MikroTik L2TP over IPsec VPN Server Tutorial Guide for RouterOS v6.44+

Andy

Administrator
Hello there,
So after reading 1, 2, 3, 4, 5 and this article, something keeps blocking me.
Below is the code that I used
Code:
/ip pool add name=vpn-pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn-pool dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap default-profile=ipsec_vpn use-ipsec=yes
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=<SUPPERSECUREPASSWORD> peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr pfs-group=modp1024
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
This article code
Code:
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=<SUPPERSECUREPASSWORD>
/ip pool add name=vpn_pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
RouterOS 6.45.6 (Stable)
What happens is that the connection is made; the client's LOCAL IP is 192.168.88.2 and it gets the IP 192.168.1.20 from the remote router, and the DNS is the remote router's IP, 192.168.1.254.
When I do a tracert to the remote router's IP, the trace works.
When I do a tracert to the remote router's WAN IP, the trace works.
The issue is that I cannot access anything on the remote side...
Suggestions on what to look at?
Hi @Hav0c,

Can you ping 192.168.1.254 and see if you get any response?
And also try to ping the other devices on the remote network.

Check if there's any other firewall rule that overrides the IPsec rules?
 

Hav0c

Member
Hi @Andy
The two firewall rules
Code:
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
are at rule order 0 and 1.
I have disabled all my drop rules; same results: it connects but does not allow connection to shared folders.

All tests were done from the client side.

Ping a PC on Remote network = Fail
Tracert Client router IP = Works
Tracert Clients WAN Gateway IP (Internet IP) = Shows Remote network router IP then Clients WAN Gateway IP
Ping Remote Networks WAN IP = Works
Tracert Remote WAN IP = Shows Clients network router IP then Remote WAN IP



UPDATE:
Out of frustration I defaulted all the routers (2 MikroTiks and 1 UBNT ERX) and used the default setup only.
Added your example script; it connects but still does not allow me access to any shared files.
Defaulted all the routers again, used the default setup again, added my UBNT ERX with IPsec setup: works 100% as it should.
So this concludes that something is not correct with the MikroTiks even using default configs.
 

Andy

Administrator
I doubt that; you could try downgrading your RouterOS to v6.44.5 (use the long-term branch update tree).

You can downgrade by uploading the RouterOS package to the router and then using the following commands:
Code:
/system package downgrade; /system reboot;
Reboot, yes? [y/N]:
 

DAT

New member
Hi @Andy
I have this topology to deploy and have not been able to get it to work since this morning; please can you assist?
Mikrotik 6.45
 

Attachments


Hav0c

Member
So I did what was asked and rolled back the firmware to RouterOS v6.44.5 LTS.

Attempt 2
Code:
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2,chap
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=Test peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn remote-address=192.168.1.15
/ip firewall filter add chain=input action=accept protocol=udp port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
Attempt 2
Code:
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap use-ipsec=required ipsec-secret=Test
/ip pool add name=vpn_pool ranges=192.168.1.2-192.168.1.5 comment="L2TP VPN IP Pool"
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
Site A; RB 750
Site B; Hex lite RB 750r2
"internet"; ERX

ALL 3 routers were defaulted; nothing but the IPs were changed.
After the IPs were changed, the routers were rebooted.
On site B the above script was run. Rebooted to make sure that the settings stick.
Tried to connect; the connection was made successfully.

On site A the above script was run but with the IPs changed to the relevant IP ranges of Site B. Rebooted to make sure that the settings stick.
Tried to connect; the connection was made successfully.

In both cases none of the shared folders can be accessed.


Factory defaulted both MikroTiks.
Changed only one's IP to represent the "internet".
Set up IPsec on the ERX (Site A), connected from Site B, and all works; can access the shared folders and all.

This is getting really really frustrating
 

Attachments

Andy

Administrator
If you can ping the remote computers without issues, check your Windows Firewall (you can also temporarily turn it off during troubleshooting to determine whether it's a Firewall issue, or IPsec tunnel issue) 🧐

Looking at your attached topology, kindly try to build a tunnel between 192.168.88.0/24 and 192.168.1.0/24 network directly and see how it goes?
So each router will have 2 IPsec tunnels.
 

Hav0c

Member
Both sides' firewalls are off the whole time; they do not have AV firewalls.

Pinged the following from the PC/Laptop itself
Side A
192.168.88.15 --> (192.168.99.3 --> 192.168.99.2) internet : Works
192.168.88.15 --> 192.168.1.5: Fail

Side B
192.168.1.5--> ( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.1.5 --> 192.168.88.15: Fail

Pinged the following using the Mikrotik Ping tool
Side A
(192.168.99.3 --> 192.168.99.2) internet : Works
192.168.1.5 : Fail

Side B
( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.88.15: Fail


There will be only one IPsec tunnel from A to B.
Tried creating a tunnel from A to B and from B to A; both have the exact same results:
it connects, gets the correct remote IP and DNS (remote side's gateway), but does not allow connection to the shared folders or pinging the connected side's local PCs/laptops.

Just noted that I could upload my configs.
There are no passwords needed to log into the routers.
Routers are 88.1 and 1.1
DHCP is enabled

ipsec-secret=Test
/ppp secret add name=Test password=password
 

Attachments

Andy

Administrator
Just FYI: in MikroTik there is no IPsec initiator. As long as you created IPsec on both routers, then it should work.

I'm currently not in town, will definitely have a look at your config later on this weekend.

If you could go to MikroTik Terminal and then type /export then copy paste the content here, that would be great. (Please remove sensitive information such as passwords, etc)

Cheers
Andy
 

Hav0c

Member
Yes, "it should" work. I think we have all at one point in time uttered the line "it should work" and then it does not :ROFLMAO::LOL::LOL::LOL::LOL:
As asked, below are the two models I used to test the IPsec configs with the same script.

Code:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.1.2-192.168.1.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.1.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes ipsec-secret=Test use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=Test password=password profile=ipsec_vpn service=l2tp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Code:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.88.2-192.168.88.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.88.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes ipsec-secret=Test use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=Test password=password profile=ipsec_vpn service=l2tp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
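Added example (mine, not code from the thread or from MikroTik): a small Python linter over compact /export text that checks the three things that let an L2TP/IPsec client authenticate and get an address yet never reach LAN hosts: a VPN pool overlapping the DHCP pool (in the Site B export above both pools cover 192.168.1.2-192.168.1.5), the LAN address sitting on a bridge port instead of the bridge, and a client pool carved out of the LAN subnet without arp=proxy-arp on the LAN interface. The first sample is condensed from the Site B export above; the '/interface bridge' line in it and the entire corrected second sample are my assumptions, not configuration posted in the thread.

```python
import ipaddress
import re

# Constructed sample 1: the relevant lines of the Site B export as posted in the thread,
# plus an assumed '/interface bridge' line (the posted export does not show that section).
SITE_B_AS_POSTED = """\
/interface bridge
add comment=defconf name=bridge
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.1.2-192.168.1.5
/ppp profile
add local-address=192.168.1.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
"""

# Constructed sample 2: the same site with the three problems corrected (my suggested
# layout, not something posted in the thread).
SITE_B_CORRECTED = """\
/interface bridge
add arp=proxy-arp comment=defconf name=bridge
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.1.15-192.168.1.20
/ppp profile
add local-address=192.168.1.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
"""

# key=value or key="quoted value" tokens on one export line
_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_export(text):
    """Parse compact RouterOS export text into {section: [entry dict, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # section header such as '/ip pool'
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")  # 'add' / 'set' followed by key=value pairs
        entry = {"_verb": verb}
        for key, quoted, bare in _KV.findall(rest):
            entry[key] = quoted if quoted else bare
        sections[current].append(entry)
    return sections


def pool_bounds(ranges):
    """'a.b.c.d-e.f.g.h' (or a single address) -> (int_lo, int_hi)."""
    lo, _, hi = ranges.partition("-")
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))


def lint_l2tp_lan_access(export_text):
    """Return findings that explain why L2TP clients may connect but not reach the LAN."""
    cfg = parse_export(export_text)
    findings = []
    pools = {e["name"]: pool_bounds(e["ranges"])
             for e in cfg.get("/ip pool", []) if "name" in e and "ranges" in e}

    # 1. Overlapping pools: the VPN server hands out addresses DHCP may already have leased.
    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = pools[a], pools[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                findings.append(f"pool overlap: '{a}' and '{b}' hand out the same addresses")

    bridge_of = {e["interface"]: e["bridge"]
                 for e in cfg.get("/interface bridge port", []) if "interface" in e}
    arp_of = {}  # compact export omits defaults, so a missing 'arp' key means 'enabled'
    for section in ("/interface bridge", "/interface ethernet"):
        arp_of.update({e["name"]: e.get("arp", "enabled")
                       for e in cfg.get(section, []) if "name" in e})

    for addr in cfg.get("/ip address", []):
        if "address" not in addr or "interface" not in addr:
            continue
        iface = addr["interface"]
        net = ipaddress.ip_interface(addr["address"]).network
        # 2. L3 address on a bridge slave port instead of the bridge: the port cannot route.
        if iface in bridge_of:
            findings.append(f"address {addr['address']} is on bridge port '{iface}'; "
                            f"it belongs on '{bridge_of[iface]}'")
        # 3. Client pool inside this LAN subnet: LAN hosts ARP for the client address, so the
        #    router must answer on its behalf, which needs arp=proxy-arp on the LAN interface.
        for prof in cfg.get("/ppp profile", []):
            pool = pools.get(prof.get("remote-address", ""))
            if pool and int(net.network_address) <= pool[0] and pool[1] <= int(net.broadcast_address):
                mode = arp_of.get(iface, "enabled")
                if mode != "proxy-arp":
                    findings.append(f"profile '{prof.get('name')}' assigns clients addresses in "
                                    f"{net} but '{iface}' has arp={mode}, not proxy-arp")
    return findings


if __name__ == "__main__":
    for label, sample in (("as posted", SITE_B_AS_POSTED), ("corrected", SITE_B_CORRECTED)):
        print(label, lint_l2tp_lan_access(sample) or ["no findings"])
```

Run it against a full `/export` saved to a file by reading the file into `lint_l2tp_lan_access`; the parser ignores sections it does not know about. The checks are deliberately structural (pool arithmetic, interface roles, ARP mode) rather than a firewall simulation, because in the posted exports the forward chain already lets the dynamic L2TP interface through and the remaining suspects are the ones this script reports.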
 