PPP over GPRS server-side support

GPRS dial-in depends on the following server-side infrastructure:

Gateway GPRS Support Node

For the Computer labs, there are two GGSNs, owned and operated by Vodafone, on their GPRS network. They gateway traffic from the GPRS phone to the lab VPN.

VPN

Traffic from the GGSN is tunneled over an IPSec connection back to the Lab's routers. Here is an excerpt from the Cisco configuration that makes this happen:

!
! Heathrow configuration file excerpt
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
! Key to use when talking to Vodafone peer
crypto isakmp key ******** address vvv.vvv.vvv.vvv
!
crypto ipsec transform-set vf-ts esp-des esp-md5-hmac 
! 
! Setup crypto map for Vodafone peer
crypto map vf-cmap local-address Loopback1
crypto map vf-cmap 1 ipsec-isakmp  
 set peer vvv.vvv.vvv.vvv
 set security-association lifetime seconds 86400
 set transform-set vf-ts 
 match address 191
!
access-list 191 permit ip any 128.232.98.0 0.0.1.255
!
! This is the address we tell our Vodafone IPSec peer about
! Using a Loopback interface address will let us move it later if necessary
interface Loopback1
 ip address 128.232.XXX.XXX 255.255.255.255
 no ip directed-broadcast
!
! The following is a hack to cause us to advertise a route to 128.232.98/23
! over OSPF, otherwise traffic may bypass us. (It must go down IPSec tunnel)
interface Loopback2
 ip address 128.232.99.254 255.255.254.0
 no ip directed-broadcast
 ip ospf network point-to-point
 crypto map vf-cmap
!
! This is our main external interface via the CUDN
interface Vlan99
 description Vlan cudn-backbone 131.111.2.0/24
 ip address 131.111.2.100 255.255.255.0
 ip access-group vlan99-in in
 ip access-group vlan99-out out
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-dense-mode
 ip ospf cost 20
 ip sdr listen
 crypto map vf-cmap
!
! This is the heathrow-gatwick router link. We need the crypto map in
! case gatwick loses direct backbone connectivity and falls over to this link
interface Vlan191
 description Vlan inter-router 128.232.96.32/28
 ip address 128.232.96.36 255.255.255.240
 no ip directed-broadcast
 ip ospf cost 5
 crypto map vf-cmap
!
ip access-list extended vlan99-in
 permit ip 128.232.98.0 0.0.1.255 any
 permit tcp any any established
 ... 
ip access-list extended vlan99-out
 ...
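
An added example, not part of the original page or the Lab's own tooling: a small Python audit of the crypto lines in the excerpt above, of the kind used when reviewing a tunnel configuration. It assumes classic Cisco IOS defaults (DES, SHA-1, Diffie-Hellman group 1) for any ISAKMP policy setting the configuration does not list, and the lists of weak algorithms are this example's own choice.

```python
import re

# Assumption: classic Cisco IOS fills in these values when a policy omits them.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed sample: the crypto lines of the excerpt above.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto ipsec transform-set vf-ts esp-des esp-md5-hmac
crypto map vf-cmap 1 ipsec-isakmp
 set peer vvv.vvv.vvv.vvv
 set transform-set vf-ts
"""

def audit(config):
    """Return findings for weak IKE phase 1 and IPsec phase 2 settings."""
    findings, policies, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        start = re.match(r"crypto isakmp policy (\d+)$", line)
        if start:
            # Every policy starts from the defaults; explicit lines override.
            current = policies.setdefault(
                int(start.group(1)),
                {k: (v, "implicit default") for k, v in ISAKMP_DEFAULTS.items()})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if len(words) > 1 and words[0] in ISAKMP_DEFAULTS:
                current[words[0]] = (" ".join(words[1:]), "configured")
        else:
            current = None  # left the policy sub-mode
            ts = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            for name in (ts.group(2).split() if ts else []):
                if name in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {ts.group(1)}: {name}")
    for number, policy in sorted(policies.items()):
        for key, (value, origin) in policy.items():
            if value in WEAK_ISAKMP[key]:
                findings.append(f"isakmp policy {number}: {key} {value} ({origin})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For the excerpt it reports the configured MD5 hash and the DES/MD5 transform set, plus two settings that never appear in the text: the policy's encryption and Diffie-Hellman group, which fall back to the assumed defaults.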

RADIUS

The authentication data that your computer passes to the phone over CHAP or PAP is used to authenticate against a RADIUS server (mob.cl.cam.ac.uk). A sample configuration for radiusd is here.


This work is made possible by the support of Benchmark Capital and Vodafone