  • MikroTik GRE Tunnel

    A GRE tunnel is a very quick and easy way to set up an (optionally encrypted) tunnel between two endpoints whose WAN IP addresses are known and static. The GRE tunnel does NOT work with dynamic IP addresses.
    Set up the following on both endpoints, swapping remote and local values where applicable.
    /interface gre add allow-fast-path=no comment="Site 2 Site Network" ipsec-secret="VERY_STRONG_PASSWORD" keepalive=5s,5 local-address=LOCAL_WAN_IP_ADDRESS name=gre-tunnel-location1 remote-address=REMOTE_WAN_IP_ADDRESS
    # reconstructed line: assigns the tunnel-side address described under GRE_INTERFACE_IP_ADDRESS below
    /ip address add address=GRE_INTERFACE_IP_ADDRESS interface=gre-tunnel-location1
    /ip route add distance=1 dst-address=REMOTE_LAN_IP_SUBNET gateway=gre-tunnel-location1
    /ip route add distance=1 dst-address=REMOTE_L2TP_VPN_IP_SUBNET gateway=gre-tunnel-location1

    LOCAL_WAN_IP_ADDRESS - external STATIC IP address assigned by your ISP to the local router.
    REMOTE_WAN_IP_ADDRESS - external STATIC IP address assigned by your ISP to the remote router.
    GRE_INTERFACE_IP_ADDRESS - an arbitrary IP address not in use anywhere else in your network(s); the other end of the GRE tunnel must be in the same subnet. eg: one end is, the other is
    REMOTE_LAN_IP_SUBNET - the LAN subnet of the remote site. eg:
    REMOTE_L2TP_VPN_IP_SUBNET - the subnet of the remote L2TP VPN network, if any. eg: See MikroTik L2TP-IPSec Server.
    Adding this second route allows VPN clients to route packets to/from the other end of the GRE tunnel.
    N.B. Including the ipsec-secret= option requires allow-fast-path=no.
  • MikroTik L2TP-IPSec Server

    /ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024

    The 192.168.11.x IP addresses are an arbitrary, NOT-in-use IP address range reserved for the VPN. Remember to add an appropriate route on the connecting client so it can reach the 'real/normal' internal LAN, with the gateway being the local-address IP address specified above (in the above case, Each /ppp secret (user login) needs a unique IP address in the same range.
    Move the firewall filter rules to the top (first) of the firewall rule list: list them with /ip firewall filter print all, then reorder with /ip firewall filter move from_number to_number.
    DNS1,DNS2 are the DNS servers used on the normal LAN - I normally include any LAN server running a DNS server and the gateway router itself. Separate IP addresses with a comma; a single server is fine.
    STRONGSECRET1 is typically a nice long password.
    STRONGSECRET2 is typically something an end user might know or remember (but not necessarily).
    Remember these DO show up in any exported config file.
  • Network Manager - L2TP/IPSec VPN with non-Network Manager VPN Servers


    Issue with VPN servers only proposing IPsec IKEv1 weak legacy algorithms

    There is a general consensus that the following legacy algorithms are now considered weak or broken in regards to security and should be phased out and replaced with stronger algorithms.

    Encryption Algorithms :


    Integrity Algorithms :


    Diffie Hellman Groups :


    Legacy algorithms that are considered weak or broken are regularly removed from the default set of allowed algorithms with newer releases of strongSwan and Libreswan.

    As of strongSwan 5.4.0 and Libreswan 3.20, the above algorithms have been deprecated or, in some cases, already removed from the default set of allowed algorithms (apart from SHA1 and MODP1536, which Libreswan still includes for backwards compatibility).

    If you are not sure which IKEv1 algorithms your VPN server uses, you can query the VPN server with the ike-scan.sh script from the IPsec IKEv1 algorithms section of the Wiki :


    If the VPN server is only proposing weak or broken algorithms, it is recommended that it be reconfigured to propose stronger algorithms, e.g. AES, SHA2 and MODP2048.

    If for some reason the VPN server cannot be reconfigured and you are not too concerned about security, as a workaround you can specify your own phase 1 (IKE) and phase 2 (ESP) algorithms in the Advanced section of the IPsec Options dialog box. See the following example and the IPsec IKEv1 algorithms section of the Wiki for more details :


    Example workaround for 3DES, SHA1 and MODP1024 broken algorithms

    Unfortunately there are many L2TP/IPsec VPN servers still offering only 3DES, SHA1 and MODP1024. One of the main reasons for this is probably that it has been the default Microsoft has offered with its L2TP/IPsec VPN servers since the days when Windows XP was the main client.

    If you are using strongSwan for IPsec client support, enter the following in the corresponding IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1-modp1024
    Phase2 Algorithms : 3des-sha1

    If you are using Libreswan >= 3.20 for IPsec client support, enter the following in the IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1;modp1024
    Phase2 Algorithms : 3des-sha1
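    An added example (mine, not from the Network Manager wiki) that parses phase 1/phase 2 strings in both the strongSwan and Libreswan notations shown above, flags the legacy algorithms this page names, and rewrites them with the page's recommended replacements; the weak set also includes DES, MD5 and MODP768, which is my assumption beyond the page's list.

```python
"""Audit IKEv1 phase 1 / phase 2 proposal strings in strongSwan and Libreswan notation."""
# Legacy algorithms this page calls weak or broken: 3DES, SHA1, MODP1024, MODP1536.
# DES, MD5 and MODP768 are added as equally well-known legacy choices (my assumption).
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

# Replacements following the page's advice (AES, SHA2, MODP2048), spelled per tool.
REPLACEMENT = {
    "strongswan": {"enc": "aes256", "integ": "sha256", "dh": "modp2048"},
    "libreswan": {"enc": "aes256", "integ": "sha2_256", "dh": "modp2048"},
}


def parse_proposal(proposal):
    """Split a comma-separated proposal string into dicts with keys enc, integ, dh.

    strongSwan: "3des-sha1-modp1024"; Libreswan: "3des-sha1;modp1024";
    phase 2 strings may omit the DH group entirely: "3des-sha1".
    """
    result = []
    for item in proposal.split(","):
        item, dh = item.strip().lower(), None
        if ";" in item:  # Libreswan puts the DH group after ';'
            item, dh = item.split(";", 1)
        parts = item.split("-")
        if dh is None and parts[-1].startswith(("modp", "ecp", "curve")):
            dh = parts.pop()  # strongSwan joins the DH group with '-'
        if not 1 <= len(parts) <= 2 or not parts[0]:
            raise ValueError(f"unrecognised proposal: {item!r}")
        integ = parts[1] if len(parts) == 2 else None  # None for AEAD ciphers
        result.append({"enc": parts[0], "integ": integ, "dh": dh})
    return result


def weak_components(proposal):
    """Return weak algorithm names found in the string, in order of first appearance."""
    found = []
    for p in parse_proposal(proposal):
        for alg in (p["enc"], p["integ"], p["dh"]):
            if alg in WEAK and alg not in found:
                found.append(alg)
    return found


def hardened(proposal, style):
    """Rewrite the string with each weak component replaced, keeping the tool's notation."""
    repl, out = REPLACEMENT[style], []
    for p in parse_proposal(proposal):
        enc, integ, dh = (repl[k] if p[k] in WEAK else p[k] for k in ("enc", "integ", "dh"))
        body = enc if integ is None else f"{enc}-{integ}"
        sep = ";" if style == "libreswan" else "-"
        out.append(body if dh is None else f"{body}{sep}{dh}")
    return ",".join(out)
```

    Running weak_components() over the two workaround strings above reports 3des, sha1 and modp1024, and hardened() gives the equivalent AES/SHA2/MODP2048 string in the same notation, ready to paste into the dialog once the server has been fixed.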

  • Windows L2TP VPN Clients

    I have a couple of customers whose L2TP-IPSEC VPN Windows 10 client connections stopped connecting to the company VPN.
    To fix this:
    1. Uninstall all the WAN Miniport devices, under Network Adapters, in Windows Device Manager.
    2. Then Scan for Hardware Changes and let Windows reinstall the WAN Miniport devices.
    3. Then try your L2TP VPN client. It's bound to work!