The MikroTik must have a public (real) internet IP address on one of its interfaces. If it sits behind NAT, the modem that provides internet access must be able to forward IPsec-ESP packets to it. If your MikroTik is behind an internet modem that does not forward IPsec-ESP, stop here: the setup below will not work.
Your Android smartphone must run Android 4 or newer in order to support L2TP/IPsec. The Android client supports the following:
Authentication algorithm : sha1
Encryption algorithm : 3des
Diffie-Hellman : Group2 (modp1024)
Let's start by creating a PPP profile on the MikroTik.
ppp profile add name=ipsec_vpn local-address=192.168.2.1 dns-server=8.8.8.8
On local-address= we assign the IP address that will appear as the default gateway for the VPN clients. A good hint is to pick a network that is not already in use. Then we have to enable the L2TP server of the MikroTik and bind it to the PPP profile.
interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
Once the L2TP server is enabled, we have to define the IPsec peer and also the default IPsec policy. WARNING: on newer RouterOS versions, generate-policy=yes is no longer supported. In that case use generate-policy=port-override instead.
Older :
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=yes
Newer :
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=port-override
On secret= you define the pre-shared key, which must match the pre-shared key configured on the client (the Android phone). After defining the peer, we must adjust the default IPsec proposal.
ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
To complete the configuration, we need to add a user.
ppp secret add name=user password=pass service=l2tp profile=ipsec_vpn remote-address=192.168.2.2
On name= we define the user name and on password= the user's password. On remote-address= we define the IP address that will be assigned to the client.
Next steps:
If our MikroTik has a public internet IP on an interface and we have firewalling enabled, we must allow inbound UDP ports 500, 1701 and 4500, plus IP protocol 50 (ipsec-esp).
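The firewall rules for the ports listed above, as an added example that is not part of the original guide. It assumes ether1 is the interface holding the public IP and that the input chain ends with a single drop rule (both are assumptions, adjust to your setup); the ipsec-policy matcher makes the router accept L2TP only when it arrives inside the IPsec tunnel, so plaintext L2TP from the internet is refused.

```routeros
# Added example, not from the original guide.
# Assumptions: ether1 = public-facing interface (placeholder),
#              exactly one final drop rule in the input chain.
/ip firewall filter

# IKE (phase 1) on UDP/500 and NAT-Traversal on UDP/4500
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface=ether1 comment="L2TP/IPsec: IKE and NAT-T" \
    place-before=[find chain=input action=drop]

# ESP itself (IP protocol 50); used when the client is not behind NAT
add chain=input action=accept protocol=ipsec-esp \
    in-interface=ether1 comment="L2TP/IPsec: ESP" \
    place-before=[find chain=input action=drop]

# L2TP (UDP/1701) only if the packet was decrypted from an IPsec policy,
# so unencrypted L2TP reaching the public interface is dropped by the final rule
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec in-interface=ether1 \
    comment="L2TP/IPsec: L2TP inside IPsec only" \
    place-before=[find chain=input action=drop]
```

Verify with /ip firewall filter print where the three accept rules must appear above the drop rule; the L2TP counter should only increase after an ISAKMP-SA is logged as established.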
For the Android client, we must set the following:
Name : Home VPN
Type : L2TP/IPSec PSK
Server address : the public IP address of the MikroTik
IPSec pre-shared key : the value that you set as secret=
Good luck.
Good manual, thanks for that. Can you please help, why when I run packet sniffer, I see only UDP packets, not ipsec? I have another ipsec site to site connection on the same mikrotik, on site2site I see ipsec. Are there any ideas?
On the command
set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
I get “syntax error (line 1 column 5)” and the “d” in default is highlighted. As I can see, there’s no such command. Version 6.41
The command was ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024. I just made the corrections needed on the guide
I did all that and in the log I have:
dec/05 00:36:46 ipsec,info respond new phase 1 (Identity Protection): 95.140.124.223[500]192.168.28.116[500]
dec/05 00:36:47 ipsec,info ISAKMP-SA established 95.140.124.223[500]-192.168.28.116[500] spi:a1d96c2fe8700d38:4417360f28e8ed27
dec/05 00:36:48 l2tp,info first L2TP UDP packet received from 192.168.28.116
and after that… nothing. Phone just says unsuccessful.
Which mikrotik version are you using ??? Is there any logging for phase 2 ?
My setup is freezing in the same state.
But there are 2 additional errors:
192.167.90.132 (my remote ip) failed to pre-process ph2 packet
192.167.90.13 peer sent packet for dead phase2
I use 6.39.3
There might be a bug in IPsec. It was reported in the past in versions 6.38.5 and 6.39.3. I will need some time to make some tests. But you can try downgrading to 6.37.
Ok I have made some changes on the guide. I have tested it with version 6.41.1.
Please apply the following commands and let me know the outcome:
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
Don't forget to change the secret field in the following command. This field must match the pre-shared key (PSK) on your client device.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=123456 exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 generate-policy=port-override
Thanks, it works and is easy to follow.
Thank you for your comment Azma