setup l2tp ipsec vpn

trying to set this up,

followed the wikis but clients don't even show getting denied in the firewall, nor do I see the packet count increase on the firewall rules??? Is there something I'm missing? PPTP seemed to work fine.

Another question: I set up a bridge and changed it to proxy-arp, and this allowed VPN clients to see everything, but I have a feeling I should have set this on an interface and not created a bridge?

Not sure what to provide to troubleshoot the L2TP.

All users are Windows computers.

[root@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500 

 1   chain=input action=accept protocol=ipsec-esp in-interface=WAN 

 2   chain=input action=accept protocol=tcp in-interface=WAN dst-port=1723 

 3   ;;; default configuration
     chain=input action=accept protocol=icmp 

 4   ;;; default configuration
     chain=input action=accept connection-state=established in-interface=WAN 

 5   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=WAN 

 6   ;;; default configuration
     chain=input action=log protocol=tcp in-interface=WAN log-prefix="drop" 

 7   ;;; default configuration
     chain=input action=drop in-interface=WAN



[root@MikroTik] /ip ipsec peer> print
Flags: X - disabled 
 0   address=0.0.0.0/0:500 auth-method=pre-shared-key secret="123456789" generate-policy=yes 
     exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey 
     hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 
     dpd-interval=disable-dpd dpd-maximum-failures=1



[root@MikroTik] /interface l2tp-server server> print
          enabled: yes
          max-mtu: 1460
          max-mru: 1460
             mrru: disabled
   authentication: pap,chap,mschap1,mschap2
  default-profile: default
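An added check, not from the thread: a small Python script that parses the /ip firewall filter print output above (copied into the script as a constructed sample) and reports, for each flow an L2TP/IPsec client has to open, which input-chain rule is the first to accept or drop it. It assumes a new connection (so the established/related rules are skipped) and ignores in-interface, since the dump only has WAN.

```python
# Added example (not from the thread): check a RouterOS '/ip firewall filter
# print' dump for the input-chain rules an L2TP/IPsec client needs.
import re

# Constructed copy of the rules in the post, blank and comment lines removed.
FILTER_PRINT = """\
 0   chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500
 1   chain=input action=accept protocol=ipsec-esp in-interface=WAN
 2   chain=input action=accept protocol=tcp in-interface=WAN dst-port=1723
 3   chain=input action=accept protocol=icmp
 4   chain=input action=accept connection-state=established in-interface=WAN
 5   chain=input action=accept connection-state=related in-interface=WAN
 6   chain=input action=log protocol=tcp in-interface=WAN log-prefix="drop"
 7   chain=input action=drop in-interface=WAN
"""

# Flows a road-warrior L2TP/IPsec client opens towards the router:
# IKE (udp/500), NAT-T (udp/4500), L2TP (udp/1701) and ESP.
REQUIRED = {"ike": ("udp", "500"), "nat-t": ("udp", "4500"),
            "l2tp": ("udp", "1701"), "esp": ("ipsec-esp", None)}

def parse_rules(text):
    """Turn each numbered rule line into a dict of its key=value attributes."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            rules.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', m.group(2))))
    return rules

def matches(rule, proto, port):
    """Would this input-chain rule match a *new* packet of proto/port?
    in-interface is ignored (the dump only has WAN); established/related
    rules are skipped because they never match the first packet."""
    if rule.get("chain") != "input" or "connection-state" in rule:
        return False
    if rule.get("protocol", proto) != proto:
        return False
    ports = rule.get("dst-port")
    return ports is None or port in ports.split(",")

def check_l2tp_ipsec(text):
    """Return {flow: first terminal action}; 'drop' means clients never get in."""
    rules, verdict = parse_rules(text), {}
    for name, (proto, port) in REQUIRED.items():
        verdict[name] = "no-match"
        for rule in rules:
            if matches(rule, proto, port) and rule.get("action") in ("accept", "drop", "reject"):
                verdict[name] = rule["action"]   # 'log' is not terminal, keep scanning
                break
    return verdict
```

With the rules as posted every flow comes back as accept, so the firewall is not what stops the clients; deleting rule 0 from the sample makes the three UDP flows fall through to the final drop, which is the kind of gap this check is meant to catch.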

Once you have an interface in a bridge, you should do things like proxy-arp to the bridge, not to the interface itself, so that is correct.

Also, for IPSec, did you set up the NAT part of it? There should be some NAT accept rule(s) (so that the IPsec traffic doesn't get NATed along with regular internet traffic); look at the wiki for IPSEC again.

I followed
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP#IPSec_configuration

Nothing is mentioned about NAT rules??? Mind cluing me in?

Never mind, that NAT setup is for IPSEC - IPSEC (site-to-site).

Anyway, turn on the debug log on the MikroTik and the PC and see where it is getting stuck. That will help the most at this point.

IPSEC is complex on Windows with all the custom auth/certificate stuff you have to do, double check EVERYTHING. If you have Windows Vista/7, you can instead use the very secure SSTP without any special setup on Windows. Unfortunately, it doesn't work with XP.

Yeah, it was a bug in 4.17; upgrading to 5.8 makes it work flawlessly. Too bad it now broke usermanager.

Always something with this router.