPDN session up
Mar 20 07:33:13.036: VPDN MGR: Received message, client dialin request
Mar 20 07:33:13.036: VPDN uid:85 L2TUN socket session connect requested
Mar 20 07:33:13.036: VPDN uid:85 Setting up dataplane for L2-L2, no idb
Mar 20 07:33:13.072: %VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ; Result 4, Error 0, process challenge failed
Mar 20 07:33:13.072: VPDN Received L2TUN socket message <CDN - Session Disconnected>
Mar 20 07:33:13.072: VPDN uid:85 disconnect (L2X) IETF: 9/nas-error Ascend: 48/Security Fail
Mar 20 07:33:13.072: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
Mar 20 07:33:13.076: VPDN CALL [uid:85]: Received client message client connect fail
Mar 20 07:33:13.076: VPDN uid:85 disconnect (AAA) IETF: 9/nas-error Ascend: 48/Security Fail
Mar 20 07:33:13.076: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
Mar 20 07:33:13.080: VPDN uid:85 VPDN/AAA: accounting stop sent


VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ?



regards
Olivier
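The debug quoted above ends in a tunnel authentication failure ("cannot authenticate for tunnel ... process challenge failed"), and the Access-Accept above carries no Tunnel-Password attribute. The following is an added example, not part of this thread and not Cisco code: it walks through RFC 2661 tunnel authentication with both control-connection peers simulated in-process. In RFC 2661 the check is CHAP-style: the Challenge Response AVP is MD5 over the message type, the shared secret and the challenge, where the message type is 2 for an SCCRP and 3 for an SCCCN. The peer names, secrets and the fixed challenge generator are constructed for the example; nothing is sent on the wire.

```python
"""RFC 2661 L2TP tunnel authentication, simulated end to end (added example).

Both peers of the control connection are modelled in-process. The only
cryptographic step is CHAP-style: response = MD5(ID || secret || challenge),
where ID is the Message Type of the message carrying the Challenge Response
AVP (2 for SCCRP, 3 for SCCCN). Names and secrets below are constructed.
"""
import hashlib
import hmac
import os

# Control message types (RFC 2661 section 3.2) used during tunnel setup.
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Value of the Challenge Response AVP carried in a message of msg_type."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type: int, secret: bytes, challenge: bytes, response) -> bool:
    """True when the peer proved knowledge of the shared secret.

    A missing response (peer sent no Challenge Response AVP) fails exactly
    like a wrong one; the checking side then tears the tunnel down, which is
    what a challenge failure looks like on the local debug.
    """
    if response is None:
        return False
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


class Peer:
    """One end of an L2TP control connection. secret=None models a peer
    configured without tunnel authentication: it sends no Challenge, sends
    no Challenge Response, and accepts whatever the other side sends."""

    def __init__(self, name: str, secret, rng=os.urandom):
        self.name = name
        self.secret = secret
        self.rng = rng  # constructed: injectable for deterministic tests
        self.sent_challenge = None

    def challenge(self):
        if self.secret is None:
            return None  # no Challenge AVP: this side does not require auth
        self.sent_challenge = self.rng(16)
        return self.sent_challenge

    def respond(self, msg_type: int, challenge):
        if challenge is None or self.secret is None:
            return None  # nothing to answer, or nothing to answer with
        return challenge_response(msg_type, self.secret, challenge)

    def check(self, msg_type: int, response) -> bool:
        if self.secret is None:
            return True  # this side never challenged, so nothing to verify
        return verify_response(msg_type, self.secret, self.sent_challenge, response)


def tunnel_auth(initiator: Peer, responder: Peer):
    """Run SCCRQ -> SCCRP -> SCCCN and return (sccrp_ok, scccn_ok)."""
    # SCCRQ: the initiator (the LAC that forwards the session) opens the
    # control connection and may include a Challenge AVP.
    c1 = initiator.challenge()
    # SCCRP: the responder (the LNS) answers c1 with ID=2 and challenges back.
    r1 = responder.respond(SCCRP, c1)
    c2 = responder.challenge()
    sccrp_ok = initiator.check(SCCRP, r1)
    if not sccrp_ok:
        return False, False  # initiator sends StopCCN; no SCCCN follows
    # SCCCN: the initiator answers c2 with ID=3; the responder verifies.
    r2 = initiator.respond(SCCCN, c2)
    scccn_ok = responder.check(SCCCN, r2)
    return sccrp_ok, scccn_ok


if __name__ == "__main__":
    scenarios = {
        "same secret both sides": (Peer("lac", b"s3cret"), Peer("lns", b"s3cret")),
        "secret mismatch": (Peer("lac", b"s3cret"), Peer("lns", b"other")),
        "LAC without tunnel auth, LNS requires it": (Peer("lac", None), Peer("lns", b"s3cret")),
        "neither side requires auth": (Peer("lac", None), Peer("lns", None)),
    }
    for label, (lac, lns) in scenarios.items():
        print(f"{label}: (sccrp_ok, scccn_ok) = {tunnel_auth(lac, lns)}")
```

The third scenario is the one to look at when the remote LNS reports a challenge failure: the LNS challenged, the LAC had nothing to answer with, and the LNS disconnects. If the downstream LNS requires tunnel authentication, the forwarding LAC must hold the same shared secret; on IOS that is either `l2tp tunnel password` under the vpdn-group or a Tunnel-Password attribute in the RADIUS Access-Accept.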




2015-03-20 8:01 GMT+01:00 Oliver Boehmer (oboehmer) <oboehmer at cisco.com>:

> You might need
>
> vpdn multihop
> vpdn authen-before-forward
>
> the first cmd will enable forwarding of sessions to another LNS, and the
> 2nd will allow this forwarding to be done on a per-user (as opposed to
> per-domain/realm) basis
>
>         oli
>
>
> -----Original Message-----
> From: Olivier CALVANO <o.calvano at gmail.com>
> Date: Friday, 20 March 2015 06:39
> To: CiscoNSP List <cisconsp_list at hotmail.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Vpdn config ?
>
> >Yes, based on realm, but based on RADIUS attributes, not a physical config
> >on the router.
> >
> >The tunnel destination is sent by my customer's RADIUS.
> >
> >
> >
> >On Friday, 20 March 2015, CiscoNSP List <cisconsp_list at hotmail.com>
> >wrote:
> >
> >>
> >> You want to do VPDN Multihop based on a specific domain? (i.e. forward
> >> connection requests for a specific realm to an alternate LNS (so create an
> >> L2TP tunnel))
> >>
> >>
> >> If so, I set one of these up a couple of years ago... I'll dig up the
> >> working conf if that's what you are trying to do.
> >>
> >>
> >>
> >>
> >>
> >> > Date: Fri, 20 Mar 2015 04:29:43 +0100
> >> > From: o.calvano at gmail.com
> >> > To: cisco-nsp at puck.nether.net
> >> > Subject: Re: [c-nsp] Vpdn config ?
> >> >
> >> > I have one vpdn-group only:
> >> >
> >> >
> >> > vpdn-group UserLNS
> >> >  accept-dialin
> >> >   protocol l2tp
> >> >   virtual-template 1
> >> >  terminate-from hostname LAC-172-20-1-1
> >> >  local name LNS-172-20-1-1
> >> >  lcp renegotiation always
> >> >  no l2tp tunnel authentication
> >> >  l2tp tunnel receive-window 500
> >> >  l2tp tunnel retransmit retries 7
> >> >  l2tp tunnel retransmit timeout min 2
> >> >  l2tp tunnel retransmit timeout max 7
> >> >
> >> >
> >> > interface Virtual-Template1
> >> >  description DSL User
> >> >  mtu 1460
> >> >  ip unnumbered Loopback100
> >> >  ip tcp adjust-mss 1420
> >> >  no logging event link-status
> >> >  no peer default ip address
> >> >  keepalive 20
> >> >  ppp mtu adaptive
> >> >  ppp authentication chap ppp-radius
> >> >  ppp multilink
> >> >
> >> >
> >> > It's linked with Loopback100, but I put:
> >> > Tunnel-Client-Endpoint:0 = "172.20.1.1"
> >> >
> >> > "172.20.1.1" is not the IP of Loopback100; is that a problem?
> >> >
> >> >
> >> >
> >> > Because the first tunnel (my supplier to my router) works, this
> >> > vpdn/virtual-template is good, I think.
> >> >
> >> > But for the second tunnel, my router to my customer, shouldn't there be a
> >> > second vpdn/virtual-template in "out"?
> >> >
> >> >
> >> > thanks for your help
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > 2015-03-19 10:37 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:
> >> >
> >> > > Hi
> >> > >
> >> > > I am searching for a vpdn config sample for my Cisco 7301. I want to
> >> > > forward a PPP connection to another router.
> >> > >
> >> > > My RADIUS sends a Tunnel-End-Point to my router, but it doesn't forward
> >> > > (I see the connection in sh users).
> >> > >
> >> > > thanks for your help
> >> > > olivier
> >> > >
> >> > _______________________________________________
> >> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
>
>

