[c-nsp] Vpdn config ?

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Mar 20 04:17:01 EDT 2015


If you don't want tunnel authentication, you would need to include

Cisco-avpair = "vpdn:l2tp-tunnel-authen=no"

in the radius response.. not sure if there is an IETF attribute for this..

From: Olivier CALVANO <o.calvano at gmail.com>
Date: Friday, 20 March 2015 09:05
To: Oliver Boehmer <oboehmer at cisco.com>
Cc: CiscoNSP List <cisconsp_list at hotmail.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: Vpdn config ?

Is a tunnel-password obligatory?
Sent by the RADIUS?

Because with my supplier we don't have a tunnel-password.

I can't test now, but it's a track I'll watch.

Regards
Olivier

On Friday 20 March 2015, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
My vpdn knowledge is a bit rusty, but you're definitely missing a "Tunnel-Password" for authentication with the remote LNS. You don't need a 2nd vpdn-group for this.

oli

From: Olivier CALVANO <o.calvano at gmail.com>
Date: Friday, 20 March 2015 08:35
To: Oliver Boehmer <oboehmer at cisco.com>
Cc: CiscoNSP List <cisconsp_list at hotmail.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Vpdn config ?

Thanks for your answer,

Ok

vpdn multihop => I have
I added: vpdn authen-before-forward

Do you know if a second vpdn group is necessary?

My RADIUS sent this to my router:

Sending Access-Accept of id 57 to 172.20.1.1 port 1645
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "172.20.2.100"
        Tunnel-Type:0 = L2TP
        Message-Authenticator = 0x00000000000000000000000000000000
        Service-Type = Outbound-User
        Tunnel-Assignment-Id:0 = "tunnel-lns"
        Tunnel-Client-Auth-Id:0 = "LAC-172-20-1-1"
        Tunnel-Server-Auth-Id:0 = "LNS-172-20-1-1"
        Tunnel-Client-Endpoint:0 = "172.20.1.1"

Is all of this correct? Because 172.20.2.100 never receives an L2TP packet from my router 172.20.1.1.
LAC-172-20-1-1 and LNS-172-20-1-1 are on the vpdn-group that receives the session from my supplier.

With this modification, we now have in my router debug:

Mar 20 07:33:12.708: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
Mar 20 07:33:12.712: VPDN uid:85 L2TUN socket session accept requested
Mar 20 07:33:12.712: VPDN uid:85 Setting up dataplane for L2-L2, no idb
Mar 20 07:33:12.900: VPDN Received L2TUN socket message <xCCN - Session Connected>
Mar 20 07:33:12.900: VPDN uid:85 VPDN session up
Mar 20 07:33:13.036: VPDN MGR: Received message, client dialin request
Mar 20 07:33:13.036: VPDN uid:85 L2TUN socket session connect requested
Mar 20 07:33:13.036: VPDN uid:85 Setting up dataplane for L2-L2, no idb
Mar 20 07:33:13.072: %VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ; Result 4, Error 0, process challenge failed
Mar 20 07:33:13.072: VPDN Received L2TUN socket message <CDN - Session Disconnected>
Mar 20 07:33:13.072: VPDN uid:85 disconnect (L2X) IETF: 9/nas-error Ascend: 48/Security Fail
Mar 20 07:33:13.072: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
Mar 20 07:33:13.076: VPDN CALL [uid:85]: Received client message client connect fail
Mar 20 07:33:13.076: VPDN uid:85 disconnect (AAA) IETF: 9/nas-error Ascend: 48/Security Fail
Mar 20 07:33:13.076: VPDN uid:85 vpdn shutdown session, result=101, error=0, vendor_err=0, syslog_error_code=3, syslog_key_type=0
Mar 20 07:33:13.080: VPDN uid:85 VPDN/AAA: accounting stop sent


VPDN-6-AUTHENERR: L2TP LNS-172-20-1-1 cannot authenticate for  tunnel ?



regards
Olivier




2015-03-20 8:01 GMT+01:00 Oliver Boehmer (oboehmer) <oboehmer at cisco.com>:
You might need

vpdn multihop
vpdn authen-before-forward

the first cmd will enable forwarding of sessions to another LNS, and the
2nd will allow this forwarding to be done on a per-user (as opposed to
per-domain/realm) basis

        oli


-----Original Message-----
From: Olivier CALVANO <o.calvano at gmail.com>
Date: Friday, 20 March 2015 06:39
To: CiscoNSP List <cisconsp_list at hotmail.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Vpdn config ?

>Yes, based on realm, but based on RADIUS attributes, not a physical config
>on the router.
>
>The tunnel destination is sent by the RADIUS of my customer.
>
>
>
>On Friday 20 March 2015, CiscoNSP List <cisconsp_list at hotmail.com> wrote:
>
>>
>> You want to do VPDN Multihop based on a specific domain? (i.e. forward
>> connection requests for a specific realm to an alternate LNS (so create an
>> L2TP tunnel))
>>
>>
>> If so, I set one of these up a couple of years ago.... I'll dig up the
>> working conf if that's what you are trying to do.
>>
>>
>>
>>
>>
>> > Date: Fri, 20 Mar 2015 04:29:43 +0100
>> > From: o.calvano at gmail.com
>> > To: cisco-nsp at puck.nether.net
>> > Subject: Re: [c-nsp] Vpdn config ?
>> >
>> > I have one vpdn-group only:
>> >
>> >
>> > vpdn-group UserLNS
>> > accept-dialin
>> > protocol l2tp
>> > virtual-template 1
>> > terminate-from hostname LAC-172-20-1-1
>> > local name LNS-172-20-1-1
>> > lcp renegotiation always
>> > no l2tp tunnel authentication
>> > l2tp tunnel receive-window 500
>> > l2tp tunnel retransmit retries 7
>> > l2tp tunnel retransmit timeout min 2
>> > l2tp tunnel retransmit timeout max 7
>> >
>> >
>> > interface Virtual-Template1
>> > description DSL User
>> > mtu 1460
>> > ip unnumbered Loopback100
>> > ip tcp adjust-mss 1420
>> > no logging event link-status
>> > no peer default ip address
>> > keepalive 20
>> > ppp mtu adaptive
>> > ppp authentication chap ppp-radius
>> > ppp multilink
>> >
>> >
>> > It's linked with the Loopback100 but I put:
>> > Tunnel-Client-Endpoint:0 = "172.20.1.1"
>> >
>> > "172.20.1.1" is not the IP of Loopback100; is that a problem?
>> >
>> >
>> >
>> > Because the first tunnel (my supplier to my router) works, this
>> > vpdn/virtual-template is good, I think.
>> >
>> > But for the second tunnel, my router to my customer, shouldn't there be a
>> > second vpdn/virtual-template in "out"?
>> >
>> >
>> > thanks for your help
>> >
>> >
>> >
>> >
>> >
>> > 2015-03-19 10:37 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:
>> >
>> > > Hi
>> > >
>> > > I am searching for a vpdn config sample for my Cisco 7301. I want to
>> > > forward a PPP connection to another router.
>> > >
>> > > My RADIUS sent my router a Tunnel-End-Point but it doesn't forward (I see
>> > > the connection in sh users).
>> > >
>> > > thanks for your help
>> > > olivier
>> > >
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
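The thread boils down to one consistency rule for the RADIUS reply that drives L2TP forwarding on the LAC: a tagged tunnel definition needs a Tunnel-Server-Endpoint, and either a Tunnel-Password or the `Cisco-avpair = "vpdn:l2tp-tunnel-authen=no"` Oliver mentions, otherwise the far end logs %VPDN-6-AUTHENERR as in Olivier's debug. The checker below is an added example, not code from the thread or from Cisco; it assumes the attribute dump format shown above (`Name[:tag] = value`, as printed by the RADIUS server debug) and handles several tunnel tags, not just `:0`.

```python
import re

# Constructed sample: the Access-Accept from the thread (tag :0), which carries
# neither Tunnel-Password nor the Cisco avpair that disables tunnel authentication.
SAMPLE_REPLY = """\
Sending Access-Accept of id 57 to 172.20.1.1 port 1645
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "172.20.2.100"
        Tunnel-Type:0 = L2TP
        Service-Type = Outbound-User
        Tunnel-Assignment-Id:0 = "tunnel-lns"
        Tunnel-Client-Auth-Id:0 = "LAC-172-20-1-1"
        Tunnel-Server-Auth-Id:0 = "LNS-172-20-1-1"
        Tunnel-Client-Endpoint:0 = "172.20.1.1"
"""
AUTHEN_OFF = "vpdn:l2tp-tunnel-authen=no"  # Cisco-avpair value quoted in the thread
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::(\d+))?\s*\+?=\s*"?(.*?)"?\s*$')


def parse_reply(text):
    """Group 'Name[:tag] = value' lines as {tag: {name: [values]}}; untagged -> None."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # e.g. the 'Sending Access-Accept ...' header line
        name, tag, value = m.groups()
        tag = int(tag) if tag is not None else None
        attrs.setdefault(tag, {}).setdefault(name.lower(), []).append(value)
    return attrs


def check_l2tp_tunnel(attrs):
    """Return the problems that would stop the LAC from bringing up the L2TP tunnel."""
    avpairs = attrs.get(None, {}).get("cisco-avpair", [])
    auth_disabled = AUTHEN_OFF in avpairs
    problems = []
    for tag, group in attrs.items():
        if tag is None or group.get("tunnel-type") != ["L2TP"]:
            continue  # only tagged L2TP tunnel definitions are checked
        if "tunnel-server-endpoint" not in group:
            problems.append(f"tag {tag}: missing Tunnel-Server-Endpoint (no LNS address)")
        has_password = "tunnel-password" in group
        if not has_password and not auth_disabled:
            problems.append(f"tag {tag}: no Tunnel-Password and tunnel authentication "
                            "not disabled; expect %VPDN-6-AUTHENERR on the far end")
        if has_password and auth_disabled:
            problems.append(f"tag {tag}: Tunnel-Password set but authentication disabled")
    return problems
```

Running `check_l2tp_tunnel(parse_reply(SAMPLE_REPLY))` on the reply above flags the missing Tunnel-Password; adding either the Tunnel-Password:0 attribute or the Cisco-avpair clears it, and adding both is reported as contradictory.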