I’m just checking out the L2TP server of RouterOS 2.9rc5, and I cannot find any information on how to set authentication parameters for an L2TP tunnel itself (not for the PPP sessions running within).
I am used to working with L2TP tunnels on Cisco and Redback systems, and when we’re receiving L2TP tunnels from other partner ISPs or access providers it is usually desired to configure authorization of L2TP tunnel establishment for every L2TP tunnel peer.
How is this done in RouterOS?
For example, on a Cisco you do something like this (quoted from the Cisco documentation on L2TP):
vpdn enable
!
vpdn-group 1
 accept dialin l2tp virtual-template 1 remote sp_lac
 local name lns
You will also need to configure local username database entries for the LAC and LNS. The entries are used during the tunnel authentication process. The following is an example of these entries:
!
username sp_lac password 7 104D000A0618
username lns password 7 01100F175804
!
In this example the L2TP partner must identify itself as sp_lac and provide the correct password (from the username sp_lac password 7 104D000A0618 line) for the L2TP tunnel to be established. Authentication of PPP sessions coming in via the L2TP tunnel once it is running is not my concern here.
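The tunnel-level authentication the post is asking about is the RFC 2661 control-connection handshake: the peer announces its Host Name (sp_lac above), each side sends a random Challenge, and each side must answer the other's challenge with a CHAP-style MD5 over the message type, the shared tunnel secret and the challenge. The following Python simulation is an added example, not code from this thread, from Cisco or from MikroTik. It models the Cisco username database as a per-peer table of shared secrets (one secret per tunnel pair, which is what RFC 2661 requires); the hostnames, secrets and challenge bytes are constructed for the demo, and the message dictionaries stand in for the real SCCRQ/SCCRP/SCCCN AVPs.

```python
# Added example: simulated RFC 2661 L2TP tunnel authentication (SCCRQ -> SCCRP
# -> SCCCN) between a LAC and an LNS. Names and secrets are constructed.
import hashlib
import hmac
import os

# Control message types from RFC 2661 section 6 (assumed here; not on the page).
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 section 4.4.3: the Challenge Response AVP is computed as in CHAP,
    using the one-octet message type as the identifier, the shared tunnel
    secret as the password, and the peer's challenge."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelPeer:
    """One end of an L2TP control connection (either LAC or LNS role).

    `secrets` plays the role of the Cisco 'username <peer> password ...'
    entries: the peer's Host Name selects which shared secret to use."""

    def __init__(self, hostname: str, secrets: dict):
        self.hostname = hostname
        self.secrets = secrets
        self.my_challenge = None   # challenge we sent, to verify the peer's answer
        self.peer_secret = None    # secret selected by the peer's Host Name

    def _lookup(self, peer_hostname: str) -> bool:
        self.peer_secret = self.secrets.get(peer_hostname)
        return self.peer_secret is not None

    def build_sccrq(self) -> dict:
        # LAC -> LNS: announce our name and challenge the LNS.
        self.my_challenge = os.urandom(16)
        return {"type": SCCRQ, "hostname": self.hostname,
                "challenge": self.my_challenge}

    def handle_sccrq(self, msg: dict):
        # LNS: an unknown Host Name means there is no secret to check against,
        # so the tunnel is refused (a real LNS would send StopCCN).
        if not self._lookup(msg["hostname"]):
            return None
        self.my_challenge = os.urandom(16)
        return {"type": SCCRP, "hostname": self.hostname,
                "challenge": self.my_challenge,
                "response": challenge_response(SCCRP, self.peer_secret,
                                               msg["challenge"])}

    def handle_sccrp(self, msg: dict):
        # LAC: verify the LNS proved knowledge of the secret, then answer
        # the LNS's challenge in SCCCN.
        if not self._lookup(msg["hostname"]):
            return None
        expected = challenge_response(SCCRP, self.peer_secret, self.my_challenge)
        if not hmac.compare_digest(expected, msg["response"]):
            return None
        return {"type": SCCCN,
                "response": challenge_response(SCCCN, self.peer_secret,
                                               msg["challenge"])}

    def handle_scccn(self, msg: dict) -> bool:
        # LNS: final check; only now is the control connection established.
        expected = challenge_response(SCCCN, self.peer_secret, self.my_challenge)
        return hmac.compare_digest(expected, msg["response"])


def establish_tunnel(lac: TunnelPeer, lns: TunnelPeer) -> bool:
    """Run the three-way exchange; True only if both sides accept each other."""
    sccrp = lns.handle_sccrq(lac.build_sccrq())
    if sccrp is None:
        return False
    scccn = lac.handle_sccrp(sccrp)
    if scccn is None:
        return False
    return lns.handle_scccn(scccn)


TUNNEL_SECRET = b"constructed-demo-tunnel-secret"   # constructed value


def demo_matching_secret() -> bool:
    lac = TunnelPeer("sp_lac", {"lns": TUNNEL_SECRET})
    lns = TunnelPeer("lns", {"sp_lac": TUNNEL_SECRET})
    return establish_tunnel(lac, lns)


def demo_wrong_secret() -> bool:
    # LAC configured with a different secret: the LNS's SCCRP response fails
    # verification on the LAC, so the LAC never sends SCCCN.
    lac = TunnelPeer("sp_lac", {"lns": b"some-other-secret"})
    lns = TunnelPeer("lns", {"sp_lac": TUNNEL_SECRET})
    return establish_tunnel(lac, lns)


def demo_unknown_peer() -> bool:
    # A Host Name with no username entry on the LNS is refused at SCCRQ.
    lac = TunnelPeer("unlisted_lac", {"lns": TUNNEL_SECRET})
    lns = TunnelPeer("lns", {"sp_lac": TUNNEL_SECRET})
    return establish_tunnel(lac, lns)


if __name__ == "__main__":
    print("matching secret:", demo_matching_secret())
    print("wrong secret:   ", demo_wrong_secret())
    print("unknown peer:   ", demo_unknown_peer())
```

The two failure demos show the two distinct controls in the Cisco snippet: the username entry gates which Host Names may even start a tunnel, and the shared secret gates whether the handshake completes. Note that the message type byte is part of the hash, so an SCCRP response can never be replayed as an SCCCN response even for the same challenge.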
Thanks for the pointer. I’ve read that part of the documentation, but I am still not sure how this will help me.
The scenario shown in the docs at http://www.mikrotik.com/docs/ros/2.8/interface/l2tp
uses L2TP to implement a simple, single point-to-point tunnel.
Basically you could have just as well used PPTP or maybe IPsec for this instead of L2TP.
But that is not the kind of tunnel I’d like to set up. See this diagram to understand what I’m trying to do.
In this setup the left hand MikroTik router (MT1) will act as an access point accepting
incoming PPPoE connections from WLAN clients (unlike in the picture there could be
more than one simultaneously), but instead of terminating and routing
them itself I want MT1 to forward all the PPPoE sessions through the L2TP tunnel to
MT2, where the PPP session will be terminated. For the PPPoE client it would look like
it has a direct PPP connection with MT2, and MT2 does PPP authentication for the client,
provides a client IP address from a pool and connects the client to the internet.
This is the typical PPP wholesale setup used between access providers and ISPs all over
the world, but I believe the documentation page you pointed out implements something
different, doesn’t it?
I’ve looked into it about 6 months ago.
You can’t really accomplish this kind of setup with RouterOS as it is now.
Which is a shame, I’d jump at doing this. That is, if they implement it right and forward the PPP frames properly.
But why would you want to use something that AFAIK can’t transport the L2TP packets over without reducing MTU for tunneled traffic?
Because everyone and their horse are shoving this up my behind
Like I said it’s just the way the access provider wholesale industry interconnects.
If I want to play with them, I have to play by the rules.
Relating to the very simple setup I outlined in my previous post, I agree that I’d have
a ton of alternatives to make this work, like directly connecting MT1 and MT2
on layer 2, or using an EoIP tunnel to accomplish this and running the PPPoE AC on MT2, whatever.
What I described was just a very simple test setup I came up with. In reality there would
also be large numbers of PPPoE connections being delivered from DSL access providers to
me etc., and these guys only deliver via L2TP in the way I described.
Couldn’t you just create the L2TP tunnel, then create a bridge interface, and add the wireless AP interface and the L2TP interface to the bridge?
The documentation I pointed you to simply shows how an L2TP tunnel is created and how authentication is established for the tunnel, which I thought was what you were asking.
I’m not having a huge problem with this because we already do have the necessary
big boys’ toys (like Redback SMS and Juniper) in place, at least as LNS, but it would be
really nice to use MikroTik on the LAC side (mainly with wireless) in a way that is compatible
with the big boys’ toys on the LNS side, and to at least have the possibility to replace
one of those high-end LNS with a MikroTik router in worst-case hardware outage situations.
Being able to use a MikroTik device as wireless access point and LAC compatible with the
Redback and Juniper L2TP stuff would be a real plus as it would enable us to extend the very
same subscriber infrastructure that is already in place (on the LNS side) for PPPoE-over-DSL
and old-style PPP dialup over POTS and ISDN to wireless. And, as I said, if RouterOS could handle
the LNS side of things really well one might even be able to reduce the number of
Redback/Juniper/Cisco LNS devices and use MikroTik instead for a new POP.
We have looked at this over time, but we needed to complete some base PPP support. We don’t have any ‘big iron’ stuff here to test with. We do have some small Ciscos and we have some more coming for compatibility tests and such. Do you know if the small Ciscos will support the LNS features?
Or any suggestions on how we can test such support if we make it.