Setup L2TP VPN for MikroTik

[abitrolly]

• [x] start L2TP server

This checks the state of L2TP server.

[admin@MHS-MikroTik] /interface l2tp-server> server print 
               enabled: no
               max-mtu: 1450
               max-mru: 1450
                  mrru: disabled
        authentication: pap,chap,mschap1,mschap2
     keepalive-timeout: 30
          max-sessions: unlimited
       default-profile: default-encryption
             use-ipsec: no
          ipsec-secret: 
        caller-id-type: ip-address
  one-session-per-host: no
       allow-fast-path: no

This enables it.

/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=strongpassis...

The final status.

[admin@MHS-MikroTik] /interface l2tp-server server> print 
               enabled: yes
               max-mtu: 1450
               max-mru: 1450
                  mrru: disabled
        authentication: pap,chap,mschap1,mschap2
     keepalive-timeout: 30
          max-sessions: unlimited
       default-profile: default-encryption
             use-ipsec: required
          ipsec-secret: strongpassis...
        caller-id-type: ip-address
  one-session-per-host: no
       allow-fast-path: no

• [ ] set firewall to enable connections to L2TP

Using any L2TP client try to connect to malino.mhs.by and watch the response with Wireshark. If there is no response, them MikroTik firewall needs to be configured to allow L2TP UDP port 1701 to pass.

/ip firewall filter
add chain=input protocol=udp port=1701

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup

[abitrolly]

Oops. L2TP needs to be wrapped into IPSec for security.

[abitrolly]

https://mum.mikrotik.com/presentations/HR13/kirnak.pdf

• [x] Set IPSec logging

  
  /system logging add topics=ipsec
  /system logging print
  ...
  6    ipsec                                                              memory
  ...

Checking the logs should probably be done with.

/log print follow where topic~"ipsec"

[abitrolly]

IKEv2 is the protocol on UDP port 500 that is used for IPSec handshake. IPSec proposal is used to set algorithms for encrypting traffic.

• [x] Create IPSec proposal

Make sense to configure for protocols that are supported by hardware.

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

• https://mum.mikrotik.com/presentations/US18/presentation_5369_1523883851.pdf
• https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Proposals

Done. Modified default proposal.

print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc
      lifetime=30m pfs-group=modp2048