Known issues and bugs - a list

Issue:
L2TP Server bug - replies from wrong IP address

Description:
When a router has multiple IP addresses on an interface, an L2TP server always uses the lowest IP address as the source address of L2TP packets, which makes the L2TP connection impossible to establish.

Versions affected:
6.14-6.0, 5.x

How to reproduce:
Connect 2 RB’s on ether5. Apply configs:

L2TP AC:
/interface l2tp-server server
set enabled=yes
/ip address
add address=10.0.0.1/24 interface=ether5 network=10.0.0.0
add address=1.1.1.1/32 interface=ether5 network=1.1.1.1
/ip firewall mangle
add action=log chain=input port=1701 protocol=udp
add action=log chain=output port=1701 protocol=udp
/ppp secret
add name=123 password=123
/system identity
set name=AC

L2TP client:
/interface l2tp-client
add connect-to=1.1.1.1 name=l2tp-out1 password=123 user=123
/ip address
add address=10.0.0.2/24 interface=ether5 network=10.0.0.0
/ip route
add distance=1 gateway=10.0.0.1
/system identity
set name=Client

L2TP will not establish. Looking at the logs will show that the L2TP server replies with a wrong IP address:




Notes:
This is really annoying, especially if you have a public IP which the clients use to connect to the L2TP server on a loopback.
The lowest IP address of the incoming interface will still be used, instead of the public IP on the loopback, making the L2TP AC not work.

You can use NAT as a workaround.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Fix for an L2TP src-address bug" dst-address="Address you want your L2TP client to connect to" dst-port=1701 protocol=udp to-addresses="src-address that L2TP sends wrong packets with"

Support TicketID:
Ticket#2013020866000414