L2TP configuration on CISCO 871

Oct 16th, 2009

Hi,

We've just taken charge of a new internet connection with a new service provider. Access is over a coaxial cable and the link is advertised to go up to 100Mbps. We have 2 ISP-provided modems that sync up and work fine.

However, I'd like to change the modems from 'router' to 'bridge' in order to move over some existing site-to-site VPNs from another provider (standard ADSL internet access) using existing CISCO 871s to continue providing the internet firewalling and VPN.

This works fine, except that, to allow us to use a static IP address, we need to create an L2TP tunnel to be assigned the static address (from the modem config).

I have the L2TP authentication and server details from the modem config.

The CISCO 871 is assigned a DHCP address to the WAN interface (fastethernet 4), however the L2TP tunnel does not come up correctly.

My current config is below and I'd appreciate if someone is able to point me in the right direction / documentation to set this up correctly:

interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 ppp pap sent-username xxxxx password 0 xxxxx
 ppp ipcp dns request accept
 pseudowire x.x.x.x 2 pw-class ISP

interface Vlan1
 description Internal LAN
 ip address y.y.y.y 255.255.255.0
 ip nat inside
 ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route <l2tp server ip> 255.255.255.255 FastEthernet4

Thanks for any advice,

Mario

Giuseppe Larosa Fri, 10/16/2009 - 08:22

Hello Mario,

two notes:

you need to define the pseudo-wire with

pseudowire-class ISP
 encapsulation l2tpv2
!

I have a remote branch configured like this but it is a 2821 with

c2800nm-adventerprisek9-mz.124-24.T.bin

Hope to help

Giuseppe

mariov652 Mon, 10/19/2009 - 00:58

Hi Giuseppe,

Thanks for that. I did notice a message (when creating the Virtual interface) indicating something was missing, but wasn't sure of the correct syntax details.

I'm using IOS "c870-advipservicesk9-mz.124-24.T1.bin" and I understand the CISCO 871 supports L2TP. So, in theory, this should work as your setup does.

Even with the above change in place though, the Virtual-PPP1 interface shows line protocol as down.

It's frustrating because the WAN interface receives the ISP assigned DHCP address, but I don't see any error messages regarding the Virtual interface for the L2TP.

Can you recommend any debug commands for me to try and see why it won't come up?

Regards,

Mario

mariov652 Mon, 10/19/2009 - 02:37

Just to add to the above, I've found some references to enabling VPDN.

Is this along the correct route to take for me to receive static IP from the ISP, or is this used only for outside users to dial-in to the firewall over l2tp?

Thanks,

Mario

Giuseppe Larosa Mon, 10/19/2009 - 03:52

Hello Mario,

enabling VPDN shouldn't be needed, I don't have it enabled on my router.

to troubleshoot this

I've found the following release note

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after you configure a pseudowire on a virtual PPP interface on one of the peers, the session on this peer is up but the line protocol is down, and a "virtual-PPP1 is up, line protocol is down" error message is generated.

Conditions: This symptom is observed when the virtual PPP interface is first deleted via the no interface virtual-ppp number command and then reconfigured via the interface virtual-ppp number command before you configure a pseudowire on the virtual PPP interface.

Workaround: Before you configure a pseudowire on the virtual PPP interface, ensure that the virtual PPP interface has never been unconfigured via the no interface virtual-ppp number configuration command.

try to destroy virtual-ppp1

no interface virtual-ppp1

and configure a new virtual-ppp (2 for example) now after having the pseudowire configured

Hope to help

Giuseppe

mariov652 Mon, 10/19/2009 - 05:10

Hi again,

One of the biggest problems for me with this is that I have no experience of configuring L2TP until now. So I am pretty sure my lack of experience with this is hampering my efforts...

That being said, I've deleted the Virtual-PPP1 and created new ones. I've also changed the encapsulation on the "pseudowire-class ISP" to version 3 and 2 for good measure. Unfortunately the line protocol stays down.

I have no control on the configuration on the other side, just that the ISP provided modem comes up fine with a DHCP assigned IP and a static IP over L2TP.

I really don't see why they couldn't assign a static IP with the first assignment, but I suppose they have their reasons for setting it up this way.

Are you (or anyone else) able to provide me with syntax to produce debug output for the Virtual-PPP L2TP connection?

Just to confirm, my physical WAN port (Fa4) is assigned a DHCP address by the ISP, The connection is there and I have internet access fine with that. It is the L2TP connection that assigns us a static IP that is not coming up.

Giuseppe Larosa Mon, 10/19/2009 - 06:27

Hello Mario,

use L2TPv2 not L2TPv3.

start with using

term mon
int virtual-ppp x
shut
debug ppp negotiation
debug ppp authentication
int virtual-ppp x
no shut

Hope to help

Giuseppe

mariov652 Mon, 10/19/2009 - 07:56

I've changed the config, again starting from fresh. This time using l2tpv2 and then specifying the "pseudowire-class ip local int " as the WAN interface (fa4) - This because when I assigned it to the Virtual-PPP interface, a message appears complaining that the interface (Virt-PPP) has not been assigned an IP address.

The L2TP interface is assigned automatically on the ISP modem, so it should be assigned (negotiated) on the Virtual interface. The above message confuses me as I cannot assign the pseudo wire to the Virtual interface unless it has an IP, but it will only get an IP once negotiated as far as I understand it.

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4

interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
 speed 100
 full-duplex

interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username xxxxxx password 0 xxxxxxx
 ppp ipcp dns request accept
 pseudowire 2 pw-class ISP

ip route 255.255.255.255 FastEthernet4

The line protocol still stays down. Looking at the debug log, the following output is displayed:

*Oct 19 16:19:01.603: Vp1 PPP: Outbound cdp packet dropped
*Oct 19 16:19:01.607: %LINK-3-UPDOWN: Interface Virtual-PPP1, changed state to up
*Oct 19 16:19:01.607: Vp1 PPP: Using vpn set call direction
*Oct 19 16:19:01.607: Vp1 PPP: Treating connection as a callout
*Oct 19 16:19:01.607: Vp1 PPP: Session handle[7B000005] Session id[7]
*Oct 19 16:19:01.607: Vp1 PPP: Phase is ESTABLISHING, Active Open
*Oct 19 16:19:01.607: Vp1 PPP: Authorization required
*Oct 19 16:19:01.607: Vp1 PPP: No remote authentication for call-out
*Oct 19 16:19:01.607: Vp1 LCP: O CONFREQ [Closed] id 191 len 10
*Oct 19 16:19:01.607: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)
*Oct 19 16:19:03.611: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:03.611: Vp1 LCP: O CONFREQ [REQsent] id 192 len 10
*Oct 19 16:19:03.611: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)
*Oct 19 16:19:05.627: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:05.627: Vp1 LCP: O CONFREQ [REQsent] id 193 len 10
*Oct 19 16:19:05.627: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)

mariov652 Mon, 10/19/2009 - 06:28

Ok,

I've started with a clean config (write-erase), and I think I may be getting somewhere (at least I can see something is not configured 100% correctly).

Below are the steps I've taken and the corresponding result. Can you see what I'm leaving out?

myrouter(config)#interface FastEthernet4
myrouter(config-if)# description WAN interface to ISP
myrouter(config-if)# ip address dhcp
myrouter(config-if)#load-interval 30
myrouter(config-if)# speed 100
myrouter(config-if)# full-duplex
myrouter(config-if)#exit
*Oct 19 15:06:49.703: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4 assigned DHCP address x.x.x.x, mask 255.255.252.0, hostname myrouter
myrouter(config)#ip route 255.255.255.255 FastEthernet4
myrouter(config)#pseudowire-class ISP
myrouter(config-pw-class)#encapsulation l2tpv3
myrouter(config-pw-class)#exit
myrouter(config)#interface Virtual-PPP1
myrouter(config-if)# description L2TP dialer to ISP
myrouter(config-if)# ip address negotiated
myrouter(config-if)#
*Oct 19 15:07:25.955: %LINK-3-UPDOWN: Interface Virtual-PPP1, changed state to up
myrouter(config-if)#ppp pap sent-username password 0
myrouter(config-if)# ppp ipcp dns request accept
myrouter(config-if)#exit
myrouter(config)#pseudowire-class ISP
myrouter(config-pw-class)#ip local interface Virtual-PPP1
% Warning, the interface Virtual-PPP1 has no configured IP address.
No pseudo-wire will be initiated until this interface is
configured to a valid address.
myrouter(config-pw-class)#exit
myrouter(config)#int Virtual-PPP1
myrouter(config-if)#pseudowire 2 pw-class ISP
Please make sure pw-class ISP is configured and valid [Unconfigured ip local interface]
myrouter(config-if-xconn)#end
Xconnect configuration on this circuit is incomplete

The resulting show run provides:

pseudowire-class ISP
 ! Incomplete config [Unconfigured ip local interface]
 encapsulation l2tpv3
 ip local interface Virtual-PPP1

interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username password 0
 ppp ipcp dns request accept
 pseudowire 2 pw-class ISP
 ! Incomplete or Invalid Xconnect config

Thanks

Giuseppe Larosa Mon, 10/19/2009 - 09:02

Hello Mario,

ip local interface has to be Fa4

use

pseudowire-class ISP
 encapsulation l2tp
 ip local interface fa4

the "WAN" interface is fa4 virtual-ppp is a sort of VPN interface and cannot use the pseudowire and at the same time cannot be the source ip address for the pseudowire itself.

I'm sorry I didn't see this before

Hope to help

Giuseppe

mariov652 Thu, 10/22/2009 - 05:59

Hi,

I've been monitoring the packets on the fa4 interface on the 871 and the modem's LAN interface.

I've noticed that the 871 sends out DHCP discover messages, these are replied to by the ISP's DHCP server and the fa4 interface is assigned a DHCP internet-address.

So far so good. However, the next step should be the negotiation of the l2tp tunnel from the Virtual interface.

Once the fa4 interface is assigned the DHCP address, no other traffic is sent to the ISP. The Virtual interface comes up when the fa4 interface is assigned an ip address (the pseudowire uses the ip local as above), but I would expect some sort of packets from the 871 to initiate negotiation with the ISP.

If I manually shut / no shut the virtual interface, I still see no packets sent out.

Can you see if I am missing anything at all in my configuration below:

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4

interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
 speed 100
 full-duplex

interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username xxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 pseudowire 2 encapsulation l2tpv2 pw-class ISP

Am I correct that the initiation for the l2tp tunnel should come from the 871?

Mario

Giuseppe Larosa Thu, 10/22/2009 - 12:06

Hello Mario,

now the configuration looks correct.

you still need a static route using as next-hop the virtual-ppp 1.

>> Am I correct that the initiation for the l2tp tunnel should come from the 871?

let's give it a reason to dial.

try to ping an ip address that is not in the routing table and that uses the static route with next-hop = virtual-ppp 1

you can also use debug dialer

debug ppp negotiation

to see it triggers PPP over L2TP setup

Hope to help

Giuseppe

mariov652 Fri, 10/23/2009 - 06:20

Ok, so even with the static route in place, I still saw no l2tp traffic leaving the WAN interface.

Then, just to try something different, I removed ip-routing and set "ip default-gateway" to the ISP's gateway (on the same subnet as my DHCP assigned address).

I then started to get l2tp on the wire.

From a packet trace, it turns out the system on the other side is a Juniper device, so I hope this is not going to become an interoperability issue.

Anyway, a sequence of l2tp messages occurs as follows:

C - My CISCO device
J - the remote Juniper device (Also noticed it reports its hostname as 'LNS')

C -> J: CONTROL 'whoami'
J -> C: CONTROL 'whoami'
C -> J: START-CONTROL-CONNECTED
C -> J: INCOMING-CALL-REQUEST
J -> C: ASSIGNED SESSION
C -> J: Error: Failed to setup data plane
J -> C: ACK
5 seconds...
C -> J: STOP-CONTROL (No Application/Session timer expired)
J -> C: ACK

So, it looks like the session negotiation would not even begin because my 871 cuts the connection immediately after a session is assigned.

Does this make any sense?

Also, I notice these initial l2tp packets being sent whether the Virtual-PPP interface is up or not. Do you know if this is normal?

My device is unable to get to the stage to send ppp authentication, so is this a problem at layer 2 / hardware level?

Mario

P.S. - Thanks for your help with this Giuseppe. I don't expect you to answer all my questions posted, but I hope my trials help someone at a later stage with a similar problem.

iaa_cisco Sun, 10/25/2009 - 11:39

Hi Mario,

You need to have a static route to the CMTS (cable provider).

Go to the router and trace the IP address of your LNS.

The first IP address that you see is the CMTS address.

Create a static route to the CMTS like this:

ip route 255.255.255.255 Fastethernet4.

Create a static route to your LNS IP address in the same way.

It should work as well.

I'm pasting my router config.

--------------------------------------

pseudowire-class DIALER
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 des To_Cable
 ip address dhcp
 speed 100
 full-duplex
!
interface Virtual-PPP1
 description TO_BEZEQ_BEN-LEUMI
 ip address negotiated
 no ip virtual-reassembly
 no cdp enable
 ppp pap sent-username xxxx password xxxx
 pseudowire 212.199.170.59 1 pw-class DIALER
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.218.192.1 255.255.255.255 FastEthernet0/0
ip route 212.199.170.59 255.255.255.255 FastEthernet0/0

----------------------------------------

Router#traceroute 212.199.170.59
Type escape sequence to abort.
Tracing the route to 212.199.170.59
 1 10.218.192.1 28 msec 8 msec 12 msec (This one a CMTS)
 2 LNSPT08-lo4261.012.net.il (212.199.172.17) 140 msec 12 msec *
 3 LNSPT08-lo4261.012.net.il (212.199.172.17) 40 msec 12 msec 16 msec

mariov652 Tue, 10/27/2009 - 08:42

Hi and thanks for your comment.

I've made sure the static routes are in place correctly. I get the same result as in my previous post i.e. the 871 sends a disconnect and kills the session that initializes.

I've attached a network capture of the packets for the conversation along the line and also the config on my 871 again.

There's not much to it.

"DHCP request, IP assigned, L2TP initiated, L2TP disconnected."

Based on your and Giuseppe's feedback the configuration on my device seems correct.

I thought maybe the ISP had an ACL preventing unknown MAC addresses from retrieving static IPs. However, as the session initially seems to be set up, I don't think this is the case.

My tracert..

 1 * * *
 2 * 81.67.2.33 4 msec 8 msec
 3 80.236.0.34 8 msec 8 msec 4 msec
 4 212.198.4.18 8 msec 12 msec 8 msec
 5 212.198.0.17 8 msec 8 msec 12 msec

myrouter#sh ip route
Default gateway is 85.171.16.1
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

Giuseppe Larosa Tue, 10/27/2009 - 09:14

Hello Mario,

only one point of attention:

you have disabled ip routing and then you use specific ip static routes.

I would expect you to be able to use

ip default-gateway

when ip routing is disabled.

Actually if you look at your own IP routing table when ip routing is disabled it shows you only the default-gateway as expected.

the ip static routes may not be effective when ip routing is disabled.

this may be a problem, I would enable ip routing again.

All other parts of your config look fine.

Hope to help

Giuseppe

mariov652 Tue, 10/27/2009 - 09:56

Hi Giuseppe,

The reason I had removed ip routing is because only once this was removed did I start to see the L2TP messages sent from my 871.

Removing the static routes (except for the one to the L2TP server and the virtual-ppp1), the resulting routing table looks like:

Gateway of last resort is 85.171.16.1 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.171.16.0 is directly connected, FastEthernet4
     212.198.0.0/32 is subnetted, 1 subnets
S       212.198.0.161 [254/0] via 85.171.16.1, FastEthernet4
     195.132.16.0/32 is subnetted, 1 subnets
S       195.132.16.228 is directly connected, FastEthernet4
S*   0.0.0.0/0 [254/0] via 85.171.16.1

The 212.198.0.161 is assigned automatically.

I'll do some additional reading on routing to try and understand why the L2TP is sent out one way and not the other.

iaa_cisco Tue, 10/27/2009 - 09:18

It looks like you get the public IP address from your ISP. Please issue the command "sh ip int b"; if you see IP address 85.171.19.151 on fastethernet4, you're connected and don't need virtual ppp.

P.S.

I can telnet your router on this IP!!!

85.171.19.151

mariov652 Tue, 10/27/2009 - 09:40

Thanks and you are right, for the moment I've left things 'open' while I test to avoid having ACLs and fw cause this problem. There is nothing connected behind the router yet and as it's DHCP this address will change.

The reason I need virtual ppp is because we require a static ip. The ISP provides this to us by first assigning a DHCP address and then an L2TP session is established with a static IP address - This is the part which is not working.

This works fine with the ISP supplied modem, but so far not on our 871..

iaa_cisco Tue, 10/27/2009 - 23:49

(The reason I need virtual ppp is because we require a static ip. The ISP provides this to us by first assigning a DHCP address and then an L2TP session is established with a static IP address - This is the part which is not working.)

-----------------------------------------

It doesn't necessarily have to be through L2TP. The ISP can assign you a static IP address through DHCP (P2P) per modem MAC address or something like that!

One more thing. Did you speak with the ISP?

Ask them what you need to do to set up L2TP. What IP address terminates the L2TP connections?

In my case the cable company and the ISP are two different companies. In this situation the cable company just terminates me and assigns a dynamic IP address, after that reroutes me through VRF or MPLS to my ISP, and then the connection is terminated with L2TP.

In your case, I guess the cable company and the ISP are the same company, and if you ask for a static IP address they can provide it without any L2TP connection.

Try to clarify this!

iaa_cisco Tue, 10/27/2009 - 23:55

One more thing.

Connect your cable modem to a computer and set up an L2TP connection on the computer.

If you succeed, something is wrong in the router config; if you don't succeed, the ISP is not providing you L2TP service.

mariov652 Thu, 10/29/2009 - 04:44

Firstly, yourself and Giuseppe have been a great source in helping me understand this better. Thank you so much to both of you.

Yes, I've tried speaking with the ISP and as this is not a more expensive 'business' service I keep getting the run-around, even though this is a line for a company. For now, I'm stuck with getting the static IP via L2TP unfortunately.

Since your last message though, it seems they must have changed something on their end. With the same config as before (with L2TP messages going back and forth), all of a sudden I began to receive ppp config-request messages from their LNS to my device!

Looking at the packets, I noticed requests for CHAP authentication and I changed the authentication on the virtual-ppp interface accordingly.

The virtual interface config now looks like this:

interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp chap hostname xxxxxxxx
 ppp chap password 0 xxxxxxx
 ppp ipcp dns request accept
 pseudowire 195.132.16.228 1 pw-class ISP

The virtual-ppp interface finally came up for the first time!

Unfortunately that's not the end of the story (although I think I'm pretty much 95% there)....

I mentioned before that I only noticed L2TP messages when I had ip routing removed and set a static default route to the ISP's router assigned via DHCP. Part of the trouble (even from the beginning of this post) seems to be the routing on my device. I'll explain:

[For both examples below, The DHCP assigned IP to Fa4 here at the time was 85.169.125.x/22; and the static IP assigned to the virtual-ppp interface is 212.198.x.x/32]

With the routing config below, (no static routes set), the virtual-ppp interface comes up and stays up.

myrouter#sh run | inc ip route
myrouter#
myrouter#sh ip route
....
Gateway of last resort is 85.169.124.1 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.169.124.0 is directly connected, FastEthernet4
     212.198.x.x/32 is subnetted, 1 subnets
S       212.198.0.162 [254/0] via 85.169.124.1, FastEthernet4
     195.132.16.0/32 is subnetted, 1 subnets
C       195.132.16.229 is directly connected, Virtual-PPP1
     212.198.x.x/32 is subnetted, 1 subnets
C       212.198.x.x is directly connected, Virtual-PPP1
S*   0.0.0.0/0 [254/0] via 85.169.124.1

The route 195.132.16.229 via virtual-ppp1 above is the ISP 'router' for the L2TP tunnel in the same network as the LNS.

Traceroute to the LNS gives me

Tracing the route to 195.132.16.28
 1 * * * --> The real IP obviously changes depending on the DHCP IP assigned.
 2 81.67.2.33 8 msec 12 msec 12 msec
 3 80.236.0.34 8 msec 8 msec 32 msec
 4 212.198.4.x 12 msec 8 msec 12 msec
 5 212.198.0.x 12 msec 12 msec 12 msec
myrouter#

When adding static routes as below, the virtual-ppp1 interface bounces up and down:

myrouter(config)#ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
myrouter(config)#ip route 195.132.16.228 255.255.255.255 Fastethernet4
myrouter(config)#
*Oct 29 11:18:36.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
myrouter#sh run | inc ip route
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 195.132.16.228 255.255.255.255 FastEthernet4

and then a few seconds later the routing changes to..

myrouter#sh ip route
Gateway of last resort is 85.169.124.1 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.169.124.0 is directly connected, FastEthernet4
     212.198.x.x/32 is subnetted, 1 subnets
S       212.198.x.x [254/0] via 85.169.124.1, FastEthernet4
     195.132.16.0/32 is subnetted, 1 subnets
S       195.132.16.228 is directly connected, FastEthernet4
S*   0.0.0.0/0 [254/0] via 85.169.124.1

I get the same result if I add a static route to the router in the L2TP tunnel (195.132.16.229)

mariov652 Thu, 10/29/2009 - 05:00

Just to add to the above.

Immediately after the static routes are added, the routing table changes to:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.169.124.0 is directly connected, FastEthernet4
     212.198.0.0/32 is subnetted, 1 subnets
S       212.198.0.162 [254/0] via 85.169.124.1, FastEthernet4
     195.132.16.0/32 is subnetted, 2 subnets
C       195.132.16.229 is directly connected, Virtual-PPP1
S       195.132.16.228 is directly connected, FastEthernet4
     212.198.x.x/32 is subnetted, 1 subnets
C       212.198.x.x is directly connected, Virtual-PPP1
S*   0.0.0.0/0 is directly connected, Virtual-PPP1

Then, after a few seconds it looks like:

Gateway of last resort is 85.169.124.1 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.169.124.0 is directly connected, FastEthernet4
     212.198.0.0/32 is subnetted, 1 subnets
S       212.198.0.162 [254/0] via 85.169.124.1, FastEthernet4
     195.132.16.0/32 is subnetted, 1 subnets
C       195.132.16.229 is directly connected, Virtual-PPP1
     212.198.x.x/32 is subnetted, 1 subnets
C       212.198.x.x is directly connected, Virtual-PPP1
S*   0.0.0.0/0 [254/0] via 85.169.124.1

and the virtual interface then remains down.

Is this normal behaviour?

mariov652 Thu, 10/29/2009 - 06:20

Of course...

This is with no static routes and provides the virtual interface as up up

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4
!
interface FastEthernet0
 duplex full
 speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
 speed 100
 full-duplex
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxxx
 ppp ipcp dns request accept
 pseudowire 195.132.16.228 1 pw-class ISP
!
interface Vlan1
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp run
!
!control-plane
!

iaa_cisco Thu, 10/29/2009 - 06:25

Can you surf the internet? I mean when the virtual-ppp is connected.

mariov652 Thu, 10/29/2009 - 07:06

Yes I have tested with ping, but this works only if the source address is Fa4. No access if I make the source address Virtual-PPP1.

Also, I can configure NAT for an internal device, but only for the Fa4 interface as "ip nat outside". Not for the Virtual interface - for the same reason as the ping failing I think.

Below is the current routing table:

Gateway of last resort is 85.169.124.1 to network 0.0.0.0
     85.0.0.0/22 is subnetted, 1 subnets
C       85.169.124.0 is directly connected, FastEthernet4
     212.198.0.0/32 is subnetted, 1 subnets
S       212.198.0.161 [254/0] via 85.169.124.1, FastEthernet4
     195.132.16.0/32 is subnetted, 1 subnets
C       195.132.16.229 is directly connected, Virtual-PPP1
     212.198.x.x/32 is subnetted, 1 subnets
C       is directly connected, Virtual-PPP1
S*   0.0.0.0/0 [254/0] via 85.169.124.1

And, as above, if I add static 0.0.0.0 route to Virtual-PPP1, the interface goes down.

A screen-shot from the ISP modem is attached. This is where I got the L2TP details originally.

The modem is set in 'pass through mode' and the 871 connected to one of the ports.

I noticed the modem config has a check for RIP routing enabled (when in routing mode and not using the 871). I haven't configured RIP on the 871. Would this make a difference?

mariov652 Thu, 10/29/2009 - 07:58

I'm going to spend some additional time learning / reading the various routing protocols.

I'm sure the answer is very close, I just need to spend some time and understand more deeply how the protocols work.

Once I understand that, and if I still need help I'll come back with a decent question.

If I'm able to work it out, I'll post back the solution.

Mario

mariov652 Wed, 11/04/2009 - 08:18

Hi Giuseppe & iaa_cisco...

Ok, after much thought and a little holiday this is now working. The answer seems obvious, but it just took a little while to get there...

The biggest trouble was that I did not understand why the link would drop when I added the static IP routes, as explained in the previous messages.

It finally dawned that in order to keep the L2TP tunnel up, the route to the L2TP server needs to be available. The route I was adding for the L2TP server was not correct. I needed to add the remote gateway IP, which was assigned by DHCP, to the syntax.

So, my working config for receiving an IP via DHCP and then an L2TP tunnel for static IP is as follows (chap authentication in this case):

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface
!
interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxxxx
 ppp ipcp dns request accept
 pseudowire 1 pw-class ISP
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 255.255.255.255 dhcp --> This is where I was going wrong!

Thanks again for all the assistance along the way!

I hope somebody will be able to avoid going through the same pain by reading this thread sometime...

Ciao,

Giuseppe Larosa Thu, 11/05/2009 - 00:06

Hello Mario,

this is good news and your findings make sense.

Actually in my case the ip address on the physical interface is not assigned by DHCP.

Sorry for having missed this aspect of the issue.

I've rated your post with the working solution as it deserves.

Hope to help

Giuseppe
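The routing conditions this thread converged on can be checked offline against a saved config. The script below is an added example, not code from the thread's participants or from Cisco: the addresses are constructed documentation-range values, the finding codes are hypothetical labels, and it assumes 'show run' layout with indented sub-commands and unabbreviated interface names.

```python
import ipaddress
import re

# Finding codes are hypothetical labels for this example, not IOS messages.
MESSAGES = {
    "no-local-interface": "pseudowire-class has no 'ip local interface'",
    "local-interface-is-tunnel": "'ip local interface' is the Virtual-PPP interface",
    "peer-routed-into-tunnel": "best route to the L2TP peer points into the tunnel",
    "peer-route-lacks-dhcp-gateway": "peer host route names only a DHCP-addressed interface",
}

def parse_ios(text):
    """Collect pseudowire classes, interfaces and static routes from config text."""
    cfg = {"pw_class": {}, "iface": {}, "routes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command closes the previous stanza
            section = None
            if m := re.match(r"pseudowire-class (\S+)", line):
                section = cfg["pw_class"].setdefault(m.group(1), {})
            elif m := re.match(r"interface (\S+)", line):
                section = cfg["iface"].setdefault(m.group(1).lower(), {})
            elif m := re.match(r"ip route (\S+) (\S+) (.+)", line):
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                cfg["routes"].append((net, m.group(3).lower().split()))
        elif section is not None:
            if m := re.match(r"ip local interface (\S+)", line):
                section["local"] = m.group(1).lower()
            elif line == "ip address dhcp":
                section["dhcp"] = True
            elif m := re.match(r"pseudowire (\S+) \S+ .*pw-class (\S+)", line):
                section["peer"], section["pw_class"] = m.group(1), m.group(2)
    return cfg

def check_tunnel_routing(text):
    """Return finding codes for every Virtual-PPP interface that has a pseudowire."""
    cfg = parse_ios(text)
    findings = []
    for name, iface in cfg["iface"].items():
        if not name.startswith("virtual-ppp") or "peer" not in iface:
            continue
        peer = ipaddress.ip_address(iface["peer"])  # redacted x.x.x.x raises ValueError
        local = cfg["pw_class"].get(iface["pw_class"], {}).get("local")
        if local is None:
            findings.append("no-local-interface")
        elif local.startswith("virtual-ppp"):
            findings.append("local-interface-is-tunnel")
        # Longest-prefix match over static routes; with none configured the
        # DHCP-learned default route carries the tunnel, which worked in the thread.
        matches = [r for r in cfg["routes"] if peer in r[0]]
        if not matches:
            continue
        _, target = max(matches, key=lambda r: r[0].prefixlen)
        if target[0].startswith("virtual-ppp"):
            findings.append("peer-routed-into-tunnel")
        elif target == [local] and cfg["iface"].get(local, {}).get("dhcp"):
            findings.append("peer-route-lacks-dhcp-gateway")
    return findings

# Constructed sample config; 192.0.2.10 stands in for the ISP's LNS address.
BASE = """\
pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4
!
interface FastEthernet4
 ip address dhcp
!
interface Virtual-PPP1
 ip address negotiated
 pseudowire 192.0.2.10 1 pw-class ISP
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
"""
INTERFACE_ONLY = "ip route 192.0.2.10 255.255.255.255 FastEthernet4\n"
VIA_DHCP = "ip route 192.0.2.10 255.255.255.255 dhcp\n"

if __name__ == "__main__":
    for label, extra in [("default only", ""), ("interface-only host route", INTERFACE_ONLY),
                         ("host route via dhcp", VIA_DHCP)]:
        codes = check_tunnel_routing(BASE + extra)
        print(label, "->", [MESSAGES[c] for c in codes] or "ok")
```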
