mvcorrea
just joined
Topic Author
Posts: 13
Joined: Tue Aug 08, 2017 2:25 am

l2tp vpn

Fri Sep 15, 2017 1:56 pm

Trying to configure an IPsec/L2TP VPN on a hAP ac, to use it with an Apple computer (road warrior) (or an Android phone).
Saw some examples:
- https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
- https://youtu.be/vPxGIz0_Pnw
- viewtopic.php?f=13&t=124618&hilit=l2tp+vpn
- viewtopic.php?f=9&t=123532&p=607963&hil ... pn#p607963

But with all the implementations I saw, I don't see them as complete configurations:
- shouldn't I need some kind of NAT?
- definitely I need firewall rules :) I also noticed I have some default IPsec rules. Do they relate?
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
[OSX: public IP] <-----> [HAP-AC: dhcp assigned ip(with no-ip service)] <-----> [internal Network: 10.10.10.0/24, GW:10.10.10.1]

So I ended with this
/ip pool
add name=dhcp ranges=10.10.10.200-10.10.10.250		# local pool
add name=vpn-pool ranges=10.10.10.251-10.10.10.254	# vpn pool

/ppp profile
add change-tcp-mss=yes local-address=10.10.10.1 name=vpn-profile only-one=yes remote-address=vpn-pool use-encryption=yes

/ppp secret
add name=user password=userpw profile=vpn-profile service=l2tp

# enabled=yes is needed: the L2TP server is disabled by default
/interface l2tp-server server
set enabled=yes authentication=mschap2 default-profile=vpn-profile ipsec-secret=my_secret one-session-per-host=yes use-ipsec=yes
I would like to implement a route on the client to force traffic to 10.10.10.* to go through the tunnel.
Again, any insight is welcome :)
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: l2tp vpn

Fri Sep 15, 2017 11:45 pm

Specific to a road warrior VPN with L2TP/IPsec, you may or may not need things like NAT rules. Tutorials are often authored with information that isn't needed, or has changed in newer versions (typically default configuration updates).

Looking at a common example, we see a lot of examples with these things called NAT exclusion rules. They are rarely needed if your PAT to the Internet is correctly set up.

The only thing I see in your configuration, you are placing your VPN users on the same range as your LAN. I personally don't do this as it requires proxy ARP to be enabled on the bridge for communication to work correctly. Along with that you are using 10.10.10.1 in the PPP profile. Based on your ASCII art it would seem this overlaps with the IP assigned to the bridge of the HAP AC. I'd assign a dedicated local-address to the PPP profile.
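Putting the two posts together, the following is an added example (not configuration from either poster) of the pieces the original question asked about: a dedicated VPN subnet instead of the LAN range, the input-chain rules that let IKE, NAT-T and ESP past the default "drop all not coming from LAN" rule, L2TP accepted only inside IPsec, and why no extra NAT is required. Assumed values that are not in the thread: 10.10.20.0/24 as the VPN subnet, "WAN" as the default interface list name, and the exact comment text of the defconf input drop rule; check yours with /ip firewall filter print before pasting.

```routeros
# Added example for an L2TP/IPsec road-warrior server on a hAP ac.
# Assumptions (not from the thread): VPN clients get 10.10.20.0/24, the
# defconf WAN interface list is called "WAN", and the defconf input drop
# rule carries the comment "defconf: drop all not coming from LAN".
# If your drop rule is commented differently, adjust the find expression.

/ip pool
add name=vpn-pool ranges=10.10.20.2-10.10.20.20

# Separate subnet: the router routes between 10.10.20.0/24 and the LAN,
# so no proxy ARP on the bridge and no clash with the bridge address 10.10.10.1.
/ppp profile
add name=vpn-profile local-address=10.10.20.1 remote-address=vpn-pool \
    change-tcp-mss=yes use-encryption=yes only-one=yes

/ppp secret
add name=user password=userpw profile=vpn-profile service=l2tp

# enabled=yes is required; the L2TP server is off by default.
/interface l2tp-server server
set enabled=yes authentication=mschap2 default-profile=vpn-profile \
    use-ipsec=yes ipsec-secret=my_secret one-session-per-host=yes

# Input chain: the default config drops everything not arriving from LAN,
# so IKE (UDP/500), NAT-T (UDP/4500) and ESP must be accepted above that
# rule. L2TP (UDP/1701) is accepted only when the packet arrived inside an
# IPsec SA, so a plaintext L2TP session from the Internet is never possible.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="vpn: IKE and NAT-T" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="vpn: ESP" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="vpn: L2TP only inside IPsec" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Forward chain: VPN clients may reach the LAN. Made explicit so the policy
# survives a later "drop everything else" rule in the forward chain.
add chain=forward action=accept src-address=10.10.20.0/24 \
    dst-address=10.10.10.0/24 comment="vpn: clients to LAN"

# No extra NAT: LAN hosts use 10.10.10.1 (this router) as their gateway,
# and the router has a connected /32 route to each VPN client over its ppp
# interface. Internet-bound traffic from a client that sends everything
# through the tunnel is already masqueraded by the defconf rule that
# matches out-interface-list=WAN.
```

The two defconf forward rules quoted in the first post (ipsec-policy=in,ipsec / out,ipsec) only match packets carried directly in an IPsec policy; with L2TP/IPsec the forwarded packets belong to the PPP interface, so those rules are not what lets VPN clients into the LAN. For the client-side route from the first post: on macOS, with "Send all traffic over VPN connection" left off, only the tunnel peer is routed, so add the LAN route from an executable /etc/ppp/ip-up, which pppd runs after the link comes up with the interface name as its first argument, for example `/sbin/route add -net 10.10.10.0/24 -interface "$1"`.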