menelaos
just joined
Topic Author
Posts: 2
Joined: Wed Dec 25, 2019 12:05 pm

creating l2tp server

Wed Dec 25, 2019 12:18 pm

I've been trying to create an L2TP over IPsec server for days and I'm stuck, not knowing what to do.
the log file is: https://pastebin.com/fnH3DWcv
do you make something out of it?
 
Zacharias
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: creating l2tp server

Sun Dec 29, 2019 8:05 pm

You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
 
Anumrak
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: creating l2tp server

Mon Dec 30, 2019 3:15 pm

You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
+1
 
menelaos
just joined
Topic Author
Posts: 2
Joined: Wed Dec 25, 2019 12:05 pm

Re: creating l2tp server

Thu Jan 02, 2020 10:41 am

You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...

# jan/02/2020 10:38:53 by RouterOS 6.45.7
# software id = X0SX-GX9H
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED08CC18B8
/interface l2tp-server
add name=l2tp-in1 user=arty
/interface l2tp-server server
set default-profile=profile1 enabled=yes use-ipsec=yes


This is the export of the L2TP server config.
Thank you for taking the time to help me.
 
techlord
Frequent Visitor
Posts: 53
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Thu Jan 02, 2020 4:49 pm

Hi!

I've just finished setting up my L2TP/IPSEC server on my RB3011 (6.46.1) and I have to say it was a pain....most tutorials are incomplete or obsolete related to newest ROS versions. Not only that, the router got frozen a lot during ipsec parameters changes and it needed hard reboot. Now it's stable and working well. I wanted to do the config in WebFig and not CLI. I did so many changes to the config, most blind shots, so I may not remember everything but here are the basic steps:

1) Create a pool of IPs from which the server will give IPs to the clients. I created pool 192.168.1.2-192.168.1.10. The IP 192.168.1.1 I manually assigned to the router but that is optional.
/ip pool
add name=Remote-users-pool ranges=192.168.1.2-192.168.1.10

2) Under PPP menu you have to:
a) Create a PPP Profile where you give name, router IP (local address) and IPs for clients from the pool above
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.1 name=L2TP-Profile remote-address=Remote-users-pool use-encryption=yes use-ipv6=no use-upnp=yes

b) Create at least 1 user that will be allowed to connect. This is under "Secrets".
/ppp secret
add name=remote profile=L2TP-Profile service=l2tp
Make a note of the user/password, you will need it on the client.

c) OPTIONAL - you can have increased security if you add a password specific for L2TP under "L2TP Secrets" -> make note of it, you will need it on the client if you configure it

d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore "use ipsec-yes" and make a note of the IPSEC secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes

e) OPTIONAL
Under PPP-> Interface you can add a new "L2TP server binding" where you choose a name and put the user you created above. This step is optional because ROS will create the interface automatically but if you create it yourself you can name it and use it on the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
NOTE: This is one of the things that really annoys me, this interface is named differently between CLI and WEBFIG AND under webfig is PPP-> Interface-> L2TP server binding but under CLI is under /interface l2tp-server. yes, it can be directly configured under interface BUT under CLI there is no "binding" in the name

3) IPSEC
Once you enable the L2TP/IPSEC server above some config gets auto deployed under IP-> IPSEC. Some people say it works directly but for me it needed a lot of tweaking and it really took me 2 days to get it to work. Under IP-> IPSEC you should have:
a) under Profiles a default profile which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile

b) under Identities - something deployed automatically by ROS which points to an IPSEC peer named " l2tp-in-server" - cannot be modified

c) under peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified

d) under groups - a default group which I renamed L2TP

e) under proposals - you have the default but I selected only the protocols I wanted ( sha1 for Auth and all aes-xxx-cbc for Encr). Pfs group2 (mod 1024)

f) under policies - a default policy which I modified to
- use template
- link to group L2TP
- link to the default proposal
- ipsec protocol - esp
- action encrypt

I really tried to create another set of items and not use the defaults but it simply did not work, most errors being related to IPSEC phase 2. But with the options above it works.

4) Put these security rules somewhere before your DROP rule.

/ip firewall filter
****for IPSEC/L2TP establishment; my WAN is PPPoE, replace yours as needed*******
add action=accept chain=input comment="L2TP/IPSEC Server" in-interface=PPPoE protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=4500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=1701 in-interface=PPPoE protocol=udp

********for flows between your inside network(mine is 192.168.0.0/24, on bridge) and the l2tp interface ( I put 192.168.1.0/24 for ease) - modify as needed **
add action=accept chain=forward comment=L2TP dst-address=192.168.0.0/24 in-interface=L2TP-IF out-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 in-interface=bridge out-interface=L2TP-IF src-address=192.168.0.0/24

After this I could connect with my Android 9 terminal and access the local network. On the client you need:
- Router external IP
- l2tp user and pass
- l2tp password (optional, if you configure it on the server)
- IPSEC preshared key


Hope this helps!
 
nickb333
just joined
Posts: 16
Joined: Sat Jul 25, 2015 1:45 pm
Location: UK

Re: creating l2tp server

Thu Jan 02, 2020 8:32 pm

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
Nick B.
UK.
 
techlord
Frequent Visitor
Posts: 53
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Fri Jan 03, 2020 12:24 am

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
Actually it's related to how ROS processes the packets. You do need the 1701 L2TP rule and I do have hits on it whenever I used the L2TP/IPSEC tunnel from my android.
It's even in the mk wiki.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
 
nickb333
just joined
Posts: 16
Joined: Sat Jul 25, 2015 1:45 pm
Location: UK

Re: creating l2tp server

Fri Jan 03, 2020 1:39 am

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
Actually it's related to how ROS processes the packets. You do need the 1701 L2TP rule and I do have hits on it whenever I used the L2TP/IPSEC tunnel from my android.
It's even in the mk wiki.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
My bad, it appears the input chain also processes packets after they are decapsulated from IPsec. So for my application I've modified the accept 1701/udp rule so it only passes the packet if it arrives via IPsec.
add action=accept chain=input dst-port=1701 in-interface=ether2 ipsec-policy=\
    in,ipsec log=yes protocol=udp src-port=""
But I'll leave my original rule as any l2tp that arrives unencrypted gets an icmp-admin-prohibited reply. I've seen this happen in practice when using l2tp/ipsec from a Mikrotik client.

Thanks for an interesting discussion.
Nick B.
UK.
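The point the last few replies converge on (an accept for udp/1701 on the WAN also admits L2TP that never went through IPsec, unless the rule carries ipsec-policy=in,ipsec or a reject for ipsec-policy=in,none precedes it) can be checked mechanically against an `/export`. The following Python is an added example, not code from this thread or from MikroTik: it parses `/ip firewall filter` rules out of export text and flags udp/1701 accepts that lack that protection. Both samples are constructed from the rules posted above; nickb333's accept rule has its in-interface adapted to techlord's PPPoE so the two sets compare directly.

```python
import re
import shlex

def parse_filter_rules(export: str) -> list:
    """Return the /ip firewall filter 'add' rules of a RouterOS export as key/value dicts."""
    text = re.sub(r"\\\n\s*", "", export)       # join "\"-continued lines as RouterOS prints them
    rules, menu = [], ""
    for line in text.splitlines():
        tokens = shlex.split(line)                # keeps quoted values such as comment="a b" whole
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0].startswith("/"):             # menu path, possibly followed by an inline command
            path = []
            while tokens and tokens[0] not in ("add", "set"):
                path.append(tokens.pop(0))
            menu = " ".join(path)
        if menu == "/ip firewall filter" and tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules

def audit_l2tp_input(rules: list) -> list:
    """Flag udp/1701 accepts that also pass cleartext L2TP, unless an earlier rule rejects in,none."""
    findings, cleartext_rejected = [], False
    for n, rule in enumerate(rules, 1):
        if (rule.get("chain"), rule.get("protocol"), rule.get("dst-port")) != ("input", "udp", "1701"):
            continue
        policy = rule.get("ipsec-policy", "")
        if rule.get("action") in ("drop", "reject") and policy == "in,none":
            cleartext_rejected = True             # order matters: this rule runs before later accepts
        elif rule.get("action") == "accept" and policy != "in,ipsec" and not cleartext_rejected:
            findings.append(f"rule {n}: udp/1701 accepted with ipsec-policy={policy or 'unset'}")
    return findings

# Constructed sample: the four input rules from techlord's post, no ipsec-policy matcher.
THREAD_RULES = """\
/ip firewall filter
add action=accept chain=input comment="L2TP/IPSEC Server" in-interface=PPPoE protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=4500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=1701 in-interface=PPPoE protocol=udp
"""
# Constructed sample: nickb333's pair, reject cleartext first, then accept only decapsulated traffic.
HARDENED_RULES = """\
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \\
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\\
    icmp-admin-prohibited
add action=accept chain=input dst-port=1701 in-interface=PPPoE ipsec-policy=\\
    in,ipsec protocol=udp src-port=""
"""
```

Running `audit_l2tp_input(parse_filter_rules(THREAD_RULES))` reports rule 4, while the hardened set reports nothing.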
 
noythetop
just joined
Posts: 2
Joined: Sat Dec 28, 2019 12:50 pm

Re: creating l2tp server

Fri Jan 03, 2020 1:07 pm

This was extremely helpful. Thanks for going out of your way to make such a long and detailed post.
 
techlord
Frequent Visitor
Posts: 53
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Fri Jan 03, 2020 8:09 pm

Glad it helps. I actually think this forum needs a good [TUTORIAL] section with configuration examples for most features. The Wiki is a little... bland? There are countless threads with requests for help configuring stuff and you have to read for hours and pick what you need...
 
jaytcsd
Member Candidate
Posts: 295
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: creating l2tp server

Sun Jan 12, 2020 5:07 am

I asked about a forum just for VPNs way back, like you said this info is scattered around. I've found some good videos and some that seem like they are an excuse
to put someone's personal music playlist on.
 
gidgrey
just joined
Posts: 2
Joined: Wed Jan 08, 2020 10:20 pm

Re: creating l2tp server

Mon Jan 13, 2020 8:21 am

Here is a step by step video for L2TP vpn https://www.youtube.com/watch?v=v2K0qOb_SLU
