Community discussions

MikroTik App
just joined
Topic Author
Posts: 3
Joined: Mon Mar 23, 2020 4:28 am


Fri May 22, 2020 10:35 am

Hi all,
We have a similar issue at our end too with PPPOE WAN and L2TP/IPSEC VPN.

We basically have a RB951G-2HnD with LT2P/IPSEC configured, that is connected to the internet via a PPPOE connection to a bridged modem
Following a reboot of either the modem or the mikrotik router the PPPOE connection would not be able to connect again.
The only way we found to revive the PPPOE connection is to disable the L2TP server from the PPP section on the mikrotik (disabling the VPN).

Any help on this matter would be greatly appreciated.
just joined
Topic Author
Posts: 3
Joined: Mon Mar 23, 2020 4:28 am

Re: <issue> PPPOE WAN and L2TP/IPSEC VPN

Tue May 26, 2020 7:30 am

hi, the config as below:

ppp profile add name=ipsec_vpn local-address= dns-server=
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
/ip ipsec policy set [ find default=yes ] src-address= dst-address= protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="mikrotik" peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ip pool add name=vpn-pool range=
/ppp profile
set default local-address= remote-address=vpn-pool
/ppp secret
add name=user1 password=123
add name=user2 password=234

/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: <issue> PPPOE WAN and L2TP/IPSEC VPN

Tue May 26, 2020 10:05 am

I can see that you've modified the /ppp profile row named default so it now contains a fixed value for local-address and a pool for remote-address. What I can not see, because you've only published the part of configuration which you assume to contain the issue, is any row in /ppp profile without local-address set, nor the /interface pppoe-client configuration.

The thing is that all PPP-based interfaces refer to some row in /ppp profile, and all of them use the row named default or default-encryption by default unless you set something else manually. So by modifying the /ppp profile named default to suit the use for /ppp secret rows, you force your idea of local and remote IP address to be used for the tunnel also to the PPPoE server, and the bad luck is that the IPCP negotiation somehow successfully overrides this under some specific circumstances although it never should, so the misconfiguration is hard to spot. Whether and how is disabling the L2TP server related to that success is unclear to me.

So to avoid the need to assign a dedicated row in /ppp profile to every row in /ppp secret, I would suggest that you add another /ppp profile row dedicated for use with the /interface pppoe-client, which will not restrict local-address and remote-address, and make the /interface pppoe-client refer to it:

/ppp profile add name=pppoe-client change-tcp-mss=yes
/interface pppoe-client set [find] profile=pppoe-client
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: Google [Bot], Maggiore81 and 70 guests