Community discussions

 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 5:26 pm

Hi, Guys
I'm having problems with RouterOS connecting to VPN providers with IPSEC as a client.
Here is my config:
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] loop-protect=off name=ether2-wan
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] loop-protect=off name=ether6-lan
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-wan name=pppoe-out1 password=ppppassword user=pppuser
/ip ipsec mode-config
add name=miaopasi responder=no
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h proposal-check=claim
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-128 lifetime=1h name=miaopasi nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-ctr,aes-128-cbc,aes-128-ctr,aes-128-gcm,camellia-128 lifetime=1h
add enc-algorithms=aes-128-ctr lifetime=1d name=shiyutech pfs-group=modp2048
add enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1h name=miaopasi
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=2d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether6-lan
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set cache-max-ttl=1h cache-size=1024KiB servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=1.0.1.0/24 list=cnlist
#...more than 5000 ip address...
add address=223.255.252.0/23 list=cnlist
add address=208.67.220.220 comment=opendns list=cnlist
add address=208.67.222.222 comment=opendns list=cnlist
add address=l2tpipsecsrv1.com comment=l2tpipsecsrv1 list=cnlist
add address=l2tpipsecsrv2.com comment=l2tpipsecsrv2 list=cnlist
add address=l2tpipsecsrv3.com comment=l2tpipsecsrv3 list=cnlist
add address=192.168.100.2-192.168.100.253 list=local
/ip firewall mangle
#add action=mark-routing chain=prerouting dst-address-list=!cnlist new-routing-mark=l2tp passthrough=yes src-address=192.168.100.2-192.168.100.253 #disabled
/ip firewall nat
add action=src-nat chain=srcnat comment=src-nat out-interface=pppoe-out1 to-addresses=mywanip
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=tcp src-address=192.168.100.0/24 to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp src-address=192.168.100.0/24 to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=tcp src-address=192.168.100.0/24 to-addresses=208.67.222.222 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp src-address=192.168.100.0/24 to-addresses=208.67.222.222 to-ports=5353
/ip ipsec peer
add address=l2tpipsecsrv1ipaddress auth-method=pre-shared-key-xauth disabled=yes exchange-mode=main-l2tp generate-policy=port-override mode-config=request-only secret=miaopasi xauth-login=myusername xauth-password=mypassword
/ip ipsec policy
set 0 dst-address=192.168.88.0/24 proposal=shiyutech src-address=192.168.100.0/24 disabled=yes
I can establish an IPSEC connection to my VPN provider.
/ip ipsec remote-peers> print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              REMOTE-ADDRESS                                               DYNAMIC-ADDRESS                      UPTIME              
 0  N                      established        l2tpipsecsrv1ipaddress                                              192.168.10.21                        7m12s
and
/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
 1 ADC  58.32.32.1/32      58.32.33.223    pppoe-out1                0
 2 ADC  192.168.10.0/24    192.168.10.21   pppoe-out1                0
 3 ADC  192.168.100.0/24   192.168.100.1   bridge1                   0
Since IPSEC doesn't create an interface, how can I achieve the same result that pure L2TP can?
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!cnlist new-routing-mark=l2tp passthrough=yes src-address=192.168.100.2-192.168.100.253
Thanks in advance.
Last edited by kenyloveg on Thu Jan 10, 2019 6:18 pm, edited 3 times in total.
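As an added example (not code from the thread or from MikroTik), a small Python check that parses the two RouterOS print tables posted above, confirms the IPsec peer is established, and locates the connected route RouterOS created for the mode-config address, which is the only thing a routing rule can key on when no tunnel interface exists. The sample output is constructed from the thread's listing and keeps the poster's placeholder for the remote address.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample, modelled on the thread's "/ip ipsec remote-peers print" and
# "/ip route print" output (the remote address keeps the poster's placeholder).
REMOTE_PEERS = """\
Flags: R - responder, N - natt-peer
 #    ID        STATE        REMOTE-ADDRESS          DYNAMIC-ADDRESS  UPTIME
 0  N           established  l2tpipsecsrv1ipaddress  192.168.10.21    7m12s
"""
ROUTES = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS        PREF-SRC        GATEWAY      DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1          1
 1 ADC  58.32.32.1/32      58.32.33.223    pppoe-out1          0
 2 ADC  192.168.10.0/24    192.168.10.21   pppoe-out1          0
 3 ADC  192.168.100.0/24   192.168.100.1   bridge1             0
"""

def parse_print(text):
    """Parse a RouterOS 'print' table into dicts keyed by header name.
    Cells are cut at the header's column offsets (fixed width), so an empty
    cell such as the blank ID column stays empty instead of shifting the row;
    the '#' cell holds the row number followed by the flag letters."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("Flags:")]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    records = []
    for row in lines[1:]:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()
        number, _, flags = rec.pop("#").partition(" ")
        rec["num"], rec["flags"] = int(number), flags.strip()
        records.append(rec)
    return records

def tunnel_status(peers_text, routes_text):
    """Return (established, dynamic_address, gateway) for the first IPsec peer.
    'gateway' is the interface of the connected route RouterOS added for the
    mode-config address: with no IPsec interface to match on, that route and
    the dynamic address are what any policy-routing rule has to key on."""
    peers, routes = parse_print(peers_text), parse_print(routes_text)
    if not peers or peers[0]["STATE"] != "established":
        return False, None, None
    dyn = peers[0]["DYNAMIC-ADDRESS"]
    for r in routes:
        if ("C" in r["flags"] and r["PREF-SRC"] == dyn
                and ip_address(dyn) in ip_network(r["DST-ADDRESS"])):
            return True, dyn, r["GATEWAY"]
    return True, dyn, None
```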
 
pe1chl
Forum Guru
Posts: 5261
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 5:34 pm

Your interface is l2tp-out, and you can do anything with it that you can do with another dynamic interface.
The fact that IPsec is underneath it does not matter. To the inside it is L2TP.
Of course you should not set the default route to such a connection or at least you should make some other arrangements
for your local to internet traffic.
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 5:40 pm

@pe1chl
Please understand I'm not talking about "/interface L2TP client"; it's not working when I check "use IPsec". L2TP (without IPsec) is not stable, it usually drops the connection every hour in my place.
 
pe1chl
Forum Guru
Posts: 5261
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 5:55 pm

That is what you get when you don't post a clear question...
Try again, this time mentioning what is your problem and what you want to achieve.
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 6:01 pm

I'm trying to switch to L2TP over IPsec from L2TP (without IPsec, currently working but drops every hour)
 
pe1chl
Forum Guru
Posts: 5261
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSEC as a client to VPN providers

Thu Jan 10, 2019 7:31 pm

Try to remove those lifetime=1h declarations from your IPsec configuration.
Sometimes there is confusion when negotiating parameters like this with the remote.
(i.e. locally you force the lifetime to 1h, remote has an 8h lifetime and does not understand this, so
connection is dead after 1h)
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: L2TP/IPSEC as a client to VPN providers

Fri Jan 11, 2019 3:26 am

1. I set 1 hr because I know exactly that the server side has the same 1 hr set.
2. Do not mess with the L2TP-out1 interface stuff; it's the IPSec peer setting, please read my config again.
Thanks for your reply.
 
pe1chl
Forum Guru
Posts: 5261
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSEC as a client to VPN providers

Fri Jan 11, 2019 10:53 am

I don't understand you, probably the language barrier is too high.
Hopefully someone else understands what you want to ask.
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: L2TP/IPSEC as a client to VPN providers

Fri Jan 11, 2019 11:51 pm

I'm having problems with RouterOS connecting to VPN providers with IPSEC as a client.

Let me jump in here and see if I can help. First, are you able to connect using IPsec? If not, then please do the following:

1. Turn on logging:
/system logging add topics=ipsec,!packet

2. Start a log capture file
/log print follow-only file=IPsec.txt where topics~"ipsec"

3. Try to connect for about 20 seconds.
Then CTRL-C to end the logging capture. Then post the output of the IPsec.txt file here. You can hide IPs and usernames if you need to.
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: L2TP/IPSEC as a client to VPN providers

Sat Jan 12, 2019 9:43 am

Hi, @pcunite
I'd like to thank you for your reply first :)
If you guys ever read my first post, you can see:
I can establish an IPSEC connection to the VPN service provider, and get a dynamic address (192.168.10.21) from the server:
/ip ipsec remote-peers> print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              REMOTE-ADDRESS                                               DYNAMIC-ADDRESS                      UPTIME              
 0  N                      established        l2tpipsecsrv1ipaddress                                              192.168.10.21
Along with a dynamic route created by IPSEC:
ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
 1 ADC  58.32.32.1/32      58.32.33.223    pppoe-out1                0
 2 ADC  192.168.10.0/24    192.168.10.21   pppoe-out1                0 #this route is dynamically created after enabled IPSEC#
 3 ADC  192.168.100.0/24   192.168.100.1   bridge1                   0
Because there is no interface created by IPSEC, I need instructions to make firewall rules to route traffic like I was able to do with my previous L2TP practice (l2tp is working now but keeps dropping randomly, IPSEC seems stable for now, maybe the reason is UDP port 1701 getting interfered with but not UDP 500 nor 4500):
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!cnlist new-routing-mark=l2tp passthrough=yes src-address=192.168.100.2-192.168.100.253
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: L2TP/IPSEC as a client to VPN providers

Sat Jan 12, 2019 5:13 pm

Because there is no interface created by IPSEC, I need instructions to make firewall rules to route traffic like I was able to do with previous L2TP practice (l2tp is working now but keeps dropping randomly, IPSEC seems stable for now, maybe the reason is UDP port 1701 getting interfered with but not UDP 500 nor 4500):

Okay, here is a full example; read slowly and see how I create an interface name, put it in the LAN interface list, and have the firewall allow that.

######################################
# Minimal settings for L2TP/IPSec VPN
######################################

# Server settings
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"

# Create an username tied to a specific interface
/interface l2tp-server
add name=L2TP1 user=uservpn

# User password
/ppp secret
add name=uservpn password="PasswordUser" service=l2tp

# Give them an IP address from the LAN pool
/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required

#Phase1 IPsec behaviour, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# added automatically when l2tp-server server is enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1

#Phase2 IPsec Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256

# configure the rest of the router
/interface list
add name=LAN
add name=WAN

/interface list member
add interface=bridge-LAN 	list=LAN
add interface=L2TP1 		list=LAN
add interface=ether1 		list=WAN

# add these to your firewall rules
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"

/interface
set bridge-LAN arp=proxy-arp
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2009 3:25 pm

Re: L2TP/IPSEC as a client to VPN providers

Sat Jan 12, 2019 6:28 pm

Hi, @pcunite
Thanks for your reply again.
But you are still missing my point, there is no such L2TP server stuff in my configuration. I'm talking about creating an L2TP client over IPsec to a VPN provider (which means I'm on the client side).
I'm doing this by:
/ip ipsec peer
add address=l2tpipsecsrv1ipaddress auth-method=pre-shared-key-xauth disabled=yes exchange-mode=main-l2tp generate-policy=port-override mode-config=request-only secret=miaopasi xauth-login=myusername xauth-password=mypassword
Not:
/interface l2tp-client
add connect-to=l2tpserver1.com disabled=yes keepalive-timeout=disabled name=l2tp-out1 password=mypassword user=myusername
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: L2TP/IPSEC as a client to VPN providers

Sun Jan 13, 2019 12:36 am

Hi, @pcunite
Thanks for your reply again.
But you are still missing my point, there is no such L2TP server stuff in my configuration. I'm talking about creating an L2TP client over IPsec to a VPN provider (which means I'm on the client side).

Ahhh, missed that too. Sorry about that. I don't use that feature.
