Let's dive into setting up an L2TP/IPsec VPN on a MikroTik router using certificates for authentication. This method is more secure than using pre-shared keys and adds a layer of trust by verifying the identities of the client and server. If you're looking to bolster your network's security and ensure that only authorized users can connect, you've come to the right place. I'll guide you through each step, from generating the necessary certificates to configuring your MikroTik and client devices. So, let's get started and make your network rock-solid!

Understanding L2TP/IPsec with Certificates

Before we jump into the configuration, let's clarify what L2TP/IPsec is and why certificates are a fantastic choice for authentication. L2TP (Layer Two Tunneling Protocol) creates a VPN tunnel, while IPsec (Internet Protocol Security) provides the security by encrypting the data transmitted through that tunnel. Think of L2TP as the road, and IPsec as the armored car driving on it.

Using certificates enhances security by replacing the simpler (and potentially vulnerable) pre-shared keys. Certificates are digital documents that bind a public key to an identity, verified by a Certificate Authority (CA). When a client connects to the VPN, the server checks the client's certificate against the CA to ensure it's valid and trusted. This prevents unauthorized access, even if someone intercepts the pre-shared key. It's like having a VIP pass that's checked against a master list at the entrance of a club.

Certificates provide several advantages:

• Enhanced Security: Certificates are much harder to compromise than pre-shared keys.
• Scalability: Managing certificates is easier in large networks compared to distributing and updating pre-shared keys.
• Centralized Management: A CA allows you to revoke certificates if a device is lost or compromised, instantly blocking access.

Prerequisites

Before you begin, ensure you have the following:

• A MikroTik Router: Running RouterOS with a public IP address.
• RouterOS version 6.43 or higher: Earlier versions may have limitations with certificate handling.
• Basic understanding of MikroTik RouterOS: Familiarity with WinBox or the command-line interface (CLI).
• A computer: To generate certificates and configure the client.
• OpenSSL (Recommended): For generating certificates. You can use other tools, but OpenSSL is widely available and well-documented.

Step-by-Step Configuration

Step 1: Generate Certificates

First, we need to create a Certificate Authority (CA), a server certificate, and a client certificate. The CA is the root of trust, signing the server and client certificates. This process might seem daunting, but I'll break it down. We will generate these with openssl, but there are other tools available.

1. Create the CA Certificate:

   Open your terminal or command prompt and run the following commands:

   openssl genrsa -out ca.key 2048
   openssl req -x509 -new -nodes -key ca.key -subj "/CN=My Root CA" -days 3650 -out ca.crt
   

   • openssl genrsa -out ca.key 2048: This generates a 2048-bit RSA key for the CA and saves it to ca.key.
   • openssl req -x509 -new -nodes -key ca.key -subj "/CN=My Root CA" -days 3650 -out ca.crt: This creates a self-signed certificate for the CA, valid for 3650 days (10 years). You'll be prompted for information like country, organization, etc. The /CN=My Root CA sets the Common Name for your CA. Make sure to choose something descriptive. This is super important for identifying your CA later.

2. Create the Server Certificate:

   openssl genrsa -out server.key 2048
   openssl req -new -key server.key -subj "/CN=vpn.yourdomain.com" -out server.csr
   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
   

   • openssl genrsa -out server.key 2048: Generates a 2048-bit RSA key for the server.
   • openssl req -new -key server.key -subj "/CN=vpn.yourdomain.com" -out server.csr: Creates a certificate signing request (CSR) for the server. Replace vpn.yourdomain.com with the actual domain name or IP address of your VPN server. This is crucial; otherwise, clients may not trust the certificate.
   • openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650: Signs the server's CSR with the CA, creating the server certificate (server.crt).

3. Create the Client Certificate:

   openssl genrsa -out client.key 2048
   openssl req -new -key client.key -subj "/CN=client1" -out client.csr
   openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
   

   • openssl genrsa -out client.key 2048: Generates a 2048-bit RSA key for the client.
   • openssl req -new -key client.key -subj "/CN=client1" -out client.csr: Creates a CSR for the client. Replace client1 with a unique identifier for the client. This helps you manage individual client access.
   • openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650: Signs the client's CSR with the CA, creating the client certificate (client.crt).

4. Create a PKCS12 File for the Client:

   This bundles the client certificate and key into a single file for easy import on client devices.

   openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -certfile ca.crt -out client.p12
   

   You'll be prompted for an export password. Remember this password; you'll need it when importing the certificate on the client device.

Step 2: Import Certificates into MikroTik

Now, let's import the CA and server certificates into your MikroTik router.

1. Using WinBox:

   • Connect to your MikroTik router using WinBox.
   • Go to System -> Certificates.
   • Click the + button and select Import.
   • Import ca.crt. Set Name to My Root CA and check Trusted. This tells the router to trust certificates signed by this CA. Trusting the CA is absolutely vital.
   • Import server.crt. Set Name to Server Certificate and provide the server.key as the key file. Ensure that the Key is selected under the import options after selecting the file. This is needed for the server to identify itself.

2. Using CLI:

   | Read Also : Commanders Player Ejected: What Happened & Why?

   /certificate import file-name=ca.crt certificate=yes trusted=yes
   /certificate import file-name=server.crt certificate=yes private-key=server.key
   

   • Make sure the files are uploaded to the MikroTik router first, for example, using FTP or the Files section in Winbox.

Step 3: Configure L2TP/IPsec Server

Next, we'll configure the L2TP/IPsec server settings on the MikroTik.

1. Enable IPsec:

   /ip ipsec proposal
   add name=default-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp2048
   
   /ip ipsec policy
   add proposal=default-proposal src-address=0.0.0.0/0 dst-address=0.0.0.0/0 sa-dst-address=0.0.0.0/0 sa-src-address=0.0.0.0/0 tunnel=yes template=yes
   

   These commands set up the IPsec proposal and policy. The proposal defines the encryption and authentication algorithms, while the policy defines which traffic should be protected.

2. Configure L2TP Server:

   /interface l2tp-server server
   set enabled=yes allow-chap=no allow-pap=no auth-methods=eap default-profile=default ipsec-secret= 
   

   • enabled=yes: Enables the L2TP server.
   • allow-chap=no allow-pap=no: Disables CHAP and PAP authentication, as we're using certificates.
   • auth-methods=eap: Specifies EAP (Extensible Authentication Protocol) for authentication.
   • default-profile=default: Sets the default PPP profile.
   • ipsec-secret=: Remove any pre-shared key, we will be using certificates.

3. Configure PPP Profile:

   /ppp profile
   set default local-address=192.168.88.1 remote-address=192.168.88.10-192.168.88.20 use-encryption=yes only-one=default
   

   • local-address: The IP address of the MikroTik on the VPN network.
   • remote-address: The IP address range for VPN clients.
   • use-encryption=yes: Enables encryption.
   • only-one=default: Limits the profile to a single connection.

Step 4: Create a User for L2TP

Now, let's create a user account for L2TP and link it to the client certificate.

1. Create the User:

   /ppp secret
   add name=client1 password=password123 profile=default service=l2tp
   

   • name: The username for the client. This should match the Common Name (CN) you set in the client certificate. This is crucial for certificate-based authentication to work correctly.
   • password: You can set a password, but it won't be used since we're using certificates. It's still a good practice to set a strong password, even if it's not the primary authentication method.
   • profile: The PPP profile we configured earlier.
   • service: Specifies that this user is for L2TP.

Step 5: Configure the Client Device

Finally, configure your client device (e.g., Windows, macOS, iOS, Android) to connect to the L2TP/IPsec VPN.

Windows

1. Import the Certificate:

   • Double-click the client.p12 file.
   • Follow the prompts to import the certificate. Enter the password you set when creating the .p12 file.
   • Choose to store the certificate in the Local Machine store.

2. Create the VPN Connection:

   • Go to Settings -> Network & Internet -> VPN -> Add a VPN connection.
   • Set the following:
     • VPN provider: Windows (built-in)
     • Connection name: A descriptive name (e.g., "My MikroTik VPN")
     • Server name or address: The public IP address or domain name of your MikroTik router.
     • VPN type: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
     • Type of sign-in info: User name and password
     • User name: client1 (or whatever you named the client in the MikroTik PPP secrets).
     • Password: The password you set, though it won't be used for authentication, Windows requires it.
   • Click Save.

3. Advanced IPsec Settings:

   • Go to Network and Sharing Center -> Change adapter settings.
   • Right-click on your VPN connection and select Properties.
   • Go to the Security tab.
     • Set Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
     • Click Advanced settings.
     • Select Use certificate for authentication.
     • Verify that the correct certificate is selected.
     • Click OK on all windows to save the changes.

macOS

1. Import the Certificate:

   • Double-click the client.p12 file.
   • Keychain Access will open. Choose the System keychain.
   • Enter the password you set when creating the .p12 file.

2. Create the VPN Connection:

   • Go to System Preferences -> Network.
   • Click the + button to add a new service.
   • Set the following:
     • Interface: VPN
     • VPN Type: L2TP over IPsec
     • Service Name: A descriptive name (e.g., "My MikroTik VPN")
   • Click Create.
   • Set the following:
     • Server Address: The public IP address or domain name of your MikroTik router.
     • Account Name: client1 (or whatever you named the client in the MikroTik PPP secrets).
   • Click Authentication Settings.
     • Select Certificate.
     • Choose the client certificate you imported.
     • Enter the password you set, though it won't be used for authentication, macOS requires it.
   • Click OK.
   • Click Apply.

Step 6: Test the Connection

Now, try connecting to the VPN from your client device. If everything is configured correctly, you should be able to establish a secure L2TP/IPsec connection using certificate authentication. Check your MikroTik logs for any errors if you have trouble connecting. Common problems include incorrect certificate settings, mismatched usernames, or firewall rules blocking the VPN traffic.

Troubleshooting Tips

• Certificate Issues: Double-check that the CA certificate is trusted on the MikroTik and that the client certificate is correctly installed on the client device.
• Firewall Rules: Ensure that your firewall allows UDP ports 500, 1701, and 4500.
• IPsec Policy: Verify that the IPsec policy is correctly configured and enabled.
• Logs: Check the MikroTik logs for any error messages related to IPsec or L2TP.
• Client Configuration: Double-check all the settings on the client device, especially the server address, username, and certificate selection.

Conclusion

Setting up L2TP/IPsec with certificates on a MikroTik router provides a robust and secure VPN solution. While the initial configuration might seem complex, the added security and scalability are well worth the effort. By following these steps, you can ensure that your network is protected from unauthorized access and that your data is transmitted securely. Remember to keep your certificates up-to-date and to monitor your network for any suspicious activity. Congrats, you have now secured your network!