Re: [c-nsp] VPDN multihop/forwarding not working
> Right. So I would just add a new vpdn-group with a request-dialin section with an appropriate domain, just as you configured in your vpdn-group TEST you provided earlier.. the vpdn authorization LOCAL_AUTH will ensure the LNS will look for it.

Thanks very much for your help Oli! - All working now after adding LOCAL_AUTH to the virtual-template.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VPDN multihop/forwarding not working
>> Well, have you defined any of these other realms on the Radius server (with the static cisco password)? If you don't, and if you don't have a vpdn-group with a request-dialin matching their realm, nothing will break; adding the vpdn authorization .. on those vtemplates will just make sure the LNS no longer sends these Radius requests (with the domain).. have you checked the Radius traces since you enabled vpdn multihop? If you have users with @ or / on other vpdn-groups, you will see those?
>
> Our current setup is - We have multiple realms all configured on our radius server (no cisco password, just each DSL account i.e. FNN@realm and a random system generated password), and approx 15 vpdn-groups on our LNS that connect to the carriers' LACs, all accept-dialin and all using virtual-template7, eg:

well, if all are referencing virtual-template 7, this is where you can put vpdn authorization LOCAL_AUTH. And as you are currently not providing any VPDN multihop, this configuration shouldn't break anything as the only thing it would affect would be radius-based tunnel authorization.

> So, we are adding a new dsl realm; connection requests for the new realm will be coming from the same LAC's, but we want to not auth the new realm via our existing radius server - We want our LNS to create an L2TP tunnel to another LNS for this new realm (And then this other LNS will authenticate the DSL tails via another radius server.)

Right. So I would just add a new vpdn-group with a request-dialin section with an appropriate domain, just as you configured in your vpdn-group TEST you provided earlier.. the vpdn authorization LOCAL_AUTH will ensure the LNS will look for it.

oli
Re: [c-nsp] VPDN multihop/forwarding not working
Thanks Oli,

> Well, have you defined any of these other realms on the Radius server (with the static cisco password)? If you don't, and if you don't have a vpdn-group with a request-dialin matching their realm, nothing will break; adding the vpdn authorization .. on those vtemplates will just make sure the LNS no longer sends these Radius requests (with the domain).. have you checked the Radius traces since you enabled vpdn multihop? If you have users with @ or / on other vpdn-groups, you will see those?

Our current setup is - We have multiple realms all configured on our radius server (no cisco password, just each DSL account i.e. FNN@realm and a random system generated password), and approx 15 vpdn-groups on our LNS that connect to the carriers' LACs, all accept-dialin and all using virtual-template7, eg:

vpdn-group CARRIERLAC_1
 description CARRIERLAN1_VPDN_GROUP
 accept-dialin
  protocol l2tp
  virtual-template 7
 terminate-from hostname CARRIERLAC_1
 source-ip xxx.xxx.xxx.xxx
 local name LNS01
 lcp renegotiation always
 l2tp tunnel password xxx
 ip mtu adjust

interface Virtual-Template7
 description DSL TERMINATION
 ip unnumbered Loopback7
 ip flow ingress
 qos pre-classify
 ppp authentication chap callin

So, we are adding a new dsl realm; connection requests for the new realm will be coming from the same LAC's, but we want to not auth the new realm via our existing radius server - We want our LNS to create an L2TP tunnel to another LNS for this new realm (And then this other LNS will authenticate the DSL tails via another radius server.)

Hope that makes sense, and that Hotmail hasn't screwed up the formatting too much!

Cheers
Re: [c-nsp] VPDN multihop/forwarding not working
Thanks Oli,

> sorry for not mentioning it, but the command needs to be applied to the vtemplate referenced in the vpdn-group which terminates the original L2TP tunnel from the LAC. You might want to consider putting this on all vtemplates, as this could avoid quite a few Radius requests in case the other user names contain realms (@domain).

As we terminate a lot of other realms from various LAC's - Adding this won't break any of the existing realms? (We have a number of vtemplates and vpdn groups, as we already use a number of different realms, but they are all locally terminated on this LNS.)

So I need to add:

 vpdn authorization LOCAL_AUTH

under the virtual template referenced on the vpdn-groups this new realm will use, and for this new realm our LNS should then create an L2TP tunnel to the initiate-to ip under the vpdn conf for the new realm?
Re: [c-nsp] VPDN multihop/forwarding not working
>> sorry for not mentioning it, but the command needs to be applied to the vtemplate referenced in the vpdn-group which terminates the original L2TP tunnel from the LAC. You might want to consider putting this on all vtemplates, as this could avoid quite a few Radius requests in case the other user names contain realms (@domain).
>
> As we terminate a lot of other realms from various LAC's - Adding this won't break any of the existing realms? (We have a number of vtemplates and vpdn groups, as we already use a number of different realms, but they are all locally terminated on this LNS.)

Well, have you defined any of these other realms on the Radius server (with the static cisco password)? If you don't, and if you don't have a vpdn-group with a request-dialin matching their realm, nothing will break; adding the vpdn authorization .. on those vtemplates will just make sure the LNS no longer sends these Radius requests (with the domain).. have you checked the Radius traces since you enabled vpdn multihop? If you have users with @ or / on other vpdn-groups, you will see those?

> So I need to add vpdn authorization LOCAL_AUTH under the virtual template referenced on the vpdn-groups this new realm will use, and for this new realm our LNS should then create an L2TP tunnel to the initiate-to ip under the vpdn conf for the new realm?

yes. I think you can put both functions (accept-dialin and request-dialin) in the same vpdn-group? as I said, my vpdn skills are rusty..

oli
Re: [c-nsp] VPDN multihop/forwarding not working
> Hi Guys, Have a 7200 (LNS) that terminates DSL tails from multiple carriers (Using our radius for auth) - Attempting to forward connection requests for a specific realm to an alternate LNS (So create an L2TP tunnel). Have the following vpdn setup, but the tunnel is not getting created to the initiate-to IP, and if the new realm DSL accounts are created on our radius server, they auth?

when you configure vpdn multihop, the LNS will try to authorize the domain part of the user (with password cisco) against the configured network authorization method on the vtemplate to retrieve the tunnel forwarding information. In your scenario this is radius, and the locally configured information is ignored.

so either you create a Radius profile like

 testrealm.com.au Password = cisco
     Service-Type = Outbound,
     Cisco-avpair = vpdn:tunnel-type=l2tp,
     Cisco-avpair = vpdn:tunnel-id=TEST7200,
     Cisco-avpair = vpdn:ip-addresses=x.x.x.x,
     Cisco-avpair = vpdn:source-ip=y.y.y.y,
     Cisco-avpair = vpdn:l2tp-tunnel-password=xxx

or you do something like

 aaa authorization network LOCAL_AUTH local
 !
 interface virtual-template <number>
  vpdn authorization LOCAL_AUTH

to use the locally configured tunnel information.

my vpdn knowledge is a bit rusty, so not 100% sure if this is still how it's supposed to work ;-)

oli
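The domain-authorization behaviour Oli describes, as an added Python model (constructed here; not code from the thread, and not IOS): it applies the vpdn domain-delimiter rules, then shows which logins make the LNS send a RADIUS lookup for the realm with the static password, and which are switched via the local request-dialin group once vpdn authorization LOCAL_AUTH is in place. The vpdn-group names, the sample users, other.example and the x.x.x.x target are assumed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VpdnGroup:
    """One vpdn-group, reduced to the commands the thread uses (constructed model)."""
    name: str
    domain: Optional[str] = None            # request-dialin: domain <realm>
    initiate_to: Optional[str] = None       # request-dialin: initiate-to ip <addr>
    terminate_from: Optional[str] = None    # accept-dialin: terminate-from hostname <lac>
    virtual_template: Optional[int] = None  # accept-dialin: virtual-template <n>


@dataclass
class Lns:
    groups: list
    radius_profiles: dict                    # realm -> target from vpdn:ip-addresses avpair
    local_authorization: bool = False        # 'vpdn authorization LOCAL_AUTH' on the vtemplate
    delimiters: tuple = (("@", "suffix"), ("/", "prefix"))  # vpdn domain-delimiter ...
    radius_requests: list = field(default_factory=list)    # realm lookups sent to RADIUS

    def split_realm(self, username):
        """vpdn domain-delimiter: '@' marks a suffix realm, '/' a prefix realm."""
        for delim, position in self.delimiters:
            if delim in username:
                head, _, tail = username.partition(delim)
                return (tail, head) if position == "prefix" else (head, tail)
        return username, None

    def decide(self, username, ingress_tunnel):
        """Return ('forward', target), ('terminate', vtemplate) or ('reject', reason)."""
        _user, realm = self.split_realm(username)
        if realm:
            if self.local_authorization:
                # Local request-dialin groups supply the forwarding information.
                target = next((g.initiate_to for g in self.groups if g.domain == realm), None)
            else:
                # RADIUS network authorization: the LNS asks RADIUS for the realm with
                # the static password 'cisco' and ignores the local request-dialin group.
                self.radius_requests.append((realm, "cisco"))
                target = self.radius_profiles.get(realm)
            if target:
                return "forward", target
        # No forwarding information: terminate on the accept-dialin group for this LAC.
        for g in self.groups:
            if g.terminate_from == ingress_tunnel and g.virtual_template:
                return "terminate", g.virtual_template
        return "reject", "No virtual-template specified"


# Constructed topology following the thread: an accept-dialin group per LAC on
# Virtual-Template7 plus a request-dialin group for the new realm (x.x.x.x = other LNS).
GROUPS = [
    VpdnGroup("CARRIERLAC_1", terminate_from="CARRIERLAC_1", virtual_template=7),
    VpdnGroup("TEST", domain="testrealm.com.au", initiate_to="x.x.x.x"),
]


def run(local_authorization):
    """Decide three sample logins arriving from CARRIERLAC_1; return decisions and RADIUS lookups."""
    lns = Lns(GROUPS, radius_profiles={}, local_authorization=local_authorization)
    results = {u: lns.decide(u, "CARRIERLAC_1")
               for u in ("alice@testrealm.com.au", "bob@other.example", "plainuser")}
    return results, lns.radius_requests
```

Without LOCAL_AUTH every realm-qualified login produces a RADIUS lookup for its realm and is then terminated locally; with it, only testrealm.com.au is switched and no realm lookups leave the box.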
Re: [c-nsp] VPDN multihop/forwarding not working
Thanks very much Oli,

> aaa authorization network LOCAL_AUTH local
> interface virtual-template <number>
>  vpdn authorization LOCAL_AUTH

I've created a virtual-template (Using LOCAL_AUTH as you have suggested), but I am unable to apply the template to the vpdn-group? i.e. with request-dialin configured I am not given an option to add the virtual-template - if accept-dialin is configured (As per all our other vpdn-group setups), a virtual-template can be applied?
Re: [c-nsp] VPDN multihop/forwarding not working
> Thanks very much Oli,
>
> aaa authorization network LOCAL_AUTH local
> interface virtual-template <number>
>  vpdn authorization LOCAL_AUTH
>
> I've created a virtual-template (Using LOCAL_AUTH as you have suggested), but I am unable to apply the template to the vpdn-group? i.e. with request-dialin configured I am not given an option to add the virtual-template - if accept-dialin is configured (As per all our other vpdn-group setups), a virtual-template can be applied?

sorry for not mentioning it, but the command needs to be applied to the vtemplate referenced in the vpdn-group which terminates the original L2TP tunnel from the LAC. You might want to consider putting this on all vtemplates, as this could avoid quite a few Radius requests in case the other user names contain realms (@domain).

oli
[c-nsp] VPDN multihop/forwarding not working
Hi Guys,

Have a 7200 (LNS) that terminates DSL tails from multiple carriers (Using our radius for auth) - Attempting to forward connection requests for a specific realm to an alternate LNS (So create an L2TP tunnel). Have the following vpdn setup, but the tunnel is not getting created to the initiate-to IP, and if the new realm DSL accounts are created on our radius server, they auth?

vpdn enable
vpdn multihop
vpdn aaa attribute nas-port vpdn-nas
vpdn logging
vpdn history failure table-size 50
vpdn search-order domain
vpdn domain-delimiter @ suffix
vpdn domain-delimiter / prefix
!
vpdn-group TEST
 description Test for VPDN forward
 request-dialin
  protocol l2tp
  domain testrealm.com.au
 initiate-to ip xxx.xxx.xxx.xx1
 source-ip xxx.xxx.xxx.xx2
 local name TEST7200
 l2tp tunnel password xxx
 l2tp tunnel timeout no-session never

Cheers for any suggestions
Re: [c-nsp] VPDN Multihop
This is a global variable and will result in all services requiring auth before being forwarded... if they have any VPDN groups which auto forward, it will break them all.

...Skeeve

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ben Steele
Sent: Tuesday, 17 February 2009 4:17 PM
To: Kurt Bales
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPDN Multihop

Try it with vpdn authen-before-forward

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales kwba...@kwbales.net wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers. We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.
>
> Our thought was to leverage the multihop-hostname command under a request-dialin configured VPDN-group. The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.
>
>   multihop-hostname
>   To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.
>
> We tried configuring up a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password; surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?
>
> Unfortunately we could not get it to work; the error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally:
>
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
> Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
> Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
> Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
> Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
> Feb 17 12:14:18: L2TP _:06839:70B5:
> Feb 17 12:14:18: L2TP _:06839:70B5: Shutting down session
> Feb 17 12:14:18: L2TP _:06839:70B5: Result Code
> Feb 17 12:14:18: L2TP _:06839:70B5: Call disconnected, refer to error msg (2)
> Feb 17 12:14:18: L2TP _:06839:70B5: Error Code
> Feb 17 12:14:18: L2TP _:06839:70B5: Insufficient resources (4)
> Feb 17 12:14:18: L2TP _:06839:70B5: Vendor Error
> Feb 17 12:14:18: L2TP _:06839:70B5: None (0)
> Feb 17 12:14:18: L2TP _:06839:70B5: Optional Message
> Feb 17 12:14:18: L2TP _:06839:70B5: No virtual-template specified
> Feb 17 12:14:18: L2TP _:06839:70B5:
>
> vpdn enable
> vpdn multihop
> vpdn aaa attribute nas-port vpdn-nas
> vpdn redirect
> vpdn logging
> vpdn logging local
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn session-limit 2048
> vpdn search-order multihop-hostname domain
> vpdn domain-delimiter @ suffix
> vpdn domain-delimiter / prefix
> !
> vpdn-group customer3
>  request-dialin
>   protocol l2tp
>   multihop hostname <tunnel-name>
>  initiate-to ip <downstream LNS IP> priority 1
>  local name <my hostname>
>  l2tp tunnel password 0 mumble
> !
>
> Any thoughts/suggestions?
>
> Regards,
> Kurt Bales
[c-nsp] VPDN Multihop
Hi All,

There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.

We are a wholesale ISP taking DSL tails as L2TP from carriers. We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.

For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.

Our thought was to leverage the multihop-hostname command under a request-dialin configured VPDN-group. The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.

  multihop-hostname
  To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.

We tried configuring up a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password; surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?

Unfortunately we could not get it to work; the error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally:

Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
Feb 17 12:14:18: L2TP _:06839:70B5:
Feb 17 12:14:18: L2TP _:06839:70B5: Shutting down session
Feb 17 12:14:18: L2TP _:06839:70B5: Result Code
Feb 17 12:14:18: L2TP _:06839:70B5: Call disconnected, refer to error msg (2)
Feb 17 12:14:18: L2TP _:06839:70B5: Error Code
Feb 17 12:14:18: L2TP _:06839:70B5: Insufficient resources (4)
Feb 17 12:14:18: L2TP _:06839:70B5: Vendor Error
Feb 17 12:14:18: L2TP _:06839:70B5: None (0)
Feb 17 12:14:18: L2TP _:06839:70B5: Optional Message
Feb 17 12:14:18: L2TP _:06839:70B5: No virtual-template specified
Feb 17 12:14:18: L2TP _:06839:70B5:

vpdn enable
vpdn multihop
vpdn aaa attribute nas-port vpdn-nas
vpdn redirect
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
vpdn history failure table-size 50
vpdn session-limit 2048
vpdn search-order multihop-hostname domain
vpdn domain-delimiter @ suffix
vpdn domain-delimiter / prefix
!
vpdn-group customer3
 request-dialin
  protocol l2tp
  multihop hostname <tunnel-name>
 initiate-to ip <downstream LNS IP> priority 1
 local name <my hostname>
 l2tp tunnel password 0 mumble
!

Any thoughts/suggestions?

Regards,
Kurt Bales
Re: [c-nsp] VPDN Multihop
Try it with vpdn authen-before-forward

Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales kwba...@kwbales.net wrote:
> Hi All,
>
> There is probably an obvious answer to this, but I am failing to make it work the way I want so I'm asking the resident experts.
>
> We are a wholesale ISP taking DSL tails as L2TP from carriers. We have an LNS which is currently setup to switch these sessions to downstream channel partners based on a match against the domain/REALM.
>
> For one of the realms on which we receive L2TP sessions, we would like to select a destination (either locally terminated or switched-to-channel-partner) on a per-account basis. These currently are switched to us on a per-account basis by our upstream provider doing per-account authentication and A/V pairs to forward the sessions. Their A/V pairs are setting a tunnel-id for these.
>
> Our thought was to leverage the multihop-hostname command under a request-dialin configured VPDN-group. The documentation on CCO seems to imply that it can be used to match against a VPDN tunnel-id, but we could not get that to work.
>
>   multihop-hostname
>   To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.
>
> We tried configuring up a vpdn-group with a multihop hostname/initiate-to/local name/l2tp tunnel password; surely that would be enough to correctly match and therefore switch the session across to the downstream LNS?
>
> Unfortunately we could not get it to work; the error coming back was complaining that it could not assign a virtual-template to the session, which would seem to imply an attempt to terminate the session locally:
>
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
> Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
> Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
> Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
> Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
> Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
> Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
> Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
> Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
> Feb 17 12:14:18: L2TP _:06839:70B5:
> Feb 17 12:14:18: L2TP _:06839:70B5: Shutting down session
> Feb 17 12:14:18: L2TP _:06839:70B5: Result Code
> Feb 17 12:14:18: L2TP _:06839:70B5: Call disconnected, refer to error msg (2)
> Feb 17 12:14:18: L2TP _:06839:70B5: Error Code
> Feb 17 12:14:18: L2TP _:06839:70B5: Insufficient resources (4)
> Feb 17 12:14:18: L2TP _:06839:70B5: Vendor Error
> Feb 17 12:14:18: L2TP _:06839:70B5: None (0)
> Feb 17 12:14:18: L2TP _:06839:70B5: Optional Message
> Feb 17 12:14:18: L2TP _:06839:70B5: No virtual-template specified
> Feb 17 12:14:18: L2TP _:06839:70B5:
>
> vpdn enable
> vpdn multihop
> vpdn aaa attribute nas-port vpdn-nas
> vpdn redirect
> vpdn logging
> vpdn logging local
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn session-limit 2048
> vpdn search-order multihop-hostname domain
> vpdn domain-delimiter @ suffix
> vpdn domain-delimiter / prefix
> !
> vpdn-group customer3
>  request-dialin
>   protocol l2tp
>   multihop hostname <tunnel-name>
>  initiate-to ip <downstream LNS IP> priority 1
>  local name <my hostname>
>  l2tp tunnel password 0 mumble
> !
>
> Any thoughts/suggestions?
>
> Regards,
> Kurt Bales