I need to set up a VPN between two sites.
Site A uses an RB2011UiAS and has a fixed real IP.
Site B uses an RB951G and is behind the provider’s NAT. The external IP is managed by the provider and changes from time to time.
Both routers are updated to RouterOS 6.38.5.
I have set up an L2TP link between the two sites. Site A is the server, and Site B is the client. It works exactly as expected. But then I got stuck trying to set up the encryption (IPsec). On the client side, there’s a tick box ‘Use IPsec’ and a corresponding ‘IPsec Secret’ field. But I cannot figure out the configuration needed on the server side. Can someone please advise how to set it up properly?
In fact, there’s no reason to stick to L2TP. I could go with IPsec and IKEv2, if that makes more sense… But I need some guidance setting that up, too.
Yes. After I tick “Use IPsec” and put the key (on both ends), the L2TP link doesn’t come up anymore.
In the logs on the client I see “NO-PROPOSAL-CHOSEN” ipsec message.
Hmm, interesting! The only proposal I have on Site B router is the ‘default’ one. It is written in blue font in WinBox, but it does seem to work!
I had to adjust ‘encryption algorithms’ section there, as it only had ‘des’ (not a ‘3des’) enabled for some reason (perhaps I changed it earlier when trying to set it up, and then forgot about it).
After that, the connection was established!
Thanks a lot!!!
Can you please help to set up the same without using L2TP? Just with IPsec and IKEv2…
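The situation the thread describes (L2TP server on Site A, L2TP client behind NAT on Site B, “Use IPsec” ticked on both ends, NO-PROPOSAL-CHOSEN until the default proposal offered more than ‘des’) as a RouterOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. The tunnel addresses (10.255.255.1/2), the username “siteb”, the interface name, the Site A address 198.51.100.1 and the CHANGE-ME secrets are placeholders I chose; the client-side use-ipsec/ipsec-secret parameters are assumed to exist on the RouterOS 6.38.5 the original poster runs, since the poster sees the matching tick box.

```routeros
# ===== Site A: L2TP server with a fixed public IP (RB2011UiAS) =====
# Placeholder tunnel addressing and credentials; replace before use.
/ppp profile add name=l2tp-siteb local-address=10.255.255.1 remote-address=10.255.255.2
/ppp secret add name=siteb password=CHANGE-ME-ppp service=l2tp profile=l2tp-siteb
# "use-ipsec=yes" makes RouterOS create the IPsec peer/policy for L2TP automatically;
# the same pre-shared key must be entered as the client's "IPsec Secret".
/interface l2tp-server server set enabled=yes default-profile=l2tp-siteb use-ipsec=yes ipsec-secret=CHANGE-ME-psk
# The IKE proposal has to contain at least one algorithm the client also offers.
# A proposal that only lists "des" (the state described in the thread) gives the
# client a NO-PROPOSAL-CHOSEN notification; 3des/aes are what the default normally carries.
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp1024
# Accept IKE (UDP/500), NAT-T (UDP/4500, needed because Site B is behind NAT),
# ESP and L2TP (UDP/1701) on the router itself. Move these above any generic
# "chain=input action=drop" rule you already have.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept comment="L2TP/IPsec: IKE, NAT-T, L2TP"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="L2TP/IPsec: ESP"

# ===== Site B: L2TP client behind provider NAT (RB951G) =====
# 198.51.100.1 is a placeholder for Site A's fixed public IP.
/interface l2tp-client add name=l2tp-to-sitea connect-to=198.51.100.1 user=siteb password=CHANGE-ME-ppp use-ipsec=yes ipsec-secret=CHANGE-ME-psk disabled=no
# Keep the proposal identical on both ends so that at least one set matches.
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp1024

# ===== Checks on either side =====
# An established IKE SA and installed ESP SAs mean the proposal negotiation succeeded.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
# NO-PROPOSAL-CHOSEN (and any other IKE failure) shows up here.
/log print where topics~"ipsec"
# The L2TP interface should show R (running) once the PPP session is up on top of IPsec.
/interface l2tp-client print
```

If the log still shows NO-PROPOSAL-CHOSEN after the change, compare `/ip ipsec proposal print` on both routers line by line: the encryption list, the hash and the PFS group all have to overlap, and the proposal that L2TP uses is the one flagged default.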
Hmm… There’s a strange issue.
The encrypted L2TP link works and I can reach hosts located at Site B from my Site A. But Winbox behaves strangely. It connects to the Site B router, but doesn’t show any data. I can open windows in Winbox (e.g. ‘Interfaces’ or ‘Terminal’), the new windows pop up, but there’s nothing inside: no text, just nothing at all! And then after some seconds the Winbox session terminates.
At the same time, I can still access the Site B router via SSH, and it responds fine (I can view and change its configuration).
Perhaps something is wrong with the firewall configuration that partially blocks Winbox traffic. Though, I’m absolutely sure Winbox was working fine before. The only thing that changed is the encryption of the L2TP link…
UPDATE:
Looks like this issue was related to Max. MTU / MRU configuration. I had it set to 1460 / 1400 on the L2TP server side. Reducing both of these to 1300 fixed the problem with Winbox. I will experiment a little more and find a maximum value that still allows for reliable traffic flow.
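The MTU/MRU fix from the update above, plus the two checks that go with it, as RouterOS CLI. This is an added example, not commands from the thread. The static server binding name “l2tp-siteb”, the user “siteb” and the tunnel address 10.255.255.2 are my placeholders; the 1300 value is the one the poster reports as working. The overhead that eats into the 1460/1400 setting is real: each L2TP packet gains an ESP header and trailer, a UDP header for NAT-T, the L2TP header and the PPP header before it fits into the provider’s 1500-byte path.

```routeros
# ===== Site A: L2TP server side =====
# Lower the MTU/MRU the server negotiates with the client. 1460/1400 left no room for
# ESP + NAT-T UDP + L2TP + PPP overhead, so large Winbox replies were lost; 1300 works.
/interface l2tp-server server set max-mtu=1300 max-mru=1300
# Static binding so the server-side tunnel interface has a fixed, usable name
# (placeholder name and user; without this the dynamic interface is named after the user).
/interface l2tp-server add name=l2tp-siteb user=siteb
# Clamp the TCP MSS in both directions through the tunnel so hosts behind either site
# stop sending segments that would have to be fragmented inside IPsec.
/ip firewall mangle add chain=forward out-interface=l2tp-siteb protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu comment="MSS clamp, towards Site B"
/ip firewall mangle add chain=forward in-interface=l2tp-siteb protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu comment="MSS clamp, from Site B"

# ===== Finding the largest value that still passes =====
# "size" in RouterOS ping counts the IP and ICMP headers, so size=1300 sends a packet
# that exactly fills a 1300-byte tunnel MTU. With do-not-fragment set, a value that is
# too large fails instead of being silently fragmented. Raise size step by step until
# replies stop; the last working size is the MTU to configure. 10.255.255.2 is the
# assumed tunnel address of Site B.
/ping 10.255.255.2 size=1300 do-not-fragment count=3
/ping 10.255.255.2 size=1400 do-not-fragment count=3
# Confirm the negotiated values on the running interface.
/interface l2tp-server print detail
```

The ping pair is the experiment the update announces: the largest `size` that still answers with `do-not-fragment` is the ceiling for max-mtu/max-mru, and anything above it reproduces the empty Winbox windows, since Winbox replies are large enough to exceed the tunnel MTU while SSH keystrokes are not.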
Experimentator, can you tell me where you see the “use IPSec” tick box and the place for the password on the CLIENT side (the one with the dynamic external address)?
I can see these options only on the server side, after pressing the L2TP Server button. But I cannot see anything like this while creating the L2TP client on the other router.
Well, you’re luckier than I am. My home router does not have this option. All I have there is “Dial on demand” and “Add default route”.
I was really frustrated trying to figure it out on the client side. Now it seems that… what exactly? That my RB does not support it, or do I have to upgrade the OS?