Suenoroco, 2015-09-15 14:56:02

L2TP/IPsec Site-2-Site between Mikrotik and Win Server 2012 RRaS?

Good afternoon. Might be a noob question.
Has anyone had successful experience with a similar task?
Linking 2 offices, with a Mikrotik RB951G-2HnD on one side and a server with RRAS on the other?
Since OVPN on Mikrotik is cut down, only the L2TP/IPsec option remains.
The Internet is full of manuals for Mikrotik + Mikrotik or Cisco ASA, etc. I can't find anything on this topic.
Both sides have a public IP:
RRAS 89.108.***.**
Mikrotik 188.65.***.***
A PPTP client on the Mikrotik connects to RRAS without problems. But L2TP categorically refuses to.
Following the manuals, I configured this on the Mikrotik:
/interface l2tp-client
add allow=chap,mschap2 connect-to=89.108.***.** mrru=1600 name=l2tp-out1 \
password=**** user=****
/ip ipsec proposal
add auth-algorithms=sha1,sha256 enc-algorithms=3des,aes-128-cbc,aes-256-cbc \
name=proposal1 pfs-group=none
/ip ipsec peer
add address=89.108.***.***/32 enc-algorithm=3des,aes-128,aes-256 exchange-mode=\
main-l2tp generate-policy=port-override secret=** **
In the peer settings, Passive is disabled, Send Initial Contact is enabled, NAT Traversal is enabled.
A connection appears under Remote Peers, but the SA exchange does not happen.
[screenshot]
We bring up the L2TP client:
[screenshot]
5 identical Control messages are sent, after which the connection is dropped.
[screenshot]
I can't understand what the reason is, because unfortunately this log doesn't tell me much.
I tried to configure the policies manually; that also ends in failure.
Thanks in advance for any tips.

2 answer(s)
Suenoroco, 2015-09-24

I'll copy it here from the comments.
I got it working, though extremely crookedly, but it works.
Of the oddities, the IPsec policies periodically disappear, while the remote peer and SA remain.
"So, a reminder. On side 1 we have RRAS on Win Server 2012, a public IP, and a LAN behind RRAS. On side 2 a Mikrotik RB951G-2HnD, ROS 6.27, a public IP, and a LAN behind it.
On the RRAS side
In the settings create a tunnel to Mikrotik:
in the RRAS console, under interfaces, create a demand-dial connection to Mikrotik via L2TP. Add a static route right away and tick the persistent connection in the properties.
On the Mikrotik side
Add a pool.
In PPP create a profile and secrets.
Enable the L2TP server with IPsec. Create an interface. Enter the created profile and login/password into it.
Add a NAT rule: add chain=srcnat dst-address=(LAN behind RRAS) src-address=(Mikrotik LAN)
In IPsec add a proposal with the checkboxes sha1, 3des, aes-128-cbc, aes-256-cbc.
Bring up the connection from RRAS to Mikrotik using the login/password created on Mikrotik.
At this point the IPsec transport comes up, but (I can't understand why) the connection is not established.
Then the crutch comes into play.
Create an l2tp-out interface on Mikrotik. Initiate a connection from it to RRAS; it comes up instantly.
After that, initiate the connection from RRAS to Mikrotik, and everything comes up.
Add a route to the LAN behind RRAS.
Packets go from LAN to LAN encrypted. Everything works.
But if one of the sides reboots, fixing the crutch every time ... is not very good.
I'll keep looking for a solution; as a last resort, the crutch can probably be hung on a script."
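The answer's Mikrotik-side steps collected into one RouterOS 6 script, as an added example and not the poster's own export: every address, interface name, account and password below is a constructed placeholder, the `default` proposal is assumed to be the one the dynamically generated L2TP policies reference, and the last block is one way to put the "crutch" the answer mentions as a last resort into a scheduled script.

```routeros
# Constructed placeholders: RRAS public IP 192.0.2.10, LAN behind RRAS 192.168.10.0/24,
# Mikrotik LAN 192.168.20.0/24. Syntax assumes RouterOS 6.x (use-ipsec=yes on the server).

# 1. Pool, PPP profile and secret for the RRAS demand-dial account.
/ip pool add name=l2tp-pool ranges=10.200.0.2-10.200.0.10
/ppp profile add name=l2tp-site local-address=10.200.0.1 remote-address=l2tp-pool use-encryption=yes
/ppp secret add name=rras-dialin password=CHANGE_ME service=l2tp profile=l2tp-site

# 2. L2TP server with IPsec; RouterOS creates a dynamic 0.0.0.0/0 peer with this PSK.
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=PSK_CHANGE_ME \
    default-profile=l2tp-site authentication=mschap2
# Static binding so the inbound tunnel has a stable interface name for the route and the script.
/interface l2tp-server add name=l2tp-in-rras user=rras-dialin

# 3. Proposal (assumption: generated policies use the proposal named "default", so edit that one
#    instead of adding proposal1). 3des/sha1 stay only for RRAS compatibility; remove them once
#    the Windows side negotiates AES/SHA-256.
/ip ipsec proposal set default auth-algorithms=sha1,sha256 \
    enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none

# 4. Keep LAN-to-LAN traffic out of masquerade. The default NAT action is accept, and the rule
#    must sit above the masquerade rule, hence place-before=0.
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    place-before=0 comment="no NAT towards RRAS LAN"

# 5. The "crutch": outbound L2TP client to RRAS. As the answer observed, it relies on the IPsec
#    transport that RRAS's own dial-in attempt has already brought up.
/interface l2tp-client add name=l2tp-out1 connect-to=192.0.2.10 user=mt-dialout \
    password=CHANGE_ME allow=mschap2 add-default-route=no disabled=no

# 6. Route to the LAN behind RRAS over the inbound binding.
/ip route add dst-address=192.168.10.0/24 gateway=l2tp-in-rras comment="RRAS LAN"

# 7. Scripted crutch: once a minute, if the inbound tunnel is not running, bounce the outbound
#    client so RRAS redials and the inbound tunnel comes back after a reboot on either side.
/system script add name=l2tp-kick source=":if ([/interface get l2tp-in-rras running] = false) do={ /interface l2tp-client disable l2tp-out1; :delay 5s; /interface l2tp-client enable l2tp-out1; :log info \"l2tp-kick: inbound tunnel down, bounced l2tp-out1\" }"
/system scheduler add name=l2tp-kick interval=1m on-event=l2tp-kick
```

Check `/ip ipsec installed-sa print` and `/log print where topics~"l2tp"` after a reboot to confirm the scheduler actually restores the tunnel rather than looping.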

VecH, 2015-09-24

Here's what I read recently

On Mikrotik, L2TP/IPsec so far allows only one client to work from inside the network; it seems the developers are planning to fix this, but there is no deadline. If you need several connections from behind one NAT, then it is quite possible to use PPTP.
