L2TP/IPSec for Road Warriors

In the sixth part of our Mikrotik IPSec series, we will cover the L2TP/IPSec scenario. This scenario supports “road warriors”: employees who need to work from home or while on the road.

This scenario shares some elements with the previous one, where one side sits behind a NAT device. The main difference is that L2TP is the tunnelling protocol here, and L2TP carries no encryption of its own, so the tunnel must be protected by IPSec.

Oh, I just recall. Do you still use those ye olde PPTP VPN tunnels? Yes? How many of you? Well, don’t do that anymore. PPTP has been considered weak and unsafe since 2012, when its MS-CHAPv2 authentication was shown to be crackable. It’s time to reject it in favor of the much stronger L2TP/IPSec.


Our scenario

As a first step, I will highlight the most interesting part of the diagram of my virtual network: the part with the remote users.

clip_image002

We simulate the ADSL connections on the MegaISP Access router, which is part of the MegaISP network; I used it in my previous article as well. As the PPPoE mechanism is not part of this series, I’ll leave that topic for another article.

clip_image003

Although I simulated ADSL/PPPoE connections here, you can try all these steps even if you connect the remote virtual workstations over Ethernet or PPP links. The only requirement is that the remote computers and the Contoso router are separated by at least one router. In our scenario there are two intermediate routers: the MegaISP Access router and the MegaISP router (the latter is not highlighted in this picture).


Configuring the Contoso router

Again, the Contoso router is the end-point for VPN access. We need to configure it to accept both the L2TP connection and the IPSec connection that protects it; without IPSec the L2TP tunnel travels in clear text. If a firewall sits in front of the router, it must let IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) in from the Internet; L2TP’s own UDP port 1701 should be accepted only inside the IPSec tunnel, never directly from the Internet.

It’s very easy to set up the server side of this connection, and even simpler since RouterOS version 6.x: we finish all the tasks in the same dialog window.

Earlier releases require one more step, the IPSec peer configuration. This step is the same as in the previous article.

Open the PPP window from the WinBox tool and click the [ L2TP Server ] button.

clip_image005

In the window that opens we can configure both the L2TP server and the IPSec peer. As the first step, enable the server.

clip_image006

Then choose the default profile for the L2TP connections. For the authentication protocols, use either MSCHAP v2 or CHAP; the other protocols are not recommended. Keep in mind that all road warriors share the same IPSec pre-shared key, so the PPP username and password are the only per-user credentials: do not allow PAP, and insist on strong passwords.

As the last step, enable IPSec support: tick the box next to Use IPSec and enter the IPSec pre-shared key in the box. Sorry, certificates are not supported here.

Click the [ OK ] button. Congratulations! You have just created the L2TP/IPSec server. Our router is ready to rock.


I’m still on RouterOS v5.26 or earlier

Before we proceed, I want to show you the IPSec peer list. Open IP > IPSec, then the Peers tab. You can see an entry for the address 0.0.0.0/0.

clip_image007

Don’t be confused if the entry is displayed as ::/0 instead: that is the “any address” notation in IPv6 form, and it is equivalent to the IPv4 0.0.0.0/0.

Furthermore, you can see the letter D in the first column. This means that the peer is dynamically generated and cannot be edited. On older releases of Mikrotik RouterOS this peer does not appear by itself; there you must add it manually.

clip_image008

As you can see, even older versions of RouterOS support this scenario. Yes, you need to make one more definition, for the peer, but that is just a few extra minutes of work.

In addition, Mikrotik’s support policy for RouterOS allows all customers to upgrade their paid products, so there is no reason to stay with an older version of RouterOS. The only exceptions are the free level 1 licence and the older RB1xx and RB5xx series of Mikrotik Routerboards; those can run RouterOS v5.26 at most.

We finished the server side. Now we can configure the client side.


Configuring clients

We can use any TCP/IP device with built-in L2TP/IPSec support as a client. We will not cover that part here, as I have just finished a mini-series on the client side setup. You can find detailed information for Windows XP, Windows 7 and later, Android and Apple iOS devices in the respective articles. Even another Mikrotik can be the client (added 26.01.2017.)

In my example for this scenario, I use one Windows XP based and one Windows 7 based VM. The user named user01 uses the Windows XP VM and user02 uses the Windows 7 VM. They are connected to the ISP and will now initiate the VPN connection.

After a while, both clients are connected to the Contoso router. In the lab this is a matter of seconds; it is also possible to simulate low-quality links with packet loss in a lab environment.

clip_image009

Here is the status of the Windows XP client:

clip_image010

And here is the status of the Windows 7 client:

clip_image011

In the IPSec window we can see two active IPSec sessions.

clip_image012


Connecting the TFC router

Again, we refer to the previous article and the small company named “Trange Frange” (TFC). There we manually made the 0.0.0.0/0 peer definition. That approach is correct and we can use it here too.

However, if we want to support both remote sites behind NAT and L2TP users at the same time, we need exactly one IPSec peer definition for the address 0.0.0.0/0. It can be either static or dynamic, but all remote parties will then share the same pre-shared key. Treat that key accordingly: if one road warrior’s laptop or one remote router is compromised, the key has to be changed on every site and every client at once.

Therefore, if we want our “road warrior” users and the TFC router connected at the same time, we need to update the IPSec definition on the TFC side. In our case we just updated the pre-shared key and the authentication algorithm in the peer definition.

clip_image013

We can also replace the legacy 3DES encryption algorithm with contemporary AES, and I strongly encourage you to do so. Remember that the proposal on the Contoso side must list the same algorithms; if the two sides have no algorithm in common, they will not agree on a proposal and the tunnel stays down.

Once we make these changes, the TFC router establishes the connection. If we check the policies on the Contoso router, we see the dynamically generated policy for the TFC network.

clip_image014


How to configure L2TP/IPSec server from the command line

For this example I will not prepare a special text file with commands. The commands are very simple and we execute them only on the Contoso router:

/ip ipsec peer remove [find address=0.0.0.0/0]
/interface l2tp-server server set enabled=yes authentication=chap,mschap2 use-ipsec=yes ipsec-secret=Contoso123
/ip ipsec proposal set [find name="default"] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc

The first line deletes the previous static definition, if one exists. It’s useful if you have already made such a definition. You can also omit this command and keep using that definition; in any case, check the settings, and make sure the static peer’s secret is the same as the ipsec-secret you set in the next line.

The second line enables the L2TP server, restricts authentication to CHAP and MS-CHAPv2 and enables IPSec protection with the pre-shared key Contoso123. This generates the dynamic peer for 0.0.0.0/0. The secret is stored in the configuration in clear text, so pick a long random value instead of a word like this lab one.

The third line reconfigures the default proposal to support a wider range of authentication and encryption algorithms, because not all clients support the newer ones. MD5 and 3DES are in that list only for legacy clients such as Windows XP; remove them as soon as those clients are gone, so that SHA1 and AES are the only options left.
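The three commands above, together with the single shared pre-shared key discussed in the TFC section, are easy to get subtly wrong (a leftover static peer with a different secret, PAP left enabled, 3DES/MD5 never removed after the old clients are gone). The following audit script is an added example, not code from the article or from Mikrotik: it parses the key=value lines that a RouterOS export prints for exactly these commands and reports the settings a reviewer would want changed. The sample export inside it is constructed for the example, the secrets in it are invented, and the set of “legacy” algorithms and the treatment of CHAP as acceptable follow this article rather than any RouterOS rule.

```python
"""Audit a RouterOS export for weak L2TP/IPsec settings.

Added example, not from the original article or from Mikrotik. It reads the
key=value command lines that a RouterOS export prints for the commands shown
in this post and flags what a reviewer would want changed. SAMPLE_EXPORT is
constructed for this example; its secrets are not real.
"""

# Algorithms treated as legacy-only. CHAP is tolerated because the article
# accepts it; PAP carries the password in clear inside the L2TP tunnel.
WEAK_ENC = {"des", "3des", "null", "blowfish"}
WEAK_AUTH = {"md5", "null"}
WEAK_PPP_AUTH = {"pap"}

# Constructed sample: mirrors the article's commands plus three mistakes
# (PPTP still on, PAP allowed, a stale static peer with a different secret).
SAMPLE_EXPORT = """\
# constructed sample export
/interface pptp-server server set enabled=yes
/interface l2tp-server server set enabled=yes authentication=pap,chap,mschap2 use-ipsec=yes ipsec-secret=Contoso123
/ip ipsec peer add address=0.0.0.0/0 secret=OldKey123 exchange-mode=main-l2tp
/ip ipsec proposal set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc,aes-256-cbc
"""

VERBS = {"add", "set", "remove"}


def parse_export(text):
    """Return a list of (path, verb, attrs) tuples, one per command line."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        path, i = [], 0
        while i < len(tokens) and tokens[i] not in VERBS:
            path.append(tokens[i])
            i += 1
        if i == len(tokens):            # no verb: not a command we understand
            continue
        verb, i = tokens[i], i + 1
        attrs = {}
        while i < len(tokens):
            if tokens[i] == "[":        # skip a "[ find ... ]" selector
                i = tokens.index("]", i) + 1
                continue
            key, _, value = tokens[i].partition("=")
            attrs[key] = value
            i += 1
        entries.append((" ".join(path), verb, attrs))
    return entries


def _csv(attrs, key):
    """Split a comma-separated RouterOS value into a set of names."""
    return {v for v in attrs.get(key, "").split(",") if v}


def audit(text):
    """Return a list of human-readable findings for the export text."""
    findings = []
    l2tp_secret = None
    static_peer_secret = None
    for path, verb, a in parse_export(text):
        if path == "/interface pptp-server server" and a.get("enabled") == "yes":
            findings.append("PPTP server is enabled; disable it and move users to L2TP/IPsec")
        elif path == "/interface l2tp-server server":
            if a.get("enabled") == "yes" and a.get("use-ipsec", "no") == "no":
                findings.append("L2TP server runs without IPsec; the tunnel is not encrypted")
            for weak in sorted(_csv(a, "authentication") & WEAK_PPP_AUTH):
                findings.append(f"L2TP allows {weak} authentication; keep only mschap2 (or chap)")
            l2tp_secret = a.get("ipsec-secret")
        elif path == "/ip ipsec peer" and verb == "add" and a.get("address") == "0.0.0.0/0":
            static_peer_secret = a.get("secret")
        elif path == "/ip ipsec proposal":
            for weak in sorted(_csv(a, "enc-algorithms") & WEAK_ENC):
                findings.append(f"IPsec proposal offers legacy cipher {weak}; drop it once old clients are gone")
            for weak in sorted(_csv(a, "auth-algorithms") & WEAK_AUTH):
                findings.append(f"IPsec proposal offers legacy integrity algorithm {weak}; prefer sha1 or better")
    # On RouterOS 6 the L2TP server generates its own 0.0.0.0/0 peer; a leftover
    # static peer with a different secret makes road-warrior logins fail.
    if l2tp_secret and static_peer_secret and static_peer_secret != l2tp_secret:
        findings.append("static 0.0.0.0/0 peer secret differs from the L2TP ipsec-secret; "
                        "remove the static peer or align the keys")
    return findings


def hardened_proposal(enc_algorithms, auth_algorithms):
    """Return the RouterOS command that keeps only the non-legacy algorithms."""
    enc = [e for e in enc_algorithms if e not in WEAK_ENC]
    auth = [h for h in auth_algorithms if h not in WEAK_AUTH]
    if not enc or not auth:
        raise ValueError("no acceptable algorithm left; add an AES/SHA option first")
    return ('/ip ipsec proposal set [find name="default"] '
            f'auth-algorithms={",".join(auth)} enc-algorithms={",".join(enc)}')


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
    print(hardened_proposal(["3des", "aes-128-cbc", "aes-256-cbc"], ["md5", "sha1"]))
```

Paste the output of your own export in place of the constructed sample; the parser only understands the flat `/path verb key=value` layout, so multi-line or quoted values would need extending.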


Now it’s your turn

I have shared this recipe for L2TP/IPSec connections with you. Now you can simulate it in your lab. Try changing different parameters and see what happens.

Now that you know how to configure both the clients and the server side, you should abandon those ancient PPTP connections. Well, PPTP was great in its time; it is easy to configure and use. However, its time has passed. Use it only in your lab, never on the Internet.

Our next steps will cover the Mikrotik L2TP client configuration, protection of site-to-site tunnels such as IP-IP, and some basic troubleshooting steps.

Until then, enjoy reading my blog, and I encourage you to follow it.

Stay tuned.
