L2TP Server

Posted: Thu Aug 25, 2005 12:16 am
by wkm001
I have followed the instructions below. Now how do I get a win2k box to connect to it? Do I need to configure stuff in the /ip ipsec area? Should I be using something else? I'm trying to use a client PC and have it connect to a Tik box that will form a secure connection to the LAN side of the Tik box.

Casey

Connecting a Remote Client via L2TP Tunnel
The following example shows how to connect a computer to a remote office network over an L2TP encrypted tunnel, giving that computer an IP address from the same network as the remote office has (without the need of bridging over EoIP tunnels).

Please consult the respective manual on how to set up an L2TP client with the software you are using.



The router in this example:

[RemoteOffice]

Interface ToInternet 192.168.81.1/24

Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the L2TP server a user must be set up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""

[admin@RemoteOffice] ppp secret>
Then the user should be added in the L2TP server list:

[admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface l2tp-server>
And the server must be enabled:

[admin@RemoteOffice] interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface l2tp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
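As an added defender-side check (example code written for this thread, not part of the quoted manual or of RouterOS), the Python below parses the three RouterOS print outputs quoted above and flags settings worth fixing before the server faces the Internet; the 12-character password threshold, the interface name and the office subnet are assumptions passed in as parameters.

```python
import re
import ipaddress
# Constructed sample output mirroring the RouterOS 2.9 session quoted above.
PPP_SECRET_DETAIL = """Flags: X - disabled
0 name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""
"""
L2TP_SERVER_PRINT = "enabled: yes\nmtu: 1460\nauthentication: mschap2\ndefault-profile: default\n"
ETHERNET_PRINT = """# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
"""

def parse_secrets(text):
    """'print detail' entries start with an index; continuation lines add more
    key=value pairs (note RouterOS prints the empty route list as routes=="")."""
    entries = []
    for line in text.splitlines():
        if re.match(r"^\d+\s", line):
            entries.append({})
        if entries:
            entries[-1].update(re.findall(r'([\w-]+)=+"?([^"\s]*)"?', line))
    return entries

def parse_keyvals(text):
    """Single-item 'key: value' output, e.g. the l2tp-server server settings."""
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def parse_arp(text):
    """Ethernet rows: index, optional flags, NAME, MTU, MAC, ARP -> {NAME: ARP}."""
    rows = [l.split() for l in text.splitlines() if re.match(r"^\d+\s", l)]
    return {t[-4]: t[-1] for t in rows}

def audit(secrets_text, server_text, eth_text, office_iface, office_net):
    """Findings a defender wants fixed before exposing the server to the Internet."""
    net, findings = ipaddress.ip_network(office_net), []
    server = parse_keyvals(server_text)
    if server.get("enabled") != "yes":
        findings.append("l2tp server not enabled")
    weak = set(server.get("authentication", "").split(",")) - {"mschap2"}
    if weak:  # pap/chap/mschap1 put the password or a weak hash on the wire
        findings.append("weak ppp authentication allowed: " + ",".join(sorted(weak)))
    if parse_arp(eth_text).get(office_iface) != "proxy-arp":
        findings.append(f"{office_iface}: arp is not proxy-arp, clients will not reach the LAN")
    for s in parse_secrets(secrets_text):
        if ipaddress.ip_address(s["remote-address"]) not in net:
            findings.append(f"secret {s['name']}: remote-address {s['remote-address']} outside {office_net}")
        if len(s.get("password", "")) < 12:  # ppp secrets are stored and printed in clear text
            findings.append(f"secret {s['name']}: password shorter than 12 characters")
    return findings
```

Run `audit(PPP_SECRET_DETAIL, L2TP_SERVER_PRINT, ETHERNET_PRINT, "Office", "10.150.1.0/24")` to see the one finding the quoted configuration produces (the short password); the parsers accept the same output pasted from a real session.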

Posted: Thu Aug 25, 2005 10:19 am
by Eugene
AFAIK, windows uses IPsec for means of L2TP tunnel protection. You can either disable IPsec for L2TP on W2K box (some obscure registry key, ask Google) or enable RouterOS to use IPsec for this too. The fastest way to do so would be to issue the following command:
/ip ipsec peer add address=<W2K machine IP address> secret=<IPsec secret you have configured on W2K box> generate-policy=yes
And of course, you should know how to configure IPsec on Windows side :wink:

Posted: Thu Aug 25, 2005 7:50 pm
by andrewluck
NAT traversal isn't supported on the MT L2TP server (unless I've missed something on 2.9).

With this in mind, PPTP has a better chance of working.

Regards

Andrew

Posted: Fri Aug 26, 2005 8:57 am
by normis
NAT traversal isn't supported on the MT L2TP server (unless I've missed something on 2.9). 
There is nothing to support; L2TP is NAT friendly by its nature. It is not like PPTP, so your comment is not true.

Posted: Fri Aug 26, 2005 9:37 am
by tneumann
there is nothing to support, l2tp is NAT friendly by it's nature. it is not like pptp. so your comment is not true.
L2TP is NAT friendly, yes, but once it gets encapsulated inside IPsec, and that's what Andrew is talking about,
you'd have to argue about the NAT friendliness of IPsec ...

--Tom

Posted: Fri Aug 26, 2005 9:41 am
by normis
you are not forced to use ipsec

Posted: Fri Aug 26, 2005 10:48 am
by andrewluck
While you're not forced to use IPSEC for technical reasons, to disable it you need to alter a registry key on all client PCs. This will break all other IPSEC traffic on that PC. Hence my preference for PPTP until MT support NAT-T. It's a lot less trouble.

Regards

Andrew

Posted: Fri Aug 26, 2005 1:31 pm
by tneumann
Hence my preference for PPTP until MT support NAT-T. It's a lot less trouble.
For completeness, let's just mention that client-side PPTP isn't exactly NAT friendly either. If the PPTP client is located behind a NAT device, that device needs to have special support for PPTP in its NAT code when more than one PPTP client needs to go through the NAT device concurrently.

Most very cheap DSL/Cable NAT-routers for the home user market have problems with this - most of their NAT implementations are so broken, they can suck black holes through nano-tubes :?