After struggling for a few days, I just want to share a working road-warrior setup with strongSwan as the server and MikroTik / Windows 10 as the VPN clients!
Assumptions
strongSwan (public static IP) -> MikroTik 6.48.1 (behind a NAT router)
VPN Server (Strongswan)
ipsec.conf
# strongSwan ipsec.conf for an L2TP/IPsec road-warrior server with
# Windows 10 and MikroTik clients.
# The pre-shared key itself is not in this file; strongSwan reads it
# from ipsec.secrets (not shown in this post).
config setup
    # CRL caching only matters for certificate authentication; it appears
    # unused by the PSK-only conn below.
    cachecrls=yes
    # Tear down the old IKE SA when the same peer identity connects again.
    uniqueids=yes
    # Verbose IKE / kernel / config logging: lets you watch both phase 1
    # and phase 2 between server and client, which is hard to troubleshoot
    # otherwise. NOTE(review): this is a troubleshooting level — lower it
    # once the setup works, verbose IKE logs are large and carry
    # negotiation detail you may not want retained long-term.
    charondebug="ike, knl 3, cfg 2"

# Settings inherited by every conn below.
conn %default
    # Never give up re-keying / re-establishing.
    keyingtries=%forever
    # Dead peer detection: probe every 30s, give up after 120s of silence.
    dpddelay=30s
    dpdtimeout=120s

conn L2TP
    # On DPD timeout just drop the SA; the road warrior reconnects itself.
    dpdaction=clear
    left=your_public_ip_address
    leftsubnet=your_subnet_behind_the_vpn_server
    # Server identifies itself by its public address; clients must use the
    # same value as the remote ID.
    leftid=your_public_ip_address
    leftauth=psk
    # Restrict the SA to L2TP (UDP/1701) on the server side; any source
    # port on the client side, since clients sit behind NAT.
    leftprotoport=17/1701
    rightprotoport=17/%any
    # Accept clients from any address.
    right=%any
    # One pre-shared key is shared by every roaming client: a lost or
    # compromised device exposes the key for all of them, so plan to rotate
    # it in ipsec.secrets when a device goes missing.
    rightauth=psk
    # IKE SA rekey interval and child (ESP) SA lifetime.
    ikelifetime=1h
    keylife=8h
    # aes256-sha1-ecp384 is the proposal Windows 10 offers. The modp1024
    # entries are only for older clients: 1024-bit MODP groups are below
    # current recommendations, keep them only while some client needs them.
    # The trailing '!' makes the list strict — nothing else is accepted.
    ike=aes256-sha1-ecp384,aes256-sha256-modp1024,aes128-sha1-modp1024!
    # aes256-sha1 (no PFS group) is what Windows 10 expects.
    esp=aes256-sha1,aes256-sha256-modp1024,aes128-sha1-modp1024!
    # To match the fields in the WinBox GUI, read the proposals as:
    #   ike=encryption_algorithm-authentication_algorithm-pfs_group
    #   esp=encryption_algorithm-authentication_algorithm-pfs_group (optional), e.g. aes256-sha1
    # Load the conn at startup and wait for the client to initiate.
    auto=add
    # Accept IKEv1 or IKEv2; presumably left open because Windows L2TP/IPsec
    # negotiates IKEv1 — confirm against your clients.
    keyexchange=ike
    # Transport mode: IPsec only protects the L2TP/UDP packets, the tunnel
    # itself is L2TP.
    type=transport
/etc/xl2tpd/xl2tpd.conf
; xl2tpd configuration for the L2TP side of the road-warrior server.
[global]
; SA reference tracking off. NOTE(review): without saref xl2tpd presumably
; cannot tell apart two clients arriving from the same NAT address —
; confirm this is acceptable for your users.
ipsec saref = no
; All xl2tpd debug channels off; enable them one at a time when the L2TP
; layer (rather than IPsec) needs troubleshooting.
debug tunnel = no
debug avp = no
debug network = no
debug state = no

[lns default]
; Pool handed to PPP clients, and the server-side PPP address.
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
; Refuse any session whose PPP peer does not authenticate.
require authentication = yes
; Server name announced to the peer.
name = l2tp
pass peer = yes
ppp debug = no
; pppd options applied to every session.
pppoptfile = /etc/ppp/options.xl2tpd
; Always include the length field in L2TP data packets.
length bit = yes
; Presumably authenticates PPP users against the system account database
; instead of chap-secrets — verify that this matches the CHAP/MS-CHAPv2
; requirement in the pppd options file.
unix authentication = yes
/etc/ppp/options.xl2tpd
# pppd options for every L2TP session (referenced by xl2tpd.conf).
# Peer authentication: CHAP for non-Windows clients, MS-CHAPv2 for Windows 10.
# NOTE(review): with both present pppd presumably accepts whichever the peer
# negotiates; if every client supports MS-CHAPv2, requiring only that avoids
# falling back to the weaker MD5-CHAP — confirm against your client mix.
require-chap #### required for non-Windows CHAP authentication
require-mschap-v2 #### required for Windows 10 authentication
# Let the peer propose the addresses of both ends (xl2tpd supplies them).
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to clients.
ms-dns 10.0.0.1
# Require the peer to authenticate before traffic is forwarded.
auth
# Disconnect after 30 minutes without traffic.
idle 1800
# Lowered MTU/MRU, presumably to avoid fragmentation inside L2TP/IPsec.
mtu 1200
mru 1200
# Do not replace the server's default route with the client link.
nodefaultroute
lock
# Answer ARP on the LAN for client addresses so LAN hosts can reach them.
proxyarp
# Wait up to 5000 ms for the first valid PPP packet.
connect-delay 5000
# Local name used when looking up secrets.
name l2tpd
# NOTE(review): a fixed interface name cannot be reused by a second
# concurrent session — verify behaviour with more than one client connected.
ifname l2tp
# 'login' authenticates against the system password database with PAP;
# with CHAP/MS-CHAPv2 required above its effect is unclear — confirm.
login
logfile /var/log/xl2tpd.log