Site-to-Site L2VPN

Denikin80 · November 16, 2016, 9:41am

A have two Mikrotik routers with public ip addresses.
Need to establish L2VPN between them.
Basic scheme:

–LAN 192.168.0.0—> R1(v6.10) <—internet—> R2(v6.37.1) <—LAN 192.168.0.0—

I tried L2TP (PPTP) + BCP bridging → routers can ping each other, and ARP table is filled with MAC’s of computers in both sides of LANs,
but copmuters in LAN’s cannot ping each other (firewall is disabled on both routers)
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Read_More
http://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)
Tried MPLS+VPLS, but can’t do this since does not have OSPF neighborship via internet. Or if i establish OSPF neighborship via tonnel (PPTP+BCP) then a cant bind VPLS to LAN interface as he is already binded to BCP.
http://wiki.mikrotik.com/wiki/Manual:MPLS_L2VPN_vs_Juniper

Guess i do it in the wrong way.

nichky · November 17, 2016, 10:38am

You want to do Site-to-Site L2TP? just follow the part of that. You got the link of that. Did you try to do? Show us your config.

Denikin80 · November 18, 2016, 4:28am

Ok i’am explain in more detail.
I want not only Site-to-Site VPN, but also L2 bridging.

Configured PPTP + BCP Bridging like in this instruction http://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)
or another config - L2TP + EoIP bridge
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
https://ru.scribd.com/document/48678295/Mikrotik-VPN

The result is the same.

Host1 <–LAN 192.168.0.0–>[bare metal Mikrotik]<—Internet—>[CHR vm Mikrotik]<–LAN 192.168.0.0> Host2
Ping test (LAN):

Host1 → CHR vm Mikrotik - OK
Host1 → Host2 - Fail
bare metal Mikrotik → CHR vm Mikrotik - OK
bare metal Mikrotik → Host2 - Fail

Host2 → bare metal Mikrotik - Fail
Host2 → Host1 - Fail
CHR vm Mikrotik → bare metal Mikrotik - OK
CHR vm Mikrotik → Host1 - OK

CHR vm Mikrotik (PPTP server):

[admin@MikroTik] > interface pptp-server print detail
Flags: X - disabled, D - dynamic, R - running
 0  DR name="<pptp-ppp1>" user="ppp1" mtu=1450 mru=1460
       client-address="xx.xx.xx.xx" uptime=39m6s
       encoding="MPPE128 stateless"

[admin@MikroTik] > interface bridge print
 1  R name="bridge_local" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled
      arp-timeout=auto mac-address=00:50:56:01:07:95 protocol-mode=rstp
      priority=0x8000 auto-mac=no admin-mac=00:50:56:01:07:95
      max-message-age=20s forward-delay=15s transmit-hold-count=6
      ageing-time=5m

[admin@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    ether1                 bridge_local            0x80         10       none
 1  D <pptp-ppp1>            bridge_local            0x80         10       none

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   yy.yy.yy.yy/24    yy.yy.yy.yy     ether2
 1   192.168.120.1/24   192.168.120.0   bridge_local

bare metal Mikrotik (PPTP client):

[admin@MikroTik] > interface pptp-client print detail
Flags: X - disabled, R - running
 0  R name="pptp-out1" max-mtu=1450 max-mru=1450 mrru=disabled
      connect-to=yy.yy.yy.yy user="ppp1" password="xxx"
      profile=ppp_bridging keepalive-timeout=disabled add-default-route=no
      dial-on-demand=no allow=mschap1,mschap2

[admin@MikroTik] > interface bridge print
1  R name="bridge_local" mtu=1500 l2mtu=1588 arp=enabled
      mac-address=4C:5E:0C:98:B9:BB protocol-mode=rstp priority=0x8000
      auto-mac=no admin-mac=4C:5E:0C:98:B9:BB max-message-age=20s
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

[admin@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    ether1-master-local    bridge_local            0x80         10       none
 1  D (unknown)              bridge_local            0x80         10       none

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; lan
     192.168.120.203/24 192.168.120.0   bridge_local
 1   ;;; internet
     xx.xx.xx.xx/30   xx.xx.xx.xx   ether2-slave-local
...

rjscomms · November 18, 2016, 9:50am

How about this

https://www.manitonetworks.com/mikrotik/2016/3/9/eoip-tunnel

haiderasyed · April 23, 2018, 12:59pm

Dear All,

We are trying to configure l2vpn by using targeted ldp between two CEs using mikrotik as PE on one side and juniper on other side.

| |
|- - - - - - - - - L2 Circuit - - - - - - - - - - - - |
| |
CE - - - → Mikrotik - - - - → MPLS CLOUD - - - - → Juniper - - - → CE
(PE) (PE)

L2circuit is up but the CE devices are not able to ping each other. Below given is the configuration of both ends. Do anyone have any idea what is missing?

Mikrotik:
/mpls ldp
set enabled=yes lsr-id=192.168.112.254 transport-address=192.168.112.254

/mpls ldp neighbor
add transport=202.163.74.254

/mpls traffic-eng interface
add bandwidth=700Mbps interface=gre-tunnel1

/interface vpls
add advertised-l2mtu=1550 cisco-style=yes cisco-style-id=513 disabled=no l2mtu=1550 mac-address=02:98:F3:FD:8D:60 mtu=1550 name=l2-qta pw-type=tagged-ethernet
remote-peer=202.163.74.254

/routing bgp peer
add address-families=l2vpn,vpnv4 name=quetta remote-address=202.163.74.254 remote-as=9541 tcp-md5-key=cyb3rn3t ttl=default update-source=192.168.112.254

Juniper:
show configuration protocols bgp
group internal {
type internal;
local-address 202.163.74.254;
log-updown;
family inet {
unicast;
}
family inet-vpn {
unicast;
}
authentication-key “$9$Escyrvdb2oaUVb.5z6u0X7N-Yo”; ## SECRET-DATA
export NHS;
tcp-mss 512;
neighbor 192.168.112.254 {
description " *** mikrotik-engg-lab ***";
}
}

show configuration protocols mpls label-switched-path qtacore-mikrotik-engg-lab-loose
from 202.163.74.254;
to 192.168.112.254;
metric 250;
no-cspf;
optimize-timer 300;
adaptive;

show configuration protocols l2circuit
neighbor 192.168.112.254 {
interface ge-0/0/1.513 {
virtual-circuit-id 513;
description mikrotik-engg-l2;
no-control-word;
mtu 1550;
}
}

show configuration interfaces ge-0/0/1.513
description “*** mikrotik-engg-l2 ***”;
encapsulation vlan-ccc;
vlan-id 513;
family ccc;

l2circuit status:

Juniper:

Neighbor: 192.168.112.254
Interface Type St Time last up # Up trans
ge-0/0/1.513(vc 513) rmt Up Apr 23 17:19:50 2018 1
Local interface: ge-0/0/1.513, Status: Up, Encapsulation: VLAN
Description: mikrotik-engg-l2
Remote PE: 192.168.112.254, Negotiated control-word: No
Incoming label: 188288, Outgoing label: 6711

Mikrotik:

[admin@MikroTik] /interface vpls> monitor 2
remote-label: 188288
local-label: 6711
remote-status: