+1You just pasted 1000 lines of log file ? Who is going to read that ?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
You just pasted 1000 lines of log file ? Who is going to read that ?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
# jan/02/2020 10:38:53 by RouterOS 6.45.7
# software id = X0SX-GX9H
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED08CC18B8
/interface l2tp-server
add name=l2tp-in1 user=arty
/interface l2tp-server server
set default-profile=profile1 enabled=yes use-ipsec=yes/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
icmp-admin-prohibitedActually it's related to how ROS processes the packets. You do need the 1701 L2TP rule and I do have hits on it whenever I used the L2TP/IPSEC tunnel from my android.I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.Code: Select all/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \ in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\ icmp-admin-prohibited
My bad, it appears the input chain also processes packets after they are decapsulated from ipsec. So for my application I've modifed the accept 1701/udp rule so it only passes the packet if it arrives via ipsec.Actually it's related to how ROS processes the packets. You do need the 1701 L2TP rule and I do have hits on it whenever I used the L2TP/IPSEC tunnel from my android.I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.Code: Select all/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \ in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\ icmp-admin-prohibited
It's even in the mk wiki.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
add action=accept chain=input dst-port=1701 in-interface=ether2 ipsec-policy=\
in,ipsec log=yes protocol=udp src-port=""This was extremely helpful. Thanks for going out of your way to make such a long and detailed post.Hi!
I've just finished setting up my L2TP/IPSEC server on my RB3011 (6.46.1) and I have to say it was a pain....most tutorials are incomplete or obsolete related to newest ROS versions. Not only that, the router got frozen a lot during ipsec parameters changes and it needed hard reboot. Now it's stable and working well. I wanted to do the config in WebFig and not CLI. I did so many changes to the config, most blind shots, so I may not remember everything but here are the basic steps:
1) Create a pool of IPs from which the server will give IPs to the clients. I created pool 192.168.1.2-192.168.1.10. The IP 192.168.1.1 I manually assigned to the router but that is optional.
/ip pool
add name=Remote-users-pool ranges=192.168.1.2-192.168.1.10
2) Under PPP menu you have to:
a) Create a PPP Profile where you give name, router IP (local address) and IPs for clients from the pool above
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.1 name=L2TP-Profile remote-address=Remote-users-pool use-encryption=yes use-ipv6=no use-upnp=yes
b) Create at least 1 user that will be allowed to connect. this is under "Secrets"
/ppp secret
add name=remote profile=L2TP-Profile service=l2tp
make a note of the user/ password, you will need it on the client.
c) OPTIONAL - you can have increased security if you add a password specific for L2TP under "L2TP Secrets" -> make note of it, you will need it on the client if you configure it
d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore "use ipsec-yes" and make a note of the IPSEC secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes
e) OPTIONAL
Under PPP-> Interface you can add a new "L2TP server binding" where you choose a name and put the user you created above. This step is optional because ROS will create the interface automatically but if you create it yourself you can name it and use it on the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
NOTE: This is one of the things that really annoys me, this interface is named differently between CLI and WEBFIG AND under webfig is PPP-> Interface-> L2TP server binding but under CLI is under /interface l2tp-server. yes, it can be directly configured under interface BUT under CLI there is no "binding" in the name
3) IPSEC
Once you enable the L2TP/IPSEC server above some config gets auto deployed under IP-> IPSEC. some people say it works directly but for me it needed a lot of tweaking and it really took me 2 days to get it to work. under IP-> IPSEC you should have:
a) under Profiles a default profile which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile
b) under Identities - something deployed automatically by ROS which points to an IPSEC peer named " l2tp-in-server" - cannot be modified
c) under peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified
d) under groups - a default group which i renamed L2TP
e) under proposals - you have the default but I selected only the protocols I wanted ( sha1 for Auth and all aes-xxx-cbc for Encr). Pfs group2 (mod 1024)
f) under policies - a default policy which I modified to
- use template
- link to group L2TP
- link to the default proposal
- ipsec protocol - esp
- action encrypt
I really tried to create another set of items and not use the defaults but it simply did not work, most errors being related to IPSEC phase 2. but with the options above it works.
4) Put these security rules somewhere before your DROP rule.
/ip firewall filter
****for IPSEC/L2TP establishment; my WAN is PPPoE, replace yours as needed*******
add action=accept chain=input comment="L2TP/IPSEC Server" in-interface=PPPoE protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=4500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=1701 in-interface=PPPoE protocol=udp
********for flows between your inside network(mine is 192.168.0.0/24, on bridge) and the l2tp interface ( I put 192.168.1.0/24 for ease) - modify as needed **
add action=accept chain=forward comment=L2TP dst-address=192.168.0.0/24 in-interface=L2TP-IF out-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 in-interface=bridge out-interface=L2TP-IF src-address=192.168.0.0/24
After this I could connect with my Android 9 terminal and access the local network. On the client you need:
- Router external IP
- l2tp user and pass
- l2tp password (optional, if you configure it on the server)
- IPSEC preshared key
Hope this helps!
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Hello,Hi all, have been playing a bit with the L2TP server on my home router and got the VPN tunnel working. The only thing that slightly bothers me is that I'm not getting any hits on this firewall rule when clients connect:
Am I missing something, is that rule even needed (if so, in which situations)?Code: Select all/ip firewall filter add chain=input action=accept protocol=ipsec-esp
(if it makes any difference - the connecting clients have been iOS macOS devices with their built-in VPN client)
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=jnasegfASDFgvsadfrg54 use-ipsec=required
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment="For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
You can set allow-fast-path here, the cost is that you won't be able to apply special firewall rules to these packets. It is possible that your WAN connection is so slow, that using fast path has no real benefits. Sometimes it is better not to use fast path.d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore "use ipsec-yes" and make a note of the IPSEC secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes
This is something that I did not know. Nice!e) OPTIONAL
Under PPP-> Interface you can add a new "L2TP server binding" where you choose a name and put the user you created above. This step is optional because ROS will create the interface automatically but if you create it yourself you can name it and use it on the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
If you want, you can also use fixed remote IP addresses instead of using a pool./ppp secret
add name=user1 password=password1 profile=ipsec_vpn_maybe_your_default remote-address=192.168.5.121 service=l2tp
The L2TP server in routeros can use the default ipsec configuration. It is "all or nothing". It means that you either use the default ipsec settings and let L2TP server generate policies for you, OR alternatively you can create your ipsec tunnel over l2tp manually. The former is easier to setup, but it is not so flexible. The later is more flexible (for example, you can create different profiles/algorigthms for different peers), but it is more difficult and time consuming to setup.3) IPSEC
Once you enable the L2TP/IPSEC server above some config gets auto deployed under IP-> IPSEC. some people say it works directly but for me it needed a lot of tweaking and it really took me 2 days to get it to work. under IP-> IPSEC you should have:
a) under Profiles a default profile which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile
Yes, L2TP server is generating/using default settings and you can't change that. If you really need to fine-tune ipsec settings, then you need to disable ipsec on the l2tp server, and setup ipsec (policies, peers, identities, profile and proposal) manually.c) under peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified
d) under groups - a default group which i renamed L2TP
e) under proposals - you have the default but I selected only the protocols I wanted ( sha1 for Auth and all aes-xxx-cbc for Encr). Pfs group2 (mod 1024)
Hello,
If you want to force ipsec then you need to set use-ipsec=required instead of use-ipsec=yes.
For example:
If you are using Windows 10 client, then you need to change adapter settings for the connection, then do this:Code: Select all/interface l2tp-server server set authentication=mschap2 enabled=yes ipsec-secret=jnasegfASDFgvsadfrg54 use-ipsec=required
* On the VPN settings page, click Change adapter options.
* Click your VPN to select it.
* Click Change settings of this connection.
* The Properties for this VPN appear.
* Click the Security tab.
* From the Data encryption drop-down list, select Require encryption (disconnect if server declines).
If you want to secure your connection even further, you should change your default ipsec settings, something like this
Please note these:Code: Select all/ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 comment="For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
* the L2TP server uses the default ipsec profile/proprosal. It may also used by other services on your router, so be careful when chaging the default settings.
* the l2tp client of Windows 10 is a bit silly/outdated and it does not support the most secure algorithms. Then settings given above are the most secure that work with Windows 10 (IMHO). You may find that it won't work with other clients.
* many other operating systems support much secure algs
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-profile enabled=yes \
use-ipsec=required
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc pfs-group=modp2048
/ppp profile
add bridge=bridge.lan change-tcp-mss=yes dns-server=192.168.xxx.xxx \
local-address=192.168.xxx.xxx name=L2TP-profile remote-address=pool.lan \
use-encryption=required
/ppp secret
add name=mt-vpn-01 profile=L2TP-profile service=l2tp
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=combo.wan \
protocol=udp
add action=accept chain=input dst-port=1701 in-interface=combo.wan \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input in-interface=combo.wan protocol=ipsec-esp
Is your L2TP server or L2TP client behind NAT? When a peer is behind NAT, then ipsec uses so called "NAT Traversal". It changes the ESP packets so that they appear as normal UDP packets on port 4500. As a result, they can traverse NAT firewalls that would otherwise block ipsec-esp connections. (ESP packets have no concept of a "port", so it is not possible to do NAT on them.) If your "accept ipsec-esp" rule is not counting, then it might be because these packets arrive as UDP port=4500 packets, then decapsulated into ESP and the further decapsulated and decrypted.Thanks for taking the time to reply, I think the settings I have are OK (but I have added them below just in case I'm overlooking something). As I wrote before, the connection itself works (can be seen also from the screenshot). Just that one firewall rule for protocol 50 (ipsec-esp) - or the need for it - confuses me. If it does not process any packets, why do we need it? (even with the protocol 50 (ipsec-esp) rule disabled, the VPN connection will still work)
Is your L2TP server or L2TP client behind NAT? When a peer is behind NAT, then ipsec uses so called "NAT Traversal". It changes the ESP packets so that they appear as normal UDP packets on port 4500. As a result, they can traverse NAT firewalls that would otherwise block ipsec-esp connections. (ESP packets have no concept of a "port", so it is not possible to do NAT on them.) If your "accept ipsec-esp" rule is not counting, then it might be because these packets arrive as UDP port=4500 packets, then decapsulated into ESP and the further decapsulated and decrypted.
You can find details about NAT traversal here: https://en.wikipedia.org/wiki/NAT_traversal.
You can check if your policies are using NAT-T this way: "/ip ipsec active-peers print" and look for the "N" flag.
