Ok, I must confess, I haven’t looked at this myself yet (except for reading the document), but I can already see some issues I may have… Perhaps someone can shed some light for me…
Secondly, I require MT to be a L2TP client connecting to a Cisco L2TP Server via IPSec. The only half decent mention of IPSec in the L2TP Manual…
It may also be useful to use L2TP just as any other tunneling protocol with or without encryption. The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec (Note that it is default mode for Microsoft L2TP client) as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.
That doesn’t help me at all in regards to setting it up.
Using the Cisco VPN Client, it seems to me that the entire IPSec configuration is automatically negotiated, and then the tunnel is established over UDP as it should. How would this be set up in MT? I’d love for MT to rather handle the L2TP Tunnel instead of having to do it manually all the time by using the Cisco VPN Client…
Is the IPSec part handled by /ip ipsec, and the tunnel handled separately by /ppp l2tp-client?
Thanks for the encouragement. Tunneling ain't too much of a pain; figuring out how it's been implemented might be though... Will see how it goes and if it's too much trouble, I may just stick to the VPN Client from Cisco.
Using the Cisco VPN client doesn’t involve L2TP. It’s pure IPSEC using either ESP packets or UDP / TCP if you’ve enabled NAT-T.
Usually, the only time you involve L2TP in VPNs is if you’ve got MS involved anywhere, either as the client or the server. Somewhere along the line MS have made the decision not to support IPSEC without L2TP.
So, if you’re talking to a Cisco, just use IPSEC. MT doesn’t support NAT-T but if you’re doing router to router tunnelling then that usually doesn’t matter.
As an aside, I have had IPSEC working through an MT using NAT, in this case it was the Cisco VPN client where the server didn’t have NAT-T enabled. ESP packets do actually survive being NATTed (unlike AH). However, I suspect this wouldn’t work with more than one tunnel open.
The Cisco VPN Client does create an L2TP Tunnel; it’s not the ‘well known’ VPN Client that creates only IPSec tunnels… This is an actual L2TP Client, asking for a username / password to connect to the VPN, and dynamically configuring an IPSec tunnel around that to encrypt the data flows.
I’ll play with this a bit next week and see what I can come up with I guess.