Wednesday, April 22, 2009

Configuring multiple PPTP dialin on vrfs

Hi all, I spent a lot of time this week replacing our unstable PPTP "servers" (3 x PIII Linux black boxes) by merging them into a single Cisco 2811.

First, as usual, I read some docs:

- Shivlu's great post "IP Dialing From PC To LNS"

- Cisco IOS Dial Technologies Configuration Guide

Then I built a configuration like this, using VRFs to keep the different services isolated:


ip vrf vpn-1
rd 1:1
vpn id 0:1
route-target export 1:1
route-target import 1:1
!
aaa new-model
!
aaa group server radius radius-vpn-1
server-private 192.168.10.10 auth-port 1812 acct-port 1813 non-standard retransmit 1 key abcd
ip vrf forwarding vpn-1
ip radius source-interface FastEthernet0/0.10
!
aaa authentication ppp authentication-vpn-1 group radius-vpn-1
aaa authorization exec authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa authorization network authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting network accounting-vpn-1
action-type stop-only
group radius-vpn-1
!
ip address-pool local
!
vpdn enable
!
vpdn-group 1
description vpdn for vpn-1
accept-dialin
protocol pptp
virtual-template 1
vpn vrf vpn-1
source-ip A.B.C.D
local name vpn-1
!
class-map match-any peer-2-peer
match protocol bittorrent
match protocol gnutella
match protocol winmx
match protocol edonkey
match protocol kazaa2
match protocol fasttrack
!
policy-map QoS-vpn-1
class peer-2-peer
police 8000 conform-action drop exceed-action drop violate-action drop
class class-default
bandwidth 10240
policy-map PARENT-QoS-vpn-1
class class-default
shape average percent 100
service-policy QoS-vpn-1
!
!
interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding vpn-1
ip address A.B.C.D 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface FastEthernet0/0.101
encapsulation dot1Q 101
ip vrf forwarding vpn-1
ip address 10.1.6.3 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface Virtual-Template1
ip vrf forwarding vpn-1
ip unnumbered FastEthernet0/0.10
peer default ip address pool PPTPPool
ppp pfc local forbid
ppp pfc remote reject
ppp encrypt mppe auto
ppp authentication ms-chap-v2 authentication-vpn-1
ppp authorization authorization-vpn-1
ppp accounting accounting-vpn-1
!
ip local pool PPTPPool 10.1.6.50 10.1.6.200
!
ip route vrf vpn-1 0.0.0.0 0.0.0.0 10.1.6.1


Let's go through the various config sections, in a sort of "operational" order:

1) Create the VRF for this PPTP VPN. Multiple PPTP dialin services need multiple VRFs; I've configured 3 VRFs on the same 2811.
ip vrf vpn-1
rd 1:1
vpn id 0:1
route-target export 1:1
route-target import 1:1


2) Configure the subinterfaces (here I didn't use loopbacks). Obviously, the service-policy can only be applied after the class-map and policy-map have been created.
A.B.C.D is the public address for this VPN.

interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding vpn-1
ip address A.B.C.D 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface FastEthernet0/0.101
encapsulation dot1Q 101
ip vrf forwarding vpn-1
ip address 10.1.6.3 255.255.255.0
service-policy output PARENT-QoS-vpn-1


3) Configure routing for the VRF. Here I used a simple static default route for each VRF.
ip route vrf vpn-1 0.0.0.0 0.0.0.0 10.1.6.1

Before proceeding, it's a good idea to check the VRF routing table and RADIUS reachability with "show ip route vrf vpn-1" and "ping vrf vpn-1 x.y.z.x" ;-)

4) Configure per-VRF AAA using server groups.
aaa new-model
!
aaa group server radius radius-vpn-1
server-private 192.168.10.10 auth-port 1812 acct-port 1813 non-standard retransmit 1 key abcd
ip vrf forwarding vpn-1
ip radius source-interface FastEthernet0/0.10
!
aaa authentication ppp authentication-vpn-1 group radius-vpn-1
aaa authorization exec authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa authorization network authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting network accounting-vpn-1
action-type stop-only
group radius-vpn-1

I use FreeRADIUS; 1812/1813 are the FreeRADIUS standard ports for authentication and accounting.
The address of the "ip radius source-interface" is what goes into the NAS-IP-Address RADIUS attribute; it's useful if you use a single RADIUS server and need to tell the different VPNs apart.
Read the "Understanding IOS Local AAA" post on Internetwork Expert's blog if you want "more spice" playing with VRFs on PPP interfaces ;-)

5) Configure the IP address pool for PPTP users

ip address-pool local
!
ip local pool PPTPPool 10.1.6.50 10.1.6.200

You need a pool for each VPN/VRF; see the virtual-template configuration below.
Note: I've reserved the addresses from 200 to 255 for administrative use; the simplest way to do this is to add entries like the following to the FreeRADIUS "users" file:
marco.rizzi     NAS-IP-Address == "A.B.C.D"
        Framed-IP-Address = 10.1.6.228,
        Reply-Message = "Hello, %u"


6) Create the virtual template for PPTP users
interface Virtual-Template1
ip vrf forwarding vpn-1
ip unnumbered FastEthernet0/0.10
peer default ip address pool PPTPPool
ppp pfc local forbid
ppp pfc remote reject
ppp encrypt mppe auto
ppp authentication ms-chap-v2 authentication-vpn-1
ppp authorization authorization-vpn-1
ppp accounting accounting-vpn-1

Note the IP pool configuration, and that authentication, authorization and accounting all go through the per-VRF method lists and server group.

7) Configure the vpdn-group
vpdn enable
!
vpdn-group 1
description vpdn for vpn-1
accept-dialin
protocol pptp
virtual-template 1
vpn vrf vpn-1
source-ip A.B.C.D
local name vpn-1

The "source-ip" is the address (on the subinterface) on which this vpdn-group accepts incoming PPTP connections.

8) [optional] Configure some QoS.

class-map match-any peer-2-peer
match protocol bittorrent
match protocol gnutella
match protocol winmx
match protocol edonkey
match protocol kazaa2
match protocol fasttrack
!
policy-map QoS-vpn-1
class peer-2-peer
police 8000 conform-action drop exceed-action drop violate-action drop
class class-default
bandwidth 10240
policy-map PARENT-QoS-vpn-1
class class-default
shape average percent 100
service-policy QoS-vpn-1

(don't forget to apply it under the interfaces with "service-policy")
One of my PPTP VPN services lets users coming from internal (private) addresses receive a public IP address; here the need is to drop peer-to-peer traffic completely, at least the unencrypted kind, just to avoid wasting the 2811's CPU cycles ;-)
The maximum available bandwidth is also limited to 10 Mbps... more than enough for my users' requirements.
(with 20 users connected and 2 Mbps of traffic, CPU reaches 40%...)
See Ardeen Packeer's post "QOS: Applying CBWFQ to a sub-interface" to understand why a nested policy with shaping is needed.
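As an added example (my own code, not from the post or from Cisco), here is a small Python check that parses an IOS-style config and verifies the per-VRF wiring that steps 1 to 7 set up: the virtual-template and the interface it is unnumbered to both sit in the vpdn-group's VRF, MPPE is enabled, and the RADIUS server group behind the PPP authentication list is bound to that same VRF. The embedded config and the two mistakes in it are constructed, and the function and message names are mine.

```python
# Added example (not from the post): consistency check for the per-VRF PPTP pieces the post
# wires together. SAMPLE_CONFIG is constructed with the one-space child indentation that
# "show running-config" prints; on purpose, its radius group is bound to the wrong VRF and
# the FastEthernet0/0.10 subinterface is left out, so the checker has something to report.
SAMPLE_CONFIG = """\
aaa group server radius radius-vpn-1
 ip vrf forwarding vpn-2
aaa authentication ppp authentication-vpn-1 group radius-vpn-1
vpdn-group 1
 protocol pptp
 virtual-template 1
 vpn vrf vpn-1
interface Virtual-Template1
 ip vrf forwarding vpn-1
 ip unnumbered FastEthernet0/0.10
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 authentication-vpn-1
"""

def parse_blocks(text):  # map each top-level IOS statement to its (stripped) child lines
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() and raw[0] not in " !":
            current = raw.strip()
            blocks[current] = []
        elif raw.strip() and current is not None:
            blocks[current].append(raw.strip())
    return blocks

def child(kids, prefix):  # argument of the first child line starting with prefix, else None
    return next((k[len(prefix):].strip() for k in kids if k.startswith(prefix)), None)

def check_pptp_vrf(text):
    """Return findings; an empty list means each PPTP vpdn-group stays inside its own VRF."""
    blocks, findings = parse_blocks(text), []
    auth = {h.split()[3]: h.split()[5] for h in blocks if h.startswith("aaa authentication ppp ")}
    for header, kids in blocks.items():
        if not header.startswith("vpdn-group ") or "protocol pptp" not in kids:
            continue
        vrf, vt = child(kids, "vpn vrf "), child(kids, "virtual-template ")
        vt_kids = blocks.get(f"interface Virtual-Template{vt}", [])
        report = lambda msg: findings.append(f"{header}: {msg}")
        for ifname in (f"Virtual-Template{vt}", child(vt_kids, "ip unnumbered ")):
            if child(blocks.get(f"interface {ifname}", []), "ip vrf forwarding ") != vrf:
                report(f"interface {ifname} is missing or not in vrf {vrf}")
        if child(vt_kids, "ppp encrypt mppe") is None:
            report("no MPPE on the virtual-template: PPP payload would be cleartext")
        group = auth.get(child(vt_kids, "ppp authentication ms-chap-v2 "))
        if child(blocks.get(f"aaa group server radius {group}", []), "ip vrf forwarding ") != vrf:
            report(f"radius group {group} is not bound to vrf {vrf}")
    return findings
```

Run it against a "show running-config" dump of a router with several vpdn-groups and every group that leaks out of its VRF, or lacks MPPE, shows up in the returned list.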


Finally, Cisco Document ID 42887, "PPP Troubleshooting Flowchart", was more than useful for debugging the configuration.
