In this post we will cover how to configure an L2TP tunnel on a MikroTik router. We will also explain what L2TP is used for and look at some of the more advanced things you can do with it, such as bridging remote sites into an MPLS network. Below is a video that covers the topic in detail on YouTube.
What is L2TP?
The Layer 2 Tunneling Protocol, or L2TP for short, is a protocol which allows us to establish a virtual tunnel between two routers.
For all intents and purposes you can think of an L2TP tunnel as a VPN tunnel which bridges two networks together. One thing to take note of is that L2TP creates the tunnel over UDP (port 1701), not TCP.
Another thing to consider is that L2TP does not encrypt the traffic inside the tunnel the way an IPsec tunnel would, which is why you may find additional protocols such as IPsec running inside the tunnel to add encryption.
Why use L2TP?
L2TP is particularly useful for ISPs (Internet Service Providers), as it gives them a means of bringing a remote site that may only have broadband or a Layer 3 service available into an MPLS network.
You will see this a lot with sites that use ADSL, LTE or even broadband fibre connections, where the ISP places a router at the site and configures an L2TP client towards an L2TP server (or LNS server) on a public IP address.
These two devices establish the L2TP tunnel over the public Internet, after which the ISP can move the L2TP interface into a VRF to bring the site into the MPLS network. L2TP can also be used by enterprises or even SMEs as a means of creating tunnel connections between sites to send and receive data.
L2TP Server Configuration
We will now dive into the configuration of an L2TP server on a MikroTik router. It is the server's job to authenticate L2TP clients and to assign them a tunnel IP address. An L2TP server will typically have a public IP address which clients use to connect to it.
Looking at the above topology, we will be configuring an L2TP tunnel between R1 and the L2TP-Server. In our example the routers are directly connected on a /30 subnet. You can, however, imagine that this is a connection over the Internet; the devices do not need to be directly connected in order to create an L2TP tunnel.
Our routers will use the following IP addresses:
We will now be navigating through the Winbox configuration.
- Click on PPP -> select the L2TP Server button -> tick "Enabled", then hit Apply and OK.
- Click on PPP -> select the Profiles tab -> click on the "+" button to add a profile.
- Give the profile a name; in my example we will use R1_L2TP.
- Assign a Local Address. This can be any /32 private address, preferably one not in use on the network, for example "10.1.0.1". This is the tunnel IP address which will be assigned to the L2TP server.
- Assign a Remote Address. This can be any /32 private address, preferably one not in use on the network, for example "10.1.0.2". This is the tunnel IP address which the L2TP server will assign to the client. You can now hit Apply and OK.
- Click on PPP -> select the Secrets tab -> click on the "+" button to add a secret.
- Give the secret a name; in my example we will use R1_L2TP.
- Now we need to set a password which the client will use to connect; in our example we will use 123456.
- Set the service: click on the dropdown box and select L2TP, or leave it on any.
- Finally, select the profile that we created earlier by clicking the dropdown box and selecting R1_L2TP, or whatever name you gave your profile.
With those easy steps our L2TP server has been created and a single client can connect. To add more clients, simply add more profiles and assign secrets to them.
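The same server setup typed into the RouterOS terminal, as an added example that is not part of the original post. Steps 1 to 3 mirror the Winbox clicks above; step 4 goes beyond them and turns on the IPsec option of the L2TP server, since L2TP on its own does not encrypt. The password and pre-shared key shown are placeholders.

```routeros
# Added example, not from the original post.
# 1. Enable the L2TP server (listens on UDP 1701).
/interface l2tp-server server set enabled=yes

# 2. Profile holding the tunnel addresses: server side .1, client side .2.
/ppp profile add name=R1_L2TP local-address=10.1.0.1 remote-address=10.1.0.2

# 3. Secret the client authenticates with. The walkthrough uses 123456 as its
#    demo password; the value below is a placeholder for a long random string.
/ppp secret add name=R1_L2TP password="REPLACE-with-long-random-password" \
    service=l2tp profile=R1_L2TP

# 4. Beyond the Winbox steps: require IPsec for every L2TP session and accept
#    only MS-CHAPv2 for PPP authentication. The pre-shared key is a placeholder.
/interface l2tp-server server set use-ipsec=required \
    ipsec-secret="REPLACE-with-long-random-psk" authentication=mschap2

# 5. Check the result: server settings first, then the connected clients.
/interface l2tp-server server print
/ppp active print
```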
L2TP Client Configuration
Configuring an L2TP client on a MikroTik router is a lot easier than configuring a server and simply requires you to create a new L2TP Client interface. We will now look at the steps to configure an L2TP client.
- Click on PPP -> inside the Interface tab click on the "+" button and select the L2TP Client option.
- Give the L2TP client a name. You can call it TO_L2TP_SERVER or TO_MYDC; it is just a name to make managing the interface easier.
- Click on the Dial Out tab; from here we will fill in the L2TP server details.
- In Connect To, specify the publicly reachable address of the L2TP server. I will be using 188.8.131.52 in my example.
- In User, specify the name you gave to your secret on the server. In our example this was R1_L2TP. This has to match!
- In Password, specify the password you used in your secret on the server. This also has to match!
Your L2TP client should now be connecting. To verify, check on either the server or the client whether there is an R (running) flag on the interface; if there is no R, the connection is not up. One hint I can give when setting up L2TP tunnels and wanting to route traffic over them: it is best practice to add a static route that sends your L2TP server's public IP out over your default gateway. If you accidentally route all traffic over the tunnel, the packets that carry the tunnel itself no longer reach the server, and the tunnel will go down.
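The client side from the RouterOS terminal, including the static route hint, as an added example that is not part of the original post. The gateway 192.0.2.1 is a constructed placeholder for your own default gateway, the password and pre-shared key are placeholders, and the use-ipsec options assume the server has IPsec enabled as well.

```routeros
# Added example, not from the original post.
# 1. Pin the server's public address to the existing upstream gateway BEFORE
#    any route points at the tunnel, so the tunnel's own packets never get
#    routed into the tunnel. 192.0.2.1 is a placeholder gateway.
/ip route add dst-address=188.8.131.52/32 gateway=192.0.2.1 \
    comment="L2TP server via WAN"

# 2. Create the L2TP client. user and password must match the secret on the
#    server. Drop use-ipsec and ipsec-secret if the server runs plain L2TP.
/interface l2tp-client add name=TO_L2TP_SERVER connect-to=188.8.131.52 \
    user=R1_L2TP password="REPLACE-with-long-random-password" \
    use-ipsec=yes ipsec-secret="REPLACE-with-long-random-psk" disabled=no

# 3. Verify: the interface should carry the R (running) flag, and the pinned
#    /32 route should still point at the WAN gateway, not at the tunnel.
/interface l2tp-client print
/ip route print where dst-address=188.8.131.52/32
```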
I hope this post has been informative and that you have gotten the answers you were looking for. If not, feel free to leave a comment and I will do my best to answer you 🙂