Good afternoon,
I need some help.
We would like to create a tunnel between a MikroTik device and a PEP30-4G and a MikroTik device, with L2TP IPsec available in the Peplink device.
The Peplink has a public fixed IP address. Any chance to get help from you? Mine is behind NAT and is not the server but a client.
To let you know, I succeeded in creating an L2TP IPsec tunnel between a Windows device and the Peplink, but with MikroTik it doesn't work.
Can I get help please?
Thank you very much
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
Either ask something more specific, or that’s all we can help with.
If it works with Windows, it should not be a big deal. What are the peplink settings for Phase 1 and Phase 2? I don’t ask for the pre-shared key value but for the various encryption and authentication algorithms used.
And post your current Mikrotik configuration, maybe there is a simple mistake. See my automatic signature below on how to avoid posting sensitive information.
Sorry for the lack of info.
Here it is:
```
/interface l2tp-client
add connect-to=51.75.144.77 disabled=no ipsec-secret=admin max-mru=\
    1500 max-mtu=1500 name=l2tp-out1 password=admin use-ipsec=yes \
    user=admin
/interface lte apn
add apn=free default-route-distance=1
/interface lte
set [ find ] apn-profiles=free mac-address=AC:FF:FF:00:00:00 name=lte1 pin=\
    1234
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=10s \
    dpd-maximum-failures=3 enc-algorithm=aes-256 lifetime=8h
add name=olddefo
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=\
    modp1536
add name=proposal1
/ip pool
add name=dhcp_pool0 ranges=192.168.102.2-192.168.102.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1 lease-time=1d name=dhcp1
/ip address
add address=192.168.102.1/24 interface=ether1 network=192.168.102.0
/ip dhcp-server network
add address=192.168.102.0/24 dns-server=192.168.102.1 gateway=192.168.102.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
/ip ipsec policy
add dst-address=51.75.144.77 dst-port=1701 protocol=udp src-address=\
    10.140.64.63/32 src-port=1701
```
By the way, I checked the Microsoft config that is working at the moment.


Thank you very much
According to what you’ve posted, there’s a difference in settings between the devices. On the Mikrotik, you use the automatically generated IPsec peer, identity and policy (because you have specified the ipsec-secret parameter on the /interface l2tp-client row), which means that the default /ip ipsec profile row (aggregating phase 1 settings) and the default /ip ipsec proposal row (aggregating phase 2 settings) are used, so you have to modify them to match the Peplink’s:
```
/ip ipsec profile
set [ find default=yes ] dh-group=ecp384
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=ecp384
```
Also, you should remove the manually created policy since you use the dynamic generation of IPsec settings.
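The comparison made by eye in the last reply can be scripted. The following is an added example, not code from the thread or from MikroTik: it parses a RouterOS export, compares the default phase 1 and phase 2 rows with the peer's values, and flags a manual policy left next to dynamic L2TP IPsec settings. The sample export is constructed with placeholder address and secrets, the `PEER` values are taken from the commands in that reply, and `parse_export` and `audit` are hypothetical names.

```python
import re

# Constructed sample modelled on the export above; address and secrets are placeholders.
EXPORT = r"""
/interface l2tp-client
add connect-to=192.0.2.10 disabled=no ipsec-secret=REDACTED name=l2tp-out1 \
    use-ipsec=yes user=REDACTED
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=10s \
    enc-algorithm=aes-256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=\
    modp1536
/ip ipsec policy
add dst-address=192.0.2.10 dst-port=1701 protocol=udp src-port=1701
"""
# Peer requirements, copied from the commands in the last reply.
PEER = {"/ip ipsec profile": {"dh-group": "ecp384"},
        "/ip ipsec proposal": {"enc-algorithms": "aes-256-cbc", "pfs-group": "ecp384"}}

def parse_export(text):
    """Return {menu: [(verb, {key: value}), ...]}; quoted values with spaces are not handled."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line and menu:
            pairs = dict(re.findall(r"([\w-]+)=(\S+)", line))
            menus[menu].append((line.split()[0], pairs))
    return menus

def audit(text, peer=PEER):
    """List mismatches between the default IPsec rows and the peer's settings."""
    menus, findings = parse_export(text), []
    for menu, wanted in peer.items():
        # the default row is the one exported as "set [ find default=yes ]"
        row = next((kv for _, kv in menus.get(menu, []) if kv.get("default") == "yes"), {})
        for key, value in wanted.items():
            if row.get(key) != value:
                findings.append(f"{menu}: {key}={row.get(key)}, peer expects {value}")
    dynamic = any(kv.get("use-ipsec") == "yes"
                  for _, kv in menus.get("/interface l2tp-client", []))
    manual = [kv for verb, kv in menus.get("/ip ipsec policy", []) if verb == "add"]
    if dynamic and manual:  # static policy next to the auto-generated peer and policy
        findings.append(f"/ip ipsec policy: {len(manual)} manual row(s) to remove")
    return findings
```

Calling `audit(EXPORT)` on the sample reports the `dh-group` mismatch, the `pfs-group` mismatch and the leftover manual policy.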