PPP configurations

Status
Not open for further replies.

trevorh13

Instructor
Sep 18, 2000
132
GB
I am trying to set up a basic link between two 2501's in the lab. They are connected back to back via s0. The configs are as follows:

Router1

interface Ethernet0
ip address 192.32.10.1 255.255.255.0
no keepalive
!
interface Serial0
ip address 192.32.11.1 255.255.255.0
encapsulation ppp
no keepalive
ppp authentication pap
ppp pap sent-username router password 7 00141215174C04140B
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.32.11.2
!
line con 0
line aux 0
line vty 0 4
login
!
end

Can anyone help me identify where I have gone wrong with this? Any help would be greatly appreciated.

Cheers.

Router2

interface Ethernet0
ip address 192.32.12.1 255.255.255.0
no keepalive
!
interface Serial0
ip address 192.32.11.2 255.255.255.0
encapsulation ppp
no keepalive
clockrate 56000
ppp authentication pap
ppp pap sent-username router password 7 051B071C325B411B1D
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.32.11.1
!
line con 0
line aux 0
line vty 0 4
login
!
end

Router#
 
click here and you will need a CCO login.



Here's a paste of the site!!


These configurations can be used for routers connected via leased lines or routers that have the channel service unit/data service unit (CSU/DSU) or ISDN terminal adapter (TA) configured to dial (Cisco routers have not been configured to dial telephone numbers).


Network Diagram


Configurations
Cisco 2509
hostname 2509
!

username 2511 password cisco
username tito password cisco
no ip domain-lookup
!
interface Loopback0
ip address 192.168.10.2 255.255.255.0

interface Serial0
no ip address
encapsulation ppp
dialer in-band
dialer rotary-group 1
no fair-queue
pulse-time 1
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer rotary-group 1
no fair-queue
clockrate 56000
pulse-time 1
!
interface Dialer1
ip unnumbered Loopback0
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer map ip 192.168.20.1 name 2511 broadcast
dialer load-threshold 2 either
dialer-group 1
no fair-queue
ppp authentication chap
ppp multilink
ppp direction callout <-- this is a hidden command - see the note below.

!

ip route 192.168.20.1 255.255.255.255 Dialer1

dialer-list 1 protocol ip permit


!
end

2509#

Cisco 2511
version 11.2
!
hostname 2511
!
username 2509 password 0 cisco
username tito password 0 cisco
!
interface Loopback0
ip address 192.168.20.1 255.255.255.0
!
interface Serial0
no ip address
encapsulation ppp
dialer in-band
dialer rotary-group 1
no fair-queue
pulse-time 1
!
interface Serial1
no ip address
encapsulation ppp
dialer in-band
dialer rotary-group 1
no fair-queue
clockrate 56000
pulse-time 1
!
interface Dialer1
ip unnumbered Loopback0
encapsulation ppp
dialer in-band
dialer idle-timeout 999
dialer map ip 192.168.10.2 name 2509 broadcast
dialer load-threshold 2 either
dialer-group 1
no fair-queue
ppp authentication chap
!
ip route 192.168.10.2 255.255.255.255 Dialer1
!
dialer-list 1 protocol ip permit


Note

The ppp direction callout command is a hidden command used when a router is confused as to who dialed who (when connected back-to-back or connected via leased lines and the CSU/DSU or ISDN TA are configured to dial). The ppp direction callin command may also be used. Use either of these commands.

Local router= use callout
remote router= use callin
If you do not use this command, the router will connect for a moment and then disconnect.

On router 2509, debug will show CHAP spoof

ppp: cdp_reqci: received CONFACK.


PPP Serial0: Send CHAP Challenge id=18
PPP Serial0: CHAP Challenge id=80 received from 2511
PPP Serial0: ignoring spoofed CHAP Challenge
PPP Serial0: Send CHAP Challenge id=19
PPP Serial0: CHAP Challenge id=81 received from 2511
PPP Serial0: ignoring spoofed CHAP Challenge
On the Cisco 2511, the debug will show "Waiting for peer...."


*Mar 16 18:55:24.273: Se1 CHAP: O CHALLENGE id 71 len 25 from "2511"
*Mar 16 18:55:24.277: Se0 CHAP: I CHALLENGE id 10 len 25 from "2509"
*Mar 16 18:55:24.277: Se0 CHAP: Waiting for peer to authenticate first
*Mar 16 18:55:24.281: Se1 CHAP: I CHALLENGE id 9 len 25 from "2509"
*Mar 16 18:55:24.281: Se1 CHAP: Waiting for peer to authenticate first
2511#
*Mar 16 18:55:34.257: Se0 CHAP: I CHALLENGE id 11 len 25 from "2509"
*Mar 16 18:55:34.257: Se0 CHAP: Waiting for peer to authenticate first
*Mar 16 18:55:34.421: Se0 CHAP: O CHALLENGE id 84 len 25 from "2511"
*Mar 16 18:55:34.425: Se1 CHAP: O CHALLENGE id 72 len 25 from "2511"
*Mar 16 18:55:35.261: Se1 CHAP: I CHALLENGE id 10 len 25 from "2509"
*Mar 16 18:55:35.261: Se1 CHAP: Waiting for peer to authenticate first
*Mar 16 18:55:44.297: Se0 CHAP: I CHALLENGE id 12 len 25 from "2509"
*Mar 16 18:55:44.297: Se0 CHAP: Waiting for peer to authenticate first
*Mar 16 18:55:44.665: Se0 CHAP: O CHALLENGE id 85 len 25 from "2511"
*Mar 16 18:55:44.669: Se1 CHAP: O CHALLENGE id 73 len 25 from "2511"
*Mar 16 18:55:45.301: Se1 CHAP: I CHALLENGE id 11 len 25 from "2509"
*Mar 16 18:55:45.301: Se1 CHAP: Waiting for peer to authenticate first

Another Example
In this example, both routers are configured with virtual-templates. The routers are connected back-to-back and the multilink session will not idle-out. No static routes are needed; a host route is installed after PPP negotiations.

Use Cisco IOS® Software Release 11.3 or later to use Virtual Template for PPP Multilink.

Cisco 2509
hostname 2509
!
username 2511 password cisco
username tito password cisco
!
multilink virtual-template 1
!
interface Loopback0
ip address 192.168.10.2 255.255.255.0

!
interface Virtual-Template1
ip unnumbered Loopback0
no ip mroute-cache
ppp authentication chap
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
pulse-time 1
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
clockrate 56000
ppp multilink
pulse-time 1
!
end

2509#

Cisco 2511
2511#
version 11.2
!
hostname 2511
!
!
username 2509 password 0 cisco
username tito password 0 cisco
no ip domain-lookup
multilink virtual-template 1
!
interface Loopback0
ip address 192.168.20.1 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Loopback0
no ip mroute-cache
ppp authentication chap
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
ppp multilink
pulse-time 1
!
interface Serial1
no ip address
encapsulation ppp
clockrate 56000
ppp multilink
pulse-time 1
!
end

2511#

==================sh ppp multilink============
2511#sh pp multi

Bundle 2509, 2 members, Master link is Virtual-Access1
0 lost fragments, 0 reordered, 0 unassigned, sequence 0x32/0x32 rcvd/sent
0 discarded, 0 lost received, 1/255 load

Member Links: 2
Serial1
Serial0
2511#


Debug and Verification Tips
show ip route connected - To see if the IP route for the virtual-access is installed.
show int virtual-access xx - To check the status of a particular virtual-access interface.
debug ppp negotiation - To see if a client is passing PPP negotiation. You can also check what options (callback, Multilink PPP (MLP), and so on) and what protocols (IP, IPX, and so on) are being negotiated.
debug ppp authentication - To see if a client is passing authentication.
debug vtemplate - To see what virtual-template configurations are used.
debug vprofile - To see what configuration options are applied to the virtual-access interface.

Jeter@LasVegas.com
J.Fisher CCNA
 
I have figured out how to add PPP via the "encap ppp" command and it works with no authentication. However I can't seem to get PAP authentication to work (I haven't tried CHAP yet!) I am under the impression that with PAP the username is the name of the router and password is whatever you specify. What I don't understand is how you configure the remote router to accept connection from that particular user name? Is this done via a dialer list or similar?

Also do I really need to know how to do this for the exam or am I trying to go too deep? I have several study resources and all of them seem to stop at saying that you use the encap ppp command and that PPP supports PAP and CHAP authentication across synchronous and asynchronous lines.
 
Trevor,

Try disabling password encryption using the global command:
no service password-encryption.

This should work.

If you do a: debug ppp packet
you should see it failing password authentication if the password is encrypted by service password-encryption.

Simon
 
trevorh13,
let's assume that hostname router1 is your local router and hostname router2 is your remote router. On your remote router, you need to add the username router1 and the password it should expect.

ex.
router2(config)#username router1 password whatever

then on router1 you need to make sure you are sending the right username\password combo

ex.
router1(config-if)#ppp pap sent-username router1 password whatever

try this and see if it works
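
The mismatch described in the reply above (a PAP sender whose name has no matching `username` entry on the authenticating router) can be checked offline from saved configs. This is an added example, not part of the original thread and not Cisco tooling; `parse_ios`, `audit_pap` and the sample configs are constructed, and only the `username`, `ppp authentication` and `ppp pap sent-username` forms shown in the thread are parsed.

```python
import re

CRED = r"(\S+) password (?:(\d) )?(\S+)"  # name, optional type digit, secret

def parse_ios(config):
    """Collect local usernames and per-interface PPP settings from IOS text."""
    users, ifaces, cur = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {"auth": None, "sent": None})
        elif line == "!":
            cur = None  # '!' closes the interface block
        elif m := re.match("username " + CRED, line):
            users[m[1]] = (m[2] or "0", m[3])
        elif cur is not None and line.startswith("ppp authentication "):
            cur["auth"] = line.split()[2]
        elif cur is not None and (m := re.match("ppp pap sent-username " + CRED, line)):
            cur["sent"] = (m[1], m[2] or "0", m[3])
    return users, ifaces

def audit_pap(sender_cfg, authenticator_cfg, iface="Serial0"):
    """Check that what the sender offers via PAP can be validated by its peer."""
    _, s_if = parse_ios(sender_cfg)
    a_users, a_if = parse_ios(authenticator_cfg)
    empty = {"auth": None, "sent": None}
    if a_if.get(iface, empty)["auth"] != "pap":
        return []  # peer does not demand PAP on this interface
    sent = s_if.get(iface, empty)["sent"]
    if sent is None:
        return [f"{iface}: peer demands PAP but no 'ppp pap sent-username' is set"]
    name, stype, secret = sent
    if name not in a_users:
        return [f"{iface}: peer has no 'username {name} password ...' to check against"]
    utype, usecret = a_users[name]
    # Type 7 strings are salted, so only cleartext (type 0) secrets are compared.
    if stype == utype == "0" and secret != usecret:
        return [f"{iface}: password sent for '{name}' differs from peer's entry"]
    return []

# Constructed sample configs: both ends demand PAP, neither defines a user.
R1 = """interface Serial0
 ppp authentication pap
 ppp pap sent-username router1 password whatever
!"""
R2 = R1.replace("router1", "router2")
R2_FIXED = "username router1 password whatever\n" + R2

if __name__ == "__main__":
    print(audit_pap(R1, R2))        # one finding: no username entry on the peer
    print(audit_pap(R1, R2_FIXED))  # no findings
```

Run it in both directions when both routers have `ppp authentication pap`, since each side then has to validate the other.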
 
Haven't had chance to try it yet but I suspected that it was the case that the remote router had no idea what it should accept as a username and password. Unfortunately none of the books offered much help and the online help is only really useful if you know what you are looking for. Many thanks.
 