This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
=Setting up OpenL2TP=
The OpenL2TP [http://www.openl2tp.org/downloads download page]
This is the configuration I'm using -- with my IP addresses and tunnel secret removed, naturally! If you don't want tunnel authentication, leave out the 'secret=' and 'auth_mode=' lines.
<pre>
peer profile create profile_name=doubtless
peer profile modify profile_name=doubtless \
    tunnel_profile_name= \
    session_profile_name= \
    ppp_profile_name= \
    peer_ipaddr=90.155.53. \
    peer_port=1701

peer profile create profile_name=careless
peer profile modify profile_name=careless \
    tunnel_profile_name=aaisp-in \
    peer_ipaddr=90.155.53.9 \
    peer_port=1701

tunnel profile create profile_name=
# leave out the secret= and auth_mode= lines if you don't want tunnel authentication
tunnel profile modify profile_name= \
    secret=<your secret here> \
    auth_mode=challenge \
    src_ipaddr=<your LNS IP> \
    our_udp_port=1701 \
    peer_profile_name= \
    session_profile_name=aaisp-in \
    ppp_profile_name=aaisp-in

session profile create profile_name=
session profile modify profile_name= \
    ppp_profile_name=

ppp profile create profile_name=
ppp profile modify profile_name= \
    auth_pap=yes \
    auth_chap=yes \
    local_ipaddr=<IP address of LNS endpoint on PPP link> \
    remote_ipaddr=<IP address to give to SIM>
</pre>
I needed the src_ipaddr line in the tunnel profile because my LNS machine has several IP addresses on the same subnet, and the one that the LNS should be using is not the primary IP. openl2tp does not record the IP address that an L2TP packet arrived on and use that as the source address for the reply; adding src_ipaddr fixes that.
=Authentication=
Enabling tunnel authentication lets you be confident that you really are talking to doubtless or careless, and not some other LAC. Without it, you are limited to trusting the incoming IP address. What this doesn't do is authenticate the individual PPP sessions carried over the tunnel. doubtless
=Musings=
PPP over GPRS connections is a bit, well, weird. The PPP connection that pppd on your laptop establishes is not all the way through to your LNS as you might expect. It isn't even terminated in the mobile network -- it's actually terminated on the modem. What this means is that the username and password you give to pppd are verified by the modem -- which just accepts anything you supply.
The proxy authentication username that the LAC presents is a UK 07xxx phone number. It also presents a CHAP authentication ID, challenge and response. These are ignored unless you enable allow_ppp_proxy
The 'calling number' and 'called number' in the incoming call request are the SIM's ICCID.
=Things to do=
* Work out how to identify individual SIMs and supply the correct IP address to each one. If you set 'auth_none' to 'no' in the ppp profile then PPP forces the other end to authenticate -- this is separate from the PPP proxy authentication although it uses the same username and secret. The username is currently a telephone number (447...) so I think I can use that.