Hi Mike,

The 'Tunnel' is authenticated via CHAP. Once the Tunnel is up, the users then authenticate via whatever mechanism is configured. L2TPNS had no issues achieving compatibility and it's an open source program if they "needed inspiration". It looks like even RP-L2TP (2004!) could specify a tunnel secret.
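For readers who have not seen what "the tunnel is authenticated via CHAP" means on the wire, here is a small worked model of the L2TP control-connection authentication from RFC 2661 (Challenge and Challenge Response AVPs in the SCCRQ/SCCRP/SCCCN exchange). It is example code written for this thread, not code from RouterOS, Cisco, L2TPNS or RP-L2TP; the endpoint class, the `establish_tunnel` helper and the secrets are constructed for illustration. The response value is the CHAP computation MD5(ID || secret || challenge), where ID is the one-byte Message Type of the message carrying the response (2 for SCCRP, 3 for SCCCN).

```python
"""Model of L2TP tunnel (control-connection) authentication, RFC 2661.

Both ends share a tunnel secret. The LAC challenges the LNS in SCCRQ, the LNS
answers in SCCRP (ID = 2) and challenges back, and the LAC answers in SCCCN
(ID = 3). Example code for this thread; not a vendor implementation.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # control message types used during tunnel setup


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """Minimal state for one side (LAC or LNS) of the three-way exchange."""

    def __init__(self, name: str, secret: bytes, rng=os.urandom):
        self.name = name
        self.secret = secret          # hypothetical shared tunnel secret
        self.rng = rng
        self.my_challenge = b""       # challenge we sent; the peer must answer it
        self.authenticated = False

    def new_challenge(self) -> bytes:
        """Fresh random Challenge AVP value (16 bytes here; length is free-form)."""
        self.my_challenge = self.rng(16)
        return self.my_challenge

    def check(self, msg_type: int, response: bytes) -> bool:
        """Verify the peer's Challenge Response against our own challenge."""
        expected = challenge_response(msg_type, self.secret, self.my_challenge)
        # constant-time compare so a wrong secret is not distinguishable by timing
        self.authenticated = hmac.compare_digest(expected, response)
        return self.authenticated


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Run SCCRQ/SCCRP/SCCCN; True only if both sides accept each other."""
    # 1. LAC -> LNS: SCCRQ carrying a Challenge AVP
    lac_chal = lac.new_challenge()
    # 2. LNS -> LAC: SCCRP with Challenge Response (ID = 2) and its own Challenge
    sccrp_resp = challenge_response(SCCRP, lns.secret, lac_chal)
    lns_chal = lns.new_challenge()
    if not lac.check(SCCRP, sccrp_resp):
        return False  # a real stack would send StopCCN and drop the tunnel here
    # 3. LAC -> LNS: SCCCN with Challenge Response (ID = 3)
    scccn_resp = challenge_response(SCCCN, lac.secret, lns_chal)
    return lns.check(SCCCN, scccn_resp)


def demo() -> dict:
    """Matching secrets bring the tunnel up; a mismatch fails at the SCCRP step."""
    good = establish_tunnel(TunnelEndpoint("lac", b"tunnel-secret"),
                            TunnelEndpoint("lns", b"tunnel-secret"))
    bad = establish_tunnel(TunnelEndpoint("lac", b"tunnel-secret"),
                           TunnelEndpoint("lns", b"wrong-secret"))
    return {"matching_secret": good, "mismatched_secret": bad}


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when reading the thread with this in hand: the tunnel secret is a per-peer (LAC to LNS) credential and is entirely separate from the per-subscriber PAP/CHAP/MS-CHAP that runs inside each PPP session once the tunnel is up; and this exchange only authenticates control-connection setup, it does not protect the tunnelled data, which is what the `use-ipsec` setting in the server configuration later in the thread is for.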
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of mike@duxtel.com
Sent: Monday, 9 March 2015 10:48 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] MikroTik LNS config
That's right! :-)
Cisco supports two modes of L2TP tunnel auth: 'host based' (I believe this is either the default mode, else considered 'industry standard' by many) and 'user based', which is the only method supported by RouterOS.
I have had some discussion with MT team about this, seeking implementation of 'host based' authentication mode with RouterOS, but (although they did not say it precisely) my understanding of the situation is that it is a Cisco proprietary mode and would require some modification of core Linux kernel code, which is unlikely to happen any time soon.
Therefore, the only two options are as per my previous comment on this topic: either convince the other end to use user-based auth, or use a 'cheap' Cisco router to terminate the tunnel and bridge it to an Ethernet segment ;)
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 March 2015 4:57 AM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Paul, from the reading I've done (I'm about to set up the same way as Nick is doing, just waiting for him to get it working ;) ), the incompatibility is that MT doesn't support L2TP tunnel authentication - so provided you can disable tunnel auth from the LAC end, it is supposed to work :)
On 8 March 2015 at 21:02, Paul Julian <paul@oxygennetworks.com.au> wrote:
Interesting Tim, I always thought there was some incompatibility which stopped you from using a MT box as an LNS with a Cisco LAC. Happy to be proven wrong, as I would love to see this working; it would be a very cost effective LNS, especially as I am about to upgrade my Cisco LNS.....

Regards
Paul
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Sunday, 8 March 2015 8:42 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Hi Nick,
That's not quite how it works on MikroTik.
1. Remove the l2tp-server interface binding.
2. Then click the L2TP-Server button in PPP.
3. Check the box [X] Enabled.
4. Then set your default profile.
5. Then disable MSCHAPX.

That should sort your problem.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Nick Pratley
Sent: Sunday, 8 March 2015 8:52 AM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Thanks Tim,
There is a VLAN and a /30 between myself & the provider, BGP established over that link, and they send all traffic from their loopback IP over to my side of the /30.
Was only a few changes away to get to that - but it still doesn't work, or I have completely missed something.
The remote-address in the secret should be what I want the DSL tail to get from the server, correct?
This is what I have so far, if it helps:

/ppp profile
name="default-l2tp" local-address=x.x.x.27 remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=no use-compression=no use-vj-compression=no use-encryption=no only-one=default change-tcp-mss=yes address-list="" dns-server=8.8.8.8

/ppp secret
name="nick@domain.com" service=l2tp caller-id="nick@domain.com" password="hidden" profile=default-l2tp remote-address=192.168.10.100 routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00

/interface l2tp-server
name="l2tp-in1" user=""

/interface l2tp-server server
          enabled: yes
          max-mtu: 1500
          max-mru: 1500
             mrru: 1600
   authentication: pap,chap
keepalive-timeout: 30
  default-profile: default-l2tp
        use-ipsec: no
     ipsec-secret:

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder