Setting up VPNs: L2TP/IPsec RSA for Android, IKEv2 for iOS, SSTP for PCs

Massive headline, yes, but it's a nice little setup that I like.

Difficulty: easy to advanced. Change the values as needed to suit your setup.

Requirements:

  • IP Cloud enabled, or an equivalent domain name from a DNS provider. For this guide, I'll be using MikroTik's built-in IP Cloud DDNS system.
/ip cloud set ddns-enabled=yes update-time=yes

Write down the dns-name shown by the command below, as we will need it a bit later.

/ip cloud print 

Creating the certificates

  1. Create a self-signed CA certificate (valid for 10 years!)
    NB: common-name should be the dns-name from the ip cloud print command
    /certificate add name=My-CA common-name=123.sn.mynetname.net key-usage=key-cert-sign,crl-sign trusted=yes days-valid=3650
  2. Sign the CA certificate
    /certificate sign My-CA
  3. Generate a certificate for the router (server) (valid for 10 years!)
    NB: common-name should be the dns-name from the ip cloud print command
    /certificate add name=VPN-Server-Certificate common-name=123.sn.mynetname.net days-valid=3650 key-usage=digital-signature,key-encipherment,data-encipherment,ipsec-tunnel,ipsec-end-system,tls-server
  4. Sign the server certificate
    /certificate sign VPN-Server-Certificate ca=My-CA
  5. Trust the server certificate
    /certificate set trusted=yes VPN-Server-Certificate
  6. Create a client certificate
    /certificate add name=VPN-Client-Certificate common-name=client.123.sn.mynetname.net days-valid=3650 key-usage=digital-signature,key-encipherment,data-encipherment,ipsec-user,tls-client
  7. Sign the client certificate
    /certificate sign VPN-Client-Certificate ca=My-CA
  8. Trust the client certificate
    /certificate set trusted=yes VPN-Client-Certificate
  9. Export the CA certificate and the client certificate, then import them on the iOS and Android devices (I just e-mail the certificates to the devices)
    /certificate export-certificate My-CA type=pem
    /certificate export-certificate VPN-Client-Certificate type=pkcs12 export-passphrase=12345678
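Before exporting, it is worth confirming that the three certificates fit together the way the later sections rely on: the server common-name must equal the IP Cloud dns-name, the client common-name must equal the Local ID typed into iOS, and both must be signed by My-CA. The script below is an added example (not part of this post or of RouterOS): it parses the guide's own /certificate commands, copied in as constructed input, and reports any mismatch. ROUTER_FQDN and IKEV2_LOCAL_ID are assumed values taken from this guide's example names, and the key-usage expectations are the ones the guide's own commands set.

```python
"""Cross-check the certificate commands from this guide before exporting.

Added example, not a RouterOS feature: the command strings below are copied
from the guide as constructed input, and the consistency rules are this
script's own reading of what the guide requires (server common-name equals the
IP Cloud dns-name, client common-name equals the iOS Local ID, both signed by
My-CA, key usages matching each certificate's role)."""
import shlex

# Constructed input: the /certificate commands as the guide gives them.
CERT_COMMANDS = [
    "/certificate add name=My-CA common-name=123.sn.mynetname.net "
    "key-usage=key-cert-sign,crl-sign trusted=yes days-valid=3650",
    "/certificate sign My-CA",
    "/certificate add name=VPN-Server-Certificate common-name=123.sn.mynetname.net "
    "days-valid=3650 key-usage=digital-signature,key-encipherment,"
    "data-encipherment,ipsec-tunnel,ipsec-end-system,tls-server",
    "/certificate sign VPN-Server-Certificate ca=My-CA",
    "/certificate add name=VPN-Client-Certificate common-name=client.123.sn.mynetname.net "
    "days-valid=3650 key-usage=digital-signature,key-encipherment,"
    "data-encipherment,ipsec-user,tls-client",
    "/certificate sign VPN-Client-Certificate ca=My-CA",
]

ROUTER_FQDN = "123.sn.mynetname.net"            # assumed: dns-name from /ip cloud print
IKEV2_LOCAL_ID = "client.123.sn.mynetname.net"  # assumed: the Local ID typed on iOS

ACTIONS = {"add", "set", "sign", "print", "export-certificate"}


def parse_command(line):
    """Split one RouterOS CLI line into (path, action, positional args, {key: value})."""
    tokens = shlex.split(line)
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    words = [t for t in tokens if "=" not in t]
    i = next(n for n, w in enumerate(words) if w in ACTIONS)
    return " ".join(words[:i]), words[i], words[i + 1:], kv


def build_certificates(commands):
    """Return {name: {"cn", "usage", "ca"}} from add/sign commands; ca is None when self-signed."""
    certs = {}
    for line in commands:
        path, action, positional, kv = parse_command(line)
        if path != "/certificate":
            continue
        if action == "add":
            certs[kv["name"]] = {
                "cn": kv.get("common-name"),
                "usage": set(kv.get("key-usage", "").split(",")),
                "ca": None,
            }
        elif action == "sign":
            certs[positional[0]]["ca"] = kv.get("ca")
    return certs


def check_certificates(certs, router_fqdn, client_local_id,
                       ca_name="My-CA", server_name="VPN-Server-Certificate",
                       client_name="VPN-Client-Certificate"):
    """Return a list of problems; an empty list means the three certificates fit together."""
    problems = []
    ca, server, client = certs[ca_name], certs[server_name], certs[client_name]
    if "key-cert-sign" not in ca["usage"]:
        problems.append(f"{ca_name} lacks key-cert-sign, so it cannot sign the others")
    if ca["ca"] is not None:
        problems.append(f"{ca_name} should be self-signed (sign it without ca=)")
    if server["cn"] != router_fqdn:
        problems.append(f"{server_name} common-name {server['cn']} != dns-name {router_fqdn}")
    if not {"tls-server", "ipsec-end-system"} <= server["usage"]:
        problems.append(f"{server_name} needs tls-server (SSTP) and ipsec-end-system (IPsec) usages")
    if client["cn"] != client_local_id:
        problems.append(f"{client_name} common-name {client['cn']} != iOS Local ID {client_local_id}")
    if client["cn"] == server["cn"]:
        problems.append("client and server share a common-name; the peer cannot tell them apart")
    if not {"tls-client", "ipsec-user"} <= client["usage"]:
        problems.append(f"{client_name} needs tls-client and ipsec-user usages")
    for name, cert in ((server_name, server), (client_name, client)):
        if cert["ca"] != ca_name:
            problems.append(f"{name} is not signed by {ca_name}")
    return problems


if __name__ == "__main__":
    found = check_certificates(build_certificates(CERT_COMMANDS), ROUTER_FQDN, IKEV2_LOCAL_ID)
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("certificates are consistent")
```

Paste your own commands into CERT_COMMANDS and set ROUTER_FQDN to the dns-name you wrote down; a non-empty list tells you which name or key usage to fix before you e-mail anything to the phones.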

L2TP/IPsec RSA for Android

  1. First off, we need a VPN pool from which our clients obtain IP addresses.
    /ip pool add name=vpn-pool ranges=192.168.89.2-192.168.89.22
  2. A PPP profile
    /ppp profile set default-encryption local-address=192.168.89.1 remote-address=vpn-pool
  3. A PPP secret (a username and password)
    /ppp secret add name=l2tp-user password=userpassword service=l2tp profile=default-encryption
  4. An IPsec proposal (offering your devices a choice of encryption algorithms)
    /ip ipsec proposal set [find default=yes] enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc
  5. A mode config
    /ip ipsec mode-config add name=vpn-mode-config address-pool=vpn-pool static-dns=1.1.1.1
  6. An IPsec peer
    NB: use the fqdn obtained from the ip cloud print command (dns-name)
    /ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=VPN-Server-Certificate remote-certificate=VPN-Client-Certificate exchange-mode=main-l2tp passive=yes my-id=fqdn:123.sn.mynetname.net mode-config=vpn-mode-config generate-policy=port-strict proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,aes-192,aes-256 dh-group=modp1024 comment=L2TP-RSA
  7. Enable the L2TP server
    /interface l2tp-server server set enabled=yes default-profile=default-encryption use-ipsec=no caller-id-type=ip-address authentication=mschap2
  8. Add a masquerade rule for the VPN traffic
    /ip firewall nat add action=masquerade chain=srcnat src-address=192.168.89.0/24
  9. Finally, allow it through the firewall. Make sure the rule precedes any drop rule
    (e.g. use place-before=3 to create the rule as number 3 in your firewall config).
    /ip firewall filter add action=accept chain=input comment="L2TP-Server" protocol=udp dst-port=500,1701,4500

On Android, set up a VPN connection of type L2TP/IPSec RSA with the following values from above:

Name: My-vpn
Type: L2TP/IPSec RSA
Server Address: 123.sn.mynetname.net (the dns-name obtained from the ip cloud print command above)
L2TP Secret: (not used)
IPSec identifier: (not used)
IPSec User Certificate: VPN-Client-Certificate
IPSec CA Certificate: My-CA
IPSec Server Certificate: (received from server)


IKEv2 for iOS (certificate-based)

Since we already have most of the pieces set up from above, we just need to add a few things for this to work.

  1. Create the IPsec peer (it reuses the proposal from above)
    NB: use the fqdn obtained from the ip cloud print command (dns-name)
    /ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature exchange-mode=ike2 passive=yes certificate=VPN-Server-Certificate remote-certificate=VPN-Client-Certificate send-initial-contact=yes my-id=fqdn:123.sn.mynetname.net mode-config=vpn-mode-config generate-policy=port-strict enc-algorithm=aes-128 dh-group=modp1024 comment=IKEv2
  2. Trust the root certificate on iOS: go to Settings > General > About > Certificate Trust Settings and, under "Enable full trust for root certificates", turn on trust for the CA certificate.

Set up the VPN on iOS as follows:
Type: IKEv2
Description: My-VPN
Server: 123.sn.mynetname.net (your ip cloud dns name)
Remote ID: 123.sn.mynetname.net
Local ID: client.123.sn.mynetname.net (this must match the client certificate's common-name)
User Authentication: None
User certificate: On
Certificate: VPN-Client-Certificate


SSTP (for PCs)

Why SSTP? Most free/public Wi-Fi networks block the ports needed for IKEv2 and L2TP/IPsec. So I set SSTP to use the common port 443, the same port used for secure web browsing, which is available on any free/public Wi-Fi.

  1. Enable SSTP
    (For added security you can set verify-client-certificate=yes, which will require you to load the VPN-Client-Certificate onto the PC as well as the My-CA certificate.)
    /interface sstp-server server set enabled=yes port=443 default-profile=default certificate=VPN-Server-Certificate authentication=mschap2
  2. Create a firewall rule to allow the traffic. Make sure the rule precedes any drop rule
    (e.g. use place-before=3 to create the rule as number 3 in your firewall config).
    Note: check that the HTTPS (SSL) WebFig service is disabled, as it also uses port 443 and will conflict.
    /ip firewall filter add chain=input protocol=tcp dst-port=443 in-interface=all-ppp action=accept comment="SSTP-server"
  3. Create a user account
    /ppp secret add name=sstp-user password=sstppassword service=sstp profile=default
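The L2TP and SSTP steps above share the pool, profile, NAT and firewall pieces, and a slip in any one of them (a pool that includes the router's local-address, a pool outside the masquerade subnet, a forgotten port) gives a VPN that connects but passes no traffic. The script below is an added example, not part of this post or of RouterOS: it parses the guide's commands, copied in as constructed input, and checks those relationships. REQUIRED_PORTS is this script's own list of what each VPN type needs accepted on the input chain; it does not check rule order relative to drop rules, which needs the full filter list.

```python
"""Cross-check the addressing and firewall commands from the L2TP and SSTP steps.

Added example, not a RouterOS feature: the command strings are copied from the
guide as constructed input, and the checks (pool inside the masquerade subnet,
local-address outside the pool, required ports accepted on the input chain)
are this script's own."""
import ipaddress
import shlex

# Constructed input: the relevant commands from the L2TP and SSTP sections.
NETWORK_COMMANDS = [
    "/ip pool add name=vpn-pool ranges=192.168.89.2-192.168.89.22",
    "/ppp profile set default-encryption local-address=192.168.89.1 remote-address=vpn-pool",
    "/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.89.0/24",
    '/ip firewall filter add action=accept chain=input comment="L2TP-Server" '
    "protocol=udp dst-port=500,1701,4500",
    "/ip firewall filter add chain=input protocol=tcp dst-port=443 in-interface=all-ppp "
    'action=accept comment="SSTP-server"',
]

# Assumed list: (protocol, port) pairs each VPN type needs accepted on the input chain.
REQUIRED_PORTS = {
    "L2TP/IPsec": {("udp", 500), ("udp", 1701), ("udp", 4500)},
    "SSTP": {("tcp", 443)},
}

ACTIONS = {"add", "set"}


def parse_command(line):
    """Split one RouterOS CLI line into (path, action, positional args, {key: value})."""
    tokens = shlex.split(line)
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    words = [t for t in tokens if "=" not in t]
    i = next(n for n, w in enumerate(words) if w in ACTIONS)
    return " ".join(words[:i]), words[i], words[i + 1:], kv


def build_model(commands):
    """Collect pools, PPP profiles, masquerade subnets and accepted (protocol, port) pairs."""
    model = {"pools": {}, "profiles": {}, "nat": [], "accept": set()}
    for line in commands:
        path, action, positional, kv = parse_command(line)
        if path == "/ip pool":
            lo, hi = kv["ranges"].split("-")
            model["pools"][kv["name"]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif path == "/ppp profile":
            model["profiles"][positional[0]] = kv
        elif path == "/ip firewall nat" and kv.get("action") == "masquerade":
            model["nat"].append(ipaddress.ip_network(kv["src-address"]))
        elif path == "/ip firewall filter" and kv.get("chain") == "input" and kv.get("action") == "accept":
            for port in kv.get("dst-port", "").split(","):
                if port:
                    model["accept"].add((kv["protocol"], int(port)))
    return model


def check_addressing(model):
    """Return problems found in pool / profile / NAT consistency (empty list when fine)."""
    problems = []
    for name, prof in model["profiles"].items():
        local = ipaddress.ip_address(prof["local-address"])
        pool = model["pools"].get(prof["remote-address"])
        if pool is None:
            problems.append(f"profile {name}: remote-address {prof['remote-address']} is not a pool")
            continue
        lo, hi = pool
        if lo <= local <= hi:
            problems.append(f"profile {name}: local-address {local} lies inside the client pool")
        if not any(lo in net and hi in net for net in model["nat"]):
            problems.append(f"pool {prof['remote-address']} ({lo}-{hi}) has no covering masquerade rule")
    return problems


def check_firewall(model):
    """Return {vpn: sorted list of (protocol, port) pairs still lacking an accept rule}."""
    return {vpn: sorted(need - model["accept"]) for vpn, need in REQUIRED_PORTS.items()}


if __name__ == "__main__":
    m = build_model(NETWORK_COMMANDS)
    for p in check_addressing(m):
        print("PROBLEM:", p)
    for vpn, missing in check_firewall(m).items():
        print(vpn, "missing:", missing or "nothing")
```

Run it against the output of /export on your own router (only the pool, profile, NAT and input-chain lines are needed) before testing from a phone; an empty problem list and an empty "missing" list mean the addressing and the open ports at least agree with each other.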

Next, import the CA certificate (and the client certificate, if you chose the extra security in step 1) onto your Windows systems: My-CA goes into the Trusted Root Certification Authorities store for both the user and the machine, and the client certificate into the user's certificate store. On Linux you can import the CA certificate or just ignore it; you will, however, need the client certificate if you chose the extra security option.

Set up an SSTP VPN connection on your systems (not going to cover this here; google it).

Server: 123.sn.mynetname.net (as above you should be used to this by now!)
Username: sstp-user (step 3)
Password: sstppassword (step 3)
