Mikrotik as L2TP Client connected to Mikrotik L2TP server

jerryroy1 · August 31, 2020, 12:29am

I have two Mikrotiks. One side as L2TP server (Main) and other as L2TP Client (Spoke). I am unable to pass traffic beyond the Lan interface of either side. The L2TP client side (Spoke) obtains IP address via DHCP from ISP. It connects to Main and I can ping from Main (L2TP server) side IP from IP 192.168.1.1 to Spoke side IP 192.168.61.1 and Vice versa. I am unable to ping anything beyond these “LAN” or Inside IP addresses.

I am totally drawing a blank on what to look at now. I believe I should be doing source Nat but at this moment, I am not clear. (See attached)

Thanks for looking.
SPOKE.rsc (3.54 KB)
MAIN-site.rsc (15.9 KB)

jerryroy1 · August 31, 2020, 7:50pm

OK, traffic in one direction is resolved with a masquerade rule on the spoke side.

I have the routers all working in one direction they can all ping thru to the core network 192.168.1.0/24. What the current issue is the route back, the Production router can ping the inside interface of each spoke but no further and only if I set a route to the interface after the L2TP Ipsec tunnel comes up.

What am I missing here?

mducharme · August 31, 2020, 8:53pm

The masquerade is a band-aid. If you want bidirectional communication, don’t use masquerade, instead create routes in both directions.

jerryroy1 · August 31, 2020, 8:59pm

How do I create a route on the core side to the spoke subnet if there is no interface or IP to use? The interface is created dynamically when the spoke mikrotik connects.

xvo · August 31, 2020, 9:42pm

There are several options:

You can create L2TP Server Binding - which is a static interface.
You can specify the routes that you want to be added when the client connects, directly in PPP secret menu.
https://wiki.mikrotik.com/wiki/Manual:PPP_AAA#Properties_2

jerryroy1 · August 31, 2020, 10:43pm

Masquerade has been removed and a static route has been added so it will use interface on the Main router. I hope I did it right. I used the same username that I have already created under the Secrets menu on this interface. Still no traffic in one direction from main side 192.168.1.0/24 to spoke subnet 192.168.61.0/24. I can ping only the spoke side lan interface of 192.168.61.1 from the Main MT router. See L2TP Server Binding interface I added (below) called R1-l2tp-in1 and it has a route to the spoke subnet 192.168.61.0/24

[PRODUCTION MAIN SIDE] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

snipped…
6 ADC 192.168.1.0/24 192.168.1.1 inside 0
7 ADC 192.168.1.251/32 192.168.1.1 R1-l2tp-in1 0
8 A S 192.168.60.0/24 192.168.99.1 gre-tunnel-to-1… 5
9 A S 192.168.61.0/24 R1-l2tp-in1 1
10 ADC 192.168.99.1/32 192.168.99.1 loopback-gre-site1 0
[PRODUCTION] >

Spoke-routes.txt (2.18 KB)

xvo · September 1, 2020, 10:50am

You can’t use interface as a gateway in this case. It has to be remote router’s tunnel address: 192.168.1.251

jerryroy1 · September 2, 2020, 4:34am

Doesn’t work still

xvo · September 2, 2020, 7:06am

Have you done the same on the other side?

Also you better change the addresses on the tunnel itself so they are not from your local subnet.