I configured an L2TP tunnel between 2 sites; after capturing with Wireshark I'm seeing packets inside L2TP.
Now I want to encrypt this with IPsec, but my packets are not getting encrypted.
My setup is quite easy: 2 MikroTiks connected to each other, and I want to tunnel between them.
MikroTik 1 has public IP 192.168.1.1 and the other one 192.168.1.2; my L2TP tunnel has IP 10.10.20.1 on MikroTik 1 and the other side on MikroTik 2 has 10.10.20.2.
Now my question is: where do I put my IPsec configs? On my public IP (192.168.1.) or on my tunnel IPs?
I thought my peers should be the 192 addresses and my policy src and dst addresses should be my tunnel addresses, while my SA src and dst are 192?
You can use the easy config of IPsec by specifying an IPsec secret for your L2TP server and client.
That will automatically create the required IPsec config.
Make sure you select “required” for IPsec in the server.
Well, in the past I have once faced the issue that when the server was configured this way, it would not always work when the client was behind double-NAT. This could then be solved by making a manual IPsec peer that specifies generate-policy=port-override instead of the generate-policy=port-strict that the easy IPsec setting made. However, I think there have been fixes in this area and I still need to re-check if this issue still occurs.
When you find that a client cannot connect while others can, and they are behind double-NAT, write down what the easy config has created and then remove the server IPsec setting and re-create the IPsec config manually except that single setting.
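The two approaches described in the replies above, as an added worked example that is not configuration posted by anyone in the thread: a RouterOS CLI configuration for the two routers in the question, first with the easy config (an IPsec secret on the L2TP server and client) and then the manual peer with generate-policy=port-override for the double-NAT case. It assumes RouterOS v6.45 or later (where the pre-shared key and generate-policy are set on /ip ipsec identity rather than on the peer), the public addresses 192.168.1.1 and 192.168.1.2 and tunnel addresses 10.10.20.1/10.10.20.2 from the question, the default IPsec profile and default policy template, and placeholder secrets. Because L2TP itself is carried as UDP port 1701 between the public addresses, the IPsec peer and the generated policy both refer to the public (192.168.1.x) addresses; the tunnel addresses 10.10.20.x are inside the encrypted payload and never appear in the IPsec configuration.

```routeros
# ===== 1. Easy config: one IPsec secret on the L2TP server and client =====
# MikroTik 1 (public 192.168.1.1) is the L2TP server. Secrets are placeholders.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-IPSEC-PSK"
/ppp secret
add name=site2 password="CHANGE-ME-PPP-PASSWORD" service=l2tp \
    local-address=10.10.20.1 remote-address=10.10.20.2

# MikroTik 2 (public 192.168.1.2) is the L2TP client.
/interface l2tp-client
add name=l2tp-to-site1 connect-to=192.168.1.1 user=site2 \
    password="CHANGE-ME-PPP-PASSWORD" use-ipsec=yes \
    ipsec-secret="CHANGE-ME-IPSEC-PSK" disabled=no

# RouterOS now creates the IPsec peer, identity and policy by itself.
# Check on either router: the generated policy must match UDP/1701 between
# 192.168.1.1 and 192.168.1.2, and an SA must be installed for those
# addresses. If no SA is installed, L2TP is still running in clear text.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print

# ===== 2. Manual equivalent on the server for a client behind double-NAT =====
# Identical to what the easy config generates, except
# generate-policy=port-override instead of port-strict, so the policy is
# still generated when the client's UDP source port arrives translated.
# First clear the easy setting on MikroTik 1 so RouterOS does not keep a
# second, conflicting peer for the same client:
/interface l2tp-server server
set use-ipsec=no ipsec-secret=""
# Peer: the remote public address, responder-only (passive=yes), IKEv1 main
# mode; the default profile is used here and should be reviewed for the
# algorithms you want.
/ip ipsec peer
add name=l2tp-site2 address=192.168.1.2/32 exchange-mode=main passive=yes
# Identity: pre-shared key and the policy generation mode from the reply above.
/ip ipsec identity
add peer=l2tp-site2 auth-method=pre-shared-key \
    secret="CHANGE-ME-IPSEC-PSK" generate-policy=port-override
# MikroTik 2 keeps its l2tp-client ipsec-secret from step 1; only the
# server side was recreated. Re-run the three print commands to confirm
# the policy and SA reappear after the client reconnects.
```

The three print commands are the check the question is really asking for: if /ip ipsec installed-sa print is empty while the L2TP interface is up, the tunnel is carrying traffic unencrypted, which is exactly what the Wireshark capture in the question showed.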