Mikrotik L2TP with IPsec for mobile clients

I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.

Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.

1. Add a new IP Pool

It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.


IP > Pool

Add a new pool


L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.


PPP > Profiles

The rest of values can be left on default value.


2. Add a L2TP-Server


PPP > Interface > L2TP Server


3. Add PPP Secrets


PPP > Secrets

Let the rest as default.


IPsec Configuration

On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.

1. IPsec Proposals


IPsec > Proposals


Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.

2. IPsec Peers


IPsec > Peers



The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.

3. IPsec Policies



Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.


Go to Settings, VPN section and Add VPN Configuration…

It will look like this:

iPhone L2TP Configuration

The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection

Add New VPN Connection

2. Pick the option Use my Internet connection

Chose VPN type

3. Add Mikrotik L2TP Server details

Add L2TP Mikrotik details

4. Add the user and password

Add L2TP user

Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.

L2TP VPN Security

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key

L2TP IPsec Key

Hit Connect and it will work. If you have questions please be sure to add them to Comments.

IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN ( in this example) destination REMOTE_LAN ( in this example).

On Console the configuration looks like this:


2. The IPsec Proposal


IP > IPsec > Proposals


3. The IPsec Policy


IP > IPsec > Policies


4. The IPsec Peer


IP > IPsec > Peers


Cisco configuration

1. Crypto ISAKMP Policy

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

3. Crypto IPsec transformation set

4. Crypto map

5. Access-list for interesting traffic

6. Interface config

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

How to integrate F5 BIG-IP VE with GNS3

I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.

Lately I wanted to get a feeling how F5 BIG-IP works, you know, just to get familiar with its interfaces, rules and being capable of setting up a basic LTM or APM. Far from me the idea of becoming an expert on the first touch, but it’s nice to discover new technologies.

Beside getting the F5 BIG-IP VE (Virtual Edition), running up VMware (ESXi, Player, Fusion or Workstation) and starting the virtual machine I also wanted to emulate some kind of real environment to test. So, I did build the below topology in GNS3:

F5 BIG-IP Simple setup

Some explanation:

  • Client WIN7 is a VM in VirtualBox and integrated in GNS3
  • WWW Servers are VMs in VirtualBox and integrated in GNS3
  • WIN2008 AD DC is a VM in VirtualBox and integrated in GNS3
  • Routers are emulated in GNS3
  • F5 BIG-IP VE is a VM in VMware Workstation and integrated as a Cloud in GNS3

GNS3 is version 1.2.1 which works perfect. Why VirtualBox and VMware Workstation? Usually I have no problem to have my VMs in VirtualBox, but I could not successfully import the F5 BIG-IP VE OVA image in VirtualBox. I had to download a trial version of VMware Workstation to install the OVA image.

If you want to know more about this F5 product, Ethan Banks has a great article about the BIG-IP VE. Please note that Ethan’s article is about getting a lab license for BIG-IP VE. I just went for the trial version. You can download the OVA image and get the license here:

Download the BIG-IP VE OVA image, get a trial license (valid for 90 days) and install it in VMware Workstation. It may work with other VMware products, but in this article I’m using only VMware Workstation.

The part that gave me some headache was the how to have a successfully network communication between VMware Workstation and GNS3.

Before GNS3 1.2.1, when I had to use a “cloud” to integrate VirtualBox VMs in GNS3, I was configuring a TAP interface and use Bridge mode for the VM NIC to the TAP interface. Then on the GNS3 Cloud, I was adding the TAP as a Generic Ethernet NIO on the NIO Ethernet. If you want to refresh more deeply the above information please read my article about How to integrate GNS3 with VirtualBox.

Unfortunately, in VMware Workstation, I cannot just bridge a VMnet interface to a TAP and use that specific VMnet in a VM. I just could not make it work.

To cut it short, here are the steps that I had to follow to have this working. I assume that you have VMware Workstation installed already. Another detail is that I’m using Ubuntu 14.04 to test the entire scenario.

1. Add two VMnet interfaces in VMware Workstation Virtual Network Editor

Use the image below to have an idea what I mean.

Virtual Network Editor

2. Configure the BIG-IP VE NIC as follow in VMware Workstation

I assume that you have the BIG-IP VE OVA imported in VMware Workstation


I had 4 NICs originally, but I only need three:

  • VMnet0 is bridge to my real LAN interface so I can manage the F5 BIG-IP VE over Web / CLI interfaces
  • VMnet11 – one “internal” interface facing LAN (server side)
  • VMnet22 – one “external” interface facing WAN (client side)

3. Configure two tap interfaces for F5 BIG-IP VE to be used in GNS3

11 – internal, 22 – external

*user = the non-root user which you use on Ubuntu host.

If you are having problems to find tunctl command please do the following:

Bring the interfaces up

4. Remove the IP addresses on both TAP and VMnet interfaces

5. Bridge the TAP and the VMnet interfaces

Bring the bridge interfaces up

5. Add the F5 BIG-IP VE to GNS3

If with GNS3 1.2.1 you can add the VirtualBox VMs directly, for the VMware Workstation (Player, Fusion, etc…) VMs you still need to you the Cloud part.

My GNS3 for F5 topology looks like this:

F5 topology in GNS3

And the GNS3 Cloud (representing the F5 BIG-IP VE) settings are the following:

F5 GNS3 Cloud settings

6. Connect the GNS3 Cloud interfaces to R1 and R2

Like shown in the image above, connect the TAP interface of the Cloud to the peer routers.

I’m running all applications (GNS3, VMware Workstation, VirtualBox) as non-root user. If you’re doing the same an error may occur in GNS3. Something like:

Server error [-3200] from x.x.x.x:8000: R1: unable to create TAP NIO

If this is the case, please run the following command on Ubuntu host:

This will help you setup the environment to test F5 BIG-IP VE in a lab environment totally virtualized. I’m not going to cover here how to configure the F5 BIG-IP VE. Maybe in one of my next articles.

If you encounter problems, please let me know in Comments.

GNS3 1.2.1 installation on Ubuntu 14.04

As mentioned in an earlier post GNS3 is moving ahead fast. Currently at version 1.2.1 the GNS3 is looking great. Compared with the version 1.0 Beta 1 which I had installed, the 1.2.1 is not only more stable, but it has the Menu more clean and compact. For example now there is only one Preferences menu where you can adjust all your settings.

During the installation of 1.0 Beta 1 I made some notes in Evernote and it prove to be very useful as the installation was pretty messy. With 1.2.1 I did the same thing, but the installation was very smooth. Still, I said that if I made those notes maybe I should share them for those interested in a quick installation. A more complete guide can be found on GNS3 Community.

1. Download GNS3 1.2.1

Head over to http://www.gns3.com/, create and account and download the bundle archive for Linux.

If you for some reason you don’t want to create an account, you may download each package individually from https://github.com/GNS3

The following lines will assume that you have the bundle archive.

2. Install Ubuntu 14.04 dependencies

3. Unzip the bundle archive

You should see 5 packages in GNS3-1.2.1 folder:

4. Install Dynamips

To check if the correct version is install:

You should see in the output 0.2.14

5. Install GNS3 Server

To check if the GNS3 Server is installed correctly:

If you see some output other than an error, than you’re fine.

6. Install GNS3 GUI

To test if the installation is working:

You should see a graphical interface of GNS3 launched.

At this moment you have a working GNS3 environment if you want only want to test Cisco hardware emulators. I strongly recommend to continue and install also the rest of the components. Who knows when you’ll need them

7. Install IOUyap (Optional, if you will use IOU images)

To test the installation:

If you encounter an error, please check the [Update 1] section at the bottom of this article.

8. Install VPCS (Optional, if you want to use VirtualPC)

For the third line, the 64 represent 64bit, as my Ubuntu 14.04 is build on 64bit.
The values can be:
– 32 or i386 for 32bit OS
– 64 or amd64 for 64bit OS

Please be sure to use the correct one for your OS.

To test the VPCS:

You should see a Virtual PC being launched. Leave the console with letter q.

9. Install VirtualBox (Optional, if you want to launch VMs)

Download the correct version for your system from https://www.virtualbox.org/wiki/Linux_Downloads. The following lines will assume an Ubuntu 14.04 64bit OS.

You can also use the instructions at https://www.virtualbox.org/wiki/Linux_Downloads and go for an APT installation.The choice is yours.

10. Install Qemu (Optional, if you want to use qemu images)

11. Install IOU (Optional, if you want to use IOU images)

I’m not a legal matter expert, and the usage of IOU is sort of grey area. Because of this, I’m not going to cover this chapter.

You’re ready to go. Start the GNS3 GUI:

Some things to check before going live:

  • check in the menu Edit > Preferences to set your desired Paths (in General sections) and to check the paths for the binaries (dynamips, vpcs, iou, virtualbox…)
  • add the IOS, virtualbox vm, iou images
  • in case of Cisco hardware emulators don’t forget to find the IdlePC value (when you add the IOS image or later with the start of your first router with a certain image) otherwise your CPUs will cry.

If something does not work as described or you need help please let me know in Comments.

[Update 1]

If you get the following error during installation of iouyap:

Try to install the iniparser as follows:


and finally iouyap

Thanks to mweisel @ forum.gns3.net for this update!

Cisco BGP soft-reconfiguration and received-routes relation

A while ago I received the following question:

“Why I’m not seeing the prefixes received from the BGP peer when using the show ip bgp neighbors x.x.x.x received-routes while the soft-reconfiguration inbound is not enabled?”

I must admit that I had to stop and think for a second before giving my response.

Simple BGP

For the above diagram I have a simple BGP configuration:

Focus is on the secondary router. I’m trying to see what prefixes I receive from my BGP neighbor, so I rapidly hit the following command:

OK, that’s not good. Am I missing the command? Let’s see:

-> received-routes – Display the received routes from neighbor

OK, I know the soft-reconfiguration inbound is not enabled, but what has this to do with the fact that the command is not showing me what routes I receive from BGP neighbor?

Let’s recall what “soft-reconfiguration inbound” command actually does.

BGP soft-reconfiguration inbound
*Cisco BGP-4 Command and Configuration Handbook

According to the above explanation, if you have an inbound policy (like a route-map) applied to a BGP neighbor and you change that policy, you need to clear the BGP session before it take effect. This is the procedure without having “soft-reconfiguration inbound” configured. I remember it like this and most of the network engineers out there remember this behavior associated with the “soft-reconfiguration inbound” command.

Still, I just want to see what routes I received from BGP neighbor and according with “sh ip bgp neighbors received-routes” description is the right command . I have no inbound policy on R2 for R1 BGP neighbor.

A less remembered fact about the “soft-reconfiguration inbound” command is that when added, the router begins to store updates from the specified neighbor. These updates are unmodified by any existing inbound policies so that the router can correctly apply the new policies when soft reconfiguration is triggered.

Where are these updates stored?

In the BGP Adj-RIB-in (Adjacent Routing Information Base, Incoming) table. So, what the “received-routes” command does actually is looking in the BGP Adj-RIB-in table for the received routes from the BGP neighbor. I consider that the “received-routes” command has an ambiguous explanation leading to confusion.

When “soft-reconfiguration inbound” is not present, the BGP router does not store anything in Adj-RIB-in. Rather it process the update and discard the Adj-RIB-in table, but not before adding the information in the Loc-RIB (Local Routing Information Base) table. Knowing these facts of course the BGP router returns an error when trying to check the received prefixes using the “received-routes” command.

To check actually what’s received from BGP peer and stored in the Loc-RIB (after being processed by inbound policies) use only the “routes” parameter in the command:

-> routes – Display routes learned from neighbor

The output is what exists in the Loc-RIB table, after processed by the inbound policy.

Let me show you an example of the above explanation.

I’ll apply the “soft-reconfiguration inbound” first:

Now I’ll check again the received routes:

OK, so I have three prefixes, reflected in the Adj-RIB-in table.
Checking next the Loc-RIB tables (so the routes installed after being processed by inbound policies):

The Adj-RIB-in and Loc-RIB tables are identical.

Now, I’ll apply an inbound policy that will filter the prefix.

OK, we have the “soft-reconfiguration inbound” in place, so the inbound policies should be applied automatically denying the prefix.

The above output is what we receive from BGP peer. Notice that the prefix is still there, in the Adj-RIB-in table, as the inbound policies are not applied yet. The only visible change is the missing > sign (best).

Now we can see that the inbound policy is working fine as the prefix is not installed in the Loc-RIB table. This is also the explanation why the > (best) sign was missing from the prefix in Adj-RIB-in.

I hope you understood the logic behind the confusion which these commands “received-routes” and “routes” and their explanation in IOS is creates.

Please let me know in Comments if you have any questions.