VPDN Configuration Task List

To configure VPDNs on the home gateway router, complete the following steps:

Step 1 Create a virtual template interface, and enter the interface configuration mode:

interface virtual-template number

Step 2 Identify the virtual template interface type and number on the LAN:

ip unnumbered interface number

Step 3 Enable PPP encapsulation on the virtual template interface:

encapsulation ppp

Step 4 Enable PPP authentication on the virtual template interface:

ppp authentication {chap | pap}

Step 5 Enable the global configuration command to allow virtual private networking on the NAS and home gateway routers:

vpdn enable

Step 6 Specify the remote host (the NAS), the local name (the home gateway) to use for authenticating, and the virtual template to use:

Home gateway router:

vpdn incoming nas-name hgw-name virtual-template number

NAS configuration:

vpdn outgoing domain-name NAS-name ip ip-address

NOTE You can also enable the NAS to authenticate users via TACACS+ or RADIUS using AAA commands.

A typical RADIUS user-profile entry on a UNIX server looks similar to the following:

LAC Radius Configuration - Sample

Sanjose.cisco.com Password = "cisco"
    Service-Type = Outbound-User,
    cisco-avpair = "vpdn:tunnel-id=DEFGH",
    cisco-avpair = "vpdn:tunnel-type=l2tp",
    cisco-avpair = "vpdn:ip-addresses=10.31.1.9",
    cisco-avpair = "vpdn:l2tp-tunnel-password=ABCDE"

The RADIUS profile used by the LAC defines the specific av-pairs, namely the tunnel-id, tunnel-type, ip-addresses, and the L2TP tunnel password.
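The av-pairs above are what the LAC must find in the RADIUS reply before it can bring up the tunnel, so a quick sanity check of the profile is worth having. The following is an added example, not code from the book or from Cisco: it parses a profile laid out as in the sample and reports any missing or malformed vpdn attributes. The profile text is a constructed copy of the page's sample; the attribute names are the ones the page lists, and the assumption that ip-addresses may hold several space- or comma-separated HGW addresses is mine.

```python
import ipaddress
import re

# Constructed sample: the page's LAC RADIUS user profile, one attribute per line
SAMPLE_PROFILE = """\
Sanjose.cisco.com Password = "cisco"
    Service-Type = Outbound-User,
    cisco-avpair = "vpdn:tunnel-id=DEFGH",
    cisco-avpair = "vpdn:tunnel-type=l2tp",
    cisco-avpair = "vpdn:ip-addresses=10.31.1.9",
    cisco-avpair = "vpdn:l2tp-tunnel-password=ABCDE"
"""

# One cisco-avpair carrying a vpdn:<key>=<value> attribute
AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"vpdn:([^=]+)=([^"]*)"')


def parse_profile(text):
    """Return (username, {key: value}) for a single RADIUS user profile.

    The first token of the first line is the user entry (here the NAS's domain
    name); every following cisco-avpair with a vpdn: prefix goes into the dict.
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    username = lines[0].split()[0]
    attrs = {}
    for line in lines[1:]:
        m = AVPAIR_RE.search(line)
        if m:
            attrs[m.group(1).strip()] = m.group(2).strip()
    return username, attrs


def check_profile(attrs):
    """Return a list of problems found in the vpdn attributes (empty if consistent)."""
    problems = []
    tunnel_type = attrs.get("tunnel-type", "").lower()

    # tunnel-id, tunnel-type and ip-addresses are always needed; the tunnel
    # password only applies to L2TP tunnels
    required = ["tunnel-id", "tunnel-type", "ip-addresses"]
    if tunnel_type == "l2tp":
        required.append("l2tp-tunnel-password")
    for key in required:
        if not attrs.get(key):
            problems.append(f"missing vpdn:{key}")

    if tunnel_type and tunnel_type not in ("l2tp", "l2f"):
        problems.append(f"unsupported tunnel-type '{tunnel_type}'")

    # assumption: ip-addresses lists one or more HGW endpoints separated by
    # spaces or commas; each must parse as an IP address
    for addr in re.split(r"[\s,]+", attrs.get("ip-addresses", "")):
        if not addr:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"invalid HGW address '{addr}'")
    return problems


if __name__ == "__main__":
    user, attrs = parse_profile(SAMPLE_PROFILE)
    print(user, attrs)
    print(check_profile(attrs) or "profile is consistent")
```

Running the module on the sample profile prints the parsed attributes and reports it as consistent; dropping the l2tp-tunnel-password line or mistyping the HGW address produces a finding for each.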

Example 5-13 displays a typical NAS/LAC configuration using TACACS+.

Example 5-13 Sample NAS/LAC Configuration

hostname NAS-LAC
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication ppp default if-needed group tacacs+
aaa authorization network default group tacacs+
enable password cciesarecool
username Melanie password 0 verysecretpassword
vpdn enable
interface Ethernet0
 ip address 131.108.1.1 255.255.255.0
interface Dialer1
 description USER dials in and is assigned this interface
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer-group 1
 peer default ip address pool IPaddressPool
 ppp authentication chap
ip local pool IPaddressPool 10.10.10.1 10.10.10.254
tacacs-server host 3.3.3.3
tacacs-server key extremelysecretpassword
dialer-list 1 protocol ip permit
line con 0
 login authentication CONSOLE
 transport input none
line 1 96
 autoselect during-login
 autoselect ppp
 modem Dialin
line aux 0
line vty 0 4

Example 5-13 shows the ISP (NAS/LAC) router, which typically supplies the tunnel ID to the HGW and IP addresses to the dial-in users.

Example 5-14 displays a typical configuration of the home gateway router.

Example 5-14 Sample HGW/LNS Configuration

hostname HGW-LNS
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication ppp default if-needed group tacacs+
aaa authorization network default group tacacs+
enable password cciesarecool
vpdn enable
vpdn-group DEFAULTcanbeanyname
 ! Default L2TP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 local name LNS
 lcp renegotiation always
 l2tp tunnel password 0 secretpwd
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool IPaddressPool
 ppp authentication chap
ip local pool IPaddressPool 11.11.11.1 11.11.11.254
!
tacacs-server host 3.3.3.3
tacacs-server key easypwd
!
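The HGW/LNS configuration hangs together through references: the vpdn-group names a virtual template that must exist as an interface, the template names an address pool that must be defined, and the template needs the address source and PPP authentication from Steps 2 and 4. The following is an added example, not code from the book or from Cisco, that reads an IOS configuration laid out as in Example 5-14 and reports any of those references that do not resolve. The configuration text is a constructed copy of the page's example, and the function names are mine.

```python
import re

# Constructed sample modelled on the page's Example 5-14 (HGW/LNS), one command per
# line, sub-commands indented as IOS prints them in 'show running-config'
SAMPLE_LNS_CONFIG = """\
hostname HGW-LNS
aaa new-model
aaa authentication ppp default if-needed group tacacs+
aaa authorization network default group tacacs+
vpdn enable
vpdn-group DEFAULTcanbeanyname
 ! Default L2TP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 local name LNS
 lcp renegotiation always
 l2tp tunnel password 0 secretpwd
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool IPaddressPool
 ppp authentication chap
ip local pool IPaddressPool 11.11.11.1 11.11.11.254
"""


def parse_sections(text):
    """Group an IOS config into {top-level command: [sub-commands]}, dropping comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw[:1].isspace():      # no indent: a top-level command opens a section
            current = stripped
            sections.setdefault(current, [])
        elif current is not None:      # indented: belongs to the section above it
            sections[current].append(stripped)
    return sections


def check_lns_config(text):
    """Cross-check the VPDN pieces of an LNS config; return a list of findings."""
    sections = parse_sections(text)
    findings = []
    if "vpdn enable" not in sections:
        findings.append("'vpdn enable' is not configured")

    # collect what is defined before checking what is referenced
    defined_templates, defined_pools = set(), set()
    for cmd in sections:
        m = re.match(r"interface Virtual-Template(\d+)$", cmd, re.I)
        if m:
            defined_templates.add(m.group(1))
        m = re.match(r"ip local pool (\S+)", cmd)
        if m:
            defined_pools.add(m.group(1))

    for cmd, subs in sections.items():
        if cmd.startswith("vpdn-group "):
            # every virtual template the group accepts dial-in on must exist
            for s in subs:
                m = re.match(r"virtual-template (\d+)$", s)
                if m and m.group(1) not in defined_templates:
                    findings.append(f"{cmd}: references Virtual-Template{m.group(1)}, which is not defined")
            if not any(s.startswith("l2tp tunnel password") for s in subs):
                findings.append(f"{cmd}: no l2tp tunnel password configured")
        m = re.match(r"interface (Virtual-Template\d+)$", cmd, re.I)
        if m:
            name = m.group(1)
            # the template needs an address source (Step 2) and PPP authentication (Step 4)
            if not any(s.startswith(("ip unnumbered", "ip address")) for s in subs):
                findings.append(f"{name}: no ip unnumbered / ip address")
            if not any(s.startswith("ppp authentication") for s in subs):
                findings.append(f"{name}: no ppp authentication")
            for s in subs:
                m2 = re.match(r"peer default ip address pool (\S+)", s)
                if m2 and m2.group(1) not in defined_pools:
                    findings.append(f"{name}: pool {m2.group(1)} is not defined")
    return findings


if __name__ == "__main__":
    for line in check_lns_config(SAMPLE_LNS_CONFIG) or ["config is consistent"]:
        print(line)
```

On the sample the check reports nothing; changing the vpdn-group to virtual-template 2, or removing the l2tp tunnel password line, produces a finding naming the offending vpdn-group.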

NOTE You are not expected to demonstrate your IOS syntax knowledge for VPDN. The commands are presented here for completeness, along with the two sample configuration files. For more quality examples, please visit www.cisco.com/warp/public/471/#vpdn.
