tneumann
Member
Topic Author
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

L2TP tunnel authentication

Sat Jun 18, 2005 6:16 pm

I'm just checking out the L2TP server of RouterOS 2.9rc5, and I can not find any information on how to set authentication parameters for an L2TP tunnel itself (not for the PPP sessions running within).

I am used to working with L2TP tunnels on Cisco and Redback systems, and when we're receiving L2TP tunnels from other partner ISP or access providers it is usually desired to configure authorization of L2TP tunnel establishment for every L2TP tunnel peer.

How is this done in RouterOS?

For example, on a Cisco you do something like this (quoted from the Cisco documentation on L2TP):

vpdn enable
!
vpdn-group 1
 accept dialin l2tp virtual-template 1 remote sp_lac
 local name lns

You will also need to configure local username database entries for the LAC and LNS. The entries are used during the tunnel authentication process. The following is an example of these entries:

!
username sp_lac password 7 104D000A0618
username lns password 7 01100F175804
!
In this example the L2TP partner must identify itself as sp_lac and provide the correct password (from the username sp_lac password 7 104D000A0618 line) for the L2TP tunnel to be established. Authentication of PPP sessions coming in via the L2TP tunnel once it is running is not my concern here.

What am I missing here?

--Tom
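The tunnel-level authentication asked about above is the RFC 2661 challenge/response on the L2TP control connection, which is separate from PPP authentication of the sessions inside the tunnel. The following is an added example, not code from this thread, from RouterOS or from Cisco: it simulates both sides of that exchange using the peer names sp_lac and lns from the post together with a constructed shared secret and constructed challenge values.

```python
import hashlib
import hmac

# RFC 2661 control message types whose Challenge Response AVP we compute.
SCCRP = 2  # Start-Control-Connection-Reply: LNS answers the LAC's challenge
SCCCN = 3  # Start-Control-Connection-Connected: LAC answers the LNS's challenge

def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: MD5(message type octet || shared secret || challenge).
    Including the type octet stops an SCCRP response being replayed as SCCCN."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def tunnel_auth(lac_name, lac_secrets, lns_name, lns_secrets, c_lac, c_lns):
    """Simulate both sides of L2TP tunnel authentication (RFC 2661 section 5.1.1).
    lac_secrets / lns_secrets map a peer's Host Name AVP to the shared tunnel
    secret (the role of the Cisco 'username ... password' lines in the post).
    c_lac / c_lns are the Challenge AVPs each side generated: 16 random bytes in
    practice, passed in here so the exchange is reproducible.
    Returns (lac_accepts_lns, lns_accepts_lac)."""
    # SCCRQ (LAC -> LNS): Host Name = lac_name, Challenge = c_lac.
    secret_at_lns = lns_secrets.get(lac_name)
    if secret_at_lns is None:
        return (False, False)  # unknown LAC: LNS answers with StopCCN
    # SCCRP (LNS -> LAC): Host Name = lns_name, Challenge = c_lns,
    # Challenge Response = MD5(2 || secret || c_lac).
    r_lns = challenge_response(SCCRP, secret_at_lns, c_lac)
    secret_at_lac = lac_secrets.get(lns_name)
    if secret_at_lac is None:
        return (False, False)  # unknown LNS: LAC sends StopCCN
    expected = challenge_response(SCCRP, secret_at_lac, c_lac)
    if not hmac.compare_digest(r_lns, expected):
        return (False, False)  # LNS could not prove the secret: LAC sends StopCCN
    # SCCCN (LAC -> LNS): Challenge Response = MD5(3 || secret || c_lns).
    r_lac = challenge_response(SCCCN, secret_at_lac, c_lns)
    expected = challenge_response(SCCCN, secret_at_lns, c_lns)
    lns_accepts = hmac.compare_digest(r_lac, expected)
    return (True, lns_accepts)  # data sessions may start only if both are True

# Constructed sample data (not the type-7 secrets from the Cisco example).
SHARED = b"constructed-tunnel-secret"
LAC_TABLE = {b"lns": SHARED}     # what sp_lac knows about its LNS peer
LNS_TABLE = {b"sp_lac": SHARED}  # what lns knows about its LAC peer
C_LAC = bytes(range(16))         # would be os.urandom(16) on a real LAC
C_LNS = bytes(range(16, 32))     # would be os.urandom(16) on a real LNS
```

A peer that is missing from the table or presents a response computed with a different secret is rejected before any PPP session can be carried, which is exactly the per-peer tunnel authorization the post describes.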
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sun Jun 19, 2005 9:20 am

http://www.mikrotik.com/docs/ros/2.8/interface/l2tp

You set up authentication through PPP: open PPP up and create a new secret for the L2TP service.

/ppp secret add ...
 
tneumann
Member
Topic Author
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jun 19, 2005 11:28 am

wildbill442,

thanks for the pointer. I've read that part of the documentation, but I am still not sure how this will help me.
The scenario shown in the docs at http://www.mikrotik.com/docs/ros/2.8/interface/l2tp uses L2TP to implement a simple, single point-to-point tunnel.

Basically you could have just as well used PPTP or maybe IPsec for this instead of L2TP.

But that is not the kind of tunnel I'd like to set up. See this diagram to understand what I'm trying to do:

Image

In this setup the left hand MikroTik router (MT1) will act as an access point accepting
incoming PPPoE connections from WLAN clients (unlike in the picture there could be
more than one simultaneously), but instead of terminating and routing
them itself I want MT1 to forward all the PPPoE sessions through the L2TP tunnel to
MT2, where the PPP session will be terminated. For the PPPoE client it would look like
it has a direct PPP connection with MT2, and MT2 does PPP authentication for the client,
provides a client IP address from a pool and connects the client to the internet.

This is the typical PPP wholesale setup used between access providers and ISPs all over
the world, but I believe the documentation page you pointed out implements something
different, doesn't it?

--Tom
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sun Jun 19, 2005 5:41 pm

I've looked into it about 6 months ago.
You can't really accomplish this kind of setup with RouterOS as it is now.
Which is a shame, I'd jump at doing this. That is, if they implement it right and forward the PPP frames properly.
But why would you want to use something that AFAIK can't transport the L2TP packets over without reducing MTU for tunneled traffic?
 
tneumann
Member
Topic Author
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jun 19, 2005 7:06 pm

But why would you want to use something that AFAIK can't transport the L2TP packets over without reducing MTU for tunneled traffic?
Because everyone and their horse are shoving this up my behind :shock:

Like I said it's just the way the access provider wholesale industry interconnects.
If I want to play with them, I have to play by the rules.

Relating to the very simple setup I outlined in my previous post I agree that I'd have
a ton of alternatives to make this work, like directly connecting MT1 and MT2
on layer 2, or use an EoIP tunnel to accomplish this and run the PPPoE AC on MT2, whatever.

What I described was just a very simple test setup I came up with. In reality there would
also be large numbers of PPPoE connections being delivered from DSL access providers to
me etc., and these guys only deliver via L2TP in the way I described.

--Tom
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sun Jun 19, 2005 9:56 pm

Couldn't you just create the L2TP tunnel, then create a bridge interface, and add the wireless AP interface and the L2TP interface to the bridge?

The documentation I pointed you to simply shows how an L2TP tunnel is created and how authentication is established for the tunnel, which I thought was what you were asking.

-bill
 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Sun Jun 19, 2005 10:10 pm

Can't bridge L3 only interfaces AFAIK.
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sun Jun 19, 2005 10:43 pm

Can't bridge L3 only interfaces AFAIK.
yeah, bad suggestion... the packets should be forwarded over the L2TP connection...
 
tneumann
Member
Topic Author
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jun 19, 2005 11:42 pm

Unfortunately, I think you might have to go for one of the big boys toys.
Unless you can live with doing hacks which will probably cost you more than getting the right gear in the first place. Or the people at MikroTik implement it. *hint* *hint*
I'm not having a huge problem with this because we already do have the necessary
big boys toys (like Redback SMS and Juniper) in place, at least as LNS, but it would be
really nice to use MikroTik on the LAC side (mainly with wireless) in a way that is compatible
with the big boys toys on the LNS side, and to at least have the possibility to replace
one of those high-end LNS with a MikroTik router in worst case hardware outage situations.

Being able to use a MikroTik device as wireless access point and LAC compatible with the
Redback and Juniper L2TP stuff would be a real plus as it would enable us to extend the very
same subscriber infrastructure that is already in place (on the LNS side) for PPPoE-over-DSL
and old-style PPP dialup over POTS and ISDN to wireless. And, as I said, if RouterOS could handle
the LNS side of things really well one might even be able to reduce the number of
Redback/Juniper/Cisco LNS devices and use MikroTik instead for a new POP.

--Tom
 
spok
newbie
Posts: 48
Joined: Wed Mar 02, 2005 5:16 am
Location: Serbia

Tue Jun 21, 2005 11:27 pm

I have a problem setting up MT to be an LNS.
I want PPP dialup over ISDN to connect to MT.
A virtual POP (LAC) sends me L2TP tunnels to my MT.

Please help me..
 
tully
MikroTik Support
Posts: 505
Joined: Fri May 28, 2004 11:07 am

Wed Jun 22, 2005 11:42 am

We have looked at this over time, but we needed to complete some base ppp support. We don't have any 'big iron' stuff here to test with. We do have some small Ciscos and we have some more coming for compatibility test and such. Do you know if the small Ciscos will support the LNS features???

Or any suggestions on how we can test such support if we make it.

John
 
spok
newbie
Posts: 48
Joined: Wed Mar 02, 2005 5:16 am
Location: Serbia

Wed Jun 22, 2005 1:36 pm

# Cisco 1600 series
# Cisco 1720 VPN Access Router
# Cisco 2500 series
# Cisco 2600
