Instructions for Track 1 L2TP Lab

In these instructions the network number is listed at 10.x.1.2, etc. You should substitute your group’s number for the “x.” For example, group 1 would use 10.1.1.2, group 2 would use 10.2.1.2, and so on.

Each group [1, 2, 3 & 4] will need to do the following tasks…

  1. Configure your router with two interfaces on the following networks: 10.x.1.0/24 and 10.x.2.0/24. The router should appear as 10.x.1.1 and 10.x.2.1 respectively. Routing between the two networks should be enabled.
  2. Set up a Linux computer to act as your group’s RADIUS server. This machine should be assigned the IP address 10.x.2.3. Create a user account whose user name is in the form user@realm, using the configuration shown in appendix 1. Add an entry for your LNS (10.x.2.1) to the clients file.
  3. Connect your RADIUS server and telnet server to the appropriate interfaces on your router.
  4. Configure your terminal server to use “domain” based tunnel selection. You will use the realm name as your domain name. Refer to the sample configuration in appendix 2.
  5. Configure your router as your LNS, using the sample configuration in appendix 3 as a guide. You will also configure the router/LNS as a RADIUS client of your RADIUS server at 10.x.2.3.
  6. Set up a Windows 95 computer to act as a PPP client (Windows networking) and configure the dialer to call your group’s terminal server.
  7. Place a call from the PPP client to the terminal server and make sure you are logged in and a PPP session starts.
  8. Use winipcfg to verify that the IP address assigned to your PPP client is the one you specified in the users file.
  9. Telnet from the PPP client to the “telnet server” (telnet 10.x.2.5) and log in as group1, group2, etc.; the password is the same as the group name. Verify your IP address using the “w” command. Verify that the PPP client and the “telnet server” are on the same logical network using the traceroute command.

APPENDIX 1

/etc/raddb/clients

#----------------------------------------------------------------------
#
# @(#)clients 1.1 2/21/96 Copyright 1991 Livingston Enterprises Inc
#
#----------------------------------------------------------------------
#
# This file contains a list of clients which are allowed to
# make authentication requests and their encryption key.
# The first field is a valid hostname.
# The second field (separated by blanks or tabs) is the
# encryption key.
#
# To use radpwtst and the radtest script you must create an entry
# for the radius server (this machine)
#Client Name            Key
#----------------       -------------------
127.0.0.1               secret
10.1.2.1                secret
10.1.2.3                secret

/etc/raddb/users

mary@service.com        Password = "ave"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.x.2.128,
        Framed-IP-Netmask = 255.255.255.0
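As an added example (not part of the lab materials or the Livingston server), the following Python parses an entry written in the users-file syntax above, extracts the realm that the LAC matches against the domain in its vpdn-group (step 4), and checks that Framed-IP-Address and Framed-IP-Netmask place the PPP client on the LNS’s 10.x.2.0/24 network, which step 9 verifies with traceroute. The embedded sample is constructed, with x = 1 filled in.

```python
import ipaddress
import re

# Constructed sample in the appendix 1 users-file syntax, with x = 1 filled in.
USERS_FILE = '''\
mary@service.com Password = "ave"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.1.2.128,
        Framed-IP-Netmask = 255.255.255.0
'''

def parse_users(text):
    """Parse a Livingston-style users file into {name: (password, reply_items)}.
    An entry starts at column 0 with 'name Password = "..."'; indented lines
    carry reply items, each comma-terminated except the last."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip().rstrip(",")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                       # new entry
            name, _, rest = line.partition(" ")
            m = re.match(r'\s*Password\s*=\s*"([^"]*)"', rest)
            if not m:
                raise ValueError("expected Password check item: " + raw)
            current, users[name] = name, (m.group(1), {})
        else:                                          # reply item
            if current is None:
                raise ValueError("reply item before any user: " + raw)
            key, _, value = line.partition("=")
            users[current][1][key.strip()] = value.strip()
    return users

def realm_of(username):
    """Realm after '@'; the LAC matches it against 'domain' in its vpdn-group."""
    return username.rpartition("@")[2]

def on_lns_lan(reply, lns_lan):
    """True if Framed-IP-Address/Netmask put the PPP client on the LNS LAN."""
    addr = ipaddress.ip_address(reply["Framed-IP-Address"])
    lan = ipaddress.ip_network(lns_lan)
    return addr in lan and reply["Framed-IP-Netmask"] == str(lan.netmask)
```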

APPENDIX 2

LAC Configuration (with Domain Based Tunnel Selection)

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname lac
!
aaa new-model
aaa authentication ppp default local
!
username test password 0 test
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain service.com
 initiate-to ip 10.1.1.1
 local name lac
 l2tp tunnel password secret
!
modemcap entry v90:FD=&f2:MSC=s0=1
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no ip directed-broadcast
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 async mode interactive
 ppp authentication pap
 group-range 33 48
!
ip classless
!
line con 0
 transport input none
line 33 48
 autoselect during-login
 autoselect ppp
 modem Dialin
 modem autoconfigure type v90
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4

APPENDIX 3

LNS Configuration (with RADIUS Server)

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname lns
!
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
username partner password 0 partner
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac
 l2tp tunnel password secret
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address 10.1.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Virtual-Template1
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 no peer default ip address
 ppp authentication pap
!
ip classless
no ip http server
!
radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
radius-server key secret
!
line con 0
 transport input none
line aux 0
line vty 0 4

APPENDIX 4

Viewing VPDN Information on the LAC and LNS

LAC Commands

Display a summary of all active VPN tunnels:

    LAC# show vpdn

LNS Commands

View information about active sessions:

    LNS# show caller

View detailed information about the L2TP session:

    LNS# show caller user mary@service.com

Display detailed information about the virtual access interface for mary@service.com:

    LNS# show interface virtual-access 1

Display VPN session information, including interface, tunnel, username, packets, status and window statistics:

    LNS# show vpdn session [all | packets | sequence | state | timers | window] [interface | tunnel | username]

Display VPN tunnel information, including tunnel protocol, ID, local and remote tunnel names, packets sent and received, and tunnel and transport status:

    LNS# show vpdn tunnel [all | packets | state | summary | transport] [id | local-name | remote-name]

Analyzing the Debug Output

Debug output on the LAC:

    # debug ppp authentication
    # debug ppp negotiation
    # debug vpdn event
    # debug vpdn l2x-events

Debug output on the LNS:

    # debug vpdn event
    # debug vpdn l2x-events
    # debug ppp negotiation
    # debug ppp authentication
    # debug ppp vtemplate
    # debug aaa authentication

Attribute Name              Number   Data Type   Tagged?
------------------------    ------   ---------   -------
Tunnel-Type                   64     integer     Yes
Tunnel-Medium-Type            65     integer     Yes
Tunnel-Client-Endpoint        66     string      Yes
Tunnel-Server-Endpoint        67     string      Yes
Acct-Tunnel-Connection        68     string      No
Tunnel-Password               69     string      Yes
Tunnel-Private-Group-ID       81     string      Yes
Tunnel-Assignment-ID          82     string      Yes
Tunnel-Preference             83     integer     Yes
Acct-Tunnel-Packets-Lost      86     integer     No
Tunnel-Client-Auth-ID         90     string      Yes
Tunnel-Server-Auth-ID         91     string      Yes
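The table lists the RADIUS tunnel attributes of RFC 2868 and RFC 2867, whose tag octet lets one Access-Accept group the attributes of several candidate tunnels. As an added example (not from the lab or any RADIUS server), the Python below encodes and decodes these attributes in their tagged wire format using the numbers and types from the table, and assembles the three attributes that describe one L2TP tunnel to an LNS; the LNS address 10.1.1.1 is taken from appendix 2. Tunnel-Password is left out because its value is salt-encrypted with the shared secret rather than sent as plain text.

```python
# Numbers/types from the table above (RFC 2868/2867); Tunnel-Password (69) is
# left out because its value is salt-encrypted on the wire.
TUNNEL_ATTRS = {
    "Tunnel-Type": (64, "integer", True),
    "Tunnel-Medium-Type": (65, "integer", True),
    "Tunnel-Client-Endpoint": (66, "string", True),
    "Tunnel-Server-Endpoint": (67, "string", True),
    "Acct-Tunnel-Connection": (68, "string", False),
    "Tunnel-Private-Group-ID": (81, "string", True),
    "Tunnel-Assignment-ID": (82, "string", True),
    "Tunnel-Preference": (83, "integer", True),
    "Acct-Tunnel-Packets-Lost": (86, "integer", False),
    "Tunnel-Client-Auth-ID": (90, "string", True),
    "Tunnel-Server-Auth-ID": (91, "string", True),
}
BY_NUMBER = {n: (name, t, tg) for name, (n, t, tg) in TUNNEL_ATTRS.items()}

def encode_avp(name, value, tag=0):
    """Type | Length | [Tag] | Value.  Tagged integer: 1-octet tag + 3-octet value;
    tagged string: 1-octet tag then text.  Tags stay <= 0x1F (0 = untagged)."""
    num, typ, tagged = TUNNEL_ATTRS[name]
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..0x1F")
    if typ == "integer":
        width = 3 if tagged else 4
        if not 0 <= value < (1 << (8 * width)):
            raise ValueError("integer value out of range")
        body = (bytes([tag]) if tagged else b"") + value.to_bytes(width, "big")
    else:
        body = (bytes([tag]) if tagged else b"") + value.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute longer than 253 octets")
    return bytes([num, len(body) + 2]) + body

def decode_avp(data):
    """Decode the first attribute in data; returns (name, tag, value, rest)."""
    num, length = data[0], data[1]
    name, typ, tagged = BY_NUMBER[num]
    body, rest = data[2:length], data[length:]
    tag = 0
    if tagged and body and (typ == "integer" or body[0] <= 0x1F):
        tag, body = body[0], body[1:]   # a string octet > 0x1F is text, not a tag
    value = int.from_bytes(body, "big") if typ == "integer" else body.decode("ascii")
    return name, tag, value, rest

def l2tp_tunnel_avps(lns_ip, tag=1):
    """Tunnel-Type = L2TP (3), Tunnel-Medium-Type = IPv4 (1), and the LNS endpoint."""
    return (encode_avp("Tunnel-Type", 3, tag) + encode_avp("Tunnel-Medium-Type", 1, tag)
            + encode_avp("Tunnel-Server-Endpoint", lns_ip, tag))
```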