I've just finished setting up my L2TP/IPSEC server on my RB3011 (6.46.1) and I have to say it was a pain... most tutorials are incomplete or obsolete with respect to the newest ROS versions. Not only that, the router froze a lot during IPsec parameter changes and needed a hard reboot. Now it's stable and working well. I wanted to do the config in WebFig and not CLI. I made so many changes to the config, most of them blind shots, so I may not remember everything, but here are the basic steps:
1) Create a pool of IPs from which the server will give IPs to the clients. I created the pool 192.168.1.2-192.168.1.10. I manually assigned 192.168.1.1 to the router, but that is optional.
/ip pool
add name=Remote-users-pool ranges=192.168.1.2-192.168.1.10
2) Under PPP menu you have to:
a) Create a PPP Profile where you give a name, the router IP (local address) and the IPs for clients from the pool above
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.1 name=L2TP-Profile remote-address=Remote-users-pool use-encryption=yes use-ipv6=no use-upnp=yes
b) Create at least 1 user that will be allowed to connect. This is under "Secrets".
/ppp secret
add name=remote profile=L2TP-Profile service=l2tp
Make a note of the user/password; you will need it on the client.
c) OPTIONAL - you can have increased security if you add a password specific to L2TP under "L2TP Secrets" -> make a note of it, you will need it on the client if you configure it.
d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore set "use-ipsec=yes" and make a note of the IPSEC secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes
Under PPP -> Interface you can add a new "L2TP server binding" where you choose a name and put the user you created above. This step is optional because ROS will create the interface automatically, but if you create it yourself you can name it and use it in the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
NOTE: This is one of the things that really annoys me: this interface is named differently between CLI and WebFig. Under WebFig it is PPP -> Interface -> L2TP server binding, but under CLI it is under /interface l2tp-server. Yes, it can be directly configured under interface, BUT under CLI there is no "binding" in the name.
3) Once you enable the L2TP/IPSEC server above, some config gets auto-deployed under IP -> IPSEC. Some people say it works directly, but for me it needed a lot of tweaking and it really took me 2 days to get it to work. Under IP -> IPSEC you should have:
a) under Profiles a default profile which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile
b) under Identities - something deployed automatically by ROS which points to an IPSEC peer named "l2tp-in-server" - cannot be modified
c) under Peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified
d) under Groups - a default group which I renamed L2TP
e) under Proposals - you have the default, but I selected only the protocols I wanted (sha1 for Auth and all aes-xxx-cbc for Encr). PFS group2 (modp1024)
f) under policies - a default policy which I modified to
- use template
- link to group L2TP
- link to the default proposal
- ipsec protocol - esp
- action encrypt
I really tried to create another set of items and not use the defaults, but it simply did not work, most errors being related to IPSEC phase 2. But with the options above it works.
4) Put these security rules somewhere before your DROP rule.
/ip firewall filter
# for IPSEC/L2TP establishment; my WAN is PPPoE, replace yours as needed
add action=accept chain=input comment="L2TP/IPSEC Server" in-interface=PPPoE protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=4500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=1701 in-interface=PPPoE protocol=udp
# for flows between your inside network (mine is 192.168.0.0/24, on bridge) and the l2tp interface (I put 192.168.1.0/24 for ease) - modify as needed
add action=accept chain=forward comment=L2TP dst-address=192.168.0.0/24 in-interface=L2TP-IF out-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 in-interface=bridge out-interface=L2TP-IF src-address=192.168.0.0/24
After this I could connect with my Android 9 terminal and access the local network. On the client you need:
- Router external IP
- l2tp user and pass
- l2tp password (optional, if you configure it on the server)
- IPSEC preshared key
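For checking that the setup above actually came up (phase 1, phase 2, then PPP) and for narrowing the udp/1701 accept rule so that plain-text L2TP from the internet is not accepted, here is an added set of RouterOS commands; this is not from the original post, and it assumes the same names as above (WAN interface PPPoE, binding L2TP-IF, pool Remote-users-pool, user remote).

```routeros
# Added example, not part of the original post. Assumes the names used above:
# in-interface=PPPoE (WAN), L2TP-IF (binding), user=remote, pool Remote-users-pool.

# --- Hardening: accept L2TP (udp/1701) from the WAN only when it arrived inside IPsec ---
# Use this instead of the unconditional udp/1701 accept rule; L2TP that did not come
# through the IPsec tunnel then falls through to your DROP rule.
# Keep the ipsec-esp, udp/500 and udp/4500 accept rules as they are.
/ip firewall filter
add action=accept chain=input comment="L2TP only over IPsec" dst-port=1701 in-interface=PPPoE ipsec-policy=in,ipsec protocol=udp

# --- Temporary debug logging to memory while testing (no per-packet noise) ---
/system logging
add topics=ipsec,!packet action=memory
add topics=l2tp,!packet action=memory

# --- Checks after a client has connected ---
# phase 1 (IKE): expect one entry per client with state=established
/ip ipsec active-peers print
# phase 2 (ESP SAs): expect one SA per direction using the AES-CBC/SHA1 proposal chosen above;
# an empty list with "phase 2" errors in the log means proposal or policy mismatch
/ip ipsec installed-sa print
# the template policy above spawns a dynamic (flag D) policy per client; it must be present
/ip ipsec policy print
# the PPP session: user=remote with an address from Remote-users-pool
/ppp active print
# the binding L2TP-IF should carry the R (running) flag
/interface l2tp-server print
# what the router complained about, if any of the above is missing
/log print where topics~"ipsec"
/log print where topics~"l2tp"
```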
Hope this helps!