 Post subject: replacing Cisco VPDN with openL2TP ...
PostPosted: Sat May 31, 2014 7:46 am 

Joined: Fri May 30, 2014 4:36 pm
Posts: 2
Dear all,

I hope that somebody will answer my questions.

A few days ago I installed OpenL2TP LNS on CentOS 6.5 and made the testing tunnels and active sessions up and running.
Also "ippoold" and "radiusclient-ng" are both working well.
The main idea is to replace a Cisco 72xx VPDN LNS with OpenL2TP. The LAC side is running on Juniper routers.

openl2tpd.conf:
------------------
# system

# peer profiles
peer profile modify profile_name=default \
lac_lns=lns \
tunnel_profile_name=default \
session_profile_name=default \
ppp_profile_name=default


# tunnel profiles
tunnel profile modify profile_name=default \
auth_mode=challenge \
secret= ******* \
host_name=lnstest-1 \
max_retries=10 \
retry_timeout=6 \
session_profile_name=default \
ppp_profile_name=default \
mtu=1460


# session profiles
session profile modify profile_name=default \
trace_flags=1863 \
ppp_profile_name=default \
bearer_type=digital

# ppp profiles

ppp profile modify profile_name=default \
use_radius=yes \
radius_hint=/etc/radiusclient-ng/radiusclient.conf \
dns_ipaddr_pri=xxx.xxx.xxx.xxx \
dns_ipaddr_sec=xxx.xxx.xxx.xxx \
lcp_echo_interval=5 \
auth_eap=no auth_chap=no \
auth_mschapv1=no auth_mschapv2=no \
local_ipaddr=yyy.yyy.yyy.yyy


# locally created tunnels and sessions

# ip_pool_name=default \


l2tp> system show version
OpenL2TP V1.8, built May 27 2014 [09:49:25],
(c) Copyright 2004-2010 Katalix Systems Ltd.
Features: LAC LNS CONF




Questions:

1. Is it possible to set up a pool in the same way as it works on Cisco routers?
We have 4 x /24 networks and we would like to create a consistent pool of 2 x /24 and to use the remaining /24s for static IPs assigned by a RADIUS server.

2. How should I configure "openl2tpd.conf -> ppp profile" so that it first tries to assign the IP via RADIUS and, if that fails, uses a definition from "ippoold"?

3. Does openl2tp support BCP? Instead of using 2 IPs per pppX link we would like to provide 1 IP address from an IP pool to every PPPoE session and ideally one fixed (or fake) gateway to all sessions.

4. During testing I have discerned that some sessions are not properly cleaned out once they are terminated. Also some of them are duplicated: the same user with the same IP was registered twice (one active and one stale session).
Is there any method to prevent those scenarios?

5. What are the limits of openl2tp in regard to the maximum number of tunnels and sessions?
We would like to build a Linux OpenL2TP router capable of handling ~1000 simultaneous sessions and ~1Gb of bandwidth.
Is there any limitation of the Linux kernel and the OpenL2TP/ppp implementation that we should consider as well?


Thank you.
BejcD


 Post subject: Re: replacing Cisco VPDN with openL2TP ...
PostPosted: Mon Jun 02, 2014 6:27 am 

Joined: Fri May 30, 2014 4:36 pm
Posts: 2
Hello again,

More details about question (2):

The attached "ppp profile" section:

ppp profile modify profile_name=default \
use_radius=yes \
radius_hint=/etc/radiusclient-ng/radiusclient.conf \
ip_pool_name=default \
dns_ipaddr_pri=xxx.xxx.xxx.xxx \
dns_ipaddr_sec=xxx.xxx.xxx.xxx \
lcp_echo_interval=5 \
auth_eap=no auth_chap=no \
auth_mschapv1=no auth_mschapv2=no \
local_ipaddr=yyy.yyy.yyy.yyy


And the log file:

Jun 1 20:30:43 vpdn pppd[1636]: Plugin radius.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: RADIUS plugin initialized.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin radattr.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: RADATTR plugin initialized.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin ippool.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin pppol2tp.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin openl2tp.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: pppd 2.4.5 started by root, uid 0
Jun 1 20:30:43 vpdn pppd[1636]: Using interface ppp1
Jun 1 20:30:43 vpdn pppd[1636]: Connect: ppp1 <-->
Jun 1 20:30:43 vpdn pppd[1636]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 20:30:43 vpdn pppd[1636]: Peer is not authorized to use remote address 10.151.128.185
Jun 1 20:30:43 vpdn pppd[1636]: Connect time 0.0 minutes.
Jun 1 20:30:43 vpdn pppd[1636]: Sent 30 bytes, received 34 bytes.
Jun 1 20:30:43 vpdn pppd[1636]: Connection terminated.
Jun 1 20:30:43 vpdn pppd[1636]: Connect time 0.0 minutes.
Jun 1 20:30:43 vpdn pppd[1636]: Sent 64 bytes, received 38 bytes.
Jun 1 20:30:43 vpdn pppd[1636]: Exit.


/etc/ppp/options:
lock
noauth
#proxyarp


* * *

If the "ip_pool_name=default" section is disabled, the "Framed-Address=10.151.128.190" configuration parameter works:

Jun 1 14:25:03 vpdn kernel: NET: Unregistered protocol family 24
Jun 1 14:25:06 vpdn kernel: PPP generic driver version 2.4.2
Jun 1 14:25:06 vpdn kernel: NET: Registered protocol family 24
Jun 1 14:25:06 vpdn kernel: PPPoL2TP kernel driver, V1.0
Jun 1 14:25:06 vpdn openl2tpd[4208]: Start, trace_flags=00000000
Jun 1 14:25:06 vpdn openl2tpd[4208]: OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Jun 1 14:25:06 vpdn openl2tpd[4208]: Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Jun 1 14:25:06 vpdn openl2tpd[4208]: Using config file: /etc/openl2tpd.conf
Jun 1 14:30:56 vpdn pppd[4212]: Plugin radius.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: RADIUS plugin initialized.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin radattr.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: RADATTR plugin initialized.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin pppol2tp.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin openl2tp.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: pppd 2.4.5 started by root, uid 0
Jun 1 14:30:56 vpdn pppd[4212]: Using interface ppp0
Jun 1 14:30:56 vpdn pppd[4212]: Connect: ppp0 <-->
Jun 1 14:30:56 vpdn pppd[4212]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 14:30:56 vpdn pppd[4212]: local IP address 10.1.1.1
Jun 1 14:30:56 vpdn pppd[4212]: remote IP address 10.151.128.190


Thank you.
BejcD
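A small log triage script, added here and not part of the thread or of OpenL2TP, that reads pppd syslog lines like the ones quoted above and flags two things: the "not authorized to use remote address" rejection seen in question (2), and the same user plus address held by more than one live pppd process, the stale/duplicate session case from question (4). The third pppd (pid 4300) in the sample is constructed to illustrate the duplicate case.

```python
import re
from collections import defaultdict

# Constructed sample built from the thread's two log excerpts (pid 1636 had its pool
# address rejected, pid 4212 got the RADIUS address) plus a constructed pid 4300.
SAMPLE_LOG = """\
Jun 1 20:30:43 vpdn pppd[1636]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 20:30:43 vpdn pppd[1636]: Peer is not authorized to use remote address 10.151.128.185
Jun 1 20:30:43 vpdn pppd[1636]: Connection terminated.
Jun 1 14:30:56 vpdn pppd[4212]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 14:30:56 vpdn pppd[4212]: remote IP address 10.151.128.190
Jun 1 14:40:10 vpdn pppd[4300]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 14:40:10 vpdn pppd[4300]: remote IP address 10.151.128.190
"""

LINE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+pppd\[(\d+)\]: (.*)$")
AUTH_OK = re.compile(r"authentication succeeded for (\S+)")
REMOTE = re.compile(r"remote IP address (\S+)")
NOT_AUTH = re.compile(r"not authorized to use remote address (\S+)")

def parse_sessions(log_text):
    """Group pppd lines by PID: {pid: {user, remote, rejected, terminated}}."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # kernel/openl2tpd lines are not per-session
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions[pid]
        if (a := AUTH_OK.search(msg)):
            s["user"] = a.group(1)
        elif (r := REMOTE.search(msg)):
            s["remote"] = r.group(1)
        elif (n := NOT_AUTH.search(msg)):
            s["rejected"] = n.group(1)
        elif msg.startswith("Connection terminated"):
            s["terminated"] = True
    return dict(sessions)

def find_problems(sessions):
    """Flag address rejections and one user+address bound to several live pppds."""
    problems, live = [], defaultdict(list)
    for pid, s in sorted(sessions.items()):
        if "rejected" in s:
            problems.append(f"pid {pid}: {s.get('user')} rejected address {s['rejected']}")
        if "remote" in s and not s.get("terminated"):
            live[(s.get("user"), s["remote"])].append(pid)
    for (user, addr), pids in live.items():
        if len(pids) > 1:
            problems.append(f"{user} holds {addr} in pids {pids}")
    return problems
```

Run it against the live /var/log/messages of the LNS to list the sessions that need a manual "session delete" before the pool address is reused.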

