Overview
Microsoft Windows XP/Vista have a built-in PPTP client and a built-in L2TP/IPsec client.
We will see how to create an L2TP/IPsec tunnel between MikroTik RouterOS and Windows. It
is also possible to run a plain L2TP connection (without IPsec) between RouterOS and Windows,
but you will need to change a registry entry in Windows.
RouterOS Configuration
L2TP Server configuration
/interface l2tp-server server set enabled=yes
- Enable the L2TP server;
/ ppp secret
add name=12345 password=12345 profile=default-encryption \
local-address=192.168.1.1 remote-address=192.168.1.2
- Add the PPP secret (the L2TP client's credentials). If you don't need double encryption, use the default profile for L2TP and rely on the IPsec encryption alone. Adjust the L2TP tunnel properties on both Windows and RouterOS so that they agree on whether PPP encryption is used or not.
- It is also possible to use any address pool instead of fixed local and remote addresses. Both can be assigned from the same pool.
IPSec configuration
/ip ipsec peer
add address=192.168.1.1 auth-method=pre-shared-key exchange-mode=main-l2tp \
    secret=123456789 hash-algorithm=sha1 enc-algorithm=3des generate-policy=yes
- Add the IPsec peer settings; these settings must match at both ends:
- address=192.168.1.1 is the address of your Windows computer. It is possible to use 0.0.0.0/0 when the IP address of the remote client is unknown. (Note: typing 0.0.0.0 without /0 makes MikroTik listen for 0.0.0.0 only, therefore no connection is possible. Make sure to specify the network mask using /0.)
- port=500 is the IKE port number (the default);
- hash-algorithm=sha1 and enc-algorithm=3des are what Windows XP uses by default;
- generate-policy=yes generates the IPsec policy automatically.
Note: Windows XP does not behave according to the RFC. You need to set the main-l2tp exchange mode, otherwise the Windows XP client will not be able to establish Phase 1.
Adjust firewall settings
- Do not forget to allow UDP 500 (IKE, Dst. Port), UDP 1701 (L2TP), UDP 4500 (NAT-Traversal) and IP protocol 50 (ESP) in the firewall filter settings (input chain, action accept).
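As an added example (not part of the original article), the RouterOS firewall filter rules that implement the list above. It assumes RouterOS v6 CLI syntax and that the input chain may already end in a drop rule, so the accept rules are moved to the top afterwards; the comment text "L2TP/IPsec" is only a label chosen here so the rules can be found again.

```routeros
/ip firewall filter
# IKE (UDP 500) and NAT-Traversal (UDP 4500) must reach the router unencrypted,
# because the IPsec SA does not exist yet when they arrive.
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="L2TP/IPsec: IKE and NAT-T"

# ESP is IP protocol 50; RouterOS names it ipsec-esp.
add chain=input protocol=ipsec-esp action=accept \
    comment="L2TP/IPsec: ESP"

# L2TP (UDP 1701) is accepted only when it arrived inside an IPsec SA, so a
# client cannot reach the L2TP server in the clear. Remove the ipsec-policy
# matcher only if you deliberately run L2TP without IPsec (the ProhibitIpSec
# registry change described later in this article).
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP/IPsec: L2TP inside IPsec"

# Filter rules are evaluated top-down: put the three accept rules ahead of any
# existing "drop everything else" rule in the input chain.
move [find comment~"^L2TP/IPsec"] destination=0
```

After applying the rules, check the order with /ip firewall filter print and confirm that the counters on the three accept rules increase while a Windows client connects; if only the IKE rule counts, the ESP or NAT-T traffic is still being dropped somewhere upstream.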
Windows configuration
The Windows configuration consists of two parts: first, adding a new network
connection, and second, adjusting the IPsec settings.
Add Network Connection
The configuration, step by step:
- Start;
- Settings;
- Control Panel;
- Network Connections;
- New Connection Wizard and Next;
- Connect to the network at my workspace and Next;
- Select Virtual Private Network connection;
- Set Company Name, which is the name of new connection;
- Add IP address of the MikroTik RouterOS, where L2TP server is running, then Click Finish;
- Connection window opens, select Properties;
- Modify the Security options so that the encryption setting on the Windows computer matches the L2TP server on RouterOS;
- Click on IPsec Settings and select Use pre-shared key for authentication;
- Go to the Networking tab and select L2TP IPsec VPN;
- In the connection window, enter the L2TP credentials (the PPP secret name and password configured on RouterOS).
Adjusting IPSec settings
Well, in my case the following step was not necessary. Actually, it disallowed repeated connections from the Windows XP (SP3) computer without unassigning and reassigning the policy (see the last step). A review of this article would be appreciated.
- Go to Start -> Run, type mmc;
- In the console, select Add/Remove Snap-in and add the IP Security Policy Management snap-in;
- Select IP Security Policies, and proceed to Action, open Create IP Security Policy;
- Follow wizard instructions, unset Activate the default response rule and set Edit Properties;
- Click on Add and proceed to answer wizard questions;
- Select The rule does not specify a tunnel;
- Select LAN;
- Select Use this string to protect the key exchange, enter the same preshared key as configured on RouterOS;
- Create a new IP Filter List, where the source should be My computer and the destination the IP address of the RouterOS; proceed with Next;
- Select Require security; you may leave the settings at their defaults [remember we configured hash-algorithm=sha1 and enc-algorithm=3des on RouterOS];
- Restart the IPSec Policy Agent in Windows services;
- Right-click on the newly created policy and select Assign.
L2TP without IPsec (registry change)
To run plain L2TP without IPsec, as mentioned in the overview, change the following registry entry on the Windows computer:
- Start regedit.exe;
- Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters;
- Add a new DWORD value named ProhibitIpSec;
- Set its value to 1;
- Restart the PC.
If you observe problems using Windows 7, you might check the firewall advanced settings (Control Panel / Network and Sharing Center / Windows Firewall / Advanced settings / Actions (right pane) / Properties / IPsec settings).
Check Connectivity
- The Windows computer should establish the link successfully for the new connection; the Virtual Private Network Connection is now connected.
- MikroTik RouterOS should list the L2TP tunnel:
/ppp active> print
Flags: R - radius
 #   NAME     SERVICE  CALLER-ID    ADDRESS  UPTIME  ENCODING
 0   monitor  l2tp     192.168.1.1  5.5.5.6  40s     MPPE128 stateless
- IPsec should show an installed SA:
/ip ipsec installed-sa print