Use a MAC/IOS to VPN to a Mikrotik router

In this post I will help you setup a VPN connection from a MAC or IOS device to a Mikrotik router which according to all posts on the Internet should be fairly easy, but in real life will waste about 2 hours of your life if you are anyone like me.

So here is the topology I am using

vpn layout

 

So here are some of the details that apply to my setup
Ether1 is connected to the Internet and uses DHCP
The Ip number of the Mikrotik is 172.26.0.1/24

So first things first, we need to create the configuration, I use telnet cos that is how you are suppose to manage networking stuff

First we need to enable the l2tp server

/interface l2tp-server server set enabled=yes

Then we have to update the proposal

/ip ipsec proposal set default enc-algorithms=3des auth-algorithms=sha1 disabled=no lifetime=30m pfs-group=modp1024

Then we add a peer entry

/ip ipsec peer add address=0.0.0.0/0 \ 
auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2 dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main-l2tp \
generate-policy=port-override hash-algorithm=sha1 \
lifetime=1d nat-traversal=yes port=500 \
secret=XXXXX send-initial-contact=yes

Make sure you update the secret key, but that should be logical
Then we need to add the PPP client (end user)

/ppp secret add name=user password=12345 \
profile=default-encryption local-address=[local address] \
remote-address=[remote address] service=l2tp

So for a local address choose an address in your range for me that would be 172.26.0.200 and for the remote 172.26.0.201.

Now all you have to do is setup your Client, and connect.

So this is basically straight forward so why did I start off by saying it took me hours, we as soon as you connect you notice that you cannot reach anything on your local network! thing defeats the point of having a VPN.  The solution to this problem is to enable proxy arp.

Now if you have a Mirkrotik router that a connection to an external switch then you need to do the following:

/interface ethernet set 0 arp=proxy-arp

Replacing 0 with what ever port number you have connected to your external switch

if you have a Mikrotik with an embedded switch like the RB2011UiAS-2HnD-IN then you need to update your bridge as follows:

/interface bridge set 0 arp=proxy-arp

This should take care of everything, Enjoy!

4 thoughts on “Use a MAC/IOS to VPN to a Mikrotik router

  1. geordy Post author

    Thanx!!! Glad it helped. Advice to all that read this, do not try and setup a VPN when you are in a hotel 1400 KM away from your router *lol*

    Give me a shout when you have the VPN to vCHS running or need help.

  2. RoarinPenguin

    Followed your instruction but VPN from iPhone (L2TP) failed to establish.
    On iPhone it says server did non reply, while on Mikrotik Logs no specific issue is mentioned… any hint about how to troubleshoot this?
    Thanks

  3. RoarinPenguin

    Got it sorta working. but need a helping hand:
    internet –> router NATting 500/4500/1701 to external MTik interface –> external net –> mikrotik –> internal net.
    Now, if I connect my Mac or iPhone setup in L2TP to external NET and point to external net IP of Mikrotik, everything works.
    If I come from internet via the router NATting, it does not complete VPN negotiation… what am I doing wrong?
    And how to increase verbosity of logs?
    Thanks in advance!

Leave a Reply

Your email address will not be published. Required fields are marked *