How to set up an L2TP VPN?

How can I set up an L2TP VPN?
It is very difficult on MikroTik.
I have followed several guides and YouTube videos,
but I cannot get a connection so that I can access a server on my LAN.
Is there anyone who can help me?
I don't want the default config 192.168.89.1.
I want to get to my LAN network 10.0.0.0/23.

[admin@Landaal-MK] > ip address export 
# mar/22/2020 13:31:23 by RouterOS 6.46.4
# software id = 4ZV9-XS2V
#
# model = 960PGS
# serial number = 78D207A03485
/ip address
add address=10.0.0.1/23 comment=defconf interface=ether2 network=10.0.0.0
add address=10.0.3.1/24 interface=vlan3 network=10.0.3.0
[admin@Landaal-MK] >

Did you check the examples in the wiki?
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Application_Examples

Of course!
I can set up a VPN.
Then, when I am connected to the VPN, I cannot access my server locally on 10.0.0.200/23.

Is the VPN subnet the same as in your local network?
If yes, then try enabling proxy-arp on your bridge interface and test again…
Otherwise you should use NAT to reach your server…

Hmm, I think the subnet is the problem. Local is /23, VPN is /24. Where can I change the VPN subnet? I can't find this.

/23 and /24 already have a common address space…
So if you can't reach any IP, that can't be the problem…
Can you type the whole addresses?

Yes,

my private network is 10.0.0.0/23 and the router is 10.0.0.1.
My guest network is VLAN 10.0.3.0/24, router 10.0.3.1.

Here are the VPN details:

 name="wesley" service=l2tp caller-id="" password="********" 
     profile=default local-address=10.0.0.1 remote-address=10.0.0.10 routes="" 
     limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00

[admin@Landaal-MK] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME               MTU MAC-ADDRESS       ARP             SWITCH            
 0 R  ;;; Ziggo-WAN
      ether1-wan        1500 64:D1:54:A8:F1:30 enabled         switch1           
 1 RS ether2            1500 64:D1:54:A8:F1:31 proxy-arp       switch1           
 2  S ether3            1500 64:D1:54:A8:F1:32 enabled         switch1           
 3  S ether4            1500 64:D1:54:A8:F1:33 enabled         switch1           
 4  S ether5            1500 64:D1:54:A8:F1:34 enabled         switch1           
 5  S sfp1              1500 64:D1:54:A8:F1:35 enabled        
[admin@Landaal-MK] /interface ethernet>

When I make a connection I get a /24 subnet and not /23.

Here is the output of my Windows machine:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::ac12:62e8:d35:4220%16
   IPv4 Address. . . . . . . . . . . : 10.0.0.51
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.0.0.1

PPP adapter Home:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Hope you can help me.

I am confused.
Earlier you said the VPN subnet is 10.0.3.0/24…
But as I can see from your code, the remote-address you use for the VPN client is 10.0.0.10, so you are in the same subnet as your local network…
Enable proxy ARP on your bridge interface and try again…

Also, seeing IPv4 Address. . . . . . . . . . . : 10.0.0.51 makes me more confused…
Are you inside your LAN but connecting through the VPN to access the server inside your LAN? :confused:

Yes, my guest and VPN are /24 networks.
The VPN network was 192.168.89.1/24.
I have changed it to the same subnet as my private LAN.
My LAN starts at 10.0.0.50,
so I gave my VPN the 10.0.0.10 address.
This will work, right?
I set proxy ARP on the bridge.
I have made VPN connections on multiple routers.
But MikroTik is difficult.

It is not about MikroTik, it is about networks in general…
So did it work?

No, it's not working.

Sent from my SM-A505FN with Tapatalk

Are you sure you are not blocking anything with the firewall?
When you are connected through the VPN, can you ping the VPN address of the router? 10.0.3.x?

I'll check it tomorrow. Tonight I have no time :frowning:

Sent from my SM-A505FN with Tapatalk

I can make a VPN connection from the inside.
When I am on the 4G network I cannot make the connection.
Here is an output from my firewall:

[admin@Landaal-MK] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; Laptop Levy, kid-control
      chain=forward action=reject dst-address=10.0.0.232

 1  D ;;; Laptop Levy, kid-control
      chain=forward action=reject src-address=10.0.0.232

 2  D ;;; Levy mobiel, kid-control
      chain=forward action=reject dst-address=10.0.0.93

 3  D ;;; Levy mobiel, kid-control
      chain=forward action=reject src-address=10.0.0.93

 4  D ;;; Tablet Izzaly, kid-control
      chain=forward action=reject dst-address=10.0.0.175

 5  D ;;; Tablet Izzaly, kid-control
      chain=forward action=reject src-address=10.0.0.175

 6  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 7    ;;; defconf: accept established,related,untracked
      chain=input action=accept
      connection-state=established,related,untracked log=no log-prefix=""

 8    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723

 9    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

10    ;;; defconf: accept ICMP
      chain=forward action=drop protocol=icmp log=no log-prefix=""

11    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

12    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

13    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

14    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

15    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection
      connection-state=established,related log=no log-prefix=""

16    ;;; defconf: accept established,related, untracked
      chain=forward action=accept
      connection-state=established,related,untracked

17    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

18    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new
      connection-nat-state=!dstnat in-interface-list=WAN

19    ;;; Block guest network from home network
      chain=forward action=accept
      connection-state=invalid,established,related,new,untracked
      src-address-list=Home-Network log=no log-prefix=""

20    chain=forward action=accept connection-state=established,related
      src-address-list=Home-Network log=no log-prefix=""

21    ;;; Emby Access from guest network
      chain=forward action=accept protocol=tcp src-address=10.0.3.0/24
      dst-address=10.0.0.200 dst-port=8096 log=no log-prefix=""

22    ;;; Minecraft access from guest network
      chain=forward action=accept protocol=udp src-address=10.0.3.0/24
      dst-address=10.0.0.200 dst-port=19132 log=no log-prefix=""

23    ;;; webserver from guest network
      chain=forward action=accept protocol=tcp src-address=10.0.3.0/24
      dst-address=10.0.0.200 dst-port=80 log=no log-prefix=""

24    ;;; webserver from guest network
      chain=forward action=accept protocol=tcp src-address=10.0.3.0/24
      dst-address=10.0.0.200 dst-port=443 log=no log-prefix=""

25    ;;; Block all acces from guest network to home network
      chain=forward action=drop in-interface=vlan3 out-interface=bridge
      log=no log-prefix=""

But earlier you said the VPN connection is established… :open_mouth:

Yes, 2 days ago it was working on a different subnet.
Now it is only working from inside.

Sent from my SM-A505FN with Tapatalk

I posted this in another thread recently. This should be pretty close. It assumes RADIUS, but I’d guess it isn’t hard to authenticate against a local database.

/ip pool
 add name=pool.ppp ranges=172.20.0.10-172.20.0.50

/ppp profile
 add interface-list=ifl.vpn.trusted local-address=172.20.0.1 name=pr.l2tp only-one=yes remote-address=pool.ppp use-encryption=required use-upnp=no

/ppp aaa
 set accounting=no use-radius=yes

/radius
 add address=172.16.5.22 secret=<RADIUS PSK> service=ppp timeout=2s

/interface l2tp-server
 add name=l2tp-in1 user=""

/interface l2tp-server server
 set authentication=mschap2 default-profile=pr.l2tp enabled=yes ipsec-secret=<PSK> one-session-per-host=yes use-ipsec=required

/ip ipsec proposal
 set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=modp4096

/ip firewall filter
 add action=jump chain=forward in-interface-list=ifl.vpn.trusted jump-target=vpn.trusted.in
 ...
 add action=passthrough chain=--------
 add action=accept chain=vpn.trusted.in comment=VoIP dst-address=172.16.5.16 protocol=udp src-port=3000-3001,4000-4005
 ...
 add action=accept chain=vpn.trusted.in icmp-options=8:0-255 protocol=icmp
 add action=drop chain=vpn.trusted.in log=yes log-prefix="Def Drop: "
 add action=passthrough chain=--------

With Windows, you can create the VPN connection with Powershell. This is the example I use. You may need to adjust some options for compatibility with your configuration.

Add-VpnConnection -Name "SLHV CNE" -ServerAddress "<FQDN or IP>" -AllUserConnection:$true -AuthenticationMethod MSChapv2 -TunnelType L2TP -l2tppsk "<PSK>" -SplitTunnel:$false -EncryptionLevel Required -UseWinlogonCredential -PassThru -Force

When I disable this rule

12 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

then I can make a connection from outside.
Tested with mobile and I can access the router.
But I can see on my mobile if I have the same subnet.

Sent from my SM-A505FN with Tapatalk

I provided the sample code as a template for you to refer to. It is primarily geared for starting with no L2TP configuration. If you have any configuration that may conflict, you’ll have to diagnose and resolve it.

Your rule 12 is a very important rule that you should not disable until you understand what it does, and are able to weigh and mitigate the risks associated with disabling that rule. That particular rule is a very strong impediment to compromise of your router and network(s) due to malicious activity.

If you don’t understand what the firewall rules are for, I strongly encourage you to spend more time studying networking before exposing things to the internet.
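One way to let the L2TP/IPsec tunnel in from the WAN without touching rule 12, as an added example that none of the participants posted: accept only IKE, NAT-T and ESP from the WAN, accept L2TP itself only once it has arrived inside IPsec, and insert those rules ahead of the drop. The interface list name WAN and the defconf comment are taken from the firewall print above; the new comments and the assumption that the L2TP server runs with use-ipsec=required are mine.

```routeros
# Added example: narrow input-chain exceptions for L2TP/IPsec, inserted in
# front of "defconf: drop all not coming from LAN" so that rule keeps
# protecting every other service on the router (winbox, ssh, www, dns...).
/ip firewall filter

# IKE (UDP 500) and IKE NAT-Traversal (UDP 4500) from the WAN side
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="l2tp/ipsec: allow IKE and NAT-T" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# ESP (IP protocol 50), the encrypted payload carrying the L2TP session
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="l2tp/ipsec: allow ESP" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# L2TP (UDP 1701) is accepted only after IPsec has decrypted it, never in
# the clear; ipsec-policy=in,ipsec is what distinguishes the two cases
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="l2tp/ipsec: allow L2TP inside IPsec" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

Check with `/ip firewall filter print where chain=input` that the three accept rules sit above the "drop all not coming from LAN" rule; rule order is what decides whether the tunnel is reachable.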

Tippenring,

It was not a wrong config of the L2TP VPN.
It was a firewall problem.
I found a firewall rule that got in the way
and adjusted this line.

I've been doing networking stuff for a bit longer than today ;)
I had overlooked all these.