MT as L2TP/IPSec VPN server for Win XP Client with preshared

First let me say, hello to everybody here! This is my first post over here, and of course, I am asking for help from you gurus here. :smiley:
I am a newbie in terms of MikroTik. I have read a big part of the huge manual :smiley: and I installed the MikroTik demo free version locally on one very old PC to train myself, but I still need some help.

I have a very small office and I want to establish an L2TP/IPSec VPN server in my office to connect to my office from a remote location with my Win XP laptop as a client with a preshared key. I am seeking a good and safe solution for a “normal” price. A Win 2003 license is much too expensive for me and I heard that Win 2003 is not so good in terms of VPN. So I am very interested in MikroTik as my VPN server, and I think that license Level 4 will be enough for my needs and the price is very friendly for my pocket. I think that Level 4 is enough for one VPN server and user? Am I right?
I have a DSL connection in my office with a dynamic IP address. If somebody is in the mood for helping a newbie like me, I need your help to explain to me how to configure MikroTik as a VPN server.

My client side:
The VPN client software is the one integrated in Win XP, and I configured it with a preshared key; everything else is default from the wizard.

Server side - MikroTik, I hope:
MikroTik has two ethernet interfaces. I successfully configured a PPPoE client on ether1 for my DSL connection, and a DHCP server on ether2 as the default gateway for my LAN (3 PCs), and this works great. I am using Winbox because I am not so familiar with terminal things, and I think that I also successfully configured the L2TP server and a user with a password, but I have big problems with the configuration of the preshared key and IPSec. I do not understand where the proper place is to put that preshared key and how to configure the IPSec policy. I need help with this.
I also know that UDP port 500, UDP port 4500, and IP protocol 50 need to be allowed as input on the PPPoE internet interface.

Thank you all very, very much for all your help, and I hope that my search for a good VPN server with a reasonable price will stop here with MikroTik and that this will be my solution. Thank you one more time. I really appreciate all help.

You may start from here; these are configuration examples of RouterOS IPSec with a preshared key:
http://www.mikrotik.com/testdocs/ros/2.9/ip/ipsec_content.php#5.44.8.3
L2TP server configuration:
http://www.mikrotik.com/testdocs/ros/2.9/interface/l2tp_content.php#5.24.6

sergejs, thank you very much for your response!! You are such a guru (that is what I can see in your previous posts) so I am feeling a little bit honored by your reply. :slight_smile:

I have already read a very big part of the PDF manual, and I read it again, but those examples are not enough for me in terms of a WinXP client to MT VPN connection. I think that I figured out where to put the preshared key. I think that this is in Secret in IPSec. Am I right?

But it still doesn’t work when I test this. Is it possible that somebody gives me a “command” to put in the terminal for just a basic configuration to work for me? Nothing special, just enough to work for one client, to test it.

Thank you!!

This is the preshared key for the IPSec configuration; however, an L2TP client is required too at Windows as far as I know. Here you may find some articles:
http://support.microsoft.com/search/default.aspx?catalog=LCID%3D2057&spid=3223&query=L2TP+client&adv=&mode=r&cat=False

You need to set up an L2TP server on RouterOS, and set correct settings for ‘ip ipsec peer’ for IPSec (you may set ‘generate-policy=yes’, then the ‘ip ipsec policy’ configuration will be created dynamically); look at the documentation for RouterOS syntax.

sergejs, thank you very much once again.
I know about the Win XP client configuration and I did that without any problem. Of course I also know that an L2TP/IPSec client is required at the Windows side. I am not such an amateur, do not worry. :smiley: I have knowledge about networking. I am far from professional, but still I am very much above an average user. :slight_smile:
My VPN client software is that which is built into Win XP.
I tested my Win XP client locally in the office of one of my friends who has Win 2k3 and everything seems ok at the client side, but when I try to set up MT as a VPN L2TP/IPSec server locally in my LAN for testing purposes it does not work. I successfully configured the L2TP server but IPSec is a problem, it seems. I tried to figure out what you were talking about in your last post, sergejs, but it seems that I am still missing something. Any more hints for me?


P.S. I know that the MT trial is 24h uptime and I think that I am near that limit. Can I do a clean reinstall after 24h of working to continue to test MT in my LAN, and if that works then buy a licence? Is it ok?

For IPSec, you may specify ‘ip ipsec peer’ with address 0.0.0.0 (if the address is dynamic or you do not have information about it), secret (pre-shared-key) and use ‘generate-policy=yes’. It should work.

Oh, problems, problems…
First of all, thanks once again!

But I still have problems. Logically everything should work ok, but it seems that I am constantly missing something. Please take a look at my configuration and help me. I am losing my mind :smiley: trying to resolve this, but I am stuck in one place. Uuuuf..

This is my test situation:
The MikroTik router has IP 192.168.5.1 on the ether1 interface, and a DHCP server is configured on that interface for my LAN.
This is a Winbox screenshot of the configuration of the L2TP/IPSec server on MikroTik and the 2 kinds of errors which I constantly receive on my Win XP SP2 machine (VPN client) when I try to connect to the VPN server MikroTik:

I am trying to establish a VPN connection from my Win client to MikroTik ether1 192.168.5.1 and I constantly get errors: one time I get one error and the next time I get the second error, and all that with the same configuration on both sides (client side and server side) all the time. These two kinds of errors are totally random. Very strange for me.

From what I can see here on this forum - lots of gurus here - I think that this is a piece of cake for lots of you, but I cannot resolve this issue. I am missing something, that must be the case, but what? Please help. tnx!

Use Shiva-SHA and DES encryption, because Windows doesn’t support higher encryption certificates outside of the USA.

M.

thank you maximan for your help, but this still does not work. I tried lots of combinations and nothing works:
This is a screenshot of Winbox

I then tried to troubleshoot this issue on the client side: I tried to disable IPSec on the Win XP SP2 machine, and when I did that an L2TP connection without IPSec was successful between the MT server and the WinXP SP2 client, but when I try to establish L2TP with IPSec it does not work. So I am pretty sure that the problem is with IPSec, but I need more help to figure out what it is.
Are there any more settings which I have to do on the server side (MikroTik)? Please give me some hint; it seems to me that I am slowly losing my mind with this VPN issue :slight_smile: From what I can read here on this forum, it is obvious that MT is such professionally powerful software and my wish should not be a problem for MT. I think there is something missing in my configuration. Perhaps I need some manual IPSec rule or something else? I really need more help. Thanks in advance!

With some XP SP2 I have problems too; I changed the PC with the same config and it worked! There is a problem with some Windows.

M.

Augggh, it sounds like bad news! :slight_smile:
But it is really strange, because I tested this same Win XP SP2 machine with a Win 2k3 SP2 VPN server (my post on top) and everything works great with just default settings. This is confusing me, because MT is much more professionally oriented to hard ISP-level networking demands than Win 2k3, and everything works with Win 2k3 and does not work with MT. Is there anything more I can check on the MikroTik side? Anything?

Did you try with peer’s IP address?

Yes, I test all this in my local LAN and I tried to enter the IP address 192.168.5.200 in that place for the peer’s IP address. And it does not work. This is the IP address which I have configured in the PPP secret as the local address of the VPN server. Is this the proper address to put in the peer’s IP address?

I really hope that I will find a solution with MikroTik because I am so tired of trying to find a good and not so expensive solution for a secure VPN connection, and MT seems so good, but this is really bothering me.

Hello folks!

I’m struggling with the same thing as Janseno describes.
I don’t know whether he made it through, but I cannot get this to work.

I have tried to follow the wiki:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
and have also used this guide:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#PSK

I’ve set it up from scratch several times, but still something prevents me from getting it up and running. At least error 781 surfaced from the connection dialer in XP.

Setting up ROS appears to be rather straightforward, and I believe that setting up the L2TP VPN connection dialer also should be correct.
I’m more frustrated about the IPSec policy snap-in definitions in the MMC. This part seems pretty confusing to me and I cannot say I have the required overview of what is what, and what is important and what is not.
Especially the filters in the policy definitions bother me.
When following the wiki, the filter appears to block all traffic to the MT router, preventing me from Winboxing it to see what is going on.

Will importing the policy provided here help me? http://ntcanuck.com/ipsec/ipsecxp.htm

From forum posts I can see that a lot of people are struggling with this.
Can anyone point me to a bulletproof and repeatable walkthrough so I can establish L2TP with IPSec/PSK dial-in to an MT router?

What version of MT ROS do you have?

I have succeeded with version 3 of MT. Please update to the latest stable version and try.

You have to define the L2TP server and a secret (your username and password) in your MT in PPP, and you also have to define an IPSec peer with address 0.0.0.0/0 (ATTENTION!: not 0.0.0.0, but 0.0.0.0/0) if you have a dynamic IP or you do not know what the IP address of the VPN client would be, then enter your preshared key; also, the easiest way is to set generate policy to yes.

With such a basic setup and a new MT version you should be successful. Also, you have to set up the same username and password and preshared key in your Win XP client machine.

The only big problem that is left for me to solve is that this setup does not work when the client machine is behind NAT, and the reason for that is IPsec, so if somebody knows what to do, please suggest! That is my problem: http://forum.mikrotik.com/t/mtik-l2tp-ipsec-vpn-server-for-win-clients-behind-nat/25451/1

Thanks a lot for taking your time to reply webor! :smiley:

I’m running 3.19.

Ok, I’ll check the IPSec peer settings once again.

Hmm, problems with NAT will affect 99% of the users, I guess. Most likely, people connecting to their corporate VPN server either sit at home behind some DSL router/modem or they are on some kind of hotspot or similar.

However the NAT issue shouldn’t affect me at this stage, right now I’m trying a setup with only a clean RB333 and my laptop directly connected.

I’ll give it another shot this afternoon. Can I PM you details if I’m able to isolate the problem, or maybe I’d rather post it here?

Have you got a clear understanding of what it takes to properly configure the IPSec policy snap-ins in XP? I’m kinda lost in the fog, I find it to be so many lists, property pages and so on, and I don’t know what is essential and what’s not. Not to mention the filters…

Have a nice weekend!

Yes, of course, you can PM me, but I suggest posting it here because there are lots of great experts here that know much more than me, so they can be more helpful to you and also to me.

I have success without any modification to IPsec at the Windows client side, just the default L2TP/IPsec client setup and entering user/pass and preshared key. And it should work. The Windows machine is Win XP SP2.

What did you try, and what do you want to configure in the IPSec policy snap-in?

In order to sort things out I have made a walkthrough, describing the various steps involved.
I have started from the Wiki at
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
and tried to make a guide showing all steps.
As mentioned, the hardest thing to get a hold on is the IPSec definitions in XP, so hopefully this method will get me there one day.

Unfortunately something is wrong, so I still don’t get this to work.
I get different error codes; 781 and 800 when trying to dial.
As far as I can see, no traffic arrives at the MT, so I believe the problem lies in XP. Maybe the filters I define are stopping me?

I would be very thankful if you webor, and anyone else, would take the time to review this walkthrough and tell me where I have missed so I can correct accordingly. Starting from this description should be easier for you than just answering the question: “How do I establish L2TP IPSec from Windows XP”
VPN_MT_WinXP.pdf (712 KB)

Hmm… nobody who has succeeded in this before can spare some minutes on my description? :frowning:

I found all this fooling around in the security policies too confusing at the moment, so I started all over.

One of my problems is getting IPSec to work with XP clients behind NAT. I have enabled NAT-T in the IPSec peer definition, but no use.
I run double NATting; are the NAT-T mechanisms of ROS able to cope with this?

I followed this description, which is very simple:
http://human.network.web.id/2008/01/15/mikrotik-l2tp-ipsec-connect-xp/

This is my config:

```
/interface l2tp-server server set enabled=yes

/ppp secret add name=12345 password=12345 \
    local-address=10.0.0.1 remote-address=10.0.0.2

/ip ipsec peer add address=0.0.0.0/0:500 secret=123456789 \
    generate-policy=yes
```

I connected from my laptop using an HSDPA card, giving me public addresses at both client and server side, and - Voila! - I got in. :smiley:

My question now is whether this setup can be considered secure enough, and eventually which modifications I can make to improve security.

This is the log from the MT VPN server (IP addresses hidden):

10:57:24 ipsec respond new phase 1 negotiation: **.***.176.81[500]<=>**.**.2.9[500] 
10:57:24 ipsec begin Identity Protection mode. 
10:57:24 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
10:57:24 ipsec received Vendor ID: FRAGMENTATION 
10:57:24 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
10:57:24 ipsec 
10:57:25 ipsec the packet is retransmitted by **.**.2.9[500]. 
10:57:25 ipsec ISAKMP-SA established **.***.176.81[500]-**.**.2.9[500] spi:0ac90c13e2ad13a9:ff5bafe67f19f1ec 
10:57:26 ipsec respond new phase 2 negotiation: **.***.176.81[500]<=>**.**.2.9[500] 
10:57:26 ipsec Update the generated policy : **.**.2.9/32[1701] **.***.176.81/32[1701] proto=udp dir=in 
10:57:26 ipsec authtype mismatched: my:hmac-sha peer:hmac-md5 
10:57:26 ipsec IPsec-SA established: ESP/Transport **.**.2.9[0]->**.***.176.81[0] spi=218361543(0xd03eec7) 
10:57:26 ipsec IPsec-SA established: ESP/Transport **.***.176.81[0]->**.**.2.9[0] spi=344047366(0x1481bf06) 
10:57:27 l2tp,ppp,info <l2tp-0>: waiting for call... 
10:57:27 l2tp,ppp,info <l2tp-0>: authenticated 
10:57:28 l2tp,ppp,info <l2tp-0>: connected 
10:57:28 l2tp,ppp,info,account 12345 logged in, 10.0.0.2 
10:57:28 l2tp,ppp,info <l2tp-12345>: using encoding - MPPE128 stateless 
10:57:51 l2tp,ppp,info,account 12345 logged out, 24 4108 286 38 12 
10:57:51 l2tp,ppp,info <l2tp-12345>: terminating... 
10:57:51 l2tp,ppp,info <l2tp-12345>: disconnected 
10:57:52 ipsec ISAKMP-SA expired **.***.176.81[500]-**.**.2.9[500] spi:0ac90c13e2ad13a9:ff5bafe67f19f1ec 
10:57:53 ipsec ISAKMP-SA deleted **.***.176.81[500]-**.**.2.9[500] spi:0ac90c13e2ad13a9:ff5bafe67f19f1ec 
10:57:59 ipsec respond new phase 1 negotiation: **.***.176.81[500]<=>**.**.2.9[500] 
10:57:59 ipsec begin Identity Protection mode. 
10:57:59 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
10:57:59 ipsec received Vendor ID: FRAGMENTATION 
10:57:59 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
10:57:59 ipsec 
10:58:00 ipsec ISAKMP-SA established **.***.176.81[500]-**.**.2.9[500] spi:a71c9b0112749bba:8782e9b94cc010f7 
10:58:00 ipsec respond new phase 2 negotiation: **.***.176.81[500]<=>**.**.2.9[500] 
10:58:00 ipsec Update the generated policy : **.**.2.9/32[1701] **.***.176.81/32[1701] proto=udp dir=in 
10:58:00 ipsec authtype mismatched: my:hmac-sha peer:hmac-md5 
10:58:01 ipsec IPsec-SA established: ESP/Transport **.**.2.9[0]->**.***.176.81[0] spi=18944743(0x12112e7) 
10:58:01 ipsec IPsec-SA established: ESP/Transport **.***.176.81[0]->**.**.2.9[0] spi=3847806699(0xe558deeb) 
10:58:01 l2tp,ppp,info <l2tp-0>: waiting for call... 
10:58:01 l2tp,ppp,info <l2tp-0>: authenticated 
10:58:02 l2tp,ppp,info <l2tp-0>: connected 
10:58:02 l2tp,ppp,info,account 12345 logged in, 10.0.0.2 
10:58:03 l2tp,ppp,info <l2tp-12345>: using encoding - MPPE128 stateless

Anybody that can comment on this?
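Two lines in that log are worth a second look: the "authtype mismatched: my:hmac-sha peer:hmac-md5" line during phase 2, and the fact that, earlier in the thread, L2TP was accepted by the router even with IPSec disabled on the XP client. The following Python checker is an added example (not from the thread or MikroTik): it reads a RouterOS log in the format quoted above, counts the IKE, IPsec and L2TP events, and flags both conditions. The sample log is constructed, with addresses taken from the RFC 5737 documentation ranges and a second login added at 11:12:03 that has no IPsec-SA before it.

```python
import re

# Constructed sample in the format of the RouterOS log quoted in the thread
# (documentation-range addresses; the 11:12:03 login is added to show an L2TP
# session that arrived without an IPsec-SA having been set up before it).
SAMPLE_LOG = """\
10:57:24 ipsec respond new phase 1 negotiation: 198.51.100.81[500]<=>203.0.113.9[500]
10:57:25 ipsec ISAKMP-SA established 198.51.100.81[500]-203.0.113.9[500] spi:0ac90c13e2ad13a9:ff5bafe67f19f1ec
10:57:26 ipsec authtype mismatched: my:hmac-sha peer:hmac-md5
10:57:26 ipsec IPsec-SA established: ESP/Transport 203.0.113.9[0]->198.51.100.81[0] spi=218361543(0xd03eec7)
10:57:26 ipsec IPsec-SA established: ESP/Transport 198.51.100.81[0]->203.0.113.9[0] spi=344047366(0x1481bf06)
10:57:28 l2tp,ppp,info,account 12345 logged in, 10.0.0.2
10:57:28 l2tp,ppp,info <l2tp-12345>: using encoding - MPPE128 stateless
10:57:51 l2tp,ppp,info,account 12345 logged out, 24 4108 286 38 12
11:12:03 l2tp,ppp,info,account 12345 logged in, 10.0.0.2
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (.*)$")


def parse(log_text):
    """Yield (seconds since midnight, topic list, message) for each RouterOS log line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            h, mi, s = (int(x) for x in m.group(1, 2, 3))
            yield h * 3600 + mi * 60 + s, m.group(4).split(","), m.group(5)


def analyse(log_text, window=30):
    """Count IKE/IPsec/L2TP events and flag what a reviewer of this setup should check."""
    report = {"isakmp_sa": 0, "ipsec_sa": 0, "l2tp_logins": 0, "findings": []}
    last_ipsec_sa = None
    for t, topics, msg in parse(log_text):
        if topics == ["ipsec"]:
            if msg.startswith("ISAKMP-SA established"):
                report["isakmp_sa"] += 1
            elif msg.startswith("IPsec-SA established"):
                report["ipsec_sa"] += 1
                last_ipsec_sa = t
            elif msg.startswith("authtype mismatched"):
                # Peer proposed a different ESP auth algorithm than the router's proposal;
                # confirm on the router which algorithm the SA was finally built with.
                report["findings"].append(f"IKE proposal mismatch: {msg}")
        elif "account" in topics and " logged in" in msg:
            report["l2tp_logins"] += 1
            # An L2TP login with no recent IPsec-SA means the server accepted plain L2TP.
            if last_ipsec_sa is None or t - last_ipsec_sa > window:
                hms = f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
                report["findings"].append(f"L2TP login at {hms} with no IPsec-SA in the previous {window}s")
    return report
```

Run `analyse(open("/var/log/router.log").read())` on an exported RouterOS log to get the same report for a real session; the window is a tunable assumption, not a RouterOS setting.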