hofi76
newbie
Topic Author
Posts: 31
Joined: Tue Oct 13, 2020 11:01 am

l2tp with ipsec site-to-site between 2 mikrotik router

Thu Oct 06, 2022 3:07 pm

I configured a MikroTik as L2TP server with IPsec and another one as L2TP client.
If IPsec is disabled, all looks fine.
[admin@Router1] /ip/ipsec/active-peers> /ppp/active/print 
Columns: NAME, SERVICE, CALLER-ID, ADDRESS, UPTIME
# NAME   SERVICE  CALLER-ID    ADDRESS        UPTIME
0 user1  l2tp     10.36.6.205  172.16.16.101  29s   
If I enable IPsec, the IPsec side looks fine, but the PPP connection does not operate. The status is "link established":
[admin@Router1] /ip/ipsec/active-peers> print 
Flags: R - RESPONDER
Columns: STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
#    STATE        UPTIME  PH2-TOTAL  REMOTE-ADDRESS
;;; l2tp-in-server
0 R  established  22s             1  10.36.6.205   
[admin@Router1] /ip/ipsec/active-peers> print 

Any idea why?

Server side config:
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ppp profile
add change-tcp-mss=yes local-address=172.16.16.1 name=HQ-R1 remote-address=172.16.16.101 use-encryption=yes
add change-tcp-mss=yes local-address=172.16.16.2 name=HQ-R2 remote-address=172.16.16.102 use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=*SECRET* one-session-per-host=yes use-ipsec=yes
/ppp secret
add name=user1 password=*pw* profile=HQ-R1 service=l2tp
add name=user2 password=*pw* profile=HQ-R2 service=l2tp
Client side config:
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ppp profile
add change-tcp-mss=yes local-address=172.16.16.101 name=R1-HQ remote-address=172.16.16.1 use-encryption=yes
/interface l2tp-client
add allow=mschap2 connect-to=10.36.6.204 disabled=no ipsec-secret=*SECRET* name=R1-HQ-l2tp password=*pw* profile=R1-HQ use-ipsec=yes user=user1
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: l2tp with ipsec site-to-site between 2 mikrotik router

Thu Oct 06, 2022 3:56 pm

I suppose there is more configuration, especially on the server side. Because you didn't post it, this can only be a guess, but perhaps the ipsec-esp (50) protocol is not allowed in the input chain of the server's firewall?
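As an added example (not part of either post, and not the original poster's configuration): when a RouterOS server does have an input chain that ends in a drop rule, the rules below are what an L2TP/IPsec responder needs in order to complete IKE and pass ESP, while still refusing plaintext L2TP that did not arrive inside IPsec. It assumes the WAN-facing interface is named WAN, as in the configuration hofi76 posted; the filter is first-match, so rule order matters, and the final two print commands are the checks that show whether ESP traffic is actually being accepted and decrypted.

```routeros
# Added example: minimal input-chain rules for an L2TP/IPsec server on RouterOS.
# Assumption: the Internet-facing interface is called WAN.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="accept return traffic of existing connections"
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=WAN \
    comment="IKE (500) and NAT-T (4500) from the L2TP/IPsec client"
add chain=input action=accept protocol=ipsec-esp in-interface=WAN \
    comment="ESP, IP protocol 50; without this the tunnel stays at link established"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP control/data only after IPsec decapsulation"
add chain=input action=drop protocol=udp dst-port=1701 \
    comment="drop L2TP that arrived in cleartext"
add chain=input action=drop in-interface=WAN \
    comment="drop everything else that reaches the router itself from WAN"

# Checks: the ESP rule counter must increase while the client is connecting,
# and installed-sa must show a pair of ESP SAs for the peer address.
/ip firewall filter print stats where chain=input
/ip ipsec installed-sa print
```

The `ipsec-policy=in,ipsec` matcher is the part that distinguishes L2TP that was carried inside the IPsec transport-mode SA from L2TP sent in the clear; keeping the explicit drop for plaintext UDP/1701 after it means a client that negotiated IPsec but then fell back to unencrypted L2TP is refused rather than silently accepted.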
 
hofi76
newbie
Topic Author
Posts: 31
Joined: Tue Oct 13, 2020 11:01 am

Re: l2tp with ipsec site-to-site between 2 mikrotik router

Thu Oct 06, 2022 5:28 pm

At the moment it is still in a test environment, so no firewall is configured.
See the full config of the L2TP server; maybe you will find the mistake.

HQ
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface eoip
add arp=proxy-arp local-address=172.16.16.1 mac-address=02:EA:F9:52:59:AE \
    name=HQ-R1-EOIP remote-address=172.16.16.101 tunnel-id=10
add arp=proxy-arp local-address=172.16.16.2 mac-address=02:EA:F9:52:59:AE \
    name=HQ-R2-EOIP remote-address=172.16.16.102 tunnel-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
add dh-group=modp2048 enc-algorithm=aes-256 name=l2tp_ipsec
/ip pool
add name=dhcp_pool1 ranges=192.168.76.1-192.168.76.200
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=172.16.16.1 name=HQ-R1 remote-address=\
    172.16.16.101 use-encryption=yes
add change-tcp-mss=yes local-address=172.16.16.2 name=HQ-R2 remote-address=\
    172.16.16.102 use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=HQ-R1-EOIP
add bridge=bridge1 interface=HQ-R2-EOIP
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface l2tp-server server
set authentication=mschap2 default-profile=HQ-R1 enabled=yes ipsec-secret=\
    *SECRET* one-session-per-host=yes use-ipsec=yes
/ip address
add address=192.168.76.254/22 interface=bridge1 network=192.168.76.0
/ip dhcp-client
add interface=WAN
/ip dhcp-server network
add address=192.168.76.0/22 gateway=192.168.76.254
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.76.0/22
/ppp profile
set *0 local-address=172.16.16.101 remote-address=*1
/ppp secret
add name=user1 password=*PW* profile=HQ-R1 service=l2tp
add name=user2 password=*PW* profile=HQ-R2 service=l2tp
/system identity
set name=Router1
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.36.2.11