openl2tp.org
http://forums.openl2tp.org/

replacing Cisco VPDN with openL2TP ...
http://forums.openl2tp.org/viewtopic.php?f=3&t=134

Author:  bejcd [ Sat May 31, 2014 7:46 am ]
Post subject:  replacing Cisco VPDN with openL2TP ...

Dear all,

I hope that somebody will answer my questions.

A few days ago I installed OpenL2TP LNS on CentOS 6.5 and got the test tunnels and active sessions up and running.
Also "ippoold" and "radiusclient-ng" are both working well.
The main idea is to replace a Cisco 72xx VPDN LNS with OpenL2TP. The LAC side is running on Juniper routers.

openl2tpd.conf:
------------------
# system

# peer profiles
peer profile modify profile_name=default \
lac_lns=lns \
tunnel_profile_name=default \
session_profile_name=default \
ppp_profile_name=default


# tunnel profiles
tunnel profile modify profile_name=default \
auth_mode=challenge \
secret=******* \
host_name=lnstest-1 \
max_retries=10 \
retry_timeout=6 \
session_profile_name=default \
ppp_profile_name=default \
mtu=1460


# session profiles
session profile modify profile_name=default \
trace_flags=1863 \
ppp_profile_name=default \
bearer_type=digital

# ppp profiles

ppp profile modify profile_name=default \
use_radius=yes \
radius_hint=/etc/radiusclient-ng/radiusclient.conf \
dns_ipaddr_pri=xxx.xxx.xxx.xxx \
dns_ipaddr_sec=xxx.xxx.xxx.xxx \
lcp_echo_interval=5 \
auth_eap=no auth_chap=no \
auth_mschapv1=no auth_mschapv2=no \
local_ipaddr=yyy.yyy.yyy.yyy


# locally created tunnels and sessions

# ip_pool_name=default \


l2tp> system show version
OpenL2TP V1.8, built May 27 2014 [09:49:25],
(c) Copyright 2004-2010 Katalix Systems Ltd.
Features: LAC LNS CONF




Questions :

1. Is it possible to set up a pool in the same way as it works on Cisco routers?
We have 4 x /24 networks and we would like to create a consistent pool of 2 x /24 and use the remaining /24s for static IPs assigned by a RADIUS server.

2. How should I configure "openl2tpd.conf -> ppp profile" so that it first tries to assign the IP via RADIUS and, if that fails, uses a definition from "ippoold"?

3. Does openl2tp support BCP? Instead of using 2 IPs per pppX link we would like to provide 1 IP address from an IP pool to every PPPoE session and ideally one fixed (or fake) gateway for all sessions.

4. During testing I noticed that some sessions are not properly cleaned up once they are terminated. Also some of them are duplicated: the same user with the same IP was registered twice (one active and one stale session).
Is there any method to prevent these scenarios?

5. What are the limits of openl2tp in regard to the maximum number of tunnels and sessions?
We would like to build a Linux OpenL2TP router capable of handling ~1000 simultaneous sessions and ~1Gb of bandwidth.
Are there any limitations of the Linux kernel and the OpenL2TP/ppp implementation that we should consider as well?


Thank you.
BejcD

Author:  bejcd [ Mon Jun 02, 2014 6:27 am ]
Post subject:  Re: replacing Cisco VPDN with openL2TP ...

Hello again,

more details about question (2):

the attached "ppp profile" section:

ppp profile modify profile_name=default \
use_radius=yes \
radius_hint=/etc/radiusclient-ng/radiusclient.conf \
ip_pool_name=default \
dns_ipaddr_pri=xxx.xxx.xxx.xxx \
dns_ipaddr_sec=xxx.xxx.xxx.xxx \
lcp_echo_interval=5 \
auth_eap=no auth_chap=no \
auth_mschapv1=no auth_mschapv2=no \
local_ipaddr=yyy.yyy.yyy.yyy


and the log file:

Jun 1 20:30:43 vpdn pppd[1636]: Plugin radius.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: RADIUS plugin initialized.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin radattr.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: RADATTR plugin initialized.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin ippool.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin pppol2tp.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: Plugin openl2tp.so loaded.
Jun 1 20:30:43 vpdn pppd[1636]: pppd 2.4.5 started by root, uid 0
Jun 1 20:30:43 vpdn pppd[1636]: Using interface ppp1
Jun 1 20:30:43 vpdn pppd[1636]: Connect: ppp1 <-->
Jun 1 20:30:43 vpdn pppd[1636]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 20:30:43 vpdn pppd[1636]: Peer is not authorized to use remote address 10.151.128.185
Jun 1 20:30:43 vpdn pppd[1636]: Connect time 0.0 minutes.
Jun 1 20:30:43 vpdn pppd[1636]: Sent 30 bytes, received 34 bytes.
Jun 1 20:30:43 vpdn pppd[1636]: Connection terminated.
Jun 1 20:30:43 vpdn pppd[1636]: Connect time 0.0 minutes.
Jun 1 20:30:43 vpdn pppd[1636]: Sent 64 bytes, received 38 bytes.
Jun 1 20:30:43 vpdn pppd[1636]: Exit.


/etc/ppp/options:
lock
noauth
#proxyarp


* * *

If the "ip_pool_name=default" line is disabled, the "Framed-Address=10.151.128.190" configuration parameter works:

Jun 1 14:25:03 vpdn kernel: NET: Unregistered protocol family 24
Jun 1 14:25:06 vpdn kernel: PPP generic driver version 2.4.2
Jun 1 14:25:06 vpdn kernel: NET: Registered protocol family 24
Jun 1 14:25:06 vpdn kernel: PPPoL2TP kernel driver, V1.0
Jun 1 14:25:06 vpdn openl2tpd[4208]: Start, trace_flags=00000000
Jun 1 14:25:06 vpdn openl2tpd[4208]: OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Jun 1 14:25:06 vpdn openl2tpd[4208]: Loading plugin /usr/lib64/openl2tp/ppp_unix.so, version V1.5
Jun 1 14:25:06 vpdn openl2tpd[4208]: Using config file: /etc/openl2tpd.conf
Jun 1 14:30:56 vpdn pppd[4212]: Plugin radius.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: RADIUS plugin initialized.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin radattr.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: RADATTR plugin initialized.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin pppol2tp.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: Plugin openl2tp.so loaded.
Jun 1 14:30:56 vpdn pppd[4212]: pppd 2.4.5 started by root, uid 0
Jun 1 14:30:56 vpdn pppd[4212]: Using interface ppp0
Jun 1 14:30:56 vpdn pppd[4212]: Connect: ppp0 <-->
Jun 1 14:30:56 vpdn pppd[4212]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 14:30:56 vpdn pppd[4212]: local IP address 10.1.1.1
Jun 1 14:30:56 vpdn pppd[4212]: remote IP address 10.151.128.190


Thank you.
BejcD
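Question 4 in the first post (terminated sessions that are not cleaned up, and the same user/IP registered twice) and the pppd log excerpts in the second post can be checked from the syslog side with the small audit below. It is an added example, not code from the thread or from the OpenL2TP project: it only reads the lines pppd itself writes (interface assignment, peer authentication, negotiated remote address, the "Peer is not authorized" rejection seen above, and the final "Exit."), so anything openl2tpd keeps in its own session table has to be compared against `openl2tpconfig`'s `session list` separately. The sample log is constructed from the thread's own lines plus an invented second pppd run (pid 4390 on ppp2) for the same user that starts while the first run (pid 4212) has never logged "Exit.", which is the duplicate/stale pattern the post describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines from the thread, plus an invented run (pid 4390, ppp2)
# for the same user that negotiates the same address while pid 4212 is still open.
SAMPLE_LOG = """\
Jun 1 14:30:56 vpdn pppd[4212]: Using interface ppp0
Jun 1 14:30:56 vpdn pppd[4212]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 14:30:56 vpdn pppd[4212]: remote IP address 10.151.128.190
Jun 1 15:02:10 vpdn pppd[4390]: Using interface ppp2
Jun 1 15:02:10 vpdn pppd[4390]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 15:02:10 vpdn pppd[4390]: remote IP address 10.151.128.190
Jun 1 20:30:43 vpdn pppd[1636]: Using interface ppp1
Jun 1 20:30:43 vpdn pppd[1636]: PAP peer authentication succeeded for test@mydomain.com
Jun 1 20:30:43 vpdn pppd[1636]: Peer is not authorized to use remote address 10.151.128.185
Jun 1 20:30:43 vpdn pppd[1636]: Connection terminated.
Jun 1 20:30:43 vpdn pppd[1636]: Exit.
"""

# syslog prefix as it appears in the thread: "Jun 1 14:30:56 vpdn pppd[4212]: msg"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pppd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IFACE_RE = re.compile(r"^Using interface (ppp\d+)$")
AUTH_RE = re.compile(r"^\S+ peer authentication succeeded for (\S+)$")   # PAP/CHAP/...
REMOTE_RE = re.compile(r"^remote IP address (\S+)$")
NOTAUTH_RE = re.compile(r"^Peer is not authorized to use remote address (\S+)$")


@dataclass
class PppSession:
    pid: int
    seq: int                      # position in the log; syslog timestamps carry no year
    iface: str
    start: str
    user: Optional[str] = None
    remote_ip: Optional[str] = None
    rejected_ip: Optional[str] = None
    end: Optional[str] = None


def parse_pppd_log(text: str) -> List[PppSession]:
    """One PppSession per pppd process, keyed by pid until that pid logs 'Exit.'."""
    live: Dict[int, PppSession] = {}
    sessions: List[PppSession] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, ts = int(m["pid"]), m["msg"], m["ts"]
        im = IFACE_RE.match(msg)
        if im:
            # "Using interface" is the first per-session line; a reused pid starts a new record
            sess = PppSession(pid=pid, seq=len(sessions), iface=im.group(1), start=ts)
            live[pid] = sess
            sessions.append(sess)
            continue
        sess = live.get(pid)
        if sess is None:
            continue                          # pppd whose start is outside the excerpt
        am, rm, nm = AUTH_RE.match(msg), REMOTE_RE.match(msg), NOTAUTH_RE.match(msg)
        if am:
            sess.user = am.group(1)
        elif rm:
            sess.remote_ip = rm.group(1)
        elif nm:
            sess.rejected_ip = nm.group(1)    # IPCP refused the address the peer ended up with
        elif msg == "Exit.":
            sess.end = ts
            del live[pid]
    return sessions


def audit_sessions(sessions: List[PppSession]) -> Dict[str, list]:
    """Flag stale (never exited, superseded) and duplicated user/IP registrations."""
    report: Dict[str, list] = {"active": [], "stale": [], "duplicate": [], "rejected": []}
    last_by_key: Dict[Tuple[Optional[str], str], PppSession] = {}
    for s in sessions:
        if s.rejected_ip:
            report["rejected"].append((s.pid, s.user, s.rejected_ip))
        if s.remote_ip is None:
            continue
        prev = last_by_key.get((s.user, s.remote_ip))
        if prev is not None and prev.end is None:
            # earlier pppd for the same user/IP never logged Exit before this one
            # negotiated the same address: the earlier one is stale, the user is doubled
            report["stale"].append(prev.pid)
            report["duplicate"].append((s.user, s.remote_ip, prev.pid, s.pid))
        last_by_key[(s.user, s.remote_ip)] = s
    for s in sessions:
        if s.end is None and s.remote_ip and s.pid not in report["stale"]:
            report["active"].append((s.pid, s.iface, s.user, s.remote_ip))
    return report


if __name__ == "__main__":
    for kind, items in audit_sessions(parse_pppd_log(SAMPLE_LOG)).items():
        print(f"{kind}: {items}")
```

Run it against `/var/log/messages` (or `journalctl -t pppd`) instead of `SAMPLE_LOG`; a pid in `stale` whose `pppN` interface still exists in `ip link` is the kind of leftover session the post describes, and the `rejected` list surfaces runs like pid 1636 above, where the pool-assigned address was refused after RADIUS had already authorised the user.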
