Mikrotik L2tp Ipsec Site To Site

In L2TP over IPsec we have to create an IPsec peer as below: /ip ipsec peer add dpd-maximum-failures=2 enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override local-address=172.30.19.1 secret=. With the configuration above, the Mikrotik should be ready to accept L2TP requests from clients. Mikrotik FastTrack configuration with L2TP/IPsec VPN: if you have any experience whatsoever with Mikrotik hardware, you have definitely heard about FastTrack. FastTrack was introduced back in April 2016, in v6.29 of RouterOS, and in very simple terms allows packets for established connections to bypass the kernel, thus improving performance.
By Adrian Moreno January 26, 2016
In this post we are going to create an IPsec VPN tunnel between two remote sites using Mikrotik routers with dynamic public IPs. By default, Mikrotik does not allow using FQDNs (domain names) to set up an IPsec tunnel, so we are going to create some scripts that update the IPsec configuration whenever the local or remote IP changes.
The network layout is as follows:
The first thing to take into account is that LAN addresses must be different between Site 1 and Site 2. In our example, Site 1 uses LAN 192.168.1.0/24, whereas Site 2 uses 192.168.2.0/24. You can replace these networks with the ones in your infrastructure.
Another thing to consider is if your routers are behind a NAT. In this case you will have to make sure to forward port 500 (UDP) to the Mikrotik router.
In order to configure the IPsec tunnel, we have to set up the proposal, the peer, and the policy. We are going to provide the commands to configure Site 1, so once you finish with the guide, start over, reversing the source and destination LAN addresses, to configure Site 2.
First, let’s create an IPsec proposal:
Now, let’s create the peer. Replace the “test” secret with whatever password you want to use. Leave the address as it is as we will update it later from a script.
And, finally, let’s create a policy that will identify interesting traffic that should go through the IPsec tunnel. Again, let’s leave the “sa-src-address” and “sa-dst-address” as shown.
The IPsec portion is now configured in Site 1. But we need to add a couple of NAT rules to accept the IPsec traffic.
The following NAT rule will allow us to reach IPs on the remote LAN from our local network. It is important that this rule is placed in the first position.
Also add this rule if we do not already have a NAT rule to masquerade internal traffic.
Now, we need to create an account in a dynamic DNS service that will allow the remote site to always find out the other site’s public IP. In this guide we are using the No-IP.com service and provide scripts to update the IP of No-IP hosts. You are free to use whatever dynamic DNS service you want.
Once you have created an account and a host for Site 1, go ahead and create the following script to update the No-IP host and the IPsec policy in the event of an IP change.
The script source is located here: https://gist.github.com/adrianmo/e54fbcd2c9d3cce80260
It may be more convenient to create the script from the UI, whether it is the web UI or Winbox. Enable “read”, “write”, and “test” policies, paste the script in the source field and replace the variables within the “Script Settings” section with your information. If you have followed the guide, leave the “IPsecComment” variable as it is. Replace the “WANInter” with the WAN interface that has the public IP of Site 1.
You can run the script manually and check the logs to verify whether the No-IP host and the IPsec policy are updated successfully.
Now we need to create a scheduler to run the script at a fixed interval. We consider a 10 minute interval quite balanced, but you can adjust it to your particular needs.
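The following RouterOS script is an added example of the Site 1 update logic described above; it is not the author's gist. It assumes the WAN interface holds a single address, that the IPsec policy carries the comment held in IPsecComment, and that the No-IP credentials and host name in the variables are placeholders you replace.

```routeros
# Added example (not the author's script): refresh the No-IP host and the
# IPsec policy's sa-src-address when the WAN address of this router changes.
# Placeholders (assumptions): WANInter, NOIPUser, NOIPPass, NOIPHost, IPsecComment.
:local WANInter "ether1"
:local NOIPUser "user@example.com"
:local NOIPPass "CHANGE-ME"
:local NOIPHost "site1.example.ddns.net"
:local IPsecComment "site-to-site"

# Current public address of the WAN interface, with the /mask stripped.
:local wanAddr [/ip address get [find interface=$WANInter] address]
:local wanIP [:pick $wanAddr 0 [:find $wanAddr "/"]]

# Address the IPsec policy currently uses as its local SA endpoint.
:local polIP [:tostr [/ip ipsec policy get [find comment=$IPsecComment] sa-src-address]]

:if ($wanIP != $polIP) do={
  :log info ("WAN IP changed from " . $polIP . " to " . $wanIP . ", updating")
  # No-IP dynamic update API: HTTP basic auth over HTTPS, result discarded.
  :do {
    /tool fetch mode=https keep-result=no user=$NOIPUser password=$NOIPPass url=("https://dynupdate.no-ip.com/nic/update?hostname=" . $NOIPHost . "&myip=" . $wanIP)
    :log info ("No-IP host " . $NOIPHost . " updated to " . $wanIP)
  } on-error={
    :log error ("No-IP update failed for " . $NOIPHost . ", will retry on next run")
  }
  # Update the policy regardless, so the local SA endpoint matches the new IP.
  /ip ipsec policy set [find comment=$IPsecComment] sa-src-address=$wanIP
  :log info ("IPsec policy " . $IPsecComment . " sa-src-address set to " . $wanIP)
} else={
  :log debug ("WAN IP unchanged (" . $wanIP . ")")
}

# Schedule it (console command, run once; script name is an assumption):
# /system scheduler add name=noip-ipsec-update interval=10m policy=read,write,test on-event=noip-ipsec-update
```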
At this point the Site 1 No-IP host should update automatically whenever its public IP changes, and the IPsec policy will be updated accordingly. Now we need to update the Site 2 public IP in the IPsec peer and policy configuration, so create a No-IP host for Site 2 if you don’t have one already. Do not worry about the IP that this host resolves to; it will be updated when we repeat the steps on Site 2.

The script to update the IPsec peer and policy when Site 2 public IP changes can be found here: https://gist.github.com/adrianmo/92e305123b521b7a4400
Again, create a script from the UI and replace “RemoteNOIPHost” with the host name of Site 2.
You can run the script manually and check the logs to verify that the IPsec peer and policy are updated successfully. For testing purposes, you can manually modify the IP from the No-IP control panel and verify that the script updates the IPsec configuration with the new IP.
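As an added example of the remote-side update described above (not the author's gist), this RouterOS script resolves the Site 2 No-IP host and, only when the address differs from the configured peer, rewrites the peer address and the policy's sa-dst-address. It assumes the peer and policy share the comment in IPsecComment and that RemoteNOIPHost is a placeholder you replace.

```routeros
# Added example (not the author's script): follow the remote site's dynamic IP.
# Placeholders (assumptions): RemoteNOIPHost, IPsecComment.
:local RemoteNOIPHost "site2.example.ddns.net"
:local IPsecComment "site-to-site"

# Resolve the remote host; on DNS failure leave the tunnel configuration alone
# rather than pointing the peer at an empty or stale address.
:local newIP ""
:do {
  :set newIP [:tostr [:resolve $RemoteNOIPHost]]
} on-error={
  :log error ("Could not resolve " . $RemoteNOIPHost . ", IPsec config left untouched")
}

:if ([:len $newIP] > 0) do={
  # Peer address is stored with a mask (e.g. 203.0.113.5/32); strip it for comparison.
  :local peerAddr [:tostr [/ip ipsec peer get [find comment=$IPsecComment] address]]
  :local peerIP $peerAddr
  :if ([:typeof [:find $peerAddr "/"]] = "num") do={
    :set peerIP [:pick $peerAddr 0 [:find $peerAddr "/"]]
  }

  :if ($newIP != $peerIP) do={
    :log info ("Remote IP changed from " . $peerIP . " to " . $newIP . ", updating peer and policy")
    /ip ipsec peer set [find comment=$IPsecComment] address=($newIP . "/32")
    /ip ipsec policy set [find comment=$IPsecComment] sa-dst-address=$newIP
    :log info ("IPsec peer and policy " . $IPsecComment . " now point at " . $newIP)
  } else={
    :log debug ("Remote IP unchanged (" . $newIP . ")")
  }
}
```

Run it from the same 10 minute scheduler as the local update script, or as a second scheduler entry; check the log for the "updating" lines to confirm a change was applied.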
We are now done with the configuration on Site 1, so it is time to move to Site 2 and go through it again configuring the IPs in the reverse order.
If you feel so inclined, please let us know how it went and leave some feedback if you find it useful.
| Section | Command |
|---|---|
| | pp select 1 |
| | pp keepalive interval 30 retry-interval=30 count=12 |
| | pp always-on on |
| | pppoe use lan2 |
| | pppoe auto disconnect off |
| | pp auth accept pap chap |
| | pp auth myname (User ID) (Password) |
| | ppp lcp mru on 1454 |
| | ppp ipcp ipaddress on |
| | ppp ipcp msext on |
| | ppp ccp type none |
| | ip pp nat descriptor 1000 |
| | pp enable 1 |
| | ip route default gateway pp 1 |
| NAT settings | nat descriptor type 1000 masquerade |
| | nat descriptor masquerade static 1000 1 192.168.100.1 udp 500 |
| | nat descriptor masquerade static 1000 2 192.168.100.1 esp |
| DHCP Server settings | dhcp service server |
| | dhcp server rfc2131 compliant except remain-silent |
| | dhcp scope 1 192.168.100.2-192.168.100.191/24 |
| DNS settings | dns server pp 1 |
| | dns private address spoof on |
| IPsec VPN settings | tunnel select 1 |
| | ipsec tunnel 1 |
| | ipsec sa policy 1 1 esp 3des-cbc sha-hmac local-id=192.168.100.0/24 remote-id=192.168.88.0/24 |
| | ipsec ike keepalive log 1 off |
| | ipsec ike keepalive use 1 on dpd |
| | ipsec ike local address 1 192.168.100.1 |
| | ipsec ike local id 1 192.168.100.0/24 |
| | ipsec ike pre-shared-key 1 text (Pre-shared-key) |
| | ipsec ike remote address 1 200.1.1.202 |
| | ipsec ike remote id 1 192.168.88.0/24 |
| | ip tunnel tcp mss limit auto |
| | tunnel enable 1 |
| | ipsec auto refresh on |
| | ip route 192.168.88.0/24 gateway tunnel 1 |
| Filter settings | ip filter 200000 reject 10.0.0.0/8 * * * * |
| | ip filter 200001 reject 172.16.0.0/12 * * * * |
| | ip filter 200002 reject 192.168.0.0/16 * * * * |
| | ip filter 200003 reject 192.168.100.0/24 * * * * |
| | ip filter 200010 reject * 10.0.0.0/8 * * * |
| | ip filter 200011 reject * 172.16.0.0/12 * * * |
| | ip filter 200012 reject * 192.168.0.0/16 * * * |
| | ip filter 200013 reject * 192.168.100.0/24 * * * |
| | ip filter 200020 reject * * udp,tcp 135 * |
| | ip filter 200021 reject * * udp,tcp * 135 |
| | ip filter 200022 reject * * udp,tcp netbios_ns-netbios_ssn * |
| | ip filter 200023 reject * * udp,tcp * netbios_ns-netbios_ssn |
| | ip filter 200024 reject * * udp,tcp 445 * |
| | ip filter 200025 reject * * udp,tcp * 445 |
| | ip filter 200026 restrict * * tcpfin * www,21,nntp |
| | ip filter 200027 restrict * * tcprst * www,21,nntp |
| | ip filter 200030 pass * 192.168.100.0/24 icmp * * |
| | ip filter 200031 pass * 192.168.100.0/24 established * * |
| | ip filter 200032 pass * 192.168.100.0/24 tcp * ident |
| | ip filter 200033 pass * 192.168.100.0/24 tcp ftpdata * |
| | ip filter 200034 pass * 192.168.100.0/24 tcp,udp * domain |
| | ip filter 200035 pass * 192.168.100.0/24 udp domain * |
| | ip filter 200036 pass * 192.168.100.0/24 udp * ntp |
| | ip filter 200037 pass * 192.168.100.0/24 udp ntp * |
| | ip filter 200080 pass * 192.168.100.1 udp * 500 |
| | ip filter 200081 pass * 192.168.100.1 esp * * |
| | ip filter 200098 reject-nolog * * established |
| | ip filter 200099 pass * * * * * |
| | ip filter 500000 restrict * * * * * |
| | ip filter dynamic 200080 * * ftp |
| | ip filter dynamic 200081 * * domain |
| | ip filter dynamic 200082 * * www |
| | ip filter dynamic 200083 * * smtp |
| | ip filter dynamic 200084 * * pop3 |
| | ip filter dynamic 200085 * * submission |
| | ip filter dynamic 200098 * * tcp |
| | ip filter dynamic 200099 * * udp |
| | pp select 1 |
| | ip pp secure filter in 200003 200020 200021 200022 200023 200024 200025 200030 200032 200080 200081 |
| | ip pp secure filter out 200013 200020 200021 200022 200023 200024 200025 200026 200027 200099 dynamic 200080 200081 200082 200083 200084 200085 200098 200099 |
| | pp enable 1 |