ldvaden
Member Candidate
Topic Author
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

cockpit error using l2tp (resource temporarily unavailable)?

Tue Sep 12, 2006 6:32 am

After issuing commands like those in the manual (<http://www.mikrotik.com/docs/ros/2.9/interface/l2tp>), the machine became unavailable.

RouterOS version is 2.9.30.

What's the cockpit error?

rgds/ldv

[admin@MikroTik] interface l2tp-server server> set enabled=yes
[admin@MikroTik] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface l2tp-server server>

[admin@MikroTik] interface l2tp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface l2tp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes

[admin@MikroTik] interface l2tp-client> enable 0

===result

[vaden@skopje ~]$ ping mosel.texoma.net
connect: Resource temporarily unavailable
[vaden@skopje ~]$ ssh mosel.texoma.net
ssh: connect to host mosel.texoma.net port 22: Resource temporarily unavailable
[vaden@skopje ~]$
 
ldvaden

Re: cockpit error using l2tp (resource temporarily unavailab

Tue Sep 12, 2006 1:20 pm

[quote="ldvaden"]After issuing commands like those in the manual (<http://www.mikrotik.com/docs/ros/2.9/interface/l2tp>), the machine became unavailable.

RouterOS version is 2.9.30.

What's the cockpit error?

An additional view of the ROS host from an offnet system is below the sig.

rgds/ldv

$ ping -c5 mosel.texoma.net
PING mosel.texoma.net (209.151.96.139): 56 data bytes
----mosel.texoma.net PING Statistics----
5 packets transmitted, 0 packets received, 100.0% packet loss

$ ssh -l vaden -p 987 mosel.texoma.net
ssh: connect to host mosel.texoma.net port 987: Connection timed out
$
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Tue Sep 12, 2006 2:59 pm

Just a quick glance and an idea:
Could it be that the fact that you set your default-route to the l2tp-client is cutting you off? Or is this intended?

Best regards,
Christian Meis
 
ldvaden

Tue Sep 12, 2006 4:48 pm

[quote="cmit"]Just a quick glance and an idea:
Could it be that the fact that you set your default-route to the l2tp-client is cutting you off? Or is this intended?[/quote]
Thanks for obviously a good question, Christian. While I haven't rigorously proven it yet, it may be the case that the machine is no longer communicating to any IP from anywhere.

Are you saying default-route should be set to no?

Kind regards,

ldv
 
cmit

Tue Sep 12, 2006 4:55 pm

Well, the correct setting depends on your network setup.
Tell us more about the network, the setup and what you want to achieve.

Best regards,
Christian Meis
 
ldvaden

Tue Sep 12, 2006 5:12 pm

[quote="cmit"]Well, the correct setting depends on your network setup.
Tell us more about the network, the setup and what you want to achieve.[/quote]
The box is our corporate firewall protecting the help desk and other administrative machines. It resides on the management subnet, 209.151.96.128/27. Our ASN is comprised of 209.151.96.0/19.

The intent was to allow secure access for road warriors, those working from home, etc. Another important aspect is that most production hosts will only respond to ssh by a host from within the management network --- this access is desired as well.

rgds/ldv
