loloski
Strongswan RoadWarrior VPN (PSK) Setup

Fri Apr 02, 2021 7:01 am

Hey,

After struggling for a few days, I just want to share a successful roadwarrior setup between strongSwan and MikroTik / Windows 10 as a VPN client!
Assumptions:
strongSwan (public static IP) -> MikroTik 6.48.1 (behind a NAT router)

VPN server (strongSwan)
ipsec.conf
config setup
    cachecrls=yes
    uniqueids=yes                      # a new IKE SA with the same identity replaces the old one; use "never" if several clients present the same identity
    charondebug="ike 2, knl 3, cfg 2"  # every subsystem needs a level: "ike" without a number stops the parser and no debug flags get applied at all
                                       # this lets you see both phase 1 and phase 2 between server and client; without it troubleshooting is hard

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s


conn L2TP
    dpdaction=clear
    left=your_public_ip_address
    leftsubnet=your_subnet_behind_the_vpn_server   # not used in transport mode; reaching the LAN is handled by pppd/xl2tpd below
    leftid=your_public_ip_address
    leftauth=psk
    leftprotoport=17/1701                          # L2TP is UDP 1701 on the server side

    rightprotoport=17/%any                         # the client's source port is random behind NAT, so accept any
    right=%any
    rightauth=psk
    ikelifetime=1h
    keylife=8h
    ike=aes256-sha1-ecp384,aes256-sha256-modp1024,aes128-sha1-modp1024! # aes256-sha1-ecp384 is the Windows 10 proposal; trailing "!" = strict, nothing else is accepted
    esp=aes256-sha1,aes256-sha256-modp1024,aes128-sha1-modp1024!        # aes256-sha1 is what Windows 10 expects
                                                                        # sha1 and modp1024 are kept only for client compatibility; drop them once every client does the stronger proposals
                                                                        # to match up with the GUI in Winbox, this is how it maps:
                                                                        # ike=encryption_algorithm-hash_algorithm-dh_group          (IPsec profile)
                                                                        # esp=encryption_algorithm-auth_algorithm-pfs_group         (IPsec proposal, pfs_group optional) e.g. aes256-sha1
    auto=add
    keyexchange=ike
    type=transport                                 # L2TP/IPsec uses transport mode, not tunnel mode
    
/etc/xl2tpd/xl2tpd.conf
    
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no


[lns default]
ip range = 10.0.0.20-10.0.0.30       ; addresses handed out to clients
local ip = 10.0.0.1                  ; server end of the PPP link
require authentication = yes         ; passes "auth" to pppd: the peer must authenticate
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes            ; passes "login" to pppd, which only covers PAP (see options.xl2tpd)
    
/etc/ppp/options.xl2tpd

require-chap                 # MD5-CHAP, for non-Windows 10 clients (MikroTik, Linux)
require-mschap-v2            # MS-CHAPv2, required for Windows 10 authentication (both options accumulate; MS-CHAPv1 stays refused)
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1              # assumes a resolver listening on the server's PPP address
auth
idle 1800
mtu 1200                     # leaves room for the L2TP + UDP + ESP overhead
mru 1200
nodefaultroute
lock
proxyarp                     # server answers ARP for the client addresses on the 10.0.0.0/24 LAN
connect-delay 5000
name l2tpd                   # local name, must match the server column in /etc/ppp/chap-secrets
ifname l2tp                  # fixed interface name: a second concurrent client cannot get the same name, drop this for more than one roadwarrior
login                        # only used for PAP; CHAP/MS-CHAPv2 peers are checked against /etc/ppp/chap-secrets
logfile /var/log/xl2tpd.log

Hope this might help someone in the process :)
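The post does not show where the PSK and the PPP credentials are stored. As an added example (not part of loloski's post), the following POSIX shell script generates a random PSK, stages /etc/ipsec.secrets and /etc/ppp/chap-secrets into a directory and checks that both end up mode 600. The server address 203.0.113.10, the user name mikrotik-site1 and the staging directory are assumptions; the `%any` on the right side matches `right=%any` / `rightauth=psk` in the conn above, and the `l2tpd` column must equal `name l2tpd` in options.xl2tpd.

```shell
#!/bin/sh
# Added example, not from the original post. Stages the two secret files the
# L2TP/IPsec PSK setup needs. 203.0.113.10, the user name and the staging
# directory are assumptions; pass / as the directory for a real deployment.
set -eu

# 32 random bytes, base64-encoded (44 characters), so the PSK is not a dictionary word.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# strongSwan secret line: "<leftid> <rightid> : PSK \"<secret>\"".
# leftid is the server's public IP from ipsec.conf, rightid %any covers all roadwarriors.
write_ipsec_secrets() {
    dir="$1"; server_id="$2"; psk="$3"
    mkdir -p "$dir/etc"
    umask 077
    printf '%s %%any : PSK "%s"\n' "$server_id" "$psk" > "$dir/etc/ipsec.secrets"
    chmod 600 "$dir/etc/ipsec.secrets"
    echo "$dir/etc/ipsec.secrets"
}

# pppd CHAP/MS-CHAPv2 secret: "<client> <server> <secret> <allowed IPs>".
# The server column is the "name l2tpd" value from options.xl2tpd.
write_chap_secrets() {
    dir="$1"; user="$2"; pass="$3"
    mkdir -p "$dir/etc/ppp"
    umask 077
    printf '%s\tl2tpd\t%s\t*\n' "$user" "$pass" > "$dir/etc/ppp/chap-secrets"
    chmod 600 "$dir/etc/ppp/chap-secrets"
    echo "$dir/etc/ppp/chap-secrets"
}

# Returns 0 when the file has exactly mode 600 (no group/other bits), 1 otherwise.
check_mode_600() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Stand-alone usage: stage both files under a temporary directory and print their paths.
STAGE="$(mktemp -d)"
write_ipsec_secrets "$STAGE" 203.0.113.10 "$(gen_psk)"
write_chap_secrets "$STAGE" mikrotik-site1 "$(gen_psk)"
```

The same PSK is what goes into the Windows "pre-shared key" field and the MikroTik L2TP client's IPsec secret; the chap-secrets user/password pair is the PPP login. After copying the files into /etc, run `ipsec rereadsecrets` so charon picks the PSK up without a restart.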
