changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

ppp source interface

Thu Jul 27, 2006 12:50 am

Is there any way to have the ppp server interfaces (pptp, l2tp, etc.) always use the same IP as their source address? I know mangling and policy routing can take care of it, but it seems like when a connection is made to the MT ppp server it should bind itself to the same IP for the entire conversation. With 2 connections to the internet the tunnel will keep going down because MT keeps flip-flopping its source address, even though the endpoint is only connecting to a single WAN IP on a single interface.

Sam
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Thu Jul 27, 2006 8:38 pm

With routing-test, you can use "set-prefsrc=" on the dynamic-in, connected-in, and any routing protocol "in" chains.

--Eric
 
changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Thu Jul 27, 2006 8:46 pm

Which route would I filter and modify the pref-src? The l2tp server profile addresses are both 10.x addresses; what I need is to use the same public IP for that tunnel endpoint. So you're somewhat right: I need to set the pref-src for the l2tp server connection, not the privates being routed through the tunnel.

Sam
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Thu Jul 27, 2006 10:13 pm

"Which route would I filter and modify the pref-src?"
Whichever route is followed to reach the other tunnel end point (maybe the default).

Perhaps a src-nat rule could be used for the same purpose; I don't know if it would actually work, or just confuse things even more, though.

--Eric
 
changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue Aug 08, 2006 3:15 am

Okay, I'm back to this problem and can't seem to make anything work, except for setting static routes to the destination.

An overview of what I'm trying to accomplish:

[Image omitted: network diagram of the dual-gateway setup]

Basically it's a MikroTik with dual gateways, using ECMP and allowing L2TP/PPTP connections from outside. The tunnel drops and reconnects every time ECMP gives the tunnel endpoint a different route. The replies from MikroTik to the l2tp-client come from the alternate gateway address, therefore breaking the security and tearing down the tunnel. I believe this happens for l2tp / ipsec solely because udp/1701 is not connection-tracked for very long, therefore the connection table times out and takes the next gateway choice. PPTP might not have this problem because it's TCP/GRE and in the table longer.

It would be best to tell clients to use 10.30.1.1 as their tunnel endpoint so that they get the redundancy of both connections coming in. I want the response packets to come from 10.30.1.1 but go out either gateway. Simple NAT usually takes care of this, however since MT is generating the tunnel and you can't NAT output I can't accomplish this. Who knows if that option would even work.

How can I tell Mikrotik to bind its ppp/l2tp/pptp server to a specific IP so that I can force it to use a single IP? I can't be entering static routes for a single gateway for each remote destination, especially if they are dynamic addresses.

The SOLUTION is to force RouterOS to use the same source IP throughout the tunnel lifetime... not sure how easy that is to implement though.

Thx all
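The "mangling and policy routing" workaround mentioned earlier in the thread, written out as an added example (it is not from this thread or from MikroTik's own documentation). It assumes RouterOS v6 syntax, two constructed WAN interfaces ether1-wan1 / ether2-wan2 with gateways 203.0.113.1 / 198.51.100.1 (documentation address ranges, not real), and L2TP clients connecting to the address on whichever WAN interface they reach. The first block is the plain ECMP setup that produces the flapping; the second pins the router's own replies to the WAN the connection arrived on.

```routeros
# Added example, not from this thread. Assumed names/addresses:
# ether1-wan1 -> 203.0.113.1, ether2-wan2 -> 198.51.100.1 (constructed).

# --- Weak setting: plain ECMP default route. The router's own L2TP/PPTP
# replies are spread over both gateways, so the source address the client
# sees can change mid-tunnel. ---
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1,198.51.100.1

# --- Corrected setting: remember which WAN a connection to the router
# arrived on and send the replies for that connection back out the same
# WAN, regardless of what ECMP would pick. ---
/ip firewall mangle
# Tag new connections destined for the router itself by ingress interface.
add chain=input in-interface=ether1-wan1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=input in-interface=ether2-wan2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
# Locally generated replies carry the connection mark; convert it into a
# routing mark so they are looked up in a per-WAN route table.
add chain=output connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=yes
add chain=output connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=yes

/ip route
# Per-WAN tables, consulted only for packets carrying the routing mark.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_wan1 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_wan2 \
    check-gateway=ping
# Unmarked traffic keeps load-balancing over both gateways.
add dst-address=0.0.0.0/0 gateway=203.0.113.1,198.51.100.1 \
    check-gateway=ping

# The marks live only as long as the tracked connection. L2TP runs over
# UDP/1701, so if idle UDP entries are dropped before the tunnel's next
# keepalive the mark is lost and ECMP takes over again. These values are
# an assumption; tune them against the tunnel's real keepalive interval.
/ip firewall connection tracking
set udp-timeout=30s udp-stream-timeout=5m
```

A quick check after applying it: /ip firewall connection print should show the L2TP entry with its wan1_conn or wan2_conn mark, and /tool torch on each WAN should show the tunnel replies leaving only the interface the client connected to. This keeps replies on the address the client actually contacted; it does not make a loopback address such as 10.30.1.1 reachable from outside, which is a separate routing question. On RouterOS v7 the routing marks must first be declared with /routing table add name=to_wan1 fib (and likewise to_wan2).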
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Aug 08, 2006 12:30 pm

PPTP should do this already, not sure about L2TP, though. You should send us a support-output file in case of such problems.
 
changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue Aug 08, 2006 7:24 pm

pptp and l2tp use the src-address of the outgoing interface, and if using multiple interfaces this changes in the middle of a tunnel conversation and tears it down. I just tested with pptp and it has similar problems. We need a setting similar to ipsec (SA-SRC-ADDRESS) that allows setting the tunnel to a specific source: loopback, internal interface, etc. pptp is a little better for the fact it's in the connection table longer and ecmp plays nice; however, you cannot connect to 10.30.1.1 (or an IP on a loopback) because the response does not come from that IP.

Please add pref-src or tunnel-src-address to the ppp tunnel adapters, or something similar to accomplish the same. I assume if the l2tp/pptp server listens on all IP addresses it should simply take the local IP connected to and use that throughout the conversation. Supout was taken and if you want it I will email it... although I don't think it's a config problem.

Thx,
Sam
