L2TP IPSEC VPN Configuration Help

alexturner · April 22, 2012, 2:55pm

Hey Guys,

I’m trying to setup a VPN server in the office to allow workers VPN access to the network. I would like the VPN to be as secure as possible and would like all traffic to be encrypted. Is L2TP IPSEC a possibility for point to multipoint environments? I’m having a hard time getting things to work and I’m starting to think that I have a firewall error blocking the incoming requests. I’ve posted my configs below, i’m getting no connection errors and I can’t connect from the LAN or WAN.

[alex@MTRouter1] /ip firewall> export
# jan/03/1970 03:41:18 by RouterOS 5.14
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no
add action=accept chain=input disabled=no protocol=tcp
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=output disabled=no
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
add action=accept chain=input comment="From our LAN" disabled=no in-interface=ether2 src-address=10.0.1.0/24
add action=accept chain=input comment="From Server LAN" disabled=no in-interface=ether3 src-address=10.2.0.0/16
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
add action=accept chain=input disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no src-address=10.0.1.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.2.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=dst-nat chain=dstnat disabled=no dst-address=xxx59 dst-port=500 protocol=udp to-addresses=10.0.1.1 to-ports=500
add action=dst-nat chain=dstnat disabled=no dst-address=xxx59 dst-port=1701 protocol=udp to-addresses=10.0.1.1 to-ports=1701
add action=dst-nat chain=dstnat disabled=no dst-address=xxx59 dst-port=4500 protocol=udp to-addresses=10.0.1.1 to-ports=4500
add action=dst-nat chain=dstnat disabled=no dst-address=xxx.59 dst-port=50 protocol=udp to-addresses=10.0.1.1 to-ports=50
add action=dst-nat chain=dstnat disabled=no dst-address=xxx59 dst-port=50 protocol=tcp to-addresses=10.0.1.1 to-ports=50
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Ipsec:

[alex@MTRouter1] /ip firewall> /ip ipsec export
# jan/03/1970 03:43:02 by RouterOS 5.14
# software id = K17Y-EHXH
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 secret=123456789 send-initial-contact=yes

PPP export:

[alex@MTRouter1] /ip firewall> /ppp export
# jan/03/1970 03:43:40 by RouterOS 5.14
# software id = K17Y-EHXH
#
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
add change-tcp-mss=default local-address=10.3.0.254 name=vpnin only-one=default remote-address=vpn-pool use-compression=default use-encryption=required use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=10.3.0.1 name=jacques password=xxx profile=default-encryption remote-address=10.3.0.2 routes="" service=any
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=10.3.0.1 name=alex password=xxx profile=default-encryption remote-address=10.3.0.3 routes="" service=any
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=10.5.0.1 name=1235 password=12345 profile=default-encryption remote-address=10.5.0.2 routes="" service=any

jandafields · April 23, 2012, 12:12am

Get IPSec working by itself (so you can ping each other’s public IP from each router, and when you do so you will see 2 Installed SA’s on each router.

Then, disable IPSec and get L2TP working by itself (one router is server, other is client).

Getting them working separately will help you identify where the problem is.

Once they both work, turn on your IPSec, and then L2TP will be encrypted with IPSec as it leaves the router.