setup L2TP or any VPN protocol between my pc and Ros

Hello to all my friends here! So I tried a lot to set up a tunneling protocol between my Windows 10 machine and Ros951ui (I am talking about the L2TP protocol), but to no avail.
I don't know if I missed something, but well... I applied a lot of configurations out there from YouTube, Google, etc., but none of them worked.
So has anyone set up L2TP or any other VPN protocol in Ros and gotten an active connection until now?
Please, if anyone can help, thanks in advance.
This is my config in the pictures below.

In the server name or address section of my Windows VPN settings (red colour) I put my public IP address, not my out interface, so does that make a difference?
(attached screenshots: l2tp-7.PNG, l2tp-5.PNG, l2tp-4.PNG, l2tp-3.PNG, l2tp-2.PNG, l2tp-1.PNG)

MT official DOC (screenshot: 2022-09-07_12-08-56.jpg)
Firewall (screenshot: 2022-09-07_12-10-14.jpg)

Very thankful, Mr own3r1138, for your reply!
But what does this address 172.17... represent? Do I have to have a Docker in my case? Also, can you please send your config on your Windows PC?

Keep in mind that my setup is a bit different from what you want to do: my server acts as a VPN server, like any third-party VPN service. There is no LAN in this setup, but besides this, the L2TP server configuration is the same.

  • 172.17.

No, you don't need it; it's just an extra DNS server.

  • do I have to have a docker in my case

No

  • also can you please send your config on your windows pc

Note: check the official document; my P1/P2 is different from the default setting. I'm going to share this part too.

/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm pfs-group=none

Windows PowerShell commands

#IPsec L2TP SHA256 CBC/GCM-AES256 ECP256
#Set-VpnConnectionIPsecConfiguration -ConnectionName "" -RevertToDefault

#GCM
Add-VpnConnection -Name "L2TP-GCM" -ServerAddress "Public-IP" -TunnelType "l2tp" 
Set-VpnConnection -Name "L2TP-GCM" -RememberCredential $True -SplitTunneling $False -EncryptionLevel Required -L2tpPsk "IPsec-secret" -PassThru -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TP-GCM" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup ECP256 -PassThru -Force

#CBC
Add-VpnConnection -Name "L2TP-CBC" -ServerAddress "Public-IP" -TunnelType "l2tp" 
Set-VpnConnection -Name "L2TP-CBC" -RememberCredential $True -SplitTunneling $False -EncryptionLevel Required -L2tpPsk "IPsec-secret" -PassThru -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TP-CBC" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup ECP256 -PassThru -Force

You’re welcome. It should be your public IP.
What are the purposes of your VPN setup? A remote connection?



Yes, I want to access my server that's connected to my MikroTik 951Ui from outside (a different LAN).

It's best to share a network diagram and an export of the config (remove any public IP and sensitive data).

It should be your public IP, at least until I know more about your “different LAN”.

Hello Mr own3r1138! So what do I have to write in my terminal in order to export all my data?
This is my network diagram.
Eth1 represents the out interface with IP 192.168.2.2.
All other interfaces represent the LAN in a bridge interface with IP 192.168.1.1.
In my D-Link router's DMZ section I put the IP address of the out interface of the MikroTik, 192.168.2.1,
so both the MikroTik and the D-Link are in the same DMZ.

Forget DMZ, it's not a wise security move.
What you need to do is port forward the applicable ports from the D-Link router to 192.168.2.2.
For example, if you were using WireGuard it would be the WireGuard port; if it was L2TP it would be port 1701, etc.
On the MikroTik you need to add access to these ports on the INPUT CHAIN.

This is assuming you want the MT to be a server/receiver for initial vpn connectivity.

Hello anav! Yes, I set up an access rule in my MikroTik as you mentioned.
As for the DMZ, it has been there for a while in my network, and until now I didn't encounter any big security issue. The purpose of the DMZ in my case is to set up the forwarding rule
in my MikroTik instead of the D-Link router, and that rule has worked fine until now.

@Techsystem

Simply open your terminal and type “export hide-sensitive”. Copy & paste it into a text editor. Then remove any public IP address or sensitive data. It's ready to be published.
As anav said, you have two main options. I like the first option the most, if it's possible. Also, your public IP is still a valid answer.

  • If your upstream service is PPPoE you could set your TP-link to bridge mode and set your PPPoE in MT.

  • Port forwarding.

Well, how can I do that from the MikroTik side? (Set my D-Link router as a bridge and set my PPPoE in MT?)
I don't think I can find such an option in the PPPoE section. Please, if there is any guide or anything that explains the setup process. So you mean in this case I don't need to use DMZ any more if I do that?

Hello again Mr own3r1138! So this is my MT config.
(attachment: Untitled.txt, 5.44 KB)

I checked your export file; you should remove your software ID and serial number from your export. First, find out how you can continue with your setup, then we'll talk about the MT config.

So you mean in this case I don't need to use DMZ any more if I do that?

Well, firstly, it makes your setup more complex, which is unnecessary. Secondly, nowadays it doesn't add any benefit with regard to security.
Thirdly, in general, MT is more capable than ISP-provided routers.

set my D-Link router as a bridge

First, you have to check if this is something you can achieve.
Mine is TP-Link; however, the TP-Link and D-Link GUIs are much like each other.
(screenshot: 2022-09-08_08-50-59.jpg)

set my PPPoE in MT

The easiest way is to set it up from the Quick Set menu.
(screenshot: 2022-09-08_08-19-44.jpg)

So what about my L2TP config? Is there any problem with it?

Overall, it could be cleaner than it is now.

Your VPN IP pool range should be different from your LAN IP pool. You should also add this to your address list, or use ARP.
The MT wiki recommends that the VPN range should be different.

name=l2tp ranges=192.168.1.200-192.168.1.230

CLI.

/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=192.168.100.1/24 interface=LAN network=192.168.100.0
/ip pool
add name=l2tp ranges=192.168.100.2-192.168.100.254

These are unused.

/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.200
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=8291 protocol=tcp to-addresses=192.168.2.2 to-ports=8291

Could you clarify these rules, please?

dns-server=192.168.130.1

dhcp-server add address=192.168.10.0/24

From your export file.

/ppp profile
set *0 change-tcp-mss=default dns-server=192.168.1.1,192.168.130.1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
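An added example (my own code, not from the thread, from MikroTik or from Microsoft) that audits an exported RouterOS config for the three points raised in this thread: own3r1138's advice that the L2TP pool should not sit inside the LAN subnet, anav's point that the MikroTik input chain must accept the VPN traffic, and whether the `/ip ipsec proposal` can agree with the values a Windows client sets through `Set-VpnConnectionIPsecConfiguration`. The export text inside the script is constructed from fragments posted above; the `/ip firewall filter` lines and the `ether1` address are assumptions added for illustration. It reads the same `export hide-sensitive` output own3r1138 asked for.

```python
"""Audit a RouterOS 'export' for common L2TP/IPsec pitfalls (added example)."""
import ipaddress
import re

# Constructed sample export: pool/address/proposal lines are modelled on the
# thread; the firewall rules and the ether1 address are assumptions.
SAMPLE_EXPORT = """\
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.200
add name=l2tp ranges=192.168.1.200-192.168.1.230
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=192.168.2.2/24 interface=ether1 network=192.168.2.0
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm pfs-group=none
"""


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for each add/set line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            # key=value tokens; '[ find default=yes ]' simply yields default=yes
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections


def pool_overlaps_lan(sections, pool_name="l2tp"):
    """True if either end of the named pool lies inside a configured subnet."""
    nets = [ipaddress.ip_interface(a["address"]).network
            for a in sections.get("/ip address", []) if "address" in a]
    for pool in sections.get("/ip pool", []):
        if pool.get("name") != pool_name:
            continue
        lo, hi = pool["ranges"].split("-")
        if any(ipaddress.ip_address(lo) in n or ipaddress.ip_address(hi) in n for n in nets):
            return True
    return False


# Input-chain accepts an L2TP/IPsec server needs on the WAN side:
# UDP 500 (IKE), UDP 4500 (NAT-T), UDP 1701 (L2TP) and ESP.
REQUIRED_INPUT = {("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("ipsec-esp", None)}


def missing_input_rules(sections):
    """Return the (protocol, port) pairs no accept rule in chain=input covers."""
    accepted = set()
    for rule in sections.get("/ip firewall filter", []):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        proto, ports = rule.get("protocol"), rule.get("dst-port")
        if ports:
            accepted.update((proto, p) for p in ports.split(","))
        else:
            accepted.add((proto, None))
    return sorted(REQUIRED_INPUT - accepted, key=str)


# RouterOS proposal names for the Windows transform constants used in the thread.
WIN_CIPHER_TO_ROS = {"GCMAES256": "aes-256-gcm", "AES256": "aes-256-cbc"}
WIN_AUTH_TO_ROS = {"GCMAES256": None, "SHA256": "sha256"}  # GCM is AEAD: no separate auth


def proposal_matches(sections, cipher_const, auth_const):
    """True if the default proposal offers the cipher/auth the Windows profile sets."""
    prop = (sections.get("/ip ipsec proposal") or [{}])[0]
    encs = set(prop.get("enc-algorithms", "").split(","))
    auths = set(prop.get("auth-algorithms", "").split(","))
    if WIN_CIPHER_TO_ROS.get(cipher_const) not in encs:
        return False
    need_auth = WIN_AUTH_TO_ROS.get(auth_const)
    return need_auth is None or need_auth in auths


if __name__ == "__main__":
    s = parse_export(SAMPLE_EXPORT)
    print("VPN pool overlaps a LAN subnet:", pool_overlaps_lan(s))
    print("Input-chain accepts still missing:", missing_input_rules(s))
    print("L2TP-GCM profile compatible:", proposal_matches(s, "GCMAES256", "GCMAES256"))
    print("L2TP-CBC profile compatible:", proposal_matches(s, "AES256", "SHA256"))
```

On the constructed export the script reports the pool overlap, flags that only `ipsec-ah` and UDP 500/4500 are accepted (ESP and UDP 1701 are not), and confirms both Windows profiles from the PowerShell commands above can agree with the proposal. Run it against a real `export hide-sensitive` by replacing `SAMPLE_EXPORT` with the file contents.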