Jay Taylor's notes


Mikrotik L2TP with IPsec for mobile clients

Original source (www.firstdigest.com)
Tags: configuration routers vpn mikrotik l2tp ipsec www.firstdigest.com
Clipped on: 2016-01-29


I got some questions about how to configure Mikrotik to act as an L2TP server with IPsec encryption for mobile clients. I know this is not exactly in line with this blog's focus on enterprise networks, but it’s network technology in the end, so I’ll try to cover it here.

Before we start, please make sure that the Mikrotik built-in firewall is configured so that it accepts the VPN packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for the firewall configuration.

Another important point is that I’m using RouterOS v6.24 in the scenario below. In earlier versions some settings are a bit different, but you’ll figure it out, as I will point out where it really matters.

1. Add a new IP Pool

It’s not mandatory if you already have an IP pool, but I assume you don’t, so we need to add one.

GUI

IP > Pool

Add a new pool

Name: L2TP-Pool
Addresses: 172.31.86.1-172.31.86.14
Next Pool: None

CLI

/ip pool add name="L2TP-Pool" ranges=172.31.86.1-172.31.86.14

L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP server, we need to add a new L2TP profile. We could also use the default one, but I don’t like to mix things.

GUI

PPP > Profiles

Name: l2tp-profile
Local Address: L2TP-Pool
Remote Address: L2TP-Pool
DNS Server: 8.8.8.8
Change TCP MSS: yes
Use Encryption: required

The remaining values can be left at their defaults.

CLI

/ppp profile add name=l2tp-profile local-address=L2TP-Pool remote-address=L2TP-Pool use-encryption=required change-tcp-mss=yes dns-server=8.8.8.8

2. Add an L2TP Server

GUI

PPP > Interface > L2TP Server

Enabled: Checked
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: l2tp-profile
Authentication: mschap2
Use IPsec: Checked
IPsec Secret: MYKEY

CLI

/interface l2tp-server server set authentication=mschap2 default-profile=l2tp-profile enabled=yes ipsec-secret=MYKEY max-mru=1460 max-mtu=1460 use-ipsec=yes

3. Add PPP Secrets

GUI

PPP > Secrets

Enabled: Checked
Name: MYUSER
Password: MYPASSWORD
Service: l2tp
Profile: l2tp-profile

Leave the rest at the defaults.

CLI

/ppp secret add name=MYUSER password=MYPASSWORD service=l2tp profile=l2tp-profile

IPsec Configuration

For the IPsec configuration you could reuse the default objects (such as the default proposal), but I suggest leaving those untouched and adding new ones. If you already have a working IPsec configuration that relies on the defaults, we don’t want to break it.

1. IPsec Proposals

GUI

IPsec > Proposals

Enabled: Checked
Name: L2TP-Proposal
Auth. Algorithm: sha1
Encr. Algorithm: 3des, aes-256 cbc
PFS Group: none

CLI

/ip ipsec proposal add name=L2TP-Proposal auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc pfs-group=none

Something to mention here. In versions earlier than 6.xx you can pick only one encryption algorithm, if I remember correctly; you cannot list multiple algorithms (like 3des and aes-256 above). If that is the case, stay with 3des. I know it offers less security, but for some reason I could not get Microsoft Windows to work over L2TP with aes-256.

2. IPsec Peers

GUI

IPsec > Peers

Enabled: Checked
Address: 0.0.0.0
Auth. Method: pre shared key
Secret: MYKEY
Policy Template Group: default
Exchange Mode: main l2tp
Send Initial Contact: Checked
NAT Traversal: Checked
My ID: auto
Proposal check: obey
Hash Algorithm: sha1
Encryption Algorithm: 3des, aes-256
DH Group: modp1024
Generate policy: port override

CLI

/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="MYKEY" generate-policy=port-override exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-256 dh-group=modp1024

IMPORTANT

The value of the Secret field above MUST be the same as the IPsec Secret in L2TP Configuration, Step 2.
Also, if your RouterOS supports only one encryption algorithm, pick 3des.

3. IPsec Policies

GUI

Enabled: Checked
Src. Address: ::/0
Dst. Address: ::/0
Protocol: 255(all)
Template: Checked
Group: default
Action: encrypt
Level: require
IPsec Protocols: esp
Tunnel: Not checked
SA Src. Address: 0.0.0.0
SA Dst. Address: 0.0.0.0
Proposal: L2TP-Proposal

CLI

/ip ipsec policy add src-address=::/0 dst-address=::/0 protocol=all template=yes group=default action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=L2TP-Proposal
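The walkthrough above has a few settings that must agree with each other (the IPsec secret in L2TP Step 2 and IPsec Step 2, the pool, profile and proposal names that later objects refer to, and 3des left in the proposal). The checker below is an added example, not part of the original post or of RouterOS: it parses the seven CLI commands, embedded here as a constructed sample, and reports anything inconsistent.

```python
import shlex
# Constructed sample: the seven RouterOS commands from this walkthrough as one script (values are the page's own placeholders).
SAMPLE_CONFIG = """
/ip pool add name="L2TP-Pool" ranges=172.31.86.1-172.31.86.14
/ppp profile add name=l2tp-profile local-address=L2TP-Pool remote-address=L2TP-Pool use-encryption=required change-tcp-mss=yes dns-server=8.8.8.8
/interface l2tp-server server set authentication=mschap2 default-profile=l2tp-profile enabled=yes ipsec-secret=MYKEY max-mru=1460 max-mtu=1460 use-ipsec=yes
/ppp secret add name=MYUSER password=MYPASSWORD service=l2tp profile=l2tp-profile
/ip ipsec proposal add name=L2TP-Proposal auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc pfs-group=none
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="MYKEY" generate-policy=port-override exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-256 dh-group=modp1024
/ip ipsec policy add src-address=::/0 dst-address=::/0 protocol=all template=yes group=default action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=L2TP-Proposal
"""

def parse(text):
    """Split each RouterOS command line into (menu path, verb, {key: value})."""
    cmds = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)  # also strips the quotes in secret="MYKEY"
        n = next(i for i, t in enumerate(toks) if "=" in t)  # first key=value token
        cmds.append((" ".join(toks[:n - 1]), toks[n - 1],
                     dict(t.split("=", 1) for t in toks[n:])))
    return cmds

def check(text):
    """Cross-check the settings the walkthrough says must agree; return a list of findings."""
    cmds = parse(text)
    at = lambda path: [a for p, _, a in cmds if p == path]
    server, peers, findings = at("/interface l2tp-server server")[0], at("/ip ipsec peer"), []
    # IPsec step 2: the peer secret MUST equal the L2TP server's ipsec-secret.
    if not any(p.get("secret") == server.get("ipsec-secret") for p in peers):
        findings.append("ipsec-secret on the L2TP server matches no IPsec peer secret")
    # Mobile clients are almost always behind NAT, so nat-traversal has to stay on.
    findings += ["peer %s has nat-traversal off" % p.get("address")
                 for p in peers if p.get("nat-traversal") != "yes"]
    # Every name one object references must be defined by another.
    pools = {a["name"] for a in at("/ip pool")}
    profiles = {a["name"] for a in at("/ppp profile")}
    proposals = {a["name"]: a for a in at("/ip ipsec proposal")}
    if server.get("default-profile") not in profiles:
        findings.append("default-profile %r is not a PPP profile" % server.get("default-profile"))
    for prof in at("/ppp profile"):
        for key in ("local-address", "remote-address"):
            if prof.get(key) not in pools:
                findings.append("profile %s: %s %r is not an IP pool" % (prof["name"], key, prof.get(key)))
    for pol in at("/ip ipsec policy"):
        prop = proposals.get(pol.get("proposal"))
        if prop is None:
            findings.append("policy references unknown proposal %r" % pol.get("proposal"))
        elif "3des" in prop.get("enc-algorithms", "").split(","):  # weak; see the note above
            findings.append("proposal %s still offers 3des" % prop["name"])
    return findings
```

Run against the sample it reports only the 3des entry; change the peer secret or the profile name and the corresponding finding appears.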

Below, I’ll add two examples of how to configure the iPhone and Microsoft Windows to work with the above configuration.

iPhone

Go to Settings, then the VPN section, and tap Add VPN Configuration…


The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the ones defined in L2TP Configuration Step 3 (MYUSER and MYPASSWORD in the example above). Secret is the IPsec secret key defined in L2TP Configuration Step 2 and IPsec Configuration Step 2 (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection


2. Pick the option Use my Internet connection


3. Add Mikrotik L2TP Server details


4. Add the user and password


At this point Windows 7 forced me to hit Connect. It will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in the image below, to force encryption and use the MS-CHAP v2 protocol.

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key.

Hit Connect and it will work. If you have questions, please add them in the comments.

7 thoughts on “Mikrotik L2TP with IPsec for mobile clients”

  • January 30, 2015 at 02:24

    This has been a huge help but, I’m still struggling. I can make the connection just fine. However, once on the target network and receiving an IP address from the dhcp server, I can’t connect to (or even ping) other devices on the subnet. Yes, I have enabled arp-proxy on my LAN interface and, no, I see no difference once enabled. Is there something (likely simple) else I may be missing?
    • Aleksei
      May 22, 2015 at 10:10

      MPLS missing. Configure that and other devices will be visible.

  • Dmitry
    June 5, 2015 at 11:40

    Phase 1 negotiation failed due to time up 192.168.1.1[500]34.128.0.178[500]43f762354…:5674a8462g5….

  • Dmitry
    June 5, 2015 at 12:27

    “Invalid length of payload.”

  • grandavebb
    June 24, 2015 at 03:30

    Thanks so much for this! I was stuck dead in the water at “resent phase 1 packet” until I read this. I opened up UDP 4500, and that broke the dam. Just a couple more minor things to tweak, and I had my first L2TP/iPhone connection operational.

  • sion
    September 11, 2015 at 07:25

    Need to add a new firewall rule for it to work:

    Chain: input
    Protocol: 17 UDP
    DST Port: 500
    In Interface: ether1-gateway (or whatever your WAN interface name is. Choose it from the drop down list)
    Connection state: new

    action : accept

  • Sergey
    September 14, 2015 at 12:49

    Hi!
    This configuration isn’t working on an Android phone? Or does it need some other config?
