VPN L2TP Mikrotik+Radius (Windows NPS)
Today I’ll tell you how I set up L2TP on Mikrotik with authorization through Active Directory (AD). I’ll tell you about 2 schemes for implementing access to networks (a little about security).
Of course you say that there are a lot of such articles ( exampleexample 2), but I did a little automation for users, read on….
Let’s start with a description of the circuit
Users connect to Mikrotik, it is better of course Mikrotik with hardware support for IPsec, these are models such as RB730Gr3 or RB4011 or CCR1009, logging in via AD, for this we need RAIDUS, and then the user must enter the network to access the terminal server (in our case only to the network 192.168.10.0/24 vlan 20).
The user is prohibited from connecting to our network and network of servers (see the latest screenshot).
Let’s start creating a network, create a pool ip that we will distribute to our clients
This is the range I chose, but you can take any of private:
Next, we create a PPP profile IP-> PPP-> Profiles, I indicated DNS – this is also the ip of this microtic, you can use this example to specify 172.16.45.1 (this will be useful to us later), specify the name, address of our microtic 172.16.45.1 and select our newly created pool.
Change TCP MSS – yes
Use UPnP can be selected no
in the protocols tab, remove the ability to use IPv6 (if you have it)
“We left Encryption in the PPP Profile, Compression in default – hello MPPE inside IPsec”, we don’t need this, so we enable it.
After we created the profile, we go back and turn on the L2TP Server, indicate everything as in the figure, only between the second and third steps you need to select our newly created profile.
In the third step, we turn on the use of encryption, so that our data, if we can intercept, could not be decrypted. in the fourth step, we specify our IPsec key (the longer the better)
“The Pre Shared Key for IKE AUTH must be at least 32 characters long and created with an entropy of at least 256 bits.
IKE Aggressive exchange must be disabled to avoid Offline Dictionary Attack on your PSK.”
Called ID Type, I have ip address specified, and a little later I checked one session per host (but if it works from under NAT, then more than 1 client will still not connect)
in Default-Profile we specify our profile, see figure
“If you don’t reduce the MTU to fail-safe 1400, then fragmentation after encapsulation will occur, resulting in poor IPsec tunnel performance.
That is, we encapsulate the IP packet into a PPP frame, then into an L2TP packet, then into UDP, then into ESP, then if we are lucky, immediately into IP, if not again into UDP and then into IP, the last step will require fragmentation, since the final size of UDP / ESP will exceed MTU.”
Obviously, the reason for this is the complex way of processing traffic, which falls entirely on the shoulders of the CPU. Can this be avoided somehow? It is possible, in RouterOS v6 a new technology appeared for this – fast path (fast track), which allows you to direct traffic along a fast path, without processing by the OS kernel, which can significantly reduce the load on the system.
The main idea underlying this technology is that packets of already established connections, as well as those sections of traffic transmission where filtering and control are not required, can be sent along a fast path, thereby unloading the processor and speeding up data transfer. Fast Path is an interface driver extension that allows it to interact directly with some RouterOS subsystems and skip the rest.
We will authorize users through Windows Active Directory, for this we need Radius, go
IP->PPP->Secrets and, as shown in the figure, enable Radius authentication
Next, we need to configure the work of Radius, let’s start from the Mikrotik side, as shown in the figure below, the radius will be used only for PPP connections,
specify the ip of our server with the deployed NPS service on Windows Server, in our case it is 192.168.10.2
We come up with a key for Radius to work (Mikrotik and NPS interactions) this is not the key that we came up with IPsec
Source IP address of the packets sent to RADIUS server leave 0.0.0.0/0
2. Windows Server setup
First, let’s add a new role, this is the “Network Policy Server” (NPS), required to deploy the Radius server, step by step instructions below.
And we also need the CMAK administration package
Registering the server in Active Directory
If we work with Mikrotik, then it is enough to leave only ports 1812 and 1813
Create a RADIUS client
In our case, it will be Mikrotik, we indicate its ip address, we have a gateway, in paragraphs 3.4 (see figure) we indicate the secret phrase that we will use to connect the client
We go to the AD controller, create a VPN access group, add users to it who will have access to the connection.
Let’s get back to NPS.
Let’s go to “Policies-> Network Policies”, create a new
We indicate in the policies that we will let a specific group.
Specify a normal client name so that bots do not connect
Authentication will be MS-CHAP-v2, we do not use EAP certificates, whoever wants to can deploy a certification authority and issue certificates, but that’s a completely different story …
Create a request policy
We will limit VPN operation by days of the week and time of day (there is nothing to break us while we sleep)
I banned work from 1 am to 5 am and on Sunday
3. Customizing the client package via CMAK
please note if you need to create a package for 32-bit systems, you will need to install CMAK on a 32bit machine and do the same manipulations on it
Below are step-by-step screenshots for creating a package
go to settings
Specify the IPsec key in the section and the “shared key” the one from the Mikrotik settings section (see above)
We come up with a PIN code to launch this application, we will inform the user of this pin instead of a long IPsec password. I have a pin is something not complicated for example:
#You2021Company!, where YouCompany is your company name.
And here is just that trick, here we indicate “batch file” with a route, so that the user would transparently get and work with the network that we want to provide him.
Here is what is specified in our route.bat
If you want, you can brandunder the style of the company, specify the logotype
Specify the agreement file for the user (something scary, so that they would not disclose their passwords to anyone!)
Along this path, we create a working package, pack it in zip and upload it to our site, and send all users there, and you can also make instructions on the site so that the user can determine if he needs a 32 or 64-bit package.
Create a Rule in Mikrotik
Exclusion from NAT L2TP clients via ipsec:out is not required, this is only relevant for transit traffic and pure IPsec. Since XFRM lookup is performed after SNAT, for L2TP clients RD is performed before SNAT, and after encapsulating L2TP in ESP, traffic is generated locally and does not enter SNAT.”
We prohibit the interaction of the network with each other ip->firewall->rules tab, withset the action value “drop”.
That’s all, now you can check, throw the user into the domain group, download the zip package, install and try to log in.
Used the following posts: