
L2TP configuration on CISCO 871

mariov652
Level 1

Hi,

We've just taken charge of a new internet connection with a new service provider. Access is over a coaxial cable and the link is advertised to go up to 100Mbps. We have 2 ISP-provided modems that sync up and work fine.

However, I'd like to change the modems from 'router' to 'bridge' in order to move over some existing site-to-site VPNs from another provider (standard ADSL internet access) using existing CISCO 871s to continue providing the internet firewalling and VPN.

This works fine, except that, to allow us to use static IP Address, we need to create an L2TP tunnel to be assigned the static address (from the modem config).

I have the L2TP authentication and server details from the modem config.

The CISCO 871 is assigned a DHCP address to the WAN interface (fastethernet 4), however the L2TP tunnel does not come up correctly.

My current config is below and I'd appreciate if someone is able to point me in the right direction / documentation to set this up correctly:

interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 ppp pap sent-username xxxxx password 0 xxxxx
 ppp ipcp dns request accept
 pseudowire x.x.x.x 2 pw-class ISP
!
interface Vlan1
 description Internal LAN
 ip address y.y.y.y 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route <l2tp server ip> 255.255.255.255 FastEthernet4

Thanks for any advice,

Mario

29 Replies

Giuseppe Larosa
Hall of Fame

Hello Mario,

Two notes:

You need to define the pseudo-wire with

pseudowire-class ISP
 encapsulation l2tpv2
!

I have a remote branch configured like this but it is a 2821 with

c2800nm-adventerprisek9-mz.124-24.T.bin

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for that. I did notice a message (when creating the Virtual interface) indicating something was missing, but wasn't sure the correct syntax details.

I'm using IOS "c870-advipservicesk9-mz.124-24.T1.bin" and I understand the CISCO 871 supports L2TP. So, in theory, this should work as your setup does.

Even with the above change in place though, the Virtual-PPP1 interface shows line protocol as down.

It's frustrating because the WAN interface receives the ISP assigned DHCP address, but I don't see any error messages regarding the Virtual interface for the L2TP.

Can you recommend any debug commands for me to try and see why it won't come up?

Regards,

Mario

Just to add to the above, I've found some references to enabling VPDN.

Is this along the correct route to take for me to receive static IP from the ISP, or is this used only for outside users to dial-in to the firewall over l2tp?

Thanks,

Mario

Hello Mario,

Enabling VPDN shouldn't be needed; I don't have it enabled on my router.

to troubleshoot this

I've found the following release note

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after you configure a pseudowire on a virtual PPP interface on one of the peers, the session on this peer is up but the line protocol is down, and a "virtual-PPP1 is up, line protocol is down" error message is generated.

Conditions: This symptom is observed when the virtual PPP interface is first deleted via the no interface virtual-ppp number command and then reconfigured via the interface virtual-ppp number command before you configure a pseudowire on the virtual PPP interface.

Workaround: Before you configure a pseudowire on the virtual PPP interface, ensure that the virtual PPP interface has never been unconfigured via the no interface virtual-ppp number configuration command.

try to destroy virtual-ppp1

no interface virtual-ppp1

and configure a new virtual-ppp (2 for example) now after having the pseudowire configured

Hope to help

Giuseppe

Hi again,

One of the biggest problems for me with this is that I have no experience of configuring L2TP until now. So I am pretty sure my lack of experience with this is hampering my efforts...

That being said, I've deleted the Virtual-PPP1 and created new ones. I've also changed the encapsulation on the "pseudowire-class ISP" to version 3 and 2 for good measure. Unfortunately the line protocol stays down.

I have no control on the configuration on the other side, just that the ISP provided modem comes up fine with a DHCP assigned IP and a static IP over L2TP.

I really don't see why they couldn't assign a static IP with the first assignment, but I suppose they have their reasons for setting it up this way.

Are you (or anyone else) able to provide me with syntax to produce debug output for the Virtual-PPP L2TP connection?

Just to confirm, my physical WAN port (Fa4) is assigned a DHCP address by the ISP, The connection is there and I have internet access fine with that. It is the L2TP connection that assigns us a static IP that is not coming up.

Hello Mario,

Use L2TPv2, not L2TPv3.

Start with using

term mon
int virtual-ppp x
shut
debug ppp negotiation
debug ppp authentication
int virtual-ppp x
no shut

Hope to help

Giuseppe

I've changed the config, again starting from fresh. This time using l2tpv2 and then specifying the "pseudowire-class ip local int " as the WAN interface (fa4) - This because when I assigned it to the Virtual-PPP interface, a message appears complaining that the interface (Virt-PPP) has not been assigned an IP address.

The L2TP interface is assigned automatically on the ISP modem, so it should be assigned (negotiated) on the Virtual interface. The above message confuses me as I cannot assign the pseudo wire to the Virtual interface unless it has an IP, but it will only get an IP once negotiated as far as I understand it.

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4
!
interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
 speed 100
 full-duplex
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username xxxxxx password 0 xxxxxxx
 ppp ipcp dns request accept
 pseudowire 2 pw-class ISP
!
ip route 255.255.255.255 FastEthernet4

The line protocol stays down still. Looking at the debug log, the following output is displayed:

*Oct 19 16:19:01.603: Vp1 PPP: Outbound cdp packet dropped
*Oct 19 16:19:01.607: %LINK-3-UPDOWN: Interface Virtual-PPP1, changed state to up
*Oct 19 16:19:01.607: Vp1 PPP: Using vpn set call direction
*Oct 19 16:19:01.607: Vp1 PPP: Treating connection as a callout
*Oct 19 16:19:01.607: Vp1 PPP: Session handle[7B000005] Session id[7]
*Oct 19 16:19:01.607: Vp1 PPP: Phase is ESTABLISHING, Active Open
*Oct 19 16:19:01.607: Vp1 PPP: Authorization required
*Oct 19 16:19:01.607: Vp1 PPP: No remote authentication for call-out
*Oct 19 16:19:01.607: Vp1 LCP: O CONFREQ [Closed] id 191 len 10
*Oct 19 16:19:01.607: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)
*Oct 19 16:19:03.611: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:03.611: Vp1 LCP: O CONFREQ [REQsent] id 192 len 10
*Oct 19 16:19:03.611: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)
*Oct 19 16:19:05.627: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:05.627: Vp1 LCP: O CONFREQ [REQsent] id 193 len 10
*Oct 19 16:19:05.627: Vp1 LCP: MagicNumber 0x24CD5A2B (0x050624CD5A2B)
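In the `debug ppp negotiation` output above, every LCP packet is outbound (`O CONFREQ`) and each is followed by a timeout; no inbound (`I ...`) packet appears, so PPP never reaches PAP. The script below is an added example, not from any poster in this thread, that automates that reading; its log lines are a constructed sample in the same format.

```python
import re

# Constructed sample in the format of the debug output quoted in the thread.
SAMPLE = """\
*Oct 19 16:19:01.607: Vp1 PPP: Phase is ESTABLISHING, Active Open
*Oct 19 16:19:01.607: Vp1 LCP: O CONFREQ [Closed] id 191 len 10
*Oct 19 16:19:03.611: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:03.611: Vp1 LCP: O CONFREQ [REQsent] id 192 len 10
*Oct 19 16:19:05.627: Vp1 LCP: Timeout: State REQsent
*Oct 19 16:19:05.627: Vp1 LCP: O CONFREQ [REQsent] id 193 len 10
"""

# "<timestamp>: <interface> <protocol>: <message>"
LINE = re.compile(
    r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s+(?P<intf>\S+)\s+(?P<proto>[A-Z]+):\s+(?P<msg>.*)$")
# Direction flag (O = sent by this router, I = received) and LCP packet type.
PKT = re.compile(r"^(?P<dir>[IO])\s+(?P<type>CONF(?:REQ|ACK|NAK|REJ)|TERMREQ|TERMACK)\b")

def triage(log):
    """Count LCP packets per interface and classify where negotiation stalls."""
    stats = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proto"] != "LCP":
            continue
        s = stats.setdefault(m["intf"], {"out": 0, "in": 0, "timeouts": 0})
        p = PKT.match(m["msg"])
        if p:
            s["out" if p["dir"] == "O" else "in"] += 1
        elif m["msg"].startswith("Timeout"):
            s["timeouts"] += 1
    report = {}
    for intf, s in stats.items():
        if s["out"] and not s["in"]:
            verdict = "no-peer-response"  # nothing came back: look below PPP
        elif s["in"] and s["timeouts"]:
            verdict = "intermittent"      # some replies, some retransmissions
        else:
            verdict = "lcp-talking"       # both sides exchange LCP packets
        report[intf] = dict(s, verdict=verdict)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `no-peer-response` verdict means authentication was never attempted, so the credentials are not yet the thing to check.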

Ok,

I've started with clean config (write-erase), and I think I may be getting somewhere (at least I can see something is not configured 100% correctly).

Below are the steps I've taken and the corresponding result. Can you see what I'm leaving out?

myrouter(config)#interface FastEthernet4
myrouter(config-if)# description WAN interface to ISP
myrouter(config-if)# ip address dhcp
myrouter(config-if)#load-interval 30
myrouter(config-if)# speed 100
myrouter(config-if)# full-duplex
myrouter(config-if)#exit
*Oct 19 15:06:49.703: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4 assigned DHCP address x.x.x.x, mask 255.255.252.0, hostname myrouter
myrouter(config)#ip route 255.255.255.255 FastEthernet4
myrouter(config)#pseudowire-class ISP
myrouter(config-pw-class)#encapsulation l2tpv3
myrouter(config-pw-class)#exit
myrouter(config)#interface Virtual-PPP1
myrouter(config-if)# description L2TP dialer to ISP
myrouter(config-if)# ip address negotiated
myrouter(config-if)#
*Oct 19 15:07:25.955: %LINK-3-UPDOWN: Interface Virtual-PPP1, changed state to up
myrouter(config-if)#ppp pap sent-username password 0
myrouter(config-if)# ppp ipcp dns request accept
myrouter(config-if)#exit
myrouter(config)#pseudowire-class ISP
myrouter(config-pw-class)#ip local interface Virtual-PPP1
% Warning, the interface Virtual-PPP1 has no configured IP address.
No pseudo-wire will be initiated until this interface is
configured to a valid address.
myrouter(config-pw-class)#exit
myrouter(config)#int Virtual-PPP1
myrouter(config-if)#pseudowire 2 pw-class ISP
Please make sure pw-class ISP is configured and valid [Unconfigured ip local interface]
myrouter(config-if-xconn)#end
Xconnect configuration on this circuit is incomplete

The resulting show run provides:

pseudowire-class ISP
 ! Incomplete config [Unconfigured ip local interface]
 encapsulation l2tpv3
 ip local interface Virtual-PPP1
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username password 0
 ppp ipcp dns request accept
 pseudowire 2 pw-class ISP
 ! Incomplete or Invalid Xconnect config

Thanks

Hello Mario,

ip local interface has to be Fa4

Use

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface fa4

The "WAN" interface is fa4. Virtual-ppp is a sort of VPN interface and cannot use the pseudowire and at the same time cannot be the source ip address for the pseudowire itself.

I'm sorry I didn't see this before

Hope to help

Giuseppe

Hi,

I've been monitoring the packets on the fa4 interface on the 871 and the modem's LAN interface.

I've noticed that the 871 sends out DHCP discover messages, these are replied to by the ISP's DHCP server and the fa4 interface is assigned a DHCP internet-address.

So far so good. However, the next step should be the negotiation of the l2tp tunnel from the Virtual interface.

Once the fa4 interface is assigned the DHCP address, no other traffic is sent to the ISP. The Virtual interface comes up when the fa4 interface is assigned an ip address (the pseudowire uses the ip local as above), but I would expect some sort of packets from the 871 to initiate negotiation with the ISP.

If I manually shut / no shut the virtual interface, I still see no packets sent out.

Can you see if I am missing anything at all in my configuration below:

pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4
!
interface FastEthernet4
 description WAN interface to ISP
 ip address dhcp
 load-interval 30
 speed 100
 full-duplex
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ppp pap sent-username xxxxx password 0 xxxxxx
 ppp ipcp dns request accept
 pseudowire 2 encapsulation l2tpv2 pw-class ISP

Am I correct that the initiation for the l2tp tunnel should come from the 871?

Mario

Hello Mario,

Now the configuration looks correct.

You still need a static route using as next-hop the virtual-ppp 1.

>> Am I correct that the initiation for the l2tp tunnel should come from the 871?

Let's give it a reason to dial.

Try to ping an ip address that is not in the routing table and that uses the static route with next-hop = virtual-ppp 1

You can also use

debug dialer
debug ppp negotiation

to see if it triggers PPP over L2TP setup

Hope to help

Giuseppe

Ok, so even with the static route in place, I still saw no l2tp traffic leaving the WAN interface.

Then, just to try something different, I removed ip-routing and set "ip default-gateway" to the ISP's gateway (on the same subnet as my DHCP assigned address).

I then started to get l2tp on the wire.

From a packet trace, it turns out the system on the other side is a Juniper device, so I hope this is not going to become an interoperability issue.

Anyway, a sequence of l2tp messages occurs as follows:

C - My CISCO device
J - the remote Juniper device (Also noticed it reports its hostname as 'LNS')

C -> J: CONTROL 'whoami'
J -> C: CONTROL 'whoami'
C -> J: START-CONTROL-CONNECTED
C -> J: INCOMING-CALL-REQUEST
J -> C: ASSIGNED SESSION
C -> J: Error: Failed to setup data plane
J -> C: ACK
5 seconds...
C -> J: STOP-CONTROL (No Application/Session timer expired)
J -> C: ACK

So, it looks like the session negotiation would not even begin because my 871 cuts the connection immediately after a session is assigned.

Does this make any sense?

Also, I notice these initial l2tp packets being sent whether the Virtual-PPP interface is up or not. Do you know if this is normal?

My device is unable to get to the stage to send ppp authentication, so is this a problem at layer 2 / hardware level?

Mario

P.S. - Thanks for your help with this Giuseppe. I don't expect you to answer all my questions posted, but I hope my trials helps someone at a later stage with a similar problem.

Hi Mario,

You need to have a static route to CMTS(Cable provider).

Go to the router and trace the ip address of your LNS.

The first ip address that you see is a CMTS address.

Create static route to CMTS like this:

ip route 255.255.255.255 Fastethernet4.

Create static route to your LNS IP address in same way.

It should work as well.

I'm pasting my router config.

--------------------------------------

pseudowire-class DIALER
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 des To_Cable
 ip address dhcp
 speed 100
 full-duplex
!
interface Virtual-PPP1
 description TO_BEZEQ_BEN-LEUMI
 ip address negotiated
 no ip virtual-reassembly
 no cdp enable
 ppp pap sent-username xxxx password xxxx
 pseudowire 212.199.170.59 1 pw-class DIALER
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.218.192.1 255.255.255.255 FastEthernet0/0
ip route 212.199.170.59 255.255.255.255 FastEthernet0/0

----------------------------------------

Router#traceroute 212.199.170.59
Type escape sequence to abort.
Tracing the route to 212.199.170.59
1 10.218.192.1 28 msec 8 msec 12 msec (This one a CMTS)
2 LNSPT08-lo4261.012.net.il (212.199.172.17) 140 msec 12 msec *
3 LNSPT08-lo4261.012.net.il (212.199.172.17) 40 msec 12 msec 16 msec
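The replies converge on four checks: l2tpv2 encapsulation, a tunnel sourced from the WAN interface, a host route to the LNS out of that interface, and a default route through the Virtual-PPP. The linter below is an added example, not code from any poster or from Cisco; it assumes `show running-config`-style indentation and unabbreviated interface names, and the sample config and 192.0.2.10 address are constructed.

```python
import re

# Constructed sample (documentation address), laid out like `show running-config`.
GOOD = """\
pseudowire-class ISP
 encapsulation l2tpv2
 ip local interface FastEthernet4
interface Virtual-PPP1
 pseudowire 192.0.2.10 1 pw-class ISP
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 192.0.2.10 255.255.255.255 FastEthernet4
"""
# State reached mid-thread: l2tpv3, tunnel sourced from the Virtual-PPP itself.
BAD = GOOD.replace("l2tpv2", "l2tpv3").replace(
    "ip local interface FastEthernet4", "ip local interface Virtual-PPP1")

def parse(cfg):
    """Map each unindented line to the indented sub-commands under it."""
    stanzas, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] == " " and cur:
            stanzas[cur].append(line.strip())
        else:
            cur = line.strip()
            stanzas[cur] = []
    return stanzas

def lint(cfg):
    st, out = parse(cfg.lower()), []
    routes = [h.split()[2:] for h in st if h.startswith("ip route ")]
    for hdr in [h for h in st if h.startswith("interface virtual-ppp")]:
        vp = hdr.split()[1]
        pw = next((b.split() for b in st[hdr] if b.startswith("pseudowire ")), [])
        if len(pw) < 5 or pw[-2] != "pw-class" or not re.fullmatch(r"\d+(\.\d+){3}", pw[1]):
            out.append(f"{vp}: pseudowire needs <peer-ip> <vc-id> pw-class <name>")
            continue
        peer, cls = pw[1], pw[-1]
        body = st.get(f"pseudowire-class {cls}", [])
        if "encapsulation l2tpv2" not in body:
            out.append(f"{cls}: encapsulation is not l2tpv2")
        src = next((b.split()[-1] for b in body if b.startswith("ip local interface ")), "")
        if not src or src.startswith("virtual-ppp"):
            out.append(f"{cls}: ip local interface must be the WAN interface")
        elif [peer, "255.255.255.255", src] not in routes:
            out.append(f"no host route to {peer} via {src}")
        if ["0.0.0.0", "0.0.0.0", vp] not in routes:
            out.append(f"no default route via {vp}")
    return out
```

`lint(GOOD)` returns an empty list and `lint(BAD)` returns the encapsulation and source-interface findings. The CMTS route mentioned above is not checked because the CMTS address cannot be derived from the config.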

Hi and thanks for your comment.

I've made sure the static routes are in place correctly. I get the same result as in my previous post i.e. the 871 sends a disconnect and kills the session that initializes.

I've attached a network capture of the packets for the conversation along the line and also the config on my 871 again.

There's not much to it.

"DHCP request, IP assigned, L2TP initiated, L2TP disconnected."

Based on your and Giuseppe's feedback the configuration on my device seems correct.

I thought maybe the ISP had an ACL preventing unknown mac-addresses from retrieving static IPs. However as the session initially seems to be setup, I don't think this is the case.

My tracert..

1 * * *
2 *
  81.67.2.33 4 msec 8 msec
3 80.236.0.34 8 msec 8 msec 4 msec
4 212.198.4.18 8 msec 12 msec 8 msec
5 212.198.0.17 8 msec 8 msec 12 msec

myrouter#sh ip route
Default gateway is 85.171.16.1
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
