VPN L2TP Mikrotik+Radius (Windows NPS)

Today I’ll tell you how I set up L2TP on Mikrotik with authorization through Active Directory (AD). I’ll tell you about 2 schemes for implementing access to networks (a little about security).

Of course you say that there are a lot of such articles ( exampleexample 2), but I did a little automation for users, read on….

Let’s start with a description of the circuit

Users connect to Mikrotik, it is better of course Mikrotik with hardware support for IPsec, these are models such as RB730Gr3 or RB4011 or CCR1009, logging in via AD, for this we need RAIDUS, and then the user must enter the network to access the terminal server (in our case only to the network 192.168.10.0/24 vlan 20).

The user is prohibited from connecting to our network and network of servers (see the latest screenshot).

Let’s start creating a network, create a pool ip that we will distribute to our clients

Create a pool for our VPN network
Create a pool for our VPN network

This is the range I chose, but you can take any of private:

this is the range i chose
this is the range i chose

Next, we create a PPP profile IP-> PPP-> Profiles, I indicated DNS – this is also the ip of this microtic, you can use this example to specify 172.16.45.1 (this will be useful to us later), specify the name, address of our microtic 172.16.45.1 and select our newly created pool.

Change TCP MSS – yes

Use UPnP can be selected no

in the protocols tab, remove the ability to use IPv6 (if you have it)

“We left Encryption in the PPP Profile, Compression in default – hello MPPE inside IPsec”, we don’t need this, so we enable it.

After we created the profile, we go back and turn on the L2TP Server, indicate everything as in the figure, only between the second and third steps you need to select our newly created profile.

In the third step, we turn on the use of encryption, so that our data, if we can intercept, could not be decrypted. in the fourth step, we specify our IPsec key (the longer the better)

“The Pre Shared Key for IKE AUTH must be at least 32 characters long and created with an entropy of at least 256 bits.

IKE Aggressive exchange must be disabled to avoid Offline Dictionary Attack on your PSK.”

Called ID Type, I have ip address specified, and a little later I checked one session per host (but if it works from under NAT, then more than 1 client will still not connect)

in Default-Profile we specify our profile, see figure

“If you don’t reduce the MTU to fail-safe 1400, then fragmentation after encapsulation will occur, resulting in poor IPsec tunnel performance.

That is, we encapsulate the IP packet into a PPP frame, then into an L2TP packet, then into UDP, then into ESP, then if we are lucky, immediately into IP, if not again into UDP and then into IP, the last step will require fragmentation, since the final size of UDP / ESP will exceed MTU.”

Obviously, the reason for this is the complex way of processing traffic, which falls entirely on the shoulders of the CPU. Can this be avoided somehow? It is possible, in RouterOS v6 a new technology appeared for this – fast path (fast track), which allows you to direct traffic along a fast path, without processing by the OS kernel, which can significantly reduce the load on the system.

The main idea underlying this technology is that packets of already established connections, as well as those sections of traffic transmission where filtering and control are not required, can be sent along a fast path, thereby unloading the processor and speeding up data transfer. Fast Path is an interface driver extension that allows it to interact directly with some RouterOS subsystems and skip the rest.

We will authorize users through Windows Active Directory, for this we need Radius, go

IP->PPP->Secrets and, as shown in the figure, enable Radius authentication

enable Radius authentication
enable Radius authentication

Next, we need to configure the work of Radius, let’s start from the Mikrotik side, as shown in the figure below, the radius will be used only for PPP connections,

  • specify the ip of our server with the deployed NPS service on Windows Server, in our case it is 192.168.10.2

  • We come up with a key for Radius to work (Mikrotik and NPS interactions) this is not the key that we came up with IPsec

  • Source IP address of the packets sent to RADIUS server leave 0.0.0.0/0

2. Windows Server setup

First, let’s add a new role, this is the “Network Policy Server” (NPS), required to deploy the Radius server, step by step instructions below.

And we also need the CMAK administration package

enable CMAK
enable CMAK

Launching NPS

Registering the server in Active Directory

If we work with Mikrotik, then it is enough to leave only ports 1812 and 1813

Create a RADIUS client

In our case, it will be Mikrotik, we indicate its ip address, we have a gateway, in paragraphs 3.4 (see figure) we indicate the secret phrase that we will use to connect the client

We go to the AD controller, create a VPN access group, add users to it who will have access to the connection.

Let’s get back to NPS.

Let’s go to “Policies-> Network Policies”, create a new

We indicate in the policies that we will let a specific group.

Specify a normal client name so that bots do not connect

Authentication will be MS-CHAP-v2, we do not use EAP certificates, whoever wants to can deploy a certification authority and issue certificates, but that’s a completely different story …

Create a request policy

We will limit VPN operation by days of the week and time of day (there is nothing to break us while we sleep)

I banned work from 1 am to 5 am and on Sunday

3. Customizing the client package via CMAK

please note if you need to create a package for 32-bit systems, you will need to install CMAK on a 32bit machine and do the same manipulations on it

Below are step-by-step screenshots for creating a package

specify a later windows
specify a later windows
create a new profile
create a new profile
the name of the service is better to call the name of the organization so it will be clearer for the user
the name of the service is better to call the name of the organization so it will be clearer for the user
because  ip can change, it is better to specify a domain name, it will not be difficult to register cname or A record
because ip can change, it is better to specify a domain name, it will not be difficult to register cname or A record
IPv6 is hard for me, that's why we don't use it
IPv6 is hard for me, that’s why we don’t use it
specify VPN strategies - L2TP, I have not chosen correctly!,
specify VPN strategies – L2TP, I have not chosen correctly!,

go to settings

We will not distribute the Internet through ourselves, so we uncheck
We will not distribute the Internet through ourselves, so we uncheck

Specify the IPsec key in the section and the “shared key” the one from the Mikrotik settings section (see above)

We come up with a PIN code to launch this application, we will inform the user of this pin instead of a long IPsec password. I have a pin is something not complicated for example:

#You2021Company!, where YouCompany is your company name.

And here is just that trick, here we indicate “batch file” with a route, so that the user would transparently get and work with the network that we want to provide him.

Here is what is specified in our route.bat

If you want, you can brandunder the style of the company, specify the logotype

Specify the agreement file for the user (something scary, so that they would not disclose their passwords to anyone!)

Along this path, we create a working package, pack it in zip and upload it to our site, and send all users there, and you can also make instructions on the site so that the user can determine if he needs a 32 or 64-bit package.

Firewall setup

Create a Rule in Mikrotik

Exclusion from NAT L2TP clients via ipsec:out is not required, this is only relevant for transit traffic and pure IPsec. Since XFRM lookup is performed after SNAT, for L2TP clients RD is performed before SNAT, and after encapsulating L2TP in ESP, traffic is generated locally and does not enter SNAT.”

In the main rule of s-nat or masquerading (who has a special case configured), we indicate that we "NOT NATIM"!
In the main rule of s-nat or masquerading (who has a special case configured) we indicate that we “DO NOT HAVE”!

We prohibit the interaction of the network with each other ip->firewall->rules tab, withset the action value “drop”.

That’s all, now you can check, throw the user into the domain group, download the zip package, install and try to log in.

Used the following posts:

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *