On 8 Mar 2015, at 12:06 am, Nick Pratley <nick.pratley@serversaustralia.com.au> wrote:
Hey all,
Having a few issues getting an LNS session working! Anyone got this working with a Cisco LAC?
Provider removed the tunnel password from when I was running a Cisco as the LNS - but for the life of me I cannot get it to authenticate the sessions.
Torching the interface, I can see from the provider's LAC the l2tp requests coming in to me when I start the session.
I've read all forum posts on the 7 pages that a Google search returns - but everyone has confirmed they are able to complete the task without posting any configs.
So far, I have
* L2TP Server Binding
* PPP Secret with user@domain.com and password
* L2TP profile with local & remote address
From what I have read - that's all that is needed - but it's not working. Unfortunately there is nothing in the logs either.
Hoping someone who has set this up can spare 10 minutes and give me a hand :-)
Cheers
Nick

I didn't think RouterOS would support acting as an LNS. Interested to see if you get it working.
Matt
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

It definitely works. There's a few gotchas but like making sure your SP doesn't require the use of a loop interface etc etc.
I'd try a custom L2TP profile with a local address, empty remote address. Make sure every option is no (mpls/ipv6/encryption etc etc). pap/chap authentication on the l2tp server. Put your remote address in the ppp secret.
That should be enough to get you going.
If you are stuck and need a hand - sing out, I'm happy to help out.
-Tim.

On 8 Mar 2015, at 9:48 am, "Nick Pratley" <nick.pratley@serversaustralia.com.au> wrote:
Thanks Tim,
There is a VLAN and a /30 between myself & the provider, BGP established over that link and they send all traffic from their loopback IP over to my side of the /30.
Was only a few changes away to get to that - but it still doesn't work or I have completely missed something.
The remote-address in the secret should be what I want the DSL tail to get from the server, correct?
This is what I have so far if it helps
/ppp profile name="default-l2tp" local-address=x.x.x.27 remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=no use-compression=no use-vj-compression=no use-encryption=no only-one=default change-tcp-mss=yes address-list="" dns-server=8.8.8.8
/ppp secret name="nick@domain.com" service=l2tp caller-id="nick@domain.com" password="hidden" profile=default-l2tp remote-address=192.168.10.100 routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00
/interface l2tp-server name="l2tp-in1" user=""
/interface l2tp-server
    enabled: yes
    max-mtu: 1500
    max-mru: 1500
    mrru: 1600
    authentication: pap,chap
    keepalive-timeout: 30
    default-profile: default-l2tp
    use-ipsec: no
    ipsec-secret:

Hi Nick,
I'm pretty sure you can't do lns with Cisco lac and MikroTik, I think it's to do with dynamic interfaces through an l2tp tunnel or something
Regards
Paul
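
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Sunday, 8 March 2015 8:42 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Hi Nick,
That's not quite how it works on MikroTik.
Remove l2tp-server interface binding.
Then click L2TP-Server button in PPP.
Check the box [X] Enabled
Then set your default profile.
Then disable MSCHAPX.
That should sort your problem.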
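
The checklist from Tim's two replies, as an added example that is not part of any poster's message: a Python check that parses RouterOS-style print output and reports which items fail, run here over a constructed copy of the settings Nick posted. The finding codes, the parsing rules and the line-broken sample are assumptions made for this example, and "MSCHAPX" is read as any method other than pap and chap.

```python
import re

# Constructed sample: the settings Nick posted earlier in the thread, put back
# on separate lines per menu (byte counters and last-logged-out omitted).
POSTED_CONFIG = """
/ppp profile
name="default-l2tp" local-address=x.x.x.27 use-ipv6=no use-mpls=no
use-compression=no use-vj-compression=no use-encryption=no dns-server=8.8.8.8
/ppp secret
name="nick@domain.com" service=l2tp password="hidden" profile=default-l2tp
remote-address=192.168.10.100
/interface l2tp-server
name="l2tp-in1" user=""
/interface l2tp-server
enabled: yes max-mtu: 1500 max-mru: 1500 mrru: 1600 authentication: pap,chap
keepalive-timeout: 30 default-profile: default-l2tp use-ipsec: no ipsec-secret:
"""

EQ_PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')               # key=value
COLON_PAIR = re.compile(r'([\w-]+):[ \t]*([^\s:]*)(?=\s|$)')  # key: value
PROFILE_OPTS = ("use-ipv6", "use-mpls", "use-compression",
                "use-vj-compression", "use-encryption")
ALLOWED_AUTH = {"pap", "chap"}


def parse_sections(text):
    """Split a paste into [(menu, {key: value})], one entry per '/menu' line."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            sections.append((line, {}))
        elif sections:
            # Item listings use key=value; the server settings use "key: value".
            pattern = EQ_PAIR if "=" in line else COLON_PAIR
            for key, value in pattern.findall(line):
                sections[-1][1][key] = value.strip('"')
    return sections


def audit(sections):
    """Return [(code, detail)] for every checklist item the paste fails."""
    findings = []
    profiles = {kv.get("name") for menu, kv in sections if menu == "/ppp profile"}
    for menu, kv in sections:
        if menu == "/ppp profile":
            if not kv.get("local-address"):
                findings.append(("profile-local-address", "no local-address set"))
            if kv.get("remote-address"):
                findings.append(("profile-remote-address",
                                 "leave empty; the address goes in the secret"))
            for opt in PROFILE_OPTS:
                if kv.get(opt, "default") != "no":
                    findings.append(("profile-option", opt))
        elif menu == "/ppp secret":
            if not kv.get("remote-address"):
                findings.append(("secret-remote-address", kv.get("name", "")))
        elif menu.startswith("/interface l2tp-server"):
            if "name" in kv:  # a static binding entry rather than the settings
                findings.append(("static-binding", kv["name"]))
            if "enabled" in kv:
                if kv["enabled"] != "yes":
                    findings.append(("server-disabled", kv["enabled"]))
                if kv.get("default-profile") not in profiles:
                    findings.append(("default-profile",
                                     kv.get("default-profile", "")))
                methods = set(filter(None,
                                     kv.get("authentication", "").split(",")))
                for method in sorted(methods - ALLOWED_AUTH):
                    findings.append(("auth-method", method))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_sections(POSTED_CONFIG)):
        print(code, detail)
```

On the constructed sample the only finding is the static binding l2tp-in1, the first item the reply above says to remove.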

On 8 March 2015 at 21:02, Paul Julian <paul@oxygennetworks.com.au> wrote:
Interesting Tim, I always thought there was some incompatibility which stopped you from using a MT box as an LNS with a Cisco LAC, happy to be proven wrong as I would love to see this working as it would be a very cost effective LNS especially as I am about to upgrade my Cisco LNS.....
Regards
Paul

From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 March 2015 4:57 AM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Paul, from the reading I've done (I'm about to set up the same way as Nick is doing, just waiting for him to get it working ;) ), the incompatibility is that MT doesn't support l2tp tunnel authentication - so provided you can disable tunnel auth from the LAC end, it is supposed to work :)
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder

From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Monday, 9 March 2015 6:48 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] MikroTik LNS config
Ahhh yes that's what it was, Mmm interesting, well I will hang on to the end of this thread as well, please let us all know how you go !
Regards
Paul
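
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Monday, 9 March 2015 11:22 AM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] MikroTik LNS config
Few things missing that I think are critical:
* L2TP Tunnel Authentication
* Specify Source IP/VRF support
* Max Sessions
I don't know why MT are happy with a 95% implementation - I really wish I could kickstarter or an equivalent to pay for the new features to be coded in.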

Hi Tim,
isn't it that Cisco don't do something correctly which is why MT doesn't support it properly ? I know Juniper have only just been able to get around the issues as well and only their latest JUNOS can support LNS functions with a Cisco LAC.
Regards
Paul

Hi!
It's probably not so much that MT has an 'incomplete' implementation - more like Cisco has a 'proprietary' implementation ;)
The thing is that much of RouterOS functionality is derived from core Linux kernel code - RouterOS is essentially a proprietary shell running on Linux. That is pretty much the essence of why RouterOS is usually a strictly 'open standard' approach to routing functionality ;)
Cheers!
Mike

That's right! :-)
Cisco supports two modes of l2tp tunnel auth: 'host based' (I believe this is either the default mode, else considered 'industry standard' by many) and 'user based' which is the only method supported by RouterOS.
I have had some discussion with MT team about this, seeking implementation of 'host based' authentication mode with RouterOS, but (although they did not say it precisely) my understanding of the situation is that it is a Cisco proprietary mode and would require some modification of core Linux kernel code which is unlikely to happen any time soon.
Therefore, the only two options are as per my previous comment on this topic: either convince the other end to use user-based auth, or use a 'cheap' Cisco router to terminate the tunnel and bridge it to an Ethernet segment ;)
Cheers!
Mike.
Interesting Tim, I always thought there was some incompatibility which stopped you from using a MT box as an LNS with a Cisco LAC, happy to be proven wrong as I would love to see this working as it would be a very cost effective LNS especially as I am about to upgrade my Cisco LNS.....
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock Sent: Sunday, 8 March 2015 8:42 PM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] MikroTik LNS config
Hi Nick,
That's not quite how it works on MikroTik.
Remove l2tp-server interface binding.
Then click L2TP-Server button in PPP.
Check the box [X] Enabled
Then set your default profile.
Then disable MSCHAPX.
That should sort your problem.
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Nick Pratley Sent: Sunday, 8 March 2015 8:52 AM To: MikroTik Australia Public List Subject: Re: [MT-AU Public] MikroTik LNS config
Thanks Tim,
There is a VLAN and a /30 between myself & the provider, BGP established over that link and they send all traffic from their loopback IP over to my side of the /30.
Was only a few changes away to get to that - but it still doesn't work or I have completely missed something.
The remote-address in the secret should be what I want the DSL tail to get from the server, correct?
This is what I have so far if it helps
/ppp profile name="default-l2tp" local-address=x.x.x.27 remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=no use-compression=no use-vj-compression=no use-encryption=no only-one=default change-tcp-mss=yes address-list="" dns-server=8.8.8.8
/ppp secret name="nick@domain.com" service=l2tp caller-id="nick@domain.com" password="hidden" profile=default-l2tp remote-address=192.168.10.100 routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00
/interface l2tp-server name="l2tp-in1" user=""
/interface l2tp-server
enabled: yes
max-mtu: 1500
max-mru: 1500
mrru: 1600
authentication: pap,chap
keepalive-timeout: 30
default-profile: default-l2tp
use-ipsec: no
ipsec-secret:
-- Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust rendrag@rendrag.net - http://www.rendrag.net/ -- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
Hi Mike, The 'Tunnel' is authenticated via CHAP. Once the Tunnel is up, the users then authenticate via whatever mechanism configured. L2TPNS had no issues achieving compatibility and it's an open source program if they "needed inspiration". It looks like even RP-L2TP (2004!) could specify a tunnel secret.
Hi Nick!
There are two kinds of l2tp authentication mechanisms - host based and user based. Host based auth for l2tp is not currently available in routerOS, but is the default for many (most) wholesale dsl providers.
Could that be related to your problem?
If so, there are only two ways that I know of how to solve it - one way is to convince the other end admins to use user based auth. The other way is to use a third party router (e.g Cisco) to terminate the l2tp tunnel and bridge it to a physical Ethernet interface.
Hope it helps!
Cheers, Mike
Hey Mike!
Thanks for the reply. We've set it up in the correct mode on the Cisco side, "no tunnel authentication" - his config looks like this on the LAC side - from following all the forum posts.
vpdn-group NICKPRATLEY-AGVC
 request-dialin
  protocol l2tp
  domain domain.com
 initiate-to ip x.x.x.27 priority 1 (My side of the /30)
 source-ip x.x.32.4 - (His loopback0, advertised to me via BGP)
 local name NICKPRATLEY-BROADBAND
 ip pmtu
 ip mtu adjust
The problem with a 'cheap' Cisco router, ala the 1841 that I *was* using this to complete the LNS routing passed away!
Hence trying to get it working on a fault-tolerant VM ;)
I've set it all up as per recommendations from Tim, I am seeing the auth sessions come in when torching the interface but it's not processing the requests on my side - and there is no l2tp traffic going out still :(
Regards,
Nick Pratley
Integration Manager
Hi Nick, On that vpdn-group: The keyword "no l2tp tunnel authentication" should show up. If it's not then the cisco will be trying to use a tunnel password of "cisco"*. * I can't find the cisco web page that backs this statement up.
Awesome, thanks Tim! I assumed when the password was removed it wouldn't try and auth.. I love the un-documented features (read bugs)!
New config from the provider:
vpdn-group NICKPRATLEY-AGVC
 request-dialin
  protocol l2tp
  domain domain.com
 initiate-to ip x.x.x.27 priority 1
 source-ip x.x.32.4
 local name NICKPRATLEY-BROADBAND
 no l2tp tunnel authentication
 ip pmtu
 ip mtu adjust
Still not auth-ing (getting the wife to boot the modem @ home), but when I get home I will wireshark the interface facing the provider and see what's coming in when I request a session.
Once I get this all working - I'll write a blog post on it as it appears that it's very sought after information ;)
Cheers Nick
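Added example, not part of any list member's post: L2TP tunnel authentication (RFC 2661) is a CHAP-style exchange in which the initiating side puts a Challenge AVP in its SCCRQ, so a capture of the provider-facing interface shows directly whether the LAC is still attempting tunnel auth. The Python below parses the UDP payload of an L2TPv2 control message and reports that. The sample packets, the secret and the helper names are constructed for illustration; only the `local name` string is taken from the thread.

```python
import hashlib
import struct

# AVP attribute types and message types from RFC 2661 (vendor ID 0).
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 0, 7, 11, 13
MESSAGE_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN"}


def parse_control(payload: bytes) -> dict:
    """Return {attribute_type: value} for the IETF AVPs of an L2TPv2 control message."""
    if len(payload) < 12:
        raise ValueError("shorter than an L2TP control header")
    flags, length = struct.unpack("!HH", payload[:4])
    # Control messages set the T (type), L (length) and S (sequence) bits, version 2.
    if flags & 0xC80F != 0xC802:
        raise ValueError("not an L2TPv2 control message")
    if not 12 <= length <= len(payload):
        raise ValueError("bad length field")
    avps, offset = {}, 12
    while offset < length:
        if offset + 6 > length:
            raise ValueError("truncated AVP header")
        bits, vendor, attr = struct.unpack("!HHH", payload[offset:offset + 6])
        avp_len = bits & 0x03FF  # low 10 bits; the count includes the 6-byte AVP header
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("bad AVP length")
        if vendor == 0:
            avps[attr] = payload[offset + 6:offset + avp_len]
        offset += avp_len
    return avps


def summarise(payload: bytes) -> dict:
    """Report message type, peer host name and whether tunnel auth is being requested."""
    avps = parse_control(payload)
    mtype = avps.get(AVP_MESSAGE_TYPE)
    code = struct.unpack("!H", mtype)[0] if mtype and len(mtype) == 2 else None
    return {
        "message": MESSAGE_NAMES.get(code, "ZLB/other"),
        "host_name": avps.get(AVP_HOST_NAME, b"").decode("ascii", "replace"),
        "tunnel_auth_requested": AVP_CHALLENGE in avps,
        "challenge": avps.get(AVP_CHALLENGE),
    }


def challenge_response(reply_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Value a peer that knows the tunnel secret returns in the Challenge Response AVP:
    MD5(message type of the reply (2 = SCCRP, 3 = SCCCN) + shared secret + challenge)."""
    return hashlib.md5(bytes([reply_type]) + secret + challenge).digest()


# --- constructed sample packets (not captured traffic) ---
def _avp(attr: int, value: bytes) -> bytes:
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr) + value


def build_control(msg_type: int, extra_avps: bytes = b"") -> bytes:
    body = _avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + extra_avps
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), 0, 0, 0, 0) + body


HOST = _avp(AVP_HOST_NAME, b"NICKPRATLEY-BROADBAND")
CHALLENGE = bytes(range(16))  # constructed challenge value
SCCRQ_WITH_AUTH = build_control(1, HOST + _avp(AVP_CHALLENGE, CHALLENGE))
SCCRQ_NO_AUTH = build_control(1, HOST)

if __name__ == "__main__":
    for label, packet in (("auth on", SCCRQ_WITH_AUTH), ("auth off", SCCRQ_NO_AUTH)):
        print(label, summarise(packet))
```

An LNS with no tunnel secret configured cannot produce the Challenge Response, so an SCCRQ that still carries a Challenge AVP means the LAC side is still doing tunnel authentication.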
Hi Nick,
This should be all that's required: (L2TP - DHCP+Static IP)
/ip pool add name=DHCP ranges=x.x.x.10-x.x.x.19
/ppp profile add change-tcp-mss=yes local-address=x.x.x.1 name=l2tp remote-address=DHCP use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-vj-compression=no dns-server=8.8.8.8
/interface l2tp-server server set default-profile=l2tp enabled=yes
/ppp secret add name=test@domain.com password=xxxxxxxx profile=l2tp remote-address=x.x.x.2 service=l2tp
-Tim
Hello All,
Just thought I would follow up on this. It's working perfectly now - Thank you Tim and everyone else who has thrown suggestions at me!
The Mikrotik is acting as an LNS - talking to the provider's Cisco LAC.
Regards,
Nick Pratley
Integration Manager
Excellent! :-)
Sounds like a very good topic for a presentation at the MUM in Melbourne on May 15th ;)
Cheers, Mike.
participants (7): Damien Gardner Jnr, Matt Perkins, Mike Everest, mike@duxtel.com, Nick Pratley, Paul Julian, Tim Warnock