ipsec + l2tp newbie Q.

Hello,
My first post here :slight_smile:.

As said in the subject, I'm trying to set up IPsec + L2TP between 2 MikroTik routers.

I’m following this tutorial:
http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers

I can follow it with no problem until I reach the client-side config of L2TP.

There it says:
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=IP_OF_L2TP_SERVER

And from the picture drawing the network scheme, I'm not able to deduce what that IP address is (public or private IP?), which is why I'm also failing to set it up on my test routers.

I have set up 2 routers in the standard way:

router A: LAN = private IP address, WAN = public IP address
router B: same as above

The question is: what / where is the client-side L2TP "IP_OF_L2TP_SERVER" pointing at? Or does the L2TP server have a completely different IP than the WAN or LAN IP? If so, where do I specify it, and from which IP range (considering the wiki example)?
I'm a bit confused atm (no surprise there) :slight_smile:

Thank you for any help or tip!

Please post your IPSEC configuration, and your external / internal IPs. A diagram would be great!

Hi,
thanks for your reply. Here it is; it is very simple:
(IPs are not real)
router 01: LAN interface IP = 192.168.2.54, WAN interface (public IP) = 214.177.176.77
router 02: LAN interface IP = 192.168.210.54, WAN interface (public IP) = 213.155.160.22



router 01 (with L2TP server):

Create a user who will connect to the server:
/ppp secret add name=PHA2MB service=l2tp comment="l2tp tunel" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=214.177.176.77 remote-address=213.155.160.22 password=4444 profile=default

Then create a L2TP server interface for the created user:
/interface l2tp-server add disabled=no name=l2tp-MB user=PHA2MB

Enable the server:
/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled


Create an IPsec proposal:
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

Create an IPsec policy:
/ip ipsec policy add action=encrypt disabled=no comment="ipsec tunnel policy" ipsec-protocols=esp level=require priority=0 proposal=default protocol=all dst-address=192.168.210.0/24 dst-port=any sa-dst-address=213.155.160.22 sa-src-address=214.177.176.77 src-address=192.168.2.0/23 src-port=any tunnel=yes

Create an IPsec peer:
/ip ipsec peer add address=213.155.160.22/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey send-initial-contact=yes secret=dfklas

Add a route:
/ip route add comment="ipsec tunnel route" disabled=no distance=1 dst-address=192.168.210.0/24 gateway=192.168.210.54 scope=30 target-scope=10

NAT rule:
/ip firewall nat add chain=srcnat comment="NAT LAN to LAN" src-address=192.168.2.0/23 dst-address=192.168.210.0/24 action=accept place-before=0



router 02 (with L2TP client):

Create the L2TP client:
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=214.177.176.77 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=disabled name=l2tp-PHA password=4444 profile=default-encryption user=PHA2MB

The rest of the rules on router 02 are only the IPsec / NAT / route rules, mirrored from router 01.


The IPsec tunnel is working and I can ping both ways between the two LANs. But the L2TP is not working and my head is about to blow :slight_smile:. I'm missing something significant, ehh.

Hello again,
thanks to anyone reading this.
Anyway, solved. All is working. I needed to study more theory.

The example I referred to:
http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers

creates the L2TP tunnel first and then encapsulates it in IPsec. The L2TP in the example uses two class A IP addresses (non-public) specified in RFC 1918 (I overlooked this at first and thought these were public IPs, which caused my failure!).

After correctly understanding the network diagram in the example and what the tunnel and transport modes of IPsec mean, I got it all working :slight_smile:

I know, 'rtfm', but sometimes everyone is pushed by 'asap' managers, and 'rtfm' takes time.

Anyway, thanks all :slight_smile:

Hello there!

The L2TP/IPsec tutorial was unfortunately deleted from the examples page :frowning:
I tried to set up an L2TP/IPsec tunnel between 2 MikroTik routers as clients and a MikroTik router as server, but I cannot be sure that the IPsec is really working.
The L2TP status page shows MPPE128 stateless encryption only, although the IPsec setup should allow only 3DES or AES. It seems that the L2TP tunnel is encrypted, but not using IPsec any more (btw: why should I encrypt the L2TP tunnel when it's encrypted by IPsec?).

When I connect with my iPhone to the server router I get SHA and AES (what I would expect from the settings).

Can somebody provide a tutorial or example for RouterOS 6.32.3 (most tutorials obviously refer to older versions)?
Especially how to set up the client(s) to establish an L2TP/IPsec tunnel to the server side.

Thank you in advance!

The official manual has the examples:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup
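The question the later posts leave open is how to tell whether L2TP is actually being carried inside IPsec: the "MPPE128 stateless" shown by the L2TP monitor is PPP-level encryption chosen by the default-encryption profile and says nothing about IPsec. The RouterOS 6.x command sequence below is an added example, not part of this thread, of the wiki example, or of the manual pages linked above. It assumes the WAN interface on router 01 is named ether1, the client interface on router 02 is l2tp-PHA, and it reuses the constructed (not real) addresses from the thread.

```routeros
# Added verification sequence; assumptions: WAN interface ether1, client
# interface l2tp-PHA, and the thread's constructed addresses.

# --- on router 02 (L2TP client): confirm the PPP layer is up ---
/interface l2tp-client monitor l2tp-PHA once
# "status: connected" and "encoding: MPPE128 stateless" describe the PPP/MPPE
# layer selected by the default-encryption profile, not IPsec.

# --- on either router: confirm IKE phase 2 produced SAs ---
/ip ipsec installed-sa print
# Expect an ESP SA pair between 214.177.176.77 and 213.155.160.22 whose
# auth-algorithm / enc-algorithm match the proposal (sha1 with 3des or aes).
# An empty list means the L2TP packets are leaving the WAN in the clear.

# --- prove traffic really traverses the SAs: read the byte counters twice ---
/ip ipsec installed-sa print detail
/ping 192.168.210.54 count=20
/ip ipsec installed-sa print detail
# current-bytes on the SA pair must grow between the two prints; if it
# stays flat while the ping succeeds, the traffic is bypassing the policy.

# --- see what the WAN interface actually carries ---
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
# Protected L2TP appears here only as ESP (IP protocol 50).
/tool sniffer quick interface=ether1 port=1701
# Plaintext UDP/1701 on the WAN while the tunnel passes traffic means the
# IPsec policy is not matching and the L2TP session is unprotected.
```

The byte-counter check is the one that settles it: a "connected" L2TP interface and an installed SA can both exist while the policy selector fails to match the L2TP packets, and only a growing current-bytes counter (or ESP, not UDP/1701, on the wire) shows the packets are really inside IPsec. Once IPsec is confirmed, MPPE on the PPP profile only encrypts the payload a second time, which is why profiles used with L2TP/IPsec are commonly configured without it.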