Community discussions

MikroTik App
 
aaronw
just joined
Topic Author
Posts: 13
Joined: Thu Feb 26, 2009 7:30 am

VPN with Linux

Wed Nov 07, 2018 9:32 am

I have been trying without success to use IPSec to connect from my Linux machine to my Mikrotik router. I have IPSec + XAuth working with my Android phone and tablet, but this configuration does not appear to work with the OpenSwan or StrongSwan network settings parameters.

Has anyone been able to successfully connect a Linux client to the Mikrotik router using IPSec, and if so, what configuration is being used on both sides?
 
User avatar
victorsoares
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Feb 15, 2018 6:29 pm
Location: Ubatuba, São Paulo - Brazil
Contact:

Re: VPN with Linux

Wed Nov 07, 2018 5:16 pm

I had the same issue a while ago. I managed to get it working installing on my (Linux Mint Tara) strongswan with network-manager-l2tp. I'm using L2TP with IPSEC, just make sure to insert on your Linux what encryption algorithms you are using.
MTCNA MTCRE
 
Cvan
Member Candidate
Member Candidate
Posts: 127
Joined: Sat Jun 09, 2018 3:32 am

Re: VPN with Linux

Thu Nov 08, 2018 4:25 am

I got this working today using openSuse 42.3 and network-manager-l2tp plugin + Mate desktop.

PPP settings:
MTU/MRU 1400
All Auth methods are checked

Also got PPTP working as well; had to modify default suse firewall rules to get it to work though.
 
User avatar
acald3ron
just joined
Posts: 18
Joined: Tue Jan 06, 2015 8:26 am
Location: Rosarito, México
Contact:

Re: VPN with Linux

Thu Nov 08, 2018 6:18 am

im not paranoid i used l2tpd without encryption..
 
seho
newbie
Posts: 36
Joined: Fri Aug 09, 2013 11:05 am

Re: VPN with Linux

Thu Nov 08, 2018 4:49 pm

Hey,

i'm using the MikroTik with IKEv2 and EAP + RADIUS (FreeRADIUS).

Radius is used for the authentication and assigning fixed (virtual) IP-Addreses to the RoadWarriors. In this configuration, strongSwan clients and Windows clients can establish a connection to Router. Also strongSwan running on Android is working.

/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=32 name=cfg1 static-dns=\
    10.0.1.253 system-dns=no
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr \
    lifetime=2h30m
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms="aes-256-cbc,aes-256-c\
    tr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm,3des" lifetime=2h name=proposal1 pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=[Cert] \
    comment="LTE Hybrid - RADIUS" dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-override \
    lifetime=12h mode-config=cfg1 my-id=fqdn:[FromCERT] passive=yes
/ip ipsec policy
set 0 disabled=yes
add proposal=proposal1 template=yes
Also the RADIUS server has to be set in the MikroTik configuration.

/etc/freeradius/users

...
[USERNAME] NT-Password := "[NT-HASH]"
        Framed-IP-Address := 10.0.1.101
...
you can get the hashed password using smbencrypt <password> on a linux machine

StrongSwan ipsec.conf
conn office28
        left=%defaultroute
        leftfirewall=yes
        leftauth=eap-mschapv2
        leftsourceip=%config
        eap_identity=[Username]
        right=[WAN Address MikroTik]
        rightcert=[MikroTik Public Cert file]
        rightauth=pubkey
        rightsubnet=[Subnet behind MikroTik]/24
        auto=add
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        type=tunnel
        ikelifetime=12h
        lifetime=4h
Kind regards,
Sebastian

Who is online

Users browsing this forum: Baidu [Spider], Znevna and 76 guests