modified on 13 June 2011 at 10:35 ••• 42,175 views
MikroTik RouterOS and Windows XP IPSec/L2TP
Contents
1 Overview
2 RouterOS Configuration
2.1 L2TP Server configuration
2.2 IPSec configuration
2.3 Adjust firewall settings
3 Windows configuration
3.1 Add Network Connection
3.2 Adjusting IPSec settings
4 Check Connectivity
Overview
Microsoft Windows XP/Vista has a built-in PPTP client and an L2TP/IPsec client. We will see how to set up an L2TP/IPsec tunnel between MikroTik RouterOS and Windows. It is also possible to run an L2TP connection without IPsec between RouterOS and Windows, but that requires changing a registry entry in Windows.
RouterOS Configuration
L2TP Server configuration
/interface l2tp-server server set enabled=yes
Enable the L2TP server;
/ppp secret add name=12345 password=12345 profile=default-encryption \
local-address=192.168.1.1 remote-address=192.168.1.2
Add the PPP client (the L2TP user). If you do not need double encryption (PPP-level encryption inside the tunnel plus IPsec), use the default profile for L2TP and rely on IPsec encryption alone. Adjust the Windows and RouterOS L2TP tunnel properties consistently, whether encryption is enabled or not.
It is also possible to use any IP address pool (the same kind of pool DHCP uses) instead of fixed local and remote addresses; both can be assigned from the same pool.
IPSec configuration
/ip ipsec peer add address=192.168.1.1:500 auth-method=pre-shared-key \
secret=123456789 hash-algorithm=sha enc-algorithm=3des generate-policy=yes
Add the IPsec peer settings; these settings must match at both ends:
address=192.168.1.1 is the address of your Windows computer. It is possible to use 0.0.0.0/0 when the IP address of the remote client is unknown. (Note: typing 0.0.0.0 without /0 makes MikroTik match the peer address 0.0.0.0 only, which blocks any connection. Make sure to specify the network mask with /0.)
:500 is the port number;
hash-algorithm=sha and enc-algorithm=3des are the defaults used by Windows XP;
generate-policy=yes generates the IPsec policy automatically.
Adjust firewall settings
Do not forget to allow UDP port 500 (IKE, Dst. Port), UDP 1701 (L2TP), UDP 4500 (NAT-Traversal) and IP protocol 50 (ESP) in the firewall filter settings (input chain, accept).
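As an added example (not from the wiki page), the firewall rules above written out as RouterOS commands, with the accepts placed before a catch-all drop on the WAN interface. The WAN interface name ether1-wan is a constructed assumption, and the ipsec-policy matcher, used so that UDP 1701 is accepted only when it arrived inside IPsec, is assumed to be supported by the RouterOS version in use.

```routeros
# Added example, not the wiki's own configuration. Assumes the WAN interface is
# named "ether1-wan" (constructed name) and that this RouterOS version supports
# the ipsec-policy firewall matcher.
/ip firewall filter
# Keep replies to connections the router itself opened.
add chain=input connection-state=established,related action=accept \
    comment="established/related"
# IKE (UDP 500) and NAT-Traversal (UDP 4500): needed for the IPsec SA to come up.
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 \
    action=accept comment="IPsec IKE and NAT-T"
# ESP (IP protocol 50) carries the encrypted L2TP packets when no NAT is in the
# path; behind NAT they arrive inside UDP 4500 instead.
add chain=input in-interface=ether1-wan protocol=ipsec-esp \
    action=accept comment="IPsec ESP"
# L2TP (UDP 1701) is accepted only if the packet was decrypted from an IPsec
# policy, so plaintext L2TP from the Internet never reaches the server.
add chain=input in-interface=ether1-wan protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
# Everything else arriving on the WAN interface is dropped; this rule must sit
# after the accepts above.
add chain=input in-interface=ether1-wan action=drop comment="drop other WAN input"

# After a Windows client connects, confirm the tunnel is up:
/ip ipsec installed-sa print
/ppp active print
```

If the client sits behind NAT, expect the ESP rule to stay at zero packets and the UDP 4500 rule to carry the traffic instead.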
Windows configuration
The Windows configuration consists of two parts: first, adding a new network connection, and second, adjusting the IPsec settings.
Add Network Connection
The configuration goes step by step:
Start;
Settings;
Control Panel;
Network Connections;
New Connection Wizard, then Next;
Connect to the network at my workplace, then Next;
Select Virtual Private Network connection;
Set Company Name, which becomes the name of the new connection;
Enter the IP address of the MikroTik RouterOS where the L2TP server is running, then click Finish;
The connection window opens; select Properties;
Modify the Security options so that encryption on the Windows computer matches the L2TP server on RouterOS;
Click IPsec Settings and select Use pre-shared key for authentication;
Go to the Networking tab and select L2TP IPsec VPN;
In the connection window, enter the L2TP credentials (the PPP secret name and password configured on RouterOS).
Adjusting IPSec settings
Well, in my case the following step was not necessary. Actually, it disallowed repeated connections from the Windows XP (SP3) computer without unassigning and reassigning the policy (see the last step). A review of this article would be appreciated.
Go to Start -> Run, type mmc;
In the console, select Add/Remove Snap-in and add the IP Security Policy Management snap-in;
Select IP Security Policies, go to Action and open Create IP Security Policy;
Follow the wizard instructions, uncheck Activate the default response rule and check Edit Properties;
Click Add and proceed to answer the wizard questions;
Select The rule does not specify a tunnel;
Select LAN;
Select Use this string to protect the key exchange and enter the same preshared key as configured on RouterOS;
Create a new IP Filter List, where the target should be My computer and the destination the IP address of the RouterOS, then proceed with Next;
Select Require security; you may leave the settings at their defaults (remember we configured hash-algorithm=sha and enc-algorithm=3des on RouterOS);
Restart the IPSec Policy Agent in Windows services;
Click the newly created policy and select Assign.
If you observe problems on Windows 7, check the advanced firewall settings (Control Panel / Network and Sharing Center / Windows Firewall / Advanced settings / Actions (right pane) / Properties / IPsec settings).
Source: MikroTik wiki
1 comment:
Hi, I have tried to configure an L2TP/IPsec VPN in MikroTik and dial in from Win7. I followed all the steps given here but failed to connect from Win 7. Please help me.
My router: MikroTik 3.25, RB450G. Please refer to:
1. How can I check that my VPN configuration is alright?
2. How can I check that my Windows dial-up setup is alright?
N.B. I got Windows error 789. Then I tried a real IP on the Windows PC, but I still fail.