Mikrotik L2TP/IPSec Client to Sonicwall L2TP Server

Hi there,

Hoping someone could shed some light on this topic. I’ve been trying for the last few days to configure an L2TP/IPSec Client VPN on my Mikrotik. The intent is NOT to have a site-to-site VPN, but a client-to-site VPN. The reason for this is to prevent me from having to dial a VPN connection from multiple computers. Instead, as I’ve done very successfully with a PPTP VPN, I masquerade and mark the packets that need to go via the VPN. I support multiple clients and it’s often easier if I have my home office set up in such a way that I can simply connect to various computers at the client’s premises without having to dial VPN on my laptop/VMs etc.

With this particular client of mine, they use a Sonicwall NSA2600 firewall. I’ve configured the L2TP VPN Server on the firewall and it works perfectly if the connection is dialed from my office using a Windows 10/OS X computer. I therefore know that in my office, the Mikrotik Firewall should not require any adjustment, at least I’m assuming this due to the fact that computers on the same subnet as the Mikrotik can connect to the L2TP/IPSec VPN without any problems.

The trouble I’m having however is configuring this client VPN on the Mikrotik.

Sonicwall L2TP Policy is set as follows:

Type: IKE Using Preshared Secret

IKE (Phase 1) Proposal:
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800

IPSEC (Phase 2) Proposal:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800

I then went about configuring IPSec on the Mikrotik. Here’s the output of /ip ipsec export:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=8h
add enc-algorithms=3des lifetime=8h name=sonicwall

/ip ipsec peer
add address=41.0.205.250/32 dpd-interval=10s dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-strict lifetime=8h local-address=192.168.88.1 nat-traversal=no secret=XXXXXXXXXX send-initial-contact=no

/ip ipsec policy
add dst-address=41.0.205.250/32 level=unique proposal=sonicwall sa-dst-address=41.0.205.250 sa-src-address=105.237.54.113 src-address=105.237.54.113/32

The Mikrotik has a LAN IP of 192.168.88.1. The WAN IP (dynamic) is currently 105.237.54.113. I have tried various things: having NAT on the peer, making the local-address the WAN IP, doing the same for the Policy, swopping things around, etc. But ultimately no go.

In terms of the L2TP part…
/interface l2tp-client
add add-default-route=yes connect-to=41.0.205.250 default-route-distance=1 disabled=no keepalive-timeout=disabled name="L2TP VPN" password=xxxxxxxxx user=xxxxxxx


Not sure what else I can try here. Based on my not very great knowledge of IPSec, it seems as though Phase 2 never completes. The installed SAs always show no encryption and no authentication. Anyone have any idea what I could try here?

Your policy looks wrong.


dst-address should be the remote destination subnet, and src-address the local subnet - 192.168.88.1.

This is not true if IPSec is used in Transport Mode. Your statement does, however, apply in Tunnel Mode, in which case subnets have to be specified. In Transport Mode you have to specify the end-points, not subnets.
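As an added example (not from the thread), a small Python check that parses the /ip ipsec export quoted in the first post and compares it with the Sonicwall Phase 1/2 settings, including the transport-mode rule from the last reply that the policy selectors must be host end-points rather than subnets. The names duration_seconds, parse_export and check are my own, and the sha1 fallbacks assume RouterOS 6 defaults for unset hash/auth algorithms.

```python
import re
import shlex

# Constructed copy of the /ip ipsec export quoted in the first post (secret is redacted there too).
ROUTEROS_EXPORT = """
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=8h
add enc-algorithms=3des lifetime=8h name=sonicwall
/ip ipsec peer
add address=41.0.205.250/32 dpd-interval=10s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-strict lifetime=8h local-address=192.168.88.1 nat-traversal=no secret=XXXXXXXXXX
/ip ipsec policy
add dst-address=41.0.205.250/32 level=unique proposal=sonicwall src-address=105.237.54.113/32
"""

# Sonicwall Phase 1 / Phase 2 settings as listed in the post (lifetimes in seconds).
SONICWALL = {"phase1": {"enc": "3des", "auth": "sha1", "lifetime": 28800},
             "phase2": {"enc": "3des", "auth": "sha1", "lifetime": 28800}}

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def duration_seconds(value):
    """Convert a RouterOS duration such as '8h' or '1d12h' to seconds."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", value))

def parse_export(text):
    """Map each '/ip ipsec ...' menu to a list of {key: value} dicts, one per 'add' line."""
    menu, out = None, {}
    for line in text.strip().splitlines():
        if line.startswith("/"):
            menu = line.strip()
            out.setdefault(menu, [])
        elif line.startswith("add "):  # 'set [ find ... ]' lines are not needed here
            out[menu].append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return out

def check(config, remote):
    """Return a list of mismatches between the RouterOS side and the remote proposal."""
    findings = []
    peer, policy = config["/ip ipsec peer"][0], config["/ip ipsec policy"][0]
    proposals = {p["name"]: p for p in config["/ip ipsec proposal"]}
    if policy.get("proposal") not in proposals:
        return ["policy references an unknown proposal"]
    proposal = proposals[policy["proposal"]]
    # Phase 1 lives on the peer, Phase 2 on the proposal the policy names (assumed sha1 defaults).
    p1 = {"enc": peer["enc-algorithm"], "auth": peer.get("hash-algorithm", "sha1"),
          "lifetime": duration_seconds(peer["lifetime"])}
    p2 = {"enc": proposal["enc-algorithms"], "auth": proposal.get("auth-algorithms", "sha1"),
          "lifetime": duration_seconds(proposal["lifetime"])}
    for phase, local in (("phase1", p1), ("phase2", p2)):
        for key, want in remote[phase].items():
            have = local[key]
            matched = have == want if key == "lifetime" else want in have.split(",")
            if not matched:
                findings.append(f"{phase} {key}: router {have} vs remote {want}")
    # Transport mode (tunnel=no, the default) needs host end-points, not subnets.
    if policy.get("tunnel", "no") == "no":
        for side in ("src-address", "dst-address"):
            if not policy[side].endswith("/32"):
                findings.append(f"transport mode but {side}={policy[side]} is a subnet")
    return findings
```

With the posted config both phases agree with the Sonicwall side (8h is 28800 s) and the selectors are /32 end-points, so check() returns an empty list.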