L2TP/IPSEC VPN with Samsung Note 8

I want to create a VPN from my Note 8 to my Mikrotik router.

Current setup:
Router = RB951G
OS = 6.46.2

Phone = Samsung Note 8
OS = v9 “Pie”

I have been looking for months at various VPN examples and tutorials, and I am just confusing myself.

Here is what the PHONE has for setup:

Type:

  • PPTP
  • L2TP/IPSec PSK
  • L2TP/IPSec RSA
  • IPSec Hybrid RSA
  • IPSec Xauth PSK
  • IPSec Xauth RSA
  • IPSec IKEv2 PSK
  • IPSEC IKEv2 RSA

Server Address:

After that, depending on the Type selected, the options change. I have been able to use PPTP; however, that is not an “always on” option. I want one that will always remain on. From what I have read, that means the L2TP/IPSec type.

If I set the phone to L2TP/IPSec PSK, here are my options:

  • L2TP Secret
  • IPSec identifier
  • IPSec Pre-shared Key
  • Username
  • Password
  • Always On VPN

Advanced:

  • DNS Search Domains
  • DNS Servers
  • Forwarding Routes

In trying to read all the various examples and tutorials, I am coming across the fact that many of them were created with older versions of RouterOS, so I am finding that certain settings have been moved. Example:

***Original Posting 04 Dec 2012***
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 secret=vpnsecret send-initial-contact=no

However, in OS 6.46.2, these 2 lines now look like:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=1h
/ip ipsec peer
add name=peer1 passive=yes profile=profile99 send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des,aes-128,aes-192,aes-256 hash-algorithm=sha1
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=1h name=profile99

So it has been a little fun trying to “translate” older settings into the new locations. But as I said, after reading who knows how many forum posts and tutorials and examples, I have just gotten myself completely confused and lost.

My end goal is to have the following devices set up to be an “always on” VPN back to my Mikrotik:

  • A Samsung Note 8
  • A Samsung Galaxy S7
  • A Samsung Galaxy S5
  • A Samsung Tab A

So, I type all that in the hopes someone can help me navigate this endeavor and find a solution. Thank you in advance for your help.

I do have one final question. Once I set this “always on” VPN on these devices, when the phones are away from my house, no big deal. They use the VPN either on VZW’s internet or the local “free” (yeah right) WiFi to get back to the house. But what will happen when these phones are at the house? If I step through the process correctly, they will get access on MY WiFi, go out on the internet, just to turn around and try to access the network they are already on via the VPN. Am I thinking this correctly? Will this affect their internet access when at home on the home WiFi/router?

This blogpost was very helpful for me:
https://blog.johannfenech.com/mikrotik-l2tp-ipsec-vpn-server/

Hi!
I’ve written down the steps I took to have L2TP/IPSEC from my S8 with Android 9 to my Mikrotik.

http://forum.mikrotik.com/t/creating-l2tp-server/135651/12

The config is done in WebFig but I guess you can translate them to CLI.

Why would you leave the VPN on when at home on Wifi? It takes 2 seconds to disable it.

Thank you! I just went through following your example. I think I have it. I need to set up my phone now. I did notice that a couple of the firewall filter rules are showing an error right now:

/ip firewall filter
add action=accept chain=forward comment=L2TP dst-address=192.168.15.0/24 in-interface=L2TP/IPSec_VPN out-interface=bridge1 src-address=192.168.16.0/24
add action=accept chain=forward dst-address=192.168.16.0/24 in-interface=bridge1 out-interface=L2TP/IPSec_VPN src-address=192.168.15.0/24

The error is “L2TP/IPSec_VPN not ready”. Well, that is the name of my out-interface from here:

/interface l2tp-server
add name=L2TP/IPSec_VPN user=remote

But, as I said, I’ve got to load the settings on my phone first and then work on making sure everything is good.

If I set the VPN connection on my phone to be “always on”, it will still be trying to connect via the VPN when I am at home. The goal is to not have to turn the VPN on and off. The reason is that I have some very specific internet rules set up for my son, and I would like them to always be in effect, no matter where he is. This way I know they are always on, and if I can set the VPN to “always on” and not have to turn it on and off, I don’t have to worry about him not activating it.

Again, thank you so much for that post. It was clear, concise, easy to follow, and hopefully the answer to my question.

Good news and bad.

The good. It worked. I was able to get my Note 8 to connect to my home router.

The bad. When I connect, I lose internet. I must have a route or a filter rule wrong somewhere.

EDIT - I think I figured it out. In my phone settings, I set my DNS search domains to 8.8.8.8 and set my DNS servers to my home router. That let me access the web. Now to keep testing.

So if you want your phone to route all traffic through the tunnel, you must go to the advanced options of the tunnel, look for Forwarding Routes, and put 0.0.0.0/0 there. Also check your NAT/masquerade settings in the MikroTik.
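The router side of what the thread describes, pulled together: the 6.46 profile/peer/identity split from the translated settings earlier in the thread, plus the firewall and NAT pieces that an “always on” phone with a 0.0.0.0/0 forwarding route needs to keep internet access. This is an added example, not any poster’s configuration; it assumes the WAN interface is named ether1, uses the thread’s LAN (192.168.15.0/24) and VPN (192.168.16.0/24) subnets, and uses CHANGE-ME placeholders for secrets.

```routeros
# RouterOS 6.46 L2TP/IPsec PSK server in the thread's static-peer layout.
# Addresses are the thread's (LAN 192.168.15.0/24, VPN 192.168.16.0/24);
# the WAN name "ether1" and every CHANGE-ME value are assumptions.
# Pool, PPP profile and user handed to connecting phones
/ip pool
add name=vpn-pool ranges=192.168.16.10-192.168.16.100
/ppp profile
add name=l2tp-vpn local-address=192.168.16.1 remote-address=vpn-pool \
    dns-server=192.168.15.1 use-encryption=yes
/ppp secret
add name=remote password=CHANGE-ME-PASSWORD profile=l2tp-vpn service=l2tp

# Phase 1/2: the thread's working 3des/sha1/modp1024 kept as fallback,
# stronger entries listed first so a client that offers them gets them
/ip ipsec profile
add name=l2tp-ipsec dh-group=modp2048,modp1024 hash-algorithm=sha256,sha1 \
    enc-algorithm=aes-256,aes-128,3des lifetime=1h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=none \
    enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h

# Passive peer + identity replace the old "peer ... secret=" line;
# port-override generates the transport-mode policy for UDP/1701
/ip ipsec peer
add name=l2tp-peer passive=yes exchange-mode=main profile=l2tp-ipsec
/ip ipsec identity
add peer=l2tp-peer auth-method=pre-shared-key secret=CHANGE-ME-PSK \
    generate-policy=port-override
/interface l2tp-server server
set enabled=yes default-profile=l2tp-vpn authentication=mschap2

# Firewall: accept IKE/NAT-T and ESP, and L2TP only when it arrived inside
# IPsec. Forward rules match the VPN subnet rather than the per-user
# binding interface, so they do not depend on that interface being up.
# Place them above any existing drop rules (order matters).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE/NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP only inside IPsec"
add chain=forward action=accept src-address=192.168.16.0/24 \
    dst-address=192.168.15.0/24 comment="VPN clients -> LAN"
add chain=forward action=accept src-address=192.168.15.0/24 \
    dst-address=192.168.16.0/24 connection-state=established,related

# With Forwarding Routes = 0.0.0.0/0 on the phone, all of its traffic exits
# here, so the VPN subnet also needs source NAT to reach the internet
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.16.0/24 out-interface=ether1
```

The phone-side fields map onto this as: IPSec Pre-shared Key = the identity secret, Username/Password = the ppp secret, and DNS Servers = 192.168.15.1 if you want the router to resolve names for the tunnel.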

I apologize for taking so long. I’ve been out of town for work.

I’m not sure I understand the instructions. I went looking for the advanced options to the tunnel, but I believe I am looking in the wrong places. Can you clarify please?