lovestheporn
L2TP/IPSec and Windows 10 road warriors

Fri Mar 20, 2020 2:07 pm

Hi Guys,

I'm getting a bit stuck configuring my RB1100 for L2TP/IPsec with Windows 10 road warriors; the guides I have found are either outdated or only cover part of the setup.

Does anyone have a guide, or a working config on a gist, that I can look at to get myself set up?

Thanks,
 
joegoldman
Re: L2TP/IPSec and Windows 10 road warriors

Fri Mar 20, 2020 2:54 pm

I literally configured mine by starting from the default config, going into PPP -> L2TP Server, ticking "Use IPsec", and leaving whatever was default under /ip ipsec. Maybe export what you have (with the IPsec PSK and user passwords removed) and post a sample of the log lines from the failed logins, and we can help identify what's wrong.
 
tippenring
Re: L2TP/IPSec and Windows 10 road warriors

Fri Mar 20, 2020 5:50 pm

Here's my template. I think everything is here, but I might have missed something.
 /ppp profile
  # Profile for L2TP users: one session per account (only-one=yes), MPPE
  # required on the PPP layer, addresses from pool.ppp, and each session's
  # interface joins ifl.vpn.trusted so the firewall can treat VPN users as a group.
  add interface-list=ifl.vpn.trusted local-address=172.20.0.1 name=pr.l2tp only-one=yes remote-address=pool.ppp use-encryption=required use-upnp=no

 /ppp aaa
  # User authentication is delegated to RADIUS. Accounting is off, so no
  # per-session start/stop records reach the RADIUS server for auditing.
  set accounting=no use-radius=yes

 /radius
  # Shared secret is a placeholder. RADIUS traffic is not encrypted beyond the
  # shared-secret obfuscation, so keep the path to 172.16.5.22 on a trusted segment.
  add address=172.16.5.22 secret=<RADIUS PSK> service=ppp timeout=2s

 /interface l2tp-server
  # A static L2TP server interface with no user bound to it; presumably a
  # leftover from testing, confirm it is still needed.
  add name=l2tp-in1 user=""

 /interface l2tp-server server
  # L2TP only inside IPsec keyed by a group PSK; MS-CHAPv2 for the user login;
  # one session per client IP. Everyone who has the PSK can impersonate the
  # gateway, so per-user security rests on the RADIUS-backed MS-CHAPv2 login.
  set authentication=mschap2 default-profile=pr.l2tp enabled=yes ipsec-secret=<PSK> one-session-per-host=yes use-ipsec=required

 /ip ipsec proposal
  # ESP: AES-256-CBC with SHA-512/256/1 HMAC (list order is preference; sha1 is
  # presumably kept last for clients that offer nothing stronger) and PFS on MODP-4096.
  set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=modp4096

 /ip pool
  add name=pool.ppp ranges=172.20.0.10-172.20.0.50

 /ip firewall filter
  # Forwarded traffic from VPN users is handed to its own chain, which ends in a
  # logged default drop; only the (elided) accept rules in between are allowed.
  add action=jump chain=forward in-interface-list=ifl.vpn.trusted jump-target=vpn.trusted.in
  ...
  # chain=-------- passthrough rules are visual separators in the rule list, not real chains.
  add action=passthrough chain=--------
  # Echo request only; other ICMP types from VPN users fall through to the drop.
  add action=accept chain=vpn.trusted.in icmp-options=8:0-255 protocol=icmp
  ...
  add action=drop chain=vpn.trusted.in log=yes log-prefix="Def Drop: "
  add action=passthrough chain=--------
And here is the PowerShell to add the VPN connection on the Windows 10 client (it needs an elevated prompt because of -AllUserConnection; note that a PSK typed on the command line stays in the PowerShell history):
# Machine-wide L2TP/IPsec profile for the road-warrior client. The IPsec side
# is keyed by the shared PSK; the user is then authenticated with MS-CHAPv2
# using the Windows logon credentials (UseWinlogonCredential). Split tunneling
# is off, so all client traffic goes through the tunnel once connected.
# NOTE(review): the PSK literal ends up in PSReadLine history and any
# transcript; clear it or prompt for it when running this outside a lab.
$vpnProfile = @{
    Name                  = 'SLHV CNE'
    ServerAddress         = '<URL or IP>'
    AllUserConnection     = $true
    AuthenticationMethod  = 'MSChapv2'
    TunnelType            = 'L2TP'
    L2tpPsk               = '<PSK>'
    SplitTunneling        = $false
    EncryptionLevel       = 'Required'
    UseWinlogonCredential = $true
    PassThru              = $true
    Force                 = $true
}
Add-VpnConnection @vpnProfile
 
lovestheporn
Re: L2TP/IPSec and Windows 10 road warriors

Sat Mar 21, 2020 6:31 pm

Thanks tippenring,

I think I managed to stumble across all the bits. It's good to know I still needed the PowerShell to get Windows 10 working.

I'm confused by the `ipsec-policy=in,ipsec` matcher that I read about for securing an L2TP/IPsec server.

My aim is a secure setup that only exposes the ports IPsec needs plus SSH.
[admin@MikroTik] > export
# mar/21/2020 16:13:37 by RouterOS 6.46.4
# software id = 
#
# model = RB1100Dx4
/interface ethernet
# ether1 faces the upstream router on 192.168.0.0/24, ether2 the internal LAN;
# both are pinned to 100 Mbps.
set [ find default-name=ether1 ] speed=100Mbps name=WAN
set [ find default-name=ether2 ] speed=100Mbps name=LAN
# Every unused port is administratively down, so a stray cable into the
# RB1100 cannot join the network.
set [ find default-name=ether3 ] speed=100Mbps disabled=yes
set [ find default-name=ether4 ] speed=100Mbps disabled=yes
set [ find default-name=ether5 ] speed=100Mbps disabled=yes
set [ find default-name=ether6 ] speed=100Mbps disabled=yes
set [ find default-name=ether7 ] speed=100Mbps disabled=yes
set [ find default-name=ether8 ] speed=100Mbps disabled=yes
set [ find default-name=ether9 ] speed=100Mbps disabled=yes
set [ find default-name=ether10 ] speed=100Mbps disabled=yes
set [ find default-name=ether11 ] speed=100Mbps disabled=yes
set [ find default-name=ether12 ] speed=100Mbps disabled=yes
set [ find default-name=ether13 ] speed=100Mbps disabled=yes
/ip ipsec mode-config
# mode-config hands addresses to IKEv2 mode-config clients; L2TP/IPsec clients
# get theirs from the PPP pool below, so this entry looks unused in this setup
# (harmless; confirm before removing).
set [ find default=yes ] src-address-list=local-RW
/ip ipsec profile
# IKE phase 1, negotiated before any L2TP packet is accepted: ECP-256 preferred,
# then MODP-4096/2048; AES-256 or Camellia-256; SHA-256. List order is the
# preference order, so keep it as written.
set [ find default=yes ] hash-algorithm=sha256 enc-algorithm=aes-256,camellia-256 dh-group=ecp256,modp4096,modp2048
/ip ipsec proposal
# IKE phase 2 / ESP: AES-256 (CBC, CTR or GCM) or Camellia-256 with SHA-256
# HMAC and PFS on ECP-256. The client's offer must intersect this list.
set [ find default=yes ] pfs-group=ecp256 auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256
/ip pool
# Addresses leased to L2TP users; 192.168.255.1 is the router's end (profile below).
add ranges=192.168.255.2-192.168.255.254 name=pool1-L2TP_users
/ppp profile
# *0 is presumably the built-in "default" profile, which the L2TP server below
# references. use-encryption=required demands MPPE on the PPP layer; the IPsec
# transport SA already encrypts the L2TP packets, so MPPE is a second layer here.
set *0 local-address=192.168.255.1 remote-address=pool1-L2TP_users dns-server=1.1.1.1 use-encryption=required use-compression=yes use-mpls=no use-upnp=no
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip neighbor discovery-settings
# No MNDP/CDP/LLDP announcements on any interface.
set discover-interface-list=none
/interface l2tp-server server
# use-ipsec=required: L2TP is only accepted inside an IPsec SA keyed by
# ipsec-secret. That PSK is shared by every road warrior, so anyone holding it
# can pose as the gateway, and per-user security then rests on the MS-CHAPv2
# login. Rotate the PSK when a user leaves, or move to certificate-based IKEv2.
set enabled=yes use-ipsec=required ipsec-secret=XXXXXXXXXX authentication=mschap2 default-profile=default
/ip address
# WAN sits on a private subnet behind another router (default route via
# 192.168.0.1 below), so inbound IPsec only works if that router forwards
# UDP/500 and UDP/4500 here, and clients will negotiate NAT-T.
add interface=WAN address=192.168.0.27/24 network=192.168.0.0 comment=defconf
add interface=LAN address=10.0.0.10/24 network=10.0.0.0 comment="Internal Network Interface"
/ip cloud
set update-time=no
/ip dns
# The router resolves for whoever reaches its input chain (LAN and VPN
# clients; WAN is dropped by the filter). The PPP profile hands VPN users
# 1.1.1.1 directly, so they normally bypass this resolver.
set servers=1.1.1.1 allow-remote-requests=yes
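/ip firewall address-list
# VPN pool, referenced by the IPsec mode-config entry.
add list=local-RW address=192.168.255.0/24
/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept comment="defconf: accept ICMP" protocol=icmp
add chain=input action=accept comment="defconf: accept established,related" connection-state=established,related
# Restored from the default firewall: invalid-state packets never need a reply.
add chain=input action=drop comment="defconf: drop invalid" connection-state=invalid
# SSH is accepted from ANY interface, including WAN, because this rule sits
# before the "drop all from WAN" rule. If the box is only managed from LAN/VPN,
# add in-interface=!WAN (or a src-address-list of admin hosts) to this rule.
add chain=input action=accept comment="Allow ssh" protocol=tcp dst-port=22
# UDP/1701 (L2TP) is only accepted when the packet arrived inside an inbound
# IPsec SA, so cleartext L2TP from the internet never reaches the PPP server.
add chain=input action=accept comment="Allow l2tp" protocol=udp dst-port=1701 ipsec-policy=in,ipsec
# IKE (500), NAT-T (4500) and ESP from WAN. The separate any-interface UDP/4500
# rule that used to precede this was redundant: WAN is covered here and other
# interfaces fall through to the chain's default accept.
add chain=input action=accept comment="IPSec incoming" in-interface=WAN protocol=udp dst-port=500,4500 log=yes log-prefix=pass-ipsec
add chain=input action=accept comment="IPSec incoming" in-interface=WAN protocol=ipsec-esp log=yes log-prefix=pass-ipsec
# Everything else arriving on WAN (Winbox, DNS, ...) is dropped. This does not
# cover VPN clients: their packets enter on the l2tp interface and hit the
# chain's default accept, so they can reach every enabled router service.
add chain=input action=drop comment="defconf: drop all from WAN" in-interface=WAN log=yes log-prefix=drop-from-wan
# ---- forward: traffic through the router ----
# fasttrack must precede the accept for established/related; in the original
# order the accept matched first and the fasttrack rule never fired. Connections
# marked ipsec stay on the slow path so IPsec policies still apply to them.
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
add chain=forward action=accept comment="defconf: accept established,related" connection-state=established,related
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=drop-invalid
add chain=forward action=drop comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes log-prefix=drop-no-dstnat
/ip firewall mangle
# Marks IPsec-policy traffic in forward so it is excluded from fasttrack above.
# L2TP/IPsec road-warrior traffic terminates on the router (input chain), so
# these marks presumably only matter for any site-to-site policies added later.
add chain=forward action=mark-connection comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
add chain=forward action=mark-connection comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
# Single masquerade towards the upstream; VPN clients' internet traffic leaves
# through here too, since the pool is private address space.
add chain=srcnat action=masquerade out-interface=WAN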
/ip route
# Default route via the upstream router on the WAN subnet.
add gateway=192.168.0.1 distance=1
/ip service
# Cleartext and API management services off. ssh stays on and is accepted from
# every interface by the input chain; winbox (not listed here) presumably stays
# enabled too and is reachable from LAN and VPN clients, but dropped from WAN.
disable telnet,ftp,www,api,api-ssl
/ip ssh
# 4096-bit host key, legacy ciphers/MACs off. Remote forwarding (ssh -R) is
# still allowed, so an SSH user can expose listening ports on the router.
set strong-crypto=yes host-key-size=4096 forwarding-enabled=remote
/system clock
set time-zone-name=Europe/London
/system logging
# IPsec negotiation messages go to the default log action; useful while
# debugging Windows clients, noisy once things work.
add topics=ipsec
/tool bandwidth-server
set enabled=no
/tool mac-server
# No MAC-telnet, MAC-Winbox or MAC-ping on any interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager
 
lovestheporn
Re: L2TP/IPSec and Windows 10 road warriors

Mon Mar 23, 2020 2:01 pm

Last question: the VPN clients can connect and reach the internet through the tunnel, but they cannot reach the internal network.

I have an internal network of 10.0.0.0/24 and a VPN pool of 192.168.255.0/24. I'm trying to add a masquerade but it's not working — any ideas?

EDIT: never mind — the host I was testing against had its own firewall on, blocking ICMP. All good!
