Setting up Proxy ARP for VPN connections on Mikrotik routers
One of the main purposes of a VPN is to give remote clients access to the local network. Although the topic is covered widely, many administrators still struggle with it, and routing is usually the biggest problem: partly because the subject demands a solid grounding in theory, partly because of the limits of the chosen solution. In some scenarios routing can be avoided altogether by using other technologies to reach the network, and today we will talk about one of them.
There are two main scenarios for building a VPN: giving remote client devices access, and interconnecting remote networks. The second case is easier, since the administrator configures both ends of the tunnel exactly as he sees fit; client devices, on the other hand, can be a very diverse zoo. Installing third-party software or adding custom routes can be quite difficult, especially on a client's personal device. It is therefore desirable to build the remote connection with standard tools and minimal interference with the client system.
The method described here applies specifically to connecting client devices; it should not be used to join networks. Its distinguishing feature is that VPN clients are given addresses from the local network's own range. Consider the following diagram:
In our case there is a local network 192.168.111.0/24 containing a server 192.168.111.101 and a router 192.168.111.1. For remote access we set up a VPN server on the router with the local address 192.168.111.140 and a client pool of 192.168.111.141-192.168.111.149. We need to give connecting clients transparent access to the local network (the green dotted line).
A number of rules must be followed. First, the range of the client's own local network must not overlap the office range, so we strongly advise against using 192.168.0.0/24, 192.168.1.0/24 and similar ranges in corporate networks: they are the defaults on consumer-grade devices, and a client whose home router uses the same range will never reach the office. Second, the range allocated to remote clients must be excluded from DHCP issuance and from static assignment to devices on the local network. Finally, the VPN server's local address must come from the local range and must not be used by any other device or router interface.
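The three rules above are easy to break months later when someone widens a DHCP range or hard-codes a server address. The following script, written for this article and not part of the original text or of any MikroTik tooling, encodes them as a check over an address plan. It takes the LAN subnet, the DHCP pool, the VPN pool and the VPN server's local address in RouterOS pool syntax and returns the violations; the DHCP range 192.168.111.50-139 and the list of static hosts are assumptions, since the article only names the LAN, the router, the server and the VPN pool.

```python
"""Address-plan sanity check for a Proxy-ARP VPN setup.

Added example for this article, not MikroTik code. It encodes the three
rules above: avoid consumer-default ranges, keep the VPN pool out of DHCP
and static assignment, and give the VPN server an address nobody else uses.
The DHCP range and the "static hosts" list are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

# Ranges shipped as defaults on consumer routers (the two named in the
# article plus MikroTik's own factory default); extend as needed.
CONSUMER_DEFAULTS = [IPv4Network(n) for n in
                     ("192.168.0.0/24", "192.168.1.0/24", "192.168.88.0/24")]


def ip_range(spec: str) -> set:
    """Parse RouterOS pool syntax 'a.b.c.d-a.b.c.e' (or a single address)
    into a set of IPv4Address objects."""
    lo, _, hi = spec.partition("-")
    first = IPv4Address(lo.strip())
    last = IPv4Address(hi.strip()) if hi else first
    if last < first:
        raise ValueError(f"range {spec!r} runs backwards")
    return {IPv4Address(i) for i in range(int(first), int(last) + 1)}


def check_plan(lan: str, dhcp_pool: str, vpn_pool: str, vpn_local: str,
               static_hosts=()) -> list:
    """Return human-readable problems; an empty list means the plan
    satisfies all three rules."""
    net = IPv4Network(lan)
    dhcp, vpn = ip_range(dhcp_pool), ip_range(vpn_pool)
    local = IPv4Address(vpn_local)
    static = {IPv4Address(h) for h in static_hosts}
    problems = []

    # Rule 1: stay away from the ranges remote clients' home routers use.
    for default in CONSUMER_DEFAULTS:
        if net.overlaps(default):
            problems.append(f"LAN {net} overlaps consumer default {default}")

    # Everything handed out must lie inside the usable part of the LAN
    # subnet, otherwise proxy-arp has nothing to proxy for.
    edges = (net.network_address, net.broadcast_address)
    for label, addrs in (("DHCP pool", dhcp), ("VPN pool", vpn),
                         ("VPN local address", {local})):
        stray = [a for a in addrs if a not in net or a in edges]
        if stray:
            problems.append(f"{label} has {len(stray)} address(es) outside usable {net}")

    # Rule 2: the VPN pool is excluded from DHCP and from static use.
    if dhcp & vpn:
        problems.append(f"VPN pool overlaps DHCP pool on {len(dhcp & vpn)} address(es)")
    if static & vpn:
        problems.append(f"VPN pool collides with static hosts {sorted(map(str, static & vpn))}")

    # Rule 3: the VPN server's local address is used by nothing else.
    for label, pool in (("DHCP pool", dhcp), ("VPN pool", vpn), ("static hosts", static)):
        if local in pool:
            problems.append(f"VPN local address {local} is also in the {label}")
    return problems


def article_plan() -> list:
    """The article's plan: LAN 192.168.111.0/24, router .1, server .101,
    VPN server .140, clients .141-.149. The DHCP range .50-.139 is assumed."""
    return check_plan("192.168.111.0/24", "192.168.111.50-192.168.111.139",
                      "192.168.111.141-192.168.111.149", "192.168.111.140",
                      static_hosts=("192.168.111.1", "192.168.111.101"))


def broken_plan() -> list:
    """A constructed counter-example that breaks all three rules."""
    return check_plan("192.168.1.0/24", "192.168.1.100-192.168.1.200",
                      "192.168.1.150-192.168.1.160", "192.168.1.150",
                      static_hosts=("192.168.1.1", "192.168.1.155"))


if __name__ == "__main__":
    for name, result in (("article plan", article_plan()), ("broken plan", broken_plan())):
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run it before touching the router; the broken plan shows what a collision looks like: the VPN pool sits inside the DHCP range, a static host has taken an address from it, and the VPN server's own address is handed out by DHCP as well.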
The type of VPN itself is not of fundamental importance, but it is advisable to choose one for which the target client devices ship a standard client. In practice that means L2TP/IPsec; PPTP is also built into most systems, but its MPPE encryption and MS-CHAPv2 authentication have been broken for years, so it should be avoided wherever anything else is available.
In our example, this will be an L2TP client that successfully connected to our router and received the address 192.168.111.148:
At first glance everything is fine: the client received an address from the local range and, it seems, should be able to talk to it without routing. But if we try to reach the server shown on the diagram, we fail.
When a host wants to reach 192.168.111.101, it first sends a broadcast ARP request: who has 192.168.111.101?
All nodes on the segment receive it, but only the owner of the address answers:
192.168.111.101 my MAC address is 00:26:57:00:1f:02
The real exchange looks almost exactly like this; below is a capture of ARP requests and replies on a local network.
Having received the MAC address, the host stores it in its ARP table and can then talk to that host without sending an ARP request every time.
But what went wrong in our case? A VPN connection is not an Ethernet segment but a point-to-point structure, and ARP does not run over it at all: the client 192.168.111.148 simply hands every packet down the tunnel to the VPN server 192.168.111.140, which routes it on to 192.168.111.101. Packets from the client therefore arrive. The trouble starts on the way back. The server believes 192.168.111.148 lies in its own 192.168.111.0/24 segment, so it broadcasts an ARP request for it on the LAN. Nobody on the wire owns that address, and the router, whose own address is 192.168.111.1 and not the one being asked for, «modestly» remains silent. The server never learns a MAC address to send its replies to, they are dropped, and no connection can be established.
To get out of this situation you can use Proxy ARP. With it the router answers ARP requests on behalf of hosts that are reachable through it, which stitches together at the data-link level networks that are in fact separated by a router. Now, when the server asks who has 192.168.111.148, the router replies with a MAC address to which the server can send its Ethernet frames.
There are different variants of ARP proxying; in the simplest one, which is what MikroTik implements, the router answers the request with its own MAC address, accepts the Ethernet frames addressed to it and routes the packets on to the interface behind which the target lives, here the L2TP tunnel. From the point of view of the remote client and the LAN hosts they are talking to each other at the data-link level without any router in between (or so it seems to them). One caveat: with proxy-arp enabled the router will answer on that interface for every address it has a route to through some other interface, so keep the VPN pool tightly scoped and make sure no LAN device uses an address from it, otherwise two devices answer for the same address and traffic silently goes to the wrong place.
To enable Proxy ARP on a MikroTik router, open the settings of the interface that serves your local network (most often a bridge; in our case it is one of the ether ports) and set the ARP field to proxy-arp.
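To make the mechanism concrete, here is a small model of the ARP exchange above and of the router's proxy-arp decision. It is an example added for this article, not MikroTik or RouterOS code: the router is modelled with one LAN interface, a routing table and the RouterOS-style arp mode of that interface ("enabled" or "proxy-arp"); the ARP frames are built and parsed byte for byte so the reply can be inspected. The router MAC d4:ca:6d:00:00:01 and the interface names are assumptions; the server MAC 00:26:57:00:1f:02 is the one from the article's capture.

```python
"""Model of the ARP exchange and the router's proxy-arp decision.

Added example for this article, not MikroTik code. Frames are constructed
by hand; the router MAC d4:ca:6d:00:00:01 is an assumption, the server
MAC 00:26:57:00:1f:02 is taken from the article's capture.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# Ethernet II header (14 bytes) + ARP for IPv4 over Ethernet (28 bytes)
FRAME_FMT = "!6s6sHHHBBH6s4s6s4s"


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpFrame:
    dst: bytes
    src: bytes
    op: int
    sha: bytes          # sender hardware address
    spa: IPv4Address    # sender protocol address
    tha: bytes          # target hardware address (zeros in a request)
    tpa: IPv4Address    # target protocol address

    def pack(self) -> bytes:
        return struct.pack(FRAME_FMT, self.dst, self.src, ETH_P_ARP,
                           1, 0x0800, 6, 4, self.op,
                           self.sha, self.spa.packed, self.tha, self.tpa.packed)

    @classmethod
    def parse(cls, raw: bytes) -> "ArpFrame":
        (dst, src, ethertype, htype, ptype, hlen, plen, op,
         sha, spa, tha, tpa) = struct.unpack(FRAME_FMT, raw[:42])
        if (ethertype, htype, ptype, hlen, plen) != (ETH_P_ARP, 1, 0x0800, 6, 4):
            raise ValueError("not an IPv4-over-Ethernet ARP frame")
        return cls(dst, src, op, sha, IPv4Address(spa), tha, IPv4Address(tpa))


@dataclass
class Router:
    lan_mac: bytes
    lan_addr: IPv4Address
    arp_mode: str = "enabled"                    # RouterOS: enabled | proxy-arp
    routes: dict = field(default_factory=dict)   # IPv4Network -> egress interface

    def egress_for(self, addr: IPv4Address):
        """Longest-prefix match; None if the address is unreachable."""
        hits = [(net, iface) for net, iface in self.routes.items() if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def handle_lan_arp(self, raw: bytes):
        """Return the reply frame emitted on the LAN, or None for silence."""
        req = ArpFrame.parse(raw)
        if req.op != ARP_REQUEST:
            return None
        if req.tpa == self.lan_addr:
            answer = True                 # plain ARP: the router's own address
        elif self.arp_mode == "proxy-arp":
            # Proxy ARP as modelled here: answer for any address the router
            # reaches through an interface other than the one the request
            # came in on, i.e. the VPN clients behind the tunnel, but never
            # for hosts that sit on the LAN itself.
            egress = self.egress_for(req.tpa)
            answer = egress is not None and egress != "lan"
        else:
            answer = False
        if not answer:
            return None
        return ArpFrame(req.sha, self.lan_mac, ARP_REPLY,
                        self.lan_mac, req.tpa, req.sha, req.spa).pack()


def learned_mac(arp_mode: str, target: str):
    """Replay the article's scenario: server 192.168.111.101 broadcasts
    'who has <target>?' on the LAN. Returns the MAC it learns, or None."""
    router = Router(mac("d4:ca:6d:00:00:01"), IPv4Address("192.168.111.1"), arp_mode,
                    {IPv4Network("192.168.111.0/24"): "lan",
                     # connected /32 route created by the L2TP session
                     IPv4Network("192.168.111.148/32"): "l2tp-client"})
    server = mac("00:26:57:00:1f:02")
    request = ArpFrame(BROADCAST, server, ARP_REQUEST, server,
                       IPv4Address("192.168.111.101"), bytes(6), IPv4Address(target)).pack()
    reply = router.handle_lan_arp(request)
    return None if reply is None else mac_str(ArpFrame.parse(reply).sha)


if __name__ == "__main__":
    print("arp=enabled,   who has .148 ->", learned_mac("enabled", "192.168.111.148"))
    print("arp=proxy-arp, who has .148 ->", learned_mac("proxy-arp", "192.168.111.148"))
    print("arp=proxy-arp, who has .101 ->", learned_mac("proxy-arp", "192.168.111.101"))
```

With arp=enabled the request for the VPN client goes unanswered, which is exactly the silence described above; with proxy-arp the server learns the router's MAC and sends its frames there, while a request for a host that is on the LAN itself is still left alone.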
As you can see, it is all quite simple: we got full access to the local network behind the VPN server using completely standard tools on the client side, without configuring routing or any other «extra» steps.
Material from MikroTik Wiki
This article covers setting up an L2TP and L2TP/IPsec tunnel on MikroTik equipment to connect an employee's workplace (client-to-site VPN). After the VPN link is established, routing between the networks will be working and a connectivity check will be performed. Typical problems that can arise during configuration and verification are also analysed.
The GW1 router is installed in the head office and will also act as the VPN server. In the same office runs the DC1 server, a domain controller that also performs the functions of DNS and WINS server. A computer will connect to the head office and be configured as the VPN client.
- Via GUI
- Setting up the first router
- Basic configuration
- Configuring L2TP
- Configuring IPsec
- Enabling Proxy-ARP
- MikroTik L2TP/IPsec VPN Configuration
- MikroTik Router Basic Configuration
- Enabling L2TP Server
- L2TP/IPsec Client Configuration
- ABU SAYEED
- Add an IP Pool
- Add a PPP Profile
- Create a PPP Secret
- Enable the L2TP Server
- Set up IPSec Peers
- Add Proposals
- Add Firewall Rules
- Second Rule
- Turn on Proxy ARP
Enable the L2TP server. L2TP by itself carries no encryption (that is what the IPsec layer adds), so restrict PPP authentication to mschap2, the strongest of the available methods; bear in mind that even MS-CHAPv2 is weak on its own and must not be exposed to the Internet without IPsec.
/interface l2tp-server server
set authentication=mschap2 enabled=yes
Create an address pool for VPN connections:
/ip pool
add name=vpn-pool ranges=172.16.30.102-172.16.30.253
Create a profile for VPN connections. Specify the address of the DC1 server, which is the DNS and WINS server. Without DNS and WINS the VPN connection will still come up, but hosts will not be reachable by name.
/ppp profile
add name="L2TP client-to-site" change-tcp-mss=yes local-address=172.16.30.101 remote-address=vpn-pool dns-server=192.168.15.10 wins-server=192.168.15.10
Add a user account:
Enable proxy-arp on the router interface facing the local network. This is what allows the remote client to communicate with local hosts:
/interface ethernet
set ether1-LAN1 arp=proxy-arp
Create an IPsec peer for client connections (address 0.0.0.0/0, because the client's remote address is not known in advance):
To check the VPN connection it is enough to ping, from the VPN client computer, any computer on the network behind the GW1 router.
This article covers setting up an SSTP tunnel on MikroTik equipment to connect an employee's workplace (client-to-site VPN). After the VPN link is established, routing between the networks will be working and a connectivity check will be performed. Typical problems that can arise during configuration and verification are also analysed.
Setting up the first router
Enable the SSTP server (it needs a server certificate, here the one named server):
/interface sstp-server server
set authentication=mschap2 enabled=yes certificate=server
/ppp profile
add name="SSTP client-to-site" local-address=172.16.30.101 remote-address=vpn-pool change-tcp-mss=yes dns-server=192.168.15.10 wins-server=192.168.15.10
Note (L2TP/IPsec): if several clients sit behind the same NAT device, only one L2TP/IPsec connection to the server can be established.
Basic configuration of the router: the Internet uplink on ether1, the local network 10.20.0.0/24 on ether2, masquerading, DNS and a DHCP server for the LAN:
/ip address
add address=22.214.171.124/24 interface=ether1
add address=10.20.0.1/24 interface=ether2
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
/ip dns
set allow-remote-requests=yes servers=126.96.36.199,188.8.131.52
/ip pool
add name=lan_dhcp ranges=10.20.0.100-10.20.0.199
/ip dhcp-server
add name=lan_dhcp address-pool=lan_dhcp interface=ether2 disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1
Create a second pool of IP addresses from the same subnet, to be used for VPN clients (it must not overlap the DHCP pool above):
/ip pool add name=lan_vpn ranges=10.20.0.200-10.20.0.254
Create a new PPP profile that hands out addresses from that pool (the pool name must match the one just created):
/ppp profile add name=l2tp-vpn-lan local-address=10.20.0.1 remote-address=lan_vpn dns-server=10.20.0.1
Enable the L2TP server. For our purposes the mschap2 authentication method alone is sufficient; it is still only acceptable because IPsec is layered on top.
/interface l2tp-server server set enabled=yes authentication=mschap2 default-profile=l2tp-vpn-lan
Create the IPsec peer:
Create the IPsec proposal. Note that 3des is obsolete and should be dropped from the list unless a legacy client requires it; modern Windows clients negotiate aes-256 with sha1 on their own:
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des,aes-256 lifetime=30m pfs-group=
Since the computers on the local network and the remote clients use IP addresses from the same subnet, proxy-arp must be enabled on the interface connected to the local network. In our example that is ether2:
/interface ethernet set ether2 arp=proxy-arp
The MikroTik L2TP server is one of the most popular VPN services. It provides an encrypted tunnel across a public network for transporting IP traffic over PPP. L2TP/IPsec is more secure than the MikroTik PPTP VPN server. The MikroTik L2TP server can be applied in two ways.
The goal of this article is to connect a remote client operating system through an L2TP tunnel across a public network. So, in this article I will only show how to configure an L2TP/IPsec VPN server on a MikroTik router for connecting a remote workstation/client.
L2TP/IPsec Network for Remote Client
In this network, the MikroTik router is connected to the Internet through the ether1 interface with IP address 192.168.30.2/30. In your real network, replace this with your public IP address. The router's ether2 interface is connected to the local network 10.10.11.0/24. We will configure the L2TP/IPsec server on this router; after the L2TP configuration the router will create a virtual interface (the L2TP tunnel) across the public network whose IP address will be 10.10.11.1. On the other side, a remote laptop (workstation/client) connected to the Internet wants to connect to our L2TP/IPsec server to access local network resources. We will configure the L2TP/IPsec client on this laptop, and after the L2TP tunnel is established across the public network, the laptop will receive the router's local IP 10.10.11.10 and will be able to access the router's private network.
MikroTik L2TP/IPsec VPN Configuration
MikroTik L2TP can be used like any other tunnelling protocol, but L2TP on its own provides no confidentiality; the standard way to secure it is to run L2TP over IPsec. So if your router supports it, use the L2TP server over IPsec. L2TP/IPsec requires some extra configuration on both the L2TP server and the L2TP client. The complete L2TP/IPsec VPN configuration can be divided into four steps.
MikroTik Router Basic Configuration
Basic RouterOS configuration is complete. Now it is time to enable the L2TP server on our MikroTik router.
Enabling L2TP Server
After enabling proxy-arp, the remote client can reach all workstations in the local network behind the router.
L2TP/IPsec Client Configuration
If everything is OK, you will be able to connect to your L2TP server and an L2TP tunnel will be created between the MikroTik router and your remote client. Now try to ping a local host; you should get ping replies without any problem.
If you use an operating system other than Windows, please search for how to create an L2TP/IPsec client on that specific operating system. I hope you will find a solution.
I'm running a MikroTik RouterBOARD 962UiGS-5HacT2HnT with a Level 4 licence. This setup should work on any Level 3 or higher RouterOS licence, which I think is now all of them.
I'm setting this up using WinBox; it can also be done using the web interface or the command line.
Add an IP Pool
Add a PPP Profile
Open the PPP window. Select the Profiles tab. Click the add button. Make the settings as shown.
Create a PPP Secret
Enable the L2TP Server
Set up IPSec Peers
On the IPsec window select the Policy Proposals tab. Double-click the default entry and make the settings as shown. The only interesting change here is setting a longer lifetime, although that's not necessary (and possibly bad).
Add Firewall Rules
Turn on Proxy ARP
Open the Bridge window and double-click the bridge configuration. Set ARP from "enabled" to "proxy-arp"; without this setting you'll be able to connect to the VPN but you won't be able to access resources on the network.