Mikrotik
JackBauer, 2014-08-27 19:45:26

Mikrotik+Softether: L2TP over IPsec - how to set up Mikrotik?

At the other end - Softether is standard, both L2TP without encryption and over IPsec are allowed. Shared secret is set.
On this end - a super RB2011UiAS-2HnD-IN. Connection via L2TP without encryption works fine.
Question - how to properly configure the peer, proposal and other IPsec charms on Mikrotik? I did not find a single example - mikrotik<-l2tp/ipsec->mikrotik is everywhere. Taking into account the fact that there are at least settings in Softether on this topic AND any 'home' clients connect without problems via L2TP over IPsec (Mac OS X, iOS, Win7/8).
Thanks again!


2 answer(s)
JackBauer, 2014-09-06
@JackBauer

In short, after a week of torment, the installations are recognized.
So, for those who struggle with setting up L2TP over IPsec towards a Softether server with a Mikrotik client:
xx.xx.xx.xx - the Softether server's IP,
yy.yy.yy.yy - the Mikrotik address (in my case, internal yy.yy.10.42).
All settings on Mikrotik:
1. Created an IPsec proposal. There: sha1, 3des, aes-256 cbc, PFS Group modp1024.
2. Created an IPsec peer. There: address xx.xx.xx.xx, port 500, pre-shared key with the key itself entered in the field, exchange mode l2tp, send initial contact is NOT checked, nat traversal is checked (I have Mikrotik behind NAT), proposal check obey, sha1, 3des+aes-128+aes-256, DH group NO, disable DPD. Phew.
3. The most cheerful part - created an IPsec policy. There: src-address yy.yy.10.42/32 (!), dest-address xx.xx.xx.xx/32, protocol udp, action encrypt, level require, ipsec protocols ESP, tunnel is NOT checked, sa-src-ad yy.yy.10.42, sa-dst-ad xx.xx.xx.xx.
4. Well, the l2tp client connection itself, only the profile must contain encryption -> require.
After everything is done, when trying to raise the l2tp client, the server should appear in IPsec -> Remote Peers with "established" in the details, and two lines should appear in IPsec -> Installed SAs with details of the SAs themselves and the encryption method. Softether, as it turns out, supports a lot: des, 3des, aes-128 cbc and aes-256 cbc.
Thank you all, take a break!
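
Added example, not part of the original answer or of either project's code: a small Python check that reads a RouterOS export and lists the legacy algorithms (DES/3DES, MD5/SHA-1, DH groups of 1024 bits or less) that a proposal and peer like the ones above still offer, plus any policy left at level `use`. The sample export is constructed, with made-up addresses and key; the property names assume the RouterOS 6 export layout.

```python
import re
import shlex

# Algorithms named in the answer that are legacy by current standards.
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
ALGO_KEYS = {"auth-algorithms", "enc-algorithms", "pfs-group",   # proposal
             "hash-algorithm", "enc-algorithm", "dh-group"}      # peer

# Constructed sample in RouterOS 6 export layout; addresses and key are made up.
SAMPLE = r'''
/ip ipsec proposal
add auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc name=softether \
    pfs-group=modp1024
/ip ipsec peer
add address=192.0.2.10/32 enc-algorithm=3des,aes-128,aes-256 \
    hash-algorithm=sha1 nat-traversal=yes secret="constructed-psk"
/ip ipsec policy
add dst-address=192.0.2.10/32 level=require protocol=udp \
    src-address=10.0.10.42/32
'''

def parse_export(text):
    """Yield (section, {key: value}) for every 'add' entry in an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # rejoin wrapped lines
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section and line.startswith("add "):
            tokens = shlex.split(line[4:])
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return (section, key, value) for each legacy algorithm or lax policy."""
    findings = []
    for section, item in parse_export(text):
        if not section.startswith("/ip ipsec"):
            continue
        for key in sorted(ALGO_KEYS & item.keys()):
            findings += [(section, key, a)
                         for a in item[key].split(",") if a in LEGACY]
        # level=use lets packets pass untransformed when no SA exists
        if section == "/ip ipsec policy" and item.get("level") == "use":
            findings.append((section, "level", "use"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
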

Cool Admin, 2014-08-27
@ifaustrue

Colleague, you could at least attach a screenshot of the settings of your wonderful thing. And the settings of the "home" clients too.
It will be quite easy to translate them into the language of Mikrotik, so that it will also join in communion.
