L2TP Bind issues and Framed-route configuration

L2TP related questions
Post Reply
tj-19
Posts: 12
Joined: 10 Jun 2019, 20:42

L2TP Bind issues and Framed-route configuration

Post by tj-19 » 14 Nov 2019, 15:32

Hi All,

I'm having trouble getting the L2TP module working with Freeradius.

I've slotted ACCEL-PPP into an existing L2TPNS configuration and I keep seeing the following errors in the accel-ppp log, when I try to establish an L2TP tunnel.

[2019-11-14 15:05:18]: error: : radius:bind: Cannot assign requested address
[2019-11-14 15:05:18]: warn: : radius: server(1) not responding
[2019-11-14 15:05:18]: warn: radius: server(1) not responding
[2019-11-14 15:05:18]: warn: : radius: no available servers
[2019-11-14 15:05:18]: info: : XXXX: authentication failed
[2019-11-14 15:05:18]: info: XXXX: authentication failed

Could someone please tell me, how I can further debug this issue and if possible could someone share a working L2TP configuration, please?

Is it also possible to override the framed-route received in the radius reply and instead return the LNS interface IP?

For example, I have the following configured:-

Framed-route = 0.0.0.0/0 XXX.XXX.XXX.XXX in my Radius reply.

Is it possible to configure ACCEL-PPP to insert a different framed route than the one provided by the Radius reply?

This will make it easier to test ACCEL-PPP.

Thank you

dimka88
Posts: 588
Joined: 13 Oct 2014, 05:51
Contact:

Re: L2TP Bind issues and Framed-route configuration

Post by dimka88 » 14 Nov 2019, 17:39

Hi, can you provide [radius] section? Try also set `verbose=1` in all section, and also set [log]level=5, then restart daemon.

tj-19
Posts: 12
Joined: 10 Jun 2019, 20:42

Re: L2TP Bind issues and Framed-route configuration

Post by tj-19 » 15 Nov 2019, 00:17

Hi,

I've managed to get my Radius configuration working.

But it appears I may have found two issues:-

1) Domain stripping is not working. When I try [Radius] default-realm=1, it does not present just the user part of the login for Radius authentication. Instead it presents user@1 as the username. If I just try, default-realm= then user@ is presented.

2) My LTS/LAC use an L2TP secret. I've tried setting secret=password in [l2tp]. According to the logs the peer password does not match. But it is correct, even though I see this in the log:- impossible to authenticate peer: invalid Challenge Response sent by peer (wrong secret)

Any ideas?

Thanks

dimka88
Posts: 588
Joined: 13 Oct 2014, 05:51
Contact:

Re: L2TP Bind issues and Framed-route configuration

Post by dimka88 » 17 Nov 2019, 14:25

Hi, about `default-realm`, this option appends domain to username. For delete domain, I think need implement new feature.
default-realm=realm
By default is disabed.

Append specified realm to username. For example default-realm=example.com accel-ppp send to RADIUS server username@example.com
2) I tried this on my HomeLAB with cisco 7206 as LAC, and it works correct. Provide your accel-ppp.conf, your LAC config and accel-ppp logs

tj-19
Posts: 12
Joined: 10 Jun 2019, 20:42

Re: L2TP Bind issues and Framed-route configuration

Post by tj-19 » 18 Nov 2019, 17:13

Thanks for your inputs.

I was following your reply to my post about how to set-up realm stripping.

viewtopic.php?f=8&t=2390&start=10#p6608

Where you said default-realm=1 would separate the username from the domain.

I would be grateful if you could incorporate this feature as it is very useful.

Unfortunately, the LTS/LAC provider will not share their config. All I know is they use Juniper in their core network.

I have tried to emulate L2TP tunnels with a Shared Secret without IPSec using the following Windows Reg patch.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters

Create a DWORD called ProhibitIpSec and set it to 1

This works fine for L2TPNS but not for the L2TP module in ACCEL-PPP, when you set the secret = Share Secret with LAC.

All I see in the Log is:- impossible to authenticate peer: invalid Challenge Response sent by peer (wrong secret)

Can you provide a solution for using Debian or Ubuntu to emulate a connection coming from a LAC with a Shared Secret?

My ACCEL-PPP config looks like this:-

[modules]
l2tp
auth_chap_md5
radius

[ppp]
verbose=5
min-mtu=1280
mtu=1500
mru=1500
accomp=deny
pcomp=deny
ccp=0
ipv4=require
ipv6=deny
lcp-echo-timeout=120
unit-cache=1

[l2tp]
verbose=5
called-sid=mac
secret=shared secret with LAC
recorder-timeout=0
interface=eth0

[radius]
nas-identifier=lns-test
nas-ip-address=XXX.XXX.XXX.XXX (Internet Facing IP ADDRESS of LNS)
gw-ip-address= XXX.XXX.XXX.XXX (Internet Facing IP ADDRESS of LNS)
server=RADIUS-IP,PASSWORD,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=RADIUS-IP:3799,PASSWORD
verbose=5
timeout=3
max-try=3
acct-timeout=120
acct-delay-time=0
acct-on=on

I’ve also come across another issue with the framed route.

I can’t set a specific interface in the Framed-Route using Radius with ACCEL-PPP i.e. “0.0.0.0/0 XXX.XXX.XXX.XXX 1”

I can only set Framed-Route "0.0.0.0/0 0.0.0.0 1"

What do you set when you have a multi-homed LNS? I.e you provide the LNS for smaller operators, who just provide Radius Authentication for their customers using their own IP address space?

tj-19
Posts: 12
Joined: 10 Jun 2019, 20:42

Re: L2TP Bind issues and Framed-route configuration

Post by tj-19 » 21 Nov 2019, 23:37

Hi,

Sorry to be pain, but do you have any updates for me please?

Thanks

dimka88
Posts: 588
Joined: 13 Oct 2014, 05:51
Contact:

Re: L2TP Bind issues and Framed-route configuration

Post by dimka88 » 23 Nov 2019, 11:14

Hi, sorry, I don't have time in this month. You can also join to our telegram chat and to ask for help https://t.me/accel_ppp

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest