Inject L2TP pool into isis

  • 1.  Inject L2TP pool into isis

    Posted 10-30-2017 08:23

    Hi (possibly Rahul)  🙂


    This, I hope, is the last piece of the jigsaw on L2TP. 

    I have my network operating correctly against the RADIUS server and all is good. I need to complete one last set of tests and that involves pinging from end to end on the same subnet (client site to client site).

    For the IGP I have chosen IS-IS as an easy to implement and maintain protocol (except this one part 🙂 ). I have configured, on the LNS, a pool of addresses to be assigned out to the client "IP Address Negotiated" interface and it receives those okay, in the range of The problem is that the address range is not routable and therefore cannot ping the far end device from client end.

    Normal Juniper ISIS configuration is as follows:


    set interfaces ge-0/2/0 unit 0 family iso

    set protocols isis interface ge-0/2/0.0


    That is it (as the NETD has already been assigned to the loopback).


    When the above is configured, the addressing and networks associated with the interface are routed by ISIS.

    I can inject the static route used by the radius and the actual tunnel end points and that works.


    I CANNOT get the pool addressing to route through the network no matter what I try. Am I being dumb? I tried the si interface, no luck..... I tried static routing, no luck..... I am not sure where to inject this so there is a route for the pool address range.


    Any help would be great please.



  • 2.  RE: Inject L2TP pool into isis
    Best Answer

    Posted 10-30-2017 08:34

    Can you try an export policy on isis using from protocol access-internal then accept?


  • 3.  RE: Inject L2TP pool into isis

    Posted 10-30-2017 10:20

    Hi Rahul,


    Thank you for the response.


    I have successfully implemented the following:


     set routing-options static route reject

     set policy-options policy-statement dyn-vpn-route term 1 from instance master
     set policy-options policy-statement dyn-vpn-route term 1 from route-filter exact
     set policy-options policy-statement dyn-vpn-route term 1 then accept
     set policy-options policy-statement dyn-vpn-route term 2 then reject

     set protocols isis export dyn-vpn-route


    Works perfectly.


    Thank you for your help again 🙂


  • 4.  RE: Inject L2TP pool into isis

    Posted 11-08-2017 01:14

    Hi Rahul,


    Thought it may be appropriate here to post a warning regarding the configuration used:


    It appears that although everything seems to be working perfectly there was a slight issue that I had:


    On the MX240 that I am using as an LNS, it appeared that ISIS was accepting route advertisements entering from the MX240 Core and anything attached to it, but the MX240 itself was not advertising the other way. So the static route to the LAC and the VPN assigned traffic and any other external routes were not being advertised. Therefore, the user could not be authenticated against the RADIUS because there was no route back. I removed the config and it all worked again okay.


    Can you let me know a reason why the following would cause that:

    set policy-options policy-statement dyn-vpn-route term 1 from instance master


    After completing traceoptions on ISIS it was showing "Reject routes" and naming "instance master" as the reason. I know that the Instance Master utilises the inet0 routing table.... any ideas Rahul?