wkm001
just joined
Topic Author
Posts: 15
Joined: Thu Mar 03, 2005 12:04 am
Location: Salem Virginia

L2TP Server

Thu Aug 25, 2005 12:16 am

I have followed the instructions below. Now how do I get a win2k box to connect to it? Do I need to configure stuff in the /ip ipsec area? Should I be using something else? I'm trying to use a client PC and have it connect to a Tik box that will form a secure connection to the LAN side of the Tik box.

Casey

Connecting a Remote Client via L2TP Tunnel
The following example shows how to connect a computer to a remote office network over an L2TP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Please consult the respective manual on how to set up an L2TP client with the software you are using.



The router in this example:

[RemoteOffice]

Interface ToInternet 192.168.81.1/24

Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the L2TP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes=""

[admin@RemoteOffice] ppp secret>
Then the user should be added in the L2TP server list:

[admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface l2tp-server>
And the server must be enabled:

[admin@RemoteOffice] interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface l2tp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Aug 25, 2005 10:19 am

AFAIK, Windows uses IPsec as the means of L2TP tunnel protection. You can either disable IPsec for L2TP on the W2K box (some obscure registry key, ask Google) or enable RouterOS to use IPsec for this too. The fastest way to do so would be to issue the following command:
/ip ipsec peer add address=<W2K machine IP address> secret=<IPsec secret you have configured on W2K box> generate-policy=yes
And of course, you should know how to configure IPsec on the Windows side :wink:
Everyone has the right to life, liberty and security of person.
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Aug 25, 2005 7:50 pm

NAT traversal isn't supported on the MT L2TP server (unless I've missed something on 2.9).

With this in mind, PPTP has a better chance of working.

Regards

Andrew
 
normis
MikroTik Support
Posts: 24493
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Aug 26, 2005 8:57 am

> NAT traversal isn't supported on the MT L2TP server (unless I've missed something on 2.9).

There is nothing to support; L2TP is NAT friendly by its nature. It is not like PPTP, so your comment is not true.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Fri Aug 26, 2005 9:37 am

> there is nothing to support, l2tp is NAT friendly by it's nature. it is not like pptp. so your comment is not true.

L2TP is NAT friendly, yes, but once it gets encapsulated inside IPsec, and that's what Andrew is talking about, you'd have to argue about the NAT friendliness of IPsec ...

--Tom
 
normis
MikroTik Support
Posts: 24493
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Aug 26, 2005 9:41 am

You are not forced to use IPsec.
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Fri Aug 26, 2005 10:48 am

While you're not forced to use IPsec for technical reasons, to disable it you need to alter a registry key on all client PCs. This will break all other IPsec traffic on that PC. Hence my preference for PPTP until MT supports NAT-T. It's a lot less trouble.

Regards

Andrew
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Fri Aug 26, 2005 1:31 pm

> Hence my preference for PPTP until MT support NAT-T. It's a lot less trouble.

For completeness, let's just mention that client-side PPTP isn't exactly NAT friendly either. If the PPTP client is located behind a NAT device, that device needs to have special support for PPTP in its NAT code when more than one PPTP client needs to go through the NAT device concurrently.

Most very cheap DSL/Cable NAT-routers for the home user market have problems with this - most of their NAT implementations are so broken, they can suck black holes through nano-tubes :?
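The NAT-friendliness argument running through the replies above (plain L2TP passes NAT, IPsec without NAT-T does not, and PPTP's GRE data channel needs a NAT with PPTP-specific support once two clients share one NAT) comes down to whether the NAT has a per-client field to demultiplex on. The toy NAT below is an added example written for this thread, not RouterOS, Windows or any NAT vendor's code. The addresses, the `ToyNat` class, its `pptp_alg` switch and the `demo()` function are all constructed for illustration. It models a NAT with no ESP helper, so it ignores SPIs, as many cheap consumer routers of that era did.

```python
"""Toy NAT model: UDP-carried tunnels (L2TP on UDP/1701, IPsec with NAT-T on
UDP/4500) get one port mapping per client; port-less protocols (raw ESP,
PPTP's GRE data channel) leave the NAT nothing to key on unless it runs a
protocol helper.  Constructed example for this thread; not vendor code."""
from dataclasses import dataclass, replace
from typing import Optional

Host = str


@dataclass(frozen=True)
class Packet:
    proto: str                     # "udp", "esp" or "gre"
    src: Host
    dst: Host
    sport: Optional[int] = None    # UDP only
    dport: Optional[int] = None    # UDP only
    call_id: Optional[int] = None  # GRE key field: call ID of the *receiver*


class ToyNat:
    """Address/port translator, optionally with a PPTP ALG that learns call
    IDs from the PPTP control channel (TCP/1723) and rewrites them."""

    def __init__(self, public_ip: Host, pptp_alg: bool = False):
        self.public_ip = public_ip
        self.pptp_alg = pptp_alg
        self.table = {}          # outside key -> (inside host, port or call ID)
        self.next_port = 40000   # constructed port/call-ID pools
        self.next_call = 60000

    # Outbound: client behind the NAT -> server on the Internet.
    def outbound(self, p: Packet) -> Packet:
        if p.proto == "udp":
            port, self.next_port = self.next_port, self.next_port + 1
            # The reply will arrive as (server, server_port) -> (public_ip, port).
            self.table[("udp", p.dst, p.dport, port)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=port)
        if p.proto == "gre" and self.pptp_alg:
            return replace(p, src=self.public_ip)   # mapping made by pptp_call()
        if p.proto in ("esp", "gre"):
            # No port to rewrite: later the NAT can only key on the server
            # address, so the newest client silently takes over the mapping.
            self.table[(p.proto, p.dst)] = (p.src, None)
            return replace(p, src=self.public_ip)
        raise ValueError(f"unsupported protocol {p.proto}")

    def pptp_call(self, client: Host, server: Host, client_call_id: int) -> int:
        """Model the ALG seeing an Outgoing-Call-Request on TCP/1723.
        Returns the call ID the server will be told to use towards us."""
        if not self.pptp_alg:
            self.table[("gre", server)] = (client, None)   # last writer wins
            return client_call_id
        outside, self.next_call = self.next_call, self.next_call + 1
        self.table[("gre", server, outside)] = (client, client_call_id)
        return outside

    # Inbound: server reply -> which inside host does it reach?
    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "udp":
            hit = self.table.get(("udp", p.src, p.sport, p.dport))
            return None if hit is None else replace(p, dst=hit[0], dport=hit[1])
        if p.proto == "gre" and self.pptp_alg:
            hit = self.table.get(("gre", p.src, p.call_id))
            return None if hit is None else replace(p, dst=hit[0], call_id=hit[1])
        hit = self.table.get((p.proto, p.src))
        return None if hit is None else replace(p, dst=hit[0])


def demo(pptp_alg: bool) -> dict:
    """Two clients behind one NAT reach the same VPN server over each
    transport; returns which inside host each server reply lands on."""
    nat = ToyNat("203.0.113.5", pptp_alg=pptp_alg)   # constructed addresses
    server, a, b = "198.51.100.10", "10.0.0.1", "10.0.0.2"
    pub = nat.public_ip
    result = {}

    def udp_case(port: int):
        pa = nat.outbound(Packet("udp", a, server, sport=port, dport=port))
        pb = nat.outbound(Packet("udp", b, server, sport=port, dport=port))
        ra = nat.inbound(Packet("udp", server, pub, sport=port, dport=pa.sport))
        rb = nat.inbound(Packet("udp", server, pub, sport=port, dport=pb.sport))
        return (ra.dst, rb.dst)

    result["l2tp_udp"] = udp_case(1701)     # plain L2TP, no IPsec
    result["ipsec_natt"] = udp_case(4500)   # ESP encapsulated in UDP (NAT-T)

    nat.outbound(Packet("esp", a, server))  # raw ESP, IP protocol 50
    nat.outbound(Packet("esp", b, server))
    r = nat.inbound(Packet("esp", server, pub))   # replies to a and b look alike
    result["esp_raw"] = (r.dst, r.dst)

    ca = nat.pptp_call(a, server, client_call_id=1)   # both clients picked ID 1
    cb = nat.pptp_call(b, server, client_call_id=1)
    ra = nat.inbound(Packet("gre", server, pub, call_id=ca))
    rb = nat.inbound(Packet("gre", server, pub, call_id=cb))
    result["pptp_gre"] = (ra.dst, rb.dst)
    return result


if __name__ == "__main__":
    print("NAT without PPTP helper:", demo(False))
    print("NAT with PPTP helper:   ", demo(True))
```

Run it and the UDP cases deliver each reply to the right client in both modes, raw ESP hands every reply to whichever client connected last, and GRE does the same until the PPTP helper is switched on. That is the whole of the thread's disagreement in one table: L2TP itself is fine through NAT, L2TP wrapped in ESP needs NAT-T (UDP/4500) on both ends, and PPTP depends on the NAT box doing something PPTP-specific.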
