This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Category:L2TP Handover: Difference between revisions

[[Category:Control Pages]]
[[Category:Internet]]
 
 
=Related Pages on the A&A Website:=
[[File:Clueless-SIM-l2tp.png|none|frame|L2TP relay settings on the Control Pages]]
 
 
=Setting up L2TP Server on FireBrick=
=Your L2TP Server Settings=
 
==Setting up L2TP Server on FireBrick==
[[File:L2tp-sessions.png|none|frame|FireBrick Status Page]]
 
[[FireBrick L2TP Server]]
 
==Setting up OpenL2TP==
 
This page documents my experiments setting up an LNS for my RevMobile data SIMs; see also [[FireBrick L2TP Server|How to set up L2TP on a FireBrick]].
I needed the src_ipaddr line in the tunnel profile because my LNS machine has several IP addresses on the same subnet, and the one that the LNS should be using is not the primary IP. openl2tp does not record the IP address that an L2TP packet came to and use that as the source address for the reply ... adding src_ipaddr fixes that.
 
===Authentication===
 
Enabling tunnel authentication lets you be confident that you really are talking to doubtless or careless, and not some other LAC. Without it you are limited to just trusting the incoming IP address. What this doesn't do is authenticate the individual PPP sessions over the tunnel. doubtless and careless supply a CHAP username (the SIM's ICCID), challenge and response which will be verified if you enable PPP proxy authentication. The secret that is used is so obvious that it took me nearly 2 months to work it out. It's "password", without the quotes.
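
The check that PPP proxy authentication performs on the forwarded CHAP values, shown as an added example (it is not part of the original page and is not openl2tp's code). It uses the RFC 1994 MD5 construction; the <code>proxy</code> dict layout, the ICCID-shaped name, the identifier and the challenge are constructed for illustration, and the secret is the one stated above.

```python
import hashlib
import hmac

# Secret as stated on this page for the LACs' proxied CHAP.
SHARED_SECRET = b"password"

def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify_proxy_chap(proxy: dict, secret: bytes = SHARED_SECRET):
    """Return the claimed username if the proxied response checks out, else None.

    `proxy` is a hypothetical dict holding the values the LAC forwards in the
    L2TP Proxy Authen Name / ID / Challenge / Response AVPs (RFC 2661).
    """
    response = proxy.get("response", b"")
    challenge = proxy.get("challenge", b"")
    if len(response) != 16 or not challenge:
        return None  # malformed: an MD5 digest is always 16 octets
    expected = chap_md5_response(proxy["id"], secret, challenge)
    # Constant-time compare so timing does not leak matching prefix length.
    if not hmac.compare_digest(expected, response):
        return None
    # A match proves knowledge of the shared secret only; the username
    # (the SIM's ICCID) is still just a claim made by the far end.
    return proxy["name"]

def sample_proxy() -> dict:
    """Constructed sample values, not captured traffic."""
    ident, challenge = 0x2A, bytes(range(16))
    return {
        "name": "8944000000000000000",  # constructed ICCID-shaped string
        "id": ident,
        "challenge": challenge,
        "response": chap_md5_response(ident, SHARED_SECRET, challenge),
    }

if __name__ == "__main__":
    good = sample_proxy()
    bad = dict(good, response=bytes(16))  # tampered response
    print("good:", verify_proxy_chap(good))
    print("bad: ", verify_proxy_chap(bad))
```
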
 
===Musings===
 
PPP over GPRS connections is a bit, well, weird. The PPP connection that pppd on your laptop establishes is not all the way through to your LNS as you might expect. It isn't even terminated in the mobile network -- it's actually terminated on the modem. What this means is that the username and password you give to pppd are verified by the modem -- which just accepts anything you supply.
[[Mobile_IPv6|IPv6]]
 
===Things to do===
 
Work out how to identify individual SIMs and supply the correct IP address to each one. If you set 'auth_none' to 'no' in the ppp profile then PPP forces the other end to authenticate -- this is separate from the PPP proxy authentication although it uses the same username and secret. The username is currently a telephone number (447...) so I think I can use that.
My Huawei K4505 doesn't offer a remote address if it doesn't get one from the peer. In this situation, Linux picks 10.64.64.64. My Nokia E51 offers 10.6.6.6 in this situation.
 
===PPP observations===
 
Microsoft's PPP implementations up to and including Vista still believe in classful addressing. If you don't want the PPP interface to be the default route, then if they are given a 'class A' address they assume a netmask of 255.0.0.0 and set a corresponding network route, similarly for class B and C addresses. Windows 7 has the option to disable this automatic classful route if you don't set the default route. Nice one Microsoft :-)