L2TP/IPSec for Road Warrior

Has anyone successfully deployed L2TP/IPSec for Road Warrior?
After two weeks of testing I’m giving up :slight_smile:
Situation:

  1. Central point. Almost default config Mikrotik router (ROS v.:6.10) with NAT’ed LAN behind it.
  2. Clients. Win7, iOS, Android behind a NAT'ed Mikrotik. All L2TP users and devices are configured to have their own names/passwords. There is no situation with the same username on separate devices.
  3. Configuration was made based on this example: http://www.nasa-security.net/mikrotik/mikrotik-l2tp-with-ipsec/
Problem:
Any ONE of the clients can successfully connect to the central point (access remote LAN resources, etc.).
A second client also successfully connects, but then the first client stops working (no internet, no ping to remote LAN resources).
If the second client disconnects, the first client starts working again.
Tried to look at the l2tp/ipsec logs but with no luck.

Post your export.

IPsec and PPP or L2TP?
Sorry, never done export before :slight_smile:

Post your whole export, just remove your IP’s and passwords.

Basically just type /export and then put the output into Syntax tags here.

Sent from my SCH-I545 using Tapatalk

deleted

/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridge1 protocol-mode=rstp
/interface ethernet
set 0 comment=WAN
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 comment="LAN Switch"
/interface wireless
set 0 band=2ghz-b/g/n l2mtu=2290 ssid=MikroTik
/ip neighbor discovery
set ether1 comment=WAN
set ether5 comment="LAN Switch"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=LAN_pool ranges=192.168.0.180-192.168.0.235
/ip dhcp-server
add address-pool=LAN_pool disabled=no interface=ether5 name=dhcp1
/ppp profile
add bridge=bridge1 change-tcp-mss=yes dns-server=8.8.8.8 local-address=\
    192.168.0.254 name=L2TP_IN_Profile only-one=no remote-address=LAN_pool \
    use-encryption=yes use-ipv6=no
/queue simple
add max-limit=128k/1M name=Zydrunas2_speed_limit target=192.168.0.3/32 time=\
    8h-19h,mon,tue,wed,thu,fri
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/certificate scep client
add server=0.0.0.0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_IN_Profile enabled=yes \
    max-mru=1460 max-mtu=1460
/ip address
add address=WAN_IP/24 interface=ether1 network=WAN_Network
add address=192.168.0.254/24 interface=ether5 network=192.168.0.0
add address=192.168.0.42/24 interface=bridge1 network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=212.59.0.1,212.59.1.1,8.8.8.8 gateway=\
    192.168.0.254
/ip dns
set servers=212.59.0.1,212.59.1.1
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new in-interface=ether1 protocol=ipsec-esp
add chain=input connection-state=new in-interface=ether1 protocol=ipsec-ah
add action=log chain=forward content=youtube.com disabled=yes log-prefix=\
    youtube.com src-address=192.168.0.0/24
add action=log chain=forward content=.mp3 log-prefix=mp3 src-address=\
    192.168.0.0/24
add action=drop chain=forward content=.mp3 src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec peer
add dpd-interval=disable-dpd dpd-maximum-failures=1 exchange-mode=main-l2tp \
    generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes \
    secret=SECRET
add
/ip route
add distance=1 gateway=WAN_GW
add disabled=yes distance=1 dst-address=WAN_IP/32 gateway=ether5 \
    pref-src=192.168.0.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=9587
set ssh disabled=yes
set api disabled=yes
/ppp secret
add name=testas password="PASSWORD" profile=L2TP_IN_Profile service=l2tp
add name=NAME password="PASSWORD" profile=\
    L2TP_IN_Profile service=l2tp
add name=NAME2 password="PASWORD" profile=L2TP_IN_Profile service=l2tp
/snmp
set contact=Name enabled=yes location=Ofisas trap-community=\
    public trap-target=192.168.0.64
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=Router
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/system leds
set 0 interface=wlan1
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=84.15.121.61 secondary-ntp=212.59.0.1
/system scheduler
/system script
/tool e-mail
/tool graphing interface
add interface=ether1
add interface=ether5
/tool graphing resource
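
The export above is the kind of thing a reviewer has to read by hand. As an added example (not code from the thread, from MikroTik, or from the linked guide), the following Python script parses RouterOS export text, rejoining the "\"-wrapped lines, and checks the settings an L2TP/IPsec road-warrior server depends on: the L2TP server and its PPP profile, the IPsec peer (NAT-T, main-l2tp exchange mode, pre-shared secret, DPD), and explicit input-chain accepts for UDP 500/4500/1701 and ESP on the WAN interface. It assumes the WAN interface is ether1, as in the posted export; the sample export embedded in it is constructed, modelled on the posted one with placeholder values, so the script runs offline.

```python
"""Audit a RouterOS /export for L2TP/IPsec road-warrior prerequisites.
Added example, not from the thread; WAN interface assumed to be ether1."""
import re
from collections import defaultdict

# Constructed sample modelled on the export posted in the thread (placeholders,
# not real values); RouterOS wraps long export lines with a trailing "\".
SAMPLE_EXPORT = r'''
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_IN_Profile enabled=yes \
    max-mru=1460 max-mtu=1460
/ppp profile
add local-address=192.168.0.254 name=L2TP_IN_Profile remote-address=LAN_pool \
    use-encryption=yes
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new in-interface=ether1 protocol=ipsec-esp
/ip ipsec peer
add dpd-interval=disable-dpd exchange-mode=main-l2tp \
    generate-policy=port-override nat-traversal=yes secret=SECRET
'''

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"


def parse_export(text):
    """Return {section: [entry, ...]}; an entry maps parameter -> value
    (quotes stripped) and records the verb (add/set) under "_verb"."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                 # continuation: glue the next line on
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # a new section such as "/ip ipsec peer"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set") or section is None:
            continue
        rest = re.sub(r"\[.*?\]", "", rest)     # drop "[ find default=yes ]" selectors
        entry = {"_verb": verb}
        for key, value in KV_RE.findall(rest):
            entry[key] = value.strip('"')
        sections[section].append(entry)
    return dict(sections)


def audit(sections, wan="ether1"):
    """Boolean findings about the road-warrior prerequisites; `wan` is the
    interface remote clients arrive on (assumed ether1, as in the thread)."""
    peers = sections.get("/ip ipsec peer", [])
    srv = sections.get("/interface l2tp-server server", [{}])[-1]
    profiles = {p.get("name"): p for p in sections.get("/ppp profile", [])}
    rules = sections.get("/ip firewall filter", [])

    def explicitly_accepted(proto, port=None):
        # Walk the input chain in order: the first rule matching the traffic decides.
        # RouterOS chains default to accept, so False only means "no explicit rule".
        for r in rules:
            if r.get("chain") != "input" or r.get("in-interface", wan) != wan:
                continue
            if r.get("protocol") != proto or (port and r.get("dst-port") != port):
                continue
            return r.get("action", "accept") == "accept"
        return False

    return {
        "l2tp_server_enabled": srv.get("enabled") == "yes",
        "l2tp_mschap2_only": srv.get("authentication") == "mschap2",
        "ppp_encryption_required":
            profiles.get(srv.get("default-profile"), {}).get("use-encryption") == "yes",
        "ipsec_nat_traversal": any(p.get("nat-traversal") == "yes" for p in peers),
        "ipsec_main_l2tp_mode": any(p.get("exchange-mode") == "main-l2tp" for p in peers),
        "ipsec_dpd_disabled": any(p.get("dpd-interval") == "disable-dpd" for p in peers),
        "ipsec_secret_missing": any(not p.get("secret") for p in peers),
        "fw_isakmp_500": explicitly_accepted("udp", "500"),
        "fw_nat_t_4500": explicitly_accepted("udp", "4500"),
        "fw_l2tp_1701": explicitly_accepted("udp", "1701"),
        "fw_esp": explicitly_accepted("ipsec-esp"),
    }


REQUIRED = ("l2tp_server_enabled", "l2tp_mschap2_only", "ppp_encryption_required",
            "ipsec_nat_traversal", "ipsec_main_l2tp_mode",
            "fw_isakmp_500", "fw_nat_t_4500", "fw_l2tp_1701", "fw_esp")


def report(findings):
    """Turn findings into human-readable issues (empty list = nothing to flag)."""
    issues = [f"missing or weak: {k}" for k in REQUIRED if not findings[k]]
    if findings["ipsec_dpd_disabled"]:
        issues.append("dpd disabled: a dead road-warrior SA lingers until its lifetime expires")
    if findings["ipsec_secret_missing"]:
        issues.append("ipsec peer without a pre-shared secret")
    return issues


if __name__ == "__main__":
    print(report(audit(parse_export(SAMPLE_EXPORT))))
```

Run against the constructed sample it reports only the disabled DPD; feed it the real export (saved from /export) to get the same checklist for a live router. The firewall check deliberately reports "explicit accept present" rather than "reachable", because a RouterOS chain without a final drop accepts by default.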

Are your clients behind the same gateway using nat-traversal, or do they connect from different IPs?

JF

As far as I know there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection.

For example, when two of our employees stay at the same hotel with public WiFi, only one can work.
This is the limitation of the Mikrotik implementation of L2TP/IPSEC VPN.

The Cisco VPN client to Cisco ASA has no problem with multiple clients over the same NATed internet connection.

I hope this will be fixed soon or if anyone knows how to make it work with multiple clients please DO tell!

Yes, clients are on the same network.

That's your problem then…

If this is true, it is very bad.
PPTP - not secure, only one connection from the same NATed network.
OpenVPN - no UDP support.
L2TP/IPsec - only one connection from the same NATed network ???
SSTP - only Windows support (no iOS, Android clients).

If L2TP/IPsec really can make only one connection, then it looks like Mikrotik has no solution for a Road Warrior setup.

What other options are there for RW VPN setups?

PPTP works with multiple clients behind the same NAT..
If you have multiple static IPs on the gateway (L2TP server) you can make clients connect each to a specific static IP.. Yes I know it's a stupid workaround but it works :slight_smile:
Or you can use OpenVPN via TCP.. it also works for multiple NATted clients..

Since you need iOS and Droid I am not sure if SSTP will work (I haven't tried that)..

Works only if the PPTP helper is enabled (Mikrotik). In hotels you cannot configure the routers. So in the real world it is useless.

If it is 2-3 clients it may be a workaround. But when you have 50+ it will not work.

Did not try it yet. What is wrong with TCP, why does everyone want UDP?

I tried to google, but could not find SSTP clients for iOS and Android.

Can Mikrotik support confirm that there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection?

If you want to use OpenVPN on an Android device you have to root it. It is not a procedure everyone is comfortable with and it can also cause warranty problems with some mobile operators.

Hopefully Mikrotik will fix this issue with roadwarrior ipsec some day …

JF.

One more thing I just remembered: Mikrotik has enabled IPSEC XAUTH support..
This is on my try list :slight_smile:

See here:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf

Also no mention of Droid or iOS support.. For Windows you have the Shrew VPN Client..

On PPTP VPN Passthrough I have good experience (in Europe). Most hotels I stayed at have PPTP conntrack enabled (VPN Passthrough) on their routers/firewalls.

For OpenVPN, UDP is faster but TCP is more reliable. Most vendors prefer UDP (no transmission control) and thus it is faster and more suitable for VoIP and gaming. OpenVPN has its own transmission protocol. But I must say if you have enough bandwidth (upload) on the VPN server it should also work with TCP and Mikrotik.

I can get it working if the ISP isn’t port blocking, which in my travels is seen quite often, but as you noticed only one PC can connect at a time.

I tried SSTP but have not been successful, the step by step examples in the wiki are lacking.

Have you seen this?
http://tinc-vpn.org/

I just read about it at https://www.grc.com/sn/sn-445.htm

Does Mikrotik support OVPN over UDP?

I’m interested to see if you get this working.

Today I received an answer from Mikrotik support:
Currently we are working on L2tp/ipsec to support more than one client behind NAT.

Maybe a month, maybe a little longer.