L2TP IPSEC stronger crypto

Hi all,

TL;dr:
Is it possible for the MikroTik l2tp-client to use stronger IPsec phase 1 and phase 2 crypto?

Our company (unnamed for NDA reasons) is planning to move many of the employees to “tele-work/home office”.
This is something that’s been planned and started by my predecessor years ago.
Now I inherited the project and ran into a big wall.

Many of these locations are behind carrier-grade NAT and obviously have dynamic external addresses as well.
These teleworkers already have Cisco IP phones that are registered into our (very) old Cisco CallManager.
The phones will go to the home offices.

The company bought 30 (all different, to my luck) MikroTik boxes to give these users “remote access/voice/wifi” services.
The plan was to assign all 30 locations 2 subnets each (one for mgmt and voice, the other one for AD/whatever the devops guys want),
get the boxes to connect to our firewall (an x86 box running an IDS/IPS with strongSwan IPsec for remote workers) and set up dynamic routing
between them and split routing on the boxes on site.

The problem:

  • we are already over-budget
  • our firewall already provides L2TP/IPsec for roadwarrior laptops with PSK.
    (aes256cbc-sha256-modp2048 is set as the minimum crypto for both phase 1/2)
  • our firewall does not know SSTP for obvious reasons
  • many ISPs in the county are well known for terminating long-running TCP connections
    (thus OpenVPN is out of the question)

What I want to achieve:

  • at least aes128cbc-sha256-modp1536 phase 1/2 crypto on the l2tp-client (even if it’s damn slow)

I know this teleworker setup is flawed. It’s not my idea and I have little to no say in the matter.

Thank you for the answers in advance

P.S:
“If” the “experiment” is a success, then the company will probably move another 40~50 people to telework and
will buy another batch of mikrotik boxes wink wink nudge nudge

Yes, that should be possible, but you will have to configure IPsec manually (i.e. if you simply specify IPsec PSK in your L2TP client configuration you will not be able to adjust IPsec settings).

Thanks for the reply!

The wiki seems kind of hazy/confusing to me on this:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128
/ip ipsec peer
add address=1.1.1.1/32 hash-algorithm=sha1 nat-traversal=yes secret=test123456

/ip ipsec policy
add dst-address=1.1.1.1/32 protocol=udp sa-dst-address=1.1.1.1 \
      sa-src-address=10.5.8.120 src-address=10.5.8.120/32

Can the above src-address be dynamic, or does it need to be defined?

You should be able to specify a dynamic source in the IPsec policy (src addr 0.0.0.0/0) and then modify the proposal to the crypto strength you prefer. I’m using L2TP/IPsec for road warrior configs; you can try it out with site-to-site.

First configure it using the IPsec option in L2TP server itself, check what IPsec config that generates,
then remove the IPsec from the L2TP server and re-create the same IPsec config manually.
Then you can adjust the parameters to your liking.
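The two replies above (dynamic source address in the policy, and recreating the auto-generated IPsec config by hand) combined into one worked configuration. This is an added example, not config from the thread, the MikroTik wiki or the company in question. It assumes the older RouterOS 6.x syntax used in the snippet above (before 6.43 split peers into identities and profiles), a placeholder firewall address of 203.0.113.10, placeholder credentials, and that the strongSwan side is locked to aes256-sha256-modp2048 for both phases (`ike=aes256-sha256-modp2048!` and `esp=aes256-sha256-modp2048!`). The point a practitioner should check first: the MikroTik proposal has to intersect the firewall's, so listing only aes128/modp1536 on the client would never negotiate against a firewall that insists on aes256/modp2048.

```routeros
# Added example: manual IPsec for the MikroTik l2tp-client, RouterOS 6.x (pre-6.43)
# syntax as used earlier in this thread. 203.0.113.10 and all secrets are
# placeholders. Phase 1 and phase 2 are pinned to exactly what the firewall
# accepts (aes256 / sha256 / modp2048), so there is one possible outcome.

# Phase 1 (IKE): main mode, PSK, AES-256 / SHA-256 / MODP2048, NAT-T for CGNAT
/ip ipsec peer
add address=203.0.113.10/32 auth-method=pre-shared-key secret="ChangeMe-PSK" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes send-initial-contact=yes \
    comment="hq-firewall"

# Phase 2 (ESP): a named proposal rather than editing the default one, PFS on
/ip ipsec proposal
add name=hq-l2tp auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Policy: any local source (the WAN address is dynamic), UDP/1701 to the firewall,
# transport mode (tunnel=no). sa-src-address=0.0.0.0 is the assumed way to let the
# router fill in whichever address it currently holds; compare it against the
# policy RouterOS generates when use-ipsec=yes is set on the client.
/ip ipsec policy
add src-address=0.0.0.0/0 dst-address=203.0.113.10/32 protocol=udp dst-port=1701 \
    sa-src-address=0.0.0.0 sa-dst-address=203.0.113.10 tunnel=no \
    proposal=hq-l2tp action=encrypt level=require comment="l2tp-to-hq"

# L2TP client with the built-in IPsec switch off, so the manual policy applies
/interface l2tp-client
add name=l2tp-hq connect-to=203.0.113.10 user="branch01" password="ChangeMe" \
    use-ipsec=no add-default-route=no disabled=no

# Verify: phase 1 up, then the installed SA pair showing aes-256-cbc / sha256
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

If the firewall is later widened to `ike=aes256-sha256-modp2048,aes128-sha256-modp1536!` (and the matching `esp=`), the client's `enc-algorithm`, `enc-algorithms` and `dh-group`/`pfs-group` lists can be widened the same way; strongSwan picks the first mutually acceptable entry, so keep the strong set first on both sides. Parameter names vary between RouterOS builds, so treat the exact field names here as assumptions and cross-check them with `/ip ipsec export` after the auto-generated config from `use-ipsec=yes` has been created once.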