Setting up a secure site-to-site VPN using MikroTik routers, specifically with IL2TP and IPsec, might seem daunting at first, but trust me, it's totally achievable! This comprehensive guide walks you through the entire process, ensuring you create a robust and encrypted connection between two networks. So, grab your coffee, fire up your MikroTik devices, and let’s dive in!

Understanding the Basics

Before we jump into configurations, it's crucial to understand what we're working with. IL2TP (Layer Two Tunneling Protocol) is a VPN protocol that, by itself, doesn't offer encryption. That's where IPsec (Internet Protocol Security) comes in. IPsec adds a layer of security, providing authentication and encryption for our VPN tunnel. Think of IL2TP as the road and IPsec as the armored car driving on it – together, they ensure safe and secure passage for your data. Using MikroTik routers, you can create a secure tunnel between two remote networks with the combination of L2TP and IPsec, enabling resources on both networks to communicate as if they were on the same local network.

The main reason we combine these two is for compatibility and security. While other VPN protocols like WireGuard and OpenVPN are gaining popularity, IL2TP/IPsec is still widely supported across various devices and platforms. This makes it a reliable choice when you need a VPN solution that 'just works' with minimal fuss. Plus, when properly configured, IPsec provides robust encryption, safeguarding your data from prying eyes. Remember, the key to a successful VPN is understanding the purpose of each component and how they work together.

Configuring a secure site-to-site VPN between two MikroTik routers using L2TP and IPsec involves several key steps. First, you must configure the IPsec settings on both routers. This includes setting up the IPsec policy, proposals, and peer configurations. The policy determines which traffic should be encrypted and how, the proposal defines the encryption and hashing algorithms, and the peer configuration authenticates the connection between the two routers. Next, you need to set up the L2TP server on one router and the L2TP client on the other. The L2TP server listens for incoming connections, while the L2TP client initiates the connection to the server. When configuring the L2TP settings, you'll need to specify the IP address of the remote router, a username, and a password for authentication. It's also essential to configure the firewall settings on both routers to allow the necessary traffic to pass through the VPN tunnel. This involves creating firewall rules to accept L2TP and IPsec traffic and to allow traffic between the local networks. By following these steps carefully, you can establish a secure and reliable site-to-site VPN connection between two MikroTik routers, ensuring that your data is protected as it travels between the two networks.

Prerequisites

Before we start, make sure you have the following:

• Two MikroTik Routers: Obviously! These should be running RouterOS (the operating system for MikroTik devices).
• Public IP Addresses: Each router needs a public IP address so they can find each other over the internet. If you're behind a NAT, you'll need to configure port forwarding.
• Basic Networking Knowledge: A grasp of IP addressing, subnetting, and routing will be super helpful.
• Winbox: This is the GUI tool for configuring MikroTik routers. Download it from the MikroTik website.

Step-by-Step Configuration

We'll configure one router as the Server (the one accepting the VPN connection) and the other as the Client (the one initiating the connection).

1. Server Configuration

a. IPsec Configuration

• IPsec Proposals: These define the encryption and hashing algorithms. Go to IP > IPsec > Proposals and create a new proposal. A good starting point is:
  • Name: default
  • Auth. Algorithms: sha256
  • Encryption Algorithms: aes-256-cbc
  • Lifetime: 1h
• IPsec Profiles: Profiles group the proposals and other settings. Go to IP > IPsec > Profiles and create a new profile:
  • Name: default
  • Hash Algorithm: sha256
  • Encryption Algorithm: aes-256-cbc
  • DH Group: modp1024
• IPsec Peer: This defines the remote router's IP address and pre-shared key. Go to IP > IPsec > Peers and create a new peer:
  • Address: <Client's Public IP Address>
  • Profile: default
  • Exchange Mode: ike2
  • Secret: <Your Pre-Shared Key> (Make this strong!)
  • Local Address: <Server's Public IP Address>
• IPsec Policy: This tells the router which traffic to encrypt. Go to IP > IPsec > Policies and create a new policy:
  • Src. Address: <Server's Local Network> (e.g., 192.168.1.0/24)
  • Dst. Address: <Client's Local Network> (e.g., 192.168.2.0/24)
  • Peer: <The peer you created>
  • Profile: default
  • Action: encrypt

b. L2TP Server Configuration

• Create an IP Pool: This pool will assign IP addresses to connecting clients. Go to IP > Pool and create a new pool:
  • Name: l2tp-pool
  • Addresses: 10.0.0.2-10.0.0.10 (Adjust this range as needed, and make sure it doesn't overlap with your existing networks.)
• Create an L2TP Server: Go to PPP > Interfaces and click the '+' button, then select L2TP Server Binding:
  • Name: l2tp-server
  • Interface: <Your Public Interface> (The interface with the public IP address)
  • Authentication: Select mschap2
  • IPsec Secret: <Your Pre-Shared Key> (Must match the IPsec Peer secret)
• Create a PPP Secret: This is the username and password clients will use to connect. Go to PPP > Secrets and add a new secret:
  • Name: <Your Username>
  • Password: <Your Password>
  • Service: l2tp
  • Profile: default-encryption
  • Local Address: 10.0.0.1 (An IP address for the server on the VPN network)
  • Remote Address: l2tp-pool (The IP pool you created)

2. Client Configuration

a. IPsec Configuration

• IPsec Proposals: Create a proposal identical to the one on the server (IP > IPsec > Proposals):
  • Name: default
  • Auth. Algorithms: sha256
  • Encryption Algorithms: aes-256-cbc
  • Lifetime: 1h
• IPsec Profiles: Create a profile identical to the one on the server (IP > IPsec > Profiles):
  • Name: default
  • Hash Algorithm: sha256
  • Encryption Algorithm: aes-256-cbc
  • DH Group: modp1024
• IPsec Peer: This defines the remote router's IP address and pre-shared key. Go to IP > IPsec > Peers and create a new peer:
  • Address: <Server's Public IP Address>
  • Profile: default
  • Exchange Mode: ike2
  • Secret: <Your Pre-Shared Key> (Must match the server)
  • Local Address: <Client's Public IP Address>
• IPsec Policy: This tells the router which traffic to encrypt. Go to IP > IPsec > Policies and create a new policy:
  • Src. Address: <Client's Local Network> (e.g., 192.168.2.0/24)
  • Dst. Address: <Server's Local Network> (e.g., 192.168.1.0/24)
  • Peer: <The peer you created>
  • Profile: default
  • Action: encrypt

b. L2TP Client Configuration

• Create an L2TP Client: Go to PPP > Interfaces and click the '+' button, then select L2TP Client:
  • Name: l2tp-client
  • Connect To: <Server's Public IP Address>
  • User: <Your Username> (The username you created on the server)
  • Password: <Your Password> (The password you created on the server)
  • IPsec Secret: <Your Pre-Shared Key> (Must match the IPsec Peer secret)
  • Profile: default-encryption
  • Add Default Route: yes

3. Firewall Configuration (Both Routers)

You'll need to adjust your firewall to allow the VPN traffic. Here are the basic rules you'll need. Go to IP > Firewall > Filter Rules.

• Allow IPsec Traffic:
  • Chain: input
  • Protocol: udp
  • Dst. Port: 500, 4500
  • Action: accept
• Allow L2TP Traffic:
  • Chain: input
  • Protocol: udp
  • Dst. Port: 1701
  • Action: accept
• Allow ESP Traffic: (This is the encrypted IPsec traffic)
  • Chain: input
  • Protocol: ipsec-esp
  • Action: accept
• Forwarding Rules: You may also need to adjust the forward chain to allow traffic to pass through the VPN tunnel between your local networks.

Troubleshooting

• Check Logs: The MikroTik logs are your best friend! Go to System > Logging to see what's happening.
• IPsec Status: Check the IPsec status under IP > IPsec > Active Peers. It should show an established connection.
• Ping Test: Try pinging devices on the remote network. If you can't ping, double-check your routing and firewall rules.
• MTU Issues: Sometimes, the Maximum Transmission Unit (MTU) can cause problems. Try lowering the MTU on the L2TP interfaces.

Security Considerations

• Strong Pre-Shared Key: Use a strong, randomly generated pre-shared key for IPsec. Don't use a simple password!
• Regular Updates: Keep your RouterOS updated to the latest version to patch security vulnerabilities.
• Firewall Rules: Carefully review your firewall rules to ensure only necessary traffic is allowed.
• Monitor Logs: Regularly monitor your logs for suspicious activity.

Conclusion

Setting up a MikroTik site-to-site VPN with IL2TP and IPsec can be a bit complex, but it’s a powerful way to securely connect two networks. By following this guide and paying close attention to detail, you can create a robust and encrypted tunnel for your data. Remember to prioritize security and regularly review your configuration to ensure it remains effective. Now, go forth and build your secure network! Good luck, and have fun!