Allied Telesis AT-WR4500 Network Router User Manual


 
162 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
Related Topics
IP Addresses and ARP
AAA Configuration
EoIP
IP Security
Additional Resources
http://www.linuxguide.it/docs.php?Networking:VPN:IPSec%2FL2TP
http://en.wikipedia.org/wiki/L2tp
Description
L2TP is a secure tunnel protocol for transporting IP traffic using PPP. L2TP encapsulates PPP in virtual
lines that run over IP, Frame Relay and other protocols (the latter are not currently supported by RouterOS).
L2TP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The
purpose of this protocol is to allow the Layer 2 and PPP endpoints to reside on different devices
interconnected by a packet-switched network. With L2TP, a user has a Layer 2 connection to an access
concentrator - LAC (e.g., modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels
individual PPP frames to the Network Access Server - NAS. This allows the actual processing of PPP
packets to be separated from the termination of the Layer 2 circuit. From the user's perspective, there is
no functional difference between having the L2 circuit terminate in a NAS directly or using L2TP.
L2TP may also be used like any other tunneling protocol, with or without encryption. The L2TP
standard states that the most secure way to encrypt the data is L2TP over IPsec (note that this is the
default mode of the Microsoft L2TP client), since all L2TP control and data packets of a particular tunnel
appear to the IPsec system as homogeneous UDP/IP data packets.
Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500-byte and
larger packets) and bridging over PPP links (using the Bridge Control Protocol (BCP), which allows raw
Ethernet frames to be sent over PPP links). This way it is possible to set up bridging without EoIP. The bridge
should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do
not have MAC addresses.
L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and
accounting of each connection may be done through a RADIUS client or locally.
MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.
L2TP traffic uses the UDP protocol for both control and data packets. UDP port 1701 is used only for link
establishment; subsequent traffic uses any available UDP port (which may or may not be 1701). This means
that L2TP can be used with most firewalls and routers (even with NAT) by enabling UDP traffic to be
routed through the firewall or router.
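To show what the UDP encapsulation described above looks like on the wire, here is an added example (not code from the manual or from RouterOS) that parses L2TPv2 headers and tells control messages from PPP data messages regardless of which UDP port carried them; the sample datagrams are constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# L2TPv2 header flag bits (RFC 2661, section 3.1); the low 4 bits carry the version (2)
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200

@dataclass
class L2tpHeader:
    is_control: bool        # T bit: tunnel/session signalling (control) vs PPP data
    tunnel_id: int
    session_id: int
    ns: Optional[int]       # sequence numbers, mandatory on control messages
    nr: Optional[int]
    payload: bytes          # AVPs for control messages, a PPP frame for data messages

def parse_l2tp(udp_payload: bytes) -> L2tpHeader:
    """Parse one L2TPv2 message carried in a UDP payload, whatever UDP port it used."""
    if len(udp_payload) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", udp_payload[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 message (version != 2)")
    pos, end = 2, len(udp_payload)
    if flags & L_BIT:  # explicit Length field, mandatory on control messages
        end, pos = struct.unpack("!H", udp_payload[2:4])[0], 4
        if not 8 <= end <= len(udp_payload):
            raise ValueError("length field disagrees with datagram size")
    tunnel_id, session_id = struct.unpack("!HH", udp_payload[pos:pos + 4])
    pos, ns, nr = pos + 4, None, None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", udp_payload[pos:pos + 4])
        pos += 4
    if flags & O_BIT:  # Offset Size field plus that many padding bytes precede the payload
        pos += 2 + struct.unpack("!H", udp_payload[pos:pos + 2])[0]
    return L2tpHeader(bool(flags & T_BIT), tunnel_id, session_id, ns, nr, udp_payload[pos:end])

def control_message_type(hdr: L2tpHeader) -> Optional[int]:
    """Message Type AVP value of a control message (1 = SCCRQ, 2 = SCCRP, ...), None for data."""
    if not hdr.is_control or len(hdr.payload) < 8:
        return None
    flags_len, vendor, attr = struct.unpack("!HHH", hdr.payload[:6])
    if vendor != 0 or attr != 0 or (flags_len & 0x03FF) != 8:  # first AVP must be Message Type
        return None
    return struct.unpack("!H", hdr.payload[6:8])[0]

# Constructed sample datagrams (not captured traffic): an SCCRQ opening a tunnel, and a
# data message for tunnel 42 / session 1 carrying a PPP frame (0xff03 HDLC, 0x0021 = IP)
SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000 8008 0000 0000 0001")
DATA = bytes.fromhex("0002 002a 0001 ff03 0021 4500")
```

Without IPsec, everything the parser extracts (tunnel and session IDs, sequence numbers and the PPP payload) is visible in the clear to anyone on the path, which is why the standard recommends L2TP over IPsec.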
8.5.2 L2TP Client Setup
Submenu level: /interface l2tp-client
Property Description
add-default-route (yes | no; default: no) - whether to use the server which this client is connected to
as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the
protocol to allow the client to use for authentication
connect-to (IP address) - the IP address of the L2TP server to connect to
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to
1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to
1460 to avoid fragmentation of packets)