L2TP with IPSec, all the examples I find are old or use 3des

I’m trying to set up a mobile VPN for cell phones and laptops for traveling, to eliminate the VNC and HTTP ports that were open in a previous router by another IT services provider. I’ve slowly started working with Mikrotiks and while I have some basics down I seem unable to make this one work. I followed 2 different guides, 1 from the forum and one from a link I found on here http://www.nasa-security.net/mikrotik/mikrotik-l2tp-with-ipsec/

Everything has been a struggle learning with Mikrotik so far, but I’m getting there! Previously I’ve used Sonicwall, Watchguard, Ubiquiti Edgerouters and Cisco. I’d love to just learn to use the CLI but it’s taking time to wrap my head around the commands. Even showing the log was a struggle.

I have included my configuration below. The clients will be various Windows versions, Mac OS X, and Apple and Android phones. I did set up a separate pool for mobile devices to use. In my logs, I get things about proposals while testing from a Mac. Here is the log information when I attempt to connect:

xxx.xxx.xxx.xxx phase 1 negotiation failed
xxx.xxx.xxx.xxx failed to pre-process ph1 packet (side 1, status 1)
xxx.xxx.xxx.xxx failed to get valid proposal.
xxx.xxx.xxx.xxx no suitable proposal found

I get that the connection is attempting, but I’m still so green with all of the options and commands that I don’t even know where to begin to look.

Cleansed config

[admin@R1] > export
# may/30/2017 23:54:52 by RouterOS 6.38.5
# software id = ****-****
#
/interface bridge
add admin-mac=6C:3B:6B:63:30:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wifi \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country="united states" \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wifi5Ghz \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=1234567890 wpa2-pre-shared-key= 1234567890
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
add enc-algorithms=aes-128-cbc name=L2TP-Proposal pfs-group=none
/ip pool
add name=dhcp ranges=10.1.0.101-10.1.0.254
add name=vpn-pool ranges=172.16.31.101-172.16.31.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes comment="L2TP VPN" dns-server=172.16.31.1 local-address=172.31.16.1 name=\
    "L2TP vpn" remote-address=vpn-pool
set *FFFFFFFE dns-server=4.2.2.1,4.2.2.2 local-address=172.16.31.1 remote-address=\
    vpn-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface l2tp-server server
set authentication=mschap2 default-profile="L2TP vpn" enabled=yes ipsec-secret= 1234567890 \
    use-ipsec=yes
/ip address
add address=10.1.0.90/24 comment=defconf interface=ether2-master network=10.1.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.90 netmask=24
/ip dns
set allow-remote-requests=yes servers=4.2.2.1
/ip dns static
add address=10.1.0.90 name=router
/ip firewall filter
add action=accept chain=input comment="L2TP VPN" connection-state=new dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow HTC http" dst-port=4433 protocol=tcp src-address=\
    office1IP-http
add action=accept chain=input dst-port=22 protocol=tcp src-address=office1IP_ssh
add action=accept chain=input dst-port=4433 protocol=tcp src-address=office2IP_http
add action=accept chain=input dst-port=22 log=yes protocol=tcp src-address=office2IP_ssh
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment="VNC 5800 to 10.1.0.91" dst-port=5800 in-interface=ether1 \
    protocol=tcp to-addresses=10.1.0.91 to-ports=5800
add action=dst-nat chain=dstnat comment="VNC 5900 to 10.1.0.91" dst-port=5900 in-interface=ether1 \
    protocol=tcp to-addresses=10.1.0.91 to-ports=5900
add action=dst-nat chain=dstnat comment="Port 80 to 10.1.0.20" dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=10.1.0.20 to-ports=80
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip ipsec peer
add address=0.0.0.0/0 comment=L2TP-IPSec dh-group=modp8192 enc-algorithm=aes-128 exchange-mode=\
    main-l2tp generate-policy=port-strict secret= 1234567890
/ip ipsec policy
set 0 comment=L2TP-Proposal
/ip service
set www port=4433
set www-ssl disabled=no
/ppp secret
add name=test1 password= 1234567890 profile="L2TP vpn" service=l2tp
/system clock
set time-zone-name=America/New_York
/system identity
set name=R1
/system routerboard settings
set init-delay=0s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

It’s pretty easy to setup an L2TP/IPSEC remote access VPN. All it takes is a few clicks in WinBox and the addition of one firewall filter rule.

Using the WinBox GUI, under Quick Set there is a VPN option. Enable “VPN Access” and enter a secret. I confirmed this works for iOS and MacOSX using the L2TP/IPSEC VPN clients. You login using user “vpn” and you set the secret and password to the secret you entered on the Quick Set page. I had to also add firewall filter rules to open ports 500 and 4500 to get it to work. This is under IP->Firewall in the WinBox GUI. Add a filter rule in the Input chain to accept UDP ports 500 and 4500.

To connect from your client you need to know the IP of the MikroTik with the dynamic IP. Again in WinBox, open IP->Cloud. You will see a dialog box to enable a dynamic DNS for your router. Enable this and you can then connect to your router at XXX.sn.mynetname.net from your client.

See also the “L2TP/IpSec setup” section on this page for some more information on manually setting things: https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Thank you! I have come across that, but I’ve already edited my default config by adding firewall rules to permit management remotely. Won’t that make the Quickset vpn not work properly? I do have a static IP for this router. The wiki page is COMPLETELY different from everything else I’ve read, that’s why I’m starting to get confused. To many years and revisions I guess?

EDIT: Also, I’m concerned that the “wizard”, for lack of a better description, isn’t going to use IPSec and will be unencrypted or using PPTP. I’m assuming the client, for example a Mac or iOS, which lets you choose L2TP with IPSec would force it to use IPSec, but I’m concerned that the other VPN options will be open and leave the router more vulnerable due to those various methods all being enabled on the router.

I don’t see why your firewall rules would affect the Quick Set VPN, unless you use the same ports.
I believe the Wiki page is the official reference and should be the most current.
By default L2TP, PPTP, and SSTP are enabled on the server. The client decides what protocol to use when you set it up. You can disable the firewall rules for PPTP and STP if you don’t want to use them.

The Quickset VPN is encrypted using aes-cbc 128,192, or 256 bits. Enabling the Quick Set VPN does the following automatically:

1. The L2TP Server is enabled with the Secret set to the VPN Password.
2. A new address pool “vpn” is created as 192.168.89.2 - 192.168.89.255
3. A new PPP Profile with local address of 192.168.89.1 and vpn pool of “vpn” is created
4. A new PPP Secret is created with user “vpn” and password the same as “VPN Password” from Quick Set menu
5. The default dynamic IPSEC peer is used. (aes-cbc encryption.)
6. Firewall is opened for l2tp, pptp, and sstp automatically.
7. New masquerade rule is created for “vpn” address pool.
   As I said above, I also needed to add a filter rule to allow ports 500 and 4500 (ipsec and nat-t).

If you setup the VPN yourself, you would need to do all the above manually.

So, that definitely worked. I assume I need to create routes to allow VPN users to access LAN subnet?

I’m glad to hear it worked for you

I did not need to create a route to access the LAN behind the Mikrotik, or to browse the Internet through the VPN. I have only one LAN on the Mikrotik at the moment.