problem about Mikrotik L2tp

xjian3890 · November 27, 2023, 4:29am

I am using MikroTik CCR 1036 as an L2TP server and noticed that, with different secrets, the server displays the same IP address for two L2TP clients and same direct routing entries.
BGP routing entries to the destination also show two distinct, and 50% packets loss!

as below:
ip address print:
48 D 10.1.2.254/32 10.1.34.201
232 D 10.1.2.254/32 10.1.34.201

ip route print:
151 ADC 10.1.34.201/32 10.1.2.254 0

BGP routing:
479 ADb 10.254.16.199/32 10.1.34.201 20

The IP addresses and L2TP configurations for the two spoke devices are as follows:
Spoke1:
ip address print:
5 D 10.1.34.201/32 10.1.2.254 l2tp-test-hub-02

l2tp-client configuration:
add connect-to=xxxxxxx disabled=no keepalive-timeout=disabled name=l2tp-test-hub-02 password=testing1 user=test-0162

Spoke 2:
ip address print:
11 D 10.1.2.33/32 10.1.2.254 l2tp-test-hub-02

l2tp-client configuration:
add connect-to=xxxxxxx disabled=no keepalive-timeout=disabled name=l2tp-test-hub-02 password=testing2 user=test-0033

Thank you very much. Is there anyone who can help take a look and identify the issue?

sindy · November 27, 2023, 7:07pm

Do you use /ppp secret items or RADIUS (User Manager or an external one) to store the configuration of the L2TP clients?

xjian3890 · November 28, 2023, 2:15am

I believe that the L2TP server is not managed by AAA or any other server with IP allocation capabilities.

sindy · November 28, 2023, 8:07am

Show me the two /ppp secret rows in question, remove passwords before posting of course:
/ppp secret print where name~“test-(0033|0162)”

xjian3890 · November 28, 2023, 8:31am

Thank you for your help,

ppp secret configuration :

/ppp secret
add name=test-0033 password=testing2 profile=testing-prof
remote-address=10.1.2.33 service=l2tp

add name=test-0162 password=testing1 profile=testing-prof
remote-address=10.1.34.201 service=l2tp

profile configuration:

/ppp profile
add local-address=10.1.2.254 name=testing-prof only-one=yes use-encryption=required

sindy · November 28, 2023, 10:10am

That looks pretty normal - distinct remote-address values, no pool used on either the /ppp secret row or on the /ppp profile row.
What are the L2TP clients, also Mikrotiks or something else? I can imagine the client can suggest an address of its choice and the server may accept it, but already that would be a bug. If this is not the case, I can only imagine a bug or a RAM issue on the CCR.

sindy · December 6, 2023, 4:54pm

So a recent experience from another installation suggests that the L2TP server does not check for duplicities - if one client gets an address from a pool and an address that fits into the pool is assigned to another client using the remote-address parameter of the /ppp secret row for that client, you end up with two clients getting the same address from the server. So I can imagine that, unless you have set only-one in the PPP profile to yes, one of the two clients that conflicted could restart and establish a new connection while the old one was still up at the server; since the address assigned to that client by means of explicit remote-address was occupied, the server has assigned an unused one from the pool. But unused from the pool perspective, not from the perspective of the L2TP server itself. Would this be a plausible scenario in your setup, i.e. is there a pool configured as remote-address for the PPP profile to which the client’s row of /ppp secret or the /interface l2tp-server server setting refers, and does that pool overlap with the explicitly configured client addresses?