Saturday, August 19, 2017

Mikrotik RouterOS 6.40.1 (stable) L2TP/IPSEC VPN with iPhone/iPad IOS 10 and/or Mac OS X 10.12.6+

This is a very brief guide explaining how to make this 'just work' so that your Apple iPad/iPhone devices can reach your Mikrotik router via a L2TP/IPSEC VPN.  There are 7 distinct steps required inside the Mikrotik, and basically three steps on OSX and only 3 as well on an iPhone/iPad.  This configuration will also work with Android 6.0.1.  We'll start with the Mikrotik:


--------------------
Step 1: define the VPN IP pool by clicking on IP -> Pool -> Pools -> Add New

Enter the name of your pool: ipsec
Enter the Addresses of your pool: 10.0.10.2-10.0.10.99 (ensure this does not overlap with another network attached to the mikrotik!)
Next Pool: none


Click on Apply, then OK.  Your new VPN pool should now be shown in the list.
--------------------
Step 2: create a new ppp profile by clicking on PPP -> Profiles -> Add New

Name: ipsec
Local Address: 10.0.10.1 (ensure this is in the same subnet as what you've defined above)
Remote Address: ipsec (the name of the pool you defined above)
DNS Server: 10.0.10.1 (the same address as your local address)
Change TCP MSS: yes
Use UPnP: default
Use MPLS: default
Use Compression: default
Use Encryption: yes
Only One: default


Click on Apply, then OK.  Your new profile should now be shown in the list.
--------------------
Step 3: create a new user by clicking on PPP -> Secrets -> Add New

Enabled: Yes
Name: johnsmith
Password: smitty1234
Service: l2tp
Profile: ipsec (the name of the profile you defined above)


Click on Apply, then OK.  Your new username should now be shown in the list. Repeat as necessary for additional users.
--------------------
Step 4: enable the L2TP server by clicking on PPP -> L2TP Server

Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: ipsec (the name of the profile you defined above)
Authentication: mschap2 (all others disabled)
Use IPsec: yes
IPsec Secret: homeipsecsecret
Caller ID Type: ip address
One Session Per Host:
Allow Fast Path:


Click on Apply, then OK.
--------------------
Step 5: modify the default IPsec proposal by clicking on IP -> IPsec -> Proposals -> Default

Enabled: Yes
Name: l2tp-ipsec
Auth. Algorithms: sha1
Encr. Algorithms: aes-256-cbc
PFS Group: modp1024


--------------------
Step 6: create a new IPsec peer entry by clicking on IP -> IPsec -> Peers -> Add New

Enabled: Yes
Address: 0.0.0.0/0
Auth. Method: pre shared key
Exchange Mode: main l2tp
Passive: No
Secret: homeipsecsecret (same as defined under PPP -> L2TP Server)
Policy Template Group: default
Send Initial Contact: Yes
NAT Traversal: Yes
My ID Type: auto
Generate Policy: port override
Lifetype: 1d 00:00:00
DPD Interval: 2s
DPD Maximum Failures: 5
Proposal Check: obey
Compatibility Options: skip peer id validation
Hash Algorithm: sha256
Encryption Algorithm: aes-256
DH Group: modp1024


--------------------
Step 7: enter the required firewall rules by clicking on IP -> Firewall -> Add New

Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-ah

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-esp

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 500


Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 1701

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 4500


You should have five firewall rules added once completed.
--------------------
Now go to your Mac System Preferences -> Network -> and click on the '+' symbol.  If it is grayed out, click on the clock and enter your administrator password.

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: VPN (Home Router)

Click "+"

Configuration: Default
Server Address: (your router WAN address or DNS)
Account Name: johnsmith

Click Authentication Settings...

Click Authentication Settings:
User Password: smitty1234

Machine Authentication:
Shared Secret: homeipsecsecret
Group Name: (blank)

Click OK.

Click Advanced, then under Session Options, check the following:
Disconnect when switching user accounts
Disconnect when user logs out
Send all traffic over VPN connection (provides a 0.0.0.0/0 route via the VPN!)

Click OK. Click Connect.

Enjoy!

No comments:

Post a Comment