Mikrotik L2TP/IPsec VPN and android device as client

The Mikrotik should have a real (public) internet IP on one of its interfaces. If it is located behind NAT, the modem that provides internet access must be able to forward ipsec-esp packets. If your Mikrotik is behind an internet modem that does not forward ipsec-esp, then you should stop here.

Your Android smartphone must run version 4 or newer in order to support L2TP/IPsec. The Android client supports the following:

Authentication algorithm : sha1
Encryption algorithm : 3des
Diffie-Hellman : Group2 (modp1024)

Let’s start by creating a PPP Profile on mikrotik.

/ppp profile add name=ipsec_vpn local-address=192.168.2.1 dns-server=8.8.8.8

With local-address= we assign the IP address that will appear as the default gateway for the VPN clients. A good hint is to pick a network that is not already in use. Then we have to activate the L2TP server of the Mikrotik and bind it to the PPP profile.

/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2

Once the L2TP server is activated, we have to define the IPsec peer and also the default IPsec policy. WARNING: on newer RouterOS versions, generate-policy=yes is not supported. In that case just use generate-policy=port-override.

Older :

/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=yes

Newer :

/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=port-override

With secret= you define the pre-shared key, which must match the pre-shared key configured on the client (the Android phone). After we have defined the peer, we must make some changes to the default IPsec proposal.

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

To complete the configuration, we need to add a user.

/ppp secret add name=user password=pass service=l2tp profile=ipsec_vpn remote-address=192.168.2.2

With name= we define the user name and with password= the user's password. With remote-address= we define the IP address that will be assigned to the client.

Next steps :

If our Mikrotik has a real internet IP on an interface and we have enabled firewalling, we must allow UDP ports 500, 1701 and 4500 and protocol 50 (ipsec-esp).
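As an added example (not part of the original guide), these RouterOS commands accept the listed ports and protocol on the input chain and then show how to verify that a client actually completed both IPsec phases and the L2TP session; the WAN interface name ether1 is an assumption.

```routeros
# Added example, not from the original guide. Assumes the public-facing
# interface is ether1; replace it with your own WAN interface name.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,1701,4500 \
    action=accept comment="L2TP/IPsec: IKE (500), L2TP (1701), NAT-T (4500)"
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="L2TP/IPsec: ESP (protocol 50)"

# Filter rules are evaluated top-down, so these two must sit above any
# drop rule in the input chain. Check the order with:
/ip firewall filter print where chain=input

# After the phone connects, confirm each stage of the tunnel:
/ip ipsec remote-peers print     # phase 1: ISAKMP-SA with the client's address
/ip ipsec installed-sa print     # phase 2: ESP SAs (empty means phase 2 failed)
/ppp active print                # the L2TP user session with its remote-address
/log print where topics~"ipsec"  # phase 1/2 messages, e.g. "failed to pre-process ph2 packet"
```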

For the android client, we must set the following :

Name : Home VPN
Type : L2TP/IPSec PSK
Server address : real ip address of mikrotik
IPSec pre-shared key : the value that you set as secret=

Good luck.


10 thoughts on “Mikrotik L2TP/IPsec VPN and android device as client”

  1. Superstar

    Good manual, thanks for that. Can you please help: why, when I run the packet sniffer, do I see only UDP packets, not ipsec? I have another ipsec site-to-site connection on the same mikrotik, and on site2site I see ipsec. Are there any ideas?
  2. Krasimir Kazakov

    On the command

    set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

    I get “syntax error (line 1 column 5)” and the “d” in default is highlighted. As I can see, there’s no such command. Version 6.41

    1. wizzy Post author

      The command was ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024. I just made the corrections needed on the guide.
  3. DejanR

    I did all that and in the log I have:

    dec/05 00:36:46 ipsec,info respond new phase 1 (Identity Protection): 95.140.124.223[500]192.168.28.116[500]
    dec/05 00:36:47 ipsec,info ISAKMP-SA established 95.140.124.223[500]-192.168.28.116[500] spi:a1d96c2fe8700d38:4417360f28e8ed27
    dec/05 00:36:48 l2tp,info first L2TP UDP packet received from 192.168.28.116

    and after that… nothing. The phone just says unsuccessful.
    1. wizzy Post author

      Which mikrotik version are you using? Is there any logging for phase 2?
      1. Maciej

        My setup is freezing in the same state.
        But there are 2 additional errors:
        192.167.90.132 (my remote ip) failed to pre-process ph2 packet
        192.167.90.13 peer sent packet for dead phase2

        I use 6.39.3
        1. wizzy Post author

          There might be a bug in ipsec. It was reported in the past in versions 6.38.5 and 6.39.3. I will need some time to make some tests. But you can try downgrading to 6.37.
        2. wizzy Post author

          Ok I have made some changes on the guide. I have tested it with version 6.41.1.

          Please apply the following commands and let me know of the outcome :

          /ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes

          /ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

          Don’t forget to change the secret field in the following command. This field must match the pre-shared key (PSK) value on your client device.

          /ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=port-override
