Jotne
Forum Guru
Topic Author
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

VPN routing L2TP/IPsec

Sat Sep 17, 2022 12:08 pm

I need some help to understand the routing to be used with one L2TP/IPsec tunnel that I have set up.

MainRouter (192.168.1.1) --L2TP network 10.0.0.0/24-RemoteClient 192.168.88.0/24
ppp secret: name=work service=l2tp

Both MainRouter and Client are MikroTik.
Everything connects fine.

But when I try to reach an RDP server (192.168.88.10) at RemoteClient, I need to add a route on MainRouter so that MainRouter's clients know where to go.
I tried to use the IP that the tunnel gives, for example 10.0.0.2, and everything works fine until the tunnel goes down and up again and the IP changes to 10.0.0.3.
So I looked for an alternative way to set the route. In the MainRouter routing table I see the VPN connection as this:
Dynamic dest-IP: 10.0.0.3 (tunnel IP) Gateway: <l2tp-work-1>
So I then added the route for 192.168.88.0/24 to <l2tp-work-1>.

This seems to work fine all the time, but where does the -1 come from, and is this the best way to do it? What if it changes to -2...
How should I find this out before the router connects? It even needed to have the < > in the name.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN routing L2TP/IPsec  [SOLVED]

Sat Sep 17, 2022 1:40 pm

How should I find this out before the router connects? It even needed to have the < > in the name.
While there is an answer to this exact question, I'll skip it and answer what you actually want instead.

The best way is to use the routes parameter of the /ppp secret row at the server (MainRouter) side.

The -1 (or -2, or even -3 if the network behaves really funny at that time) is there because the previous connection had not timed out yet at the server side at the moment the client has established a new one. If multiple tunnels to the same client are established, the system may use any of them to deliver packets, so if one of the tunnels is dead, some packets do not get through. One way to deal with this is to prevent a new tunnel from establishing while an old one is still active, but the effective outcome is the same - until the old tunnel times out, you cannot talk to the client. So it is better to use an on-up script in the /ppp profile to which the /ppp secret row refers to actively remove older tunnels to the same user.
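The two settings described in the answer above, written out as an added RouterOS CLI example (not sindy's or Jotne's own configuration), using the secret name and prefixes from this thread. The profile name vpn-l2tp is assumed; the on-up script variables ($user, $"remote-address") and the address field of /ppp active are assumed from the RouterOS PPP documentation, so check them on your version before relying on the script.

```routeros
# Added example, not the thread's own config. Names follow the thread:
# secret "work", client LAN 192.168.88.0/24, tunnel pool 10.0.0.0/24.

# 1. Let the server add the route itself while the client is connected.
#    The route is installed when "work" comes up and removed when the
#    tunnel drops, so it never points at a stale 10.0.0.x client address.
/ppp secret set [find name="work"] routes="192.168.88.0/24"

# 2. On the profile the secret uses, drop every other active session of the
#    same user when a new one comes up. The new session is identified by its
#    own tunnel address ($"remote-address"), so only the older ones are removed
#    and only one <l2tp-work-N> interface remains to carry traffic.
#    Assumed: on-up receives $user and $"remote-address", and /ppp active
#    exposes the peer's tunnel address as "address". \$ and \" are escaped so
#    the variables are expanded when the script runs, not when it is stored.
/ppp profile set vpn-l2tp on-up=":foreach s in=[/ppp active find where name=\$user and address!=\$\"remote-address\"] do={ :log info (\"dropping stale PPP session of \" . \$user); /ppp active remove \$s }"

# 3. Make sure the secret refers to that profile so the script applies to it.
/ppp secret set [find name="work"] profile="vpn-l2tp"

# Alternative mentioned above but advised against: refuse a second concurrent
# session outright, which leaves the client waiting for the old one to time out.
# /ppp profile set vpn-l2tp only-one=yes
```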
 
Jotne
Forum Guru
Topic Author
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: VPN routing L2TP/IPsec

Sat Sep 17, 2022 4:36 pm

That did work perfectly. Thanks for the explanation.
Should have seen that field before. :oops:
