Mikrotik… need I say More?

L2TP with IPSec on Mikrotik RouterOS

February 20, 2013

Mikrotik L2TP with IPSec HOW TO by Travis Kenner

Equipment:
Mikrotik RB750GL running package version 6.0rc11
Apple iPhone 4 with iOS 5.x

NOTE: All the formatting on this page is not done, as this was a really long blog: I am redoing it to have better formatting and better explanations. I added some screen shots, but like anything you write yourself, after you have gone over and over it I tend to miss grammar or spelling mistakes LOL, and that’s with a spell checker. HA HA. Most IT guys I know would rather work on the firewall rules and just gloss over the grammar or spelling. Anyways, on to my blog on Mikrotik and L2TP.


PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.

http://forum.mikrotik.com/


PPTP is getting a bad rap for being insecure, so I implemented SSTP with an SSL certificate for my Mikrotik router. (Check out this blog that talks about the PPTP MS-CHAPv2 findings: http://blog.calyptix.com/2012/08/pptp-is-so-insecure-it-should-be.html )

All proud that I got it up and running so that I can securely connect to my Mikrotik from another PC when I am offsite (Note: Mikrotik to Mikrotik you don’t need an SSL certificate), I thought, why not try connecting with my iPhone. Unfortunately there are only 3 options with the iPhone 4 at this point in time.

PPTP – Not so secure anymore according to some googling and the blog above
L2TP/IPSec
IPSec (only used for Cisco).

So I set out to get my iPhone connected to my Mikrotik using L2TP with IPSec.

Here are the steps to get it setup.

Example Mikrotik Router IPs
Interface : ether1-gateway – 1.1.1.1
Interface: ether2-master-local – 192.168.1.1

Setting up L2TP/IPSec on the Mikrotik:

Log into your Mikrotik
Click PPP on the left side menu


Under the Interfaces TAB click on the L2TP Server button
In the L2TP Server pop-up window click the Enabled check box

Now choose the authentication methods that you want to use. I highly recommend using only mschap2.
For Windows 7 I chose mschap2.
For iPhone 4 you also only need mschap2 set here.

For Default Profile I created a profile called L2TP-Profile, but you can use the default-encryption profile if you like.
Note: The default-encryption profile worked for Windows 7 but not for iPhone 4. (In my L2TP-Profile, under the Protocols TAB, I changed Use Encryption to default instead of required, and then my iPhone worked as well as Windows 7 Pro.)

Here is how I setup my L2TP Profile:
Again under the PPP Menu click on the Profiles TAB now
Click + to add profile

Name: Name your profile whatever you want (remember, I named mine L2TP-Profile)
Local Address: The local address is the Mikrotik’s inside (private) IP address (ether2-master-local 192.168.1.1 from our example – replace with how you set up your Mikrotik)
Remote Address: The remote address can be static or from an IP pool. This will be the address that gets assigned to the device you are using to connect to the L2TP VPN server.
- When you set a static address make sure that you don’t use an IP that is already being used on your local LAN!!!!
- If using a pool, make sure you don’t set up a pool of IP addresses that would conflict with any addresses inside your LAN (I will go over IP pool setup below)
DNS: I set the DNS to the inside address I assigned to the Mikrotik, or you can use an external DNS like Google or OpenDNS.
Change TCP MSS: Set to yes if not already.
Done on the General TAB


Click the Protocols TAB

Use MPLS: set as default
Use Compression: set as default
Use VJ Compression: set as default
Use Encryption: set to required if ONLY using Windows 7 clients (set to default if using an iPhone 4)

Limits TAB – you can set limits on traffic here but we don’t set anything different in this tutorial.
Profile Done


NOTE: If you created this profile (or your own named profile), you MUST now go back to the L2TP Server window from earlier and change Default Profile from default-encryption to your profile name (L2TP-Profile) in the drop-down list, so that your profile is used instead of the default-encryption profile.

Ok. Now we have L2TP turned on. We have a profile set up (or have used the default), and now we need to set up users for our L2TP server. To do this we use the Secrets TAB, still under the PPP menu, to make users.


Click on the Secrets TAB and click the + to start making a new user.

Name: This can be a bit misleading. Name is the Username that you will use to logon to your L2TP server. Enter the username you want to use to logon to your L2TP VPN server
Password: set your password here (make sure it is good and strong)
Service: change to L2TP
Profile: change to the profile you made earlier or leave at default-encryption (Note: default-encryption does not work with iPhone 4, as it needs Use Encryption set to default under Protocols, like we mentioned earlier.)
Click OK and now you have a new shiny user ready to go
Close the PPP menu



OK, take a breather, stretch, grab a drink or whatever you do. The above wasn’t that hard, but if you’re new it may have been a little daunting. Now we get to the good stuff.


Alright. Now things get interesting. If you have never worked with IPSec before, don’t worry. It can be daunting, but I will take you through it step by step to get this working.

SETTING UP IPSEC:
L2TP does not need IPSec, but L2TP by itself does NOT provide any encryption, as it is only a tunneling protocol. So we use L2TP for the tunnel and IPSec to encrypt the data going over the tunnel.
More Info: http://en.wikipedia.org/wiki/L2TP

Let’s get started.

Click on the IP menu on the Mikrotik’s left side menu and then choose IPSec from the drop-down list.

Click on the Peers TAB


Click the + to create a new Peer

Address: Leave this as 0.0.0.0/0 (Everyone can connect)
Port: 500
Auth. Method: pre shared key
Secret: set a secret (password) for the IPSec pre-shared key authentication (make it good and strong)
Exchange Mode: change to “main l2tp”
Send Initial Contact: Check this box
NAT Traversal: Check this box (Most likely you will have users outside of the organization so they will need this checked. I won’t go into what it is. Google is your best friend!!! Look it up)
Proposal check: obey
Hash Algorithm: sha
Encryption Algorithm: 3des
DH Group: modp 1024
Generate Policy: Check this box
Lifetime: 1d 00:00:00 (1 Day)
DPD Interval: 120
DPD Max Failures: 5
Click the OK button.

You are now done making your IPSec peer.


Now onto the Proposals Setup:
Click on Proposals TAB
Double click default Proposal from the list

Name: Leave as default
Auth. Algorithm: sha 1
Encr. Algorithms: 3des
(For iPhone 4 to work, Encr. Algorithms also needs aes-256 enabled)
Lifetime: 00:30:00
PFS Group: change to “none”
Click the OK button
You have now set up an IPSec proposal compatible with iPhone 4 (iOS 5.x at the time of this tutorial) and Windows 7 Pro 64 bit.


Your Mikrotik is now set up for L2TP for Windows 7 and iPhone 4.

NOTE: Sometimes I had to reboot my iPhone if it was not connecting. Also, checking the firewall, I noticed that after some time it did not even connect anymore and the counters on the IP Firewall Filter rules did not increment. A reboot usually cleared what was wrong and then the phone would connect to the Mikrotik again.


Windows 7 Pro 64 bit Setup:
Go to the Control Panel
Network and Sharing Centre
Click Setup a new connection or network

Select Connect to a work place and click Next

If you already have a connection, choose No, create a new connection; if not, continue

Choose Use my Internet connection VPN

Internet Address: This is the IP of the LAN or WAN side of the Mikrotik, depending on whether you are testing from the inside or connecting from the Internet.
Destination Name: Name this whatever you want, as it doesn’t really matter. However, a good name will help you remember what it is for later on when you have a whole lot of VPN connections made.
Check Don’t connect now and then click the Next button.

User name: Type in the username you set up for your L2TP secret earlier.
Password: This is the L2TP secret’s password from the earlier setup, NOT the IPSec secret (password), although you can set them the same.
Remember this password: Click remember password if you want (I would not if this will pose a security risk)
Show Characters: Check this, type your password, make sure it looks correct and then uncheck if you want.
Click the Create Button

You now have a new VPN connection Client setup but we still need to make a few tweaks to it.

Now to Tweak / finish L2TP setup on Windows 7:
Left click the network icon on bottom panel in your system tray. (The network icon near your time display in the right hand system tray).

Locate new L2TP connection and right click on it
Choose Properties from the pop up menu
Click on the General TAB

Make sure hostname or IP is correct
Click the Security TAB

Type of VPN: choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) from the drop-down list.
Click the Advanced settings button

Type in the IPSec secret (pre-shared key) you created when making the IPSec peer earlier on.
Click OK
Data Encryption: Make sure “Require encryption (disconnect if server declines)” is chosen
Allow These protocols:
Choose MSCHAP v2
Don’t have PAP or CHAP checked
Click OK
Your Windows 7 L2TP Client is now fully configured.

Click the network Icon again in your system tray and now this time choose connect and you should be connected.


iPhone 4 with iOS 5.1.1 Setup:

Go to VPN
Click Add VPN Configuration
Choose L2TP
Description: Call it whatever you want.
Server: Put in the Mikrotik WAN IP or FQDN
Account: Put in the username you setup under Secret TAB setup
RSA SecurID: OFF
Password: Your password
Secret: Your IPSec Password
Send All Traffic: ON
Proxy: OFF
Click Save and now you should be able to connect with your iPhone 4.


Now, if you are going to access your L2TP server from the Internet, you will need to set up some firewall filter rules to let the traffic in:

FIREWALL SETTINGS for Outside ACCESS:
For outside access you need firewall rules for UDP port 500 (IKE), UDP port 1701 (L2TP) and UDP port 4500 (IPSec NAT traversal).
Other firewall settings I read about were protocol 50 (ipsec-esp) and protocol 51 (ipsec-ah).
For my setup I just set up UDP ports 500, 1701 and 4500.
Ok here we go:

Log in to your Mikrotik router if you’re not already on it.

Click IP from the left side menu
Click Firewall from the pop up menu
Click the Filter Rules TAB
Click + to add new firewall filter rule.

On the General TAB:

Chain: input
Protocol: 17 UDP
DST Port: 500
In Interface: ether1-gateway (or whatever your WAN interface name is. Choose it from the drop down list)
Connection state: new


Click the Action TAB:

Action: accept
You now have your first firewall filter rule set up, for UDP port 500.
You need to make two more: one for UDP port 1701 and one for UDP port 4500.

Once this is done, you may want to group these rules together and put them high enough in your input chain that they are processed before any UDP drop rules you have; otherwise they won’t ever match.

I also added a log rule so I could see connections in my log for debugging.

NOTE: I don’t have the other rules enabled. You can also get away with making one rule that has all three UDP ports in it.

But for this tutorial practice makes perfect :)
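The router-side steps above (L2TP server, profile, secret, IPSec peer and proposal, firewall rules) as RouterOS 6.x terminal commands. This is an added example, not part of the original post; the pool range, user name, passwords, comments and log prefix are placeholders I chose, while the addresses and interface names follow the tutorial’s example.

```routeros
# Added example: the tutorial's WinBox clicks as RouterOS 6.x CLI.
# Replace the CHANGEME values; 192.168.1.1 and ether1-gateway follow the post.

# --- PPP: address pool, profile, L2TP server, user ---
/ip pool add name=l2tp-pool ranges=192.168.1.200-192.168.1.210
/ppp profile add name=L2TP-Profile local-address=192.168.1.1 \
    remote-address=l2tp-pool dns-server=192.168.1.1 change-tcp-mss=yes \
    use-encryption=default
# use-encryption=default (not required) is what made the iPhone 4 connect.
/interface l2tp-server server set enabled=yes authentication=mschap2 \
    default-profile=L2TP-Profile
/ppp secret add name=CHANGEME-user password=CHANGEME-l2tp-password \
    service=l2tp profile=L2TP-Profile

# --- IPsec peer (phase 1) and default proposal (phase 2) ---
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret=CHANGEME-ipsec-psk exchange-mode=main-l2tp send-initial-contact=yes \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=3des dh-group=modp1024 generate-policy=yes lifetime=1d \
    dpd-interval=2m dpd-maximum-failures=5
# aes-256-cbc is the CLI name for the "aes-256" box the iPhone 4 needs.
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 \
    enc-algorithms=3des,aes-256-cbc lifetime=30m pfs-group=none
# 3des / sha1 / modp1024 mirror the 2013 post for iOS 5 compatibility;
# where the clients allow it, prefer aes-256-cbc, sha256 and modp2048.

# --- Firewall: accept IKE, L2TP and NAT-T on the WAN interface only ---
/ip firewall filter
add chain=input protocol=udp dst-port=500 in-interface=ether1-gateway \
    connection-state=new action=accept comment="IKE"
add chain=input protocol=udp dst-port=1701 in-interface=ether1-gateway \
    connection-state=new action=accept comment="L2TP"
add chain=input protocol=udp dst-port=4500 in-interface=ether1-gateway \
    connection-state=new action=accept comment="IPsec NAT-T"
# New rules are appended at the end: move them above any input drop rule,
# as the post says, or they will never match.
# Optional debugging rule from the post; place-before=0 puts it first.
add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-gateway \
    connection-state=new action=log log-prefix="l2tp-vpn:" place-before=0

# --- Checks: a connected client shows up in both lists ---
/ip ipsec remote-peers print
/ppp active print
```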


It’s probably 4 am if you’re anything like me, and you have work in 3 hours. Put in some Visine eye drops and pound back whatever caffeine you can get your hands on… lol

Now go show all your friends how you can log on to your Mikrotik from their house using an L2TP VPN tunnel and the iSSH app on your iPhone, or impress them even more when you run a script using iSSH on your iPhone to wake up your home station (script clue: “tool wol interface=ether2-master-local mac=InsertMACaddressofyourstation-here” without the quotes).

You can make this script in your Mikrotik under System | Scripts

I called mine wakemyws for Wake My Workstation and then in the source I put in the “tool wol interface=ether2-master-local mac=InsertMACaddressofyourstation-here” without quotes

Now I can wake my workstation right from my Mikrotik when I’m out of the office using my iPhone, if I am not sitting at a station.



AS THIS IS A REALLY LONG POST, please comment on grammar or mistakes so I can fix it. I have read it so many times I probably just gloss over it now and don’t notice anything. Also, if you think I should make an addition or made a mistake, please leave a comment. Constructive criticism is good. We should never stop learning and growing.
