L2TP between mikrotik and vyos

Hello! I want to configure L2TP between MikroTik and VyOS. VyOS is the L2TP server and MikroTik is the client. Kindly help me with this. The IP for the tunnel is provided by VyOS. Every L2TP client has a /30 with the L2TP server interface.

Hello @mafiosa, I think you need to configure l2tpv3 if you need some routing process other than the default route.
https://docs.vyos.io/en/equuleus/configuration/interfaces/l2tpv3.html

It's working on 1.3 with these additional settings.

On VyOS disable compression control protocol:

set vpn l2tp remote-access ccp-disable

On Mikrotik disable proposal pfs group:

/ip ipsec proposal
set [ find default=yes ] pfs-group=none

One thing doesn't work: multiple tunnels from the same source address.

Do I need to enable tunnel id? Also, there is no place to set a username and password.

No. IPsec configuration looks like this:

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

I don't want to use IPsec. I need to set a username and password for the tunnel.

Hi @mafiosa, the username and password can be set here:

set vpn l2tp remote-access authentication local-users username test password 'test'

I've checked, and connectivity was established and working in the lab with vyos-1.3-rolling-202012 and routeros-x86-6.47.2:

VyOS Lan interface eth0 - 192.168.0.1/24
VyOS Wan interface eth1 - 192.0.2.2/30
Mikro Wan interface eth1 - 192.0.2.1/30

VyOS L2TP server:

set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces ethernet eth1 address '192.0.2.2/30'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access client-ip-pool start '192.168.255.2'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.254'
set vpn l2tp remote-access outside-address '192.0.2.2'

Mikrotik L2TP Client:

/interface l2tp-client
add connect-to=192.0.2.2 disabled=no use-ipsec=no name=vyos password=test user=test
/ip address
add address=192.0.2.1/30 interface=ether1 network=192.0.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=vyos

Connectivity status:

vyos@vyos:~$ show l2tp-server sessions
 ifname | username | ip            | ip6 | ip6-dp | calling-sid | rate-limit | state  | uptime   | rx-bytes | tx-bytes
--------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.255.3 |     |        | 192.0.2.1   |            | active | 00:14:25 | 2.0 KiB  | 182 B

[admin@MikroTik] /interface l2tp-client> monitor 0
status: connected
uptime: 13m59s
encoding:
mtu: 1436
mru: 1450
local-address: 192.168.255.3
remote-address: 192.168.255.2

[admin@MikroTik] > ping 192.168.0.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.0.1 56 64 0ms
1 192.168.0.1 56 64 1ms
2 192.168.0.1 56 64 0ms
3 192.168.0.1 56 64 1ms
4 192.168.0.1 56 64 0ms
5 192.168.0.1 56 64 1ms
sent=6 received=6 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

P.S.: If you need static routing between the server and the clients, you could define a static IP per client and define the static routes like this:

set vpn l2tp remote-access authentication local-users username test static-ip '192.168.254.2'
set protocols static route 192.168.1.0/24 next-hop 192.168.254.2

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup

C>* 192.0.2.0/30 is directly connected, eth1, 00:09:53
C>* 192.168.0.0/24 is directly connected, eth0, 00:09:53
S>* 192.168.1.0/24 [1/0] via 192.168.254.2, l2tp0, weight 1, 00:00:03
C>* 192.168.254.2/32 is directly connected, l2tp0, 00:00:49

[admin@MikroTik] > ping 192.168.0.1 src-address=192.168.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.0.1 56 64 1ms
1 192.168.0.1 56 64 0ms
2 192.168.0.1 56 64 1ms
sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms
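An added example, not from the thread or from VyOS: a small Python check that parses the `show l2tp-server sessions` table shown above and flags active sessions whose username or calling-sid (the peer's source address) is not on an allow-list, so an operator can spot tunnels that came up from an unexpected peer. The allow-list and the second session row are constructed; 192.0.2.1 is the MikroTik WAN address from the post.

```python
# Added example (not part of the thread): audit VyOS "show l2tp-server
# sessions" output against an allow-list of expected peers.
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like the table in the post; the second row is
# made up to show a session from an address that is not on the allow-list.
SAMPLE = """\
 ifname | username | ip            | ip6 | ip6-dp | calling-sid | rate-limit | state  | uptime   | rx-bytes | tx-bytes
--------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
 l2tp0  | test     | 192.168.255.3 |     |        | 192.0.2.1   |            | active | 00:14:25 | 2.0 KiB  | 182 B
 l2tp1  | test     | 192.168.255.4 |     |        | 198.51.100.7 |           | active | 00:01:02 | 1.1 KiB  | 90 B
"""

# Hypothetical allow-list: username -> source addresses it may dial in from.
ALLOWED: Dict[str, Set[str]] = {"test": {"192.0.2.1"}}


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Turn the pipe-separated session table into dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows: List[Dict[str, str]] = []
    for line in lines[1:]:
        if set(line.strip()) <= set("-+"):  # skip the separator row
            continue
        cells = [c.strip() for c in line.split("|")]
        rows.append(dict(zip(header, cells)))
    return rows


def unexpected_sessions(rows: List[Dict[str, str]],
                        allowed: Dict[str, Set[str]] = ALLOWED
                        ) -> List[Tuple[str, str, str]]:
    """Return (ifname, username, calling-sid) for every active session whose
    user is unknown or whose peer address is not allowed for that user."""
    flagged = []
    for r in rows:
        if r.get("state") != "active":
            continue
        if r["calling-sid"] not in allowed.get(r["username"], set()):
            flagged.append((r["ifname"], r["username"], r["calling-sid"]))
    return flagged


if __name__ == "__main__":
    for hit in unexpected_sessions(parse_sessions(SAMPLE)):
        print("unexpected L2TP session:", hit)
```

Feed it the real table (e.g. from `show l2tp-server sessions` via SSH) and an allow-list of each client's WAN address to turn it into a periodic check.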


Can I run ospf on this interface? And set network type as p2p?

Dear @mafiosa, sorry, but I don't think that this type of connection is designed for dynamic routing such as OSPF. I've checked adding this on the VyOS device:
set protocols ospf area 0 network '192.168.254.0/24' (the l2tp dynamic interface network for remote connections)

and it seems that it might work:

vyos@vyos:~$ show ip ospf interface
l2tp0 is up
ifindex 6, MTU 1436 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>
This interface is UNNUMBERED, Area 0.0.0.0
MTU mismatch detection: enabled
Router ID 192.168.255.2, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 8.633s
Neighbor Count is 0, Adjacent neighbor count is 0

But as this is a dynamic interface, I'm not sure that it's a good idea to use it like that, and also not sure that MikroTik allows you to use these dynamic interfaces in OSPF.

As @Dmitry mentioned previously, you can take a look at the l2tpv3 configuration: L2TP between mikrotik and vyos - #2 by Dmitry

I got it working by putting the network into ospf just after posting the previous reply. It was wonderful to get it working. Now I don’t have any reason to ditch VyOS for any of my deployments. I <3 VyOS.

