Mikrotik L2TP with IPsec for mobile clients

I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.

Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.

1. Add a new IP Pool

It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.

GUI

IP > Pool

Add a new pool

CLI

L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.

GUI

PPP > Profiles

The rest of values can be left on default value.

CLI

2. Add a L2TP-Server

GUI

PPP > Interface > L2TP Server

CLI

3. Add PPP Secrets

GUI

PPP > Secrets

Let the rest as default.

CLI

IPsec Configuration

On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.

1. IPsec Proposals

GUI

IPsec > Proposals

CLI

Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.

2. IPsec Peers

GUI

IPsec > Peers

CLI

IMPORTANT

The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.

3. IPsec Policies

GUI

CLI

Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.

iPhone

Go to Settings, VPN section and Add VPN Configuration…

It will look like this:

iPhone L2TP Configuration

The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection

Add New VPN Connection

2. Pick the option Use my Internet connection

Chose VPN type

3. Add Mikrotik L2TP Server details

Add L2TP Mikrotik details

4. Add the user and password

Add L2TP user

Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.

L2TP VPN Security

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key

L2TP IPsec Key

Hit Connect and it will work. If you have questions please be sure to add them to Comments.

IPsec VPN Mikrotik to Linux

After writing the Mikrotik IPsec VPN article and I got some questions about how Mikrotik will work with a Linux device to build an IPsec VPN. I did notice that the questions were more oriented for a copy / paste solution, so I’ll provide one that it’s working. If you need more details about why the solution is like it this, please let me know.
Also don’t forget to customize the solution as you need.

I’ll start with the same topology like in the last post, just that the right side now it’s a Linux device.

Mikrotik-IPsec-VPN-Linux

Please consider the minimum ports needed to be open on your firewall from my earlier article. Just don’t forget to open these ports also on the Linux device.

First let’s configure the Mikrotik.

The IPsec Proposal

CLI

GUI

IP > IPsec > Proposals

The IPsec Policy

CLI

GUI

IP > IPsec > Policies

The IPsec Peer

CLI

GUI

IP > IPsec > Peers

Now, the Linux part. I’m using Ubuntu, but I’m not going to advocate here for one flavour or another. So, just use any device with Linux or you try solutions such as Amazon AWS. Install Openswan (compile it from source or install via your Linux flavour package system).

The main file for Openswan is ipsec.conf. For me this file is in /etc, but I assume it can reside in another location.

For the above example, the ipsec.conf file looks like this:

You need to associate the keyword “left” with “local” and “right” with “remote” and it will be easier to read the configuration above.

Also in the /etc location I have another file called ipsec.secrets which has the pre-shared secret key:

This is the minimal configuration that I need to apply to have the IPsec VPN up and running. I’m sure that it can be fine tuned to add more security or features, but that is not in scope of this post.

As always if you have problems please let me know in Comments.

Mikrotik IPsec VPN

If you did not hear yet about Mikrotik I can’t say I blame you. Not exactly something you’ll find in SOHO network shops next to brand like TP-Link, Linksys or Netgear. Mikrotik is a company
in Latvia that produce network hardware under the name of RouterBOARD. The devices are excellent and the RouterOS support an amazing amount of feature for a SOHO product.

As recently I did develop a small VPN network based on IPsec and using Mikrotik RB951G-2HnD platform, I had the idea to put together a short how to for the enthusiast out there who wants to try these products. Now, I’m not saying that this is the best or the only approach, but it’s a start from which you can develop your own fine tuned solution.

Let’s assume that we have the following topology:

Mikrotik-IPsec-VPN

The idea is to build a VPN using IPsec technology between the two routers. The RouterOS version is 6.23, so earlier versions may not support all features described here, but I’ll try to point this where is the case.

As some people are more comfortable with GUI and others with CLI, I’ll describe both methods. If you are following this blog post, I assume that you are already a bit familiar with RouterOS and your Mikrotik device is connected at least to Internet.

In this example I’ll focus on the left side of the diagram. The right side is configured in the same way.

Before going into the real IPsec configuration, please be sure to have the following ports open on your Mikrotik firewall:

You may not use these protocols after following this blog post, but it’s OK to have them open if you want to experiment. They can be closed later after you decide what to use, but we don’t want this as a blocking point and force us into troubleshooting.

You can allow the following ports into Mikrotik firewall as follow into CLI:

The place-before=0 is to force the rule on the top of your Input table.

On GUI, check the

IP > Firewall > Filter Rules > Input table

Another thing to remember if you’re using NAT like in the picture above is that the LAN subnets have to be allowed to communicate directly, before they are pass to masquerade rule.

CLI

GUI

IP > Firewall > NAT

Let’s start now with the IPsec configuration part.

First let’s define a new IPsec Proposal policy. There is a default one which comes preconfigured but I would like to use my own.

CLI

GUI

IP > IPsec > Proposals

As mentioned earlier in this post, depending on your RouterOS version, you can have here different options. Just pick what suits your needs.

Next we need to define an IPsec Policy.

CLI

GUI

IP > IPsec > Policies

I think that settings are obvious, just be careful to correctly pick the sources (SRC ADDR and SA SRC). The SRC values are from local site while the DST part has to be the remote site.

Last we need to define a least one IPsec Peer

CLI

GUI

IP > IPsec > Peers

Be careful that if you are on version RouterOS 5.xx (just as an example) the Encryptions Algorithm field supports only one value and not multiple like configured above. I did especially to highlight that there are differences depending on the RouterOS version. Nevertheless the baseline for IPsec VPN configuration remains the same.

If you have questions or something does not work as explained please let me know in Comments.