 
RackKing
Member Candidate
Topic Author
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

L2TP/IPSec more than one shared secret?

Wed Jun 12, 2019 2:16 pm

I have an L2TP/IPSec VPN server up and running on our Mikrotik. I would like to add a VPN user who is outside our organization (i.e. not our employee) in order to gain access to certain assets for support. I know I can specify a remote address and use firewall filter rules with that address to limit access.

My preference would be to not hand out our pre-shared key to him. Is there a way to specify more than one? It appears you can only have one as it is configured in the /ppp /interface /L2TP server section.

Thanks in advance.
 
tdw
Member Candidate
Posts: 190
Joined: Sat May 05, 2018 11:55 am

Re: L2TP/IPSec more than one shared secret?

Wed Jun 12, 2019 3:25 pm

Create an IPsec peer entry for the remote address with a different secret.
 
RackKing
Member Candidate
Topic Author
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 1:44 am

Looks like there has to be a peer and an identity. Did not get it working.

It looks like the key in peer1 is taken from the L2TP server settings.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec more than one shared secret?  [SOLVED]

Thu Jun 13, 2019 2:12 am

If you want to do anything but a single common IPsec peer for all L2TP clients, you have to make do without the automagical generation of the IPsec configuration which RouterOS does for you when you specify the pre-shared key as a parameter of /interface l2tp-server server and set use-ipsec to yes. So create two copies of those dynamic items (peer, identity), set the address item of the first (upper) peer to the IP address of the client you use to imitate the contractor's device, and make each identity point to one of the peers:
/ip ipsec peer
add copy-from=[find where dynamic] name=contractor address=1.2.3.4
add copy-from=[find where dynamic] name=colleagues
/ip ipsec identity
add copy-from=[find where dynamic] peer=contractor secret=PSKforcontractor
add copy-from=[find where dynamic] peer=colleagues


Then change use-ipsec to no in /interface l2tp-server server settings. The dynamically created peer and identity will disappear, and the copies will take over. Incoming connection requests from the IP address of the test client will be caught by the upper peer, incoming connection requests from other IP addresses will be ignored by the upper peer and will be caught by the lower one.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
RackKing
Member Candidate
Topic Author
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 4:35 am

Thanks sindy -

Can the address be the address assigned to them in the /ppp /secrets local-address? So when those credentials are used they always get the same IP that I can use in FW filter rules?

I am assuming that "Incoming connection requests from the IP address" refers to the contractors WAN IP address they are coming in from.

Also - I assume the /ip ipsec identity colleagues should have a secret in the example provided?


Thanks
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 8:11 am

Can the address be the address assigned to the them in the /ppp /secrets local-address? So when those credentials are used they always get the same IP that I can use in FW filter rules?

I am assuming that "Incoming connection requests from the IP address" refers to the contractors WAN IP address they are coming in from.
The address on the peer is the public one from (or from behind) which the contractor will be connecting; if the contractor is a road warrior, this whole approach will not work.

As for firewall handling of the contractor, there are plenty of possibilities: you can set a specific remote-address in the contractor's /ppp secret item, or you can make that item refer to a dedicated /ppp profile which can add the address assigned to his end of the L2TP tunnel to an address-list, or add the name of the dynamically added local L2TP tunnel interface as a member to an interface-list, or add a jump to a dedicated firewall chain to a firewall filter chain named ppp. I'll add a link to a recent topic describing this latter variant once I get to PC.

Also - I assume the /ip ipsec identity colleagues should have a secret in the example provided?
The copy command is actually a copy-with-few-changes one. So if you execute them in the exact form I gave, the secret for colleagues will be inherited from the one you've configured previously on the /service l2tp-server server, which RouterOS has used to dynamically generate the /ip ipsec identity from which you copy it to the static one.
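A worked configuration for the firewall-handling options listed in the reply above, added here as an example; it is not from the original thread or from any poster. Every name and address in it is a placeholder chosen for illustration (profile contractor-ppp, address-list contractor-tunnel, interface-list contractor-ifaces, tunnel subnet 10.99.0.0/24, support host 192.168.10.50 reachable on TCP/3389), and it assumes a RouterOS 6.4x feature set in which /ppp profile carries the address-list and interface-list properties.

```routeros
# Added example, not part of the original thread. All names, subnets and the
# support host are placeholders: adapt them to your network before use.

# 1. A dedicated profile pins the contractor to one tunnel address and tags the
#    session while it is up: the remote address is placed in an address-list and
#    the dynamic l2tp-in-* interface in an interface-list. Both tags disappear
#    when the session ends, so the firewall rules below need no manual upkeep.
#    Colleagues keep using the L2TP server's default profile and are untouched.
/interface list add name=contractor-ifaces
/ppp profile
add name=contractor-ppp local-address=10.99.0.1 remote-address=10.99.0.250 \
    address-list=contractor-tunnel interface-list=contractor-ifaces \
    only-one=yes
/ppp secret
add name=contractor service=l2tp profile=contractor-ppp \
    password="replace-with-a-long-random-password"

# 2. Least-privilege filtering for the tunnel. Place these rules ahead of any
#    broad "accept from LAN/VPN" rule in the forward chain. The accept uses the
#    interface-list tag and the drop uses the address-list tag on purpose, to
#    show that either one identifies the contractor's session; pick one style
#    in production.
/ip firewall filter
add chain=forward in-interface-list=contractor-ifaces \
    dst-address=192.168.10.50 protocol=tcp dst-port=3389 action=accept \
    comment="contractor: RDP to the single support host"
add chain=forward src-address-list=contractor-tunnel action=drop \
    comment="contractor: everything else from the tunnel is dropped"
# Keep the contractor off the router's own services as well. The L2TP/IPsec
# control traffic arrives on the WAN interface, not on the tunnel interface,
# so this rule does not interfere with the VPN itself.
add chain=input in-interface-list=contractor-ifaces action=drop \
    comment="contractor: no access to the router"

# 3. (Alternative named in the reply above.) Setting incoming-filter=<chain>
#    on the profile makes RouterOS hand this client's packets to that chain
#    through the filter chain named "ppp", which you must create yourself and
#    jump to from forward; the address-list/interface-list approach above is
#    the simpler choice for a single contractor.
```

Verify the result after the contractor connects with `/ppp active print`, `/ip firewall address-list print where list=contractor-tunnel` and `/interface list member print where list=contractor-ifaces`: all three should show the session and vanish when it drops.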
 
RackKing
Member Candidate
Topic Author
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 12:38 pm

Thank you.

For a road warrior scenario - is there an approach that will work? Alternative VPN or otherwise?

As for firewall handling of the contractor, there are plenty of possibilities: you can set a specific remote-address in the contractor's /ppp secret item, or you can make that item refer to a dedicated /ppp profile which can add the address assigned to his end of the L2TP tunnel to an address-list, or add the name of the dynamically added local L2TP tunnel interface as a member to an interface-list, or add a jump to a dedicated firewall chain to a firewall filter chain named ppp. I'll add a link to a recent topic describing this latter variant once I get to PC.
Thank you for the information - I would be interested in the link. The dynamic interface lists are really powerful.

The copy command is actually a copy-with-few-changes one. So if you execute them in the exact form I gave, the secret for colleagues will be inherited from the one you've configured previously on the /service l2tp-server server, which RouterOS has used to dynamically generate the /ip ipsec identity from which you copy it to the static one.
Ah - thank you for the clarification.

I trust this individual/contractor. I wonder if I am overthinking providing him our shared secret. Still better than opening a bunch of ports. Of course it is usually never the person you trust who is the problem...
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 1:45 pm

For a road warrior scenario - is there an approach that will work? Alternative VPN or otherwise?
If you can use only one public IP address at the L2TP server for both groups of clients (colleagues and contractor), the "alternative VPN" would have to be either IKEv2 IPsec or have nothing to do with IPsec at all. The thing is that
  • in L2TP/IPsec mode, the Windows embedded VPN client sends its local IP address as IKE peer ID, which cannot be matched by /ip ipsec identity, so you have to match the whole peer,
  • the IPsec stack of RouterOS can choose from locally defined peers by a combination of remote and local address and the exchange-mode value. So if the remote address of the contractor may change, and because staying with L2TP/IPsec means also staying with exchange-mode=main, the only variable part of the selection key is the local address.
  • while you can use dstnat to map the requests incoming to some other port than 500 on the public IP to port 500 on some local IP, there is no way to tell the Windows client to send the initial request to a non-standard port.
So if you can equip the contractor with a mAP acting as an L2TP/IPsec client and providing by means of DHCP option 249 (for Windows) or 121 (for normal gear) a route list towards your network on its LAN side interface, you can slightly modify the approach above (address=0.0.0.0/0, local-address=some.local.private.ip) and still be fine. Otherwise you have to use IKEv2 (requires a machine certificate for Windows), SSTP (requires a certificate), or OpenVPN (should use a certificate, and in the current stable release of RouterOS (6.44.3) it doesn't check server certificate validity yet).

I would be interested in the link. The dynamic interface lists are really powerful.
Here you go, but I'm afraid you may expect something else from it - it doesn't provide any additional info regarding dynamically adding the interface to an interface-list, it just details the functionality of the incoming-filter item.
 
RackKing
Member Candidate
Topic Author
Posts: 257
Joined: Wed Oct 09, 2013 1:59 pm

Re: L2TP/IPSec more than one shared secret?

Thu Jun 13, 2019 4:16 pm

Got it - I understand and appreciate your comments.

Your concise explanations are great.
