Mobile Users IPSEC

Is there a way to connect mobile users with IPsec? Basically, give them a piece of software and login credentials with the IP address of the unit, and they can connect remotely. I have done site-to-site, but I would now like to do mobile users.

Thanks for the help!

Danny

What’s a “mobile user”? Name a few examples. The iPhone has a built-in IPsec client; it can already do that.

I would like it to act the same way as the Cisco Easy VPN concentrator or the Cisco ASA 5505, where users can have a laptop running Win 7 connect to the VPN from anywhere using IPsec and then tunnel only the networks in the tunnel list. Is this possible?

Of course

What VPN client would be used on the client machine? I don’t see one on MikroTik’s website. Is there a tutorial anywhere? Also, this must be done a little differently than site-to-site, because there I had to specify a source and destination IP, which would not be done in this case.

Thanks

Dan

IPsec clients are built into most operating systems by default. You don’t need to install anything.

From Windows: (screenshot of the built-in Windows VPN connection dialog; image not included)

Is there one in XP too?

Also, do you have a tutorial for this and how to set it up on the MikroTik?

Sorry, but for Windows configuration manuals you will have to look in Windows forums. We don’t have a ready-made manual for it.

I actually mean how to configure the RouterBOARD for this.

Thanks

Dan

Yes, read through this:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

The only example I see is site-to-site, which I have successfully done. I just don’t get what to put in when it asks for the remote IP address, and also where to define the pool of IPs that are assigned to the clients.

Thanks for the help

Dan

If the client address is unknown, then set 0.0.0.0/0 as the peer’s address and generate-policy=yes.
See the following example:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP

Hello and thanks for the link.

Can you update the code snippet under adjust firewall settings?

Thanks,

Dan

Hi, I am also doing the same and managed to get this working with static IP addresses on the client.

However, in some cases the remote end will be on a network with a dynamically assigned address, and the above will not work.

I can see the reply:

“If client address is unknown then set 0.0.0.0/0 as peers address and generate-policy=yes.
See following example
http://wiki.mikrotik.com/wiki/MikroTik_ … IPSec/L2TP”

I have a couple of questions:

  1. Where do the remote IP addresses get assigned from?
  2. If we want to give multiple PSKs, how can we identify multiple clients if they are all set with the network ID 0.0.0.0/0?
  3. How can we restrict certain traffic types (FTP, SSH for example) to and from the mobile peer?

Thanks,

Chris

You can do it like this:

# IPsec phase 1: address=0.0.0.0/0 accepts clients from any source address, and
# generate-policy=yes builds the phase 2 policy from what the client proposes,
# so no static src/dst addresses are needed as in the site-to-site case.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=\
    main-l2tp generate-policy=yes hash-algorithm=md5 lifetime=1d \
    my-id-user-fqdn="" nat-traversal=no port=500 secret=\
    "secret" send-initial-contact=yes
# Caveat: nat-traversal=no means clients sitting behind a NAT router cannot
# connect; 3DES/MD5 are weak and only kept here because old clients negotiate them.

# IPsec phase 2 proposal; must match what the L2TP/IPsec clients offer.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024

# PPP profile: both tunnel ends take their address from pool_remote, which must
# already exist under /ip pool before any client can get an address.
/ppp profile
set 0 change-tcp-mss=yes local-address=pool_remote name=default only-one=default \
    remote-address=pool_remote use-compression=default use-encryption=default \
    use-mpls=default use-vj-compression=default

# One PPP secret per mobile user. The secret's profile overrides the server's
# default-profile, so it must be the profile that carries the pool (as posted,
# the secret pointed at default-encryption while the pool was set on default).
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=user1 \
    password="user1password" profile=default routes="" service=\
    any

# L2TP server; the IPsec protection is provided by the peer/proposal above.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=yes \
    max-mru=1460 max-mtu=1460 mrru=disabled

It’s working out of the box with the Android client; for Windows XP you should follow this guide.

This works great with one exception: I don’t want to route ALL of their traffic (i.e. I don’t want them to access the internet through my MikroTik). I just want to grant them access to specific internal resources.

How can I do that?

It is the client’s responsibility to decide which traffic to route over the tunnel. The server can pass split nets if IKEv1/mode-config is used, or use traffic selectors if IKEv2 is used (examples for both are in the manual); however, many client software packages may not accept multiple split nets and will still route everything over the tunnel.
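Two things the thread leaves implicit, as an added example (this is not from the original posts or from MikroTik’s documentation): the address pool that the `pool_remote` profile in the configuration above refers to (Chris’s question 1), and firewall rules that let the IPsec/L2TP traffic reach the router and then enforce, on the router rather than on the client, which internal resources a mobile user may reach and which traffic types are blocked (Chris’s question 3 and the “only specific internal resources” concern). Because the client decides what it routes into the tunnel, filtering in the forward chain is the only way to guarantee a remote user cannot reach the internet or other LAN hosts through the router. The pool range 10.99.0.0/24, the LAN 192.168.88.0/24 and the internal server 192.168.88.10 are assumptions for this example; the posted configuration identifies users by their PPP secret, not by separate IPsec PSKs, which is why a single peer at 0.0.0.0/0 is enough.

```routeros
# Addresses handed to L2TP clients (referenced by local-address/remote-address
# in the PPP profile). The range is an assumption for this example.
/ip pool
add name=pool_remote ranges=10.99.0.10-10.99.0.250

/ip firewall filter
# --- input chain: let the VPN itself reach the router ---
# IKE on UDP/500; UDP/4500 is only used when nat-traversal=yes on the peer.
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IPsec IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
# Accept the L2TP control channel only when it arrived inside an IPsec SA,
# so plaintext L2TP from the internet is never answered.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only inside IPsec"
add chain=input protocol=udp dst-port=1701 action=drop \
    comment="drop unencrypted L2TP"

# --- forward chain: what a connected mobile user may reach ---
# Allow the one internal resource (assumed: an HTTPS server on 192.168.88.10).
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=accept comment="VPN -> internal web"
# Block FTP and SSH in both directions between the VPN pool and the LAN
# (question 3: restrict traffic types to and from the mobile peer).
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.88.0/24 \
    protocol=tcp dst-port=21,22 action=drop comment="no FTP/SSH from VPN"
add chain=forward src-address=192.168.88.0/24 dst-address=10.99.0.0/24 \
    protocol=tcp dst-port=21,22 action=drop comment="no FTP/SSH to VPN"
# Everything else from the VPN pool is dropped: no internet via the router and
# no other LAN hosts, regardless of what the client chooses to route here.
add chain=forward src-address=10.99.0.0/24 action=drop \
    comment="VPN default deny"
```

Rule order matters in RouterOS: the input rules must sit above any general “drop everything from WAN” rule, and the forward rules above any existing “accept established/forward” rule, otherwise they are never evaluated (use `place-before=` or move them in the list). After a client connects, `/ip ipsec installed-sa print` and `/ppp active print` show the SA and the address the user received from the pool, and `/ip firewall filter print stats` shows which of the rules above are actually matching.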