Saturday, August 19, 2017

Mikrotik RouterOS 6.40.1 (stable) L2TP/IPSEC VPN with iPhone/iPad iOS 10 and/or Mac OS X 10.12.6+

This is a very brief guide explaining how to make this 'just work' so that your Apple iPad/iPhone devices can reach your Mikrotik router via an L2TP/IPsec VPN.  There are 7 distinct steps required inside the Mikrotik, basically three steps on OSX, and only 3 on an iPhone/iPad as well.  This configuration will also work with Android 6.0.1.  We'll start with the Mikrotik:


--------------------
Step 1: define the VPN IP pool by clicking on IP -> Pool -> Pools -> Add New

Enter the name of your pool: ipsec
Enter the Addresses of your pool: 10.0.10.2-10.0.10.99 (ensure this does not overlap with another network attached to the Mikrotik!)
Next Pool: none


Click on Apply, then OK.  Your new VPN pool should now be shown in the list.
--------------------
Step 2: create a new ppp profile by clicking on PPP -> Profiles -> Add New

Name: ipsec
Local Address: 10.0.10.1 (ensure this is in the same subnet as what you've defined above)
Remote Address: ipsec (the name of the pool you defined above)
DNS Server: 10.0.10.1 (the same address as your local address)
Change TCP MSS: yes
Use UPnP: default
Use MPLS: default
Use Compression: default
Use Encryption: yes
Only One: default


Click on Apply, then OK.  Your new profile should now be shown in the list.
--------------------
Step 3: create a new user by clicking on PPP -> Secrets -> Add New

Enabled: Yes
Name: johnsmith
Password: smitty1234
Service: l2tp
Profile: ipsec (the name of the profile you defined above)


Click on Apply, then OK.  Your new username should now be shown in the list. Repeat as necessary for additional users.
--------------------
Step 4: enable the L2TP server by clicking on PPP -> L2TP Server

Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: ipsec (the name of the profile you defined above)
Authentication: mschap2 (all others disabled)
Use IPsec: yes
IPsec Secret: homeipsecsecret
Caller ID Type: ip address
One Session Per Host:
Allow Fast Path:


Click on Apply, then OK.
--------------------
Step 5: modify the default IPsec proposal by clicking on IP -> IPsec -> Proposals -> Default

Enabled: Yes
Name: l2tp-ipsec
Auth. Algorithms: sha1
Encr. Algorithms: aes-256-cbc
PFS Group: modp1024


--------------------
Step 6: create a new IPsec peer entry by clicking on IP -> IPsec -> Peers -> Add New

Enabled: Yes
Address: 0.0.0.0/0
Auth. Method: pre shared key
Exchange Mode: main l2tp
Passive: No
Secret: homeipsecsecret (same as defined under PPP -> L2TP Server)
Policy Template Group: default
Send Initial Contact: Yes
NAT Traversal: Yes
My ID Type: auto
Generate Policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 2s
DPD Maximum Failures: 5
Proposal Check: obey
Compatibility Options: skip peer id validation
Hash Algorithm: sha256
Encryption Algorithm: aes-256
DH Group: modp1024


--------------------
Step 7: enter the required firewall rules by clicking on IP -> Firewall -> Add New

Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-ah

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-esp

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 500


Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 1701

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 4500


You should have five firewall rules added once completed.
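For readers who configure RouterOS from the terminal (WinBox's New Terminal, SSH, or a .rsc import) rather than by clicking through WinBox, here is the same seven-step configuration as CLI commands. This is an added example, not part of the original post; it uses the same values as the steps above (the 10.0.10.x pool, the ipsec profile, the johnsmith user and the homeipsecsecret pre-shared key) and assumes ether1 is the WAN interface. Two points are my own reading of the GUI rather than something the post states: `compatibility-options=skip-peer-id-validation` is the CLI form of the WinBox "Compatibility Options" field as I know it, and the built-in proposal is edited in place under its existing name rather than renamed to l2tp-ipsec.

```routeros
# Added example: RouterOS 6.40 terminal equivalent of steps 1-7 above.
# Values (pool, addresses, user, password, PSK) are the ones used in the post;
# substitute your own password and pre-shared key before importing.

# Step 1: VPN address pool (must not overlap any network already on the router)
/ip pool add name=ipsec ranges=10.0.10.2-10.0.10.99

# Step 2: PPP profile; local-address and dns-server are the router's end of the pool subnet
/ppp profile add name=ipsec local-address=10.0.10.1 remote-address=ipsec \
    dns-server=10.0.10.1 change-tcp-mss=yes use-encryption=yes

# Step 3: one secret per VPN user, bound to the profile (repeat per user)
/ppp secret add name=johnsmith password=smitty1234 service=l2tp profile=ipsec

# Step 4: L2TP server with IPsec and MS-CHAPv2 as the only authentication method
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    keepalive-timeout=30 default-profile=ipsec authentication=mschap2 \
    use-ipsec=yes ipsec-secret=homeipsecsecret caller-id-type=ip-address

# Step 5: phase-2 proposal (the post edits the built-in default entry in WinBox)
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc pfs-group=modp1024

# Step 6: phase-1 peer accepting any source address (road-warrior clients);
# the secret must match ipsec-secret in step 4
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key exchange-mode=main-l2tp \
    passive=no secret=homeipsecsecret policy-template-group=default \
    send-initial-contact=yes nat-traversal=yes my-id=auto generate-policy=port-override \
    lifetime=1d dpd-interval=2s dpd-maximum-failures=5 proposal-check=obey \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024 \
    compatibility-options=skip-peer-id-validation

# Step 7: five input-chain accept rules on the WAN interface (ether1 here)
/ip firewall filter
add chain=input action=accept in-interface=ether1 connection-state=new \
    protocol=ipsec-ah comment="L2TP/IPsec: AH"
add chain=input action=accept in-interface=ether1 connection-state=new \
    protocol=ipsec-esp comment="L2TP/IPsec: ESP"
add chain=input action=accept in-interface=ether1 connection-state=new \
    protocol=udp dst-port=500 comment="L2TP/IPsec: IKE"
add chain=input action=accept in-interface=ether1 connection-state=new \
    protocol=udp dst-port=1701 comment="L2TP/IPsec: L2TP"
add chain=input action=accept in-interface=ether1 connection-state=new \
    protocol=udp dst-port=4500 comment="L2TP/IPsec: NAT-T"

# Check: the five rules and the peer should now be listed
/ip firewall filter print where chain=input
/ip ipsec peer print
```

One thing to check after pasting: `add` appends each firewall rule at the bottom of the chain, so if your input chain already ends in a drop rule, the five accept rules land below it and are never reached; move them above the drop with `/ip firewall filter move`. Once a client has connected, `/ip ipsec installed-sa print` should show the ESP security associations and `/ppp active print` the L2TP session for the user, which is the quickest way to tell a phase-1/phase-2 failure (nothing in installed-sa) apart from a PPP authentication failure (SAs present, no active PPP session).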
--------------------
Now open System Preferences -> Network on your Mac and click on the '+' symbol.  If it is grayed out, click on the lock and enter your administrator password.

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: VPN (Home Router)

Click "+"

Configuration: Default
Server Address: (your router WAN address or DNS)
Account Name: johnsmith

Click Authentication Settings...
User Password: smitty1234

Machine Authentication:
Shared Secret: homeipsecsecret
Group Name: (blank)

Click OK.

Click Advanced, then under Session Options, check the following:
Disconnect when switching user accounts
Disconnect when user logs out
Send all traffic over VPN connection (provides a 0.0.0.0/0 route via the VPN!)

Click OK. Click Connect.

Enjoy!

2 comments:

  1. Works a treat. Many thanks.

  2. With the popularity of iOS devices comes the threat of hacking. FastestVPN is the best iOS VPN that encodes all your personal and financial data, securing it from intruders.
