[c-nsp] Vpdn config ?

Olivier CALVANO o.calvano at gmail.com
Fri Mar 20 04:05:42 EDT 2015


Is a tunnel-password obligatory?
Sent by the RADIUS?

Because with my supplier we don't have a tunnel-password.

I can't test now, but it's a track I'll watch.

Regards
Olivier

On Friday 20 March 2015, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> My vpdn knowledge is a bit rusty, but you're definitely missing a
> "Tunnel-Password" for authentication with the remote LNS. You don't need a
> 2nd vpdn-group for this.
>
> oli
>
> From: Olivier CALVANO <o.calvano at gmail.com>
> Date: Friday, 20 March 2015 08:35
> To: Oliver Boehmer <oboehmer at cisco.com>
> Cc: CiscoNSP List <cisconsp_list at hotmail.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Vpdn config ?
>
> Thanks for your answer.
>
> Ok
>
> vpdn multihop => I have it
> I added: vpdn authen-before-forward
>
> Do you know if a second vpdn group is necessary?
>
> My radius sent to my router:
>
> Sending Access-Accept of id 57 to 172.20.1.1 port 1645
>         Tunnel-Medium-Type:0 = IPv4
>         Tunnel-Server-Endpoint:0 = "172.20.2.100"
>         Tunnel-Type:0 = L2TP
>         Message-Authenticator = 0x00000000000000000000000000000000
>         Service-Type = Outbound-User
>         Tunnel-Assignment-Id:0 = "tunnel-lns"
>         Tunnel-Client-Auth-Id:0 = "LAC-172-20-1-1"
>         Tunnel-Server-Auth-Id:0 = "LNS-172-20-1-1"
>         Tunnel-Client-Endpoint:0 = "172.20.1.1"
>
> Is all correct? Because 172.20.2.100 never receives an L2TP packet from
> my router 172.20.1.1.
> LAC-172-20-1-1 and LNS-172-20-1-1 are on the vpdn-group that receives the
> session from my supplier.
>
> With this modification, we now have on my router debug:
>
> Mar 20 07:33:12.708: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
> Mar 20 07:33:12.712: VPDN uid:85 L2TUN socket session accept requested
> Mar 20 07:33:12.712: VPDN uid:85 Setting up dataplane for L2-L2, no idb
> Mar 20 07:33:12.900: VPDN Received L2TUN socket message <xCCN - Session Connected>
> Mar 20 07:33:12.900: VPDN uid:85 VPDN session up
> Mar 20 07:33:13.036: VPDN MGR: Received message, client dialin request
> Mar 20 07:33:13.036: VPDN uid:85 L2TUN socket session connect requested
> Mar 20 07:33:13.036: VPDN uid:85 Setting up dataplane for L2-L2, no idb
> Mar 20 07:33:13.072: %VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ; Result 4, Error 0, process challenge failed
> Mar 20 07:33:13.072: VPDN Received L2TUN socket message <CDN - Session Disconnected>
> Mar 20 07:33:13.072: VPDN uid:85 disconnect (L2X) IETF: 9/nas-error Ascend: 48/Security Fail
> Mar 20 07:33:13.072: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
> Mar 20 07:33:13.076: VPDN CALL [uid:85]: Received client message client connect fail
> Mar 20 07:33:13.076: VPDN uid:85 disconnect (AAA) IETF: 9/nas-error Ascend: 48/Security Fail
> Mar 20 07:33:13.076: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
> Mar 20 07:33:13.080: VPDN uid:85 VPDN/AAA: accounting stop sent
>
>
> VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ?
>
> Regards
> Olivier
>
>
> 2015-03-20 8:01 GMT+01:00 Oliver Boehmer (oboehmer) <oboehmer at cisco.com>:
>
>> You might need
>>
>> vpdn multihop
>> vpdn authen-before-forward
>>
>> the first cmd will enable forwarding of sessions to another LNS, and the
>> 2nd will allow this forwarding to be done on a per-user (as opposed to
>> per-domain/realm) basis
>>
>>         oli
>>
>>
>> -----Original Message-----
>> From: Olivier CALVANO <o.calvano at gmail.com>
>> Date: Friday, 20 March 2015 06:39
>> To: CiscoNSP List <cisconsp_list at hotmail.com>
>> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
>> Subject: Re: [c-nsp] Vpdn config ?
>>
>> >Yes, based on realm, but based on RADIUS attributes, not a physical config
>> >on the router.
>> >
>> >The tunnel destination is sent by the RADIUS of my customer.
>> >
>> >On Friday 20 March 2015, CiscoNSP List <cisconsp_list at hotmail.com> wrote:
>> >
>> >>
>> >> You want to do VPDN Multihop based on a specific domain? (i.e. forward
>> >> connection requests for a specific realm to an alternate LNS (so create an
>> >> L2TP tunnel))
>> >>
>> >> If so, I set one of these up a couple of years ago....I'll dig up the
>> >> working conf if that's what you are trying to do.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> > Date: Fri, 20 Mar 2015 04:29:43 +0100
>> >> > From: o.calvano at gmail.com
>> >> > To: cisco-nsp at puck.nether.net
>> >> > Subject: Re: [c-nsp] Vpdn config ?
>> >> >
>> >> > i have one vpdn-group only:
>> >> >
>> >> >
>> >> > vpdn-group UserLNS
>> >> > accept-dialin
>> >> > protocol l2tp
>> >> > virtual-template 1
>> >> > terminate-from hostname LAC-172-20-1-1
>> >> > local name LNS-172-20-1-1
>> >> > lcp renegotiation always
>> >> > no l2tp tunnel authentication
>> >> > l2tp tunnel receive-window 500
>> >> > l2tp tunnel retransmit retries 7
>> >> > l2tp tunnel retransmit timeout min 2
>> >> > l2tp tunnel retransmit timeout max 7
>> >> >
>> >> >
>> >> > interface Virtual-Template1
>> >> > description DSL User
>> >> > mtu 1460
>> >> > ip unnumbered Loopback100
>> >> > ip tcp adjust-mss 1420
>> >> > no logging event link-status
>> >> > no peer default ip address
>> >> > keepalive 20
>> >> > ppp mtu adaptive
>> >> > ppp authentication chap ppp-radius
>> >> > ppp multilink
>> >> >
>> >> >
>> >> > It's linked with the loopback100 but I put:
>> >> > Tunnel-Client-Endpoint:0 = "172.20.1.1"
>> >> >
>> >> > "172.20.1.1" is not the IP of Loopback100; is it a problem?
>> >> >
>> >> > Because the first tunnel (my supplier to my router) works, this
>> >> > vpdn/virtual-template is good, I think.
>> >> >
>> >> > But for the second tunnel, my router to my customer, shouldn't there be a
>> >> > second vpdn/virtual-template in "out"?
>> >> >
>> >> >
>> >> > thanks for your help
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > 2015-03-19 10:37 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:
>> >> >
>> >> > > Hi
>> >> > >
>> >> > > I am searching for a vpdn config sample for my Cisco 7301. I want to
>> >> > > forward a PPP connection to another router.
>> >> > >
>> >> > > My RADIUS sends my router a Tunnel-End-Point but it doesn't forward (I
>> >> > > see the connection in sh users).
>> >> > >
>> >> > > thanks for your help
>> >> > > olivier
>> >> > >
>> >> > _______________________________________________
>> >> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> >> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>
>>
>>
>
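The failure Oliver Boehmer points at (no Tunnel-Password, so the forwarding router cannot answer the remote LNS's tunnel challenge), as an added Python example that is not from the thread: it parses the Access-Accept attribute lines quoted above, reports which tunnel attributes the LAC still needs, and recomputes the RFC 2661 tunnel challenge-response to show that the LNS's check only passes when both ends derive it from the same secret. The attribute list is a constructed copy of the one in the thread; the secrets and challenge bytes are made up.

```python
import hashlib
import re

# Constructed sample, modelled on the Access-Accept quoted in the thread:
# endpoint and auth IDs are present, Tunnel-Password is not.
ACCESS_ACCEPT = """\
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "172.20.2.100"
        Tunnel-Type:0 = L2TP
        Service-Type = Outbound-User
        Tunnel-Assignment-Id:0 = "tunnel-lns"
        Tunnel-Client-Auth-Id:0 = "LAC-172-20-1-1"
        Tunnel-Server-Auth-Id:0 = "LNS-172-20-1-1"
        Tunnel-Client-Endpoint:0 = "172.20.1.1"
"""

# attribute name, optional ":tag", "=", value with or without quotes
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::(\d+))?\s*=\s*"?([^"]*?)"?\s*$')

def parse_attrs(text):
    """Map (attribute name, tag) -> value; tag is None for untagged attrs."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[(name, int(tag) if tag is not None else None)] = value
    return attrs

# What the LAC needs to build and authenticate the forwarded L2TP tunnel.
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type",
            "Tunnel-Server-Endpoint", "Tunnel-Password")

def missing_tunnel_attrs(attrs, tag=0):
    return [name for name in REQUIRED if (name, tag) not in attrs]

# RFC 2661 5.1.1 tunnel authentication: response = MD5(message type as one
# octet || shared secret || challenge). SCCRP (type 2) answers the SCCRQ
# challenge, SCCCN (type 3) answers the SCCRP challenge.
SCCRP, SCCCN = 2, 3

def challenge_response(msg_type, secret, challenge):
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def lns_verifies(msg_type, challenge, peer_response, lns_secret):
    """The verifying end recomputes the response with its own secret."""
    return peer_response == challenge_response(msg_type, lns_secret, challenge)

if __name__ == "__main__":
    print("missing:", missing_tunnel_attrs(parse_attrs(ACCESS_ACCEPT)))
```

In a real Access-Accept the Tunnel-Password value travels salt-encrypted under the RADIUS shared secret (RFC 2868), so only the NAS ends up holding the plaintext that the L2TP challenge computation needs.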

