Mikrotik
Daeamon, 2019-10-26 13:32:38

Mikrotik client to Strongswan L2TP/IPsec: how to configure it correctly?

Hello, I'm trying to route all traffic through the VPN. The Mikrotik is at home; Ubuntu is installed on a remote machine with strongswan configured (set up through a script on DigitalOcean). I want all devices on the Mikrotik network to reach the Internet via the VPN on DO.
The phone connects to the VPN without any problems and has Internet access; the Mikrotik connects to the VPN but has no Internet access.
Mikrotik settings

(screenshots of the Mikrotik configuration were attached to the original post)

On the Mikrotik I also mark all packets from the internal network as AnotherGWRoute.
I added a masquerade rule on the l2tp-out1 interface.
ipsec.conf

version 2.0
config setup
    # protostack, phase2alg, xauthby and ikev2=never are Libreswan/Openswan keywords:
    # this is the file the setup script wrote, not strongSwan syntax.
    # Parameter lines must be indented; a line starting in column 1 opens a new section.
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
    protostack=netkey
    interfaces=%defaultroute
    uniqueids=no
    nat_traversal=yes
    force_keepalive=yes
conn %default
    type=tunnel
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    # legacy defaults (3DES, MD5, DH group 2); every conn below overrides them via also=shared
    esp=3des-sha1
    ike=3des-md5-modp1024
    keylife=8h
    keyexchange=ike
    left=
    pfs=yes
conn shared
    left=%defaultroute
    leftid=
    right=%any
    encapsulation=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # IKEv1 only; the proposals still include SHA-1 and modp1024 (DH group 2)
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
    sha2-truncbug=no
# L2TP/IPsec: transport-mode ESP protecting UDP/1701 only
conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    phase2=esp
    also=shared
# IKEv1 XAuth/Mode Config clients (tunnel mode, addresses from the pool)
conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.43.10-192.168.43.250
    rightsubnet=192.168.0.0/24
    modecfgdns="8.8.8.8 8.8.4.4"
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    cisco-unity=yes
    also=shared

Firewall on Ubuntu

# Generated by iptables-save v1.4.21 on Sat Oct 26 10:34:38 2019
*nat
:PREROUTING ACCEPT [37174:2148030]
:INPUT ACCEPT [31653:1715753]
:OUTPUT ACCEPT [874:62061]
:POSTROUTING ACCEPT [1507:176391]
# L2TP clients (192.168.42.0/24, ppp+ addresses) are NATed out of eth0
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
# XAuth clients (192.168.43.0/24) are NATed only when the packet is not about to enter
# an IPsec policy, so traffic bound for another IPsec peer keeps its original source
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.42.0/29 -j MASQUERADE
COMMIT
# Completed on Sat Oct 26 10:34:38 2019
# Generated by iptables-save v1.4.21 on Sat Oct 26 10:34:38 2019
*filter
:INPUT ACCEPT [104:4920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [590:30571]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
# Plaintext L2TP (UDP/1701 that did not arrive inside IPsec) is dropped here,
# before the RELATED,ESTABLISHED shortcut below can accept it
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IKE and NAT-T
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
# L2TP is accepted only when it arrived inside an IPsec policy
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# L2TP clients: replies from eth0 back into ppp+, anything from ppp+ out to eth0
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
# XAuth clients
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/29 -j ACCEPT
-A FORWARD -d 192.168.42.0/29 -j ACCEPT
# MSS clamping so TCP sessions fit the tunnel MTU
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sat Oct 26 10:34:38 2019
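The server firewall above only accepts L2TP inside IPsec, and the order of the INPUT rules is what makes that hold: the `--pol none` drop sits before the RELATED,ESTABLISHED shortcut, so a plaintext UDP/1701 packet is never accepted even when conntrack has already seen the flow. The following script is an added example, not part of the original post, that parses a constructed excerpt of that INPUT chain (the same rules in the same order) and applies first-match semantics to a few packets. `Packet`, `Rule`, `parse_rules` and `verdict` are the example's own names, and the evaluator understands only the match options that occur in these rules.

```python
# Added example (not from the original post): a minimal first-match evaluator
# for the *filter INPUT chain posted in the question, to show which rule decides
# the fate of L2TP (UDP/1701) and IKE (UDP/500, 4500) packets.
import shlex
from dataclasses import dataclass

# Constructed excerpt: the INPUT rules from the question's iptables-save dump, in order.
FILTER_INPUT = """\
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
"""

# fail2ban-ssh is a user chain whose only rule is RETURN, so it never terminates evaluation
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str               # "tcp" or "udp"
    dport: int
    pol: str = "none"        # "none": plaintext; "ipsec": arrived inside an IPsec SA
    ctstate: str = "NEW"     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    match: dict
    target: str


def parse_rules(dump):
    """Parse the subset of iptables-save syntax used by these rules."""
    rules = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        toks = shlex.split(line)
        m, target, i = {}, None, 0
        while i < len(toks):
            t = toks[i]
            if t == "-p":
                m["proto"] = toks[i + 1]
                i += 2
            elif t == "--dport":
                m["dports"] = {int(toks[i + 1])}
                i += 2
            elif t == "--dports":
                m["dports"] = {int(p) for p in toks[i + 1].split(",")}
                i += 2
            elif t == "--pol":
                m["pol"] = toks[i + 1]
                i += 2
            elif t == "--ctstate":
                m["ctstate"] = set(toks[i + 1].split(","))
                i += 2
            elif t == "-j":
                target = toks[i + 1]
                i += 2
            else:
                i += 1   # -A INPUT, -m <module>, --dir in: nothing to match on
        rules.append(Rule(m, target))
    return rules


def matches(rule, pkt):
    """A rule matches when every match option it carries agrees with the packet."""
    m = rule.match
    return (m.get("proto", pkt.proto) == pkt.proto
            and pkt.dport in m.get("dports", {pkt.dport})
            and m.get("pol", pkt.pol) == pkt.pol
            and pkt.ctstate in m.get("ctstate", {pkt.ctstate}))


def verdict(rules, pkt, chain_policy="ACCEPT"):
    """Return (target, 1-based rule number) of the first terminating match,
    or (chain_policy, None) when the packet falls off the end of the chain."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt) and rule.target in TERMINAL:
            return rule.target, n
    return chain_policy, None


if __name__ == "__main__":
    rules = parse_rules(FILTER_INPUT)
    for pkt in (Packet("udp", 1701),                        # plaintext L2TP
                Packet("udp", 1701, ctstate="ESTABLISHED"), # plaintext, flow already seen
                Packet("udp", 1701, pol="ipsec"),           # L2TP inside IPsec
                Packet("udp", 4500),                        # IKE over NAT-T
                Packet("tcp", 22)):                         # SSH: fail2ban-ssh returns, chain policy applies
        print(pkt, "->", verdict(rules, pkt))
```

Running it shows plaintext L2TP dropped by rule 2 whether the flow is NEW or ESTABLISHED, L2TP inside IPsec accepted by rule 6 (or by the conntrack shortcut in rule 4 once the flow is established), and SSH falling through to the chain policy because the fail2ban chain only returns.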

1 answer(s)
Denis Sechin, 2019-10-26
@tamogavk

The only thing better than the IPsec implementation on Mikrotik is strongSwan. I say this because I have set up IPsec on both Mikrotik and Linux. And once I had to configure IPsec between a Juniper vSRX and a Linux server. On Linux I used strongSwan route-based; that mode is configured with crutches: you need to mark the interfaces and specify the marking in the config.
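Whichever daemon ends up terminating the tunnel, the ipsec.conf posted in the question is worth reading for its effective proposals rather than line by line: `conn %default` still carries `ike=3des-md5-modp1024` and `esp=3des-sha1`, every conn pulls in `also=shared`, which overrides both, and `shared` itself still offers SHA-1 and modp1024 (DH group 2). The script below is an added example, not code from the original post or from Libreswan, that resolves the per-conn settings of a constructed excerpt of that file and flags legacy algorithms. It assumes Libreswan's precedence (a conn's own parameters win over those pulled in by `also=`, which win over `%default`) and treats `phase2alg` as the older spelling of `esp`; `parse_conf`, `effective` and `legacy_findings` are the example's own names.

```python
# Added example (not from the original post): resolve the effective settings of
# each conn in a Libreswan-style ipsec.conf and flag legacy algorithms.
# Assumed precedence: a conn's own parameters > also= conns > conn %default.

# Constructed excerpt of the ipsec.conf posted in the question.
IPSEC_CONF = """\
config setup
    protostack=netkey
conn %default
    type=tunnel
    authby=secret
    esp=3des-sha1
    ike=3des-md5-modp1024
    pfs=yes
conn shared
    left=%defaultroute
    right=%any
    pfs=no
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
conn l2tp-psk
    auto=add
    type=transport
    leftprotoport=17/1701
    also=shared
conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    modecfgdns="8.8.8.8 8.8.4.4"
    also=shared
"""

ALIASES = {"phase2alg": "esp"}                  # phase2alg is the older name for esp
LEGACY = ("3des", "md5", "modp1024", "sha1")    # substrings that mark a legacy proposal


def parse_conf(text):
    """Return {(kind, name): {param: value}}. Section headers start in column 1;
    parameters are the indented lines below them (comments stripped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, _, value = line.strip().partition("=")
        current[ALIASES.get(key, key)] = value.strip().strip('"')
    return sections


def effective(sections, name, _seen=()):
    """Merge %default, then every also= conn, then the conn's own parameters."""
    if name in _seen:
        raise ValueError("also= loop through conn %s" % name)
    own = sections[("conn", name)]
    merged = {}
    if name != "%default" and ("conn", "%default") in sections:
        merged.update(effective(sections, "%default", _seen + (name,)))
    for inc in own.get("also", "").split(","):
        if inc.strip():
            merged.update(effective(sections, inc.strip(), _seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def legacy_findings(eff):
    """List (setting, proposal, hits) for every ike/esp proposal that uses a legacy primitive."""
    found = []
    for key in ("ike", "esp"):
        for proposal in eff.get(key, "").split(","):
            hits = [alg for alg in LEGACY if alg in proposal.lower()]
            if hits:
                found.append((key, proposal, hits))
    return found


if __name__ == "__main__":
    secs = parse_conf(IPSEC_CONF)
    for conn in ("%default", "l2tp-psk", "xauth-psk"):
        eff = effective(secs, conn)
        print(conn, "type=%s pfs=%s ike=%s" % (eff.get("type"), eff.get("pfs"), eff.get("ike")))
        for key, proposal, hits in legacy_findings(eff):
            print("  legacy", key, proposal, hits)
```

The output makes two things visible that the raw file hides: the 3DES/MD5 defaults are dead configuration (no conn ends up using them), and the proposals the conns really offer still contain SHA-1 and modp1024, which is where a hardening pass should start.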
