


ubuntu_mikrotik_ipsec

Ubuntu (server):

/etc/ipsec.conf

# Server-side IPsec configuration for the L2TP/IPsec link to the MikroTik.
# NOTE(review): protostack=, oe= and auth=esp are Openswan/Libreswan keywords;
# confirm the installed daemon is one of those (strongSwan does not use them).
config setup
        # strictcrlpolicy=yes
        uniqueids = yes
        oe=off
        protostack=netkey
# Transport-mode SA between the two public addresses; L2TP rides inside it.
conn home-42
    # Pre-shared key; the key itself lives in ipsec.secrets (not shown on this page)
    # and must match the secret= value configured in the MikroTik peer.
    authby=secret
    auto=start
    # Dead-peer detection: probe every 30s, tear down and restart after 120s of silence.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    auth=esp
    # pfs=no disables a fresh DH exchange for the IPsec SA, i.e. no forward secrecy
    # for the data keys. NOTE(review): this sits oddly with the modp1024 group in
    # esp= below and with pfs-group=modp1024 on the MikroTik proposal; which side
    # wins depends on the daemon's handling of pfs=no — confirm the negotiated result.
    pfs=no
    rekey=no
    # Allow IKE fragmentation for large payloads (certificates, many proposals).
    fragmentation=yes
    # Transport mode (no inner tunnel), the usual mode for L2TP/IPsec.
    type=transport
    # IKE proposal: AES-128, SHA-1 integrity, 1024-bit MODP (DH group 2).
    # SHA-1 and modp1024 are below current recommendations; they are kept because
    # the peer offers them — move both ends to SHA-2 and a larger group if supported.
    ike=aes128-sha1-modp1024
    # IKE SA lifetime 24h; IPsec SA lifetime 1h (matches lifetime=1h on the MikroTik proposal).
    ikelifetime=86400s
    lifetime=3600s
    # Legacy IKEv1 negotiation.
    keyexchange=ikev1
    # ESP proposals; the peer's proposal lists aes-256-cbc,aes-128-cbc with sha1.
    esp=aes128-sha1-modp1024,aes256-sha1-modp1024
    # left = this server's public address (x.x.x.x is a placeholder),
    # right = the MikroTik's public address (y.y.y.y is a placeholder).
    left=x.x.x.x
    right=y.y.y.y

/etc/xl2tpd/xl2tpd.conf

; xl2tpd listens on UDP/1701. Only the IPsec policy makes this confidential:
; make sure the firewall admits 1701 only from traffic that arrived via IPsec,
; otherwise plaintext L2TP is reachable from anywhere.
[global]
port = 1701
; NOTE(review): SAref tracking needs kernel/daemon support for it — confirm it
; is actually available, otherwise this setting is ignored.
ipsec saref = yes
; Single LNS instance handing out addresses from the pool below.
[lns default]
; Pool spans 10.52.0.2 through 10.52.1.100; the server itself is 10.52.0.1.
ip range = 10.52.0.2-10.52.1.100
local ip = 10.52.0.1
length bit = yes
; PAP and CHAP are refused here; the actual authentication method is enforced
; by pppd through the options file referenced below (MS-CHAPv2 only).
refuse pap = yes
refuse chap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/options.xl2tpd

# pppd options for the L2TP sessions: MS-CHAPv2 is the only accepted
# authentication method; every weaker method is explicitly refused.
require-mschap-v2
# MPPE left disabled: confidentiality is provided by the outer IPsec SA.
#require-mppe
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
# DNS servers pushed to the client.
ms-dns 1.1.1.1
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
# Keep passwords out of the (verbose) logs enabled by 'debug' below.
hide-password
modem
# NOTE(review): 'debug' logs every LCP/auth exchange to syslog; consider
# removing it once the link is stable.
debug
# Local name used when looking up the peer's credentials in the secrets file.
name xl2tpd
# Answer ARP for the client's address on the LAN so it is reachable locally.
proxyarp
# LCP keepalive: echo every 30s, drop the session after 4 missed replies.
lcp-echo-interval 30
lcp-echo-failure 4
# Never let a client session replace the server's default route.
nodefaultroute

Mikrotik (client):

peer:

# IKE peer = the Ubuntu server (x.x.x.x placeholder); local-address is this
# router's public address (y.y.y.y placeholder). secret="secret" is a
# placeholder for the PSK and must equal the server's ipsec.secrets entry.
# nat-traversal=no assumes no NAT between the two public addresses.
# The server's ike= line only offers aes128, so aes-128 is what gets negotiated.
add address=x.x.x.x/32 comment=Hetzner dh-group=modp1024 enc-algorithm=aes-256,aes-128 local-address=y.y.y.y\
  nat-traversal=no secret="secret" send-initial-contact=no

proposal:

# ESP proposal matching the server's esp= line (AES-CBC + SHA-1, 1h lifetime).
# NOTE(review): pfs-group=modp1024 requests forward secrecy, while the server
# has pfs=no — confirm which side's preference is applied to the negotiated SA.
# SHA-1 and modp1024 are below current recommendations; upgrade both ends together.
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name=hetzner pfs-group=modp1024

policy:

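# Encrypt all UDP between the two public addresses (L2TP/1701 rides inside).
# NOTE(review): the proposal defined on this page is named "hetzner"; the
# original referenced "gre-hetzner", which is not defined anywhere on the page,
# so it was changed to match — confirm no separate "gre-hetzner" proposal exists.
# The selector covers every UDP port; a dst-port= restriction to 1701 would be
# tighter if nothing else between the hosts needs protection — verify first.
add comment="Hetzner VPS; encrypt UDP" dst-address=x.x.x.x/32 proposal=hetzner protocol=udp src-address=y.y.y.y/32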