Hi (possibly Rahul) 🙂
This, I hope, is the last piece of the jigsaw on L2TP.
I have my network operating correctly against the RADIUS server and all is good. I need to complete one last set of tests and that involves pinging from end to end on the same subnet (client site to client site).
For the IGP I have chosen IS-IS as an easy to implement and maintain protocol (except this one part 🙂 ). I have configured, on the LNS, a pool of addresses to be assigned out to the client "IP Address Negotiated" interface and it receives those okay, in the range of 192.168.1.0/24. The problem is that the address range is not routable and therefore cannot ping the far end device from client end.
Normal Juniper ISIS configuration is as follows:
set interfaces ge-0/2/0 unit 0 family iso
set protocols isis interface ge-0/2/0.0
That is it (as the NETD has already been assigned to the loopback).
When the above is configured, the addressing and networks associated with the interface are routed by ISIS.
I can inject the static route used by the radius and the actual tunnel end points and that works.
I CANNOT get the pool addressing to route through the network no matter what I try. Am I being dumb? I tried the si interface, no luck..... I tried static routing, no luck..... I am not sure where to inject this so there is a route for the pool address range.
Any help would be great please.
Thank you for the response.
I have successfully implemented the following:
set routing-options static route 192.168.1.0/24 reject
set policy-options policy-statement dyn-vpn-route term 1 from instance master
set policy-options policy-statement dyn-vpn-route term 1 from route-filter 192.168.1.0/24 exact
set policy-options policy-statement dyn-vpn-route term 1 then accept
set policy-options policy-statement dyn-vpn-route term 2 then reject
set protocols isis export dyn-vpn-route
Thank you for your help again 🙂
Thought it may be appropriate here to post a warning regarding the configuration used:
It appears that although everything seems to be working perfectly there was a slight issue that I had:
On the MX240 that I am using as an LNS, it appeared that ISIS was accepting route advertisement entering from the MX240 Core and anything attached to it, but the MX240 itself was not advertising the other way. So the static route to the LAC and the VPN assigned traffic and any other external routes were not being advertised. Therefore, the user could not be authenticated against the RADIUS because there was no route back. I removed the config and it all worked again okay.
Can you let me know a reason why the following would cause that:
set policy-options policy-statement dyn-vpn-route term 1 from instance master
After completing traceoptions on ISIS it was showing "Reject routes" and naming "instance master" as the reason. I know that the Instance Master utilises the inet0 routing table.... any ideas Rahul?