Routing


L2TP MX240 LNS

  • 1.  L2TP MX240 LNS

     
    Posted 09-13-2017 07:07

    Many apologies if this is the wrong area for this, but believe it is routing oriented:

     

    I am configuring a new ISP network and have the core configured and working with MPLS, IS-IS, IPv6 and Dual-Stacked.... Now I have to start the real work of the PE --> CE .....

     

    The PE also has to act as an LNS for L2TP Tunnels.... Now, I'm pretty much okay with eBGP but I am a complete newbie with regards to configuring the LNS for L2TP.

     

    I am struggling to find any "real World" configuration help with regards to setting up the LNS and can only find the following document:

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/subscriber-management-l2tp-lns.html

     

    Which, in all honesty, is not really helping me that much. Can anyone point me in the right direction to get the required configs I can play with to understand exactly how to configure this?

     

    TIA



  • 2.  RE: L2TP MX240 LNS

     
    Posted 09-14-2017 00:16

    As an add on question. Can I use an SRX1800 as a test LAC for the LNS?



  • 3.  RE: L2TP MX240 LNS

     
    Posted 09-18-2017 00:50

    Hi,

     

    You can refer to the two KBs below. Let me know where exactly you're facing an issue with the LNS.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24102

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24104


    Regards,

    Rahul N



  • 4.  RE: L2TP MX240 LNS

     
    Posted 09-18-2017 01:36

    Hi Mayar,

     

    Thank you for the links.... unfortunately neither of them work (Either I need a login ID or the document no longer exists)...

     

    My issue is that although I have worked on L2TP before, I have never had to configure one up from Scratch..... I would need to configure an LNS and a LAC so that I can test the configurations before this is placed into a production environment...

     

    I have configured the Core with MPLS, RSVP, IS-IS, IPv6 and IPv4 Dual Stacking and tested, and all of this works fine, but I am having problems with this LNS/LAC configuration and can find no real help regarding an initial configuration.

     

     



  • 5.  RE: L2TP MX240 LNS
    Best Answer

     
    Posted 09-18-2017 06:46

    Simple LAC configuration on MX.

     

    Interface configuration:

    [edit]
    jtac@MX-240-2-RE0# show interfaces ge-2/1/9
    description "Towards CLIENT";
    vlan-tagging;
    unit 100 {
        encapsulation ppp-over-ether;
        vlan-id 100;
    }

    [edit]
    jtac@MX-240-2-RE0# show interfaces pp0.100
    ppp-options {
        pap;
    }
    pppoe-options {
        underlying-interface ge-2/1/9.100;
        server;
    }
    family inet {
        unnumbered-address lo0.0;
    }

    Access configuration:

    [edit]
    jtac@MX-240-2-RE0# show access domain
    map ppp.com {
        tunnel-profile to-lns;
    }

    [edit]
    jtac@MX-240-2-RE0# show access tunnel-profile to-lns    ## L2TP tunnel configuration
    tunnel 1 {
        preference 200;
        remote-gateway {
            address 100.0.0.2;
            gateway-name MX-240-1-RE1;
        }
        source-gateway {
            address 100.0.0.1;
            gateway-name LAC1;
        }
        secret "$9$kPz6pu1hclp0Eyrex7"; ## SECRET-DATA
        tunnel-type l2tp;
    }

    [edit]
    jtac@MX-240-2-RE0# show access radius-server
    10.209.74.53 {
        port 1812;
        secret "$9$Sbie87ws4ZGiwYJDjHTQ"; ## SECRET-DATA
        source-address 10.209.74.100;
    }

    [edit]
    jtac@MX-240-2-RE0# show access-profile
    acc-prof;

    [edit]
    jtac@MX-240-2-RE0# show access profile acc-prof
    authentication-order radius;
    radius {
        authentication-server [ 10.209.74.53 10.209.74.42 ];
    }





    Sample LNS configuration on MX

    dynamic-profiles {
        DYNAMIC-PROFILE-1 {
            interfaces {
                "$junos-interface-ifd-name" {
                    unit "$junos-interface-unit" {
                        dial-options {
                            l2tp-interface-id l2tp-encapsulation;
                            dedicated;
                        }
                        family inet {
                            unnumbered-address lo0.0;
                        }
                    }
                }
            }
        }
    }
    chassis {
        fpc 2 {
            pic 0 {
                inline-services {
                    bandwidth 10g;
                }
            }
        }
        network-services enhanced-ip;
    }
    interfaces {
        si-2/0/0 {
            unit 100 {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation; ## Static configuration.
                }
                family inet {
                    unnumbered-address ge-2/3/1.0;
                }
            }
        }
        ge-2/3/1 { ## LAC facing interface
            unit 0 {
                family inet {
                    address 100.0.0.2/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 100.17.33.4/32;
                }
            }
            unit 1 {
                family inet {
                    address 202.144.0.100/32;
                }
            }
        }
    }
    access {
        radius-server {
            10.209.74.53 {
                secret "$9$F3LP/pBcSeW87cyMXxN2g"; ## SECRET-DATA
                source-address 10.209.74.84;
            }
        }
        group-profile ppp {
            ppp {
                idle-timeout 200;
                keepalive 30;
            }
        }
        profile l2tp {
            client LAC1 {
                l2tp {
                    maximum-sessions-per-tunnel 1000;
                    interface-id l2tp-encapsulation;
                    shared-secret "$9$o-GHmzF/tpBz3A0O1rl"; ## SECRET-DATA
                }
                user-group-profile ppp;
            }
        }
        address-assignment {
            pool PPPoE-Subs {
                family inet {
                    network 202.144.50.0/24;
                    range FIRST {
                        low 202.144.50.1;
                        high 202.144.50.254;
                    }
                }
            }
        }
    }
    services {
        l2tp {
            tunnel-group to-lac {
                l2tp-access-profile l2tp;
                aaa-access-profile TEST-ACCESS-PROFILE;
                local-gateway {
                    address 100.0.0.2;
                }
                service-interface si-2/0/0;
                dynamic-profile DYNAMIC-PROFILE-1;
            }
        }
        service-device-pools {
            pool PPPoE-Subs {
                interface si-2/0/0;
            }
        }
    }


  • 6.  RE: L2TP MX240 LNS

     
    Posted 09-19-2017 05:46

    Thank you Mayar,

     

    I have stumbled across an issue with regards to this configuration though (although I know it is only a sample)....

     

    The line near the end that says:  "set aaa-access-profile TEST-ACCESS-PROFILE" ..... when trying to commit with this command I get the following error:

     

    [edit services l2tp tunnel-group to-lac aaa-access-profile]
      'aaa-access-profile TEST-ACCESS-PROFILE'
        referenced access profile must be defined
    error: configuration check-out failed: (statements constraint check failed)

     

    Which when I look is right..... the TEST-ACCESS-PROFILE is not referenced anywhere so how is it going to work?

     

    I may be asking something really silly here and many apologies if I am, but, where do I place my config to get the commit to pass please?



  • 7.  RE: L2TP MX240 LNS

     
    Posted 09-19-2017 06:28

    Hi,

     

    You can configure a simple test profile like the one below in case RADIUS authentication is not required.

     

    labroot@ERX-MX960-NS-1# set access profile TEST-ACCESS-PROFILE authentication-order none 

     

    Regards,

    Rahul N
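
The commit failure discussed in this thread comes from a tunnel group pointing at an access profile that is never defined. As an added example (not code from any poster or from Juniper), the Python check below parses a curly-brace Junos configuration and lists such dangling references before a commit is attempted; it goes slightly beyond the one error in the thread by covering the four referencing statements that appear in the posted LNS snippet. The names `walk`, `dangling_references` and `REFS` are hypothetical, and the sample configuration is constructed.

```python
import re

TOKEN = re.compile(r'##[^\n]*|"[^"]*"|[{};]|[^\s{};]+')
REFS = {"aaa-access-profile": "profile", "l2tp-access-profile": "profile",
        "user-group-profile": "group-profile", "dynamic-profile": "dynamic-profile"}

def walk(text):
    """Yield (parent_path, words, is_block) for each statement of a Junos config."""
    path, words = [], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            yield tuple(path), tuple(words), True
            path.append(tuple(words)); words = []
        elif tok == ";":
            yield tuple(path), tuple(words), False
            words = []
        elif tok == "}":
            if not path:
                raise ValueError("unbalanced '}' in configuration")
            path.pop()
        elif not tok.startswith("##"):     # skip annotations such as ## SECRET-DATA
            words.append(tok.strip('"'))

def dangling_references(text):
    """Return sorted (statement, name) pairs that point at undefined objects."""
    defined, used = set(), []
    for path, words, is_block in walk(text):
        if is_block and path == (("access",),) and len(words) == 2:
            defined.add((words[0], words[1]))      # profile NAME / group-profile NAME
        elif is_block and path == (("dynamic-profiles",),) and words:
            defined.add(("dynamic-profile", words[0]))
        elif not is_block and len(words) == 2 and words[0] in REFS:
            used.append((words[0], words[1]))
    return sorted(ref for ref in used if (REFS[ref[0]], ref[1]) not in defined)

# Constructed sample, condensed from the LNS snippet posted in this thread.
SAMPLE = """
access {
    group-profile ppp { ppp { keepalive 30; } }
    profile l2tp { client LAC1 { user-group-profile ppp; } }
}
services { l2tp { tunnel-group to-lac {
    l2tp-access-profile l2tp;
    aaa-access-profile TEST-ACCESS-PROFILE;
    dynamic-profile DYNAMIC-PROFILE-1;
} } }
dynamic-profiles { DYNAMIC-PROFILE-1 { } }
"""
```

A profile defined with `authentication-order none`, as suggested in the last reply, satisfies this check but performs no subscriber authentication; the LAC's `acc-prof` above shows the `authentication-order radius` form.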