Last updated: 2023-07-04
Introduction
L2TP is a secure tunnel protocol for transporting IP traffic using PPP.
L2TP encapsulates PPP in virtual lines that run over IP.
L2TP traffic uses UDP protocol for both control and data packets.
UDP port 1701 is used only for link establishment;
subsequent traffic uses any available UDP port (which may or may not be 1701).
Not every router supports multiple clients behind the same NAT on an encrypted VPN.
How it works
L2TP has no encryption of its own, so encryption is provided by IPsec.
L2TP handles user authentication and IP address assignment.
IP packet -> L2TP encapsulation -> IPsec encapsulation -> Router
Contents
- Firewall Settings
Firewall Settings
# Required
/ip firewall filter add chain=input protocol=udp port=1701,500,4500
# Not required: "ipsec-esp"
add chain=input protocol=ipsec-esp
Static & Dynamic interfaces
Static interfaces
added administratively
Dynamic interfaces
appear when a user connects and disappear once the user disconnects,
so it is impossible to reference the tunnel created for that user in router configuration.
(A dynamic interface is created when a user connects and its username does not match any existing static entry.)
Create the VPN IP pool
# Connecting users are assigned an IP from this pool
/ip pool
add name=l2tp range=192.168.8.201-192.168.8.219
ppp profile
/ppp profile
add name=l2tp local-address=192.168.8.1 remote-address=l2tp
* remote-address refers to the "/ip pool" name
Settings
local-address: Tunnel address or name of the pool from which address is assigned to ppp interface locally. (Router LAN IP)
remote-address: Tunnel address or name of the pool from which address is assigned to remote ppp interface.
incoming-filter (string; Default: )
Firewall chain name for incoming packets.
Specified chain gets control for each packet coming from the client.
The ppp chain should be manually added and
rules with "action=jump jump-target=ppp" should be added to other relevant chains in order for this feature to work.
outgoing-filter (string; Default: )
Firewall chain name for outgoing packets.
Specified chain gets control for each packet going to the client.
The ppp chain should be manually added and
rules with "action=jump jump-target=ppp" should be added to other relevant chains in order for this feature to work.
rate-limit (string; Default: )
Rate limitation in form of
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]
from the point of view of the router (so "rx" is client upload, and "tx" is client download).
All rates are measured in bits per second, unless followed by optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second).
If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies for tx-burst-rate, tx-burst-threshold and tx-burst-time.
If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified),
rx-rate and tx-rate are used as burst thresholds.
If both rx-burst-time and tx-burst-time are not specified, 1s is used as default.
Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest.
If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used.
The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values.
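Added example (not MikroTik code): a parser that applies the field order and defaulting rules described above to a rate-limit string, returning explicit rx/tx values and rejecting strings that break the documented constraints. It assumes burst time is written in whole seconds (optional "s" suffix) and that an omitted priority means 8 (lowest); neither is stated on this page.

```python
# Added example (not MikroTik code): parse the ppp-profile rate-limit string.
import re

_RATE_RE = re.compile(r"^(\d+)([kM]?)$")
_SUFFIX = {"": 1, "k": 1_000, "M": 1_000_000}  # multipliers to bits per second

def parse_rate(token: str) -> int:
    """'512k' -> 512000 bit/s; a bare number is already bit/s."""
    m = _RATE_RE.match(token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_pair(field: str, conv=parse_rate) -> tuple[int, int]:
    """'rx[/tx]' -> (rx, tx); an omitted tx takes the rx value."""
    parts = field.split("/")
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"bad rx/tx pair {field!r}")
    rx = conv(parts[0])
    return rx, (conv(parts[1]) if len(parts) == 2 else rx)

def parse_rate_limit(value: str) -> dict:
    # rx = client upload, tx = client download, seen from the router.
    f = value.split()
    if not 1 <= len(f) <= 6:
        raise ValueError("rate-limit takes 1 to 6 space-separated fields")
    rx_rate, tx_rate = parse_pair(f[0])
    rx_burst, tx_burst = parse_pair(f[1]) if len(f) > 1 else (0, 0)  # 0 = no burst
    if len(f) > 2:
        rx_thr, tx_thr = parse_pair(f[2])
    else:  # threshold falls back to the plain rate, but only when bursting is on
        rx_thr, tx_thr = (rx_rate, tx_rate) if rx_burst or tx_burst else (0, 0)
    # Burst time: assumed whole seconds with optional 's' suffix; default 1s.
    rx_time, tx_time = parse_pair(f[3], lambda t: int(t.rstrip("s"))) if len(f) > 3 else (1, 1)
    priority = int(f[4]) if len(f) > 4 else 8  # assumption: 8 (lowest) when omitted
    if not 1 <= priority <= 8:
        raise ValueError("priority must be 1..8")
    rx_min, tx_min = parse_pair(f[5]) if len(f) > 5 else (rx_rate, tx_rate)
    if rx_min > rx_rate or tx_min > tx_rate:
        raise ValueError("rx-rate-min/tx-rate-min may not exceed rx-rate/tx-rate")
    return {"rx_rate": rx_rate, "tx_rate": tx_rate, "rx_burst": rx_burst, "tx_burst": tx_burst,
            "rx_threshold": rx_thr, "tx_threshold": tx_thr, "rx_burst_time": rx_time,
            "tx_burst_time": tx_time, "priority": priority, "rx_min": rx_min, "tx_min": tx_min}

def is_valid(value: str) -> bool:
    try:
        parse_rate_limit(value)
        return True
    except ValueError:
        return False
```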
session-timeout (time; Default: )
Maximum time the connection can stay up.
By default no time limit is set.
idle-timeout (time; Default: )
Specifies the amount of time after which the link will be terminated
if there is no activity. No timeout is set by default.
use-compression (yes | no | default; Default: default)
This setting does not affect OVPN tunnels.
use-encryption (yes | no | default | require; Default: default)
This setting does not work on OVPN and SSTP tunnels.
use-mpls (yes | no | default | require)
Specifies whether to allow MPLS over PPP.
default - derive this value from the interface default profile (equivalent to no)
only-one (yes | no | default)
Defines whether a user is allowed to have more than one ppp session at a time
default - derive this value from the interface default profile (equivalent to no)
Add a user account
# add user1 with password 1234
/ppp secret add name=user1 password=1234 service=l2tp profile=l2tp
* profile refers to the "/ppp profile" name
Checking
/ppp secret print detail
Flags: X - disabled # NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
Enable L2TP server
/interface l2tp-server server
set enabled=yes default-profile=l2tp
* default-profile refers to the "/ppp profile" name
# Settings
keepalive-timeout (integer; Default: 30)
If the server does not receive any packets during the keepalive-timeout period,
it sends keepalive packets every second, five times.
If the server still receives no response from the client,
the client is disconnected after 5 seconds.
Logs will show 5x "LCP missed echo reply" messages and then disconnect.
# View settings
/interface l2tp-server server> print
Monitoring
/interface l2tp-client
/interface l2tp-client> print
/interface l2tp-client> monitor 0
Set up proxy-arp on local interface (ether2)
# (so that any workstation on the LAN can be pinged from the laptop)
/interface ethernet
set ether2 arp=proxy-arp
L2TP/IPsec Setup
/interface l2tp-server server
set enabled=yes default-profile=l2tp use-ipsec=yes ipsec-secret=mySecret
When IPsec is enabled on the L2TP server, it uses the IPsec default Policy and Proposal:
- IP > IPsec > Policies > set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0 (/ip ipsec policy)
- IP > IPsec > Proposals > default (/ip ipsec proposal)
- IP > IPsec > Profiles > default (/ip ipsec profile)
- IP > IPsec > Peers > Name: l2tp-in-server # created automatically
- IP > IPsec > Identities > l2tp-in-server # created automatically
Checking
Steps
[1] IP/IPsec/Policies => PH2 State:established
[2] PPP/Active Connections => Caller ID: remote WAN IP
Clients
Win7: IPsec Proposals
- Auth. Alg.: sha1 (required for Win7)
- Encr. Alg.: aes-128 cbc (required for Win7)
- L2TP Server authentication: mschap2 (keeping only this one is enough; the others are not used)
Troubleshoot
Can't establish multiple VPN connections from one external IP (multiple L2TP/IPsec connections from the same IP address).
PPTP has the same problem!
PPTP - not secure; only one connection from the same NATed network.
PPTP workaround: "PPTP VPN Passthrough" (PPTP conntrack)