Hi all,
According to the manual, underneath /ip ipsec peer, it is possible to have L2TP tunnels secured using ipsec:
generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. This way it is possible, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time
The L2TP server is a Linux machine running xl2tpd and openswan, and the routerboard is successfully establishing an L2TP connection with /interface l2tp-client, but ipsec doesn't work at all.
Having tried many combinations of peer configurations pointing at the address of the L2TP server's IP address, as well as the private IP address of the endpoint of the L2TP tunnel, I have had no luck whatsoever in convincing ROS to generate a policy.
Does anyone have a working example of how this is achieved?
Regards,
Graham