L2TP + IPSEC between Mikrotik router and a PC
L2TP is a protocol used to support VPNs and it does not provide any encryption or confidentiality by itself - it relies on an encryption protocol that it passes within the tunnel to provide privacy. Because of that, it is often implemented along with IPsec. This is referred to as L2TP/IPsec.
On the server side we first create a user who will connect to the server (be sure to set a complex password and a long username; the name and password `ka` below are only placeholders):
/ppp secret add caller-id="" comment="Some description" disabled=no limit-bytes-in=0 \
    limit-bytes-out=0 local-address=10.0.16.9 name=ka password=ka profile=default \
    remote-address=10.0.16.10 routes="" service=l2tp
Then we create an L2TP server interface for the created user:
/interface l2tp-server add disabled=no name=l2tp-ka user=ka
Creating the server interface is not necessary for this to work, since RouterOS will dynamically create the interface each time the user authenticates, but a static interface has a fixed name, which eases the creation of firewall rules.
Enable the server (the example offers all four PPP authentication methods; restricting it to mschap2 avoids PAP's clear-text password exchange and the weaker CHAP and MS-CHAPv1 methods):
/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 \
    default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
Create an IPsec proposal (3DES, SHA-1 and the 1024-bit modp1024 group are legacy choices; on a RouterOS version that supports them, prefer AES, SHA-256 and modp2048 or larger):
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
Create an IPsec policy:
/ip ipsec policy add action=encrypt disabled=no dst-address=10.1.16.0/28:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
    sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=10.0.0.0/24:any tunnel=yes
Create an IPsec peer (secret=test is a placeholder; use a long, random pre-shared key, and set nat-traversal=yes if the client may sit behind NAT):
/ip ipsec peer add address=10.0.16.10/32:500 auth-method=pre-shared-key \
    dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
    lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no proposal-check=obey \
    secret=test send-initial-contact=yes
If you don't have a static IP address on the router's WAN interface, use this example to set up dynamic DNS with ChangeIP.org.
If you don't know the IP address of the remote client, do not add any policy and use 0.0.0.0/0 as the address in the IPsec peer; the peer then needs generate-policy enabled so that a policy is created from the client's proposal when it connects. See the Windows PC example.
Check this for more.
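The following is an added example, not part of the original page or MikroTik's own documentation. It puts the whole server-side procedure together for the case just described (client address unknown, so no static policy and a 0.0.0.0/0 peer), with the legacy 3DES / SHA-1 / modp1024 settings replaced by AES-256 / SHA-256 / modp2048, PPP authentication limited to MS-CHAPv2, and the firewall rules that the WAN side needs. The user name, addresses, the WAN interface name ether1, and the password and pre-shared key strings are placeholders; the command form follows the page's (RouterOS 6 before 6.43; later versions split the peer into /ip ipsec peer and /ip ipsec identity).

```routeros
# Added example (not from the original page): hardened L2TP/IPsec server.
# User name, addresses, "ether1" and the secrets are placeholders.

# 1. PPP account. "ka"/"ka" above is only a demo value: use a long random password.
/ppp secret add name=vpnuser password="use-a-long-random-passphrase" \
    service=l2tp profile=default-encryption \
    local-address=10.0.16.9 remote-address=10.0.16.10 comment="L2TP client"

# 2. Static server binding for this user (optional, but gives the interface a
#    fixed name that firewall rules can reference).
/interface l2tp-server add name=l2tp-vpnuser user=vpnuser disabled=no

# 3. Enable the L2TP server. Only MS-CHAPv2 is offered: PAP sends the password
#    in clear text and CHAP/MS-CHAPv1 are weak. default-encryption requires MPPE.
/interface l2tp-server server set enabled=yes authentication=mschap2 \
    default-profile=default-encryption max-mru=1460 max-mtu=1460 mrru=disabled

# 4. Phase 2 proposal: AES-256-CBC with SHA-256, PFS with a 2048-bit group.
/ip ipsec proposal set default auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# 5. Phase 1 peer. Any client address is accepted (0.0.0.0/0), so no static
#    policy is added; generate-policy=port-strict makes the router create a
#    policy from the client's proposal for the life of the connection.
#    NAT-T is enabled because road-warrior clients usually sit behind NAT.
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    secret="replace-with-a-long-random-psk" exchange-mode=main \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=1d nat-traversal=yes generate-policy=port-strict \
    dpd-interval=10s dpd-maximum-failures=3 send-initial-contact=yes

# 6. Firewall: expose only what the tunnel needs on the WAN interface (ether1
#    assumed). L2TP (UDP 1701) is accepted only when it arrived inside IPsec,
#    so a client cannot reach the PPP layer without first completing IKE.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=drop \
    comment="Plain L2TP from the Internet"
```

Place the three accept rules before any general drop rule in the input chain, and check the result with /ip ipsec remote-peers print and /ip ipsec installed-sa print after a client connects: a working session shows one peer and a pair of ESP SAs using the AES-256 / SHA-256 settings above.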
Since I don't own an Apple machine, I invite everyone to try the example above to connect with an Apple machine and write here to complete the example.