csalvo
just joined
Topic Author
Posts: 2
Joined: Tue Oct 25, 2016 10:36 pm

Super EASY VPN for macOS

Tue Oct 25, 2016 11:07 pm

Hello everyone,

I'm new here and also new at routing & MikroTik.
Now that Apple removed PPTP support on macOS and iOS I can't connect to my remote routers.

Is there any SUPER EASY way to make a VPN connection so I can connect through my Mac and iOS devices?
I'm not very much into TERMINAL mode on MikroTik.

Any help will be valuable.


Kind regards,
Claudio
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 1:01 am

Use L2TP over IPsec. You should find plenty of documentation on how to set up the MikroTik side.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 5:33 am

L2TP means a lot more latency, sadly, than PPTP :(
and both L2TP and PPTP are not really secure (and/or both MSCHAP versions popular behind them).
How about MPLS+IPsec instead? :)
Performance-wise, both PPTP and L2TP, with or without cipher, do hit heavy :(
 
normis
MikroTik Support
Posts: 24422
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 12:08 pm

This is a more detailed manual (example for Apple included):
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

But if you want "super easy", just click "VPN" checkbox in QuickSet and it will automatically set up IPsec.
 
malstro
just joined
Posts: 17
Joined: Fri Jun 24, 2016 11:31 am

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 2:06 pm

Hey there,

like (seemingly) a lot of other users, I'm also struggling to get ANY other VPN solution than PPTP (which, by the way, works the most reliably of all solutions) to work.

IPSec in a Road-Warrior setup would be fine, if it worked somehow.
The typical "Home" setup:
- router/RouterOS with public IP address (IPSec server)
- iPhone/Mac within another WiFi (which means the device is NATed)

I did configure the ModeConf RW IPSec example from the Wiki multiple times, on different locations, with NO success.
I'm selecting "Cisco IPSec" on my Apple devices, which uses the "racoon" Process in the background.
- Neither ipsec,debug logs from the router nor logs from my Apple devices give me a clue how to fix this
My firewall rules are valid (IPSec-ESP/AH + UDP Ports 500,1701,4500), the logs also show that the devices reach the router - but the connection won't work

- Is "Cisco IPSec" on my Apple device the right choice? Do I leave the "Group Name" field empty?
- Do I need any other Firewall settings?

Thanks for help again - Please give me a notice if I should discuss this in another topic!
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 2:29 pm

We have L2TP/IPsec working here for a couple of hundreds road warriors without any problems.
The clients are Windoze laptops, Macs with a variety of OS versions including Sierra, Linux machines, iPhones, iPads, Android phones and tablets.

Here's our proven working config:
/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include=<all our relevant subnets>
/ip ipsec policy group
add name="VPN guests"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=l2tp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 comment="L2tp " enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=<a secret of your choice>
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=l2tp-proposal src-address=0.0.0.0/0 template=yes

/ip pool
add name="VPN guests" ranges=192.168.168.1-192.168.169.254

/ppp profile
add change-tcp-mss=yes dns-server=<our local DNS servers> local-address="VPN guests" name=l2tp-profile remote-address="VPN guests"

/ip firewall filter
add chain=input comment=IKEandL2TP dst-address-list=myWANips dst-port=1701,500,4500 protocol=udp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-esp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-ah
Hope that helps.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
normis
MikroTik Support
Posts: 24422
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Super EASY VPN for macOS

Wed Oct 26, 2016 3:31 pm

No, Cisco IPSec is not correct on iOS/Apple.

L2TP/IPsec is the correct choice. Attached is my config.
IMG_0277.PNG
 
malstro
just joined
Posts: 17
Joined: Fri Jun 24, 2016 11:31 am

Re: Super EASY VPN for macOS

Thu Oct 27, 2016 12:11 pm

Thanks for your help!
I kinda got L2TP over IPSec working now.

Unfortunately I can't figure out how to configure this to use only the split-include subnets (or route only specific traffic over VPN on my devices).

(e.g. on an iPhone)
1) when I select "Send all traffic" - it does what it says: so ALL traffic is routed through the VPN.
2) when I don't select this option - I can't access any device, although connected to the VPN - neither DNS hostname resolving nor IP addresses directly.

Is there any description how to push the specific routes to the device or get this scenario working (only use VPN for specific subnets and/or DNS resolving on a specific search domain)?
 
JNK
just joined
Posts: 8
Joined: Tue Feb 10, 2015 5:00 pm

Re: Super EASY VPN for macOS

Mon Apr 17, 2017 3:02 pm

Is there any solution to this? "Send all traffic" works as expected, however "split-include" is ignored.

Best Regards,

Jan
 
robuk
just joined
Posts: 4
Joined: Sun Apr 23, 2017 6:50 pm

Re: Super EASY VPN for macOS

Sun Apr 23, 2017 11:54 pm

We have L2TP/IPsec working here for a couple of hundreds road warriors without any problems.
The clients are Windoze laptops, Macs with a variety of OS versions including Sierra, Linux machines, iPhones, iPads, Android phones and tablets.

Here's our proven working config:
/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include=<all our relevant subnets>
/ip ipsec policy group
add name="VPN guests"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=l2tp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 comment="L2tp " enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=<a secret of your choice>
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=l2tp-proposal src-address=0.0.0.0/0 template=yes

/ip pool
add name="VPN guests" ranges=192.168.168.1-192.168.169.254

/ppp profile
add change-tcp-mss=yes dns-server=<our local DNS servers> local-address="VPN guests" name=l2tp-profile remote-address="VPN guests"

/ip firewall filter
add chain=input comment=IKEandL2TP dst-address-list=myWANips dst-port=1701,500,4500 protocol=udp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-esp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-ah
Hope that helps.
-Chris

Chris,

Thanks for this but the line
/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include=<all our relevant subnets>


doesn't work. It returns
input does not match any value of address-pool
If I go through the WinBox interface and follow your commands, but using the interface, I can get an L2TP/IPsec VPN working, but it seems I can only get one iPhone client or one Mac client working at once. Is there a way to get multiple clients working? I'll try my cell phone and iPad from home when I get home to the MikroTik in the office (where I am now).

Rob
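An added example, not from this thread: a small Python linter for a RouterOS snippet pasted top to bottom like Chris's. It flags a mode-config that names an address pool before the /ip pool section defines it (the situation in the pasted order above, where RouterOS rejects the pool name), and goes a step further by also flagging 3DES and pfs-group=none in the proposal and peer. The sample config is a constructed copy of the snippet with the placeholders replaced by made-up values (10.0.0.0/24, secret=changeme).

```python
import re
# Constructed sample based on the thread's snippet, pasted in the order given there:
# the pool is defined AFTER the mode-config that references it.
SAMPLE_CONFIG = """\
/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include=10.0.0.0/24
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=l2tp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp secret=changeme
/ip pool
add name="VPN guests" ranges=192.168.168.1-192.168.169.254
"""
WEAK_ALGOS = {"des", "3des", "null"}          # ciphers to flag wherever they are offered
ARG_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_routeros(text):
    # Yield (section, {param: value}) for each 'add' line, in script order.
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            yield section, {k: v.strip('"') for k, v in ARG_RE.findall(line[4:])}

def lint(text):
    # Return a list of findings; an empty list means every check passed.
    findings, pools = [], set()
    for section, args in parse_routeros(text):
        name = args.get("name")
        if section == "/ip pool":
            pools.add(name)
        elif section == "/ip ipsec mode-config":
            pool = args.get("address-pool")
            if pool not in pools:  # the pool must already exist when this line runs
                findings.append(f"mode-config '{name}' references pool '{pool}' before /ip pool defines it")
        elif section == "/ip ipsec proposal":
            offered = set(args.get("enc-algorithms", "").split(","))
            for weak in sorted(offered & WEAK_ALGOS):
                findings.append(f"proposal '{name}' offers weak cipher {weak}")
            if args.get("pfs-group") == "none":
                findings.append(f"proposal '{name}' disables perfect forward secrecy")
        elif section == "/ip ipsec peer" and args.get("enc-algorithm") in WEAK_ALGOS:
            findings.append(f"peer phase 1 uses weak cipher {args['enc-algorithm']}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Moving the /ip pool section above the mode-config makes the first finding disappear; the cipher findings need the proposal and peer changed.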
 
kennerblick
just joined
Posts: 12
Joined: Tue Apr 25, 2017 8:56 am

Re: Super EASY VPN for macOS

Thu Apr 27, 2017 9:01 am

try

/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include="192.168.168.0/23"
 
dhanie99
just joined
Posts: 4
Joined: Thu Sep 06, 2007 8:35 am

Re: Super EASY VPN for macOS

Thu Mar 28, 2019 3:26 am

We have L2TP/IPsec working here for a couple of hundreds road warriors without any problems.
The clients are Windoze laptops, Macs with a variety of OS versions including Sierra, Linux machines, iPhones, iPads, Android phones and tablets.

Here's our proven working config:
/ip ipsec mode-config
add address-pool="VPN guests" name="vpn Guests" split-include=<all our relevant subnets>
/ip ipsec policy group
add name="VPN guests"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=l2tp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 comment="L2tp " enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=<a secret of your choice>
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=l2tp-proposal src-address=0.0.0.0/0 template=yes

/ip pool
add name="VPN guests" ranges=192.168.168.1-192.168.169.254

/ppp profile
add change-tcp-mss=yes dns-server=<our local DNS servers> local-address="VPN guests" name=l2tp-profile remote-address="VPN guests"

/ip firewall filter
add chain=input comment=IKEandL2TP dst-address-list=myWANips dst-port=1701,500,4500 protocol=udp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-esp
add chain=input comment=IPsec dst-address-list=myWANips protocol=ipsec-ah
Hope that helps.
-Chris
Does it work with RouterOS 6.44.1?
