juaco
just joined
Topic Author
Posts: 15
Joined: Tue Nov 09, 2010 12:15 am

**NEED HELP** ipsec/l2tp and two factor auth (no EAP??)

Fri Sep 02, 2011 6:21 pm

I'm testing IPsec (PSK) + L2TP (MSCHAPv2 + RADIUS) in ROS 5.6 with Windows 7 clients, and everything works fine, except now I have to add certificate-based authentication to this, ending with RSA tokens in the clients for two-factor authentication.

I was sadly disappointed, though, to see L2TP won't support EAP methods for authentication!! Please tell me there is support for this in the works.

Meanwhile, if I set up a token so it automatically adds certs to the client cert repository, could I use that for the IPsec phase instead of a pre-shared key? That would be a lifesaver, as it would allow setting up two-factor anyway (the other factor would be the Active Directory identification in L2TP/RADIUS).

I don't see any other way to set this up at our router if this won't work. Could someone help me with this?
 
bd5ive
just joined
Posts: 7
Joined: Tue Jul 12, 2011 9:28 pm

Re: **NEED HELP** ipsec/l2tp and two factor auth (no EAP??)

Sat Sep 03, 2011 5:46 pm

Hi
Can I ask you how you've done it? I mean the PSK part, with Windows 7?
I've been looking for some time now, no luck. Would you explain it to me, or give me a little heads-up?

Thanks, and btw I don't know about your problem.
 
juaco
just joined
Topic Author
Posts: 15
Joined: Tue Nov 09, 2010 12:15 am

ipsec/l2tp and two factor auth (please add EAP!!!!!)

Sat Sep 03, 2011 10:03 pm

Sure. I've followed this wiki page and made these mods (see the sections in the wiki page):
  1. L2TP Server configuration
    Specified mschapv2 only for L2TP authentication (this is where I should be using EAP, btw), and used the PPP profile "default-encryption". Note that in this way you'll be using double encryption; if you want only IPsec to handle encryption, use the PPP profile "default".
    /interface l2tp-server server
    set authentication=mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
    
    Enabled RADIUS for PPP auth
    /ppp aaa
    set accounting=yes interim-update=0s use-radius=yes
    
    Had to make a bogus PPP secret even though I authenticate via RADIUS
    /ppp secret
    add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=foo password=bar profile=default-encryption routes="" service=l2tp
    
    Modified the PPP profile to set the VPN IP of our MikroTik and a pool in the same block for client IPs. Also had to set "only-one=no", otherwise I wasn't able to connect more than one simultaneous client.
    /ppp profile
    set default-encryption change-tcp-mss=yes local-address=<VPN IP OF ROUTER> name=default-encryption only-one=no remote-address=<POOL FOR CLIENT VPN IPS> use-compression=default use-encryption=yes use-ipv6=default \
        use-mpls=default use-vj-compression=default
    
    Radius config (Also check this wiki page)
    /radius
    add accounting-backup=no accounting-port=<USUALLY 1813> address=<ADS RADIUS ADDY> authentication-port=<USUALLY 1812> called-id="" comment="" \
        disabled=no domain=<YOURDOMAIN> realm="" secret=<PASSWORD> service=ppp timeout=300ms
    
  2. IPSec configuration
    This IPsec config allows for multiple dynamic clients (have yet to test NAT traversal; I'm guessing it will involve some fiddling with the firewall).

    Make sure to upgrade to the latest ROS (5.6 as of now). With our previous version (4.3) we had an issue where the Security Associations had to be manually flushed, otherwise clients couldn't connect back after disconnection (I think it is reported here). No problem with 5.6.
    /ip ipsec peer
    add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=<HERE GOES THE PSK> send-initial-contact=yes
    /ip ipsec proposal
    set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
    
  3. Adjust firewall settings
    Some variant of these rules will probably be needed
    /ip firewall filter
    add action=accept chain=input disabled=no protocol=ipsec-esp
    add action=accept chain=input disabled=no protocol=ipsec-ah
    add action=accept chain=input disabled=no dst-port=500,1701,4500 protocol=udp
    
For the Windows config, I used the VPN wizard until it created a connection and set it to configure later manually.
Then, in the General tab, put the address of our MikroTik as the VPN server.
In the Options tab, I just ticked everything in "PPP config".
In the Security tab, selected IPsec/L2TP, and in "Advanced", selected pre-shared key and entered the same PSK I used in the IPsec Peer config at the router.
The settings below are for L2TP authentication; you can use several EAP schemes (had our holy current L2TP implementation in ROS allowed it) and the more basic PPP schemes (PAP, CHAP and MSCHAP/MSCHAP2), with MSCHAP2 being the least insecure. Just have a scheme that's both supported and enabled in this section and in the L2TP server config at the router.
In the Network tab leave everything as "automatic" if you are going to set these parameters automatically from the VPN server as above.

With all these things in place you should be able to connect multiple dynamic-ip clients using AD credentials.

It would rock to see EAP methods available for PPP auth; afaik the code is there, isn't it used in Hotspot?
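As an added example (not code from the forum post, and not a MikroTik tool), the following Python script parses RouterOS export lines in the format pasted above and flags the settings a reviewer would ask to change before relying on this setup: the 3DES / SHA1 / modp1024 choices in the peer and proposal, a single PSK accepted from 0.0.0.0/0, and any plaintext or CHAP-family PPP method left enabled on the L2TP server. The sample inputs are constructed from the post's lines with the <PLACEHOLDER> values replaced by dummies; the "weak" sets and the algorithm names in the hardened counterpart (including auth-method=rsa-signature for certificate authentication) are this script's own assumptions about what the reader's RouterOS version accepts, so check them against your version's documentation.

```python
"""Audit RouterOS L2TP/IPsec export lines for weak settings.

Added example, not from the forum post or from MikroTik. The "weak" sets
are this script's assumptions, not MikroTik guidance.
"""
import shlex

# Constructed sample: the L2TP server, peer and proposal lines from the post,
# with <PLACEHOLDER> values replaced by dummies so the lines parse.
SAMPLE_EXPORT = """\
/interface l2tp-server server
set authentication=mschap2 default-profile=default-encryption enabled=yes \\
    max-mru=1460 max-mtu=1460 mrru=disabled
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no \\
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 \\
    lifetime=1d nat-traversal=yes port=500 proposal-check=obey secret=EXAMPLE_PSK \\
    send-initial-contact=yes
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \\
    name=default pfs-group=modp1024
"""

# Constructed hardened counterpart. Certificate auth (rsa-signature) and the
# algorithm names are assumptions about what a given RouterOS version accepts.
HARDENED_EXPORT = """\
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature dh-group=modp2048 \\
    enc-algorithm=aes-256 exchange-mode=main generate-policy=yes hash-algorithm=sha256
/ip ipsec proposal
set default auth-algorithms=sha256 enc-algorithms=aes-256 pfs-group=modp2048
"""

WEAK_CIPHERS = {"des", "3des", "null", "blowfish"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}
WEAK_PPP_AUTH = {"pap", "chap", "mschap1"}


def _logical_lines(text):
    """Yield export lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.rstrip()


def parse_export(text):
    """Return a list of (menu, command, {key: value}) tuples.

    A line starting with '/' selects the menu for the lines after it. Each
    'add'/'set' line is split with shlex so quoted values (comment="") survive.
    A bare word after 'set' (the item name, e.g. 'default') is kept under '_target'.
    """
    entries, menu = [], None
    for line in _logical_lines(text):
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            continue
        words = shlex.split(line)
        settings = {}
        for word in words[1:]:
            if "=" in word:
                key, value = word.split("=", 1)
                settings[key] = value
            else:
                settings["_target"] = word
        entries.append((menu, words[0], settings))
    return entries


def audit(entries):
    """Return sorted finding strings; an empty list means nothing was flagged."""
    findings = []
    for menu, _cmd, s in entries:
        if menu == "/ip ipsec peer":
            if s.get("enc-algorithm") in WEAK_CIPHERS:
                findings.append(f"peer: weak phase-1 cipher {s['enc-algorithm']}")
            if s.get("hash-algorithm") in WEAK_HASHES:
                findings.append(f"peer: weak phase-1 hash {s['hash-algorithm']}")
            if s.get("dh-group") in WEAK_DH_GROUPS:
                findings.append(f"peer: weak DH group {s['dh-group']}")
            if s.get("auth-method") == "pre-shared-key" and s.get("address") == "0.0.0.0/0":
                findings.append("peer: one PSK accepted from any address (0.0.0.0/0)")
        elif menu == "/ip ipsec proposal":
            for alg in s.get("enc-algorithms", "").split(","):
                if alg in WEAK_CIPHERS:
                    findings.append(f"proposal: weak phase-2 cipher {alg}")
            for alg in s.get("auth-algorithms", "").split(","):
                if alg in WEAK_HASHES:
                    findings.append(f"proposal: weak phase-2 hash {alg}")
            if s.get("pfs-group") in WEAK_DH_GROUPS:
                findings.append(f"proposal: weak PFS group {s['pfs-group']}")
        elif menu == "/interface l2tp-server server":
            for method in s.get("authentication", "").split(","):
                if method in WEAK_PPP_AUTH:
                    findings.append(f"l2tp: weak PPP authentication {method}")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("post config", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label} ==")
        for finding in audit(parse_export(text)) or ["no findings"]:
            print(" ", finding)
```

Run against an `/export` of your own router (paste the relevant menus into a file and feed it to `parse_export`) to get the same kind of list; the PSK-from-anywhere finding is the one that matters most for the two-factor goal of the thread, since a shared secret accepted from any source address is only as strong as its distribution.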
