I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.
Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.
Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.
1. Add a new IP Pool
It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.
GUI
IP > Pool
Add a new pool
Name: L2TP-Pool Adresses: 172.31.86.1-172.31.86.14 Next Pool: None
CLI
/ip pool add name="L2TP-Pool" ranges=172.31.86.1-172.31.86.14
L2TP Configuration
1. Configure L2TP Profile
Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.
GUI
PPP > Profiles
Name: l2tp-profile Local Address: L2TP-Pool Remote Address: L2TP-Pool DNS Server: 8.8.8.8 Change TCP MSS: yes Use Encryption: required
The rest of values can be left on default value.
CLI
/ppp profile add name=l2tp-profile local-address=L2TP-Pool remote-address=L2TP-Pool use-encryption=required change-tcp-mss=yes dns-server=8.8.8.8
2. Add a L2TP-Server
GUI
PPP > Interface > L2TP Server
Enabled: Checked Max MTU: 1460 Max MRU: 1460 Keepalive Timeout: 30 Default Profile: mschap2 Use IPsec: Checked IPsec Secret: MYKEY
CLI
/interface l2tp-server server set authentication=mschap2 default-profile=l2tp-profile enabled=yes ipsec-secret=MYKEY max-mru=1460 max-mtu=1460 use-ipsec=yes
3. Add PPP Secrets
GUI
PPP > Secrets
Enabled: Checked Name: MYUSER Password: MYPASSWORD Service: l2tp Profile: l2tp-profile
Let the rest as default.
CLI
/ppp secret add name=MYUSER password=MYPASSWORD service=l2tp profile=l2tp-profile
IPsec Configuration
On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.
1. IPsec Proposals
GUI
IPsec > Proposals
Enabled: Checked Name: L2TP-Proposal Auth. Algorithm: sha1 Encr. Algorithm: 3des, aes-256 cbc PFS Group: none
CLI
/ip ipsec proposal add name=L2TP-Proposal auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc pfs-group=none
Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.
2. IPsec Peers
GUI
IPsec > Peers
Enabled: Checked Address: 0.0.0.0 Auth. Method: pre shared key Secret: MYKEY Policy Template Group: default Exchange Mode: main l2tp Send Initial Contact: Checked NAT Traversal: Checked My ID: auto Proposal check: obey Hash Algorithm: sha1 Encryption Algorithm: 3des, aes-256 DH Group: modp1024 Generate policy: port override
CLI
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="MYKEY" generate-policy=port-override exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-256 dh-group=modp1024
IMPORTANT
The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.
3. IPsec Policies
GUI
Enabled: Checked Src. Address: ::/0 Dst. Address: ::/0 Protocol: 255(all) Template: Checked Group: default Action: encrypt Level: require IPsec Protocols: esp Tunnel: Not checked SA Src. Address: 0.0.0.0 SA Dsr. Address: 0.0.0.0 Proposal: L2TP-Proposal
CLI
/ip ipsec policy add src-address=::/0 dst-address=::/0 protocol=all template=yes group=default action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=L2TP-Proposal
Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.
iPhone
Go to Settings, VPN section and Add VPN Configuration…
It will look like this:
The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).
PC with Microsoft Windows
1. Add a new VPN connection
2. Pick the option Use my Internet connection
3. Add Mikrotik L2TP Server details
4. Add the user and password
Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.
You need to reach the Properties of your new VPN connection.
5. Configure the VPN Security settings.
Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.
6. Set the IPsec Secret key
Hit the Advanced button and set the IPsec key
Hit Connect and it will work. If you have questions please be sure to add them to Comments.