In this post I will help you set up a VPN connection from a Mac or iOS device to a Mikrotik router, which according to all the posts on the Internet should be fairly easy, but in real life will waste about 2 hours of your life if you are anything like me.
So here is the topology I am using
So here are some of the details that apply to my setup:
Ether1 is connected to the Internet and uses DHCP
The IP address of the Mikrotik is 172.26.0.1/24
So first things first, we need to create the configuration. I use telnet because that is how you are supposed to manage networking stuff.
First we need to enable the L2TP server:
/interface l2tp-server server set enabled=yes
Then we have to update the IPsec proposal:
/ip ipsec proposal set default enc-algorithms=3des auth-algorithms=sha1 disabled=no lifetime=30m pfs-group=modp1024
Then we add a peer entry:
/ip ipsec peer add address=0.0.0.0/0 \
    auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2 dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp \
    generate-policy=port-override hash-algorithm=sha1 \
    lifetime=1d nat-traversal=yes port=500 \
    secret=XXXXX send-initial-contact=yes
Make sure you replace the secret (pre-shared key), but that should be obvious.
Then we need to add the PPP secret for the client (the end user):
/ppp secret add name=user password=12345 \
    profile=default-encryption local-address=[local address] \
    remote-address=[remote address] service=l2tp
For the local address choose an address in your LAN range; for me that would be 172.26.0.200, and for the remote address 172.26.0.201.
Now all you have to do is set up your client and connect.
So this is basically straightforward, so why did I start off by saying it took me hours? Well, as soon as you connect you notice that you cannot reach anything on your local network, which defeats the point of having a VPN. The solution to this problem is to enable proxy ARP on the LAN-side interface.
Now if you have a Mikrotik router that has a connection to an external switch, then you need to do the following:
/interface ethernet set 0 arp=proxy-arp
Replace 0 with whatever port number you have connected to your external switch.
If you have a Mikrotik with an embedded switch, like the RB2011UiAS-2HnD-IN, then you need to update your bridge as follows:
/interface bridge set 0 arp=proxy-arp
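To check a router configuration against the steps above (L2TP server enabled, proxy ARP on the LAN bridge or port, PPP addresses inside the LAN range, and the 3DES/SHA1/modp1024 proposal flagged as weak by current standards), here is an added Python checker that is not part of the original post; the sample config it parses is constructed from the commands above, and the `check_l2tp_setup` and `parse_config` names are my own.

```python
import ipaddress
# Constructed sample (not a real router export): this post's commands with the
# "\" continuations joined and the placeholder PPP addresses filled in.
SAMPLE_CONFIG = """
/interface l2tp-server server set enabled=yes
/ip ipsec proposal set default enc-algorithms=3des auth-algorithms=sha1 disabled=no lifetime=30m pfs-group=modp1024
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes secret=XXXXX
/ppp secret add name=user password=12345 profile=default-encryption local-address=172.26.0.200 remote-address=172.26.0.201 service=l2tp
/interface bridge set 0 arp=proxy-arp
"""
# Proposal values that are weak by current standards (DES/3DES, MD5/SHA1, DH <= 1024 bits).
WEAK = {"enc-algorithms": {"des", "3des"}, "auth-algorithms": {"md5", "sha1"},
        "pfs-group": {"modp768", "modp1024"}}
def parse_config(text):
    """Turn 'path set|add [target] k=v ...' lines into (path, {k: v}) pairs."""
    cmds = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("/"):
            continue
        verb = next((i for i, t in enumerate(tokens) if t in ("set", "add")), None)
        if verb is None:
            continue
        params = dict(t.split("=", 1) for t in tokens[verb + 1:] if "=" in t)
        cmds.append((" ".join(tokens[:verb]), params))
    return cmds
def check_l2tp_setup(text, lan_net="172.26.0.0/24"):
    """Return findings against the post's checklist; an empty list means all clear."""
    lan, by_path, findings = ipaddress.ip_network(lan_net), {}, []
    for path, params in parse_config(text):
        by_path.setdefault(path, []).append(params)
    if not any(p.get("enabled") == "yes" for p in by_path.get("/interface l2tp-server server", [])):
        findings.append("l2tp server is not enabled")
    lan_ifaces = by_path.get("/interface bridge", []) + by_path.get("/interface ethernet", [])
    if not any(p.get("arp") == "proxy-arp" for p in lan_ifaces):
        findings.append("no proxy-arp on the LAN bridge/ethernet port: VPN clients will not reach the LAN")
    for p in by_path.get("/ppp secret", []):
        for key in ("local-address", "remote-address"):
            try:
                in_lan = ipaddress.ip_address(p.get(key, "")) in lan
            except ValueError:  # placeholder such as [local address] left in place
                in_lan = False
            if not in_lan:
                findings.append(f"ppp secret {p.get('name')}: {key}={p.get(key)} is not in {lan_net}")
    for p in by_path.get("/ip ipsec proposal", []):
        for key, weak in WEAK.items():
            if p.get(key) in weak:
                findings.append(f"weak ipsec proposal {key}={p[key]}")
    return findings
```

Run `check_l2tp_setup(open("export.rsc").read())` on a real `/export` after joining its continuation lines; the only findings on the sample are the three weak proposal values.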
This should take care of everything. Enjoy!
Awesome article, exactly what I was looking for as I currently use the Win 2012 R2 as my VPN terminator but will look to move to the Mikrotik. I’ve also got a few blog articles relating to my experiences with the router:
http://www.m80arm.co.uk/search/label/RouterBOARD%20RB751G
I might ask you for some help once I get access to vCHS to configure a VPN between my homelab and the vCHS virtual private cloud if you don’t mind?
Thanks
Michael
Thanx!!! Glad it helped. Advice to all that read this: do not try and set up a VPN when you are in a hotel 1400 km away from your router *lol*
Give me a shout when you have the VPN to vCHS running or need help.
Followed your instructions, but the VPN from an iPhone (L2TP) failed to establish.
On the iPhone it says the server did not reply, while in the Mikrotik logs no specific issue is mentioned… any hint about how to troubleshoot this?
Thanks
Got it sorta working. but need a helping hand:
internet –> router NATting 500/4500/1701 to external MTik interface –> external net –> mikrotik –> internal net.
Now, if I connect my Mac or iPhone set up for L2TP to the external net and point it at the external-net IP of the Mikrotik, everything works.
If I come from internet via the router NATting, it does not complete VPN negotiation… what am I doing wrong?
And how to increase verbosity of logs?
Thanks in advance!