Community discussions

MikroTik App
  4. RouterOS
  5. General

a clear configuration L2TP server on a Mikrotik router

Post Reply
 
plisken
Forum Guru
Forum Guru
Topic Author
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium
Contact:
Contact plisken

a clear configuration L2TP server on a Mikrotik router

Sat Jan 26, 2019 11:16 pm

Can someone show me a clear configuration of an L2TP server on a Mikrotik router.
Also the firewall rules and where the external and internal IP address should come. Is for logging in with android.
All these that I have found online do not work
Top
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: a clear configuration L2TP server on a Mikrotik router

Sat Jan 26, 2019 11:23 pm

Here is how to do it for iOS and Windows 10. Note, that the Windows 10 profile needs to be created via command line to get AES256 support. I don't have experience with Android, but generally speaking, if you can't connect you'll need to use hash-algorithm=sha1 and other less secure methods (not recommended).

Code: Select all
##################################################
# Minimal settings for L2TP/IPSec VPN
# Works with iOS 11 and Windows 10
# 
# Windows 10 creation requirements
# Add-VpnConnection -Name "MyVPN" -ServerAddress 1.2.3.4 -TunnelType "L2tp"
# Set-VpnConnectionIPsecConfiguration -ConnectionName "MyVPN" -EncryptionMethod AES256 -CipherTransformConstants AES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup ECP256 -AuthenticationTransformConstants SHA196 -PassThru -Force
#
##################################################

# Server settings
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"

# Create an username tied to a specific interface
/interface l2tp-server
add name=L2TP1 user=uservpn

# User password
/ppp secret
add name=uservpn password="PasswordUser" service=l2tp

# Give them an IP address from the LAN pool
/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required

# Phase1 IPsec behaviour, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# added automatically when l2tp-server server is enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1

# Phase2 IPsec Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256

# configure the rest of the router
/interface list
add name=LAN
add name=WAN

/interface list member
add interface=bridge_LAN 	list=LAN
add interface=L2TP1 		list=LAN
add interface=ether1 		list=WAN

# add these to your firewall rules
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"

/interface
set bridge_LAN arp=proxy-arp

# optional
/system logging
add topics=ipsec,!packet
Top
 
plisken
Forum Guru
Forum Guru
Topic Author
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium
Contact:
Contact plisken

Re: a clear configuration L2TP server on a Mikrotik router

Sun Jan 27, 2019 12:28 pm

Thanks pcunite i try this and hope it's work
I let you know
Greatings
Top
 
plisken
Forum Guru
Forum Guru
Topic Author
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium
Contact:
Contact plisken

Re: a clear configuration L2TP server on a Mikrotik router

Sun Jan 27, 2019 1:29 pm

I try but it's don't work.

See log
12:21:23 ipsec,error no suitable proposal found.
12:21:23 ipsec,error 213.119.169.98 failed to get valid proposal.
12:21:23 ipsec,error 213.119.169.98 failed to pre-process ph1 packet (side: 1, status 1).
12:21:23 ipsec,error 213.119.169.98 phase1 negotiation failed.
Code: Select all
/ip ipsec mode-config
add name=vpn static-dns=8.8.8.8 system-dns=no
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc \
    pfs-group=ecp256
/ip ipsec peer
# This entry is unreachable
# Unsafe configuration, suggestion to use certificates
add comment=Phase1 exchange-mode=main-l2tp generate-policy=port-strict \
    local-address=192.168.0.100 passive=yes secret=mypassword
What is local-address=192.168.0.100 here is that IP-adres between ISP-router and Mikrotik router
Top
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: a clear configuration L2TP server on a Mikrotik router

Sun Jan 27, 2019 3:57 pm

12:21:23 ipsec,error no suitable proposal found.
12:21:23 ipsec,error 213.119.169.98 failed to get valid proposal.
12:21:23 ipsec,error 213.119.169.98 failed to pre-process ph1 packet (side: 1, status 1).
12:21:23 ipsec,error 213.119.169.98 phase1 negotiation failed.

That is totally normal. Now, you have to change settings to work for your client. Look under the # Phase1 comments in the config file. I gave you the most secure settings. Try SHA1 over the 256. It would be better to upgrade the client, however.
Top
 
nostromog
Member Candidate
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: a clear configuration L2TP server on a Mikrotik router

Sun Jan 27, 2019 4:15 pm

Here is how to do it for iOS and Windows 10. Note, that the Windows 10 profile needs to be created via command line to get AES256 support. I don't have experience with Android, but generally speaking, if you can't connect you'll need to use hash-algorithm=sha1 and other less secure methods (not recommended).

Code: Select all
(...)

/interface list member
add interface=bridge_LAN 	list=LAN

(...)

/interface
set bridge_LAN arp=proxy-arp

(...)
The interface bridge_LAN is not defined in the snippet. Which interfaces are there, if it is a bridge, and what is it intended for?
Top
 
plisken
Forum Guru
Forum Guru
Topic Author
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium
Contact:
Contact plisken

Re: a clear configuration L2TP server on a Mikrotik router

Sun Jan 27, 2019 8:34 pm

Hello
I place the complete export here.
Hoping if I have made a mistake that can be corrected.
Many thanks to the quick response to solve my problem.
Code: Select all
/interface l2tp-server
add name=L2TP1 user=user1
/interface bridge
add admin-mac=6C:3B:6B:2E:BE:0E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-2EBE14 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-2EBE13 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256
/ip pool
add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=pool_LAN disabled=no interface=bridge name=defconf
/ppp profile
set *0 local-address=192.168.88.1 remote-address=pool_LAN use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=testtesttest use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=L2TP1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add chain=input comment=L2TP_IPSEC port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface-list=LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add comment=Phase1 exchange-mode=main-l2tp generate-policy=port-strict local-address=192.168.0.100 passive=yes secret=testtesttest
/ppp secret
add name=user1 password=testtesttest service=l2tp
/system logging
add topics=ipsec,!packet
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
eggbean
just joined
Posts: 10
Joined: Sat May 16, 2020 8:53 am
Location: London, UK
Contact:
Contact eggbean

Re: a clear configuration L2TP server on a Mikrotik router

Wed Aug 12, 2020 6:23 am

Hi. I tried this, but I got stuck at this point, as the `/ip ipsec peer profile` subsection does not seem to exist in the current version of RouterOS. What do I need to do instead, or has anybody got a link to more up to date instructions of setting up an L2TP/IPsec connection? Thanks.
Code: Select all
##################################################
# Phase1 IPsec behaviour, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
Top
 
marisspringis
just joined
Posts: 17
Joined: Wed Dec 12, 2018 2:17 pm

Re: a clear configuration L2TP server on a Mikrotik router

Wed Aug 12, 2020 9:12 am

Hi,those settings are in in IP -> ipsec -> column profiles

in newer ROS versions those two are splited - peers and profiles, previously it was peer profiles (if i remember correctly)
Top
Post Reply

Who is online

Users browsing this forum: GWarrior5595, McSee and 36 guests
  4. RouterOS
  5. General