Thursday, March 5, 2015

Afrihost L2TP Static IP on Cisco Series ADSL or VDSL Routers

How to get your L2TP static IP working for Afrihost ADSL/VDSL connections (this works the same way for Internet Solutions, they just don't have a shared key for the setup).

First, make sure you have signed up for a static IP with Afrihost; it's R50 extra per month on a business DSL account. Once that's done, here is the setup for your Cisco router (I've done this exact config on both an 877 and a 1921 ISR, so it's pretty universal).

The difference between my setup and other online guides is that mine does proper NAT over both DSL and L2TP, and keeps working if the tunnel is destroyed, meaning you at least still get working internet in case of a failure.

I'll explain each section as necessary:

Enable CEF; L2TP tunnels won't initiate without this on some models:

ip cef

Enable L2TP congestion control. Afrihost has a thing about too many retransmits on the control channel and drops the tunnel frequently without this:

l2tp congestion-control

Define the L2TP class for shared-key authentication; this is just for the tunnel control channel:

l2tp-class AFRIHOST-PASS
 hidden
 authentication
 password h3lp

Define the actual pseudowire class and encapsulation, apply the password class, and define the outgoing device (in this case Dialer1, which is the DSL connection):

pseudowire-class AFRIHOST-STATIC
 encapsulation l2tpv2
 protocol l2tpv2 AFRIHOST-PASS
 ip local interface Dialer1

This is important: define the PVC circuit details for the ATM0 (raw ADSL) link.

interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 8/35 
  pppoe-client dial-pool-number 1

Define the standard ADSL/VDSL authentication process for the Dialer1 device:

interface Dialer1
 description AFRIHOST-ADSL
 ip address negotiated
 no ip proxy-arp
 ip mtu 1492    <-- This is important to prevent packet fragmentation
 ip nat outside
 ip virtual-reassembly max-reassemblies 256
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname USERNAME@afrihost.co.za
 ppp chap password PASSWORD
 ppp pap sent-username USERNAME@afrihost.co.za password PASSWORD
 ppp ipcp dns request

Now we define the actual L2TP tunnel and virtual device for the router; 196.30.121.50 is the endpoint for the Afrihost L2TP server.

interface Virtual-PPP1
 description Afrihost-Static-IP
 bandwidth 100000
 ip address negotiated
 ip mtu 1460    <-- This is important to prevent packet fragmentation
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ppp pap sent-username USERNAME@afrihost.co.za password 0 PASSWORD
 pseudowire 196.30.121.50 1 pw-class AFRIHOST-STATIC

Now we define routes. Make sure the L2TP server itself always goes out over Dialer1 with the highest priority, otherwise the tunnel would try to reach its own endpoint through itself once it is up. We also add two default routes, with Virtual-PPP1 preferred (the trailing number is the administrative distance, lower wins), but if it goes down for any reason we have a fallback over Dialer1.

ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 196.30.121.50 255.255.255.255 Dialer1
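
A small sanity check for the route set above, added here as example code and not part of the original post: it parses the `ip route` lines, confirms that the L2TP endpoint has a /32 host route leaving via the DSL interface (so the tunnel never routes its own endpoint through itself), and confirms that the tunnel default route has the lower administrative distance so the DSL default is a floating fallback. The interface names, endpoint address and distances are the ones from the config above; the two "broken" variants are constructed to show what the check catches. It only understands the plain `ip route PREFIX MASK NEXTHOP [DISTANCE]` form used on this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    network: ipaddress.IPv4Network
    next_hop: str   # interface name or next-hop address, as written in the config
    distance: int   # administrative distance; IOS default for a static route is 1


def parse_ip_routes(config_text: str) -> list:
    """Parse `ip route PREFIX MASK NEXTHOP [DISTANCE]` lines from an IOS config."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        prefix, mask, next_hop = parts[2], parts[3], parts[4]
        distance = int(parts[5]) if len(parts) > 5 and parts[5].isdigit() else 1
        network = ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False)
        routes.append(StaticRoute(network, next_hop, distance))
    return routes


def check_tunnel_routing(config_text: str, endpoint: str,
                         tunnel_if: str, underlay_if: str) -> list:
    """Return a list of problems; an empty list means the route set is sane."""
    routes = parse_ip_routes(config_text)
    problems = []
    ep = ipaddress.IPv4Address(endpoint)

    # 1. The tunnel endpoint needs a host route that bypasses the tunnel.
    host_routes = [r for r in routes if r.network.prefixlen == 32 and ep in r.network]
    if not host_routes:
        problems.append(f"no /32 host route for {endpoint}; once {tunnel_if} is up, "
                        f"its default route would swallow the endpoint traffic")
    elif not any(r.next_hop == underlay_if for r in host_routes):
        problems.append(f"host route for {endpoint} does not exit via {underlay_if}")

    # 2. Two default routes: tunnel preferred, underlay as floating static.
    defaults = {r.next_hop: r.distance for r in routes if r.network.prefixlen == 0}
    if tunnel_if not in defaults:
        problems.append(f"no default route via {tunnel_if}")
    if underlay_if not in defaults:
        problems.append(f"no default route via {underlay_if}; nothing to fall back to")
    elif tunnel_if in defaults and defaults[tunnel_if] >= defaults[underlay_if]:
        problems.append(f"default via {tunnel_if} (distance {defaults[tunnel_if]}) is not "
                        f"preferred over {underlay_if} (distance {defaults[underlay_if]})")
    return problems


# Route set exactly as on the page.
PAGE_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 196.30.121.50 255.255.255.255 Dialer1
"""

# Constructed variant: the endpoint host route was forgotten.
MISSING_HOST_ROUTE = """\
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
"""

# Constructed variant: distances swapped, so DSL would always win.
SWAPPED_DISTANCES = """\
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 10
ip route 0.0.0.0 0.0.0.0 Dialer1 5
ip route 196.30.121.50 255.255.255.255 Dialer1
"""

ENDPOINT, TUNNEL_IF, UNDERLAY_IF = "196.30.121.50", "Virtual-PPP1", "Dialer1"

if __name__ == "__main__":
    for label, cfg in [("page", PAGE_ROUTES), ("missing host route", MISSING_HOST_ROUTE),
                       ("swapped distances", SWAPPED_DISTANCES)]:
        print(label, "->", check_tunnel_routing(cfg, ENDPOINT, TUNNEL_IF, UNDERLAY_IF) or "OK")
```

Run it against your own running config (`show running-config | include ^ip route`) to make sure the three lines survived a copy-and-paste; the first finding it raises is the one that produces a tunnel that comes up and then immediately flaps.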

We define two local access lists (you'll see why further down the page):

access-list 1 permit 10.0.0.0 0.0.15.255
access-list 2 permit 10.0.0.0 0.0.15.255

Now we create route maps for each interface so that NAT works on both; simply defining the interface overloads on their own will only allow ONE of them to work:

route-map WAN1-NAT permit 1
 match ip address 1
 match interface Virtual-PPP1 Dialer1

route-map WAN2-NAT permit 1
 match ip address 2
 match interface Dialer1 Virtual-PPP1

Then we create the NAT overloads for both outgoing interfaces; this way NAT works both over normal DSL and when the L2TP tunnel is active:

ip nat inside source route-map WAN1-NAT interface Virtual-PPP1 overload
ip nat inside source route-map WAN2-NAT interface Dialer1 overload

Once that's all done, the tunnel should come up, and you should see it in your show ip interface brief output:

attree-cisco-dsl#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
Dialer1                    105.237.x.x     YES IPCP   up                    up
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
NVI0                       10.0.0.253      YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-PPP1               105.208.x.x     YES IPCP   up                    up
Vlan1                      10.0.0.253      YES NVRAM  up                    up
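
If you want to watch this from a monitoring box rather than by eye, here is an added example (not from the original post) that parses `show ip interface brief` output and reports whether the static-IP tunnel is actually usable: Dialer1 and Virtual-PPP1 both up/up, with an address negotiated over IPCP rather than left unassigned. The healthy sample is the output shown above (addresses masked as on the page); the degraded sample is constructed to show a tunnel whose line protocol never came up. How you fetch the output from the router (SSH, console log) is up to you; the function just takes the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IfState:
    name: str
    ip: str
    method: str
    status: str
    protocol: str


def parse_ip_int_brief(output: str) -> dict:
    """Parse `show ip interface brief` into {interface name: IfState}.

    The Status column may contain a space ("administratively down"), so the
    fixed fields are taken from both ends of the line and whatever remains in
    the middle is the status.
    """
    table = {}
    for line in output.splitlines():
        tokens = line.split()
        # skip blank lines, the echoed prompt/command and the column header
        if len(tokens) < 6 or tokens[0] == "Interface" or "#" in tokens[0]:
            continue
        name, ip, _ok, method = tokens[:4]
        protocol = tokens[-1]
        status = " ".join(tokens[4:-1])
        table[name] = IfState(name, ip, method, status, protocol)
    return table


def tunnel_health(output: str, tunnel_if: str = "Virtual-PPP1",
                  underlay_if: str = "Dialer1") -> list:
    """Return a list of problems; an empty list means the static IP is in service."""
    table = parse_ip_int_brief(output)
    problems = []
    for ifname in (underlay_if, tunnel_if):
        state = table.get(ifname)
        if state is None:
            problems.append(f"{ifname}: not present in output")
            continue
        if state.status != "up" or state.protocol != "up":
            problems.append(f"{ifname}: {state.status}/{state.protocol}")
            continue
        # up/up but no PPP-negotiated address means the peer never gave us one
        if state.method != "IPCP" or state.ip == "unassigned":
            problems.append(f"{ifname}: no address negotiated "
                            f"(method {state.method}, address {state.ip})")
    return problems


# Output as shown on the page (public addresses masked as x.x there).
HEALTHY = """\
attree-cisco-dsl#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
Dialer1                    105.237.x.x     YES IPCP   up                    up
FastEthernet0              unassigned      YES unset  up                    up
NVI0                       10.0.0.253      YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-PPP1               105.208.x.x     YES IPCP   up                    up
Vlan1                      10.0.0.253      YES NVRAM  up                    up
"""

# Constructed: DSL is fine, but the L2TP tunnel never negotiated.
DEGRADED = """\
attree-cisco-dsl#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
Dialer1                    105.237.x.x     YES IPCP   up                    up
Virtual-PPP1               unassigned      YES unset  up                    down
Vlan1                      10.0.0.253      YES NVRAM  administratively down down
"""

if __name__ == "__main__":
    print("healthy ->", tunnel_health(HEALTHY) or "OK")
    print("degraded ->", tunnel_health(DEGRADED) or "OK")
```

Because the default routes fall back to Dialer1, a dead tunnel does not look like an outage from the LAN; outbound traffic just silently leaves from the dynamic DSL address instead of the static one, which is exactly the case this check is meant to surface.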

There you have it. For Internet Solutions setups, just don't define a control channel password:

l2tp-class AFRIHOST-PASS
 no password

Hope this helps everyone.

2 comments:

  1. Hi Kim,

    Thanks for the info. How will this configuration be affected when Afrihost switches all their clients to their new network on 21 October 2015? Afrihost mentions that L2TP is not used on their new network. What will the new configuration look like? Thanks. Philip

  2. PS! Apparently the only thing that needs to be changed at the client side router configuration is that L2TP should be disabled.
