RouterOS L2TP/IPSec Setup

Following on from my previous post, here is how to set up the router as an L2TP/IPsec VPN server so that road warriors can connect to the local network and reach local resources.

I used these two pages as a guide:

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Connecting_Remote_Client

For a bit of background, here is how I set up the same thing on Linux; you will see parallels:

https://wordpress.com/post/adriangin.wordpress.com/979

Debugging

Of course not everything goes to plan. Set up logging for both the ipsec and l2tp topics under System > Logging > Rules so that IKE negotiation and PPP authentication failures show up in the log (the ipsec topic is verbose, so remove the rule again once things work):

/system logging
add topics=l2tp
add topics=ipsec

Set up the VPN IP address pool

We want road warriors to have an IP on our local subnet so they can reach the same local workstations. It is similar to DHCP, but the address is handed out by the L2TP server over PPP (IPCP) when the tunnel comes up, so this range must not overlap the range your LAN DHCP server hands out.

/ip pool
add name=VPN ranges=192.168.88.10-192.168.88.49

PPP Profile Setup

Road warriors connect with PPP. The router's end of the link (local-address, 192.168.88.1) is their gateway for the remote network, and each client receives an address from the VPN pool (remote-address).

/ppp profile
add local-address=192.168.88.1 name=LocalNetwork remote-address=VPN

IPSec Setup

Create a new policy group; the template policy below belongs to it. Note that the IPsec peer the L2TP server creates dynamically uses the default policy group, so this group is only consulted by peers you explicitly point at it; the L2TP/IPsec tunnel itself works without it.

/ip ipsec policy group
add name=Roadwarrior

If you want to connect from Windows 10, these settings work. The L2TP server's dynamic peer uses the default IPsec profile and proposal, which is why the default entries are modified here (the extra windows profile is not referenced by anything in this post). 3des, modp1024 and modp1536 are in the lists purely for older clients; every algorithm you leave in a list is one the router will accept, so trim the lists to the strongest set your clients actually negotiate.

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-128,3des
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des \
    name=windows
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1536
/ip ipsec policy
add dst-address=192.168.88.0/24 group=Roadwarrior src-address=192.168.88.0/24 \
    template=yes
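As an added example (not from the original post and not MikroTik code), here is a small Python audit that parses the /ip ipsec export shown above and lists every algorithm in the profile and proposal that is only there for legacy clients. The embedded export text is the configuration from this post; the legacy-algorithm lists are my own judgement call, and the parser assumes the RouterOS 6.x export style (menu lines starting with a slash, add and set [ find ... ] commands, key=value pairs and backslash line continuations).

```python
"""Audit a RouterOS '/ip ipsec export' for legacy IKE/ESP algorithms.

Added example for this post (not MikroTik code). The parser understands the
export format RouterOS prints: menu lines starting with '/', 'add' and
'set [ find ... ]' commands, key=value pairs, comma-separated algorithm lists
and backslash line continuations. The audit then reports every algorithm that
is only in the lists for old clients.
"""
import re
import shlex

# Algorithms worth phasing out once every client supports the stronger options
# (my own lists; judged per parameter so phase 1 and phase 2 are separate).
LEGACY = {
    "dh-group": {"modp768", "modp1024", "modp1536"},        # MODP groups < 2048 bits
    "pfs-group": {"modp768", "modp1024", "modp1536"},
    "enc-algorithm": {"des", "3des", "blowfish"},           # phase 1 ciphers
    "enc-algorithms": {"des", "3des", "blowfish", "null"},  # phase 2 (ESP) ciphers
    "hash-algorithm": {"md5", "sha1"},                      # phase 1 integrity
    "auth-algorithms": {"md5", "sha1", "null"},             # phase 2 (ESP) integrity
}

# Configuration from the post, as a raw string so the trailing backslashes survive.
# Note that export omits parameters left at their default (e.g. hash-algorithm=sha1
# on the profile), so a parameter that is absent is not evidence of a strong setting.
SAMPLE_EXPORT = r"""
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-128,3des
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des \
    name=windows
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1536
/ip ipsec policy
add dst-address=192.168.88.0/24 group=Roadwarrior src-address=192.168.88.0/24 \
    template=yes
"""

_CMD = re.compile(r"^(add|set)\s+(\[[^\]]*\]\s+)?(.*)$")


def _join_continuations(text):
    """Merge a line ending in a backslash with the indented line that follows it."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line:
            out.append(line)
    if pending:
        out.append(pending)
    return out


def parse_export(text):
    """Return a list of (menu, command, selector, params) for each add/set line."""
    entries, menu = [], None
    for line in _join_continuations(text):
        if line.startswith("/"):
            menu = line
            continue
        m = _CMD.match(line)
        if not m or menu is None:
            continue
        cmd, selector, rest = m.group(1), (m.group(2) or "").strip(), m.group(3)
        params = {}
        for tok in shlex.split(rest):          # shlex handles quoted values
            key, _, value = tok.partition("=")
            params[key] = value
        entries.append((menu, cmd, selector, params))
    return entries


def audit(entries):
    """Return (menu, entry name, parameter, algorithm) for every legacy algorithm offered."""
    findings = []
    for menu, cmd, selector, params in entries:
        if not menu.startswith("/ip ipsec"):
            continue
        # 'set [ find default=yes ]' edits the built-in entry, so call it 'default'.
        name = params.get("name") or ("default" if "default=yes" in selector else cmd)
        for key, legacy in LEGACY.items():
            for algo in params.get(key, "").split(","):
                if algo in legacy:
                    findings.append((menu, name, key, algo))
    return findings


if __name__ == "__main__":
    for menu, name, key, algo in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{menu} {name}: {key} still offers {algo}")
```

Run it against the output of /ip ipsec export from your own router; each line it prints is an algorithm the router will still accept from any peer, and the list should shrink to nothing once your clients no longer need the legacy options.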

Add the IPsec rules to the firewall

Note that we use the input chain, as these packets are addressed to the router itself. Tutorials often open UDP port 1701 as well, but with use-ipsec=required every L2TP packet arrives inside IPsec (ESP, or UDP 4500 when NAT traversal is in use), so plain L2TP never needs to be accepted from the Internet. If your input chain ends in a drop rule, bear in mind that the decrypted L2TP packets pass through input a second time; accept UDP 1701 there only with the ipsec-policy=in,ipsec matcher, which still keeps raw L2TP out.

Allow the ESP protocol as well as UDP ports 500 and 4500 (IKE and NAT-T). Both rules are limited to the WAN interface (vlan10 in this setup) and must sit above any drop rule in the input chain:

/ip firewall filter
add action=accept chain=input comment="IPsec ESP" in-interface=vlan10 \
    protocol=ipsec-esp
add action=accept chain=input comment="IPsec IKE and NAT-T (UDP 500, 4500)" \
    dst-port=500,4500 in-interface=vlan10 protocol=udp

Set up the L2TP server

use-ipsec=required refuses any L2TP session that is not protected by IPsec, and ipsec-secret is the pre-shared key every client uses, so replace the placeholder with a long random value:

/interface l2tp-server server
set default-profile=LocalNetwork enabled=yes ipsec-secret=mysecretPassword \
    use-ipsec=required

Add PPP users

These credentials are checked inside the IPsec tunnel, but since the pre-shared key is common to every client, anyone holding it can reach the PPP login, so give each user a strong, unique password:

/ppp secret
add name=UserName password=mysecretpassword profile=LocalNetwork service=l2tp

Enable proxy ARP on the bridge so road warriors can reach local workstations. The clients hold addresses from the LAN subnet but sit behind PPP interfaces, so the router must answer ARP requests for those addresses on the LAN on their behalf:

/interface bridge set bridge arp=proxy-arp

There you have it, it really is that simple!
