The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


some notes on L2TP IPSEC on Mikrotik

Posted by jpluimers on 2017/09/01

For debugging purposes:

/log print where buffer=memory && (message~"l2tp" || message~"L2TP")

This will result in an answer like this:

13:43:59 l2tp,info first L2TP UDP packet received from 93.184.216.34
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in, 192.168.73.239
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connecteda

Some links for when you cannot get connections to work:

Before digging deeper, enable IPsec logging and check the output of commands like these:

/system logging add topics=ipsec

/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print

It will give you answers like these (note that Mac OS X 10.9.5 won’t connect with the Camellia encryption algorithms and won’t do better hashing than sha1):

> /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 pfs-modp1024


> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5


> /ip ipsec remote-peers print
0 local-address=37.153.243.243 port=4500 remote-address=93.184.216.34 port=15390 state=established side=responder established=22m16s

> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address=93.184.216.34:15390 dst-address=37.153.243.243:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128

1 E spi=0xE0A95C3 src-address=37.153.243.243:4500 dst-address=93.184.216.34:15390 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128

In order to switch away from default as Policy Template Group, you will have to:

  1. add a new IPSec group (in /ip ipsec policy group)
  2. add a new IPSec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group.
  3. add a new IPSec policy (in /ip ipsec policy) with (under General) the same group name as the policy group *and* (under Action) the same proposal name as the proposal.
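The three steps above as RouterOS v6 terminal commands, added here as an example that is not part of the original post: the group and proposal name "pfs-modp2048" is a hypothetical one chosen the way the post names its own group after its PFS group, and the peer is assumed to be the main-l2tp peer shown in the output above.

```routeros
# Added example, not from the original post. Names and the stronger
# algorithms (sha256, aes-256-cbc, modp2048) are assumptions; the post's
# own setup uses sha1/aes-128-cbc/modp1024.

# 1. new policy template group
/ip ipsec policy group add name=pfs-modp2048

# 2. new proposal; its name matches the group and its pfs-group gives the name
/ip ipsec proposal add name=pfs-modp2048 auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# 3. new template policy tying the group (General) to the proposal (Action)
/ip ipsec policy add template=yes group=pfs-modp2048 proposal=pfs-modp2048 \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

# Point the L2TP peer at the new group and raise its phase-1 settings to match.
# As the post notes, an old client such as OS X 10.9.5 stops at sha1/modp1024,
# so test every client type before dropping the weaker settings from the peer.
/ip ipsec peer set [find exchange-mode=main-l2tp] \
    policy-template-group=pfs-modp2048 hash-algorithm=sha256 dh-group=modp2048

# Verify that the group, proposal and template policy are in place
/ip ipsec policy group print
/ip ipsec proposal print
/ip ipsec policy print where template=yes
```

After the next client connects, /ip ipsec installed-sa print should show the new auth and enc algorithms instead of sha1/aes-cbc.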

Some links on hardening IPSEC with the DH algorithm:

Miscellaneous links:

–jeroen
