MikroTik

Community discussions
https://forum.mikrotik.com/

l2tp vpn

https://forum.mikrotik.com/viewtopic.php?t=125656

Page 1 of 1

l2tp vpn

Posted: Fri Sep 15, 2017 1:56 pm
by mvcorrea
Trying to configure an ipsec/l2tp vpn on a hap-ac, to use it with a apple computer (road warrior) (or an android phone).
Saw some examples:
- https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
- https://youtu.be/vPxGIz0_Pnw
- viewtopic.php?f=13&t=124618&hilit=l2tp+vpn
- viewtopic.php?f=9&t=123532&p=607963&hil ... pn#p607963

But with all implementations I saw, I don't see them as complete configurations
- shouldn't I need some kind of nat?
- definitively I need firewall rules :) I also noticed I have some default ipsec rules. do they relate?
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
[OSX: public IP] <-----> [HAP-AC: dhcp assigned ip(with no-ip service)] <-----> [internal Network: 10.10.10.0/24, GW:10.10.10.1]

So I ended with this
Code: Select all
/ip pool
add name=dhcp ranges=10.10.10.200-10.10.10.250		# local pool
add name=vpn-pool ranges=10.10.10.251-10.10.10.254	# vpn pool

/ppp profile
add change-tcp-mss=yes local-address=10.10.10.1 name=vpn-profile only-one=yes remote-address=vpn-pool use-encryption=yes

/ppp secret
add name=user password=userpw profile=vpn-profile service=l2tp

/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile ipsec-secret=my_secret one-session-per-host=yes use-ipsec=yes
I would like to implement a route on the client to force traffic to 10.10.10* go thru the tunnel.
again any insight is welcome :)

Re: l2tp vpn

Posted: Fri Sep 15, 2017 11:45 pm
by idlemind
Specific to a road warrior VPN with L2TP/IPSec you may or may not things like NAT rules. Tutorials are often authored with information that isn't needed, has changed in newer versions (typically default configuration updates).

Looking at a common example, we see a lot of examples with these things called NAT exclusion rules. They are rarely needed if your PAT to the Internet is correctly setup.

The only thing I see in your configuration, you are placing your VPN users on the same range as your LAN. I personally don't do this as it requires proxy ARP to be enabled on the bridge for communication to work correctly. Along with that you are using 10.10.10.1 in the PPP profile. Based on your ASCII art it would seem this overlaps with the IP assigned to the bridge of the HAP AC. I'd assign a dedicated local-address to the PPP profile.
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/