How to get your L2TP static IP working on Afrihost ADSL/VDSL connections (the setup is the same for Internet Solutions, except that they don't use a shared key for the tunnel).
First, make sure you have signed up for a static IP with Afrihost; it's R50 extra per month on a business DSL account. Once that's done, here is the setup for your Cisco router (I've done this exact config on both an 877 and a 1921 ISR, so it's pretty universal).
What sets this setup apart from other online guides is that it does proper NAT over both the DSL link and the L2TP tunnel, and keeps working if the tunnel is torn down, so you still have working internet (on the dynamic DSL address) if the tunnel fails.
I'll explain each section as necessary:
Enable CEF; L2TP tunnels won't initiate without it on some models:
ip cef
Enable L2TP congestion control. Afrihost's side is sensitive to too many retransmits on the control channel and drops the tunnel frequently without this:
l2tp congestion-control
Define the L2TP class for shared-key tunnel authentication. This only authenticates the tunnel control channel; L2TPv2 on its own does not encrypt the data path. Note that the password is stored in the config in clear text unless service password-encryption is on, and even then only as type 7 obfuscation, so treat saved copies of this config as sensitive:
l2tp-class AFRIHOST-PASS
hidden
authentication
password h3lp
Define the actual pseudowire class and encapsulation, apply the password class, and set the source interface the tunnel is built from (in this case Dialer1, the DSL connection):
pseudowire-class AFRIHOST-STATIC
encapsulation l2tpv2
protocol l2tpv2 AFRIHOST-PASS
ip local interface Dialer1
This is important: define the PVC details for the ATM0 (raw ADSL) link, which hands the PPPoE session to dialer pool 1:
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
Define the standard ADSL/VDSL PPP authentication for the Dialer1 interface:
interface Dialer1
description AFRIHOST-ADSL
ip address negotiated
no ip proxy-arp
ip mtu 1492 <-- This is important: PPPoE takes 8 bytes off the 1500-byte Ethernet MTU, so this prevents packet fragmentation
ip nat outside
ip virtual-reassembly max-reassemblies 256
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname USERNAME@afrihost.co.za
ppp chap password PASSWORD
ppp pap sent-username USERNAME@afrihost.co.za password PASSWORD
ppp ipcp dns request
Now we define the actual L2TP tunnel and its virtual interface on the router; 196.30.121.50 is the endpoint of the Afrihost L2TP server:
interface Virtual-PPP1
description Afrihost-Static-IP
bandwidth 100000
ip address negotiated
ip mtu 1460 <-- This is important: the tunnel adds L2TP/UDP/IP overhead on top of the PPPoE link, so the MTU here must be lower than Dialer1's to prevent packet fragmentation
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ppp pap sent-username USERNAME@afrihost.co.za password 0 PASSWORD
pseudowire 196.30.121.50 1 pw-class AFRIHOST-STATIC
Now we define the routes. The host route makes sure the L2TP server itself is always reached over Dialer1 with the highest priority; without it, tunnel packets could be routed into the tunnel once the Virtual-PPP1 default route comes up. We also add two default routes: Virtual-PPP1 is preferred (distance 5), and if it goes down for any reason we fall back to Dialer1 (distance 10):
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 196.30.121.50 255.255.255.255 Dialer1
We define two local access lists for the inside subnet (one per route-map, as you'll see further down):
access-list 1 permit 10.0.0.0 0.0.15.255
access-list 2 permit 10.0.0.0 0.0.15.255
Now we create a route-map per outgoing interface so NAT works on both; simply defining two interface overloads for the same inside ACL would only allow ONE of them to work. Each route-map matches the inside subnet and its own egress interface, so traffic is translated to the address of whichever interface actually carries it:
route-map WAN1-NAT permit 1
match ip address 1
match interface Virtual-PPP1
route-map WAN2-NAT permit 1
match ip address 2
match interface Dialer1
Then we create the NAT overloads for both outgoing interfaces; this way NAT works both over plain DSL and when the L2TP tunnel is active:
ip nat inside source route-map WAN1-NAT interface Virtual-PPP1 overload
ip nat inside source route-map WAN2-NAT interface Dialer1 overload
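The pieces above only fail over cleanly when a few things line up: CEF is on, the L2TP endpoint has a host route out the underlay (not into the tunnel), the two default routes are ordered by distance, and each NAT route-map is tied to exactly the interface its NAT statement translates to. The following is an added example, not part of the original post, that lints a saved IOS config text for exactly those invariants. The GOOD and BAD config strings are constructed samples (the relevant lines of the config on this page, with IOS indentation restored, and a deliberately broken variant); the parser is deliberately minimal and only understands the statement forms used here.

```python
"""Added example (not from the original post): lint a saved IOS config for the
invariants that make the L2TP-over-DSL failover on this page work: ip cef on;
a /32 host route for the pseudowire endpoint out the same underlay interface
the pseudowire-class sources from (otherwise tunnel packets can be routed into
the tunnel once its default route is up); two default routes with the
Virtual-PPP one preferred by distance; each NAT route-map matching exactly the
egress interface its 'ip nat inside source' statement translates to."""
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the page's config, IOS indentation restored.
GOOD = """\
ip cef
pseudowire-class AFRIHOST-STATIC
 ip local interface Dialer1
interface Virtual-PPP1
 pseudowire 196.30.121.50 1 pw-class AFRIHOST-STATIC
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 196.30.121.50 255.255.255.255 Dialer1
route-map WAN1-NAT permit 1
 match ip address 1
 match interface Virtual-PPP1
route-map WAN2-NAT permit 1
 match ip address 2
 match interface Dialer1
ip nat inside source route-map WAN1-NAT interface Virtual-PPP1 overload
ip nat inside source route-map WAN2-NAT interface Dialer1 overload
"""
# Constructed broken variant: host route missing and both route-maps matching both WANs.
BAD = (GOOD.replace("ip route 196.30.121.50 255.255.255.255 Dialer1\n", "")
       .replace(" match interface Virtual-PPP1\n", " match interface Virtual-PPP1 Dialer1\n")
       .replace(" match interface Dialer1\n", " match interface Dialer1 Virtual-PPP1\n"))


def parse_config(text: str) -> Dict[str, List[str]]:
    """Group the config into {unindented header: [indented sub-lines]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_failover(text: str) -> List[str]:
    """Return the problems found; an empty list means the config passes."""
    cfg = parse_config(text)
    problems: List[str] = []
    if "ip cef" not in cfg:
        problems.append("ip cef is not enabled; the pseudowire may never initiate")

    # Pseudowire endpoint, and the underlay interface its pseudowire-class sources from.
    endpoint = underlay = None
    for header, body in cfg.items():
        if not header.startswith("interface Virtual-PPP"):
            continue
        for line in body:
            m = re.match(r"pseudowire (\S+) \d+ pw-class (\S+)", line)
            if m:
                endpoint = m.group(1)
                pw_lines = cfg.get("pseudowire-class " + m.group(2), [])
                underlay = next((l.split()[-1] for l in pw_lines
                                 if l.startswith("ip local interface ")), None)
    if endpoint is None:
        return problems + ["no pseudowire configured on a Virtual-PPP interface"]

    # Static routes written as 'ip route PREFIX MASK EXIT-INTERFACE [DISTANCE]'.
    routes = [(m.group(1), m.group(2), m.group(3), int(m.group(4) or 1))
              for m in (re.match(r"ip route (\S+) (\S+) (\S+)(?: (\d+))?$", h) for h in cfg) if m]
    host = [r for r in routes if r[0] == endpoint and r[1] == "255.255.255.255"]
    if not host:
        problems.append(f"no host route for L2TP endpoint {endpoint}; "
                        "tunnel packets may recurse into the tunnel")
    elif underlay and host[0][2] != underlay:
        problems.append(f"host route for {endpoint} exits {host[0][2]} "
                        f"but the pseudowire-class sources from {underlay}")
    defaults = sorted((r for r in routes if r[0] == r[1] == "0.0.0.0"), key=lambda r: r[3])
    if len(defaults) < 2:
        problems.append("need two default routes: tunnel preferred, DSL as fallback")
    elif not defaults[0][2].startswith("Virtual-PPP") or defaults[0][3] == defaults[1][3]:
        problems.append("default routes must prefer the Virtual-PPP interface by a lower distance")

    # NAT: each route-map must match exactly the interface its NAT statement translates to.
    for header in cfg:
        m = re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload", header)
        if not m:
            continue
        rmap, nat_if = m.groups()
        matched = [i for h, body in cfg.items() if h.startswith(f"route-map {rmap} ")
                   for line in body if line.startswith("match interface ")
                   for i in line.split()[2:]]
        if matched != [nat_if]:
            problems.append(f"route-map {rmap} matches {matched or 'no interface'} "
                            f"but NAT translates to {nat_if}")
    return problems


if __name__ == "__main__":
    print(check_failover(GOOD))  # []
    for problem in check_failover(BAD):
        print("-", problem)
```

Run it against a copy of your own running-config (show running-config pasted to a file) before cutting over: the BAD sample shows the two mistakes that are easiest to make when adapting someone else's config, dropping the host route for the L2TP server and letting both NAT route-maps match both WAN interfaces, both of which the checker reports.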
Once that's all done, the tunnel should come up and you should see Virtual-PPP1 with an IPCP-negotiated address in show ip interface brief:
attree-cisco-dsl#sh ip int br
Interface          IP-Address      OK? Method Status   Protocol
ATM0               unassigned      YES NVRAM  up       up
Dialer1            105.237.x.x     YES IPCP   up       up
FastEthernet0      unassigned      YES unset  up       up
FastEthernet1      unassigned      YES unset  up       down
FastEthernet2      unassigned      YES unset  up       down
FastEthernet3      unassigned      YES unset  up       down
NVI0               10.0.0.253      YES unset  up       up
Virtual-Access1    unassigned      YES unset  up       up
Virtual-PPP1       105.208.x.x     YES IPCP   up       up
Vlan1              10.0.0.253      YES NVRAM  up       up
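Because the fallback is silent (the Dialer1 default route simply takes over when Virtual-PPP1 drops), it is worth checking from the outside which path is actually in use rather than assuming the static IP is live. The following is an added example, not from the original post, that parses show ip interface brief output and reports which WAN interface currently carries the default route, using the same preference order as the static routes. The sample output is the one shown above with its masked octets kept as-is; the tunnel-down variant is constructed.

```python
"""Added example (not from the original post): read 'show ip interface brief'
output and report which WAN path currently carries the default route.

With the routes on this page the tunnel wins while Virtual-PPP1 is up/up and
has an IPCP-negotiated address; otherwise traffic falls back to Dialer1.
"""
from typing import Dict, Optional, Tuple

PPP_UP = "Virtual-PPP1       105.208.x.x     YES IPCP   up       up"

# Output from the page (masked octets kept as-is), trimmed to the WAN-relevant rows.
TUNNEL_UP = f"""\
attree-cisco-dsl#sh ip int br
Interface          IP-Address      OK? Method Status   Protocol
ATM0               unassigned      YES NVRAM  up       up
Dialer1            105.237.x.x     YES IPCP   up       up
NVI0               10.0.0.253      YES unset  up       up
Virtual-Access1    unassigned      YES unset  up       up
{PPP_UP}
Vlan1              10.0.0.253      YES NVRAM  up       up
"""
# Constructed variant: the tunnel has dropped while Dialer1 is still up.
TUNNEL_DOWN = TUNNEL_UP.replace(
    PPP_UP, "Virtual-PPP1       unassigned      YES unset  down     down")


def parse_int_brief(output: str) -> Dict[str, Tuple[str, str, str]]:
    """Map interface name -> (ip, status, protocol).

    Status may be two words ('administratively down'), so the fields are read
    from both ends of the line rather than by fixed position.
    """
    table: Dict[str, Tuple[str, str, str]] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue  # prompt line, header row, or blank
        name, ip, proto = fields[0], fields[1], fields[-1]
        status = " ".join(fields[4:-1])
        table[name] = (ip, status, proto)
    return table


def active_wan(output: str, tunnel: str = "Virtual-PPP1",
               underlay: str = "Dialer1") -> Optional[Tuple[str, str]]:
    """Return (interface, address) of the path now carrying the default route,
    or None when neither WAN interface is usable."""
    table = parse_int_brief(output)
    for name in (tunnel, underlay):  # same preference order as the static routes
        ip, status, proto = table.get(name, ("unassigned", "down", "down"))
        if status == "up" and proto == "up" and ip != "unassigned":
            return name, ip
    return None


if __name__ == "__main__":
    print(active_wan(TUNNEL_UP))    # ('Virtual-PPP1', '105.208.x.x')
    print(active_wan(TUNNEL_DOWN))  # ('Dialer1', '105.237.x.x')
```

Feed it the output of the command over SSH from a monitoring host and alert when the answer changes from the tunnel to Dialer1; while on the fallback, anything you have published on the static IP (port forwards, VPN endpoints) is unreachable even though the office still has internet.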
There you have it. One thing the config above does not do: with a static public IP on Virtual-PPP1 the router is directly reachable from the internet, so put an inbound access list (or a zone-based firewall) on both Virtual-PPP1 and Dialer1 before relying on this in production. For Internet Solutions setups, just don't define a control-channel password in the l2tp-class:
l2tp-class AFRIHOST-PASS
no password
Hope this helps everyone.