L2TP Site to Site between PFsense and Mikrotik

    General pfSense Questions
    13 Posts 2 Posters 2.3k Views
    felipefonsecabh

      Hi!
      I'm trying to set up a site-to-site VPN using L2TP between pfSense and MikroTik. My network topology is:

      2021-11-22_13-20-39.png

      I'm trying L2TP because I couldn't set up an IPsec tunnel. So I'm trying to use L2TP without IPsec.

      I configured an L2TP server in pfSense and an L2TP user, and created firewall rules to allow the traffic and port 1701.

      On the MikroTik I created the L2TP dial-up client, but it doesn't work. I checked on the pfSense firewall and there are packets between the two endpoints:

      2021-11-22_13-25-54.png

      Below is the configuration on both sides:
      pfSense:
      2021-11-22_13-36-29.png

      MikroTik:
      2021-11-22_13-36-38.png

      Any ideas? Thanks a lot!

      stephenw10 Netgate Administrator

        Use IPsec. L2TP without it is unencrypted, you realise?

        But, really, forget that and just solve the issues with IPsec. How was that failing?

        Steve

        felipefonsecabh @stephenw10

          @stephenw10 well, when I tried to use IPsec, this error appears on the MikroTik side:
          "error got critical error: AUTHENTICATION_FAILED".

          The ISP has already created the rules for redirecting ports 500 and 4500 to my IP, but the above error keeps happening.

          stephenw10 Netgate Administrator

            No errors on the pfSense side? Does it try to establish both ways?

            That error looks like a pretty basic mismatch though. Can you show us the settings used at each end that generated it?

            Steve

            felipefonsecabh @stephenw10

              @stephenw10
              pfSense config:
              2021-11-22_15-10-56.png

              MikroTik config:
              2021-11-22_15-10-39.png

              pfSense log:
              2021-11-22_15-07-44.png

              MikroTik log:
              2021-11-22_15-11-44.png

              The authentication method is Mutual PSK and I've already checked all the settings; apparently everything is correct.

              stephenw10 Netgate Administrator @felipefonsecabh

                Ok, the pfSense log shows the MikroTik is using the wrong hash value at P1 when it's initiating, for some reason. The settings look correct on it though, so maybe something is not applied?

                You can see it's proposing SHA1. pfSense rejects it because it's set to SHA256.

                The other thing that could be an issue is the identifier. You said you had the ISP forward ports to you? Does that mean you are behind NAT? If so, the identifier in pfSense would have to be set to match the external IP. We can't see that in the above screenshot.

                Steve

                felipefonsecabh @stephenw10

                  @stephenw10 yes, the MikroTik is behind NAT (in the first post there is an image with the network topology, rsrs).

                  Basically this is the origin of everything (the existence of NAT). I need to be able to implement this VPN with this NAT enabled; the provider cannot give me a fixed IP.

                  felipefonsecabh @felipefonsecabh

                    @felipefonsecabh I tried changing the encryption and hash algorithms in pfSense to SHA1 and 3DES (to test the functioning), and the error changes:

                    2021-11-22_22-08-16.png

                    stephenw10 Netgate Administrator

                      Aha, OK, now the proposal matches but the identifier is mismatched. The MikroTik is sending its internal private IP as the identifier [192.168.188.10] and pfSense is expecting the external public IP.
                      You can change that so it matches at either end, but I've no idea how to do it in RouterOS. So edit the Phase 1 config in pfSense and change the 'Peer Identifier' from 'Peer IP Address' to 'IP Address', then set it to 192.168.188.10.

                      It will then match when the Mikrotik tries to establish. There may be other errors after that 😉

                      Steve

                      felipefonsecabh @stephenw10
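The two phase 1 failures in this thread (the peer offering SHA1 while pfSense is set to SHA256, then the NATed peer identifying itself with its private address 192.168.188.10 instead of the public one pfSense expects) both show up as distinct charon messages in the pfSense IPsec log. The following added example, which is not code from this thread, Netgate or MikroTik, walks a set of such log lines and reports each failure with the slot or identifier that disagrees. The sample log lines, the addresses 203.0.113.5 and 198.51.100.7, and the exact charon wording are assumptions constructed for the example; only 192.168.188.10 comes from the thread.

```python
"""Triage IKE phase 1 failures from strongSwan (charon) log lines.

Added example for this thread; not a pfSense, Netgate or MikroTik tool.
The lines in SAMPLE_LOG are constructed to resemble charon's wording for the
two failures discussed (proposal mismatch, then identifier mismatch); the
wording and the public addresses are assumptions.
"""
import re
from dataclasses import dataclass

IP = r"\d+(?:\.\d+){3}"
PROPOSALS_RE = re.compile(r"\b(received|configured) proposals: (.+)$")
PSK_LOOKUP_RE = re.compile(
    rf"looking for pre-shared key peer configs matching "
    rf"(?P<local>{IP})\.\.\.(?P<remote>{IP})\[(?P<peer_id>[^\]]+)\]"
)
NO_PROPOSAL = "no proposal found"
NO_PEER_CONFIG = "no peer config found"


@dataclass
class Finding:
    kind: str      # proposal_mismatch | identifier_mismatch | peer_config_not_found
    detail: dict
    advice: str


def classify_tokens(tokens):
    """Sort one proposal's algorithms into slots by name prefix (not position,
    because AEAD proposals such as AES_GCM_16_256/PRF_.../ECP_256 have no
    separate integrity algorithm)."""
    slots = {}
    for tok in tokens:
        if tok.startswith("PRF_"):
            slots["prf"] = tok
        elif tok.startswith(("HMAC_", "AUTH_")):
            slots["integrity"] = tok
        elif tok.startswith(("MODP_", "ECP_", "CURVE_")):
            slots["dh_group"] = tok
        else:
            slots["encryption"] = tok
    return slots


def parse_proposals(text):
    """'IKE:A/B/C, IKE:D/E/F' -> one slot dict per proposal."""
    out = []
    for prop in text.split(","):
        prop = prop.strip().removeprefix("IKE:")
        if prop:
            out.append(classify_tokens(prop.split("/")))
    return out


def mismatched_slots(received, configured):
    """Slots in which nothing the peer offered is locally configured."""
    diff = {}
    for slot in ("encryption", "integrity", "prf", "dh_group"):
        got = {p[slot] for p in received if slot in p}
        want = {p[slot] for p in configured if slot in p}
        if got and want and got.isdisjoint(want):
            diff[slot] = {"received": sorted(got), "configured": sorted(want)}
    return diff


def triage(lines, expected_peer_id):
    """Walk the log in order; return one Finding per phase 1 failure seen."""
    findings, received, configured, last_lookup = [], [], [], None
    for line in lines:
        if m := PROPOSALS_RE.search(line):
            (received if m.group(1) == "received" else configured).extend(parse_proposals(m.group(2)))
        elif m := PSK_LOOKUP_RE.search(line):
            last_lookup = m.groupdict()
        elif NO_PROPOSAL in line and received and configured:
            findings.append(Finding("proposal_mismatch", mismatched_slots(received, configured),
                                    "Align the listed phase 1 slots on both ends."))
            received, configured = [], []
        elif NO_PEER_CONFIG in line and last_lookup:
            if last_lookup["peer_id"] != expected_peer_id:
                findings.append(Finding("identifier_mismatch", {**last_lookup, "expected": expected_peer_id},
                                        "Peer sent a different identifier (a NATed peer sends its private address); "
                                        "set the local Peer Identifier to that value or change what the peer sends."))
            else:
                findings.append(Finding("peer_config_not_found", dict(last_lookup),
                                        "Identifier matches; check remote gateway, IKE version and that the entry is applied."))
            last_lookup = None
    return findings


# Constructed sample (assumed charon wording). 203.0.113.5 = local pfSense WAN,
# 198.51.100.7 = NAT public address the peer arrives from, 192.168.188.10 = its private address.
SAMPLE_LOG = [
    "charon: 09[IKE] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "charon: 09[IKE] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
    "charon: 09[IKE] <1> no proposal found",
    "charon: 10[CFG] <2> looking for pre-shared key peer configs matching 203.0.113.5...198.51.100.7[192.168.188.10]",
    "charon: 10[CFG] <2> no peer config found",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_peer_id="198.51.100.7"):
        print(f.kind, f.detail, "->", f.advice)
```

Run against the sample with the expected identifier set to the public address, it reports the SHA1-versus-SHA256 (and 3DES-versus-AES) slots first and the private-address identifier second, which is the same order the thread hit them; with the expected identifier set to 192.168.188.10, the second finding becomes "peer_config_not_found", pointing at settings other than the identifier.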

                        @stephenw10 after changing "Peer Identifier" as you suggested, it works!
                        On the MikroTik, I had to disable passive:

                        2021-11-23_09-11-23.png

                        The strange thing is that the MikroTik does not send the proposal as configured, but it works! Thanks a lot!

                        felipefonsecabh @felipefonsecabh

                          @felipefonsecabh the connection was established, but devices between the sites don't ping. I created all the necessary firewall rules.

                          felipefonsecabh @felipefonsecabh

                            @felipefonsecabh I restarted my pfSense and everything works. Thanks a lot!

                            stephenw10 Netgate Administrator

                              Nice! Good result. Pure IPsec is waay better than trying to use L2TP over it.

                              Steve

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.