Help with an L2TP tunnel

Hi, I have 2 MT routers at clients that are on the internet and I wish to connect them together and route traffic between them securely for some Windows file sharing application to pass data between servers on the respective networks.

Using the manual I have been able to connect the routers together via l2tp tunnel. Routers can ping each other over the tunnel, so that is working fine.

My question is this… can I assign my l2tp IP addresses on the same network as my local (natted) network on the l2tp server MT (10.2.1.x)? Then when the client MT connects, it will have a natted IP that I can use from the remote (L2TP client) network?

It seems like this way I would not have to add interfaces and IP addresses specifically for the VPN on the L2TP server side of things. And I wouldn't have to add routing… let me know if my thinking is off.

I'm sorry if this is not very clear. Hopefully someone understands what I am trying to get at. If there is an easier way to accomplish what I am trying to do please let me know.

Thanks in advance,
Chris

Do you want same network class addresses on both sides of your tunnel? Maybe you can use this example

http://www.mikrotik.com/testdocs/ros/2.9/interface/eoip_content.php#5.19.3

It’s probably possible to use L2 tunnel instead of PPP, just add EoIP and bridging.

Thank you for replying. If I use EOIP tunnel, and my NAT IP scheme is different at remote_lan and office_lan (office_lan is 10.2.1.x and remote_lan is 192.168.1.x), then I still have to do some routing to make the connection from clients on these LANs, correct?

Is there much overhead associated with this?

Thanks again and sorry if these seem silly questions… I am new to WAN stuff…

Chris

office_lan is 10.2.1.x

Then on this router you add this route:

/ip route add dst-address=192.168.1.0/24 gateway=ip_address_of_tunnel_interface_on_remote_lan_router

remote_lan is 192.168.1.x

And here opposite:

/ip route add dst-address=10.2.1.0/24 gateway=ip_address_of_tunnel_interface_on_office_lan_router

So just to confirm, I will set up

  • l2tp VPN (already done)
  • eoip over that
  • routing

I will try tonight. Thanks.

Hi.

I have set this up, and I am sure the L2TP is working because I can ping the inside interfaces of both routers from the other router.

However, I cannot ping anything other than the router, i.e. from one router I cannot ping any machines on the LAN on the other router.

Everything appears to be working, I see traffic going thru the bridge interfaces, nothing that I can see in the firewalls should be stopping the data.

Any idea on things to check?

Everything looks ok. When I initially enable the bridges data flows over the eoip interface, but I still cannot ping anything on the remote lan. Exactly the same behavior as with just the L2TP connection up. The routing addition does let me ping the inside (LAN) interface of the remote router, but that's it.

I have no way of knowing if eoip is working. I suspect it's not. L2TP is for sure and the bridging works I'm sure. By the way I am adding the LAN interface to the bridge, correct?

I have GRE enabled, so that's not it.

I turn off any “reject” stuff in the firewall, still no love.

Any ideas? I just want these 2 LANs to be able to talk to each other… :cry:

It was a firewall rule blocking traffic back =P

Thanks!
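
An added example, not code from any poster in the thread: a small stateless model of the two routers showing why the remote router's LAN interface can answer pings while hosts behind it cannot, when a forward-chain rule drops the return traffic. The subnets are the ones in the thread; the router and host addresses, the drop rule, and the assumption that the ping is sourced from the office router's LAN address are constructed for illustration.

```python
import ipaddress as ip

# Subnets are from the thread; router/host addresses and the drop rule
# are constructed for this illustration.
OFFICE, REMOTE = ip.ip_network("10.2.1.0/24"), ip.ip_network("192.168.1.0/24")

def router(name, lan_ip, forward=(), inp=()):
    return {"name": name, "own": ip.ip_address(lan_ip),
            "forward": list(forward), "input": list(inp)}

def verdict(rules, src, dst):
    """First matching rule wins; an empty or unmatched chain accepts."""
    for net_src, net_dst, action in rules:
        if src in net_src and dst in net_dst:
            return action
    return "accept"

def one_way(src, dst, office, remote):
    """Walk one packet across both routers; return None or the drop point."""
    path = [office, remote] if src in OFFICE else [remote, office]
    for r in path:
        if src == r["own"]:
            continue  # locally generated: output chain, forward rules never see it
        chain = "input" if dst == r["own"] else "forward"
        if verdict(r[chain], src, dst) == "drop":
            return f"{r['name']}/{chain}"
        if chain == "input":
            break     # delivered to the router itself
    return None

def ping(src, dst, office, remote):
    """Return 'ok' or where the echo request or reply was dropped."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for label, s, d in (("request", src, dst), ("reply", dst, src)):
        dropped = one_way(s, d, office, remote)
        if dropped:
            return f"{label} dropped at {dropped}"
    return "ok"

# Hypothetical misconfiguration: remote router drops forwarded LAN -> office traffic.
office_rtr = router("office", "10.2.1.1")
remote_bad = router("remote", "192.168.1.1", forward=[(REMOTE, OFFICE, "drop")])
remote_ok = router("remote", "192.168.1.1", forward=[(REMOTE, OFFICE, "accept")])

if __name__ == "__main__":
    for target in ("192.168.1.1", "192.168.1.50"):
        print(target, "->", ping("10.2.1.1", target, office_rtr, remote_bad))
```

The router's own echo reply leaves through the output chain, so a forward-chain drop never touches it; only replies from LAN hosts transit the forward chain and get discarded.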