Mikrotik LNS profile selection

Hi fellow Mikrotik users..

I’m fairly new to Mikrotik and looking to use a bunch of Mikrotik CCR devices to replace aging Cisco 7200 routers currently providing LNS termination for customer L2TP sessions.

I’ve managed to get basic LNS functionality working however we’re stuck on working out how to simulate the functionality provided by Cisco’s multiple vpdn-groups and virtual-templates.

Consider the following LNS configuration..
/ppp profile add name=virtual-template1 local-address=172.16.96.222 remote-address=pool1

/ppp profile add name=virtual-template2 local-address=172.16.96.226 remote-address=pool1

/ppp l2tp-secret add address=172.16.96.221/32 secret=xxx
/ppp l2tp-secret add address=172.16.96.225/32 secret=xxx

/interface l2tp-server server
set caller-id-type=ip-address default-profile=virtual-template1 enabled=yes

The last line of config sets the default-profile for the L2TP server to ‘virtual-template1’ but how can we select an alternate profile for another group of sessions when using RADIUS authentication? This other group of sessions might be using a different authentication realm or originate from a different group of LAC addresses.

There are various profile/virtual-template items that we may wish to update however specifically we have a requirement to use a different local-address for some service types.

With local users defined within the Mikrotik config we see it’s possible to specify the profile used for the session however there doesn’t appear to be any session specific RADIUS attributes that influence the default-profile or the l2tp-server local-address.
# local user
/ppp secret
add disabled=no name=user@realm.com password=test profile=virtual-template2

With Cisco we have the ability to use ‘terminate-from hostname’ to establish different service profiles where each vpdn-group can optionally specify a different virtual-template.
vpdn-group DSL
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname DSL-LAC

vpdn-group Wireless
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname Wireless-LAC

How can we achieve this functionality?
If there is no official support for profile selection using configuration or RADIUS, would it be possible to use scripting to achieve the same?

I see an On-Up script is available on the default-profile but could this change the local-address? Seems likely it would occur too late.

Thanks in advance.

Regards
Darren

Can anyone provide assistance with this? Do I need to explain the requirement in a different manner or is PPP profile selection for L2TP simply not possible with Mikrotik?

Regards
Darren

The equivalent of Cisco VPDN Profile / SSS or even AAA profile functionality does not currently exist in RouterOS.

I would suggest emailing support@mikrotik.com to request this functionality.

Appreciate the response.. will certainly do as you suggest.

Cheers
Darren

The one place we still have Cisco in our network is as an LNS, and even then we are looking at moving to Nokia vBNG.

Mikrotik are missing AAA routing and SSS equivalent functionality, as well as RADIUS VSAs to terminate a session into a particular VRF.

Maybe one day… :slight_smile:

Hi DPK,
Can you connect using a single Virtual-Template?

I’m trying to change my Cisco for a Mikrotik, but I don’t know how to configure a Mikrotik to accept DSL connections through a VPDN tunnel against the LACs and validate the PPP with a RADIUS server?

My Cisco config is this:


vpdn enable
!
vpdn-group NAS2XX
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname ITSNAME
source-ip 1.1.1.1
local name MYNAME
lcp renegotiation always
l2tp tunnel password 7 x-x-x-x-x
!
!
interface Virtual-Template1
mtu 1501
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
no logging event link-status
no snmp trap link-status
peer default ip address pool dinamyc-ip-pool
ppp max-bad-auth 10
ppp authentication pap chap callin

  • RADIUS CONFIG
  • IP POOL CONFIG


I don’t find in the Mikrotik PPP configuration where to insert the local and remote name, and my local interface for my vpdn-group.

Could you achieve this? If yes, could you post the config, please?

Greetings.