vpn L2TP IPsec

Good morning everybody!!! :smiley:

I googled a tutorial about VPN L2TP IPsec and I got this page
http://mahidulsblog.blogspot.com/2013/05/how-to-configure-vpn-with-l2tp-and_19.html

I did everything, but I can't connect to the VPN L2TP.

Please, I need help with this.

This is my config:

       routerboard: yes
             model: 951Ui-2HnD
     serial-number: 43CE02F15315
  current-firmware: 3.07
  upgrade-firmware: 3.05

/ip address
add address=10.10.0.1/16 comment=Lan interface=bridge-local network=10.10.0.0
add address=197.157.193.106/25 comment=Wan interface=ether1-gateway network=\
    197.157.193.0

/ip route
add distance=1 gateway=197.157.193.1

/ip pool
add name=dhcp_pool1 ranges=10.10.0.10-10.10.255.254
add name=L2TP ranges=12.12.12.12-12.12.12.200

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-local name=dhcp1
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=197.157.193.30,197.157.192.250 gateway=\
    10.10.0.1 netmask=24

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0

/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.10.0.1 name=\
    L2TP remote-address=L2TP
/ppp secret
add name=hmd password=hmd profile=L2TP
add name=test password=test profile=L2TP service=l2tp

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256 pfs-group=none
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
    nat-traversal=yes secret=test

First, according to the configuration you provided, you did not enable the L2TP server.
The second problem is that the firewall blocks everything arriving on the WAN port except ICMP.

After your reply I checked my router, I enabled the L2TP server and I added this code in the firewall, but it is still not working.


/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat in-interface=ether1-gat
    12.12.12.0/24

Please give me a good config and I will apply it on my router.

You need to enable UDP port 500, UDP port 1701 and UDP port 4500 (for NAT traversal).

/ip firewall filter add chain=input comment="L2TP ports" action=accept protocol=udp dst-port=500,1701,4500
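As an added example (not from this thread), a small Python audit of a RouterOS export that checks the two problems raised above: whether the L2TP server is enabled, and whether UDP 500/1701/4500 and ESP are accepted in the input chain before the WAN drop rule. The sample export is constructed from the first poster's config with the suggested accept rule appended after the drop rule, which is where a plain `add` places it.

```python
import shlex
# Constructed sample (not a real export): the first poster's input chain, the reply's
# accept rule appended at the end (where a plain "add" puts it), L2TP server still off.
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=input comment="L2TP ports" action=accept protocol=udp dst-port=500,1701,4500
/interface l2tp-server server
set enabled=no
"""
REQUIRED_UDP = {"500", "1701", "4500"}  # IKE, L2TP, NAT-T

def parse_export(text):
    """Return [(section, {key: value})] for each add/set line, joining '\\' continuations."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            section = line
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append((section, kv))
    return rules

def audit(text):
    """List the problems named in the thread; an empty list means none were found."""
    rules, findings = parse_export(text), []
    if not any(kv.get("enabled") == "yes" for s, kv in rules if s == "/interface l2tp-server server"):
        findings.append("L2TP server is not enabled")
    inp = [kv for s, kv in rules if s == "/ip firewall filter" and kv.get("chain") == "input"]
    # Rules run top-down, so only accept rules placed before the WAN drop rule count.
    drop_at = next((i for i, kv in enumerate(inp) if kv.get("action") == "drop" and "in-interface" in kv), len(inp))
    udp_ok = esp_ok = False
    for kv in inp[:drop_at]:
        if kv.get("action", "accept") != "accept":  # RouterOS default action is accept
            continue
        udp_ok |= kv.get("protocol") == "udp" and REQUIRED_UDP <= set(kv.get("dst-port", "").split(","))
        esp_ok |= kv.get("protocol") == "ipsec-esp"
    for ok, msg in ((udp_ok, "UDP 500/1701/4500"), (esp_ok, "ipsec-esp")):
        if not ok:
            findings.append(msg + " not accepted before the WAN drop rule")
    return findings
```

Run `audit()` on the output of `/export` to see which of the two conditions still applies; moving the accept rules above the drop rule (or adding them with `place-before`) clears the firewall findings.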

:astonished: Thank you guys,
now I have my VPN L2TP working.
:slight_smile: :slight_smile:

Hello Team, I hope you are all fine.

I have some problems with my IPsec VPN between multiple sites. My 5 sites are connected through the same ISP with MikroTik router IPsec tunnels. The sites are a, b, c, d, e. Site a is my head office and sites b, c, d, e are my clients (branches). All clients are connected with the head office (a) through IPsec tunnels and are working properly. But the problem is that (b) is not connected to (c, d, e), (c) is not connected to (b, d, e), (d) is not connected to (b, c, e) and (e) is not connected to (b, c, d). In other words, (b, c, d, e) are not connected to each other. All sites have different subnets.
Kindly give me some help with what I should do on my head office MikroTik router (a).

Although I added the subnets in the routes option of my branches, the issue is the same.


Regards
Sohaib

Have you added routes from sites b, c, d, e to site a like this:

/ip route add distance=1 dst-address=192.168.20.0/24 gateway=192.168.10.1

You need multiple routes (one for each site's subnet), all pointing to site A (gateway).

Hi, I'm sorry to hijack this thread.

I need some help. I have set up an L2TP/IPsec configuration and I can successfully connect from the LAN to the router using Win7 and Android, but if I try to connect from the internet to the router it does not work; however, if I first connect using PPTP and then use L2TP, it works. Can somebody help me? Below is my config so far.

May I know whether an L2TP server can work behind NAT? Because my topology is PC—Mikrotik(L2tp Server)—Mikrotik Internet Provider—Internet (cloud).

Regards
Ray

/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridge_switch
/interface wireless
set 2 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=indonesia \
    disabled=no frequency=2442 hide-ssid=yes l2mtu=2290 mode=ap-bridge ssid=\
    MikroTik
/interface ethernet
set 0 name=LAN
set 1 arp=proxy-arp name=WAN
set 2 arp=proxy-arp
set 3 arp=proxy-arp
set 4 arp=proxy-arp
set 8 disabled=yes
set 9 disabled=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256 lifetime=8h pfs-group=\
    none

/ip pool
add name=VPN-L2TP-Pool ranges=192.168.100.2-192.168.100.254
add name=VPN-PPTP-Pool ranges=192.168.101.2-192.168.101.254

/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=L2TP-Profile \
    remote-address=VPN-L2TP-Pool use-encryption=required
add change-tcp-mss=yes local-address=192.168.101.1 name=PPTP-Profile \
    remote-address=VPN-PPTP-Pool use-encryption=required

/interface l2tp-server server
set default-profile=L2TP-Profile enabled=yes max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTP-Profile \
    enabled=yes

/ip firewall filter
add chain=input connection-state=new
add chain=input connection-state=related
add chain=input connection-state=established
add action=drop chain=input connection-state=invalid
add chain=input comment="Allow Port L2TP" dst-port=500,1701,4500 protocol=udp
add chain=output dst-port=500,1701,4500 protocol=udp
add chain=input protocol=ipsec-esp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
    nat-traversal=yes secret=secretkey
	
/ip route
add distance=1 gateway=192.168.1.1

/ppp secret
add name=user-l2tp password=user-l2tp profile=L2TP-Profile service=l2tp
add name=user-pptp password=user-pptp profile=PPTP-Profile service=pptp

Hi mrz,

I used RB450G and set L2TP over IPsec done.
Because I had 6 public IPs and I assigned all of my public IPs to eth1 (WAN),
then I found that I can connect to the VPN server from the WAN,
but the connection can be established from the LAN.

I have allowed UDP 1701, UDP 500, UDP 4500 and ipsec-esp from the WAN,
and set the NAT rules as below:
/ip firewall nat add chain=dstnat dst-address=PublicIp1 action=dst-nat to-addresses=192.168.0.20
/ip firewall nat add chain=srcnat src-address=VpnAddressList action=src-nat to-addresses=PublicIp1
/ip firewall nat add chain=srcnat src-address=PrivateNetWorks/24 action=src-nat to-addresses=PublicIp2

VpnAddressList=192.168.0.10-192.168.0.20
VPN’s IP pool is 192.168.0.10-192.168.0.19
RB450G’s eth2 LAN IP is 192.168.0.20

Since PPTP works fine, I think it may be routing problem.
Do you know how to fix this issue?

Thanks,
lenbo