MikroTik RouterOS and Windows XP IPSec/L2TP: Difference between revisions
(One intermediate revision by the same user not shown)
Line 24: | Line 24: | ||
<pre> | <pre> | ||
/ip ipsec peer add address=192.168.1.1 | /ip ipsec peer | ||
secret=123456789 hash-algorithm= | add address=192.168.1.1 auth-method=pre-shared-key exchange-mode=main-l2tp\ | ||
secret=123456789 hash-algorithm=sha1 enc-algorithm=3des generate-policy=yes | |||
</pre> | </pre> | ||
* Add IPSec peer settings settings, these settings should match at both ends, | * Add IPSec peer settings settings, these settings should match at both ends, | ||
** '''address=192.168.1.1''' address of your Windows computer, it's possible to use '''0.0.0.0/0''', when IP address of remote client is unknown; (Note: Typing 0.0.0.0 (without /0) makes Mikrotik listen to 0.0.0.0 only, therefore disabling any connection. Make sure to specify the network mask using /0.) | ** '''address=192.168.1.1''' address of your Windows computer, it's possible to use '''0.0.0.0/0''', when IP address of remote client is unknown; (Note: Typing 0.0.0.0 (without /0) makes Mikrotik listen to 0.0.0.0 only, therefore disabling any connection. Make sure to specify the network mask using /0.) | ||
** ''' | ** '''port=500''' port number; | ||
** '''hash-algorithm= | ** '''hash-algorithm=sha1''' and '''enc-algorithm=3des''' are used by default on Windows XP; | ||
** '''generate-policy=yes''' to generate IPSec policy automatically; | ** '''generate-policy=yes''' to generate IPSec policy automatically; | ||
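Review bot: the new `/ip ipsec peer add` line documents `secret=123456789` as the pre-shared key that must match on the Windows side, but nothing in the hunk marks it as an example value; add a sentence stating that it is a placeholder to be replaced with a long random secret. Also, the added bullet `port=500` describes a parameter the command itself does not set; either add `port=500` to the command or say that UDP 500 is the default. The duplicated word in "peer settings settings" survives both revisions and could be fixed in the same edit.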
Latest revision as of 08:13, 14 May 2012
Overview
Microsoft Windows XP/Vista has a built-in PPTP client and an L2TP/IPSec client. We will see how to set up an L2TP/IPSec tunnel between MikroTik RouterOS and Windows. It is also possible to run L2TP without IPSec between RouterOS and Windows, but that requires changing a registry entry in Windows.
RouterOS Configuration
L2TP Server configuration
/ interface l2tp-server server set enabled=yes
- Enable L2TP server;
/ ppp secret add name=12345 password=12345 profile=default-encryption local-address=192.168.1.1 remote-address=192.168.1.2
- Add a PPP secret (the L2TP user). If you don't need double encryption, use the default profile for L2TP and rely on the IPSec encryption alone; adjust the Windows and RouterOS L2TP tunnel properties to match, depending on whether PPP-level encryption should run inside the tunnel or not.
- It is also possible to use an address pool instead of fixed local and remote addresses; both can be assigned from the same pool.
IPSec configuration
/ip ipsec peer add address=192.168.1.1 auth-method=pre-shared-key exchange-mode=main-l2tp secret=123456789 hash-algorithm=sha1 enc-algorithm=3des generate-policy=yes
- Add the IPSec peer settings; these settings must match at both ends:
- address=192.168.1.1 is the address of your Windows computer; it is possible to use 0.0.0.0/0 when the IP address of the remote client is unknown. (Note: typing 0.0.0.0 without /0 makes MikroTik listen for 0.0.0.0 only, which disables any connection. Make sure to specify the network mask using /0.)
- port=500 is the IKE port number (UDP 500, the default);
- hash-algorithm=sha1 and enc-algorithm=3des are the defaults used by Windows XP;
- generate-policy=yes generates the IPSec policy automatically;
Note: Windows XP does not follow the RFC here. You need to set exchange-mode=main-l2tp, otherwise the Windows XP client will not be able to complete IKE Phase 1.
Adjust firewall settings
- Do not forget to allow UDP 500 (IKE), UDP 1701 (L2TP), UDP 4500 (NAT-Traversal) and protocol 50 (ESP) as destination ports/protocol in the firewall filter settings (input chain, action accept).
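The firewall rules described above written out as a RouterOS script, as an added example that is not part of the original page. It assumes the Internet-facing interface is named ether1 (assumption) and, for the UDP 1701 rule, that the RouterOS version supports the ipsec-policy matcher (assumption for the 2012-era release this page targets); that matcher accepts L2TP only after IPSec has decrypted it, so plain-text L2TP from the Internet is not accepted.

```routeros
# Added example, not the page's own configuration.
# Assumes the WAN interface is "ether1" (assumption).
/ip firewall filter
# Keep replies to connections the router itself opened
add chain=input action=accept connection-state=established,related \
    comment="established/related"
# IKE (UDP 500) and NAT-Traversal (UDP 4500) from the Windows client
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface=ether1 comment="IPsec IKE / NAT-T"
# ESP (IP protocol 50) carries the encrypted L2TP traffic
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 \
    comment="IPsec ESP"
# L2TP control channel (UDP 1701), but only when it arrived inside IPsec.
# ipsec-policy=in,ipsec is assumed to be available on this RouterOS version.
add chain=input action=accept protocol=udp dst-port=1701 \
    in-interface=ether1 ipsec-policy=in,ipsec comment="L2TP over IPsec only"
# Everything else addressed to the router from the WAN is dropped
add chain=input action=drop in-interface=ether1 comment="drop other WAN input"
```

The rules are evaluated top to bottom, so the accept rules must stay above the final drop; with `/ip firewall filter print` you can confirm the order and watch the packet counters increase while the Windows client connects.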
Windows configuration
The Windows configuration consists of two parts: first, adding a new network connection, and second, adjusting the IPSec settings.
Add Network Connection
The configuration, step by step:
- Start;
- Settings;
- Control Panel;
- Network Connections;
- New Connection Wizard and Next;
- Connect to the network at my workplace and Next;
- Select Virtual Private Network connection;
- Set Company Name, which is the name of new connection;
- Add IP address of the MikroTik RouterOS, where L2TP server is running, then Click Finish;
- Connection window opens, select Properties;
- Modify the Security options so that the encryption setting matches between the Windows computer and the L2TP server on RouterOS;
- Click on IPSec Settings and select Use pre-shared key for authentication;
- Go to the Networking tab and select L2TP IPSec VPN as the type of VPN;
In the connection window, enter the L2TP credentials (the PPP secret name and password configured on RouterOS).
Adjusting IPSec settings
Well, in my case the following step was not necessary. Actually, it disallowed repeated connections from the Windows XP (SP3) computer without unassigning and reassigning the policy (see the last step). A review of this article would be appreciated.
- Go to Start -> Run, put mmc
- In the console, select Add/Remove Snap-in and add the IP Security Policy Management snap-in;
- Select IP Security Policies, then from the Action menu open Create IP Security Policy;
- Follow the wizard instructions, clear Activate the default response rule and check Edit Properties;
- Click on Add and proceed to answer wizard questions;
- Select The rule does not specify a tunnel;
- Select LAN;
- Select Use this string to protect the key exchange, enter the same preshared key as configured on RouterOS;
- Create a new IP Filter List, where the source should be My computer and the destination the IP address of the RouterOS, then proceed with Next;
- Select Require security; you may leave the settings at their defaults (remember we configured hash-algorithm=sha1 and enc-algorithm=3des on RouterOS);
- Restart IPSec policy agent in Windows services;
- Right-click the newly created policy and select Assign.
If you observe problems using Windows 7, check the advanced firewall settings (Control Panel / Network and Sharing Center / Windows Firewall / Advanced settings / Actions (right pane) / Properties / IPSec Settings).
Check Connectivity
- The Windows computer should establish the new connection successfully ("Virtual Private Network Connection is now connected").
- MikroTik RouterOS should list L2TP tunnel,
/ppp active> print
Flags: R - radius
 #    NAME     SERVICE  CALLER-ID    ADDRESS  UPTIME  ENCODING
 4 0  monitor  l2tp     192.168.1.1  5.5.5.6  40s     MPPE128 stateless
- IPSec should show installed SAs:
/ip ipsec installed-sa print