On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
> Not sure if this applies to your configuration, but I recently ran into 
> the same symptom in two similar cases.  The short version is, regardless 
> of what the config and logs say, the IPSec packets will have a source IP 
> of the pref-src value for the route matching the IPSec endpoint. Example...
> 
> /ip addr add address=1.2.3.4/24 interface=wan
> /ip addr add address=2.2.2.2/32 interface=wan
> /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254
> 
> The pref-src for the default route will be 1.2.3.4, unless otherwise 
> specified.
> 
> If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA, 
> the SA will come up and everything will look fine, but the 
> L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially 
> if you're doing NAT-T, the router in front of the remote endpoint will 
> just drop the UDP packets because the connection tracking won't know 
> where they came from.
> 
> I'm fudging some of the details because I'm a bit swamped and 
> pulling this from memory, but the underlying point is the same. If the 
> remote endpoint connects to 2.2.2.2, it won't work, and if you connect 
> to 1.2.3.4, it does.

We have a winner!!!  Have to use the IP speaking OSPF or BGP in the
direction of the client.  That makes things interesting with 8 paths
into router at the centrally located office.  In the future, I will try
to remember "MikroTik IPsec VPN concentrators must be single-homed to be
useful."

Thank you!

And I knew to look for issues like that because I have the same problem
with SNMP.  This router has multiple subnets on each path and isn't
using the subnet I thought it was on either of the directions from which
I attempted to test.  We're in the process of moving out of some older
IP space and re-organizing the network.  I did all of my testing to the
IP in the newer subnets on the interfaces facing me.

What is so hard about sourcing packets from the same IP your client used
to contact you in the first place?  

Lacking that, why can't every service have a src-address like the radius
client has for each radius server?  A cisco-esque source-interface would
be wonderful.

ip radius source-interface Loopback0
logging source-interface Loopback0
snmp-server source-interface informs Loopback0
ntp source Loopback0
 
> I also noticed some related badness when setting up IPSec with a static 
> policy in a dual-WAN config.  Even though sa-src-address was set to the 
> second WAN address, it turns out the deciding factor was the pref-src on 
> the matching route for the outbound traffic.  I tried NAT, policy 
> routing, yelling, and the pref-src value was the only thing that would 
> change it.  Even the logs (ipsec,raw,packet) showed the correct src 
> address, but torch on the upstream routers proved the logs to be 
> incorrect.  The worst part was, once I did get it to change by setting 
> the pref-src on a static /32 route matching the remote endpoint, 
> removing the route didn't change it back.  I had to reboot the router to 
> switch it back to the first WAN address.  Suffice it to say, I should 
> set this up in a lab carefully documenting it and send it to MikroTik, 
> but who has time for that.
 
I hear you.

> On 01/21/2014 03:30 PM, Scott Lambert wrote:
> > I apologize for the length of this e-mail.  I didn't want to leave out
> > any of the work I've already done trying to troubleshoot this.  I really
> > appreciate anyone willing to slog through it.
> >
> > I am having fits with my IPSec/L2TP VPNs I use to get into various
> > places.  Someone posted a recipe to this list which just worked for
> > RouterOS 5.x and I have been running that on a few routers for a while
> > now.  It just worked so I never actually spent the time to learn what
> > was what.  I have been trying to correct that laziness over the past few
> > days and nights.  But I am out of time and hitting a wall now.
> >
> > Unfortunately, I have been upgrading a few of the test routers to 6.x
> > and now need to setup VPNs on a couple of CCRs.  I have not had to use
> > the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
> > and up.  I do not have logs of the last time I used the VPNs.
> >
> > Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.
> >
> > I only have 6.4 on the new CCR and have configured it to be the moral
> > equivalent of the config on my remaining functional RouterOS 5.21
> > 493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
> > upgraded it to 6.7.  Still toast.
> >
> > I am also trying to get a site to site tunnel running between the CCR
> > and a CiscoASA.  Never got a successful ISAKMP link on 6.5 or 6.7.
> >
> > So, I went down to 6.4.  I instantly had a good ISAKMP SA with the
> > CiscoASA.  I am still working out some issues with passing traffic on
> > that tunnel.  Is IPsec completely broken above 6.4?
> >
> > I am also finally getting to the L2TP negotiation with my laptop.  I
> > have a priority need to get the IPsec/L2TP road warrior tunnel up before
> > I finish with the CiscoASA.
> >
> > From what I can see in the logs, IPsec is happy.  I think the MikroTik
> > is happy with the L2TP request sent by the laptop.  But it looks like
> > the laptop never acknowledges hearing the MikroTik's ACK.  I have triple
> > and quadruple checked the secrets.  I have even changed the secrets a
> > few times, shortening them, to see if that would result in any different
> > error messages.
> >
> > If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
> > VPN is fully negotiated and passing traffic in less than 3 seconds.  So
> > that tells me I should not have issues with the firewall behind which
> > the laptop lives.
> >
> > I have been trying to use info in this article to understand where L2TP
> > is getting stuck.
> >
> > https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34
> >
> > C.D.1.22 and A.B.32.129 are both on the CCR.  C.D.1.22 faces the
> > Internet and A.B.32.129 is the public IP for the network into which I am
> > trying to VPN.  I have the Site to Site tunnel using C.D.1.22 because
> > that is closer to the ASA.  I have tried with the IP on the CCR which is
> > closest to the Laptop's router with the same results.
> >
> > When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:
> >
> > 16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:500->A.B.32.129:500, len 328
> > 16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:500->A.B.32.129:500, len 256
> > 16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 132
> > 16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
> > 16:29:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
> > 16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
> >                         [ My laptop sent a request to start the control 
> > connection (SCCRQ) ]
> > 16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x3
> > 16:29:08 l2tp,debug,packet     (M) Host-Name=""
> > 16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
> > 16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
> > 16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
> > 16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:08 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) ]
> > 16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:08 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:08 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:08 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:08 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 284
> > 16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 92
> > 16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
> > 16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
> > 16:29:09 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
> > 16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRQ
> >                         [ My laptop sent a request to start the control 
> > connection (SCCRQ) again ]
> > 16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x3
> > 16:29:09 l2tp,debug,packet     (M) Host-Name=""
> > 16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
> > 16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
> > 16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
> > 16:29:09 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
> > 16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) again ]
> > 16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:09 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:09 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:09 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:09 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:10 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:10 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:10 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) again ]
> > 16:29:10 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:10 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:10 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:10 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:10 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:10 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:10 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:10 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:11 l2tp,debug,packet rcvd control message from A.B.34.126:51593
> > 16:29:11 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
> > 16:29:11 l2tp,debug,packet     (M) Message-Type=SCCRQ
> >                         [ My laptop sent a request to start the control 
> > connection (SCCRQ) again ]
> > 16:29:11 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:11 l2tp,debug,packet     (M) Framing-Capabilities=0x3
> > 16:29:11 l2tp,debug,packet     (M) Host-Name=""
> > 16:29:11 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
> > 16:29:11 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:11 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
> > 16:29:11 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
> > 16:29:11 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
> > 16:29:12 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:12 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:12 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) again ]
> > 16:29:12 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:12 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:12 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:12 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:12 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:12 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:12 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:12 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:15 l2tp,debug,packet rcvd control message from A.B.34.126:51593
> > 16:29:15 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
> > 16:29:15 l2tp,debug,packet     (M) Message-Type=SCCRQ
> >                         [ My laptop sent a request to start the control 
> > connection (SCCRQ) again ]
> > 16:29:15 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:15 l2tp,debug,packet     (M) Framing-Capabilities=0x3
> > 16:29:15 l2tp,debug,packet     (M) Host-Name=""
> > 16:29:15 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
> > 16:29:15 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:15 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
> > 16:29:15 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
> > 16:29:15 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
> > 16:29:16 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:16 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:16 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) again ]
> > 16:29:16 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:16 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:16 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:16 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:16 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:16 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:16 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:16 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:23 l2tp,debug,packet rcvd control message from A.B.34.126:51593
> > 16:29:23 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
> > 16:29:23 l2tp,debug,packet     (M) Message-Type=SCCRQ
> >                         [ My laptop sent a request to start the control 
> > connection (SCCRQ) again ]
> > 16:29:23 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:23 l2tp,debug,packet     (M) Framing-Capabilities=0x3
> > 16:29:23 l2tp,debug,packet     (M) Host-Name=""
> > 16:29:23 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
> > 16:29:23 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:23 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
> > 16:29:23 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
> > 16:29:23 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
> > 16:29:24 l2tp,debug,packet sent control message to A.B.34.126:51593
> > 16:29:24 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
> > 16:29:24 l2tp,debug,packet     (M) Message-Type=SCCRP
> >                         [ My CCR likes my request and is accepting the 
> > control connection (SCCRP) again ]
> > 16:29:24 l2tp,debug,packet     (M) Protocol-Version=0x01:00
> > 16:29:24 l2tp,debug,packet     (M) Framing-Capabilities=0x1
> > 16:29:24 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
> > 16:29:24 l2tp,debug,packet     Firmware-Revision=0x1
> > 16:29:24 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
> > 16:29:24 l2tp,debug,packet     Vendor-Name="MikroTik"
> > 16:29:24 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
> > 16:29:24 l2tp,debug,packet     (M) Receive-Window-Size=4
> > 16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 29
> > 16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 108
> > 16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 
> > 00:0c:42:bd:5e:b8, proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 116
> > 16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
> > 16:29:32 l2tp,debug tunnel 12 entering state: dead
> >
> > Then the CCR gives up.
> >
> > I cannot figure out from that information what is not matched up.
> >
> > This is the laptop's perspective, which doesn't help me:
> >
> > Jan 21 16:29:07 lambertmbp pppd[23979]: pppd 2.4.2 (Apple version 412.5.70) 
> > started by lambert, uid 501
> > Jan 21 16:29:07 lambertmbp pppd[23979]: L2TP connecting to server 
> > 'A.B.32.129' (A.B.32.129)...
> > Jan 21 16:29:07 lambertmbp pppd[23979]: IPSec connection started
> > Jan 21 16:29:07 lambertmbp racoon[20913]: Connecting.
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Initiator, Main-Mode message 1).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
> > (Initiator, Main-Mode message 2).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Initiator, Main-Mode message 3).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
> > (Initiator, Main-Mode message 4).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Initiator, Main-Mode message 5).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 AUTH: success. 
> > (Initiator, Main-Mode Message 6).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
> > (Initiator, Main-Mode message 6).
> > Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 Initiator: success. 
> > (Initiator, Main-Mode).
> > Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Initiator, Quick-Mode message 1).
> > Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: receive success. 
> > (Initiator, Quick-Mode message 2).
> > Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Initiator, Quick-Mode message 3).
> > Jan 21 16:29:08 lambertmbp racoon[20913]: IKEv1 Phase2 Initiator: success. 
> > (Initiator, Quick-Mode).
> > Jan 21 16:29:08 lambertmbp racoon[20913]: Connected.
> > Jan 21 16:29:08 lambertmbp pppd[23979]: IPSec connection established
> > Jan 21 16:29:28 lambertmbp pppd[23979]: L2TP cannot connect to the server
> > Jan 21 16:29:28 lambertmbp configd[14]: SCNCController: Disconnecting. 
> > (Connection tried to negotiate for, 21 seconds).
> > Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Information message).
> > Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: 
> > transmit success. (Delete IPSEC-SA).
> > Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
> > (Information message).
> > Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: 
> > transmit success. (Delete ISAKMP-SA).
> > Jan 21 16:29:29 lambertmbp racoon[20913]: Disconnecting. (Connection was up 
> > for, 21.016530 seconds).
> >
> >
> > This is the MikroTik config:
> >
> > /ip firewall filter
> > <early in the list before any drops>
> > add action=log chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
> > add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
> > add chain=input comment="IPSec ESP" protocol=ipsec-esp
> > add chain=input comment="IPSec AH" protocol=ipsec-ah
> > add action=log chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
> > add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
> > add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
> >
> > I do not have an anti-nat rule for this session.  I am not getting far
> > enough to be assigned an IP.  So, it should not matter.  I think it
> > would only be necessary for the Site to Site link with the CiscoASA,
> > anyway.  The 5.x box does not have an anti-nat rule either.
> >
> > I am not using the below mode-cfg part of the config, that I know of,
> > yet.  It is leftover from trying to combine what worked on 5.x with what
> > is on the MikroTik wiki.
> >
> > /ip ipsec mode-cfg
> > add address-pool=xyz_dhcp_pool1 name=RW-cfg split-include=\
> >      10.10.230.0/24,192.168.10.0/24
> > /ip ipsec policy group
> > add name=RoadWarrior
> > /ip ipsec proposal
> > set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256
> > /ip ipsec peer
> > add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
> >      nat-traversal=yes secret=abc123456789
> > add address=M.N.O.121/32 hash-algorithm=sha1 my-id-user-fqdn=C.D.1.226 \
> >      nat-traversal=yes secret=supersecret
> > /ip ipsec policy
> > add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 sa-src-address=\
> >      C.D.1.226 src-address=10.10.230.0/24 tunnel=yes
> > add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 sa-src-address=\
> >      C.D.1.226 src-address=192.168.10.0/24 tunnel=yes
> >
> > /ppp profile
> > add bridge=XYZ change-tcp-mss=yes dns-server=192.168.10.9 local-address=\
> >      10.10.230.1 name=xyz remote-address=xyz_dhcp_pool1
> > /ppp secret
> > add name=lambert-l2tp password=secret profile=xyz service=l2tp
> >
> > /interface l2tp-server server
> > set default-profile=xyz enabled=yes keepalive-timeout=disabled max-mru=1460 max-mtu=\
> >      1460
> >
> > Thanks for taking the time to read through.  I would really appreciate
> > any wild guesses you might have.
> >
> 
> 
> _______________________________________________
> Mikrotik mailing list
> Mikrotik@mail.butchevans.com
> http://mail.butchevans.com/mailman/listinfo/mikrotik
> 
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lamb...@lambertfam.org

How to be a "computer expert," http://www.xkcd.com/627/
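Kristian's point above (the source address of locally originated IPsec/L2TP traffic follows the pref-src of the route toward the peer, not the address the peer dialled) can be turned into a pre-deployment check. The following is an added example, not code from this thread, from MikroTik or from RouterOS: a toy route-lookup model using the thread's 1.2.3.4/24 and 2.2.2.2/32 addressing, plus a lint that flags a listener address the router will never actually reply from. The lookup rules (longest prefix match, pref-src if set, otherwise the first address on the egress interface), the connected-route handling and every function name are this example's assumptions, not RouterOS's documented behaviour; the /32-route-with-pref-src workaround is the one Kristian describes, and the remote endpoint 198.51.100.7 is a constructed documentation address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address] = None
    interface: Optional[str] = None          # set for connected routes
    pref_src: Optional[ipaddress.IPv4Address] = None


class Router:
    """Toy source-selection model (an assumption, not RouterOS's forwarding code)."""

    def __init__(self):
        self.addresses = {}   # interface -> [IPv4Interface, ...] in config order
        self.routes = []      # connected + static routes in config order

    def add_address(self, iface, cidr):
        addr = ipaddress.ip_interface(cidr)
        self.addresses.setdefault(iface, []).append(addr)
        # Assumption: the connected route carries the address itself as pref-src.
        self.routes.append(Route(addr.network, interface=iface, pref_src=addr.ip))

    def add_route(self, dst, gateway=None, pref_src=None):
        self.routes.append(Route(
            ipaddress.ip_network(dst, strict=False),
            gateway=ipaddress.ip_address(gateway) if gateway else None,
            pref_src=ipaddress.ip_address(pref_src) if pref_src else None))

    def _egress_iface(self, route):
        if route.interface:
            return route.interface
        for iface, addrs in self.addresses.items():
            if any(route.gateway in a.network for a in addrs):
                return iface
        raise LookupError("gateway %s is not on a connected subnet" % route.gateway)

    def lookup(self, dst):
        """Longest-prefix match; the earlier route wins a tie."""
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        if best is None:
            raise LookupError("no route to %s" % dst)
        return best

    def source_for(self, dst):
        """Source address the router would put on a locally originated packet."""
        route = self.lookup(dst)
        if route.pref_src is not None:
            return str(route.pref_src)
        # No pref-src: fall back to the first address on the egress interface.
        return str(self.addresses[self._egress_iface(route)][0].ip)


def check_listener(router, listener_ip, remote_ip):
    """Lint: will replies to remote_ip really leave from the address it dialled?"""
    wire_src = router.source_for(remote_ip)
    return {"listener": listener_ip, "wire_source": wire_src,
            "ok": wire_src == listener_ip}


def build_thread_router():
    """The addressing from the thread's example: 1.2.3.4/24 and 2.2.2.2/32 on wan."""
    r = Router()
    r.add_address("wan", "1.2.3.4/24")
    r.add_address("wan", "2.2.2.2/32")
    r.add_route("0.0.0.0/0", gateway="1.2.3.254")   # no pref-src set
    return r


if __name__ == "__main__":
    r = build_thread_router()
    peer = "198.51.100.7"   # constructed remote endpoint
    print(check_listener(r, "2.2.2.2", peer))   # not ok: replies leave from 1.2.3.4
    # Workaround described in the thread: a /32 toward the peer with pref-src set.
    r.add_route(peer + "/32", gateway="1.2.3.254", pref_src="2.2.2.2")
    print(check_listener(r, "2.2.2.2", peer))   # ok
```

Running the lint against each address a peer is told to dial is cheaper than the torch-on-the-upstream-router method used in the thread; the model will disagree with a real box wherever its source selection differs from these assumed rules, so treat a clean result as a hint, not proof.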

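Scott's log excerpt shows the shape of the failure: the laptop keeps re-sending SCCRQ with nr=0, the CCR answers SCCRP every time, and no SCCCN ever arrives, so the CCR eventually reports "received no replies". The block below is an added example, not from this thread, from MikroTik or from RouterOS: a parser for the `l2tp,debug,packet` log format quoted above that reconstructs the control-connection handshake per peer and states which side stopped hearing the other. The sample log is constructed in that format with documentation addresses (192.0.2.x, 203.0.113.9); the verdict wording and all function names are this example's own.

```python
import re
from collections import defaultdict

# Line shapes taken from the RouterOS log excerpt in the thread.
HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) l2tp,debug,packet "
                 r"(?P<dir>rcvd|sent) control message(?P<ack> \(ack\))? "
                 r"(?:from|to) (?P<peer>[\d.]+):(?P<port>\d+)$")
IDS = re.compile(r"^\d\d:\d\d:\d\d l2tp,debug,packet\s+tunnel-id=(?P<tid>\d+), "
                 r"session-id=(?P<sid>\d+), ns=(?P<ns>\d+), nr=(?P<nr>\d+)$")
ATTR = re.compile(r"^\d\d:\d\d:\d\d l2tp,debug,packet\s+(?:\(M\) )?"
                  r"(?P<key>[\w-]+)=(?P<val>.*)$")

# Constructed sample: peer .26 is stuck like the laptop in the thread,
# peer .77 completes the three-way control-connection setup.
SAMPLE_LOG = """\
16:29:08 firewall,info input: in:vlan101 out:(none), proto UDP, 192.0.2.26:4500->203.0.113.9:4500, len 144
16:29:08 l2tp,debug,packet rcvd control message from 192.0.2.26:51593
16:29:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,debug,packet sent control message to 192.0.2.26:51593
16:29:08 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRP
16:29:09 l2tp,debug,packet rcvd control message from 192.0.2.26:51593
16:29:09 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:29:09 l2tp,debug,packet sent control message (ack) to 192.0.2.26:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 l2tp,debug,packet sent control message to 192.0.2.26:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRP
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
16:31:02 l2tp,debug,packet rcvd control message from 192.0.2.77:1701
16:31:02 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:31:02 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:31:02 l2tp,debug,packet sent control message to 192.0.2.77:1701
16:31:02 l2tp,debug,packet     tunnel-id=9, session-id=0, ns=0, nr=1
16:31:02 l2tp,debug,packet     (M) Message-Type=SCCRP
16:31:02 l2tp,debug,packet rcvd control message from 192.0.2.77:1701
16:31:02 l2tp,debug,packet     tunnel-id=13, session-id=0, ns=1, nr=1
16:31:02 l2tp,debug,packet     (M) Message-Type=SCCCN
"""


def parse_messages(lines):
    """Fold a header line plus its indented attribute lines into one record."""
    msgs, cur = [], None
    for line in lines:
        line = line.rstrip()
        m = HDR.match(line)
        if m:
            cur = {"ts": m["ts"], "dir": m["dir"], "peer": m["peer"],
                   "type": "ZLB" if m["ack"] else None,   # a bare ack carries no AVPs
                   "tid": None, "ns": None, "nr": None}
            msgs.append(cur)
            continue
        if cur is None:
            continue                      # firewall lines etc. before any header
        m = IDS.match(line)
        if m:
            cur["tid"], cur["ns"], cur["nr"] = int(m["tid"]), int(m["ns"]), int(m["nr"])
            continue
        m = ATTR.match(line)
        if m and m["key"] == "Message-Type":
            cur["type"] = m["val"]
    return msgs


def diagnose(msgs):
    """Per peer: count handshake messages and say which side went quiet."""
    per = defaultdict(lambda: {"sccrq": 0, "sccrp": 0, "scccn": 0, "client_acked": False})
    for m in msgs:
        st = per[m["peer"]]
        if m["dir"] == "rcvd":
            if m["type"] == "SCCRQ":
                st["sccrq"] += 1
            elif m["type"] == "SCCCN":
                st["scccn"] += 1
            if (m["nr"] or 0) > 0:        # peer's nr advanced: it heard something from us
                st["client_acked"] = True
        elif m["type"] == "SCCRP":
            st["sccrp"] += 1
    for st in per.values():
        if st["scccn"]:
            st["verdict"] = "control connection established"
        elif st["sccrq"] > 1 and st["sccrp"] and not st["client_acked"]:
            st["verdict"] = ("SCCRP not reaching client: %d SCCRQ retransmits and nr never "
                             "advanced; check the reply's source address and the return path"
                             % st["sccrq"])
        elif st["sccrq"] and not st["sccrp"]:
            st["verdict"] = "SCCRQ received but no SCCRP sent: server side rejected or ignored it"
        else:
            st["verdict"] = "incomplete exchange"
    return dict(per)


if __name__ == "__main__":
    for peer, st in diagnose(parse_messages(SAMPLE_LOG.splitlines())).items():
        print(peer, st["verdict"])
```

The useful signal is the client's nr field: a client that had received our SCCRP would answer with nr=1 (SCCCN or at least a ZLB ack), so repeated SCCRQs with nr=0 mean the reply never arrived, which is exactly the symptom a wrong source address or a NAT-T state mismatch produces. Feed it `/log print` output filtered on the l2tp topic, or a captured log file.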
