Hello.
I’ve successfully create a config with a L2tp / IPSEC vpn. I’ve created a users, which can be used to connect to the remote LAN. But now I would like to use the Windows RADIUS server, but the Mikrotik is unable to connect to the Radius server. Can somebody help me ?
# sep/27/2015 20:53:09 by RouterOS 6.32.2
# software id = 5UMM-SJI3
#
/interface bridge
add name=bridge-Cisco-Wifi-Gast
add arp=proxy-arp name=bridge-PTGbridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-KPN-DHCP
set [ find default-name=ether2 ] name=ether2-Cisco-Wif-Gasten
set [ find default-name=ether3 ] name=ether3-KPN-Zakelijk
set [ find default-name=ether4 ] arp=proxy-arp name=ether4-PTG-Lan
set [ find default-name=ether5 ] name=ether5-Management
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] disabled=yes name=ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-220D62 \
wireless-protocol=802.11
/ip neighbor discovery
set ether1-KPN-DHCP discover=no
set ether3-KPN-Zakelijk discover=no
/interface vlan
add arp=proxy-arp interface=ether1-KPN-DHCP l2mtu=1594 name=vlan1.6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 comment=\
"PPPoE Client voor KPN-DHCP" default-route-distance=1 disabled=no \
interface=vlan1.6 max-mru=1480 max-mtu=1480 mrru=1600 name=KPN-PPPoE \
password=kpn user=XXXXXXXX@direct-adsl
/ip neighbor discovery
set KPN-PPPoE comment="PPPoE Client voor KPN-DHCP" discover=no
/interface ethernet switch port
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc pfs-group=none
/ip pool
add name=Pool-Cisco-Wifi-Gast ranges=10.254.1.100-10.254.1.200
add name=Pool-L2TP-VPN ranges=192.168.1.45-192.168.1.89
/ip dhcp-server
add address-pool=Pool-Cisco-Wifi-Gast disabled=no interface=\
bridge-Cisco-Wifi-Gast name=Cisco-Wifi-Gasten
/ppp profile
add change-tcp-mss=yes comment="Profile voor L2TP" dns-server=\
192.168.1.11,192.168.1.6 local-address=192.168.1.252 name=L2TP/IPSEC \
remote-address=Pool-L2TP-VPN use-encryption=yes
add change-tcp-mss=yes comment="Profiel voor KPN-DHCP" name=KPN-PPP
/routing bgp instance
set default disabled=yes
/interface bridge port
add bridge=bridge-Cisco-Wifi-Gast interface=ether2-Cisco-Wif-Gasten
add bridge=bridge-PTGbridge interface=ether4-PTG-Lan
add bridge=bridge-Cisco-Wifi-Gast interface=ether6-master-local
add bridge=bridge-Cisco-Wifi-Gast interface=ether7-slave-local
add bridge=bridge-Cisco-Wifi-Gast interface=ether8-slave-local
add bridge=bridge-Cisco-Wifi-Gast interface=ether9-slave-local
/interface ethernet switch host
add ports=ether4-PTG-Lan share-vlan-learned=no switch=switch1 vlan-id=\
4294967295
add share-vlan-learned=no switch=switch1 vlan-id=4095
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP/IPSEC enabled=yes \
ipsec-secret=password use-ipsec=yes
/ip address
add address=192.168.1.253/24 interface=bridge-PTGbridge network=192.168.1.0
add address=10.254.1.254/24 interface=bridge-Cisco-Wifi-Gast network=\
10.254.1.0
add address=X.X.X.74/29 disabled=yes interface=ether3-KPN-Zakelijk \
network=194.45.9.72
add address=10.10.10.10/24 interface=ether5-Management network=10.10.10.0
add address=X.X.X.75/29 interface=ether3-KPN-Zakelijk network=X.X.X.72
add address=194.45.9.77/29 disabled=yes interface=ether3-KPN-Zakelijk \
network=194.45.9.72
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-KPN-DHCP
/ip dhcp-server network
add address=10.254.1.0/24 comment="DHCP Netwerk voor Cisco Wifi-Gast" \
gateway=10.254.1.254
add address=192.168.1.0/24 comment="default configuration" gateway=\
192.168.1.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.254.1.254 name="router 2"
/ip firewall filter
add chain=input comment="LT2P VPN port inkomend" dst-port=1701 in-interface=\
KPN-PPPoE protocol=udp
add chain=input comment="LT2P VPN port inkomend" dst-port=1701 in-interface=\
ether3-KPN-Zakelijk protocol=udp
add chain=input comment="LT2P VPN port inkomend" dst-port=4500 in-interface=\
KPN-PPPoE protocol=udp
add chain=input comment="LT2P VPN port inkomend" dst-port=4500 in-interface=\
ether3-KPN-Zakelijk protocol=udp
add chain=input comment="LT2P VPN port inkomend" dst-port=500 in-interface=\
KPN-PPPoE protocol=udp
add chain=input comment="LT2P VPN port inkomend" dst-port=500 in-interface=\
ether3-KPN-Zakelijk protocol=udp
add chain=input comment="LT2P VPN port inkomend" disabled=yes in-interface=\
KPN-PPPoE protocol=ipsec-esp
add chain=input disabled=yes in-interface=ether3-KPN-Zakelijk protocol=\
ipsec-esp
add chain=input disabled=yes in-interface=KPN-PPPoE protocol=ipsec-ah
add chain=input disabled=yes in-interface=KPN-PPPoE protocol=udp src-port=\
5500
add chain=input comment="Ping accepteren op internet verbinding" disabled=yes \
protocol=icmp
add chain=input comment="Automatisch vinden van Mikrotik vanuit PTG-Lan" \
dst-port=5678 in-interface=bridge-PTGbridge protocol=udp src-address=\
192.168.1.0/24
add chain=input comment="Beheer via WinBox Mikrotik vanuit PTG-Lan" dst-port=\
8291 in-interface=bridge-PTGbridge protocol=tcp src-address=\
192.168.1.0/24
add chain=input comment=\
"Automatisch vinden van Mikrotik vanuit Management Lan" connection-state=\
established,related dst-port=5678 in-interface=ether5-Management \
protocol=udp src-address=10.10.10.0/24
add chain=input comment="Beheer via WinBox Mikrotik vanuit Management-Lan" \
dst-port=8291 in-interface=ether5-Management protocol=tcp src-address=\
10.10.10.0/24
add chain=input comment="Beheer via HTTP Mikrotik vanuit PTG-Lan" dst-port=80 \
in-interface=bridge-PTGbridge protocol=tcp src-address=192.168.1.0/24
add chain=input comment="Beheer via HTTP Mikrotik vanuit Management-Lan" \
dst-port=80 in-interface=ether5-Management protocol=tcp src-address=\
10.10.10.0/24
add action=reject chain=forward comment=\
"Blokkeer verkeer tussen PTG-Lan en Cisco-Wifi-Gast" disabled=yes \
dst-address=10.254.1.0/24 src-address=192.168.1.0/24
add action=reject chain=forward comment=\
"Blokkeer verkeer tussen Cisco-Wifi-Gast en Management Lan" disabled=yes \
dst-address=10.10.10.0/24 src-address=10.254.1.0/24
add action=reject chain=forward comment=\
"Blokkeer verkeer tussen Management Lan en Cisco-Wifi-Gast" disabled=yes \
dst-address=10.254.1.0/24 src-address=10.10.10.0/24
add action=reject chain=input comment=\
"Blokkeer verkeer naar Netwerk Cisco-Wifi-PTG" disabled=yes in-interface=\
bridge-Cisco-Wifi-Gast
add action=reject chain=input comment="Blokkeer verkeer naar Netwerk PTG-Lan" \
disabled=yes in-interface=bridge-PTGbridge
add action=reject chain=input comment=\
"Blokkeer verkeer naar Netwerk Management Lan" disabled=yes in-interface=\
ether5-Management
add action=reject chain=forward comment=\
"Blokkeer verkeer tussen Cisco-Wifi-Gast en PTG-Lan" disabled=yes \
dst-address=192.168.1.0/24 src-address=10.254.1.0/25
add action=drop chain=input comment=\
"Blokkeer al het verkeer vanuit het internet via KPN-DHCP" in-interface=\
KPN-PPPoE
add action=drop chain=input comment=\
"Blokkeer al het verkeer vanuit het internet via KPN-Zakelijk" \
in-interface=ether3-KPN-Zakelijk
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"PTG LAN naar internet via KPN DHCP" dst-address=0.0.0.0/0 out-interface=\
KPN-PPPoE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=\
"Cisco Wifi Gast naar internet via KPN DHCP" dst-address=0.0.0.0/0 \
out-interface=KPN-PPPoE src-address=10.254.1.0/24
add action=masquerade chain=srcnat comment=\
"PTG LAN naar internet via KPN Zakelijk" dst-address=0.0.0.0/0 \
out-interface=ether3-KPN-Zakelijk src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=\
"Cisco Wifi Gast naar internet via KPN Zakelijk" dst-address=0.0.0.0/0 \
out-interface=ether3-KPN-Zakelijk src-address=10.254.1.0/24
add action=dst-nat chain=dstnat comment="NAT 25 SMTP to 25 SRVmail (Getest)" \
disabled=yes dst-address=194.45.9.74 dst-port=25 in-interface=\
ether3-KPN-Zakelijk protocol=tcp to-addresses=192.168.1.5 to-ports=25
add action=dst-nat chain=dstnat comment=\
"NAT 443 HTTPS to 443 SRVmail (Getest)" disabled=yes dst-address=\
194.45.9.74 dst-port=443 in-interface=ether3-KPN-Zakelijk protocol=tcp \
to-addresses=192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat comment=\
"NAT 443 HTTPS to 443 SRVfile (Getest)" disabled=yes dst-address=\
194.45.9.77 dst-port=443 in-interface=ether3-KPN-Zakelijk protocol=tcp \
to-addresses=192.168.1.4 to-ports=443
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
local-address=0.0.0.0 secret=password
/ip route
add check-gateway=ping distance=10 gateway=194.45.9.73
/lcd interface pages
set 0 interfaces="sfp1,ether1-KPN-DHCP,ether2-Cisco-Wif-Gasten,ether3-KPN-Zake\
lijk,ether4-PTG-Lan,ether5-Management,ether6-master-local,ether7-slave-loc\
al,ether8-slave-local,ether9-slave-local,ether10-slave-local"
/ppp aaa
set use-radius=yes
/ppp secret
add name=floris password=floris profile=L2TP/IPSEC service=l2tp
/radius
add address=192.168.1.6 domain=PTG secret=\
pplH^^hH&UYr&^kPF#2P&p4Y8CvJTyy38VP06ozZIM0XR@Af6I src-address=\
192.168.1.252
/system clock
set time-zone-name=Europe/Amsterdam
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-Cisco-Wif-Gasten
add interface=ether3-KPN-Zakelijk
add interface=ether4-PTG-Lan
add interface=ether5-Management
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-Cisco-Wif-Gasten
add interface=ether3-KPN-Zakelijk
add interface=ether4-PTG-Lan
add interface=ether5-Management
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add