Category:L2TP Handover: Difference between revisions

(53 intermediate revisions by 4 users not shown)

= Older revision =

=Related Pages on the A&A Website:=

*[http://www.aaisp.net.uk/kb-telecoms-mobilel2tp.html www.aaisp.net.uk/kb-telecoms-mobilel2tp.html]

----

= Overview =

Data SIMs from A&A can be terminated at A&A (in which case you'll get a static public IP) or A&A can relay the L2TP on to your own server.

This page documents my experiments setting up an LNS for my RevMobile data SIMs.

For the LNS, I used [http://www.openl2tp.org/ OpenL2TP] running on Linux ([http://www.debian.org/ Debian] 'squeeze'). I did some experiments with xl2tpd as well.

=Setting up OpenL2TP=

The OpenL2TP [http://www.openl2tp.org/downloads download page] offers version 1.8, which compiles straight out of the tarball.

This is the configuration I'm using, with my IP addresses and tunnel secret removed, naturally! If you don't want tunnel authentication, leave out the 'secret=' and 'auth_mode=' lines.

<pre>
# Incoming tunnels are matched on their source address: 90.155.53.8 (doubtless)
# and 90.155.53.9 (careless) are the A&A LACs that relay the SIM sessions.
peer profile create profile_name=doubtless
peer profile modify profile_name=doubtless \
        tunnel_profile_name=aaisp-in \
        session_profile_name=aaisp-in \
        ppp_profile_name=aaisp-in \
        peer_ipaddr=90.155.53.8 \
        peer_port=1701

peer profile create profile_name=careless
peer profile modify profile_name=careless \
        tunnel_profile_name=aaisp-in \
        session_profile_name=aaisp-in \
        ppp_profile_name=aaisp-in \
        peer_ipaddr=90.155.53.9 \
        peer_port=1701

# Leave out the secret= and auth_mode= lines if you don't want tunnel authentication.
tunnel profile create profile_name=aaisp-in
tunnel profile modify profile_name=aaisp-in \
        secret=<your secret here> \
        auth_mode=challenge \
        src_ipaddr=<your LNS IP> \
        our_udp_port=1701 \
        mtu=1500 \
        peer_profile_name=aaisp-in \
        session_profile_name=aaisp-in \
        ppp_profile_name=aaisp-in

session profile create profile_name=aaisp-in
session profile modify profile_name=aaisp-in \
        ppp_profile_name=aaisp-in

# PAP and CHAP are accepted from the SIM; auth_none=yes also lets a session up
# without PPP authentication (see "Things to do" below).
ppp profile create profile_name=aaisp-in
ppp profile modify profile_name=aaisp-in \
        auth_pap=yes \
        auth_chap=yes \
        auth_mschapv1=no \
        auth_mschapv2=no \
        auth_eap=no \
        auth_none=yes \
        auth_peer=no \
        dns_ipaddr_pri=<DNS IP to give to SIM> \
        local_ipaddr=<IP address of LNS endpoint on PPP link> \
        remote_ipaddr=<IP address to give to SIM>
</pre>

I needed the src_ipaddr line in the tunnel profile because my LNS machine has several IP addresses on the same subnet, and the one that the LNS should be using is not the primary IP. openl2tp does not record the IP address that an L2TP packet came to and use that as the source address for the reply; adding src_ipaddr fixes that.

=Authentication=

Enabling tunnel authentication lets you be confident that you really are talking to doubtless or careless, and not some other LAC. Without it you are limited to just trusting the incoming IP address. What this doesn't do is authenticate the individual PPP sessions over the tunnel. doubtless and careless supply a CHAP username (the SIM's ICCID), challenge and response, which will be verified if you enable PPP proxy authentication. The secret that is used is so obvious that it took me nearly 2 months to work it out. It's "password", without the quotes.
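The two checks described above, as an added example that is not part of the original page: L2TP tunnel authentication (RFC 2661, section 5.1.1) and the PPP proxy-authentication CHAP triple (RFC 1994) both use MD5(identifier || secret || challenge), so the LNS-side verification of each is the same few lines. The tunnel secret, challenges and CHAP id below are constructed values, not captured traffic.

```python
import hashlib
import hmac
import os

# For L2TP the identifier is the control-message type of the message carrying
# the Challenge Response AVP (2 = SCCRP, 3 = SCCCN); for CHAP it is the one-byte
# CHAP identifier sent with the challenge.
SCCRP = 2
SCCCN = 3


def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def tunnel_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response value a peer places in its SCCRP (2) or SCCCN (3)."""
    return md5_response(msg_type, secret, challenge)


def lac_authenticated(our_challenge: bytes, sccn_response: bytes, secret: bytes) -> bool:
    """LNS side: the LAC's SCCCN must answer the challenge we sent in our SCCRP."""
    expected = tunnel_response(SCCCN, secret, our_challenge)
    return hmac.compare_digest(expected, sccn_response)  # constant-time compare


def chap_proxy_authenticated(chap_id: int, challenge: bytes, response: bytes,
                             secret: bytes = b"password") -> bool:
    """Verify the proxy-auth CHAP triple the LAC forwards. The secret is the fixed
    'password' the page describes, so a match only shows the LAC relayed the triple
    intact; it says nothing about which SIM is behind the session."""
    return hmac.compare_digest(md5_response(chap_id, secret, challenge), response)


def demo() -> dict:
    # Constructed sample exchange. tunnel_secret stands in for the 'secret=' value
    # of the tunnel profile; the LNS challenge is random per tunnel.
    tunnel_secret = b"example-tunnel-secret"
    our_challenge = os.urandom(16)
    good_sccn = tunnel_response(SCCCN, tunnel_secret, our_challenge)
    other_secret_sccn = tunnel_response(SCCCN, b"not-our-secret", our_challenge)
    # Proxy-auth CHAP triple as the LAC would present it for one session.
    chap_id = 0x2A
    chap_challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")
    chap_response = md5_response(chap_id, b"password", chap_challenge)
    return {
        "lac_ok": lac_authenticated(our_challenge, good_sccn, tunnel_secret),
        "wrong_secret": lac_authenticated(our_challenge, other_secret_sccn, tunnel_secret),
        "chap_ok": chap_proxy_authenticated(chap_id, chap_challenge, chap_response),
        "stale_chap": chap_proxy_authenticated(chap_id, os.urandom(16), chap_response),
    }
```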
=Musings=

PPP over GPRS connections is a bit, well, weird. The PPP connection that pppd on your laptop establishes does not go all the way through to your LNS as you might expect. It isn't even terminated in the mobile network: it's actually terminated on the modem. What this means is that the username and password you give to pppd are verified by the modem, which just accepts anything you supply.

The proxy authentication username that the LAC presents is a UK 07xxx phone number. It also presents a CHAP authentication ID, challenge and response. These are ignored unless you enable allow_ppp_proxy.

The 'calling number' and 'called number' in the incoming call request are the SIM's ICCID.

The two devices that I've been using, a Vodafone (Huawei) K4505 and a Nokia E51, behave noticeably differently when it comes to PPP and particularly IPCP.

=Things to do=

* Work out how to identify individual SIMs and supply the correct IP address to each one. If you set 'auth_none' to 'no' in the ppp profile then PPP forces the other end to authenticate; this is separate from the PPP proxy authentication although it uses the same username and secret. The username is currently a telephone number (447...) so I think I can use that.
= Latest revision as of 21:00, 11 August 2019 =

<indicator name="Front">[[File:Menu-datasim.svg|link=:Category:Data SIMs|30px|Back up to the Data SIM Category Page]]</indicator><indicator name="L2TP">[[File:Menu-L2TP.svg|link=:Category:L2TP|30px|Back up to the L2TP Category]]</indicator>

= Mobile and DSL L2TP Handover: Overview =

Our "data-only" SIMs allow for the possibility of L2TP handover to your own LNS. (Note: our SIP2SIM SIMs don't have this ability - sorry.)

Less common, but still possible, is relaying a DSL circuit to your own LNS, e.g. an ADSL, VDSL, FTTP etc. circuit.

This means that the data SIM (or DSL line) connects directly into your network, and you control the IP address allocation, routing and any firewalling or filtering as you wish.

The settings for a SIM can be set on the control pages. For DSL connections the L2TP settings are set by staff, so please do contact them for any changes or setup. The information that would be requested is:

*Target IP (with an optional backup IP) - the L2TP server at your side
*Host - the hostname we present
*Secret - the password we use (optional)

=SIM Configuration=

==Accessing This Feature==

Access is via the Control Pages as follows:

{{CPbox|#Log in to the Control Pages with your xxx@a login
#Click on the SIM ICCID you want to edit
#Fill in the L2TP relay information there}}

You can enter the IP address of your LNS (and an alternative if you like), and a shared secret if you want to do tunnel authentication.

[[File:Clueless-SIM-l2tp.png|none|frame|L2TP relay settings on the Control Pages]]

==DSL Configuration==

*Wholesalers will usually already have their configuration set to relay based on their realm.
*For individual circuits please contact staff to set up relaying on to your own L2TP server.

=Technical Pages=

For more technical information, please see:

*[[L2TP Tunnels and Credentials|L2TP Sessions and Credentials]]
*[[Mobile L2TP Technical|Mobile L2TP Technical information]]

=Device Configuration=

See the pages below for example configurations of L2TP servers.

[[Category:Mobile]]