MikroTik Router OS V3.0 User Manual

							1.+ 	
 *$*$ 

	 & 	
 
 
	  

!
[admin@MikroTik] interface ipip> add local-address=10.1.0.172 \remote-address=10.5.8.104 disabled=no
2.+ 	
 *$ 	 
 	


!

	
[admin@MikroTik] ip address> add address=10.0.0.2/24 interface=ipip1
Specifications
Packages required:system
License required:level1 (limited to 1 tunnel), level3 (200 tunnels), level5 (unlimited)
Home menu level:/interface ipip
Standards and Technologies:IPIP(RFC2003)
Hardware usage:Not significant
Additional Documents
•#3/C
						

							0
  	
 
 	
 	
45 
 
 *$*$ 

	
  
 	


	

  %
	
%  
 

	  	

 	  
 

	 	 


 
 


	
  


	

 
 ! *$*$ 

	

 	 
 

 
 3 /.. addlocal-address: 10.0.0.1remote-address: 22.63.11.6[admin@MikroTik] interface ipip> printFlags: X - disabled, R - running, D - dynamic# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS0 X ipip1 1480 10.0.0.1 22.63.11.6
[admin@MikroTik] interface ipip> enable 0[admin@MikroTik] interface ipip> /ip address add address 1.1.1.1/24 interface=ipip1
 
	

  
3& 
 
Page 201 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							[admin@MikroTik] interface ipip> add local-address=22.63.11.6 remote-address=10.0.0.1[admin@MikroTik] interface ipip> printFlags: X - disabled, R - running, D - dynamic# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS0 X ipip1 1480 22.63.11.6 10.0.0.1
[admin@MikroTik] interface ipip> enable 0[admin@MikroTik] interface ipip> /ip address add address 1.1.1.2/24 interface=ipip1
9 
 
 	
 
 	 

[admin@MikroTik] interface ipip> /ping 1.1.1.21.1.1.2 64 byte ping: ttl=64 time=24 ms1.1.1.2 64 byte ping: ttl=64 time=19 ms1.1.1.2 64 byte ping: ttl=64 time=20 ms3 packets transmitted, 3 packets received, 0% packet lossround-trip min/avg/max = 19/21.0/24 ms[admin@MikroTik] interface ipip>
Page 202 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							L2TP Tunnel
Document revision 1.5 (January 16, 2008, 9:09 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
GeneralInformation
Summary
QuickSetupGuide
Specifications
Description
L2TPClientSetup
PropertyDescription
Notes
Example
MonitoringL2TPClient
PropertyDescription
Example
L2TPServerSetup
Description
PropertyDescription
Notes
Example
L2TPTunnelInterfaces
Description
PropertyDescription
Example
L2TPApplicationExamples
Router-to-RouterSecureTunnelExample
ConnectingaRemoteClientviaL2TPTunnel
L2TPSetupforWindows
Troubleshooting
Description
General Information
Summary
A-$ &A	 - 

 $
 
 

 


 ( *$   
 ! 

	



 
  
 A-$ 

 	
 (
I
	 		

  A-$ 


 

• 
7
7
 


 ( 
 *



•

 &
 	 *

	

  A+9
Page 203 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•


 $$$  



 
 	 
 	

 & 	 
 		
 	


	

 	

*



 	 

  *!$
•	
 	
 *

	

1A+9  	 	
  
 & 

 &
F	 A-$ 



    	 ( 	
 	 

   
 ! 	 


 	 	 (
 

   (	 
	

 
 	  
 (   



 	
 

  






Quick Setup Guide
 	 	 A-$ 


 

 -  
 
 *$ 	!+%*%(%!+1&A-$ ( 	

!+%!%+%!9&&A-$ 

  
 

 

•3
	

 
 A-$ ( 

1.+ 	 A-$ 
[admin@L2TP-Server] ppp secret> add name=user password=passwd \\... local-address=10.0.0.1 remote-address=10.0.0.2
2.F
	 
 A-$ (
[admin@L2TP-Server] interface l2tp-server server> set enabled=yes
•3
	

 
 A-$ 

 

1.+ 	 A-$ 


[admin@L2TP-Client] interface l2tp-client> add user=user password=passwd \\... connect-to=10.5.8.104
Specifications
Packages required:ppp
License required:level1 (limited to 1 tunnel), level3 (limited to 200 tunnels), level5
Home menu level:/interface l2tp-server, /interface l2tp-client
Standards and Technologies:L2TP(RFC2661)
Hardware usage:Not significant
Description
A-$  	  


 
  
	


 *$ 
	 
 $$$ A-$ 
		
 $$$ 
 (
	 


	
 
 ( *$ #	 	 	
 
 
 &
	
 	 

 

 
   
 !
A-$ 
	
 $$$ 	
 $$F &
 $

 
 $

 F


 
 	 

 
  
 
 
  
 	 
 A	 - 	
 $$$ 


 
  
 

 ( 




  	
	
7
 

 6
 A-$ 	  	 	 A	 - 



 
 	
 	 


	
 77.,&
 	
 +5!A 5!A+ 
 	
 
 


	
 

 


 
(	 $$$ 	 
 
 9

+ !( 7.0  	 
 	
	 
  $$$ 	
 
  		
  
 

	


 
 A	 - 
 # 
 % 
( 
  
 


	 
 

 	(
 
 A-

 

	
 
 	 9+! 
  
 A-$
*
 	 	   
  A-$ 4
 	 	
 
 



 
 
  

 


  A-$
Page 204 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							
	
	 	 
	
 
 
  	 
 

 	
	  
 A-$ ( *$ &

	
 
  	
  
 A-$ 

 	 	 A-$ 

 	
 	
	 	
  	 	
	 


 		 	

 05$1*$ 	
	 	
 
 
 *$ 



 $$$ &$  
 
  
 ( 0 &
 	
 
 
	

 72 /
						

							!
 0 	
 
	
 $ &

 $$$ ( 
 
  
   
 
  	



 	 
 0
 6
 
 	
  
	 
 9

 
	 !


 


 H9
	
 
7

 
 
 



H  0  	 
 /G/D  


   
 ( $	
0
( 	  $   
	 
 
 
Example
 
  A-$ 

 
	

&
 
	= 
 	= 
 


 
 
!+%!%!%!&
A-$ ( 	
  
 	 
 	
 	
	
[admin@MikroTik] interface l2tp-client> add name=test2 connect-to=10.1.1.12 \\... user=john add-default-route=yes password=john[admin@MikroTik] interface l2tp-client> printFlags: X - disabled, R - running0 X name=test2 max-mtu=1460 max-mru=1460 mrru=disabled connect-to=10.1.1.12user=john password=john profile=default add-default-route=yesallow=pap,chap,mschap1,mschap2[admin@MikroTik] interface l2tp-client> enable 0
Monitoring L2TP Client
Command name:/interface l2tp-client monitor
Property Description
encoding(text) - encryption and encoding (if asymmetric, separated with /) being used in this
connection
idle-time(read-only: time) - time since the last packet has been transmitted over this link
mru(read-only: integer) - effective MRU of the link
mtu(read-only: integer) - effective MTU of the link
status(text) - status of the client
•dialing- attempting to make a connection
•verifying password...- connection has been established to the server, password verification in
progress
•connected- self-explanatory
•terminated- interface is not enabled or the other side will not establish a connection
uptime(time) - connection time displayed in days, hours, minutes and seconds
Example
F	  	
 
	 




[admin@MikroTik] interface l2tp-client> monitor test2status: connecteduptime: 6h44m9sidle-time: 6h44m9sencoding: MPPE128 statelessmtu: 1460mru: 1460[admin@MikroTik] interface l2tp-client>
Page 206 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							L2TP Server Setup
Home menu level:/interface l2tp-server server
Description
 A-$ ( 	
 	 
	 

	  	 


 A-$ 

  A-$ 



 

 

 
 
 
 
 (  	( A(/ 
 	 / A-$ 

 A(:  A(D

  
 -.. 

 	
 A(<  A(G 
  

 	( A-$ 

 
	


 	
 A-$    

 
$$$
	
$$$$	
	 *
  	  
 

  
 	 	 +5*0! 

 
 
 
 A-$   
	
	 
  

Property Description
authentication(multiple choice: pap|chap|mschap1|mschap2; default:mschap2) -
authentication algorithm
default-profile- default profile to use
enabled(yes|no; default:no) - defines whether L2TP server is enabled or not
keepalive-timeout(time; default:30) - defines the time period (in seconds) after which the router is
starting to send keepalive packets every second. If no traffic and no keepalive responses has came
for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected
max-mru(integer; default:1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
max-mtu(integer; default:1460) - Maximum Transmission Unit. The optimal value is the MTU of
the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the
MTU to 1460 to avoid fragmentation of packets)
mrru(integer: 512..65535; default:disabled) - maximum packet size that can be received on the
link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size
IP or Ethernet packets to be sent over the tunnel
•disabled- disable MRRU on this link
Notes
!
 0 	
 
	
 $ &

 $$$ ( 
 
  
   
 
  	



 	 
 0
 6
 
 	
  
	 
 9

 
	 !


 


 H9
	
 
7

 
 
 



H  0  	 
 /G/D  


   
 ( $	
0
( 	  $   
	 
 
 
Example
 
	 A-$ (
[admin@MikroTik] interface l2tp-server server> set enabled=yes[admin@MikroTik] interface l2tp-server server> printenabled: yesmax-mtu: 1460
Page 207 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							max-mru: 1460mrru: disabledauthentication: mschap2,mschap1keepalive-timeout: 30default-profile: default[admin@MikroTik] interface l2tp-server server>
L2TP Tunnel Interfaces
Home menu level:/interface l2tp-server
Description
 	 
 
  

	 &


 
 
 $$$ ( 
	

 7 
	
  	
 
	




 +
 

	  	
  	 


 
	 
 
 (
 ( !
	
 

	 	
	 	

	
(  
  	 
 
 
 
 	
	 

	 
	 &
 	  
 	
  
 	
	  5
	 

	 	 	 
 
 
 	
	
	 
(
	   


 	
 
 
	  

 	
 	
 

 
	
 

 & 
 	 
 

  	
(
		 	 
 	
 

  
 		
 


 

	 
  
 	 
	 5
	


	 		 
 	  


 	
 		 
 
  


  
   


 
 


 	
  
	
  
 
 
	

 & 	 
 	    
 	



   
	
  	
 	 
	
 

  1  
 
  	 
  
	

	



	
 
 
 	 $$$  
  
  7 
	
 

  

 	
$$$ 
	


Property Description
client-address(read-only: IP address) - shows the IP address of the connected client
encoding(read-only: text) - encryption and encoding (if asymmetric, separated with /) being used
in this connection
mru(read-only: integer) - clients MRU
mtu(read-only: integer) - clients MTU
name(name) - interface name
uptime(read-only: time) - shows how long the client is connected
user(name) - the name of the user that is configured statically or added dynamically
Example
 	 	 
	
 

 !
[admin@MikroTik] interface l2tp-server> add user=ex1[admin@MikroTik] interface l2tp-server> printFlags: X - disabled, D - dynamic, R - running# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...0 DR  ex 1460 10.0.0.202 6m32s none1 l2tp-in1 ex1[admin@MikroTik] interface l2tp-server>
*
 
 	 	
 		 


  
  
 
  4
 	 9 
 

	

	&

!	
  
  	
 
 
 ! 
	

  	 	 

	
Page 208 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							L2TP Application Examples
Router-to-Router Secure Tunnel Example
 
  	
 	  



 
 *

	

 
 	
 

 A-$ 


 ( 
 *




 	 
 
 
 
 	
•=, >
*

	 A	,  /./