SRX Services Gateway

BT Business Broadband on SRX110H2-VA

‎04-13-2015 12:44 AM

Hi,

I am really struggling to configure the SRX110 for our ADSL BT Business Broadband (This uses PPPoA).

I have followed the guides in the KB article http://kb.juniper.net/InfoCenter/index?page=content&id=KB25400

However, although the ADSL Sync light goes a steady green, it never appears to authenticate.

I have noticed that when putting the password in, the SRX obfuscates or hashes the password.

When I look at the config now, there are 3 different hashed values where the passwords would be; I was expecting to just see the same hashed value 3 times.

 

Has anyone any experience of setting these up in the UK on a BT ADSL line?

 

This is my current config (Passwords removed)

## Last changed: 2015-04-09 20:11:18 GMT
version 12.1X44-D35.5;
system {
    host-name SRX110;
    time-zone GMT;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        user user1 {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.1;
            }
            https {
                system-generated-certificate;
                interface vlan.1;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            propagate-settings pt-1/0/0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    at-1/0/0 {
        description ADSL;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description PPPoA;
            encapsulation atm-ppp-vc-mux;
            vci 0.38;
            ppp-options {
                chap {
                    access-profile BT;
                    passive;
                }
                pap {
                    default-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
                    local-name "xxxxxx8@hg7.btclick.com";
                    local-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
                    passive;
                }
            }
            family inet {
                dhcp;
            }
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop at-1/0/0.0;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            screen untrust-screen;
        }
        security-zone untrust {
            interfaces {
                at-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile BT {
        client "B317928@hg7.btclick.com" chap-secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
}
vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
}

 


Re: BT Business Broadband on SRX110H2-VA

‎04-13-2015 12:53 AM

Hi,

As far as I know BT does CHAP auth. I would remove the PAP auth settings from your config. Also, your

family inet {
    dhcp;
}

needs to be replaced by

family inet {
    negotiate-address;
}

Something like the below will work; I have had this working in the past.

 

at-1/0/0 {
    description ADSL;
    enable;
    encapsulation atm-pvc;
    atm-options {
        vpi 0;
    }
    dsl-options {
        operating-mode auto;
    }
    unit 0 {
        description PPPoA;
        encapsulation atm-ppp-vc-mux;
        vci 0.38;
        ppp-options {
            chap {
                default-chap-secret "xxxxxxxxxx"; ## SECRET-DATA
                local-name "username@hg70.btclick.com.";
                passive;
            }
        }
        family inet {
            negotiate-address;
        }
    }
}

 

Hope this helps

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------

Re: BT Business Broadband on SRX110H2-VA

‎04-13-2015 01:18 AM

Marc,

That was a massive help, thank you - I now have an external IP address on the AT-1/0/0 interface and it appears authenticated.

I still can't reach the internet from the inside. I'm assuming a routing issue here, but again, I followed the KB guide to set this up, and I'm now struggling to see what I can do...

 

Solution
Accepted by topic author jwhitemass@outlook.com
‎08-26-2015 01:27 AM

Re: BT Business Broadband on SRX110H2-VA

‎04-13-2015 01:23 AM

I see that you NAT from zone Internal to zone Internet.

But your external interface at-1/0/0.0 is part of zone untrust. I would suggest moving interface at-1/0/0.0 from zone untrust to zone Internet.

 

I guess everything starts working then.

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
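
The zone mismatch identified in the accepted answer can be caught mechanically before commit. The Python below is an added example, not part of the original thread or any Juniper tool; `parse`, `zone_refs`, `audit_zones` and the trimmed `SAMPLE` stanza are constructed here for illustration.

```python
import re

# Constructed sample: the thread's security stanza trimmed to its zone-related statements.
SAMPLE = """security {
  nat { source { rule-set nsw_srcnat { from zone Internal; to zone Internet; } } }
  policies { from-zone Internal to-zone Internet { policy All_Internal_Internet { then { permit; } } } }
  zones {
    security-zone Internal { interfaces { vlan.1; } }
    security-zone Internet { screen untrust-screen; }
    security-zone untrust { interfaces { at-1/0/0.0; } }
  }
}"""

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"##.*", "", text))
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def zone_refs(node):
    """Yield zone names used in NAT 'from/to zone X' and policy 'from-zone X to-zone Y' keys."""
    for key, child in (node or {}).items():
        yield from re.findall(r"\b(?:from|to)[- ]zone (\S+)", key)
        yield from zone_refs(child)

def audit_zones(cfg):
    """Report zones that NAT/policy use but no interface sits in, and the reverse."""
    sec = cfg.get("security", {})
    bound = {k.split()[1]: sorted(v.get("interfaces") or {})
             for k, v in sec.get("zones", {}).items() if k.startswith("security-zone ")}
    used = set(zone_refs(sec))
    findings = [f"zone {z} is used by NAT/policy but has no interfaces"
                for z in sorted(used) if not bound.get(z)]
    findings += [f"zone {z} holds {', '.join(ifs)} but no NAT/policy references it"
                 for z, ifs in sorted(bound.items()) if ifs and z not in used]
    return findings

print("\n".join(audit_zones(parse(SAMPLE))))
```

On the configuration as posted it reports both halves of the problem; once at-1/0/0.0 sits in zone Internet the list is empty.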

Re: BT Business Broadband on SRX110H2-VA

‎04-13-2015 01:29 AM

Marc, you are a gent! All is working now, many thanks for your help :)