unps, 2014-09-24 00:25:27

How to set up L2TP+IPSec between 2 Mikrotik routers?

Hello. I've been scratching my head for three days now and can't find exactly what the problem is.
Task description: there are 2 offices, and a Mikrotik RB951G-2HnD is installed in each office. For Internet access, a twisted-pair cable is plugged into the ether1 port and a PPPoE connection is brought up on this interface for authorization on the provider's side. This interface is assigned a permanent public ("white") IP address. Ports 2-5 are combined into a bridge, and the LAN computers are connected to these ports.
Office 1:
Public IP: pppoe-out - ip 85.12.xx.yy
Local IP: 192.168.1.0/24
Mikrotik Address: 192.168.1.1
Office 2:
Public IP: pppoe-out - ip 83.95.xx.yy
Local IP: 192.168.2.0/24
Mikrotik address: 192.168.2.1
The task is to connect these 2 local networks via the Internet using L2TP/IPSec Tunnel so that all traffic passing through the tunnel is encrypted:
What I did:
Office 1 is taken as the server side.
1. Set up an L2TP server in Office 1:
- Create a user:

 > ppp secret add name=Office2 service=l2tp password=123
local-address=10.0.16.9 remote-address=10.0.16.10

 /ppp secret> print detail 
Flags: X - disabled 
 0   name="Office2" service=l2tp caller-id="" password=
     local-address=10.0.16.9 remote-address=10.0.16.10 
     limit-bytes-out=0 last-logged-out=jan/01/1970 00:0

- Create an L2TP interface for the created user
 > interface l2tp-server add disabled=no name=l2tp-Office2
user=Office2

- Enable L2TP/IPsec
 > interface l2tp-server server set authentication=pap,chap,
mschap1,mschap2 default-profile=default-encryption enabled=yes 
max-mru=1460 max-mtu=1460 use-ipsec=yes 
 > interface l2tp-server server print                                                       
enabled: yes                                               
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: pap,chap,mschap1,mschap2
keepalive-timeout: 15
default-profile: default-encryption
use-ipsec: yes
ipsec-secret: 123456789

- Create an ipsec proposal:
 > ip ipsec proposal set default auth-algorithms=sha1 
disabled=no enc-algorithms=3des lifetime=30m name=default 
pfs-group=modp1024 
 > ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des 
lifetime=30m pfs-group=modp1024 
 >

- Create ipsec policy:
> ip ipsec policy add action=encrypt disabled=no
dst-address=192.168.2.0/24 ipsec-protocols=esp level=require priority=0
proposal=default protocol=udp sa-dst-address=10.0.16.10
sa-src-address=10.0.16.9 src-address=192.168.1.0/24 tunnel=yes
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=*3 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=udp
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.16.9
sa-dst-address=10.0.16.10 proposal=default priority=0
- Create an ipsec peer:
 > ip ipsec peer add address=10.0.16.10 auth-method=pre-shared-key 
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test 
send-initial-contact=yes 
 > ip ipsec peer print 
Flags: X - disabled, D - dynamic 
 0  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key 
      secret="123456789" generate-policy=port-strict policy-group=*2 exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m 
      dpd-maximum-failures=5 

 1    address=10.0.16.10/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="test" generate-policy=no policy-group=*2 exchange-mode=main send-initial-contact=yes 
      nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 
      lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

- Add a route to Office 2
 > ip route add comment=Office2 disabled=no distance=1 
dst-address=192.168.2.0/24 gateway=10.0.16.10 scope=30 target-scope=10

With the configuration of the first Mikrotik completed, let's move on to the second one, which will be an L2TP client:
- Create an l2tp interface to connect to the server
 > interface l2tp-client add add-default-route=no allow=pap,chap,
mschap1,mschap2 connect-to=85.12.xx.yy dial-on-demand=no disabled=no 
max-mru=1460 max-mtu=1460 name=l2tp-Office1 password=123 user=Office2

After executing this command, an L2TP tunnel is established.
- Create an ipsec proposal (the settings are exactly the same as we did on the server):
 > ip ipsec proposal set default auth-algorithms=sha1 
disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024 
 > ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m 
      pfs-group=modp1024

- Create ipsec policy:
 > ip ipsec policy add action=encrypt disabled=no 
dst-address=192.168.1.0/24 ipsec-protocols=esp level=require priority=0 
proposal=default protocol=udp sa-dst-address=10.0.16.9 
sa-src-address=10.0.16.10 src-address=192.168.2.0/24 tunnel=yes 
 > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=85.172.xx.yy/32 dst-address=83.239.xx.yy/32 
       protocol=udp proposal=default template=yes 

 1     src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 
       dst-port=any protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=10.0.16.10 
       sa-dst-address=10.0.16.9 proposal=default priority=0

- Create ipsec peer:
> ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test
send-initial-contact=yes
 > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=10.0.16.9/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="test" generate-policy=no
policy-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=1
- Add route to Office one
 > ip route add disabled=no distance=1 dst-address=192.168.1.0/24 
gateway=10.0.16.9 scope=30 target-scope=10

After all these settings, connections are displayed in /ip ipsec remote-peers
 > ip ipsec remote-peers print 
 0 local-address=10.0.16.9 remote-address=10.0.16.10 state=established 
   side=initiator established=4m22s

It would seem that the whole setup is not complicated, and after that entries should appear in /ip ipsec installed-sa, but they do not appear at all. Data is transferred from one network to the other perfectly, but I suspect that the channel has turned out to be unencrypted, since there are no entries in /ip ipsec installed-sa and the CPU is not loaded at all during operation. Trying to deal with the problem, I added firewall rules on each Mikrotik:
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp

Mikrotik version 6.19.
I have already tried everything and read every guide I could find, but I still can't get it to work. ;( Please tell me what else I missed when setting it up and what needs to be corrected. Many thanks in advance for the advice.
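As an added illustration (not code from the original post and not RouterOS code), the following Python models how an IPsec SPD chooses a policy for an outbound packet and applies it to the Office 1 policy table exactly as printed above: a flow that matches no non-template policy is simply routed in the clear, and `level=require` only applies to flows that a policy actually selects. The sample flows are constructed; the second table, with `protocol=all`, is a hypothetical variant added for comparison and is not on the page.

```python
"""Toy model of IPsec SPD selector matching (added example, not RouterOS code).

Only the outbound direction is modelled: RouterOS also installs the mirror
selector for inbound packets, but that does not change which flows are
selected for ESP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One row of `/ip ipsec policy print`, reduced to the selectors that decide a match."""
    src_address: str
    dst_address: str
    protocol: str                  # "all" or an IP protocol name: "udp", "tcp", "icmp", ...
    action: str                    # "encrypt" or "none"
    sa_src_address: Optional[str] = None
    sa_dst_address: Optional[str] = None
    template: bool = False         # rows flagged T only constrain generate-policy; they never carry traffic


def select_policy(policies: List[Policy], src_ip: str, dst_ip: str, proto: str) -> Optional[Policy]:
    """Return the first non-template policy whose selectors cover the packet, or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.template:
            continue
        if (src in ipaddress.ip_network(p.src_address, strict=False)
                and dst in ipaddress.ip_network(p.dst_address, strict=False)
                and p.protocol in ("all", proto)):
            return p
    return None


def disposition(policies: List[Policy], src_ip: str, dst_ip: str, proto: str) -> str:
    """'clear' when nothing matches (the packet leaves unprotected); otherwise the
    SA endpoints the matched encrypt policy would negotiate a phase-2 SA between."""
    p = select_policy(policies, src_ip, dst_ip, proto)
    if p is None or p.action != "encrypt":
        return "clear"
    return f"encrypt {p.sa_src_address}->{p.sa_dst_address}"


# Office 1's table as posted (rows 0 and 1 of the print output in the question).
OFFICE1_POLICIES = [
    Policy("0.0.0.0/0", "0.0.0.0/0", "all", "none", template=True),
    Policy("192.168.1.0/24", "192.168.2.0/24", "udp", "encrypt", "10.0.16.9", "10.0.16.10"),
]

# Hypothetical variant (not on the page): the same row with protocol=all.
OFFICE1_PROTOCOL_ALL = [
    OFFICE1_POLICIES[0],
    Policy("192.168.1.0/24", "192.168.2.0/24", "all", "encrypt", "10.0.16.9", "10.0.16.10"),
]

Flow = Tuple[str, str, str]

# Constructed sample flows: (src, dst, protocol).
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.10", "192.168.2.10", "icmp"),  # a ping between the two LANs
    ("192.168.1.10", "192.168.2.10", "tcp"),   # an SMB or RDP session between the LANs
    ("192.168.1.10", "192.168.2.10", "udp"),   # the only kind of traffic the posted row covers
    ("192.168.1.10", "8.8.8.8", "tcp"),        # Internet traffic, outside both selectors
]


def report(policies: List[Policy], flows: List[Flow] = SAMPLE_FLOWS) -> Dict[Flow, str]:
    """Map every sample flow to what the given policy table does with it."""
    return {flow: disposition(policies, *flow) for flow in flows}


if __name__ == "__main__":
    for name, table in (("as posted", OFFICE1_POLICIES), ("protocol=all (hypothetical)", OFFICE1_PROTOCOL_ALL)):
        print(f"--- Office 1 policy table {name}")
        for (src, dst, proto), result in report(table).items():
            print(f"{proto:4} {src} -> {dst}: {result}")
```

With the table as posted, the ping and TCP flows between the LANs return `clear`, which is consistent with seeing working connectivity, no CPU load and an empty `/ip ipsec installed-sa`: nothing selects them for ESP, so no phase-2 SA is ever requested for them.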


3 answer(s)
Cool Admin, 2014-09-24
@ifaustrue

Wow, a lot has been written, so I only skimmed it.
So, if you need to connect two offices so that traffic from the 192.168.1.X/24 network goes to the 192.168.2.X/24 network, then in principle you don't need an L2TP tunnel in this case; it is enough to create a tunnel at the IPsec level (which, by the way, you already do in your settings), and no routes or policies are needed for that. IPsec in tunnel mode will itself create a tunnel that is transparent to ROS and wrap the traffic into it.
The procedure is as follows:
1. Create an IPsec peer on each MK, where the peer address is the remote office, with permission to add traffic policies.
2. Create IPsec policies on each MK, where the source network is the local network; the destination network is the remote network; the source peer is the external address of this MK; the destination peer is the remote public ("white") peer address, the same one configured in the next tab.
3. In the NAT rules, make an accept rule for traffic back and forth between these networks.
The routing list should be empty. If there are key-exchange entries, everything worked.
Everything you need, laid out clearly, is in the article Site to Site IPsec Tunnel.
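The pure tunnel-mode IPsec setup this answer describes, written out here as an added example for Office 1 using the addresses from the question (these are not the answer's own commands and not taken from the linked article). Assumptions: the PPPoE interface is named pppoe-out1, the pre-shared key is a placeholder to be replaced, `aes-128-cbc` is the RouterOS 6.x proposal name for AES-128, and `place-before=0` presumes each chain already has at least one rule (drop it on an empty chain). Office 2 gets the mirror image with the two subnets and the two public addresses swapped. Policies are static, so the peer keeps `generate-policy=no`.

```routeros
# Office 1: public 85.12.xx.yy on pppoe-out1, LAN 192.168.1.0/24. Mirror this on Office 2.

# 1. Phase 1 peer: the remote office's PUBLIC address, not an address inside an L2TP tunnel.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024 lifetime=30m
/ip ipsec peer add address=83.95.xx.yy/32 auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" exchange-mode=main enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 nat-traversal=no generate-policy=no dpd-interval=2m dpd-maximum-failures=5

# 2. Phase 2 policy: selectors are the two LANs with protocol=all, SA endpoints are the two public addresses.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=85.12.xx.yy sa-dst-address=83.95.xx.yy proposal=default

# 3. Keep inter-office traffic out of the masquerade rule: srcnat runs before policy lookup,
#    so a masqueraded source address would no longer match the selector above.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept place-before=0

# 4. Admit IKE and ESP from the peer only, ahead of any drop rule in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=500 src-address=83.95.xx.yy action=accept place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp src-address=83.95.xx.yy action=accept place-before=0

# No static route for 192.168.2.0/24: the policy captures that traffic on its way out via the default route.

# Verification: phase 1 AND phase 2 must both be present, and the WAN must carry ESP rather than plaintext.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/tool sniffer quick interface=pppoe-out1 ip-protocol=ipsec-esp
```

The check that matters is the last three lines: `remote-peers` alone only proves IKE phase 1, which is what the question's output showed; encrypted traffic exists only once `installed-sa` lists an ESP SA pair and the sniffer on the PPPoE interface shows ESP while a host in 192.168.1.0/24 pings 192.168.2.0/24.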

kijimoshike, 2015-06-29
@kijimoshike

OpenVPN in Mikrotik does not support UDP. The delay in the VPN channel will be large.

Viktor, 2014-10-02
@awsswa59

IPsec slows down the processor on Mikrotik so much that the solution is not viable;
bring up OpenVPN instead.
