Difference between revisions of "MikroTik RouterOS and Windows XP IPSec/L2TP"

From MikroTik Wiki

Revision as of 15:52, 10 September 2008

Overview

Microsoft Windows XP and Vista ship with a built-in PPTP client and an L2TP/IPsec client. This page shows how to set up an L2TP/IPsec connection between MikroTik RouterOS and Windows. It is also possible to run plain L2TP (without IPsec) between RouterOS and Windows, but Windows only allows that after a registry change (the REG_DWORD value ProhibitIpSec=1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, followed by a reboot); in that mode nothing but PPP-level MPPE protects the session, so the L2TP/IPsec setup described below is the one to use.

RouterOS Configuration

L2TP Server configuration

/interface l2tp-server server set enabled=yes
  • Enable the L2TP server;
/ppp secret add name=12345 password=12345 service=l2tp profile=default-encryption local-address=1.1.1.1 remote-address=1.1.1.2
  • Add a PPP secret, i.e. the user name and password the Windows client logs in with (12345/12345 are placeholders; use a real password). profile= selects the PPP profile for this user (default-profile= is the corresponding setting on the L2TP server itself, applied to users without one). The default-encryption profile demands MPPE on the PPP layer, which is a second layer of encryption on top of IPsec; if you do not want double encryption, use profile=default instead and untick "Require data encryption" in the Windows connection's Security tab. Either way the Windows and RouterOS settings must agree, otherwise the PPP stage fails after IPsec and L2TP have already come up. local-address and remote-address are the addresses of the PPP link inside the tunnel, not the Windows host's public address that the IPsec peer is keyed on, so give them a range of their own;

IPSec configuration

/ip ipsec peer add address=1.1.1.1 auth-method=pre-shared-key secret=123456789 hash-algorithm=sha encryption-algorithm=3des generate-policy=yes
  • Add the IPsec peer; these settings must match on both ends:
    • address=1.1.1.1 is the public address of your Windows computer. It is possible to use 0.0.0.0 when the client's address is not known in advance, but then any host that knows the pre-shared key can open IKE phase 1, so replace 123456789 with a long random secret rather than a short number;
    • hash-algorithm=sha and encryption-algorithm=3des (SHA-1 and 3DES) are what Windows XP proposes by default; XP offers nothing stronger, so these are the ceiling for this client (newer RouterOS versions spell the hash value sha1);
    • generate-policy=yes lets RouterOS create the transport-mode IPsec policy for the L2TP traffic (UDP port 1701) from the client's quick-mode proposal, so no manual /ip ipsec policy entry is needed;
    • if the Windows computer sits behind NAT, add nat-traversal=yes to the peer so IKE and ESP can move to UDP port 4500; if the RouterOS router itself sits behind NAT, Windows XP SP2 and later additionally need the REG_DWORD value AssumeUDPEncapsulationContextOnSendRule=2 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec before they will complete the association;
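A consolidated RouterOS configuration for the whole server side, added here as an example (it is not the wiki page's own text): it ties together the L2TP server, the PPP profile and secret, the IPsec peer and proposal, and the firewall rules that must be open for the tunnel, which the steps above leave out. The interface name ether1, the 192.168.89.0/24 inner addresses, the user name xpuser and the two secrets are placeholders to replace; the parameters themselves are RouterOS's own. Unlike the single-client peer above it accepts any client address (0.0.0.0/0) and therefore relies on the pre-shared key alone to authenticate clients.

```routeros
# Added example, not from the wiki page. Placeholders: ether1 (public interface),
# 192.168.89.x (inner PPP addresses), xpuser and the two secrets.

# 1. Inner addresses for the PPP link. Keep them in a range of their own; they are
#    unrelated to the client's public address that IPsec is keyed on.
/ip pool add name=l2tp-pool ranges=192.168.89.10-192.168.89.50
/ppp profile set default-encryption local-address=192.168.89.1 remote-address=l2tp-pool

# 2. User account. profile=default-encryption demands MPPE on top of IPsec;
#    use profile=default if one layer of encryption is enough.
/ppp secret add name=xpuser password="REPLACE-ME" service=l2tp profile=default-encryption

# 3. L2TP server; MS-CHAPv2 only, so no PAP/CHAP fallback can be negotiated.
/interface l2tp-server server set enabled=yes default-profile=default-encryption authentication=mschap2

# 4. Phase 2 proposal matching what Windows XP offers: ESP with 3DES and SHA-1, no PFS.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=none

# 5. Phase 1 peer. 0.0.0.0/0 accepts IKE from any address, so the PSK is the only
#    thing authenticating clients: make it long and random. generate-policy=yes
#    creates the transport-mode policy for UDP/1701 per client; nat-traversal=yes
#    lets clients behind NAT connect over UDP/4500. (Newer RouterOS spells the hash sha1.)
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-KEY" exchange-mode=main hash-algorithm=sha encryption-algorithm=3des nat-traversal=yes generate-policy=yes

# 6. Expose only what the tunnel needs on the public interface. UDP/1701 is accepted
#    because the real L2TP traffic arrives decapsulated from ESP, but nothing here
#    rejects a plaintext L2TP attempt on its own; RouterOS 6 and later can add
#    ipsec-policy=in,ipsec to the 1701 rule for that. Place these rules above any
#    generic drop rule on the input chain.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=accept comment="L2TP"
```

Paste the block into a terminal session or import it as a script; after a client connects, /ppp active print and /ip ipsec installed-sa print (see Check Connectivity below) show the result.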

Windows configuration

Windows configuration consists of two parts: first adding a new network connection, then adjusting the IPsec settings.

Add Network Connection

The configuration, step by step:

  • Start;
  • Settings;
  • Control Panel;
  • Network Connections;
  • New Connection Wizard, then Next;
  • Connect to the network at my workplace, then Next;
  • Select Virtual Private Network connection;
  • Set Company Name, which becomes the name of the new connection;
  • Enter the IP address of the MikroTik RouterOS on which the L2TP server is running, then click Finish;
  • The connection window opens; select Properties;
  • On the Security tab, set the encryption requirement to match the PPP profile used on RouterOS: keep "Require data encryption (disconnect if none)" ticked for the default-encryption profile, untick it if the secret uses profile=default;
  • Click IPSec Settings and select Use pre-shared key for authentication, entering the same key as in the RouterOS IPsec peer;
  • On the Networking tab set Type of VPN to L2TP IPSec VPN;

In the connection window enter the L2TP credentials, i.e. the name and password of the PPP secret configured on RouterOS.

Adjusting IPSec settings

  • Go to Start -> Run, type mmc and click OK;
  • In the console choose File -> Add/Remove Snap-in and add the IP Security Policy Management snap-in for the local computer;
  • Select IP Security Policies, then from the Action menu open Create IP Security Policy;
  • Follow the wizard; untick Activate the default response rule and tick Edit properties;
  • Click Add and answer the wizard's questions;
  • Select This rule does not specify a tunnel;
  • Select Local area network (LAN);
  • Select Use this string to protect the key exchange (preshared key) and enter the same pre-shared key as configured on RouterOS;
  • Create a new IP Filter List whose source is My IP Address and whose destination is the IP address of the RouterOS, then proceed with Next;
  • Select Require Security; the defaults may be left as they are (they match the hash-algorithm=sha and encryption-algorithm=3des configured on RouterOS);
  • Restart the IPSEC Services service (called IPSEC Policy Agent on Windows 2000) in Windows services;
  • Right-click the newly created policy and select Assign.

Check Connectivity

  • The Windows computer should connect successfully and report "Virtual Private Network Connection is now connected".
  • MikroTik RouterOS should list the L2TP tunnel among the active PPP connections (the name and addresses below are sample values):
/ppp active> print
Flags: R - radius
 #   NAME      SERVICE   CALLER-ID   ADDRESS   UPTIME   ENCODING
 0   monitor   l2tp      1.1.1.1     5.5.5.6   40s      MPPE128 stateless
    CALLER-ID is the client's real address (the one the IPsec peer is keyed on), ADDRESS is the PPP address handed to the client, and ENCODING shows MPPE only when the secret uses the default-encryption profile.
  • IPsec should show installed security associations: one inbound and one outbound ESP SA between the two addresses, with the negotiated algorithms (3DES/SHA-1 for Windows XP):
/ip ipsec installed-sa print
If installed-sa is empty while Windows reports an error, the failure is in IKE (pre-shared key or proposal mismatch); if the SAs exist but the connection still fails, the failure is in L2TP/PPP (user name, password or the encryption requirement).