jebz (Member, Topic Author, Australia)

Mikrotik L2TP/IPSEC Dial-in VPN

Fri May 29, 2015 5:15 pm

:)
I've had a minor learning experience creating a mobile road warrior style VPN for my phone and tablet. I found a reasonably clear Mikrotik L2TP/IPSEC Dial-in VPN explanation on YouTube https://www.youtube.com/watch?v=cgfXs6ZJrgs

It didn't quite work. I couldn't connect and the Android didn't offer any errors. No messages on the Mikrotik logs either. I then tried with the Android on the inside LAN side of the VPN router on another LAN segment and it connected. This proved the encryption and protocols matched. Suspecting a firewall issue I searched but none of the number of examples mentioned firewall modifications.

After a considerable bit of reading and another search I found the Mikrotik Wiki Manual page with the magic note -
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
#If there are strict firewall policies, do not forget to add rules which accept l2tp and ipsec.

/ip firewall
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
Not quite there yet; this has an error and should be -
/ip firewall filter
# IKE (500), NAT-T (4500) and the L2TP control channel (1701); action=accept is the default
add chain=input protocol=udp port=1701,500,4500
# raw ESP, seen only when there is no NAT between the client and the router
add chain=input protocol=ipsec-esp
Although I've since read quite a debate on the forum from a couple of years ago about these rules and the ports they've opened.
 
mrz (MikroTik Support, Latvia)

Re: Mikrotik L2TP/IPSEC Dial-in VPN

Fri May 29, 2015 5:25 pm

Manual fixed
 
pukkita (Trainer, Spain)

Re: Mikrotik L2TP/IPSEC Dial-in VPN

Fri May 29, 2015 6:49 pm

I'd tick logging on any drop filter rules you may have and check. Mobile operators nowadays block lots of ports and protocols, if no rule logs anything being dropped, that could be the case...

For this same reason (and performance) I'd rather use SSTP...
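The input chain jebz arrived at above, combined with the logged drop rule pukkita suggests, as one added example. This is not code from either post or from the MikroTik manual: it assumes ether1 is the Internet-facing interface and a RouterOS v6 router where an unspecified filter action means accept. The `ipsec-policy=in,ipsec` matcher, `dst-port` in place of `port`, and the ordering are the practitioner's additions.

```routeros
# Added example, not from the post or the MikroTik manual. Assumes ether1 is the
# Internet-facing interface and RouterOS v6, where a filter rule with no action
# accepts. Rules are evaluated top-down, so the accepts must sit above the drop.
/ip firewall filter
# Existing flows first, so only new connections reach the rules below
add chain=input connection-state=established,related comment="accept existing flows"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# IKE (UDP/500) and NAT-T (UDP/4500). dst-port rather than port: port= also
# matches any packet whose *source* port happens to be 500 or 4500.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 comment="IPsec IKE and NAT-T"
# Raw ESP, only seen when there is no NAT between the phone and the router
add chain=input in-interface=ether1 protocol=ipsec-esp comment="IPsec ESP"
# L2TP control channel, accepted only when the packet arrived inside an IPsec SA;
# without this matcher UDP/1701 is open to unencrypted L2TP from anyone
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"
# Everything else arriving on the WAN interface is logged, then dropped, so a
# failed dial-in leaves a trace in the log instead of vanishing silently
add chain=input in-interface=ether1 action=drop log=yes log-prefix="DROP-IN" comment="default deny on WAN, logged"
```

After loading it, confirm the order with `/ip firewall filter print` (reorder with `/ip firewall filter move` if an older drop rule sits above the accepts), then attempt the dial-in from the mobile network while watching `/log print follow where message~"DROP-IN"`. A DROP-IN line for UDP/500 or UDP/4500 means the packets arrive but a rule is missing or misplaced; no such line while the phone keeps failing means the packets never reached the router, which is the operator-side filtering pukkita describes.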
