Setting up a secure site-to-site VPN using MikroTik routers with IL2TP/IPsec can seem daunting, but fear not, we're here to break it down! This article will guide you through the process, ensuring that you can establish a secure connection between two networks using MikroTik devices. So, let's dive in and get those networks talking securely to each other.

Understanding the Basics

Before we jump into the configuration, let's cover some essential concepts.

First, what is a VPN? A Virtual Private Network (VPN) creates a secure, encrypted connection over a less secure network, like the internet. This allows you to extend a private network across a public network, enabling secure data transmission.

Second, why IL2TP/IPsec? Layer Two Tunneling Protocol (L2TP) is a VPN protocol that, on its own, lacks encryption. That's where IPsec comes in! IPsec (Internet Protocol Security) provides the necessary encryption to secure the L2TP connection. Together, they form a robust and secure VPN solution.

Third, why MikroTik? MikroTik routers are known for their flexibility, powerful features, and cost-effectiveness. They offer a wide range of VPN options, including L2TP/IPsec, making them a popular choice for both home and business users.

Fourth, what is Site-to-Site? In a Site-to-Site VPN setup, two or more networks are connected over the internet, creating a secure tunnel through which data can be transmitted as if they were on the same physical network. This is especially useful for businesses with multiple locations that need to share resources securely. This connection encrypts all traffic passing between the two sites, ensuring that no one can eavesdrop on your sensitive data. The IL2TP protocol encapsulates the data, while IPsec provides the encryption, authentication, and integrity checks. The combination of the two ensures a secure tunnel between the networks. The advantage of using MikroTik routers is the flexibility and control they offer. You can customize the settings to suit your specific needs and requirements, such as defining the encryption algorithms, key exchange methods, and authentication protocols. Plus, MikroTik's RouterOS provides advanced features like traffic shaping, firewall rules, and routing policies, allowing you to optimize your VPN performance and security.

Network Diagram

Before we begin, it's helpful to visualize our setup. Imagine two MikroTik routers, one at Site A and another at Site B. Each site has its own local network (LAN) with a different subnet. Our goal is to create an L2TP/IPsec VPN tunnel between these two routers, allowing devices on each LAN to communicate securely.

• Site A:
  • Router IP: 192.168.1.1
  • LAN Subnet: 192.168.1.0/24
• Site B:
  • Router IP: 192.168.2.1
  • LAN Subnet: 192.168.2.0/24

Make sure to replace these IP addresses and subnets with your actual network configurations.

Configuration Steps

Now, let's get to the fun part: configuring the MikroTik routers. We'll go through the necessary steps for both Site A and Site B. Remember to adjust the settings according to your specific network environment.

Site A Configuration

1. IPsec Proposal:

   • Open WinBox and connect to your Site A router.
   • Go to IP > IPsec > Proposals and add a new proposal.
   • Set the Name (e.g., "vpn-proposal").
   • Choose the Encryption Algorithms (e.g., aes-256-cbc, aes-128-cbc).
   • Select the Hash Algorithms (e.g., sha256, sha1).
   • Set the PFS Group (e.g., modp1024).

   The IPsec Proposal defines the security parameters for the IPsec connection. These settings must match on both sides of the VPN tunnel. The Encryption Algorithms determine how the data will be encrypted. AES (Advanced Encryption Standard) is a widely used and secure option, with AES-256-CBC providing stronger encryption than AES-128-CBC. The Hash Algorithms are used to ensure the integrity of the data. SHA256 is a more secure option compared to SHA1. The PFS Group (Perfect Forward Secrecy) generates a new secret key for each session, enhancing security. Modp1024 is a common choice, but you can opt for stronger groups like modp2048 or modp3072 if your hardware supports it. It's essential to choose algorithms and groups that are both secure and compatible with your hardware capabilities to ensure optimal performance. It's also important to regularly review and update these settings as new security standards and recommendations emerge. Outdated or weak algorithms can make your VPN vulnerable to attacks. Regularly consulting security advisories and best practices will help you keep your VPN secure and up-to-date.

2. IPsec Peer:

   • Go to IP > IPsec > Peers and add a new peer.
   • Set the Address to the public IP address of Site B.
   • Set the Secret (this is your pre-shared key; keep it secure!).
   • Select the Exchange Mode (e.g., ike2).
   • Choose the Proposal you created earlier (e.g., "vpn-proposal").

   The IPsec Peer defines the remote end of the VPN tunnel. The Address field should be set to the public IP address of the remote MikroTik router. The Secret is a pre-shared key that acts as a password for the IPsec connection. It's crucial to choose a strong and unique secret to prevent unauthorized access. Keep this secret safe and do not share it with unauthorized parties. The Exchange Mode determines how the IPsec security association is established. IKEv2 (Internet Key Exchange version 2) is a more modern and secure option compared to IKEv1. It offers improved performance, better security, and more robust negotiation capabilities. However, both routers must support IKEv2 for it to work. If you encounter compatibility issues, you may need to fall back to IKEv1. The Proposal field links the peer to the IPsec Proposal you created earlier. This ensures that the same security parameters are used for the connection. It's essential to double-check that the settings in the IPsec Peer match the settings on the remote router to avoid connection problems. Also, consider enabling additional security features like certificate-based authentication for enhanced security. Certificate-based authentication uses digital certificates to verify the identity of the peers, providing a more secure alternative to pre-shared keys.

3. IPsec Identity:

   | Read Also : KPR BRI 10 Tahun: Simulasi Angsuran & Tips!
   • Go to IP > IPsec > Identities and add a new identity.
   • Set the Peer to the peer you created (e.g., Site B's peer).
   • Set Auth. Method to pre-shared-key and input the secret you configured.

   The IPsec Identity associates the pre-shared key with the IPsec Peer. This step is essential for authenticating the connection. The Peer field should be set to the IPsec Peer you created in the previous step. This links the identity to the specific remote router. The Auth. Method should be set to pre-shared-key, and you should enter the same secret that you configured in the IPsec Peer settings. This secret is used to verify the identity of the remote router. It's crucial to ensure that the secret matches exactly on both sides of the VPN tunnel to avoid authentication failures. If you are using certificate-based authentication, you would configure the Auth. Method to use certificates and specify the appropriate certificates for authentication. However, since we are using a pre-shared key in this example, we will stick with the pre-shared-key method. Properly configuring the IPsec Identity is crucial for establishing a secure and authenticated VPN connection. Double-check the settings to ensure that they match the settings on the remote router. Incorrect settings can lead to connection problems and security vulnerabilities.

4. L2TP Server:

   • Go to PPP > L2TP Server and enable it.
   • Set Default Profile to a new profile (we'll create this next).

   Enabling the L2TP Server allows the MikroTik router to accept incoming L2TP connections. The Default Profile setting specifies the profile that will be used for all incoming L2TP connections. It's essential to configure a separate profile for L2TP connections to define the IP address pool, DNS settings, and other parameters. This allows you to control the network settings for the VPN clients. Before enabling the L2TP Server, make sure that you have configured the IPsec settings correctly. The L2TP Server relies on IPsec for encryption and authentication, so the IPsec settings must be in place before you enable the L2TP Server. Also, consider enabling additional security features like CHAP or MS-CHAP authentication for L2TP connections. These authentication methods provide an additional layer of security on top of IPsec. However, it's important to note that MS-CHAP is considered less secure than CHAP and should be avoided if possible. If you are using CHAP or MS-CHAP authentication, make sure that the settings match on both sides of the VPN tunnel. Incorrect settings can lead to authentication failures and connection problems.

5. PPP Profile:

   • Go to PPP > Profiles and add a new profile.
   • Set the Name (e.g., "vpn-profile").
   • Go to the IP tab and set Local Address to an IP address within your subnet (e.g., 192.168.1.10).
   • Set Remote Address to an IP address range for VPN clients (e.g., 192.168.1.11-192.168.1.20).
   • Go to the DNS tab and set the DNS Servers (e.g., 8.8.8.8, 8.8.4.4).

   The PPP Profile defines the network settings for the L2TP clients. The Name field allows you to give the profile a descriptive name. The IP tab specifies the IP addresses that will be assigned to the L2TP server and clients. The Local Address is the IP address that the MikroTik router will use for the L2TP connection. This IP address should be within the same subnet as your local network. The Remote Address is the range of IP addresses that will be assigned to the L2TP clients. Make sure that this range does not overlap with any other IP addresses in your network. The DNS tab allows you to specify the DNS servers that will be used by the L2TP clients. It's recommended to use reliable and fast DNS servers like Google DNS (8.8.8.8 and 8.8.4.4) or Cloudflare DNS (1.1.1.1 and 1.0.0.1). Using the correct DNS servers can improve the performance and reliability of the VPN connection. Also, consider enabling additional features like MPPE encryption for L2TP connections. MPPE encryption provides an additional layer of encryption on top of IPsec. However, it's important to note that MPPE encryption is not as strong as IPsec encryption and should not be used as a replacement for IPsec. If you are using MPPE encryption, make sure that the settings match on both sides of the VPN tunnel. Incorrect settings can lead to connection problems and security vulnerabilities.

6. Firewall Rules:

   • Go to IP > Firewall > Filter Rules and add rules to:
     • Accept IPsec traffic (protocol esp).
     • Accept L2TP traffic (port 1701).
     • Allow forwarding between your LAN and the VPN subnet.

   Firewall rules are essential for allowing traffic to pass through the VPN tunnel. The first rule allows IPsec traffic (protocol esp) to pass through the firewall. This is necessary for establishing the IPsec connection. The second rule allows L2TP traffic (port 1701) to pass through the firewall. This is necessary for establishing the L2TP connection. The third rule allows forwarding between your LAN and the VPN subnet. This is necessary for allowing devices on your LAN to communicate with devices on the VPN subnet. When creating firewall rules, it's important to be as specific as possible to minimize the risk of unauthorized access. For example, you can specify the source and destination IP addresses and ports to restrict the traffic that is allowed to pass through the firewall. Also, consider enabling additional security features like connection tracking and stateful firewalling. Connection tracking allows the firewall to keep track of the state of each connection, while stateful firewalling allows the firewall to make decisions based on the state of the connection. These features can help to prevent unauthorized access and improve the security of your network. It's also important to regularly review and update your firewall rules to ensure that they are still effective. Outdated or misconfigured firewall rules can create security vulnerabilities and allow unauthorized access to your network.

Site B Configuration

Repeat the steps above on Site B, with the following changes:

1. IPsec Peer:

   • Set the Address to the public IP address of Site A.
   • Use the same Secret as Site A.

2. PPP Profile:

   • Set Local Address to an IP address within Site B's subnet (e.g., 192.168.2.10).
   • Set Remote Address to an IP address range for VPN clients on Site B's subnet (e.g., 192.168.2.11-192.168.2.20).

Testing the Connection

After configuring both routers, it's time to test the connection. From a device on Site A's LAN, try to ping a device on Site B's LAN, and vice versa. If the ping is successful, congratulations! You've successfully set up an L2TP/IPsec site-to-site VPN between your MikroTik routers.

• Troubleshooting: If the ping fails, double-check the following:
  • IPsec and L2TP settings on both routers.
  • Firewall rules on both routers.
  • Routing configuration on both routers.
  • Ensure that there are no IP address conflicts.

Conclusion

Setting up an L2TP/IPsec site-to-site VPN on MikroTik routers can seem complicated at first, but with careful configuration and attention to detail, it's definitely achievable. By following the steps outlined in this article, you can establish a secure connection between two networks, allowing for secure data transmission and resource sharing. So go ahead, give it a try, and enjoy the benefits of a secure and connected network!

Remember always to keep your devices updated with the latest firmware to patch any security vulnerabilities that may come up. Stay secure, folks!