Contributor
Posts: 105
Registered: ‎08-09-2010
0 Kudos

L2TP MX240 LNS


Many apologies if this is the wrong area for this, but believe it is routing oriented:

 

I am configuring a new ISP network and have the core configured and working with MPLS, IS-IS, IPv6 and Dual-Stacked.... Now I have to start the real work of the PE --> CE .....

 

The PE also has to act as an LNS for L2TP Tunnels.... Now, I'm pretty much okay with eBGP but I am a complete newbie with regards to configuring the LNS for L2TP.

 

I am struggling to find any "real World" configuration help with regards to setting up the LNS and can only find the following document:

 

https://www.juniper.net/documentation/en_US/junos/topics/example/subscriber-management-l2tp-lns.html

 

Which, in all honesty, is not really helping me that much. Can anyone point me in the right direction to get the required configs I can play with to understand exactly how to configure this?

 

TIA

Contributor
Posts: 105
Registered: ‎08-09-2010
0 Kudos

Re: L2TP MX240 LNS

As an add on question. Can I use an SRX1800 as a test LAC for the LNS?

Juniper Employee
Posts: 8
Registered: ‎10-19-2011
0 Kudos

Re: L2TP MX240 LNS

Hi,

 

You can refer to the two KBs below. Let me know where exactly you're facing an issue with the LNS.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24102

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24104


Regards,

Rahul N

Contributor
Posts: 105
Registered: ‎08-09-2010
0 Kudos

Re: L2TP MX240 LNS

Hi Mayar,

 

Thank you for the links.... unfortunately neither of them work (Either I need a login ID or the document no longer exists)...

 

My issue is that although I have worked on L2TP before, I have never had to configure one up from Scratch..... I would need to configure an LNS and a LAC so that I can test the configurations before this is placed into a production environment...

 

I have configured the Core with MPLS, RSVP, IS-IS, IPv6 and IPv4 Dual Stacking and tested, and all of this works fine, but I am having problems with this LNS/LAC configuration and can find no real help regarding an initial configuration.

 

 

Juniper Employee
Posts: 8
Registered: ‎10-19-2011
0 Kudos

Re: L2TP MX240 LNS

Simple LAC configuration on MX.

 

Interface configuration:

[edit]
jtac@MX-240-2-RE0# show interfaces ge-2/1/9
description "Towards CLIENT";
vlan-tagging;
unit 100 {
    encapsulation ppp-over-ether;
    vlan-id 100;
}

 [edit]
jtac@MX-240-2-RE0# show interfaces pp0.100
ppp-options {
    pap;
}
pppoe-options {
    underlying-interface ge-2/1/9.100;
    server;
}
family inet {
    unnumbered-address lo0.0;
}

Access configuration:

[edit]
jtac@MX-240-2-RE0# show access domain
map ppp.com {
    tunnel-profile to-lns;
}

[edit]
jtac@MX-240-2-RE0# show access tunnel-profile to-lns
## L2TP tunnel configuration
tunnel 1 {
    preference 200;
    remote-gateway {
        address 100.0.0.2;
        gateway-name MX-240-1-RE1;
    }
    source-gateway {
        address 100.0.0.1;
        gateway-name LAC1;
    }
    secret "$9$kPz6pu1hclp0Eyrex7"; ## SECRET-DATA
    tunnel-type l2tp;
}

 [edit]
jtac@MX-240-2-RE0# show access radius-server
10.209.74.53 {
    port 1812;
    secret "$9$Sbie87ws4ZGiwYJDjHTQ"; ## SECRET-DATA
    source-address 10.209.74.100;
}


 [edit]
jtac@MX-240-2-RE0# show access-profile
acc-prof;

 [edit]
jtac@MX-240-2-RE0# show access profile acc-prof
authentication-order radius;
radius {
    authentication-server [ 10.209.74.53 10.209.74.42 ];
}





Sample LNS configuration on MX

dynamic-profiles {
    DYNAMIC-PROFILE-1 {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    dial-options {
                        l2tp-interface-id l2tp-encapsulation;
                        dedicated;
                    }
                    family inet {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
chassis {
    fpc 2 {
        pic 0 {
            inline-services {
                bandwidth 10g;
            }
        }
    }
    network-services enhanced-ip;
}
interfaces {
    si-2/0/0 {
        unit 100 {
            dial-options {
                l2tp-interface-id l2tp-encapsulation; ## Static configuration
            }
            family inet {
                unnumbered-address ge-2/3/1.0;
            }
        }
    }
    ge-2/3/1 { ## LAC-facing interface
        unit 0 {
            family inet {
                address 100.0.0.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 100.17.33.4/32;
            }
        }
        unit 1 {
            family inet {
                address 202.144.0.100/32;
            }
        }
    }
}
access {
    radius-server {
        10.209.74.53 {
            secret "$9$F3LP/pBcSeW87cyMXxN2g"; ## SECRET-DATA
            source-address 10.209.74.84;
        }
    }
    group-profile ppp {
        ppp {
            idle-timeout 200;
            keepalive 30;
        }
    }
    profile l2tp {
        client LAC1 {
            l2tp {
                maximum-sessions-per-tunnel 1000;
                interface-id l2tp-encapsulation;
                shared-secret "$9$o-GHmzF/tpBz3A0O1rl"; ## SECRET-DATA
            }
            user-group-profile ppp;
        }
    }
    address-assignment {
        pool PPPoE-Subs {
            family inet {
                network 202.144.50.0/24;
                range FIRST {
                    low 202.144.50.1;
                    high 202.144.50.254;
                }
            }
        }
    }
}
services {
    l2tp {
        tunnel-group to-lac {
            l2tp-access-profile l2tp;
            aaa-access-profile TEST-ACCESS-PROFILE;
            local-gateway {
                address 100.0.0.2;
            }
            service-interface si-2/0/0;
            dynamic-profile DYNAMIC-PROFILE-1;
        }
    }
    service-device-pools {
        pool PPPoE-Subs {
            interface si-2/0/0;
        }
    }
}

Contributor
Posts: 105
Registered: ‎08-09-2010
0 Kudos

Re: L2TP MX240 LNS

Thank you Mayar,

 

I have stumbled across an issue with regards to this configuration though (although I know it is only a sample)....

 

The line near the end that says:  "set aaa-access-profile TEST-ACCESS-PROFILE" ..... when trying to commit with this command I get the following error:

 

[edit services l2tp tunnel-group to-lac aaa-access-profile]
  'aaa-access-profile TEST-ACCESS-PROFILE'
    referenced access profile must be defined
error: configuration check-out failed: (statements constraint check failed)

 

Which when I look is right..... the TEST-ACCESS-PROFILE is not referenced anywhere so how is it going to work?

 

I may be asking something really silly here and many apologies if I am, but, where do I place my config to get the commit to pass please?

Juniper Employee
Posts: 8
Registered: ‎10-19-2011
0 Kudos

Re: L2TP MX240 LNS

Hi,

 

You can configure a simple test profile like the one below in case RADIUS authentication is not required.

 

labroot@ERX-MX960-NS-1# set access profile TEST-ACCESS-PROFILE authentication-order none 

 

Regards,

Rahul N
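
Added example, not part of the original thread and not Juniper's commit checker: a small Python pre-commit check that reproduces the "referenced access profile must be defined" failure on the sample LNS configuration, then shows it clearing once the test profile is added, while flagging that the profile uses authentication-order none. The SAMPLE excerpt is constructed from the thread's config, and the REFS map and the function names statements and check are assumptions made for this illustration.

```python
import re

# Constructed excerpt: only the reference-bearing statements of the thread's LNS sample.
SAMPLE = """
dynamic-profiles { DYNAMIC-PROFILE-1 { } }
access { group-profile ppp { ppp { keepalive 30; } }
         profile l2tp { client LAC1 { user-group-profile ppp; } } }
services { l2tp { tunnel-group to-lac {
    l2tp-access-profile l2tp; aaa-access-profile TEST-ACCESS-PROFILE;
    dynamic-profile DYNAMIC-PROFILE-1; } } }
"""
# Curly-brace form of the "set access profile ..." command from the last reply.
FIX = "access { profile TEST-ACCESS-PROFILE { authentication-order none; } }"
# Assumed map (not Junos's own rules): referencing statement -> (parent, definition prefix).
REFS = {"l2tp-access-profile": ("access", "profile "),
        "aaa-access-profile": ("access", "profile "),
        "user-group-profile": ("access", "group-profile "),
        "dynamic-profile": ("dynamic-profiles", "")}

def statements(text):
    """Flatten curly-brace Junos config into (parent path, statement) pairs."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"##.*", "", text))
    path, words, out = [], [], []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        stmt, words = " ".join(words), []
        if tok == "}":
            path.pop()
        else:
            out.append((tuple(path), stmt))  # block openers are recorded too
            if tok == "{":
                path.append(stmt)
    return out

def check(text):
    # Findings: dangling profile references, and profiles that skip authentication.
    stmts, findings = statements(text), []
    for path, stmt in stmts:
        ref, _, name = stmt.partition(" ")
        if ref in REFS and name:
            parent, prefix = REFS[ref]
            if ((parent,), prefix + name) not in stmts:
                findings.append(f"undefined {ref} {name}")
        if stmt == "authentication-order none":
            findings.append(f"{path[-1]}: authentication-order none")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE), check(SAMPLE + FIX))
```

The second finding is useful when promoting a lab configuration: a profile left at authentication-order none should be replaced with the RADIUS-backed profile before the tunnel group goes into production.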