L2TP, IPsec, IKEv1 and IKEv2 in more detail and information

Hi guys,

We love MikroTik products; they give us perfect management of the network and we can apply many rules, versus expensive units like a Cyberoam UTM router or Fortinet etc.

Very stable kernel and BSD Unix production quality, many years on the market.

We successfully managed to make all the following VPN protocols work 100% OK on an RB2011 router with no problem whatsoever: SSTP, PPTP, OVPN and L2TP/IPsec with pre-shared key. The only problem we had is NAT translation in L2TP/IPsec, which is a big problem for road warriors on the same subnet.

We had problems with pure IPsec because of limitations of the layer 2 protocol; we know nothing about using RSA keys and RSA signatures, and there is also no description on the wiki page of how and where to apply them without hassle, scenarios etc.

So please clarify all of these scenarios in my questions.


Question 1: there is no detailed explanation of where pure IPsec is best, so here is my question:

only between routers, or can it be used on mobile devices? Examples of scenarios where it applies, please.

Question 2: also, IKEv1 has a NAT limit between the same public IP; is it worth using for road warriors versus IKEv2 on mobile devices like Android?

Question 3: can MikroTik make a Cisco IPsec connection on iPhone or Android with a signature certificate, the Cisco way? Example please, pure IPsec.

Question 4: do main and aggressive mode IKEv1 peers have a limit for NAT translation, or do they work better than L2TP/IPsec? Does IKEv1 work well on Windows 10?

Question 5: does RSA key phase 2 only work between 2 ROS routers, or mixed with Cisco routers, and nowhere else, for example Windows, Android or iOS?

I found some Russian site where there is an RSA key site-to-site example of how to connect routers; or tell me where to find one.

Question 6: which of the VPN protocols in MikroTik supports EAP, or do we have to use RADIUS, I mean forward to a RADIUS server, or pure XAUTH on MikroTik devices?

I managed to make IKEv2 work on my Android phone but have problems with routes; help me with that, and also how does it work on Windows?

Edit: I made a route using chain=forward, input IPsec pool address and output address, using two dynamic IPs behind NAT.

But I had terrible VoIP/SIP quality, and also cannot connect multiple sessions from different IPs; when one connects, the other IP fails. I wonder, do I have to make more peers or allow multiple sessions?


That's all, since IPsec is a huge bundle of protocols, and that is more than enough to help me with.

Thanks
Icko

The trouble is that all product manuals (not just MikroTik ones) usually assume that the user is familiar with the generic features of the protocol and only needs an explanation of how to configure the particular product to use these features, while all users assume that the product manual will explain what to configure without any need to know anything at all about the underlying protocol.

The more complex the protocol, the more deployment variants exist, so a how-to for each of them could easily mean tens or hundreds of them.

So regarding your questions 1 and 2:

  • to traverse a NAT, you need the transport protocol to support the idea of ports, which you can understand as an extension of the IP address, and the NAT devices to understand that protocol. The absence of the idea of a port in GRE, L2TP, or ESP means that any NAT device can, at best, provide a pinhole to a single device on the private side at a time.
  • specifically for IPsec, tunnel mode must be used because otherwise IPsec includes the IP header in the authenticated part of the packet, so as soon as NAT changes it, the packet does not pass the authenticity test at the receiving side.

While IKEv1 did not address this, the NAT-T extension to it does - it uses UDP as a transport for ESP if NAT traversal is necessary and a couple of methods to identify the need. IKEv2 uses the same techniques but as part of its specification rather than a separately standardized extension.

So for a road warrior, it would seem that you must use “pure IPsec” as you call it, because use of L2TP prevents two road warriors behind the same NAT from establishing a connection to the same remote server. If you do so, you must use “tunnel mode”, and it is irrelevant from the NAT point of view whether you choose IKEv1 with NAT support enabled or IKEv2.

However, the “L2TP/IPsec” mode actually means “use L2TP’s authentication (which is performed using UDP port 1701) to negotiate keys, and then use IPSec in NAT-T mode (which also implies tunnel mode) to transport L2TP between the peers”. So the L2TP is encapsulated into ESP which itself is encapsulated into UDP which can traverse NAT, so this mode can also be used for a road warrior scenario. The advantage is that you don’t need to deal with policies, proposals etc. The disadvantage is that you can set almost nothing about IPSec parameters, the checkmark “use IPSec” in L2TP interface settings sets up everything the way it needs it.

As for RSA public/private key authentication, it is not suitable for a road warrior setup. The point is that an RSA key pair is individual for each machine, but the peer identification does not support the idea of trying several matching configured peers one by one until one of them passes the RSA key authentication. With peers at public addresses, this is not an issue as you can identify each peer by its public address, but all peers behind a public address unknown in advance, which is usually the case with NAT, match the same configured peer at the “server” side. But you can use certificate authentication for road warriors if you do not configure a particular certificate for the peer they match to; in this case, any certificate provided by a client is checked for being signed by a certification authority trusted by the checking peer (the server), so any certificate signed by that CA matches. But certificate mode is incompatible with L2TP/IPsec, so “pure IPsec” has to be used.

Regardless what “group authentication” method (i.e. shared secret or certificate check) you use to accept or reject the incoming connection request in “pure IPSec” mode, if you need to provide individual settings for a road warrior peer, you have to use the x-auth configuration or its IKEv2 functional equivalent to do so.

I think most of the above can be understood from the manual page, but I admit it is much easier if you know how IPsec works.
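The road-warrior setup described in the post above (a single wide-open responder, certificate authentication that accepts any certificate chaining to a trusted CA, and per-client settings pushed by the IKEv2 equivalent of XAUTH mode-config), written out as an added RouterOS 6.45+ configuration example. It is not taken from the thread or from MikroTik's documentation; all names (ike2-rw, vpn-server, rw-pool), the 10.99.0.0/24 client pool and the 192.168.88.0/24 LAN are assumptions, and it assumes a CA and a server certificate "vpn-server" issued by that CA are already present in /certificate with the private key on the router.

```routeros
# Added example, not from the original thread. Names, pool and LAN prefix are
# assumptions; a trusted CA and the server certificate "vpn-server" are assumed
# to be imported already.

/ip ipsec profile
add name=ike2-rw dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 nat-traversal=yes

# One passive, wide-open peer answers every road warrior. With IKEv2 the
# NAT-T detection and UDP/4500 encapsulation are part of the protocol itself.
/ip ipsec peer
add name=ike2-rw address=0.0.0.0/0 exchange-mode=ike2 passive=yes profile=ike2-rw

/ip ipsec proposal
add name=ike2-rw auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none

/ip ipsec policy group
add name=ike2-rw

/ip pool
add name=rw-pool ranges=10.99.0.10-10.99.0.250

# Per-client settings (tunnel address, split-tunnel routes) are delivered by
# mode-config, the IKEv2 counterpart of the IKEv1 XAUTH/mode-config step.
/ip ipsec mode-config
add name=ike2-rw address-pool=rw-pool address-prefix-length=32 split-include=192.168.88.0/24

# No remote-certificate is set, so any client certificate that chains to a CA
# trusted by this router is accepted; remote-id=ignore keeps the identity from
# being tied to one particular client ID.
/ip ipsec identity
add peer=ike2-rw auth-method=digital-signature certificate=vpn-server remote-id=ignore generate-policy=port-strict mode-config=ike2-rw policy-template-group=ike2-rw

# Template policy in tunnel mode (required when the client sits behind NAT);
# a concrete policy is generated from it for each connecting client.
/ip ipsec policy
add group=ike2-rw template=yes tunnel=yes src-address=0.0.0.0/0 dst-address=10.99.0.0/24 proposal=ike2-rw
```

Because no remote-certificate is pinned on the identity, revocation has to be handled at the CA (remove or revoke the client certificate and make sure the router can see the CRL); individual client settings beyond what mode-config pushes still require a separate identity or a RADIUS backend, as the post says.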

Sorry to bump up an old thread, but I’ve been searching for hours and cannot find definitive info about this issue.

My question is very simple:

Is it possible to have a MikroTik working as a VPN server, with both L2TP/IPsec enabled and IKEv1 enabled at the same time?

All the remote clients will be road warriors using the native client included in their operating system of choice. Android phones and Apple iPhones will connect using IKEv1 with PSK and XAUTH. Windows 10 laptops will connect using L2TP/IPSec with PSK. There MUST NOT be any certificates at all involved in this. EVERYTHING must be PreSharedKey and usernames/passwords.

Is this really possible or not??

I have L2TP server enabled, but when I try to add another ipsec peer I get the error “This entry is unreachable”. How can I have two different peers (who both send INITIAL_CONTACT) listening to 0.0.0.0/0 at the same time??

Kind regards.

Yes it is possible to have a MikroTik working as an L2TP/IPsec VPN server with a shared secret.
I don’t understand what exactly you mean by “both L2TP/IPsec enabled and IKEv1 enabled at the same time”, assuming you mean to run L2TP/IPsec with IKEv1 anyway.
(with IKEv2 you normally do not run L2TP on top of it)

You can have an IPsec peer and identity defined for remote address ::/0 and it will be used for L2TP/IPsec, no need to set it up in the L2TP server as well (just say Use IPsec: no there).

However, there is a problem. I have used this setup for a long time with MikroTik routers, Android phones and Chromebooks as clients and it works OK.
However, coincidentally today I tried to use a Windows 10 laptop as client and it fails. To debug it, I tried it on an old Windows XP laptop and it fails as well.
The usual IPsec problem it seems: nothing happens when trying to connect, and after some time it prints a message hinting about a configuration problem, without any details.

Currently at the server side (MikroTik router) I have these settings:

/ip ipsec peer
add comment="Incoming L2TP/IPsec" name=l2tp passive=yes
/ip ipsec identity
add generate-policy=port-override peer=l2tp secret=(your secret psk here)

I.e. the encryption settings are all at defaults. This works OK with the Android phones and Chromebooks as client (and obviously with MikroTik routers) and my experience is that adding newfangled things like sha256 in phase1 Proposals is breaking that.
At this moment I am not sure if this setup is ever going to work with Windows, and if not what minimally has to be changed in it to make it work (and not break the other clients).
It is a bit dangerous to experiment on our router as there are several VPNs running all the time, and changing the parameters at minimum makes them reset, and sometimes not come back.
So I would be happy when someone else can provide any detail, if not I will have to debug it on a spare router.

Just in case it wasn’t clear from pe1chl’s post - you do not need two peers if some road warrior devices should use “barebone IKE(v1)” and others should use “L2TP over IKE(v1)”, because the single wide-open peer with exchange-mode=main will be used for both.

As for the error message, the entry is unreachable because by all parameters which can be evaluated - the (remote) address, the local-address, and the exchange-type of both items are the same, so the first one shadows the second one. So if you want multiple peers, e.g. because on top of road warriors, you have some remote site routers which only support IKE(v1), you can place their entries with narrow subnets as address before the one with address=0.0.0.0/0 (or ::/0), and they will be matched. But in such case, those road warriors cannot connect from these sites.
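The peer ordering described in the post above, as an added RouterOS 6.45+ example (not from the thread): two fixed-address site routers get narrow peers with their own pre-shared keys, placed ahead of the 0.0.0.0/0 catch-all that serves both bare IKEv1 and L2TP/IPsec road warriors. The addresses 203.0.113.10 and 198.51.100.22, the subnet 192.168.88.0/24 and 10.10.0.0/24, and all names and secrets are assumptions.

```routeros
# Added example, not from the original thread. Addresses, subnets, names and
# secrets are placeholders.

/ip ipsec peer
# Narrow peers first: remote site routers with known public addresses.
add name=site-a address=203.0.113.10/32 exchange-mode=main
add name=site-b address=198.51.100.22/32 exchange-mode=main
# Catch-all responder last. It is matched only when no narrower peer matched,
# so it never shadows the site entries above it.
add name=rw address=0.0.0.0/0 exchange-mode=main passive=yes send-initial-contact=no

/ip ipsec identity
# Each site matches its own peer, so each can carry a different PSK.
add peer=site-a auth-method=pre-shared-key secret=site-a-psk
add peer=site-b auth-method=pre-shared-key secret=site-b-psk
# All road warriors match "rw" and therefore share one PSK; the generated
# policy serves both bare IKEv1 and L2TP-over-IPsec clients.
add peer=rw auth-method=pre-shared-key secret=road-warrior-psk generate-policy=port-override

# Static site-to-site policies for the narrow peers.
/ip ipsec policy
add peer=site-a tunnel=yes src-address=192.168.88.0/24 dst-address=10.10.0.0/24 proposal=default
add peer=site-b tunnel=yes src-address=192.168.88.0/24 dst-address=10.20.0.0/24 proposal=default

# The L2TP server relies on the "rw" peer/identity rather than on its own
# ipsec-secret, as pe1chl describes above.
/interface l2tp-server server
set enabled=yes use-ipsec=no

# If a narrow peer was created after the catch-all, move it in front of "rw"
# so it is evaluated first.
/ip ipsec peer move [find name=site-b] [find name=rw]
```

As the post notes, a road warrior sitting inside site A or site B will hit the site-a or site-b peer instead of "rw" and fail PSK authentication, so either give those users a different path or accept the limitation.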

Sindy: do you happen to know the IPsec settings that are acceptable for Windows or how to set Windows to accept the default settings of MikroTik? I failed to get it working up to now.

pe1chl,

I’ve got access to a Mikrotik (it’s in production, but isn’t going to be used this weekend. And I also have access to a computer in the same subnet with AnyDesk, so I can even reset its configuration if I want to)

This Mikrotik ( RB750 ) is running firmware stable v6.46.2. And it’s currently configured with the default L2TP/IPSec config:

/interface l2tp-server server
set authentication=chap default-profile=perfil1 enabled=yes ipsec-secret=blablabla use-ipsec=required

/ppp secret
add name=user1 password=blaablabla profile=perfil1 service=l2tp

How would you add another IPSec responder for 0.0.0.0/0 and avoid conflicts with the existing one? All the road warriors will connect from unknown IP addresses!

Please explain what you mean with “add another IPSec responder”…
L2TP/IPsec uses usernames. When you want to allow another client, just add a username/password using PPP->Secrets.
Or do you mean something else?

Sorry, I don’t have a deep knowledge of IPSec, maybe I’m using incorrect words!

I was thinking that I could use a PreSharedKey for all the Android/iPhone warriors (those will use IPSec IKEv1 PSK XAUTH), and a different PSK for Windows warriors (they will use L2TP/IPSec). Is that correct? Or should they all share the same PSK??

They all need to use the same PSK unless you can find some selector that allows the selection of the correct peer+identity entry.
When the remote address is ::/0 you can use the local address, when you have more than one public IP address.
When you have only a single public IP I think it is impossible to have more than one PSK. You cannot have more than one identity for a peer, and you cannot have multiple peers with the same selector.

Ohh, darn! That means I cannot do what I wanted, because I only have one public IPv4 address :(

According to Mikrotik official docs, Windows L2TP/IPSec clients need the “auth-method” set to something like this:

/ip ipsec peer add auth-method=pre-shared-key …

But Android phones using IKEv1-XAUTH-PSK need something like this:

/ip ipsec peer add auth-method=pre-shared-key-xauth …

I understand that I cannot have both auth-methods simultaneously with a single public IP address? :(

Android phones can do L2TP/IPsec with username/password at L2TP level and no XAUTH at IPsec level. Same as Windows would do.
But of course you would need to reconfigure the phones.

I have it working with Android phones but not with Windows, no idea yet why it fails, have to do further debugging next week (this is a work thing).

I think I’m going to deploy IPSec IKEv1 with PSK and XAUTH.

The verdict has been delivered. This guy has finally convinced me:

https://www.youtube.com/watch?v=QlkIbx0Jpoo

L2TP/IPSec requires complex scripts running on the Mikrotik when several warriors share the same public IP (I acknowledge that the script designed by Sindy to combat this problem is very impressive, but it’s still somewhat a “hack”, and is not official Mikrotik code)

I hate that Windows doesn’t support IKEv1 with PSK and XAUTH by default, but it seems that the Shrew VPN client solves that problem without headaches.

Thanks for all the info!
Kind regards.

Sorry to bother you again, but, are you sure that it is not possible to have more than one identity for a peer?

I’ve been testing this configuration on the latest stable version (6.48.1) and it seems to work!

/ip ipsec policy group add name=group1
/ip ipsec peer add name=peer1 passive=yes send-initial-contact=no
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal1 pfs-group=none
/ip pool add name=vpn-pool1 ranges=192.168.89.150-192.168.89.199
/ip ipsec mode-config add address-pool=vpn-pool1 address-prefix-length=32 name=cfg1 split-include=192.168.88.0/24
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablapsk username=xuser1
/ip ipsec identity add auth-method=pre-shared-key generate-policy=port-strict peer=peer1 secret=blablapsk
/ip ipsec policy add dst-address=192.168.89.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

/ppp secret add local-address=172.16.1.1 name=l2tpuser1 password=blablabla profile=default-encryption remote-address=172.16.1.2 service=l2tp

/interface l2tp-server server set enabled=yes

Road warriors can connect with the native L2TP/IPSec included in Windows, and also with the Greenbow VPN client (using IKEv1 XAUTH). It seems to work fine.

However, I must confess that I received an error in Winbox when I created the second IPsec identity, but I ignored it and it seems to have accepted it. Do you think I may have problems in the future?

I’ve noticed one VERY ANNOYING problem with the Greenbow VPN client and others like the Forticlient VPN client. Those programs usually disable two critical Windows services (IKEEXT and PolicyAgent) and will make it impossible to connect with the built-in Microsoft L2TP client.

The solution I’ve found is to close Greenbow or Forticlient, and then start those services from the command line:

sc start IKEEXT
sc start PolicyAgent

And now you can use the integrated L2TP/IPsec client in windows.

What I wrote was true at that time, but since then changes have been made to RouterOS so it is now possible to have multiple identities for the same peer.