09-15-2006 09:52 PM - edited 02-21-2020 02:37 PM
Dear colleagues!
I have a working VPDN setup:
I - LNS
service provider - LAC
I need to replace my LNS, a C1760, with a PIX 515,
but as you have probably guessed, it does not work yet :)
So, this is what I have.
On the PIX the following debugs are enabled:
debug ppp io
debug ppp error
debug ppp uauth
debug vpdn error
debug vpdn packet
debug vpdn event
Logging goes to syslog at level debug, but apart from the following line I receive nothing:
%PIX-7-710005: UDP request discarded from PROV_LAC_IP/1701 to outside:MY_LNS_IP/1701
That is, the VPDN service appears to be absent on the device.
Pieces of the config and sh ver from the PIX:
gw-2(config)# sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Fri 02-Jul-04 00:07 by morlee
gw-2 up 2 hours 41 mins
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.6bf6.efc4, irq 11
1: ethernet1: address is 0003.6bf6.efc5, irq 10
2: ethernet2: address is 0003.479a.fd01, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
-----------------------------------------------
gw-2(config)# sh ru
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list l2tp permit udp host PROV_LAC_IP any eq 1701
access-group l2tp in interface outside
ip local pool l2tp x.x.x.x-x.x.x.x
route outside 0.0.0.0 0.0.0.0 x.x.x.x
sysopt connection permit-l2tp
vpdn group 1 accept dialin l2tp
vpdn group 1 localname FQDN_C1760
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local l2tp
vpdn group 1 client configuration dns x.x.x.x
vpdn group 1 client configuration wins x.x.x.x
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 client accounting RADIUS
vpdn group 1 l2tp tunnel hello 60
vpdn enable outside
--------------------------------------------------
The relevant piece of the working VPDN config on the 1760:
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname provname
 local name my.domain
 lcp renegotiation always
 ip mtu adjust
interface Virtual-Template1
 ip unnumbered Loopback0
 ip helper-address x.x.x.x
 ip mtu 576
 ip nat inside
 peer default ip address dhcp
 ppp authentication chap callin
--------------------------------------------------------
My last two ideas:
1. In the PIX there is no analogue of the command "terminate-from hostname".
2. Logging/debugging obviously do not work as they should; for example,
if I do debug arp I see it not in syslog but in my own session (monitor),
with the following options:
logging on
logging timestamp
logging console warning
logging monitor warning
logging buffered warning
logging trap debugging
logging host inside MY_SYSLOG_IP
Upgraded the PIX to 6.3(5): no difference.
09-16-2006 11:28 PM
L2TP with IPSec, as introduced with PIX Firewall Version 6.0, allows the L2TP LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on PIX Firewall.

If the PIX Firewall IPSec lifetime is set to less than 300 seconds, then the Windows 2000 client ignores it and replaces it with a 300 second lifetime, because the minimum IPSec lifetime supported by the Windows 2000 client is 300 seconds.
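The one syslog line the original poster did get (%PIX-7-710005, UDP/1701 discarded on the outside interface) is exactly the symptom the reply explains: the LAC is sending plain L2TP to a box that only terminates L2TP inside IPsec, so nothing listens on UDP/1701 and the PIX drops the request as traffic to a service it does not offer. The following script is an added example, not code from the thread or from Cisco: it parses 710005 lines in the format quoted above, groups the discards per source and interface, and turns repeated plain-L2TP or ISAKMP discards into a diagnosis. The log lines and addresses in SAMPLE_LOG are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines, in the format of the %PIX-7-710005 message
# quoted in the thread. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
%PIX-7-710005: UDP request discarded from 198.51.100.10/1701 to outside:203.0.113.5/1701
%PIX-7-710005: UDP request discarded from 198.51.100.10/1701 to outside:203.0.113.5/1701
%PIX-7-710005: UDP request discarded from 198.51.100.10/500 to outside:203.0.113.5/500
%PIX-7-710005: TCP request discarded from 192.0.2.7/40112 to outside:203.0.113.5/23
%PIX-6-302015: Built outbound UDP connection 12 for outside:198.51.100.1/53 (198.51.100.1/53)
"""

# 710005 = "{TCP|UDP} request discarded from src/sport to ifc:dst/dport":
# the PIX itself was the destination and has no server for that port.
MSG_RE = re.compile(
    r"%PIX-(?P<sev>\d)-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\w.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)"
)

L2TP_PORT = 1701    # L2TP control/data, as used by the LAC in the thread
ISAKMP_PORT = 500   # IKE, which an L2TP-over-IPsec peer would send first


def parse_discards(text):
    """Return one dict per 710005 line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def classify(ev):
    """Bucket a discarded request by what the sender was trying to reach."""
    if ev["proto"] == "UDP" and ev["dport"] == L2TP_PORT:
        return "l2tp-plain"
    if ev["proto"] == "UDP" and ev["dport"] == ISAKMP_PORT:
        return "isakmp"
    return "other"


def diagnose(text):
    """Group discards per (source, interface) and explain the repeated ones."""
    by_src = {}
    for ev in parse_discards(text):
        key = (ev["src"], ev["ifc"])
        by_src.setdefault(key, Counter())[classify(ev)] += 1

    notes = []
    for (src, ifc), c in sorted(by_src.items()):
        if c["l2tp-plain"]:
            notes.append(
                f"{src} -> {ifc}: {c['l2tp-plain']} plain L2TP (UDP/1701) request(s) "
                "discarded; nothing on that interface terminates L2TP. PIX 6.x only "
                "terminates L2TP inside IPsec, so a LAC sending raw L2TP never gets a tunnel."
            )
        if c["isakmp"]:
            notes.append(
                f"{src} -> {ifc}: {c['isakmp']} ISAKMP (UDP/500) request(s) discarded; "
                "IKE is not enabled on that interface."
            )
        if c["other"]:
            notes.append(
                f"{src} -> {ifc}: {c['other']} request(s) discarded for a service the "
                "PIX does not offer on that interface."
            )
    return by_src, notes


if __name__ == "__main__":
    _, findings = diagnose(SAMPLE_LOG)
    for line in findings:
        print(line)
```

Feeding the poster's own line (with the PROV_LAC_IP and MY_LNS_IP placeholders) through `diagnose` produces the same "plain L2TP discarded" finding, because the address pattern accepts word characters as well as dotted quads.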