MikroTik L2TP Client to Juniper device

I need to set up an L2TP tunnel to my provider to obtain a static IP address over my ADSL link (PPPoE). The PPPoE connection has a dynamic IP.

The provider requires that I set up the L2TP tunnel with a shared secret. From what I have been reading on the forum and other sources, it looks like MikroTik doesn’t support setting up an L2TP tunnel with a shared secret.

NOTE: This is NOT IPSEC. The provider clearly states not to use IPSEC.

The only configuration instructions provided to me by the provider are the following:

  • L2TP Service IP
  • Shared secret
  • Username
  • Password

See error below:

Aug/16/2013 23:56:27 l2tp,debug session 1 entering state: wait-reply
Aug/16/2013 23:56:27 l2tp,debug,packet rcvd control message from xxx.xxx.xxx.xxx:1701
Aug/16/2013 23:56:27 l2tp,debug,packet     tunnel-id=9, session-id=0, ns=1, nr=2
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Message-Type=StopCCN
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Assigned-Tunnel-ID=15358
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Result-Code=4
Aug/16/2013 23:56:27 l2tp,debug,packet         Error-Code=6
Aug/16/2013 23:56:27 l2tp,debug,packet         Error-Message="tunnel receive scccn avp missing challenge response"
Aug/16/2013 23:56:27 l2tp,debug,packet sent control message to xxx.xxx.xxx.xxx:1701
Aug/16/2013 23:56:27 l2tp,debug,packet     tunnel-id=15358, session-id=0, ns=2, nr=2
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Message-Type=ICRQ
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Assigned-Session-ID=1
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Call-Serial-Number=8
Aug/16/2013 23:56:27 l2tp,debug,packet     (M) Bearer-Type=0x0
Aug/16/2013 23:56:27 l2tp,debug,packet sent control message (ack) to xxx.xxx.xxx.xxx:1701
Aug/16/2013 23:56:27 l2tp,debug,packet     tunnel-id=15358, session-id=0, ns=3, nr=2
Aug/16/2013 23:56:27 l2tp,debug tunnel 9 entering state: dead
Aug/16/2013 23:56:27 l2tp,debug session 1 entering state: dead
Aug/16/2013 23:56:27 l2tp,ppp,info l2tp-out: terminating... - session closed
Aug/16/2013 23:56:27 l2tp,ppp,debug l2tp-out: LCP lowerdown
Aug/16/2013 23:56:27 l2tp,ppp,debug l2tp-out: LCP down event in initial state
Aug/16/2013 23:56:27 l2tp,ppp,info l2tp-out: disconnected

Error-Message=“tunnel receive scccn avp missing challenge response”

Is there a workaround for this? If not, is there any chance that MikroTik will include this functionality in future versions of ROS?

Please also see this (old) related thread: http://forum.mikrotik.com/t/l2tp-chap-authentication-response/34557/1

Hi SamCt

Have you had any luck with this so far?

If you have more details pertaining to the tunnel then perhaps we can assist you with setting this up?

@CyberT - no luck so far. These are the only details provided by the ISP: https://www.axxess.co.za/staticip.php

OK, I’m busy with just about the same thing:

http://www.afrihost.com/site/page/static_ip_configuration_settings


I will let you know when I have it running.

I get to more or less where you are at the moment, and I have the same result. Are you running the latest ROS?

My one router is stuck on 5.25 at the moment. I haven’t tested on the 6.4 one as yet, but expect more or less the same result.

Will let you know when I see something; otherwise I’ll do an ipdump for the guys. I have already opened a ticket with support, and will let you know and post my config the moment I get it to work.

I also found some of this
http://pastebin.com/wT8KwrnB

and then I see there is someone that is using their username@axxess as username and leaving out the .co.za
http://askubuntu.com/questions/340325/problem-connecting-to-isp-server-using-xl2tpd-as-client-ubuntu-server-13-04

So that might be his answer.

If we could find a running L2TP tunnel to that IP, we could perhaps use those settings to replicate as far as possible into this. The best I can see is the secret under the IPsec area to configure the secret, and I can’t say that that’s correct, because the Afrihost page to the same server in MTN buss says that IPsec = no, so I’m gathering that I might be on the wrong track with that.

CyberT

Hi CyberT

Please try the following

Add the L2TP interface under the PPP menu.
On the security tab,
add the h3lp password there and change the service to l2tp. Please make sure you have the correct profile selected, as when you created the l2tp client, i.e. (default/default-encryption).

Don’t know if you should change anything else, but if it does not work, try adding the Remote address = server address.

Gys

Hi, can you please give me the terminal command for this? I don’t seem to see the “security tab”.

It’s the preshared key that’s getting me down, I think. I think that’s what it’s moaning about, but I have no idea where to configure the preshared key for outgoing connections?

/interface l2tp-client
add add-default-route=no allow=pap connect-to=<<L2TP SERVER IP>> dial-on-demand=no \
    disabled=yes max-mru=1460 max-mtu=1460 mrru=disabled name=AfrihostStaticIP \
    password=<<ADSLPASSWORD>> profile=l2tp-Out user=<<ADSLUSERNAME>>@afrihost.co.za



/ppp profile
add change-tcp-mss=default name=l2tp-Out only-one=default use-compression=\
    default use-encryption=no use-mpls=default use-vj-compression=default

Hi CyberT

Sorry, my mistake: the tab is secrets, not security.

Gys

Is there a way you can test this from your side? As far as I can see, that only relates to incoming users and does not relate to outgoing users at all. I have tried it in a way, but all that I can do is match the interface to the name, so how the 2 would tie together I can’t say. Is there a way you can test this from your side?

Hi CyberT

Sorry, I don’t have static IPs.

gys

OK, I found the following:

What’s new in 5.7 (2011-Sep-14 10:54):

*) ipsec - new exchange mode (main-l2tp) for l2tp tunnel users to allow
FQDN as a peer ID with preshared key authorization in main mode;

But how to use that, I don’t know…

RouterOS does not support tunnel password which is used for LAC/LNS.

And ipsec main-l2tp mode has nothing to do with it. It should be used for windows l2tp/ipsec client connections.
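
The tunnel password mentioned above is RFC 2661 tunnel authentication: the LNS places a Challenge AVP in its SCCRP and expects a Challenge Response AVP in the SCCCN, which is the AVP the StopCCN in the first post's log reports as missing. The Python below is an added example, not part of the thread or any vendor's code; the secret, challenge bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_SCCCN = 3                 # Message Type of SCCCN, used as the CHAP ID
AVP_CHALLENGE_RESPONSE = 13   # RFC 2661 attribute type

# Constructed sample values, not taken from the thread or any provider
SECRET = b"example-tunnel-secret"
LNS_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style digest: MD5(ID || secret || challenge), ID = message type."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode an IETF (vendor 0) AVP: flags and length, vendor ID, type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP exceeds the 10-bit length field")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value

def parse_avps(payload: bytes) -> dict:
    """Return {attribute type: value} for vendor 0, non-hidden AVPs."""
    out, off = {}, 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("bad AVP length")
        if vendor == 0 and not flags_len & 0x4000:   # 0x4000 = hidden (H) bit
            out[attr] = payload[off + 6:off + length]
        off += length
    return out

def lns_check_scccn(avp_bytes: bytes, secret: bytes, sent_challenge: bytes) -> str:
    """Model of the LNS-side check on SCCCN after it sent a Challenge in SCCRP."""
    resp = parse_avps(avp_bytes).get(AVP_CHALLENGE_RESPONSE)
    if resp is None:
        return "missing challenge response"   # the case shown in the thread's log
    expected = challenge_response(MSG_SCCCN, secret, sent_challenge)
    return "ok" if hmac.compare_digest(resp, expected) else "bad challenge response"

def client_scccn_avp(secret: bytes, challenge: bytes) -> bytes:
    """The AVP a LAC with tunnel authentication adds to its SCCCN."""
    return build_avp(AVP_CHALLENGE_RESPONSE, challenge_response(MSG_SCCCN, secret, challenge))
```

A client that sends an SCCCN carrying only its other AVPs gets the first branch; one configured with the wrong secret gets the last.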

Will it be supported at some time? As it is the latest craze in South Africa if a static IP is required over ADSL?

+1 here

Is it easily possible for you to add this in v6? If you can/plan to, a timeline would be good.
Also, is there a reason you don’t currently support it?

Hi Support

I am sure many of us need this feature available. I really don’t want to buy a Billion or ZyXel just for this feature.

I need to configure an L2TP tunnel with secret and no IPSEC, in order to receive my ISP assigned Static IP, but now Mikrotik is not able to do this. Will this ever be supported by Mikrotik?

Regards

Dirk

BUMP!

I just came here with the same question and the bottom line is you can’t use Axxess/Afrihost L2TP Static IPs on a Mikrotik Router.

Has anyone else managed to get something going?

I guess Afrihost wouldn’t turn off the tunnel authentication from their side, as I believe that would be the ideal thing to do. They should rather block invalid users using their firewall and not tunnel authentication.

Just my 2c

I think that server is actually sitting inside the MTN-Buss infra, and I don’t think that those 2 ISPs are the only ones that use that server for statics. It’s a pity that they haven’t sorted it out yet. Not sure why they haven’t. I saw a few releases ago they did work on the module to add more encoding protos. So let’s hope and see…