I can find a lot of documentation on L2TP and have utilized that for an L2 tunnel to connect two remote networks with a simple bridge setup to extend a circuit across an alternate route during a fiber cut.
The partner I'm working with inquired about passing LLDP on that circuit, which from what I am reading would require the use of l2tp-v3 ethernet.
I can find the documentation on the wiki, but it is pretty sparse, with no examples on implementation or what is required to turn that up.
Does anyone have an example of a simple l2tp-v3 tunnel between two CCRs so I can pass L2 protocols? It is on a private network so IPsec/encryption is not required. The backup link has an MTU of 1424 but I need to pass 1600 MTU.
One of the networks is sitting behind a Starlink terminal, so it is in a private NATed network to a server in Seattle. This is in Alaska transporting public internet to small native villages. I was connected via subsea fiber backhauling to Seattle and peering with Hurricane Electric. Now I am using L2TP to simulate the L2 network from the village to my peer in Seattle, but on either end is a Ciena, and since L2TP v2 doesn't pass L2 protocols, I lose LLDP and cannot utilize (or the transport company I am partnering with cannot utilize) Ciena MCP (Navigator) to configure the equipment. Several of the other workarounds are on OneWeb, which I have routed IP space on, and I can use EoIP or IPIP to get to those. But for the ones on Starlink, I need layer 2.
Starlink has some limitations (VPNs that rely on protocols 47 (GRE), 50 (ESP), 51 (AH), 115 (L2TP) are dropped by CGNAT at this time).
You must first have an encrypted P2P VPN (like WireGuard), then build the L2 circuit between MT peers (L2TPv3/EoIP).
Do you have a test of transmitting VXLAN/MACsec over Starlink?
Simple working L2TPv3 VPN in IP and UDP mode.
[admin@MikroTik] /interface> /interface l2tp-ether print
Flags: X - disabled; D - dynamic; R - running; u - unmanaged
 0 X u name="l2tpv3-1" mtu=1500 connect-to=151.237.xx.yy mac-address=FE:01:BD:7F:96:05 use-ipsec=no ipsec-secret="" allow-fast-path=no l2tp-proto-version=l2tpv3-ip circuit-id="" cookie-length=0 digest-hash=none
       use-l2-specific-sublayer=yes local-address=93.183.xx.yy local-tunnel-id=100 local-session-id=100 remote-tunnel-id=100 remote-session-id=100 unmanaged-mode=yes
 1 Ru  name="l2tpv3-2" mtu=1500 actual-mtu=1500 connect-to=185.242.xx.yy mac-address=FE:1B:51:51:94:B6 use-ipsec=no ipsec-secret="" allow-fast-path=yes l2tp-proto-version=l2tpv3-ip circuit-id="" cookie-length=0
       digest-hash=none use-l2-specific-sublayer=yes local-address=93.183.xx.yy local-tunnel-id=110 local-session-id=110 remote-tunnel-id=110 remote-session-id=110 unmanaged-mode=yes
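
An added example, not part of the thread and not RouterOS code: the output above shows `l2tp-proto-version=l2tpv3-ip`, `cookie-length=0` and `use-l2-specific-sublayer=yes`, so this Python code encodes and validates the RFC 3931 L2TPv3-over-IP data header that those settings describe, and shows that with a zero-length cookie the session ID is the only field the receiver checks. The function names, the constructed LLDP frame and the sample cookie used to exercise it are assumptions made for the example.

```python
import hmac
import struct

# Constructed sample: minimal LLDP frame (nearest-bridge group MAC, EtherType 0x88CC).
LLDP_FRAME = bytes.fromhex("0180c200000e" "020000000001" "88cc" "0000")
S_BIT = 0x40000000  # "sequence number present" flag in the default L2-Specific Sublayer

def build_l2tpv3_ip(session_id, frame, cookie=b"", l2ss=True, seq=None):
    """Encode an L2TPv3-over-IP (IP protocol 115) data message, RFC 3931 layout."""
    if session_id == 0:
        raise ValueError("session ID 0 marks a control message")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    header = struct.pack("!I", session_id) + cookie
    if l2ss:  # 4 bytes: flags plus 24-bit sequence number
        word = 0 if seq is None else S_BIT | (seq & 0xFFFFFF)
        header += struct.pack("!I", word)
    return header + frame

def parse_l2tpv3_ip(payload, sessions):
    """Validate and decapsulate. sessions maps local session ID -> (cookie, l2ss)."""
    if len(payload) < 4:
        raise ValueError("truncated header")
    (session_id,) = struct.unpack("!I", payload[:4])
    if session_id not in sessions:
        raise ValueError("unknown session ID")
    cookie, l2ss = sessions[session_id]
    off = 4 + len(cookie)
    # Constant-time compare; with a zero-length cookie this check always passes.
    if not hmac.compare_digest(payload[4:off], cookie):
        raise ValueError("cookie mismatch")
    seq = None
    if l2ss:
        if len(payload) < off + 4:
            raise ValueError("truncated L2-Specific Sublayer")
        (word,) = struct.unpack("!I", payload[off:off + 4])
        seq = word & 0xFFFFFF if word & S_BIT else None
        off += 4
    return session_id, seq, payload[off:]

if __name__ == "__main__":
    # Session 110 as in the output above: no cookie, sublayer on -> 8 bytes of L2TPv3 header.
    pkt = build_l2tpv3_ip(110, LLDP_FRAME)
    print(len(pkt) - len(LLDP_FRAME), parse_l2tpv3_ip(pkt, {110: (b"", True)}))
```

The 8 bytes counted here are only the L2TPv3 header; the outer IP header and any carrier tunnel add their own overhead on top of the inner Ethernet frame.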