VPDN L2TP (LNS) on 515 does not work !

a.kluchka
Level 1

Dear colleagues!

I have a working VPDN setup:

I am the LNS,

the service provider is the LAC.

I need to replace my LNS, a C1760, with a PIX 515,

but as you have probably guessed, it does not work yet :)

So, here is what I have:

On the PIX the following are enabled:

debug ppp io

debug ppp error

debug ppp uauth

debug vpdn error

debug vpdn packet

debug vpdn event

Logging goes to syslog at level debug, but I receive nothing except the following line:

%PIX-7-710005: UDP request discarded from PROV_LAC_IP/1701 to outside:MY_LNS_IP/1701

That is, the vpdn service is absent on my device.

Pieces of the config and sh ver from the PIX:

gw-2(config)# sh ver

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Fri 02-Jul-04 00:07 by morlee

gw-2 up 2 hours 41 mins

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.6bf6.efc4, irq 11

1: ethernet1: address is 0003.6bf6.efc5, irq 10

2: ethernet2: address is 0003.479a.fd01, irq 9

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 3

Maximum Interfaces: 5

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Restricted (R) license.

-----------------------------------------------

gw-2(config)# sh ru

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list l2tp permit udp host PROV_LAC_IP any eq 1701

access-group l2tp in interface outside

ip local pool l2tp x.x.x.x-x.x.x.x

route outside 0.0.0.0 0.0.0.0 x.x.x.x

sysopt connection permit-l2tp

vpdn group 1 accept dialin l2tp

vpdn group 1 localname FQDN_C1760

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local l2tp

vpdn group 1 client configuration dns x.x.x.x

vpdn group 1 client configuration wins x.x.x.x

vpdn group 1 client authentication aaa RADIUS

vpdn group 1 client accounting RADIUS

vpdn group 1 l2tp tunnel hello 60

vpdn enable outside

--------------------------------------------------

On the 1760, the relevant piece of the working vpdn config:

vpdn-group 1

accept-dialin

protocol l2tp

virtual-template 1

terminate-from hostname provname

local name my.domain

lcp renegotiation always

ip mtu adjust

interface Virtual-Template1

ip unnumbered Loopback0

ip helper-address x.x.x.x

ip mtu 576

ip nat inside

peer default ip address dhcp

ppp authentication chap callin

--------------------------------------------------------

The last 2 ideas:

1. In the PIX there is no analogue of the command "terminate-from hostname".

2. Logging/debugging obviously does not work as it should; for example,

if I do debug arp, I see it not in syslog but in my own session (monitor),

with the following options:

logging on

logging timestamp

logging console warning

logging monitor warning

logging buffered warning

logging trap debugging

logging host inside MY_SYSLOG_IP

Changed the PIX to 6.3(5), without any difference.
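Before touching the config, it is worth confirming from the syslog what the firewall is doing with the LAC's packets. As an added example (not the poster's code, and the IPs and extra lines are constructed), here is a small Python parser for the %PIX-7-710005 message quoted above that counts, per interface and source, the UDP/1701 requests the PIX dropped because nothing on the box was listening, which is the to-the-box drop you expect from a PIX that has no native L2TP service.

```python
import re
from collections import Counter

# Matches the PIX 6.x 710005 message shown in the post; a syslog timestamp
# prefix before the %PIX tag is tolerated because search() is used.
DISCARD_RE = re.compile(
    r"%PIX-\d-710005: (?P<proto>\w+) request discarded from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>\S+)/(?P<dport>\d+)"
)

L2TP_PORT = 1701  # IANA port for L2TP control and data (UDP)


def parse_discard(line):
    """Return the fields of a 710005 'request discarded' line, or None."""
    m = DISCARD_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def l2tp_discards(lines):
    """Count UDP/1701 requests the PIX discarded, keyed by (interface, source).

    Only to-the-box drops (message 710005) are counted; other messages and
    drops towards other ports are ignored.
    """
    counts = Counter()
    for line in lines:
        d = parse_discard(line)
        if d and d["proto"] == "UDP" and d["dport"] == L2TP_PORT:
            counts[(d["ifc"], d["src"])] += 1
    return counts


# Constructed sample log: the line from the post plus a few unrelated ones.
SAMPLE_LOG = [
    "%PIX-7-710005: UDP request discarded from PROV_LAC_IP/1701 to outside:MY_LNS_IP/1701",
    "%PIX-7-710005: UDP request discarded from 192.0.2.10/1701 to outside:MY_LNS_IP/1701",
    "%PIX-7-710005: TCP request discarded from 192.0.2.20/40122 to outside:MY_LNS_IP/22",
    "%PIX-6-302015: Built outbound UDP connection 12 for outside:192.0.2.30/53",
    "%PIX-7-710005: UDP request discarded from PROV_LAC_IP/1701 to outside:MY_LNS_IP/1701",
]

if __name__ == "__main__":
    for (ifc, src), n in l2tp_discards(SAMPLE_LOG).items():
        print(f"{n} L2TP request(s) from {src} dropped on {ifc}: no L2TP listener")
```

A steady stream of these from the LAC's address, with no corresponding vpdn debug output, means the packets never reach an L2TP process; it is not an ACL problem, since ACL denies are logged with a different message.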

1 Reply

a.kluchka
Level 1

L2TP with IPSec, as introduced with PIX Firewall Version 6.0, allows the L2TP LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on PIX Firewall.

If the PIX Firewall IPSec lifetime is set to less than 300 seconds, then the Windows 2000 client ignores it and replaces it with a 300 second lifetime, because the minimum IPSec lifetime supported by the Windows 2000 client is 300 seconds.