Hey folks,
I’m new to VPNs, and I’ve been trying for hours already to set up a simple L2TP/IPsec VPN. Since I’m testing in a home lab, my setup is like this: my main network is 192.168.50.0/24, and my MikroTik hEX has the address 192.168.50.102 on its WAN side. Locally, the hEX LAN is 192.168.88.0/24 and the router itself is 192.168.88.1.
On the Router I configured L2TP IPsec like this:
/interface l2tp-server server set use-ipsec=yes ipsec-secret=123456789 enabled=yes
/ppp secret add local-address=192.168.88.1 name=user1 password=user123456 profile=default-encryption remote-address=192.168.88.200 service=l2tp
Just for my understanding: local-address is the router’s interface address, and remote-address is just some IP from the 192.168.88.0/24 range?
After configuring the connection on Windows 11 I get: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
What am I doing wrong?
Best regards
On the MikroTik side, with reasonable encryption:
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm pfs-group=modp2048
/ip pool
add name=l2tp ranges=$yourprefix.2-$yourprefix.254
/ppp profile
set default dns-server=yourdnsserver interface-list=LAN local-address=$yourprefix.1 remote-address=l2tp
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required authentication=mschap2 ipsec-secret=$l2tp-psk
/ppp secret
# profile=default so the secret actually uses the pool, local-address and DNS configured above
# (a secret's profile overrides the server's default-profile)
add name=$someusername profile=default service=l2tp password=$whatever
/ip firewall filter
# these must sit above the default "drop all not coming from LAN" input rule to have any effect;
# UDP/1701 is the L2TP packet as it re-enters the input chain after IPsec decapsulation
add chain=input protocol=udp dst-port=500,1701,4500
add chain=input protocol=ipsec-esp
On the Windows side, in PowerShell, this configures a split-tunnel VPN connection, the credentials, routes, DNS suffix/search list and the encryption algorithms:
# placeholders; set these to your own values first
$vpnName = "name-of-vpn-connection"; $l2tpPsk = "your-l2tp-psk"; $vpnUser = "someusername"; $vpnPass = "whatever"; $dnsSuffix = "yourdnssuffix"
Install-Module -Name VPNCredentialsHelper   # community module that provides Set-VpnConnectionUsernamePassword
Add-VpnConnection -Name $vpnName -ServerAddress "public-ip-or-hostname-of-vpn-gateway" -RememberCredential -SplitTunneling -DnsSuffix $dnsSuffix -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -L2tpPsk $l2tpPsk
Set-VpnConnectionUsernamePassword -connectionname $vpnName -username $vpnUser -password $vpnPass -domain ''
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix "subnet-of-your-lan-on-other-side/24"
Set-VpnConnectionTriggerDnsConfiguration -ConnectionName $vpnName -DnsSuffixSearchList $dnsSuffix -PassThru -Force
# IKE phase 1 (AES256 / SHA256 / Group14 = modp2048) and ESP (AES256 / SHA256-128, PFS2048), matching the MikroTik profile and proposal above
Set-VpnConnectionIPsecConfiguration -ConnectionName $vpnName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -DHGroup Group14 -PassThru -Force
In all honesty, switch to WireGuard; it is 99.99% simpler.
L2TP does work; you have to change the settings on Windows: under the security settings, enable MS-CHAP and PAP.
Thanks for the comments. I got the VPN working. My problem was that the default Windows 11 VPN config didn’t match the configuration on the MikroTik. On the router I had messed up the firewall rules. But nothing a couple of hours of work couldn’t solve.
Just in short, how I got it working:
- IP => IPsec => Profiles => default: Hash Algorithm sha1; Encryption Algorithms aes-128, aes-192, aes-256; DH Group modp1024, modp2048.
- PPP => Interface => L2TP Server: enabled, Authentication only mschapv2, Use IPsec = yes, and the IPsec Secret set.
- PPP => Secret: Name user1, Password 123456, Service l2tp, Local Address = router local IP, Remote Address = 192.168.88.200. The Remote Address shouldn’t conflict with the DHCP range.
- IP => Firewall: add new rule => Chain = input, Protocol = UDP, Dst. Port = 500,1701,4500
- IP => Firewall: add new rule => Chain = input, Protocol = 50
On Windows 11, under VPN settings, create a new connection.
Change the connection name and server name to your liking.
VPN type = L2TP/IPsec with pre-shared key
Add the pre-shared key
User = user1
Password = 123456
Hit save.
After creation, open the advanced options and go to the last field to edit. Under security, change the protocol to Microsoft CHAP Version 2 and uncheck the rest.
Now the tunnel should work.
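Added example, not taken from any of the posts above: a RouterOS 7 fragment that combines the two approaches in this thread but keeps the stronger crypto from the earlier reply instead of adding sha1/modp1024 to the profile, makes IPsec mandatory (use-ipsec=required rather than yes, so a client cannot negotiate plain L2TP), and only lets UDP/1701 into the router when the packet was just decrypted from an IPsec SA. The IKE/ESP settings pair with the Set-VpnConnectionIPsecConfiguration line from the reply above (AES256 / SHA256 / Group14 / PFS2048 / SHA256128). It assumes the stock hEX default configuration: an input-chain drop rule commented "defconf: drop all not coming from LAN", an interface list named WAN, and an IP pool named dhcp; the PSK, user name and password are placeholders.

```routeros
# Added example; assumes the hEX default firewall ("defconf" rules), interface list WAN and IP pool "dhcp"
# IKE phase 1: AES-256 / SHA-256 / modp2048 (Windows: EncryptionMethod AES256, IntegrityCheckMethod SHA256, DHGroup Group14)
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
# ESP: AES-256 / SHA-256 with PFS modp2048 (Windows: CipherTransformConstants AES256, AuthenticationTransformConstants SHA256128, PfsGroup PFS2048)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-gcm auth-algorithms=sha256 pfs-group=modp2048

# keep the VPN client addresses out of the DHCP range, as noted in the thread
/ip pool
set [ find name=dhcp ] ranges=192.168.88.10-192.168.88.199
add name=l2tp-pool ranges=192.168.88.200-192.168.88.220
/ppp profile
set default-encryption local-address=192.168.88.1 remote-address=l2tp-pool dns-server=192.168.88.1

# "required" refuses any L2TP session that did not arrive inside IPsec; "yes" would still accept a cleartext one
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="replace-with-a-long-random-psk" authentication=mschap2 default-profile=default-encryption
/ppp secret
add name=user1 password="replace-me" service=l2tp profile=default-encryption

/ip firewall filter
# IKE and NAT-T from the WAN side, inserted above the defconf drop rule so they actually match
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN comment="L2TP/IPsec: IKE + NAT-T" place-before=[ find where chain=input && action=drop && comment~"^defconf: drop all not coming from LAN" ]
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN comment="L2TP/IPsec: ESP" place-before=[ find where chain=input && action=drop && comment~"^defconf: drop all not coming from LAN" ]
# L2TP itself only when it came out of an IPsec SA (the decapsulated packet re-enters the input chain)
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP/IPsec: L2TP after decapsulation" place-before=[ find where chain=input && action=drop && comment~"^defconf: drop all not coming from LAN" ]
# cleartext L2TP from the WAN is logged and dropped explicitly so failed/misconfigured clients show up in the log
add chain=input action=drop protocol=udp dst-port=1701 in-interface-list=WAN log=yes log-prefix="l2tp-cleartext" comment="L2TP/IPsec: refuse unencrypted L2TP" place-before=[ find where chain=input && action=drop && comment~"^defconf: drop all not coming from LAN" ]
```

Each add uses place-before against the same defconf drop rule, so the four rules end up in the order written, directly above it. Check with /ip firewall filter print where comment~"L2TP/IPsec" that they sit above the drop, and /log print where message~"l2tp-cleartext" lists any client that tried L2TP without IPsec. If your firewall is not the stock one, replace the find expression with the ID of your own input drop rule.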