L2TP Server

I have followed the instructions below. Now how do I get a win2k box to connect to it? Do I need to configure stuff in the /ip ipsec area? Should I be using something else? I'm trying to use a client PC and have it connect to a Tik box that will form a secure connection to the LAN side of the Tik box.

Casey

Connecting a Remote Client via L2TP Tunnel
The following example shows how to connect a computer to a remote office network over an L2TP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need of bridging over EoIP tunnels).

Please consult the respective manual on how to set up an L2TP client with the software you are using.

The router in this example:

[RemoteOffice]

Interface ToInternet 192.168.81.1/24

Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the L2TP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""

[admin@RemoteOffice] ppp secret>
Then the user should be added in the L2TP server list:

[admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running

NAME USER MTU CLIENT-ADDRESS UPTIME ENC...

0 FromLaptop ex
[admin@RemoteOffice] interface l2tp-server>
And the server must be enabled:

[admin@RemoteOffice] interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface l2tp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running

NAME MTU MAC-ADDRESS ARP

0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>

AFAIK, windows uses IPsec for means of L2TP tunnel protection. You can either disable IPsec for L2TP on W2K box (some obscure registry key, ask Google) or enable RouterOS to use IPsec for this too. The fastest way to do so would be to issue the following command:

/ip ipsec peer add address=<W2K machine IP address> secret=<IPsec secret you have configured on W2K box> generate-policy=yes

And of course, you should know how to configure IPsec on Windows side :wink:

NAT traversal isn’t supported on the MT L2TP server (unless I’ve missed something on 2.9).

With this in mind, PPTP has a better chance of working.

Regards

Andrew
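The manual steps quoted above and the IPsec peer command from the reply, collected into one RouterOS script (an added example, not from the manual or the forum posters). The PPP password and the IPsec pre-shared secret are placeholders; the client address is a constructed value.

```routeros
# 1. PPP account for the client. The remote-address comes from the
#    Office LAN range, so the client looks like a host on 10.150.1.0/24.
/ppp secret add name=ex service=l2tp password=CHANGE-ME-PPP \
    local-address=10.150.1.254 remote-address=10.150.1.2

# 2. Static L2TP server interface bound to that user.
/interface l2tp-server add name=FromLaptop user=ex

# 3. Turn the L2TP server on; mschap2 keeps the PPP password off the wire.
/interface l2tp-server server set enabled=yes authentication=mschap2

# 4. Proxy ARP: the router answers ARP for 10.150.1.2 on the Office LAN,
#    so LAN hosts can reach the tunnelled client without extra routes.
/interface ethernet set Office arp=proxy-arp

# 5. Only needed for Windows clients, which wrap L2TP in IPsec by default.
#    generate-policy=yes builds the transport-mode policy for the peer.
#    CLIENT-PUBLIC-IP is a placeholder for the client's Internet address;
#    the secret must match the pre-shared key configured on the Windows side.
/ip ipsec peer add address=CLIENT-PUBLIC-IP secret=CHANGE-ME-IPSEC-PSK \
    generate-policy=yes
```

Note that step 5 pins the peer to one client address, so it will not help a client sitting behind NAT on a 2.9 server without NAT-T, which is the limitation the rest of the thread discusses.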

NAT traversal isn't supported on the MT L2TP server (unless I've missed something on 2.9).

There is nothing to support; L2TP is NAT friendly by its nature. It is not like PPTP, so your comment is not true.

L2TP is NAT friendly, yes, but once it gets encapsulated inside IPsec, and that’s what Andrew is talking about,
you’d have to argue about the NAT friendliness of IPsec …

–Tom

you are not forced to use ipsec

While you’re not forced to use IPSEC for technical reasons, to disable it you need to alter a registry key on all client PCs. This will break all other IPSEC traffic on that PC. Hence my preference for PPTP until MT support NAT-T. It’s a lot less trouble.

Regards

Andrew

For completeness, let’s just mention that client-side PPTP isn’t exactly NAT friendly either. If the PPTP client is located behind a NAT device, that device needs to have special support for PPTP in its NAT code when more than one PPTP client needs to go through the NAT device concurrently.

Most very cheap DSL/Cable NAT-routers for the home user market have problems with this - most of their NAT implementations are so broken, they can suck black holes through nano-tubes :confused: