L2TP/IPSec server

Hi all,

I have tried to set up an L2TP/IPsec server on my MikroTik.

I have seen this option.

/ppp secret
add name=device service=l2tp password=12345678910 local-address=10.0.29.1 remote-address=10.0.29.100

/interface l2tp-server server
set enabled=yes

Unfortunately, my Android device has the L2TP/IPsec PSK VPN option to connect.

I already have two L2TP client interfaces. They redirect the forwarded packets to another Autonomous System (AS).

So I'm asking how to set up an L2TP/IPsec PSK server on my MikroTik.

Do you have a template?

My configuration regarding L2TP:

/ip pool add name=LAN ranges=10.0.15.10-10.0.15.200

/ip dhcp-server add address-pool=LAN disabled=no interface=bridge1 name=LAN

/ip settings set accept-redirects=yes accept-source-route=yes

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to=76.82.134.27 disabled=no name=l2tp0 password=S5F4D6qs23g87DFFd54sfg5l3 profile=default user=c_cust
add allow=mschap2 allow-fast-path=yes connect-to=76.82.134.28 disabled=no name=l2tp1 password=4HHd2h8zGK47ZrJ3gE6LrJvef profile=default user=c_cust

/ip address
add address=10.0.15.1/24 interface=bridge1 network=10.0.15.0
add address=40.18.134.183 interface=Loopback0 network=40.18.134.183

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes src-address=10.0.15.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535

/ip firewall nat
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp0 src-address=10.0.15.0/24 to-addresses=40.18.134.183
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp1 src-address=10.0.15.0/24 to-addresses=40.18.134.183

Thank you for your advice.

Start here https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup


With the following lines, my device can connect to the L2TP server when I try to connect from my local network (Wi-Fi).


/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=sdfvTY5hyhZE543fgG default-profile=default

/ip pool 
add name=vpn-pool range=10.0.29.201-10.0.29.220

/ppp profile
set default local-address=10.0.29.1 remote-address=vpn-pool

/ppp secret
add name=user1 password=SQVjnb52fgkj65

/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp

Now, when I try to connect my device to the L2TP server over a 3G/4G connection, it's not possible.

The cause is that all the data from my public IP comes through the forward chain and not the input chain.

How can a connection be established with this configuration?

All my data comes through the forward chain and is redirected via an L2TP tunnel between me and my access network provider.


/ip address
add address=10.0.15.1/24 interface=bridge1 network=10.0.15.0
add address=40.18.134.183 interface=Loopback0 network=40.18.134.183

/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to=76.82.134.27 disabled=no name=l2tp0 password=S5F4D6qs23g87DFFd54sfg5l3 profile=default user=c_cust
add allow=mschap2 allow-fast-path=yes connect-to=76.82.134.28 disabled=no name=l2tp1 password=4HHd2h8zGK47ZrJ3gE6LrJvef profile=default user=c_cust

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes src-address=10.0.15.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535

/ip firewall nat
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp0 src-address=10.0.15.0/24 to-addresses=40.18.134.183
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp1 src-address=10.0.15.0/24 to-addresses=40.18.134.183

The question is simple, is your VPN Server accessible through the Internet?
Does it have a public Address configured?

Hmm, I suppose not yet.

/ppp profile
set default local-address=10.0.29.1 remote-address=10.0.29.201-10.0.29.220

I have added my public IP, but I can't access my L2TP server now :confused:


/ppp profile
set default local-address=10.0.29.1 remote-address=40.18.134.183

Why do I have no log about the L2TP connection now?

It's okay now with the local network.

But with 3G/4G, I have this notice in the log.


respond new phase 1 (Identity Protection): 40.18.134.183[500] <=> 77.204.247.91[1525]
the packet is retransmitted by 77.204.247.91[1525].
the packet is retransmitted by 77.204.247.91[1525].
the packet is retransmitted by 77.204.247.91[1525].
the packet is retransmitted by 77.204.247.91[1525].
the packet is retransmitted by 77.204.247.91[1525].
first L2TP UDP packet received from 77.204.247.91
phase1 negotiation failed due to time up 40.18.134.183[500] <=> 77.204.247.91[1525]

77.204.247.91 is the IP of my provider.

You need a couple of firewall rules to allow the remote VPN connections -

/ip firewall filter
add action=accept chain=input comment="VPN port allow" dst-port=500,4500 log=yes protocol=udp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp
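As an added example (not code from this thread or from MikroTik), the following Python script audits a RouterOS `/ip firewall filter` export for the input-chain rules an L2TP/IPsec responder needs. It flags the difference between the earlier rule set in this thread, which accepted UDP/1701 unconditionally (so plaintext L2TP from the Internet also reaches the router; `use-ipsec=required` on the server will still refuse such sessions, but the firewall should not expose the port either), and the corrected rules above, where UDP/1701 is only accepted with `ipsec-policy=in,ipsec`. The two exports are constructed from the rules posted in the thread; the rule ordering against any preceding drop rules is assumed to be correct and is not checked.

```python
"""Audit a RouterOS '/ip firewall filter' export for L2TP/IPsec responder rules.

Added example for this thread; it is not MikroTik code and does not talk to a
router. It parses the text of an export and reports which of the expected
input-chain accept rules are present.
"""
import shlex

# Constructed sample: the first rule set posted in the thread.
SAMPLE_EXPORT_WEAK = """
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
"""

# Constructed sample: the corrected rule set posted in the thread, plus ESP.
SAMPLE_EXPORT_FIXED = """
/ip firewall filter
add action=accept chain=input comment="VPN port allow" dst-port=500,4500 log=yes protocol=udp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add chain=input protocol=ipsec-esp
"""


def parse_rules(export_text):
    """Turn 'add k=v k=v ...' lines under /ip firewall filter into dicts."""
    rules = []
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        # RouterOS filter rules default to action=accept when no action is given.
        rule = {"action": "accept"}
        for tok in shlex.split(line[4:]):       # shlex keeps comment="a b" together
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def ports_of(rule):
    """Set of ports a rule matches via dst-port= or port= (lists and ranges)."""
    spec = rule.get("dst-port") or rule.get("port") or ""
    ports = set()
    for part in filter(None, spec.split(",")):
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def audit_l2tp_ipsec(rules):
    """Findings for an L2TP/IPsec responder: IKE, ESP, and how UDP/1701 is guarded."""
    inp = [r for r in rules if r.get("chain") == "input" and r.get("action") == "accept"]
    udp = [r for r in inp if r.get("protocol") == "udp"]
    guarded = lambda r: r.get("ipsec-policy") == "in,ipsec"
    return {
        # IKE (500) and NAT-T (4500) must be reachable in the clear.
        "ike_500_4500": all(any(p in ports_of(r) for r in udp) for p in (500, 4500)),
        # Raw ESP for peers that are not behind NAT.
        "esp": any(r.get("protocol") == "ipsec-esp" for r in inp),
        # L2TP control/data only once it arrives decrypted from an IPsec SA.
        "l2tp_inside_ipsec": any(1701 in ports_of(r) and guarded(r) for r in udp),
        # Weakness: UDP/1701 accepted from anywhere without the IPsec guard.
        "l2tp_plaintext": any(1701 in ports_of(r) and not guarded(r) for r in udp),
    }


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_EXPORT_WEAK), ("fixed", SAMPLE_EXPORT_FIXED)):
        print(name, audit_l2tp_ipsec(parse_rules(text)))
```

Run it against the output of `/ip firewall filter export` (with `hide-sensitive`); a `l2tp_plaintext` finding means the rule set accepts L2TP that never went through IPsec.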

I have applied the firewall rules,

and I have

input : in:l2tp0 out:(unknown 0), src-mac 01:ad:29:3n:7z:2p, proto UDP, 77.204.247.91:1525 → 40.18.134.183:500, len 752.

Do you have another idea?

First it would be best if you post your whole config with hide-sensitive… Also, hide your Public IP on your previous posts…
Why do you change the MSS ? You can select that option on your L2TP profile anyways…

Also look here:
“phase1 negotiation failed due to time up” what does it mean?
There are communication problems between the peers. Possible causes include - misconfigured Phase 1 IP addresses; firewall blocking UDP ports 500 and 4500; NAT between peers not properly translating IPsec negotiation packets.
This error message can also appear when local-address parameter is not used properly. More information available here.
Source: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Basic_L2TP.2FIPsec_setup

First it would be best if you post your whole config with hide-sensitive… Also, hide your Public IP on your previous posts…

I have already anonymized my configuration.


Why do you change the MSS ? You can select that option on your L2TP profile anyways…

It was just a simple tip from my association network provider.


There are communication problems between the peers. Possible causes include - misconfigured Phase 1 IP addresses; firewall blocking UDP ports 500 and 4500; NAT between peers not properly translating IPsec negotiation packets.

Okay, but it seems to be a forward chain problem.


Here is my packet flow:

device => (10.0.2.1) network provider router (77.204.247.91) => … => (40.18.134.183) my router (10.0.29.1) =>

=> REDIRECTION L2TP0 => association network provider router => IP => SEARCH IP 77.204.247.91

It's not the simplest way.

All the traffic goes through the forward chain because of the association network's L2TP server.

I don’t get the remark about forward chain. Whether a received packet will take the input chain or the forward chain depends on its destination address. If it is any of router’s own addresses, it takes the input chain; if it is any other one, it takes the forward chain. However, dst-nat takes place before this decision is taken, so a packet coming to one of the own addresses of the router can be redirected to another destination address, so it then goes via forward chain (and vice versa). But your partial configuration export contains no action=dst-nat rules whilst you mention some “redirection L2TP0” - what is that?

Plus, in your partial config export I can see neither use-ipsec=yes in the /interface l2tp-server server configuration nor a manual configuration of an IPsec peer, policy etc.

The log is somehow too sparse - it mentions that the IPsec engine has received the initial packet from the mobile device, and then only reports retransmissions but nothing regarding the answer your own device sends (or why it doesn’t). So if you did configure the IPsec one way or the other, use

/system logging
add topics=ipsec,!packet
add topics=l2tp,!packet

Then run /log print follow-only file=l2tp_startup where topics~"ipsec|l2tp" and try to connect the client again. Once it fails, stop the /log print and download the file. The regular log file may be too small to hold all the messages, as you're already running two L2TP connections so their control messages will fall into the log as well.

If you haven't configured the IPsec in either of the two possible ways, the log should complain about missing information necessary to process the incoming request, but it never came to my mind not to configure anything about IPsec and attempt an incoming IPsec connection.

Also, the same IP address as the source of the incoming traffic from the Android device and as the destination of your L2TP client tunnels is very confusing.
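As an added example (not from the thread or from MikroTik), here is a small Python analyser for the file the `/log print follow-only file=... where topics~"ipsec|l2tp"` step above produces. It groups the IPsec messages per remote peer and tells apart the pattern posted earlier in the thread (a `respond new phase 1` line followed only by initiator retransmissions and a `phase1 negotiation failed due to time up`, i.e. the reply never reached the initiator) from a successful exchange. The sample log lines are constructed in the shape of the ones posted above, with documentation addresses; the `ISAKMP-SA established` line is the racoon-style success message RouterOS logs, and the exact wording of any other messages is not assumed.

```python
"""Classify RouterOS IPsec phase 1 outcomes per peer from a log capture.

Added example for this thread (not MikroTik code). Input is the text of a log
dump; output is one dict per remote peer with a short verdict.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the lines posted in the thread
# (addresses from the documentation ranges, not the poster's).
SAMPLE_LOG_TIMEOUT = """\
respond new phase 1 (Identity Protection): 203.0.113.10[500] <=> 198.51.100.7[1525]
the packet is retransmitted by 198.51.100.7[1525].
the packet is retransmitted by 198.51.100.7[1525].
the packet is retransmitted by 198.51.100.7[1525].
first L2TP UDP packet received from 198.51.100.7
phase1 negotiation failed due to time up 203.0.113.10[500] <=> 198.51.100.7[1525]
"""

# Constructed sample of a successful phase 1 for comparison.
SAMPLE_LOG_OK = """\
respond new phase 1 (Identity Protection): 203.0.113.10[500] <=> 198.51.100.7[4500]
ISAKMP-SA established 203.0.113.10[500]-198.51.100.7[4500] spi:0011223344556677:8899aabbccddeeff
"""

PEER = r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]"          # ip[port]
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_RESPOND = re.compile(r"respond new phase 1 .*?: " + PEER + r" <=> " + PEER)
RE_RETRANS = re.compile(r"the packet is retransmitted by " + PEER)
# Tolerate the "negociation" spelling that appeared in the posted log.
RE_TIMEOUT = re.compile(r"phase1 nego[ct]iation failed due to time up " + PEER + r" <=> " + PEER)
RE_ESTAB = re.compile(r"ISAKMP-SA established " + PEER + r"-" + PEER)
RE_L2TP = re.compile(r"first L2TP UDP packet received from " + IP)


def _new_peer():
    return {"phase1_started": False, "retransmits": 0, "timed_out": False,
            "established": False, "l2tp_seen": False}


def verdict(p):
    """Short classification of what the log shows for one peer."""
    if p["established"]:
        return "established"
    if p["timed_out"] and p["retransmits"] > 0:
        # The initiator kept resending its first message and the responder
        # gave up: our answer (if any) never reached the initiator. Check the
        # return route to that address and UDP 500/4500 on the path.
        return "no-reply-to-initiator"
    if p["timed_out"]:
        return "timed-out"
    return "incomplete"


def analyse(log_text):
    """Return {peer_ip: findings} for every remote peer seen in the log."""
    peers = defaultdict(_new_peer)
    for line in log_text.splitlines():
        if m := RE_RESPOND.search(line):          # group 3 = remote address
            peers[m.group(3)]["phase1_started"] = True
        elif m := RE_RETRANS.search(line):
            peers[m.group(1)]["retransmits"] += 1
        elif m := RE_TIMEOUT.search(line):
            peers[m.group(3)]["timed_out"] = True
        elif m := RE_ESTAB.search(line):
            peers[m.group(3)]["established"] = True
        elif m := RE_L2TP.search(line):
            peers[m.group(1)]["l2tp_seen"] = True
    result = {}
    for ip, p in peers.items():
        p["verdict"] = verdict(p)
        result[ip] = p
    return result


if __name__ == "__main__":
    for name, text in (("timeout", SAMPLE_LOG_TIMEOUT), ("ok", SAMPLE_LOG_OK)):
        for ip, p in analyse(text).items():
            print(name, ip, p["verdict"], p)
```

Feed it the downloaded `l2tp_startup` file; a `no-reply-to-initiator` verdict with `l2tp_seen` set is the situation posted earlier in the thread, where the L2TP packet arrives but phase 1 never completes.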

I'm sorry, I forgot to paste the VPN configuration:

/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=3287ljhfut257hviumg default-profile=default

/ip pool add name=vpn-pool range=10.0.29.201-10.0.29.220

/ppp profile
set default local-address=10.0.29.1 remote-address=vpn-pool

/ppp secret
add name=user1 password=vb287jhgl35ghk

/ip firewall filter
add chain=input protocol=ipsec-esp

/ip firewall filter
add action=accept chain=input comment="VPN port allow" dst-port=500,4500 log=yes protocol=udp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp

Is it a copy-paste error or /ip ipsec peer print really shows nothing?

Sorry, it was a mistake