L2TP/IPsec VPN settings

I am setting up a VPN for my daughter living in another state with an insecure apartment network (see my earlier post: http://forum.mikrotik.com/t/which-vpn-configuration-for-apartment/119873/1)

Basically it will be [Daughter’s hAP Lite] → [NATed Apartment LAN] → [l2TP/IPsec VPN over internet] → [My Home Router RB951G-1HnD] → [Internet access for daughter]

I’ve tested the setup locally and it works, but the IPsec settings are driving me crazy. I understand that IPsec phase 1 is set up by the peer config in Mikrotik and phase 2 is the Proposal setting. I do not want SHA1 hash or 3DES encryption to even be options. I would like the hash to be SHA-256 and either aes128-cbc or aes256-cbc encryption along with PFS. It seems like no matter what I do, if I don’t have SHA1 checked as a hash option, I get a “No suitable proposal found” error in the log. Also, when a connection is successful, how do you know exactly what parameters were agreed upon? The log seems very vague (and is not searchable) and the status doesn’t tell you if PFS is being used or not. Is SHA1 the only thing that works for phase 1? Routers are running version 6.42.1. Please note that her router is doing “dial up” to mine. I cannot do site to site VPN as I have no access to the apartment building hardware.
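As an added illustration (not the poster's configuration or MikroTik's own documentation), the RouterOS 6.42-era CLI for pinning phase 1 and phase 2 to SHA-256, AES-CBC and PFS on the home router, followed by the commands that show what was actually negotiated. The peer address, secret and lifetime are placeholders.

```routeros
# Phase 2 (IPsec proposal): SHA-256 HMAC, AES-CBC only, PFS on.
# The default proposal is edited because dynamic L2TP/IPsec policies use it.
/ip ipsec proposal set [ find default=yes ] \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=modp2048 lifetime=30m

# Phase 1 (IKE peer, pre-6.43 syntax where hash/enc/dh live on the peer).
# Placeholder: 0.0.0.0/0 accepts any dial-in address; replace the secret.
# If a 0.0.0.0/0 peer already exists (e.g. created by the L2TP server's
# use-ipsec option), apply these parameters to it with "set" instead of add.
/ip ipsec peer add address=0.0.0.0/0 \
    exchange-mode=main passive=yes \
    hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 \
    dh-group=modp2048 nat-traversal=yes \
    generate-policy=port-strict secret=CHANGE-ME-PLACEHOLDER

# Verification after the client dials in: what was actually agreed.
/ip ipsec remote-peers print       # phase 1 state, remote address, uptime
/ip ipsec installed-sa print       # per-SA auth-algorithm and enc-algorithm
/ip ipsec policy print             # the dynamic policy and which proposal it uses

# Make IPsec log lines searchable instead of scrolling the whole memory log.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

The installed-sa listing is the authoritative record of the cipher and HMAC in use; a "No suitable proposal found" line means the client offered nothing that intersects the sets above, so compare the client side against this same list.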

Does it have to be L2TP/IPSec? I will just use SSTP VPN

I guess not, but I have no experience with SSTP. I will check it out. If you have any good references I would appreciate it.

OK, so SSTP setup with no certificate is silly easy to set up and shows AES256-CBC encoding. Throughput is pretty slow though. I am testing it from my workplace to home. At work we have a 50Mbps up/down and at home I have 25M down / 6M up. Running speedtest.net shows 2.57M down / 3.97M up through the VPN. I understand it will be slower because it is tcp and not udp but I had hoped for better. Is there anything I can tweak such as the MTU/MRU numbers? Also, as a note to the uninitiated… I banged my head against the wall for days trying to figure out why the VPN would connect but I could hardly get any data through. It finally hit me that Fasttrack was bypassing my mangle rules. After I disabled fasttrack it worked.

This Wiki was very helpful https://wiki.mikrotik.com/wiki/Policy_Base_Routing as well as several of the commercial VPN instructions for a Roadwarrior setup such as this: https://support.purevpn.com/mikrotik-sstp.

Did some testing with the L2TP/IPsec client setup. Performance is much better even if I have to accept SHA1 HMAC. 5.37M down / 5.65M up.