Friday, November 09, 2018

L2TP/IPsec VPN with MikroTik

I recently discovered the VPN feature on my Android phone and thought, let me try this to set up a VPN with my home gateway, which is a MikroTik router.

I followed a few guides on the internet, but this just did not work. Android just gave me a short "does not work" message and that's it. So I dropped the ball again.

Now I am going to talk at a conference and I thought, I could set up the scenario on my BigBox at home instead of the Laptop. But how do I expose that? Well, perhaps I should use a VPN. So I googled "MikroTik macOS VPN" and found a few pages that also repeated what I had set up before. I tried again, no luck. Did some packet sniffing on the router. No luck.

And then I got a thought: what if my provider filters UDP port 500? Googled around, does not seem so. But it brought me to another idea:

MySetup

If you look at the above setup, you can see that my MikroTik is not directly connected to the internet, but there is a provider router in between. And this guy also has a firewall and is filtering out ports. In the past I had poked some holes into this (but have long since forgotten), but UDP port 500 and others needed for IPsec were not forwarded to the MikroTik.

Once I enabled forwarding of these ports, both VPN on macOS and Android started to work like a charm. :-)

One thing I still had to enable was proxy-arp as described in the above guide to be able to reach not only the router, but also my real target host on my LAN.

After getting the good setup, I played a bit with the configuration (and had not put it under version control), and everything failed with "no IKEv1 peer config for". The solution was that I had a local address in the /ip ipsec peer, and this meant that MikroTik would only allow connections to that specific IP, which failed.
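The three causes described in this post (missing port forwards on the provider router, no proxy-arp on the LAN interface, a peer bound to a local address) can be checked mechanically. The following is an added example, not configuration or code from this post: it audits the text of a RouterOS `/export`, and the sample export, the interface name `bridge-lan` and the assumption that UDP 500 and 4500 are the ports to forward are all constructed for illustration.

```python
import re
import shlex

# Constructed RouterOS 6.x "/export" fragment (not the author's config).
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge-lan
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
    local-address=192.168.88.1
"""

# Assumption: with NAT in front of the MikroTik, IKE (500) and NAT-T (4500)
# are the UDP ports the provider router has to forward.
REQUIRED_UDP = {500, 4500}


def parse_export(text):
    """Return [(menu, {key: value})] for each add/set line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join "\"-continued lines
    menu, items = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            tokens = shlex.split(line)[1:]
            items.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items


def audit(export_text, lan_interface, forwarded_udp):
    """List which of the misconfigurations from the post are present."""
    items = parse_export(export_text)
    findings = []
    for port in sorted(REQUIRED_UDP - set(forwarded_udp)):
        findings.append(f"upstream router does not forward udp/{port}")
    for menu, attrs in items:
        if menu == "/ip ipsec peer" and "local-address" in attrs:
            findings.append(f"ipsec peer bound to local-address={attrs['local-address']}")
    proxy_arp = any(
        menu.startswith("/interface")
        and lan_interface in (attrs.get("name"), attrs.get("default-name"))
        and attrs.get("arp") == "proxy-arp"
        for menu, attrs in items
    )
    if not proxy_arp:
        findings.append(f"{lan_interface} is not set to arp=proxy-arp")
    return findings
```

Calling `audit(SAMPLE_EXPORT, "bridge-lan", [500])` returns one finding per problem; an empty list means none of the three conditions was detected.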

Other good guides on the topic: