sagsag

@bezeqint.net

[Config] How to setup Cisco router as an L2TP/PPTP "client"?

Hi,

I'm trying to set up a Cisco 1812 to connect to an Internet over cables service.
The way we have it here is we need to create a PPTP or L2TP connection to the ISP's LNS.
I've made several tries to get that to work, but to no avail. Perhaps I'm missing something?
If anyone is willing to share a similar working configuration I'd be very grateful.
I will post here my current configuration.
My configuration is a little more complex than my question above, because I'm actually trying to set up dual-WAN links.
The first link, the one I'm having problems with, should use credentials from Dialer0 and connect with L2TP or PPTP through FastEthernet0.
The second link is actually working well. It is a simple PPPoE connection, using credentials from Dialer1, connecting through FastEthernet1.

Many thanks in advance!



sagsag

@bezeqint.net

My current configuration:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname moooo
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name moo.
ip name-server 192.168.0.241
ip name-server 192.168.0.240
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
request-dialin
protocol l2tp
initiate-to ip 172.26.255.245
!
!
!
!
!
!
bridge irb
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 172.26.255.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
ip address 10.0.0.140 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 2
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
switchport access vlan 10
!
interface FastEthernet9
switchport access vlan 10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
no ip address
bridge-group 1
!
interface Vlan10
no ip address
bridge-group 10
!
interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer vpdn
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname lalalala
ppp chap password 7 lililili
ppp pap sent-username lalalala password 7 lililili
!
interface Dialer1
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname lolololo
ppp chap password 7 lililili
ppp pap sent-username lolololo password 7 lililili
!
interface BVI1
description Internal$ES_LAN$$FW_INSIDE$
ip address 192.168.0.230 255.255.255.0
ip access-group 102 in
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface BVI10
description DMZ+Wireless$FW_DMZ$
ip address 192.168.10.254 255.255.255.0
ip access-group 103 in
ip helper-address 192.168.0.241
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 172.26.255.245 255.255.255.255 FastEthernet0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.10 231 interface Dialer1 231
ip nat inside source static udp 192.168.0.10 231 interface Dialer1 231
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1,BVI10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 102 remark Filter for packets incoming from VLAN 1
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 192.168.0.241 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Filter for packets incoming from VLAN 10
access-list 103 remark SDM_ACL Category=1
access-list 103 remark PPTP TCP port
access-list 103 permit tcp any host 192.168.0.241 eq 1723
access-list 103 remark PPTP GRE
access-list 103 permit gre any host 192.168.0.241
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq bootpc
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark PPTP TCP port
access-list 104 permit tcp any host 192.168.0.241 eq 1723
access-list 104 remark PPTP GRE
access-list 104 permit gre any host 192.168.0.241
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end



TomS_
reply to sagsag

Re: [Config] How to setup Cisco router as an L2TP/PPTP "client"?

This can be done with L2TP Client-Initiated Tunneling (not PPTP as far as I am aware), but requires pseudowires in order to accomplish it.

See »www.cisco.com/en/US/products/sw/···592.html for information related to this configuration.

Since you have an 1812 running IOS 12.4 I'd say you have a good chance at accomplishing this, but you'll need either Advanced IP or Advanced Enterprise Services.



sagsag

@bezeqint.net

Hi Tom,

Thanks for your reply.
I actually ran into this solution about a day after I posted here, and I understood this is what I had to implement in the first place.
I've had so far only a little time to test this configuration, which is still not working for me, but at least now I can see dialup attempts in the debug logging, whereas before there was nothing. So perhaps I missed something, I still have to look into it.

Thanks again.



sagsag

@bezeqint.net

Well, I checked it again last night, and I really did miss something small in the configuration.
I've used "ppp authentication ... optional callin", whereas I should have used "ppp authentication ... callin".

The configuration guide I've followed to set up my router supersets the 12.3 IOS "L2TP Client-Initiated Tunneling" guide, which you've graciously provided. The guide is a generic Client-Initiated Dial-In VPDN Tunneling for the 12.4T IOS, and is available here:
»www.cisco.com/en/US/products/ps6···b6d.html

I have another question. Dialer interfaces can be configured to be persistent, but the persistent setting cannot be applied to a virtual-ppp interface.
Does anybody know how I can make a Virtual-PPP interface persistent?

Thanks.