"L2TP Client" vs. "L2TP Server"

I followed instructions I found in the wiki to set up the PPP/L2TP server on my Mikrotik RouterOS 6.42 (stable). In fairly short order, I was able to set up the unit to accept connections from both my iPhone and also Windows clients.

Having a few Windows Server 2008 machines already performing this task, I figured it would be interesting to go into PPP/Add New/L2TP Client and get the Mikrotik to connect to one of the Windows servers. I’m able to connect to these same servers using the same iPhone and Windows clients I’m connecting to the Mikrotik router, configured similarly.

Turns out it hasn’t been so simple. When I place a checkmark under “Use IPsec” and enter my secret, I don’t get a connection going but instead get this in my log:

969 Apr/28/2018 18:20:32 memory ipsec, info initiate new phase 1 (Identity Protection): mik.mik.mik.mik[500]<=>win.win.win.win[500]
970 Apr/28/2018 18:20:33 memory ipsec, info ISAKMP-SA established mik.mik.mik.mik[4500]-win.win.win.win[4500] spi:thisisalongnumberI’mreplacingdon’tknowwhatitis
971 Apr/28/2018 18:21:27 memory l2tp, ppp, info l2tp-out1: initializing…
972 Apr/28/2018 18:21:27 memory l2tp, ppp, info l2tp-out1: connecting…
973 Apr/28/2018 18:21:27 memory system, info device changed by root
974 Apr/28/2018 18:21:51 memory l2tp, ppp, info l2tp-out1: terminating… - session closed
975 Apr/28/2018 18:21:51 memory l2tp, ppp, info l2tp-out1: disconnected
976 Apr/28/2018 18:21:51 memory l2tp, ppp, info l2tp-out1: initializing…
977 Apr/28/2018 18:21:51 memory l2tp, ppp, info l2tp-out1: connecting…
978 Apr/28/2018 18:22:03 memory l2tp, ppp, info l2tp-out1: terminating…
979 Apr/28/2018 18:22:03 memory l2tp, ppp, info l2tp-out1: disabled

where mik.mik.mik.mik = the WAN address of my Mikrotik router, and win.win.win.win = the WAN address of the Windows server to which I’m trying to connect.

Also having an Untangle UTM at a site, supporting IPsec, which also supports iPhone and Windows clients, I tried the same thing but similarly fell flat on my face.

So following instructions found in the Mikrotik Wiki, I was able to go into IP/IPsec on the Mikrotik and get an IPsec tunnel running between the Mikrotik and the Untangle (after a bunch of false starts as I learned about getting the stage 1 and stage 2 settings working between the two different types of devices).

But I guess I’m a little lost in terms of where I’d use the PPP/Add New/L2TP, is that not supposed to support a connection to (for example) a Windows server or an Untangle UTM? Would I always go into the IP/IPsec properties instead?

Sorry for the rather dumb newbie question.

First, to get more information from the logs (actually, so much that it is easy to drown in it), do the following:

/system logging add topics=l2tp

Normally only info and higher severity messages are logged; the above command makes all l2tp messages be logged, including debug severity, which gives you a better indication of what has happened.

What could have happened is that you didn’t have the ppp client configured properly (the name is the local name of the interface, the user and password must match your user account at server side). Or there could have been some issue with the IPsec, causing your l2tp messages to get nowhere. If this is the case, you will see only sent l2tp messages but no responses in the log.

To get ipsec debug messages logged, do /system logging add topics=ipsec.

If you get lost in the log, you can always post it here. Obfuscating IP addresses and user names makes sense, obfuscating SPIs is a waste of time as they change dynamically so they are GDPR-safe already :slight_smile:

Thank you for the help!

Yes I was being overwhelmed by trying to read those IPsec logs, they were overwhelming my browsers. But I finally figured out I could “echo” them to an active telnet session and that helped.

I was able to disable modp on the default IPSec Proposals on the Mikrotik and then I connected.

But I’m still not sure what this L2TP/IPSec client is used for, is it primarily for connecting to VPN services or would one actually use it for router-to-router connections in a small business two-site setup?

I typically use log print follow-only file=some-file-name where topics~"ipsec|l2tp", then I download the file and analyse it offline.


But I’m still not sure what this L2TP/IPSec client is used for, is it primarily for connecting to VPN services or would one actually use it for router-to-router connections in a small business two-site setup?

For router to router connections, either plain IPsec or some other tunnelling protocol over IPsec are better suited. Plain IPsec behaves quite unusually in terms that it “steals” already routed packets, so you route the packets into the IPsec tunnel by matching them to IPsec policies. And if you need dynamic routing protocols like OSPF to work between the routers, the only way is to use GRE or IPIP over IPsec in transport mode.

The role of the l2tp-client interface in Mikrotik is important for those using “public VPNs” to overcome some censorship or territorial limitations of services on a commercial basis (if you want to watch an IPTV channel from a country for which it is blocked based on the IP address of the client). These “public VPN” services are designed for individual user PCs, so L2TP/IPsec is one of the most popular protocols with them.
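As an added illustration of the router-to-router option described above (GRE over IPsec in transport mode, so that OSPF can run between the two routers), here is one side of such a setup in RouterOS 6.4x syntax. This is example configuration, not from the thread; the WAN addresses 198.51.100.10 (this router) and 203.0.113.20 (remote), the tunnel addresses 10.255.0.0/30 and the pre-shared key are constructed placeholders, and the remote device needs mirror-image settings.

```routeros
# Added example, not from the thread: GRE over IPsec (transport mode), this side only.
# Assumed: WAN here 198.51.100.10, remote WAN 203.0.113.20, GRE link 10.255.0.1/30 <-> 10.255.0.2/30.
/interface gre add name=gre-site2 local-address=198.51.100.10 remote-address=203.0.113.20
/ip address add address=10.255.0.1/30 interface=gre-site2

# Phase 1 (peer) and phase 2 (proposal) settings must match the other device exactly;
# mismatches here are the usual cause of "stage 1 / stage 2" false starts.
/ip ipsec proposal add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add address=203.0.113.20/32 exchange-mode=main secret="CHANGE-ME-PSK" enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Transport-mode policy: encrypt only GRE packets between the two WAN addresses.
# tunnel=no is what makes this transport mode; level=require drops GRE that is not encrypted.
/ip ipsec policy add src-address=198.51.100.10/32 dst-address=203.0.113.20/32 protocol=gre action=encrypt level=require tunnel=no ipsec-protocols=esp proposal=gre-prop sa-src-address=198.51.100.10 sa-dst-address=203.0.113.20

# The GRE interface is now a normal L3 link, so dynamic routing works across it.
/routing ospf interface add interface=gre-site2 network-type=point-to-point
/routing ospf network add network=10.255.0.0/30 area=backbone

# Checks: the SA should show state=established and the policy should count packets.
/ip ipsec installed-sa print
/ip ipsec policy print stats
```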

Ok got it, thank you for all your help, Sindy!

Sorry to bother, but I still did not quite understand the difference. I understand that both l2tp-server and l2tp-client are used to establish an l2tp tunnel with a server (and I understand that this tunnel may not be encrypted). If I understand correctly, then l2tp-server establishes a connection and can choose to route LAN requests through the interface. The actual “consumers” of the connection reside in the LAN. And l2tp server can provide an interface that one can connect to from the internet - if the remote l2tp server is forwarding to it (e.g. the case of getting a static IP address through l2tp in case the mikrotik router is behind CGNAT).

But what is the role of l2tp client then? If it is for a machine that would connect to remote VPN, then mikrotik router is not the “consumer” and the actual user of this traffic would reside in LAN still. So what is the difference then between l2tp-client and l2tp server?

Sorry if this sounds dumb, but I am trying to understand.

The terms “client” and “server” come from regular business, where the client requests a service and the server provides that service. Other protocol standards call the client an “initiator” and the server a “responder”, which better illustrates their respective roles during establishment of the connection. It also helps remove the confusion between “server” as a process and “server” as hardware.

L2TP in general behaves in accord with this concept - the server listens for incoming connection requests from clients and the client initiates a connection to a server. In L2TP in RouterOS in particular, the server side configuration may be a bit confusing at first glance, because there are two items in the configuration tree: /interface l2tp-server and /interface l2tp-server server. The latter contains the common settings of the server, the former is a list of local ends of the tunnels - whenever a client successfully connects, a tunnel interface is dynamically created at the server. The name of that interface may be created dynamically as well, or you may reserve a static name for a given client account (/ppp secret item).

Once the tunnel is established, you can think of it as of any L3 interface, so you can use all the routing capabilities like with any other interface. However, on the server side, you can specify destination prefixes to be routed via that tunnel once it comes up using the routes parameters of /ppp secret items.

So in a typical home use case, the Mikrotik acting as an L2TP client in one country has a dedicated routing table that uses the L2TP tunnel as a default gateway, and uses some firewall mangle rules and/or routing rules to make particular LAN hosts use that table rather than the main one, and the server in another country handles that traffic as if it came from a local LAN host. So the TV connected to the client Mikrotik appears to the streaming service as being located in the country where the Mikrotik server is located.

In a typical business use case, the Mikrotik clients in home offices connect to the server in the headquarters, and the routing at clients uses the L2TP tunnel to let the LAN hosts access the resources in the enterprise network rather than the internet.

Thanks, this is very helpful. I am at the stage where I have managed to achieve a client connection. But then I do not quite know how to make sure the connection is usable - i.e. when I try to ping from the router using the interface I get destination unreachable from the server (IP) I have connected my client to. Otherwise server shows status connected:

/interface/l2tp-client/print
0  R name="l2tpaa" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=ip.ad.re.ss user="user1" password="password" 
      profile=default keepalive-timeout=60 use-peer-dns=no use-ipsec=no ipsec-secret="" allow-fast-path=no add-default-route=no 
      dial-on-demand=no allow=mschap2 l2tp-proto-version=l2tpv2 l2tpv3-digest-hash=md5

What would be the way to test connectivity through that interface? I have tried pinging the interfaces (timeout), pinging 1.1.1.1 and then I get dest unreachable.

Start from adding a route for the test. At the client, add a route dst-address=1.1.1.1 gateway=l2tpaa, and try pinging from the client router itself, not specifying the interface. Depending on the actual use case, you may need multiple routes at both the client and the server, or a src-nat/masquerade rule on the client, some policy routing on the client (policy routing means you use also other information than the destination address to choose a route). Describe the use case to get a less generic suggestion.
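The following is an added example, not from the thread, putting together the test route just suggested and the home use case from the earlier reply (a dedicated routing table with the tunnel as default gateway, a mangle rule selecting one LAN host, and masquerade on the tunnel). It assumes the client interface is named l2tpaa as in the print above, that the LAN is 192.168.88.0/24, and that 192.168.88.10 is the constructed address of the host that should use the tunnel.

```routeros
# Added example, not from the thread: making an up l2tp-client tunnel (l2tpaa) usable.
# Assumed: LAN 192.168.88.0/24, host 192.168.88.10 should reach the internet via the tunnel.

# 1) Quick connectivity test: one host route via the tunnel, then ping from the router
#    itself without specifying an interface (the route picks the tunnel).
/ip route add dst-address=1.1.1.1/32 gateway=l2tpaa comment="l2tp test route"
/ping 1.1.1.1 count=4

# 2) The server side normally only knows the tunnel address the client was given,
#    so hide LAN sources behind it; without this, replies have nowhere to go.
/ip firewall nat add chain=srcnat out-interface=l2tpaa action=masquerade comment="l2tp masquerade"

# 3) Policy routing: a separate table whose default route is the tunnel...
/ip route add dst-address=0.0.0.0/0 gateway=l2tpaa routing-mark=via-l2tp comment="l2tp table"

# ...and a mangle rule that sends only the chosen host into that table.
#    dst-address=!192.168.88.0/24 keeps LAN-to-LAN traffic out of the tunnel table,
#    otherwise its 0.0.0.0/0 route would swallow local traffic too.
/ip firewall mangle add chain=prerouting src-address=192.168.88.10 dst-address=!192.168.88.0/24 action=mark-routing new-routing-mark=via-l2tp passthrough=no comment="host via l2tp"

# Checks: the routes must be active (A flag) and the tunnel should carry traffic.
/ip route print where gateway=l2tpaa
/interface monitor-traffic l2tpaa once
```

Once the test ping works, remove the 1.1.1.1/32 route; the via-l2tp table carries the real traffic for the selected host.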

Thanks sindy,

I worked quite a bit on that, but I am bogged down a little in mysterious connection not happening scenarios. I wrote it up here and added my config as well. If you could take a look, that would be much appreciated. http://forum.mikrotik.com/t/cannot-port-forward-through-dstnat/164120/5