In the sixth part of our Mikrotik IPSec series, we will cover the L2TP/IPSec scenario. This scenario is used to support “road warriors”, employees that need to work from home or while on the road.
This scenario shares some elements with the previous one, where one side is behind a NAT device. The main difference is that L2TP is the basic protocol here, and because L2TP itself provides no encryption, we need IPSec to protect this VPN tunnel.
Oh, I just remembered. Are you still using those ye olde PPTP VPN tunnels? Yes? How many of you? Well, don’t do that anymore. The PPTP protocol has been considered weak and unsafe since 2012. It’s time to reject it in favor of the much stronger L2TP/IPSec.
As the first step, I will highlight the most interesting part of the diagram of my virtual network. We are focused on the part with the remote users.
We simulate the ADSL connections on the MegaISP Access router. This router is part of the MegaISP network, and I also used it in my previous article. As the PPPoE mechanism is not part of this series, I’ll leave that topic for another article.
Although I simulated ADSL/PPPoE connections here, you can try all these steps even if you connect those remote virtual workstations using Ethernet connections or PPP links. It’s only important that our remote computers and the Contoso router are separated by at least one router. In our scenario, we have two intermediate routers: the MegaISP Access router and the MegaISP router (the latter is not highlighted on this picture).
Configuring the Contoso router
Again, the Contoso router is the end-point for the VPN access. We need to configure it to accept both the L2TP VPN connection and the IPSec connection that will protect this tunnel. Without the IPSec protection, the L2TP tunnel is not protected at all.
It’s very easy to set up the server side of this connection, and even simpler starting with RouterOS version 6.x. We will finish all the tasks in the same dialog window.
Previous releases require one more step: the IPSec peer configuration. This step is the same as in the previous article.
We are going to open the window for PPP services from the WinBox tool. Here we click on the button [ L2TP Server ].
In the opened window, we can configure both the L2TP server and the IPSec peer. As the first step, you should enable it.
Then you should choose the default profile for the L2TP connections. As for authentication protocols, you should use either MSCHAP v2 or CHAP. Other protocols are not recommended.
As the last step, we need to enable IPSec support. Just tick the box next to Use IPSec and enter the IPSec pre-shared key in the box. Sorry, certificates are not supported here.
Click on the button [ OK ]. Congratulations! You have just created the L2TP/IPSec server. Our router is ready to rock.
I’m still on RouterOS v5.26 or earlier
Before we proceed further, I want to show you the IPSec peers list. Open IP > IPSec, then the Peers tab. You can see that there is an entry for the IP address 0.0.0.0/0.
Don’t be confused. The IP address shown above is the IPv6 form; the IPv4 address 0.0.0.0/0 is equivalent to the IPv6 address ::/0.
Furthermore, you can see the letter D in the first column. This means that this entry is dynamically generated and we can’t edit it. You can also add such an entry manually; you need to do so in the older releases of Mikrotik RouterOS.
As you can see, even the older versions of RouterOS support this scenario. Yes, you need to make one more definition for the peer, but this is just a few extra minutes of work.
In addition, the Mikrotik support policy for RouterOS allows all customers to upgrade their paid products. There is no reason to stay with an older version of RouterOS. The only exceptions are the free level 1 license and the older RB1xx and RB5xx series of Mikrotik Routerboards, which can’t be upgraded. Those Routerboards can run RouterOS v5.26 as the latest version.
We finished the server side. Now we can configure the client side.
We can use any TCP/IP capable device with built-in L2TP/IPSec support as a client. We will not cover this part here, as I just finished the mini-series related to the client side setup. You can find detailed information for Windows XP, Windows 7 and later, Android and Apple iOS devices in the respective articles. Even another Mikrotik can be the client (added 26.01.2017).
In our example for this scenario, I use one Windows XP based and one Windows 7 based VM. The user named user01 uses the Windows XP VM and user02 uses the Windows 7 VM. They are connected to the ISP and will now initiate the VPN connection.
After a while, both clients are connected to the Contoso router. We’re in the lab, so this is a matter of seconds. Moreover, it is possible to simulate low quality links with data loss even in the lab environment.
Here is the status of the Windows XP client:
And here is the status of the Windows 7 client.
In the IPSec window we can see that two IPSec sessions are active.
Connecting the TFC router
Again, we will refer to the previous article. We have a small company named “Trange Frange”. In that scenario we manually created the 0.0.0.0/0 policy. This approach is correct and we can use it here as well.
However, if we want to support both remote customers behind NAT and L2TP users at the same time, we need a single IPSec peer definition for the IP address 0.0.0.0/0. It can be either static or dynamic, and all foreign users will use the same pre-shared key.
Therefore, if we want our “road warrior” users and the TFC router connected at the same time, we need to update the IPSec definition on the TFC side. In our case, we just updated the pre-shared key and the authentication algorithm within the peer definition.
We can also replace the legacy 3DES encryption algorithm with the contemporary AES. I would strongly encourage you to do so.
Once we make these changes, the TFC router will establish a connection. If we check the policies on the Contoso router, we will see a dynamically generated policy for the TFC network.
How to configure L2TP/IPSec server from the command line
For this example I will not prepare any special text file with commands. The commands are very simple and we execute them only on the Contoso router:
/ip ipsec peer remove [find address=0.0.0.0/0]
/interface l2tp-server server set enabled=yes authentication=chap,mschap2 use-ipsec=yes ipsec-secret=Contoso123
/ip ipsec proposal set [find name="default"] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc
The first line deletes the previous static definition, if one exists. It’s useful if you already made such a definition. However, you can omit this command and still use that definition. In any case, please check the settings.
The second line enables the L2TP server, configures it and enables IPSec protection. This generates a dynamic policy for the peer 0.0.0.0/0.
The third line reconfigures the default proposal to support a wider range of authentication and encryption algorithms. It’s important to do so, because not all clients support the newer algorithms.
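As an added example (not from the original article), here is the article’s permissive default proposal beside a hardened one, with the PPTP server switched off and the commands to verify the result. It assumes a RouterOS v6.x CLI and uses CHANGE-ME as a placeholder pre-shared key.

```routeros
# Added example, not part of the original article. Assumes RouterOS v6.x.

# 1. The article's permissive default proposal: 3DES and MD5 stay only so
#    that legacy clients such as Windows XP can still negotiate phase 2.
/ip ipsec proposal set [find name="default"] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc

# 2. Hardened proposal once no 3DES-only clients remain: drop 3DES and MD5,
#    prefer AES, keep SHA1 for compatibility with the article's Windows 7 client.
/ip ipsec proposal set [find name="default"] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc

# 3. L2TP server: PPP authentication restricted to MSCHAP v2 (the article
#    also allows CHAP). CHANGE-ME is a placeholder pre-shared key.
/interface l2tp-server server set enabled=yes authentication=mschap2 use-ipsec=yes ipsec-secret=CHANGE-ME

# 4. Retire PPTP on this router, as the article recommends.
/interface pptp-server server set enabled=no

# 5. Checks: the dynamically generated peer (flag D, address 0.0.0.0/0),
#    the remote peers that completed IKE, the installed SAs, and the
#    active L2TP sessions by username (user01 and user02 in the lab).
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ppp active print
```

Run step 1 or step 2, not both; step 2 is the one to keep once the Windows XP machines are gone.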
Now it’s your turn
I have shared with you this recipe for L2TP/IPSec connections. Now you can simulate it in your lab. Try changing different parameters and see what happens.
Now that you know how to configure different clients and the server side, you should abandon those ancient PPTP connections. Well, PPTP was great in its time. It’s easy to configure and use. However, its time has passed. Use it only in your lab, not on the Internet.
Our next steps will cover the Mikrotik L2TP client configuration, protection of site-to-site tunnels like the IP-IP tunnel, and some basic troubleshooting steps.
Until then, enjoy reading my blog, and I encourage you to follow it.