PPPoE authentication on a 2811 to be used for GRE tunnel

Unanswered Question
Mar 3rd, 2010

I have an odd situation and so far I can't find any answers or examples of how to do what I am trying to do.  Our company has several branches that have two different circuits.  The first is an mpls circuit for our pip network, the second is typically cable, dsl or internet t1 depending on what is available in the area of the branch.  We use the second connection to establish a gre vpn tunnel from the branch 2811 to our hq 7206.  Historically we have not used pppoe or authentication for any of our dsl sites but recently one of the carriers we have circuits with has changed their policies to require the pppoe username and password in order to use the dsl service.  My first question is, can this be done with my other requirements?  My second question is, if so, how the heck do I do it on both the branch 2811 and the hq 7206?  My third question is, is this a good idea, why or why not?  My standard branch config is posted below along with the parts of my 7206 config for this branch.  Any help is greatly appreciated.


2811

=====================================

service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname BranchX_2811
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
ip cef
!
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL smtp
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL tftp
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL icmp
ip flow-cache timeout active 1
no ip domain lookup
!
!
!
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
mode transport
!
crypto map VPNSETTINGS local-address FastEthernet0/1
crypto map VPNSETTINGS 102 ipsec-isakmp
set peer v.v.v.v <----7206 at HQ
set transform-set t1
match address GRE-VPN-HQ
!
!
!
interface TunnelBranchX
description VPN Tunnel
bandwidth 1536
ip address T.T.T.T 255.255.255.252
ip accounting output-packets
ip mtu 1400
ip route-cache flow
load-interval 30
delay 100
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination d.d.d.d <----dsl static ip
!
interface Loopback0
ip address 11.11.11.11 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/0
description LAN
ip address L.L.L.L 255.255.255.0 secondary
ip address L.L.L.L 255.255.255.192 secondary
ip address L.L.L.L 255.255.255.0
ip helper-address
ip helper-address
ip accounting output-packets
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
description SBC DSL
ip address d.d.d.d 255.255.255.248 <----dsl static ip
ip access-group ALLOWED-IN in
ip accounting output-packets
ip inspect FIREWALL out
ip flow ingress
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
crypto map VPNSETTINGS
!
interface Serial0/0/0
description   
bandwidth 128
no ip address
ip flow ingress
encapsulation frame-relay IETF
ip route-cache flow
logging event dlci-status-change
load-interval 30
no fair-queue
service-module t1 timeslots 1-2
!
interface Serial0/0/0.200 point-to-point
description  
bandwidth 128
ip address m.m.m.m 255.255.255.252
ip accounting output-packets
frame-relay interface-dlci xxx  
!
router eigrp 999
network L.L.L.L 0.0.0.255
network L.L.L.L 0.0.0.63
network T.T.T.T 0.0.0.3
network L.L.L.L 0.0.0.255
distribute-list 11 out
no auto-summary
eigrp stub connected
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network L.L.L.L mask 255.255.255.0
network L.L.L.L mask 255.255.255.192
network L.L.L.L mask 255.255.255.0
neighbor m.m.m.m remote-as 65000
neighbor m.m.m.m soft-reconfiguration inbound
neighbor m.m.m.m route-map ALLOW_DEFAULT in
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 T.T.T.T <----TUNNEL
ip route 0.0.0.0 0.0.0.0 m.m.m.m 10 <-------MPLS
ip route v.v.v.v 255.255.255.255 dg.dg.dg.dg <---7206 at hq via dsl gw
!
ip flow-export source FastEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination x.x.x.x 2055
!
no ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip access-list standard x.x.x.x
permit x.x.x.x
!
ip access-list extended ALLOWED-IN
permit gre any host d.d.d.d
permit esp any host d.d.d.d
permit udp any host d.d.d.d eq isakmp
ip access-list extended GRE-VPN-HQ
permit gre any host v.v.v.v
!
!
ip prefix-list Permitted_BGP seq 10 permit 0.0.0.0/0
ip prefix-list Permitted_BGP seq 20 permit 0.0.0.0/0 ge 16 le 16
ip prefix-list Permitted_BGP seq 30 permit x.x.x.x/15
ip prefix-list Permitted_BGP seq 40 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 50 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 60 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 70 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 80 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 90 permit x.x.x.x/24
ip prefix-list Permitted_BGP seq 100 permit x.x.x.x/15
ip prefix-list Permitted_BGP seq 110 permit x.x.x.x/15
ip prefix-list Permitted_BGP seq 120 permit x.x.x.x 0/24
ip prefix-list Permitted_BGP seq 130 permit 0.0.0.0/0 ge 32
access-list 11 deny   11.11.11.0 0.0.0.255
access-list 11 permit any
access-list 40 permit x.x.x.x
access-list 40 permit x.x.x.x
access-list 40 permit x.x.x.x
access-list 40 permit x.x.x.x 0.0.0.63
snmp-server community x.x.x.x RO 40
snmp-server community x.x.x.x RO xxx-SNMP
route-map ALLOW_DEFAULT permit 10
match ip address prefix-list Permitted_BGP
!
!
snmp ifmib ifalias long
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key
!

7206

======================================


crypto map VPNSETTINGS 950 ipsec-isakmp
set peer d.d.d.d <----dsl static ip
set transform-set t1
match address GRE-950-BranchX


interface TunnelBranchX
description VPN TUNNEL TO BranchX
bandwidth 1536

ip address T.T.T.T 255.255.255.252
ip mtu 1400
delay 1000
keepalive 10 3
tunnel source FastEthernet1/0
tunnel destination d.d.d.d <----dsl static ip


ip route d.d.d.d 255.255.255.255 vg.vg.vg.vg <------7206 gateway


ip access-list extended GRE-950-BranchX
permit gre host v.v.v.v host d.d.d.d

pompeychimes Wed, 03/03/2010 - 08:28

1. Looking at your config I don't see any reason why it can't be done.

2. A sample config for your 2811 is provided below. You shouldn't have to do anything on your 7206.

3. It's not a bad idea. It's just another layer of technology to deal with.


!
interface FastEthernet0/1
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address x.x.x.x x.x.x.x
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password password
ppp pap sent-username username password password
crypto map VPNSETTINGS
!
interface TunnelBranchX
tunnel source Dialer1
!

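As an added example (not part of this thread or either poster's config), here is how the branch 2811 pieces fit together once the PPPoE client is in place, assuming the carrier's static address d.d.d.d moves from FastEthernet0/1 to Dialer1 and that the 2811's tunnel destination is the 7206's address v.v.v.v (which is what the GRE-VPN-HQ access list already matches). The dialer persistent and dialer-list lines, and the comments, are my additions.

```cisco
! Added example, not from the thread: branch 2811 after the PPPoE client is in place.
! Placeholders (d.d.d.d, v.v.v.v, dg.dg.dg.dg, username, password) follow the thread's notation.
!
interface FastEthernet0/1
 description SBC DSL - PPPoE client, carries no IP address of its own any more
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 duplex auto
 speed auto
!
interface Dialer1
 description PPPoE session to the DSL carrier (the static IP now lives here)
 mtu 1492
 ip address d.d.d.d 255.255.255.248
 ! if the carrier hands out the static address over IPCP instead, use: ip address negotiated
 ! the inbound ACL, CBAC inspection and crypto map all move with the address
 ip access-group ALLOWED-IN in
 ip inspect FIREWALL out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 dialer persistent
 ppp chap hostname username
 ppp chap password password
 ppp pap sent-username username password password
 crypto map VPNSETTINGS
!
! dialer-group 1 needs an interesting-traffic definition to bring the session up
dialer-list 1 protocol ip permit
!
! the crypto map must bind to the interface that now holds d.d.d.d
crypto map VPNSETTINGS local-address Dialer1
!
interface TunnelBranchX
 tunnel source Dialer1
 tunnel destination v.v.v.v
!
! the HQ peer is now reached through the PPP session, not the old DSL gateway
no ip route v.v.v.v 255.255.255.255 dg.dg.dg.dg
ip route v.v.v.v 255.255.255.255 Dialer1
!
! service password-encryption only type-7 obscures the ppp chap/pap secrets,
! so any copy of this config (archive, backups) should be handled as sensitive
```

Once the session is up, `show pppoe session` and `show ip interface brief` should list Dialer1 with d.d.d.d, and `show crypto isakmp sa` should show the peer v.v.v.v negotiated from that address.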
Rachel Goodwin Wed, 03/03/2010 - 08:33

Thanks for the reply, pompey.  One question.  Would I move the static ip from my f0/1 interface to the dialer interface?
