Setting up a L2TP over IPsec tunnel between RUTX and Mikrotik device
Because of the lack of confidentiality inherent in the Layer 2 Networking Protocol (L2TP) protocol, Internet Protocol Security (IPsec) is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP over IPsec (or simply L2TP/IPsec).
This article provides a guide on how to configure L2TP/IPsec tunnel between RUTXxx and Mikrotik routers.
- One RUTXxx router of any type
- One Mikrotik router (this configuration example was created using Mikrotik rb750gr3)
- Server must have a Public Static or Public Dynamic IP address (client can have private or public IP address)
- At least one end device (PC, Laptop) to configure the routers
- WinBox application
Connect to MikroTik by using WinBox application and press New Terminal.
The first step is to create a PPP Profile on the MikroTik. Use a 192.168.102.1 for the local address (the VPN Gateway), assuming this is not already in use. You will also need to add a DNS Server. Use this command:
/ppp profile add name=ipsec_vpn local-address=192.168.102.1 dns-server=18.104.22.168
Next, you need to add an L2TP-server interface and set the allowed authentication methods, mschap1 and mschap2. Use this command:
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
Then you need to define the peering of IPSec and also the default IPsec policy. You will also set the pre-shared-key secret in the process. Use these commands to do so:
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="password" peer=l2tpserver
Next, set the default encryption algorithms:
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
Now, add a user and allocate an IP Address:
/ppp secret add name="username" password="password" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2
Open the IPSec ports from the WAN:
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Now go to IP > Firewall and change positions of the 2 Firewall rules you just created (drag it to the top like in the example) in order to move them, press # sign.
Access RUTXxx WebUI and go to Services > VPN > L2TP. There create a new configuration by selecting role Client, writing New configuration name and pressing Add button. It should appear after a few seconds. Then press Edit.
Then apply the following configuration.
- Enable instance.
- Write Server IP address (MikroTik public IP address).
- Write Username (write the username which you created with this command /ppp secret add name="username" password="password" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2).
- Write Password (write the password which you created with this command /ppp secret add name="username" password="password" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2).
- Press Save & Apply.
Now go to Services > VPN > IPsec.
- Write IPsec interface name.
- Press Add.
- When the interface appears like in the example, press Edit.
- Enable instance.
- Write Remote endpoint (MikroTik public IP address).
- Sellect Authentication method (Pre-shared key)
- Write Pre-shared key (write the password which you created with this command /ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="password" peer=l2tpserver).
- Select Type (Transport).
- Select Encryption algorithm, Authentication and DH group (sellect options that you set with command /ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024).
- Set all of the settings in Phase 2 to be exactly the same as in the Phase 1.
- Press Save & Apply.
Try to ping the remote VPN endpoint via CLI or SSH using this command: