How to set up L2TP+IPSec between 2 Mikrotik routers?
Hello. I've been scratching my head for three days now and can't figure out what exactly the problem is.
Task description: there are 2 offices, and a Mikrotik RB951G-2HnD is installed in each office. To access the Internet, a twisted-pair cable is plugged into the ether1 port and a PPPoE connection is brought up on this interface for authorization on the provider's side. This interface is assigned a static public IP address. Ports 2-5 are combined into a bridge, and the LAN computers are connected to these ports.
Office 1:
Public IP: pppoe-out - ip 85.12.xx.yy
Local IP: 192.168.1.0/24
Mikrotik Address: 192.168.1.1
Office 2:
Public IP: pppoe-out - ip 83.95.xx.yy
Local IP: 192.168.2.0/24
Mikrotik address: 192.168.2.1
The task is to connect these 2 local networks via the Internet using an L2TP/IPsec tunnel so that all traffic passing through the tunnel is encrypted:
What I did:
Office 1 is taken as the server side.
1. Set up the L2TP server in Office 1:
- Create a user:
> ppp secret add name=Office2 service=l2tp password=123
local-address=10.0.16.9 remote-address=10.0.16.10
/ppp secret> print detail
Flags: X - disabled
0 name="Office2" service=l2tp caller-id="" password=
local-address=10.0.16.9 remote-address=10.0.16.10
limit-bytes-out=0 last-logged-out=jan/01/1970 00:0
> interface l2tp-server add disabled=no name=l2tp-Office2
user=Office2
> interface l2tp-server server set authentication=pap,chap,
mschap1,mschap2 default-profile=default-encryption enabled=yes
max-mru=1460 max-mtu=1460 use-ipsec=yes
> interface l2tp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: pap,chap,mschap1,mschap2
keepalive-timeout: 15
default-profile: default-encryption
use-ipsec: yes
ipsec-secret: 123456789
> ip ipsec proposal set default auth-algorithms=sha1
disabled=no enc-algorithms=3des lifetime=30m name=default
pfs-group=modp1024
> ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des
lifetime=30m pfs-group=modp1024
>
> ip ipsec peer add address=10.0.16.10 auth-method=pre-shared-key
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test
send-initial-contact=yes
> ip ipsec peer print
Flags: X - disabled, D - dynamic
0 D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key
secret="123456789" generate-policy=port-strict policy-group=*2 exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
1 address=10.0.16.10/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="test" generate-policy=no policy-group=*2 exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
> ip route add comment=Office2 disabled=no distance=1
dst-address=192.168.2.0/24 gateway=10.0.16.10 scope=30 target-scope=10
> interface l2tp-client add add-default-route=no allow=pap,chap,
mschap1,mschap2 connect-to=85.12.xx.yy dial-on-demand=no disabled=no
max-mru=1460 max-mtu=1460 name=l2tp-Office1 password=123 user=Office2
> ip ipsec proposal set default auth-algorithms=sha1
disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
> ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
> ip ipsec policy add action=encrypt disabled=no
dst-address=192.168.1.0/24 ipsec-protocols=esp level=require priority=0
proposal=default protocol=udp sa-dst-address=10.0.16.9
sa-src-address=10.0.16.10 src-address=192.168.2.0/24 tunnel=yes
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=85.172.xx.yy/32 dst-address=83.239.xx.yy/32
protocol=udp proposal=default template=yes
1 src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24
dst-port=any protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=10.0.16.10
sa-dst-address=10.0.16.9 proposal=default priority=0
> ip route add disabled=no distance=1 dst-address=192.168.1.0/24
gateway=10.0.16.9 scope=30 target-scope=10
> ip ipsec remote-peers print
0 local-address=10.0.16.9 remote-address=10.0.16.10 state=established
side=initiator established=4m22s
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
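Added example (editor's, not the asker's configuration): a complete L2TP-over-IPsec pair of configs for the two routers, in RouterOS 6.43+/7.x syntax (where the IPsec peer is split into profile, peer and identity). It assumes the public addresses 85.12.xx.yy / 83.95.xx.yy, the LANs 192.168.1.0/24 and 192.168.2.0/24 and the tunnel addresses 10.0.16.9/10 as given in the question, a WAN interface named pppoe-out1, and placeholder values for the user password and pre-shared key. Setting use-ipsec on the L2TP server is what creates the dynamic peer and the transport-mode policy for UDP/1701 (the `D` entry in the question's peer print), so no hand-made peer or tunnel-mode policy between the 10.0.16.x addresses is needed; everything routed through the l2tp interface is already inside that ESP. The example also replaces 3DES/SHA-1/modp1024 with AES-256/SHA-256/modp2048, lets L2TP in only when it arrived under an IPsec policy, and keeps inter-office traffic out of masquerade:

```routeros
# Added example, not code from the original post. RouterOS 6.43+/7.x syntax.
# Assumed: WAN interface pppoe-out1; CHANGE-ME-* values are placeholders;
# addresses and networks are the ones from the question.

### ---- Office 1 (L2TP server, public 85.12.xx.yy) ----
# The L2TP server's dynamic IPsec peer uses the "default" profile/proposal,
# so strengthen those instead of the 3des/sha1/modp1024 defaults.
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# One PPP user for the remote router. "routes" installs the return route to
# the Office 2 LAN whenever this user is connected (no static route needed).
/ppp secret add name=Office2 password=CHANGE-ME-USER-PW service=l2tp \
    local-address=10.0.16.9 remote-address=10.0.16.10 \
    routes="192.168.2.0/24 10.0.16.10 1"
/interface l2tp-server add name=l2tp-Office2 user=Office2
# use-ipsec=required: L2TP sessions without an IPsec SA are refused.
# MTU 1400 leaves room for PPPoE + IPsec + L2TP + PPP overhead.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret=CHANGE-ME-PSK authentication=mschap2 max-mtu=1400 max-mru=1400

# Input firewall: IKE and ESP only from the other office; UDP/1701 only
# when it was decapsulated from IPsec, plaintext L2TP is dropped.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=83.95.xx.yy comment="IKE from Office 2"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=83.95.xx.yy comment="ESP from Office 2"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP only inside IPsec"
/ip firewall filter add chain=input action=drop protocol=udp dst-port=1701 \
    comment="plaintext L2TP"
# Keep LAN-to-LAN traffic out of masquerade. place-before=0 assumes the
# masquerade rule is currently rule 0; adjust to your rule list.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 comment="no NAT to Office 2"

### ---- Office 2 (L2TP client, public 83.95.xx.yy) ----
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/interface l2tp-client add name=l2tp-Office1 connect-to=85.12.xx.yy \
    user=Office2 password=CHANGE-ME-USER-PW use-ipsec=yes ipsec-secret=CHANGE-ME-PSK \
    allow=mschap2 add-default-route=no max-mtu=1400 max-mru=1400 disabled=no
# Route the Office 1 LAN over the point-to-point interface.
/ip route add dst-address=192.168.1.0/24 gateway=l2tp-Office1 comment=Office1
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=85.12.xx.yy comment="IKE from Office 1"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=85.12.xx.yy comment="ESP from Office 1"
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24 comment="no NAT to Office 1"

### ---- Checks (run on either side) ----
/ip ipsec active-peers print      # one entry, state established
/ip ipsec installed-sa print      # ESP SAs showing aes-256-cbc / sha256
/ip ipsec policy print            # dynamic transport policy for UDP/1701 with flag A
/interface l2tp-server print      # Office 1: the l2tp-Office2 interface is running
/ping 192.168.2.1 src-address=192.168.1.1 count=3   # from Office 1's LAN address
# On the WAN link only IKE and ESP (or UDP/4500 with NAT-T) should be seen;
# a quick sniff for plaintext L2TP must stay empty:
/tool sniffer quick interface=pppoe-out1 port=1701
```

The two `ipsec-secret` values and the two PPP passwords must match on both ends; the question's output shows the dynamic L2TP peer carrying a different secret from the manually added peer, and with the manual peer gone there is only one secret left to keep in sync.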
Wow, a lot has been written, so I only skimmed it.
So, if you need to connect two offices so that traffic from the 192.168.1.X/24 network goes to the 192.168.2.X/24 network, then in principle you don't need an L2TP tunnel in this case; it's enough to create a tunnel at the IPsec level (which, by the way, you already do in your settings), and no routes or policies are needed in this case. IPsec in tunnel mode will itself create a tunnel transparent to ROS and wrap the traffic into it.
The procedure is as follows:
1. Create an IPsec peer on each MK (MikroTik), where the peer address is the remote office, with permission to add traffic policies.
2. Create IPsec policies on each MK, where the source network is the local network; the destination network is the remote network; the SA source is the external address of this MK; the SA destination is the public address of the remote peer, the same one configured in the adjacent tab.
3. In the NAT rules, make an accept rule for traffic back and forth between these networks.
The routing list should stay empty. If key-exchange entries appear, everything worked.
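The procedure above written out in full, as an added example (editor's, not the answerer's configuration): a pure IPsec site-to-site tunnel with IKEv2 and a pre-shared key, in RouterOS 6.43+/7.x syntax. It assumes the public addresses 85.12.xx.yy / 83.95.xx.yy and the LANs from the question, placeholder PSKs, and the peer names office1/office2; the profile/proposal/peer/identity objects and their names are the example's own choices. Rather than letting the peer generate policies, it adds the LAN-to-LAN policy explicitly so that `level=require` guarantees the two LANs never talk in the clear, and it puts the NAT accept rule above masquerade, which is the step most often missed:

```routeros
# Added example, not the answerer's own config. RouterOS 6.43+/7.x syntax.
# Assumed: addresses/networks from the question; CHANGE-ME-PSK is a placeholder
# (use the same value on both routers); names s2s/office1/office2 are invented.

### ---- Office 1 (public 85.12.xx.yy) ----
/ip ipsec profile add name=s2s enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=s2s enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h
# Peer = the other office's public address; identity = how we authenticate to it.
/ip ipsec peer add name=office2 address=83.95.xx.yy/32 exchange-mode=ike2 profile=s2s
/ip ipsec identity add peer=office2 auth-method=pre-shared-key secret=CHANGE-ME-PSK
# Tunnel-mode policy for all traffic between the LANs. level=require: if no SA
# exists, matching packets are dropped rather than sent unencrypted.
/ip ipsec policy add peer=office2 tunnel=yes src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 protocol=all action=encrypt level=require proposal=s2s
# NAT bypass must come before masquerade, otherwise the packets reach the
# policy with the public source address and never match it.
# place-before=0 assumes masquerade is rule 0; adjust to your rule list.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 comment="no NAT to Office 2"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=83.95.xx.yy comment="IKE from Office 2"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=83.95.xx.yy comment="ESP from Office 2"

### ---- Office 2 (public 83.95.xx.yy): mirror image ----
/ip ipsec profile add name=s2s enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=s2s enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h
/ip ipsec peer add name=office1 address=85.12.xx.yy/32 exchange-mode=ike2 profile=s2s
/ip ipsec identity add peer=office1 auth-method=pre-shared-key secret=CHANGE-ME-PSK
/ip ipsec policy add peer=office1 tunnel=yes src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 protocol=all action=encrypt level=require proposal=s2s
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24 comment="no NAT to Office 1"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=85.12.xx.yy comment="IKE from Office 1"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=85.12.xx.yy comment="ESP from Office 1"

### ---- Checks (run on either side) ----
/ip ipsec active-peers print        # the remote peer, state established
/ip ipsec installed-sa print        # ESP SAs in both directions, aes-256-cbc / sha256
/ip ipsec policy print              # the LAN-to-LAN policy carries flag A (active)
/ip route print where dst-address=192.168.2.0/24   # empty: the policy steers traffic, not routing
/ping 192.168.2.1 src-address=192.168.1.1 count=3   # Office 1 router to Office 2 router
```

Both sides are configured identically apart from swapped addresses, so either router can initiate; DPD in the profile tears down and re-establishes the SA when a PPPoE session drops and comes back.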
Everything you need, laid out clearly, is in the article Site to Site IpSec Tunnel.
OpenVPN in Mikrotik does not support UDP. The delay in the VPN channel will be large.