How to have L2TP server with different IPSec preshared keys

I have a simple L2TP server setup configured in my RB751.
It works and I have local users and users authenticated by radius.

The address is 0.0.0.0/0 in the IPSec peer entry I set up. My issue is now I want to have two peer entries in IPSec with two different preshared keys so I can give some users one key and other users the other key.

But when I set up a second peer identical to the first but with a different preshared key, only the first peer in the list works.
If the client Windows workstation uses the second key they cannot connect.

Is there a way to have multiple shared secrets in the IPSec setup?

Thanks in advance
Scott

You can only if both peers have different exchange modes or encryption methods.

This is typically achieved with the “Peer IKE ID” option on other vendors.

The closest thing I can see on RouterOS is “my-id-user-fqdn”

mrz, can you confirm this is the same as “Peer IKE ID”?

Yes, it is IKE ID mode USER_FQDN.

@nz_monkey

Are there any setups where you would require a different IKE ID mode than user FQDN?

@mrz

We usually just use FQDN. Other vendors usually have options for “Local ID” and “Peer ID”.
If the remote IP of the tunnel is specified, or the mode is set to MAIN, then “Peer ID” is ignored.

See http://docs.fortinet.com/uploaded/files/1881/fortigate-ipsec-52.pdf; it has good examples of the use of Peer IDs, XAuth and VTIs.

Thanks everyone for the replies.
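
A simplified model of the peer selection discussed in this thread, as an added example that is not part of any post and is not RouterOS code. It assumes a first-match lookup on source address and exchange mode, with the IKE ID consulted only under the conditions stated above; the `Peer` fields, function names, addresses, IDs and secrets are all constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Peer:
    name: str
    address: str                   # remote address or prefix, e.g. "0.0.0.0/0"
    exchange_mode: str             # "main" or "aggressive"
    secret: str                    # preshared key for this entry
    peer_id: Optional[str] = None  # expected IKE ID (user FQDN), if configured

def select_peer(peers, src_ip, mode, ike_id=None):
    """Return the first peer entry matching an incoming IKEv1 negotiation."""
    src = ipaddress.ip_address(src_ip)
    for p in peers:
        net = ipaddress.ip_network(p.address)
        if src not in net or p.exchange_mode != mode:
            continue
        # Assumption taken from the thread: the ID is ignored in main mode
        # or when the remote IP of the tunnel is specified.
        id_usable = mode == "aggressive" and net.prefixlen == 0
        if id_usable and p.peer_id is not None and p.peer_id != ike_id:
            continue
        return p  # first match wins; later entries are never consulted
    return None

def can_connect(peers, src_ip, mode, client_secret, ike_id=None):
    """True if the key the client holds equals the selected entry's key."""
    p = select_peer(peers, src_ip, mode, ike_id)
    return p is not None and hmac.compare_digest(p.secret, client_secret)

# Constructed configurations.
# 1) The original setup: two identical wildcard peers, different keys.
SAME_MODE = [Peer("group-a", "0.0.0.0/0", "main", "key-A"),
             Peer("group-b", "0.0.0.0/0", "main", "key-B")]
# 2) Entries told apart by exchange mode.
BY_MODE = [Peer("group-a", "0.0.0.0/0", "main", "key-A"),
           Peer("group-b", "0.0.0.0/0", "aggressive", "key-B")]
# 3) Entries told apart by IKE ID.
BY_ID = [Peer("group-a", "0.0.0.0/0", "aggressive", "key-A", "a@vpn.example"),
         Peer("group-b", "0.0.0.0/0", "aggressive", "key-B", "b@vpn.example")]

if __name__ == "__main__":
    client = "203.0.113.10"
    print(can_connect(SAME_MODE, client, "main", "key-B"))        # second key fails
    print(can_connect(BY_MODE, client, "aggressive", "key-B"))    # mode separates
    print(can_connect(BY_ID, client, "aggressive", "key-B", "b@vpn.example"))
```

Aggressive mode sends the identity unencrypted, which is what lets the responder choose an entry by ID, and it is also why aggressive mode with a preshared key is considered weaker than main mode.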