L2TP+IPsec. Windows 2008 R2 as server and MikroTik as client. How to connect?
There is a Windows 2008 R2 server. Upgrading to a newer version (2012-2016) is not possible; all updates are installed. The "Routing and Remote Access" role has been set up, and an L2TP server with a pre-shared key has been configured. It uses EAP and MS-CHAP v2 authentication.
On the firewall, the rule "Routing and Remote Access (L2TP - incoming)" is enabled, and incoming traffic on UDP 500, 1701, 4500 is allowed manually, as well as the GRE protocol.
Clients on Win7 and Win10 connect without problems.
There is a MikroTik with routeros-mipsbe 6.42.2. I'm trying to set it up as a client. It does not work.
Settings:
[[email protected]_Office] > interface l2tp-client print
Flags: X - disabled, R - running
0 X name="l2tp-test" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=8.8.8.8 user="Admin" password="321pusk"
profile=default-encryption keepalive-timeout=60 use-ipsec=yes ipsec-secret="hrenpodberesh" allow-fast-path=no
add-default-route=no dial-on-demand=no allow=mschap2
[[email protected]_Office] > ppp profile print
Flags: * - default
3 name="profile1" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default
use-upnp=default address-list="" on-up="" on-down=""
4 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""
[[email protected]_Office] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc,3des lifetime=30m pfs-group=none
1 name="proposal1" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m pfs-group=none
[[email protected]_Office] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 X address=8.8.8.8/32 auth-method=pre-shared-key secret="hrenpodberesh" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5
Set up a client on CentOS 7 according to the instructions:
https://github.com/hwdsl2/setup-ipsec-vpn/blob/mas...
[[email protected] ~]# cat /etc/strongswan/ipsec.conf | grep -v "^$\|#"
config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
conn myvpn
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=8.8.8.8
[[email protected] ~]# cat /etc/xl2tpd/xl2tpd.conf
[lac myvpn]
lns = 8.8.8.8
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
[[email protected] ~]# cat /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name Admin
password 321pusk
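
An added example, not part of either post above: a small Python check that compares the IKEv1 proposals in the MikroTik settings from the question with the suites pinned in the strongSwan configuration from the answer, and marks legacy primitives in the overlap. The input strings are copied from the posts; the function names, the cipher-name normalisation and the `LEGACY` set are assumptions of this example.

```python
import re

# Inputs copied from the posts above (RouterOS print output and ipsec.conf values).
ROS_PEER = "hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024"
ROS_PROPOSAL = "auth-algorithms=sha1 enc-algorithms=aes-128-cbc,3des lifetime=30m pfs-group=none"
SWAN_IKE, SWAN_ESP = "3des-sha1-modp1024!", "3des-sha1!"
LEGACY = {"3des", "modp1024"}  # assumption of this example: primitives to flag

def parse_routeros(line):
    """RouterOS key=value print output -> {key: [comma-separated values]}."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"').split(",") for k, v in pairs}

def norm(name):
    """Assumed spelling map: aes-128-cbc / aes-128 / aes128 -> aes128."""
    return name.lower().replace("-cbc", "").replace("-", "")

def parse_swan(value):
    """strongSwan 'enc-integ[-dh]' list -> [(enc, integ, dh or None)]."""
    suites = []
    for suite in value.rstrip("!").split(","):
        parts = suite.strip().lower().split("-")
        suites.append((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return suites

def overlap(ros, enc_key, integ_key, dh_key, swan_value):
    """Suites pinned on the strongSwan side that the RouterOS side also offers."""
    enc = {norm(e) for e in ros[enc_key]}
    integ = {norm(a) for a in ros[integ_key]}
    dh = {g for g in ros[dh_key] if g != "none"}
    return [s for s in parse_swan(swan_value)
            if s[0] in enc and s[1] in integ
            and ((s[2] is None and not dh) or s[2] in dh)]

def legacy(suites):
    """Legacy primitives present in the given suites, sorted."""
    return sorted({p for s in suites for p in s if p in LEGACY})

def report():
    peer, prop = parse_routeros(ROS_PEER), parse_routeros(ROS_PROPOSAL)
    p1 = overlap(peer, "enc-algorithm", "hash-algorithm", "dh-group", SWAN_IKE)
    p2 = overlap(prop, "enc-algorithms", "auth-algorithms", "pfs-group", SWAN_ESP)
    return {"phase1": p1, "phase2": p2, "legacy": legacy(p1 + p2)}

if __name__ == "__main__":
    print(report())
```

An empty `phase1` or `phase2` list would mean the two sides share no suite for that phase.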