Hi All,
I'm having trouble getting the L2TP module working with Freeradius.
I've slotted ACCEL-PPP into an existing L2TPNS configuration and I keep seeing the following errors in the accel-ppp log, when I try to establish an L2TP tunnel.
[2019-11-14 15:05:18]: error: : radius:bind: Cannot assign requested address
[2019-11-14 15:05:18]: warn: : radius: server(1) not responding
[2019-11-14 15:05:18]: warn: radius: server(1) not responding
[2019-11-14 15:05:18]: warn: : radius: no available servers
[2019-11-14 15:05:18]: info: : XXXX: authentication failed
[2019-11-14 15:05:18]: info: XXXX: authentication failed
Could someone please tell me, how I can further debug this issue and if possible could someone share a working L2TP configuration, please?
Is it also possible to override the framed-route received in the radius reply and instead return the LNS interface IP?
For example, I have the following configured:-
Framed-route = 0.0.0.0/0 XXX.XXX.XXX.XXX in my Radius reply.
Is it possible to configure ACCEL-PPP to insert a different framed route than the one provided by the Radius reply?
This will make it easier to test ACCEL-PPP.
Thank you
L2TP Bind issues and Framed-route configuration
Re: L2TP Bind issues and Framed-route configuration
Hi, can you provide [radius] section? Try also set `verbose=1` in all section, and also set [log]level=5, then restart daemon.
Re: L2TP Bind issues and Framed-route configuration
Hi,
I've managed to get my Radius configuration working.
But it appears I may have found two issues:-
1) Domain stripping is not working. When I try [Radius] default-realm=1, it does not present just the user part of the login for Radius authentication. Instead it presents user@1 as the username. If I just try, default-realm= then user@ is presented.
2) My LTS/LAC use an L2TP secret. I've tried setting secret=password in [l2tp]. According to the logs the peer password does not match. But it is correct, even though I see this in the log:- impossible to authenticate peer: invalid Challenge Response sent by peer (wrong secret)
Any ideas?
Thanks
Re: L2TP Bind issues and Framed-route configuration
Hi, about `default-realm`: this option appends a domain to the username. To delete the domain, I think a new feature needs to be implemented.
2) I tried this on my HomeLAB with a Cisco 7206 as LAC, and it works correctly. Provide your accel-ppp.conf, your LAC config and accel-ppp logs.
default-realm=realm
By default it is disabled.
Appends the specified realm to the username. For example, with default-realm=example.com accel-ppp sends the username username@example.com to the RADIUS server.
Re: L2TP Bind issues and Framed-route configuration
Thanks for your inputs.
I was following your reply to my post about how to set up realm stripping.
viewtopic.php?f=8&t=2390&start=10#p6608
Where you said default-realm=1 would separate the username from the domain.
I would be grateful if you could incorporate this feature as it is very useful.
Unfortunately, the LTS/LAC provider will not share their config. All I know is they use Juniper in their core network.
I have tried to emulate L2TP tunnels with a Shared Secret without IPsec using the following Windows registry patch.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
Create a DWORD called ProhibitIpSec and set it to 1
This works fine for L2TPNS but not for the L2TP module in ACCEL-PPP, when you set secret = Shared Secret with LAC.
All I see in the Log is:- impossible to authenticate peer: invalid Challenge Response sent by peer (wrong secret)
Can you provide a solution for using Debian or Ubuntu to emulate a connection coming from a LAC with a Shared Secret?
My ACCEL-PPP config looks like this:-
[modules]
l2tp
auth_chap_md5
radius
[ppp]
verbose=5
min-mtu=1280
mtu=1500
mru=1500
accomp=deny
pcomp=deny
ccp=0
ipv4=require
ipv6=deny
lcp-echo-timeout=120
unit-cache=1
[l2tp]
verbose=5
called-sid=mac
secret=shared secret with LAC
recorder-timeout=0
interface=eth0
[radius]
nas-identifier=lns-test
nas-ip-address=XXX.XXX.XXX.XXX (Internet Facing IP ADDRESS of LNS)
gw-ip-address= XXX.XXX.XXX.XXX (Internet Facing IP ADDRESS of LNS)
server=RADIUS-IP,PASSWORD,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=RADIUS-IP:3799,PASSWORD
verbose=5
timeout=3
max-try=3
acct-timeout=120
acct-delay-time=0
acct-on=on
I’ve also come across another issue with the framed route.
I can’t set a specific interface in the Framed-Route using Radius with ACCEL-PPP i.e. “0.0.0.0/0 XXX.XXX.XXX.XXX 1”
I can only set Framed-Route "0.0.0.0/0 0.0.0.0 1"
What do you set when you have a multi-homed LNS? I.e. you provide the LNS for smaller operators, who just provide RADIUS authentication for their customers using their own IP address space?
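To show what the "invalid Challenge Response sent by peer (wrong secret)" check in the post above actually compares, here is an added example (not accel-ppp's own code) of the RFC 2661 section 5.1.1 tunnel authentication exchange between a LAC and an LNS, run with constructed challenges and both a matching and a mismatching secret:

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1.1), added illustration.
Constructed sample data; this is not accel-ppp's implementation."""
import hashlib
import hmac

# Message Type IDs of the control messages that carry a Challenge Response AVP.
SCCRP = 2   # LNS -> LAC, answers the challenge the LAC sent in SCCRQ
SCCCN = 3   # LAC -> LNS, answers the challenge the LNS sent in SCCRP


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over (single-octet Message Type ID, shared secret, challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Recompute with the local secret and compare in constant time."""
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def tunnel_auth_exchange(lac_secret: bytes, lns_secret: bytes,
                         lac_challenge: bytes, lns_challenge: bytes) -> dict:
    """Simulate the three-way setup and report which side accepted the other.

    SCCRQ (LAC->LNS): carries lac_challenge.
    SCCRP (LNS->LAC): carries Response(2, lns_secret, lac_challenge) + lns_challenge.
    SCCCN (LAC->LNS): carries Response(3, lac_secret, lns_challenge).
    """
    sccrp_resp = challenge_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts_lns = verify_response(SCCRP, lac_secret, lac_challenge, sccrp_resp)
    scccn_resp = challenge_response(SCCCN, lac_secret, lns_challenge)
    # This is the check that fails with "wrong secret" on the LNS side.
    lns_accepts_lac = verify_response(SCCCN, lns_secret, lns_challenge, scccn_resp)
    return {"lac_accepts_lns": lac_accepts_lns, "lns_accepts_lac": lns_accepts_lac}


if __name__ == "__main__":
    # Constructed challenges; real peers send random nonces in the Challenge AVP.
    c_lac, c_lns = bytes(range(16)), bytes(range(16, 32))
    print("same secret:", tunnel_auth_exchange(b"s3cret", b"s3cret", c_lac, c_lns))
    # A trailing space in the configured secret is a different secret.
    print("secret with trailing space:",
          tunnel_auth_exchange(b"s3cret", b"s3cret ", c_lac, c_lns))
```

Because the secret is hashed byte for byte, any difference in the value each side has configured (including whitespace or case) produces a mismatch on both SCCRP and SCCCN.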
Re: L2TP Bind issues and Framed-route configuration
Hi,
Sorry to be a pain, but do you have any updates for me please?
Thanks
Re: L2TP Bind issues and Framed-route configuration
Hi, sorry, I don't have time this month. You can also join our Telegram chat and ask for help there: https://t.me/accel_ppp
Re: L2TP Bind issues and Framed-route configuration
Hi tj-19, strip-realm is already implemented: https://github.com/accel-ppp/accel-ppp/ ... 8981519c19