road warrior VPN with Windows 10

Hello,

I’ve been trying to set up my HaP Lite as an L2TP/IPSec server to make sure my data is safe when browsing from unsecure wifi. The laptop’s IP is not predictable (petrol station, cafe, airport). Here is what I have done so far:

/ip pool add name=vpnPool ranges=192.168.88.100-192.168.88.120

/ppp profile add name="VPN_profile" local-address=192.168.88.1 remote-address=vpnPool use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""

/ppp secret add service=l2tp caller-id="" name="username" password="password" profile=VPN_profile routes="" limit-bytes-in=0 limit-bytes-out=0 disabled=no

/interface l2tp-server add disabled=no name=l2tp-vpn user="username"

/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 default-profile=VPN_profile enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled

/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des,aes-128-cbc lifetime=30m name=default pfs-group=modp1024

#unclear what sa-dst-address and sa-src-address are supposed to be
/ip ipsec policy add action=encrypt disabled=no src-address=192.168.88.0/24 src-port=any dst-address=0.0.0.0 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=192.168.88.100 sa-src-address=192.168.88.99 tunnel=yes

/ip ipsec peer add address=::/0 passive=yes auth-method=pre-shared-key secret="psk" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

/ip firewall filter add chain=input action=accept in-interface=ether1 log=yes log-prefix="vpn_" ipsec-policy=in,ipsec comment="Allow IPSec policy matcher"

/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no comment="Allow L2TP/IPSec"

/ip firewall filter add chain=input action=accept protocol=ipsec-esp log=no comment="Allow IPSec"

The local IP range is 192.168.88.0/24 with the router being 192.168.88.1. The router WAN IP is fixed. The firewall rules are in the right order (I think). This is the log file when I try to connect:

17:58:04 ipsec,info respond new phase 1 (Identity Protection): 152.66.250.95[500]<=>5.204.57.65[500]
17:58:05 ipsec,info ISAKMP-SA established 152.66.250.95[500]-5.204.57.65[500] spi:ef52bd49335b67ac:97097f759bd08546
17:58:06 ipsec,error 5.204.57.65 failed to pre-process ph2 packet.
17:58:08 ipsec,error 5.204.57.65 failed to pre-process ph2 packet.
17:58:09 ipsec,info purging ISAKMP-SA 152.66.250.95[500]<=>5.204.57.65[500] spi=ef52bd49335b67ac:97097f759bd08546.
17:58:09 ipsec,info ISAKMP-SA deleted 152.66.250.95[500]-5.204.57.65[500] spi:ef52bd49335b67ac:97097f759bd08546 rekey:1

I’ve read elsewhere that I should delete the ip/ipsec/groups default group; however, when I try to do that I get an error message.
Any help would be appreciated since I am not even entirely sure what all these commands do.

Thank you,
David Baka
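
Added example, not part of the original post: a small Python triage script that reads the log lines quoted above and reports, per remote peer, how far the IKE negotiation got. The function name `triage`, the event names and the assumption that the remote peer is the second address in each pair are choices made for this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (RouterOS "ipsec" log topic).
SAMPLE_LOG = """\
17:58:04 ipsec,info respond new phase 1 (Identity Protection): 152.66.250.95[500]<=>5.204.57.65[500]
17:58:05 ipsec,info ISAKMP-SA established 152.66.250.95[500]-5.204.57.65[500] spi:ef52bd49335b67ac:97097f759bd08546
17:58:06 ipsec,error 5.204.57.65 failed to pre-process ph2 packet.
17:58:08 ipsec,error 5.204.57.65 failed to pre-process ph2 packet.
17:58:09 ipsec,info purging ISAKMP-SA 152.66.250.95[500]<=>5.204.57.65[500] spi=ef52bd49335b67ac:97097f759bd08546.
17:58:09 ipsec,info ISAKMP-SA deleted 152.66.250.95[500]-5.204.57.65[500] spi:ef52bd49335b67ac:97097f759bd08546 rekey:1
"""

# Assumption: in "local<=>remote" and "local-remote" pairs the remote peer is
# the second address, as the error lines in this log suggest. IPv4 only.
EVENTS = [
    ("ph1_start", re.compile(r"respond new phase 1 .*<=>(?P<peer>[\d.]+)\[")),
    ("ph1_done", re.compile(r"ISAKMP-SA established .*-(?P<peer>[\d.]+)\[")),
    ("ph2_fail", re.compile(r"ipsec,error (?P<peer>[\d.]+) failed to pre-process ph2 packet")),
    ("ph1_purge", re.compile(r"purging ISAKMP-SA .*<=>(?P<peer>[\d.]+)\[")),
]


def triage(log_text):
    """Return {peer: (stage reached, count of phase 2 errors)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        for name, pattern in EVENTS:
            match = pattern.search(line)
            if match:
                seen[match.group("peer")].append(name)
                break
    result = {}
    for peer, events in seen.items():
        ph2_errors = events.count("ph2_fail")
        if "ph1_done" in events and ph2_errors:
            stage = "phase 1 established, phase 2 rejected"
        elif "ph1_done" in events:
            stage = "phase 1 established, no phase 2 error logged"
        elif ph2_errors:
            stage = "phase 2 error without a logged phase 1"
        else:
            stage = "phase 1 not completed"
        result[peer] = (stage, ph2_errors)
    return result


if __name__ == "__main__":
    for peer, (stage, errors) in triage(SAMPLE_LOG).items():
        print(f"{peer}: {stage} ({errors} phase 2 error(s))")
```

An established ISAKMP-SA means phase 1, including pre-shared-key authentication, completed, so for this log the settings to review are the ones negotiated in phase 2 (the `/ip ipsec proposal` and `/ip ipsec policy` entries).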