All,
I’m at my wits’ end with setting up secure VPN on my RB951G-2HnD. Here’s my network configuration:
ether1: internet (modem in bridged mode)
ether2, ether3, ether4: internal network ports
ether5: second internal network (10.0.1.0/24)
wlan1: internal wireless network
bridge: bridge ether1, ether2, ether3, wlan1 to internal network (192.168.0.0/24)
What I’m looking for is the most OS-compatible VPN configuration with the best possible security. I ultimately want VPN users to be on their own separate network (for example, 10.0.2.0/24). I have a DHCP server sitting on 192.168.0.0/24 that only gives out addresses for machines using the bridge.
I’ve tried several ways of setting the VPN up:
- https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
- https://www.nasa-security.net/mikrotik/l2tp-ipsec-vpn-site-to-site-mikrotik-how-to/
- http://forum.mikrotik.com/t/using-l2tp-ipsec-vpn-with-ios-10/101199/1
- https://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
None of these have produced a working VPN configuration, regardless of what tweaks and changes I try. I honestly don’t understand what I’m doing wrong and I can’t seem to find any definitive documentation from Mikrotik on how this is supposed to be configured. Could someone respond with either some “gotchas” to check for, or ideally a step-by-step guide on how to set up an OS-compatible, high-security VPN with the RB951G-2HnD?
For reference, I need the following OSs to work: Windows 7/8.1/10, RHEL 7/CentOS 7, FreeBSD 10.x/11.x, Android 5.x/6.x/7.x, iOS 7.x/10.x, OSX 10.11+. I would also like to avoid using any hash algorithm weaker than SHA-256 and any encryption algorithm weaker than AES-256. 3DES and SHA1 cannot be used.
I’ll accept any/all assistance at this point.
Thanks in advance!
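One way the requirements above map onto a RouterOS configuration, written here as an added example and not taken from the original post, the linked guides or MikroTik's own documentation. It assumes a RouterOS 6.44 or later CLI (where IKE parameters live under `/ip ipsec profile`), a public IP on ether1, and a road-warrior L2TP/IPsec server, since that combination is the one all the listed client OSs ship a native client for. The pre-shared key, the user name and the password are placeholders to be replaced; the 10.0.2.0/24 range is the one named in the post.

```routeros
# --- IKE phase 1: replace the default profile's algorithm set so nothing
# weaker than AES-256 / SHA-256 is ever offered or accepted. The L2TP
# server's dynamic peer uses this "default" profile.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d

# --- IKE phase 2: same policy for the ESP proposal. Setting the lists
# replaces the stock 3des/sha1 entries rather than adding to them.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# --- Address pool and PPP profile so VPN users land on their own
# subnet (10.0.2.0/24) instead of the 192.168.0.0/24 bridge with its DHCP.
/ip pool
add name=vpn-pool ranges=10.0.2.2-10.0.2.254
/ppp profile
add name=vpn local-address=10.0.2.1 remote-address=vpn-pool \
    dns-server=10.0.2.1 use-encryption=yes

# --- One VPN account (placeholder credentials; add one per user).
/ppp secret
add name=CHANGE-ME-USER password=CHANGE-ME-PASSWORD profile=vpn service=l2tp

# --- L2TP server: IPsec is mandatory, MS-CHAPv2 only, shared PSK.
# (IPsec protects the tunnel; PPP's own MPPE encryption is secondary.)
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE-ME-LONG-RANDOM-PSK \
    default-profile=vpn authentication=mschap2

# --- Firewall: let IKE, NAT-T and ESP reach the router on the WAN side,
# placed before the usual "drop everything else on input" rule.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T for L2TP-IPsec"
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP for L2TP-IPsec"

# --- Log IKE negotiation so a client that only proposes 3DES/SHA1 shows
# up as a rejected proposal instead of a silent failure.
/system logging
add topics=ipsec,!packet action=memory
```

With this in place, `/ip ipsec active-peers print` and `/ppp active print` show a connected client, and `/log print where topics~"ipsec"` is the first place to look when a particular OS fails to connect: a client whose native L2TP/IPsec stack does not offer AES-256 with SHA-256 will be logged as a failed proposal match, which is the intended outcome given the post's "3DES and SHA1 cannot be used" rule, but it also tells you which client needs its algorithm list adjusted on its own side.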