With some Googling, and combing through the forum archives, I have failed to find much information on L2TP Tunnel Authentication.
Basically we are about to start offering ADSL services, in addition to our wireless ones, and using the same LNS setup would be preferred, as all of our systems are built around Mikrotik.
However, the wholesale provider dumps the service off to us as an l2tp tunnel, that will then pass over the PPPOE connections.
What I want to know:
Is l2tp tunnel authentication possible?
Is it possible for multiple (without limit) l2tp connections from the same LAC?
Yes, l2tp has a username and password and optional encryption. PPP → SECRETS (if you are the server) and PPP → INTERFACE, NEW PPP CLIENT (if you are the client).
You can control whether or not you allow multiple simultaneous connections from the same username (in PPP → PROFILE).
The problem I am having: I see the l2tp request come through, but then it stops and fails before it gets to the part where it tries to auth against the mikrotik ppp secrets.
12:58:25 l2tp,debug,packet rcvd control message from 10.10.10.1:1701
12:58:25 l2tp,debug,packet tunnel-id=26, session-id=0, ns=1, nr=1
12:58:25 l2tp,debug,packet (M) Message-Type=StopCCN
12:58:25 l2tp,debug,packet (M) Result-Code=2
12:58:25 l2tp,debug,packet Error-Code=6
12:58:25 l2tp,debug,packet Error-Message="Tunnel auth failed for LNS-1@Primus, no chal resp"
12:58:25 l2tp,debug,packet 105(vendor-id=9)=0x00:01
12:58:25 l2tp,debug,packet (M) Assigned-Tunnel-ID=23911
12:58:25 l2tp,debug,packet sent control message (ack) to 10.10.10.1:1701
12:58:25 l2tp,debug,packet tunnel-id=23911, session-id=0, ns=1, nr=2
12:58:25 l2tp,debug tunnel 26 entering state: dead
I can l2tp in from another mikrotik with no issues at all.
It's just not opening the LAC
I guess you maybe know that - Routerboards can accept L2TP tunneled DSL connections as LNS if no tunnel authentication is required.
If the LAC is a Cisco router - you have to use “no l2tp tunnel authentication” in the vpdn group.
Relayed ppp sessions will then show up as L2TP server interface on the Routerboard and can be authenticated against PPP secrets or Radius.
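
Added example, not part of the thread: what the "no chal resp" in the StopCCN above refers to. Under RFC 2661 tunnel authentication the peer that sends a Challenge AVP expects a Challenge Response AVP back, computed as MD5 over the message type octet, the shared tunnel secret and the challenge. The secret, the challenge and the function names below are constructed for illustration.

```python
import hashlib
import hmac

# L2TP Message Type values (RFC 2661) used as the CHAP-style ID octet.
SCCRP, SCCCN = 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(message type octet + secret + challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def check_sccrp(secret: bytes, challenge: bytes, response):
    """Decision made by the peer that sent the challenge in its SCCRQ.

    `response` is the Challenge Response AVP value from the SCCRP,
    or None when the AVP is absent (the case in the log above).
    """
    if response is None:
        return "StopCCN: no challenge response"
    expected = challenge_response(SCCRP, secret, challenge)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected, response):
        return "StopCCN: bad challenge response"
    return "accepted"


if __name__ == "__main__":
    secret = b"example-tunnel-secret"      # constructed shared tunnel secret
    challenge = bytes(range(16))           # constructed Challenge AVP value

    # LNS that ignores the Challenge AVP: tunnel is torn down.
    print(check_sccrp(secret, challenge, None))
    # LNS that answers with the right secret.
    good = challenge_response(SCCRP, secret, challenge)
    print(check_sccrp(secret, challenge, good))
    # LNS configured with a different secret.
    bad = challenge_response(SCCRP, b"wrong-secret", challenge)
    print(check_sccrp(secret, challenge, bad))
```

An LNS that cannot produce this AVP only comes up against a LAC that does not send a challenge, which is why the reply above has tunnel authentication switched off on the LAC side.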