Setting up a secure VPN is crucial for protecting your data, especially when you're dealing with sensitive information or accessing networks remotely. One robust solution is combining L2TP (Layer Two Tunneling Protocol) with IPSec (Internet Protocol Security) on a Mikrotik router, enhanced by certificate authentication. This guide will walk you through the process step-by-step, ensuring a secure and reliable VPN connection.

    Understanding L2TP, IPSec, and Certificates

    Before diving into the configuration, let's clarify what each component does:

    • L2TP (Layer Two Tunneling Protocol): L2TP creates a VPN tunnel, allowing data to be transmitted securely between two points. It doesn't provide encryption on its own, which is why it's often paired with IPSec.
    • IPSec (Internet Protocol Security): IPSec provides encryption, authentication, and integrity checks for your data packets. It ensures that the data transmitted through the L2TP tunnel is protected from eavesdropping and tampering.
    • Certificates: Certificates are digital documents that verify the identity of a device or user. Using certificates for authentication adds a strong layer of security, making it harder for unauthorized users to access your VPN. Instead of relying solely on passwords, which can be vulnerable to cracking or phishing, certificates use cryptographic keys to confirm the identity of the connecting device. This method significantly enhances security because the private key, which is essential for authentication, remains securely stored on the device and is never transmitted over the network. The certificate authority (CA) issues these certificates, acting as a trusted third party that vouches for the identities of the parties involved. When a device attempts to connect to the VPN, the server checks the device's certificate against the CA's public key to verify its authenticity. This process ensures that only devices with valid certificates issued by a trusted CA can establish a VPN connection, greatly reducing the risk of unauthorized access.

    Why Use Certificates for L2TP/IPSec?

    While pre-shared keys (PSK) are a common method for IPSec authentication, certificates offer several advantages:

    • Enhanced Security: Certificates are much harder to compromise than pre-shared keys. Pre-shared keys can be vulnerable to brute-force attacks or exposure if not managed carefully. Certificates, on the other hand, rely on cryptographic keys, making them significantly more secure.
    • Scalability: Managing certificates is easier in large deployments. Distributing and updating pre-shared keys across many devices can be a logistical nightmare. Certificates can be managed centrally, making it simpler to deploy and maintain a secure VPN for a large number of users.
    • Improved Authentication: Certificates provide stronger authentication. They verify the identity of the connecting device, ensuring that only authorized devices can access the VPN. This level of authentication is crucial for protecting sensitive data and preventing unauthorized access.

    Prerequisites

    Before you begin, make sure you have the following:

    • A Mikrotik Router: This guide assumes you have a Mikrotik router with RouterOS installed and configured.
    • RouterOS Version: Ensure your RouterOS is up to date. Newer versions often include security patches and improvements.
    • Basic Networking Knowledge: Familiarity with IP addressing, subnets, and routing will be helpful.
    • Certificate Authority (CA): You'll need a CA to issue certificates for your server and client. You can use an internal CA (if you have one) or a public CA.

    Step-by-Step Configuration Guide

    Step 1: Create a Certificate Authority (CA)

    If you don't have an existing CA, you can create one on your Mikrotik router:

    1. Open Winbox and connect to your Mikrotik router.
    2. Go to System > Certificates.
    3. Click the "+" button and select "Issue".
    4. Fill in the following details:
      • Name: A descriptive name for your CA (e.g., "MyInternalCA").
      • Common Name: The domain name or IP address of your router (e.g., "router.example.com" or "192.168.88.1").
      • Days Valid: The validity period of the CA certificate (e.g., 3650 for 10 years).
      • Key Size: 2048 (or higher for better security).
      • Key Usage: check keyCertSign and crlSign.
    5. Click "Apply" and then "Sign".
    6. Choose the CA you just created and enter the passphrase.
    7. Click "OK".
    8. Export the CA certificate: Select the CA certificate and click "Export". Choose a location to save the certificate file (e.g., "ca.crt"). You'll need this file to import the CA certificate on your client devices.

    Step 2: Create a Server Certificate

    Next, create a certificate for the L2TP/IPSec server (your Mikrotik router):

    1. In the Certificates window, click the "+" button and select "Issue".
    2. Fill in the following details:
      • Name: A descriptive name for your server certificate (e.g., "L2TPServerCert").
      • Common Name: The domain name or IP address of your router (same as the CA). This is crucial for proper validation.
      • Days Valid: The validity period of the server certificate (e.g., 3650).
      • Key Size: 2048 (or higher).
      • Key Usage: check digitalSignature, keyEncipherment and tlsServer.
    3. Click "Apply" and then "Sign".
    4. Choose the CA you created earlier and enter the passphrase.
    5. Click "OK".

    Step 3: Create a Client Certificate

    Now, create a certificate for the client device that will connect to the VPN. You'll need to create a separate certificate for each client device.

    1. In the Certificates window, click the "+" button and select "Issue".
    2. Fill in the following details:
      • Name: A descriptive name for your client certificate (e.g., "Client1Cert").
      • Common Name: A unique identifier for the client (e.g., "client1").
      • Days Valid: The validity period of the client certificate (e.g., 365).
      • Key Size: 2048 (or higher).
      • Key Usage: check digitalSignature, keyEncipherment and tlsClient.
    3. Click "Apply" and then "Sign".
    4. Choose the CA you created earlier and enter the passphrase.
    5. Click "OK".
    6. Export the Client certificate and key: Select the Client certificate and click "Export". Choose a location to save the certificate and key files (e.g., "client1.crt" and "client1.key"). Important: Protect these files carefully! They are needed to configure the VPN client and should be kept secure. Consider using a password to protect the exported files.

    Step 4: Configure IPSec

    Configure IPSec settings to use the certificates for authentication:

    1. Go to IP > IPSec > Profiles.
    2. Click the "+" button to create a new profile.
    3. Fill in the following details:
      • Name: A descriptive name for the profile (e.g., "L2TPIPSecProfile").
      • Hash Algorithm: sha256 (or sha512 for higher security).
      • Encryption Algorithm: aes256 (or aes128).
      • DH Group: modp2048 (or modp4096 for higher security).
    4. Go to IP > IPSec > Peers.
    5. Click the "+" button to create a new peer.
    6. Fill in the following details:
      • Address: 0.0.0.0/0 (to allow connections from any IP address – for testing, it is recommended to limit to one IP).
      • Profile: Select the profile you created earlier (e.g., "L2TPIPSecProfile").
      • Exchange Mode: ike2.
      • Send Initial Contact: Yes.
      • Certificate: Select the server certificate you created earlier (e.g., "L2TPServerCert").
      • Verify Certificate: Yes.
      • Verify Certificate Authority: Select the CA you created earlier (e.g., "MyInternalCA").

    Step 5: Configure L2TP Server

    Configure the L2TP server to use IPSec for encryption:

    1. Go to PPP > Interfaces.
    2. Click the "+" button and select "L2TP Server Binding".
    3. Fill in the following details:
      • Name: A descriptive name for the L2TP server (e.g., "L2TPServer").
      • Interface: The interface on which the L2TP server will listen (e.g., "ether1" or your WAN interface).
      • IPSec Secret: Leave this blank (as we're using certificates).
      • Authentication: Select "mschap2".
      • Default Profile: default-encryption. Alternatively create your own profile and set it in PPP > Profiles. Make sure encryption is enabled in that profile!

    Step 6: Create a PPP Profile

    Create a PPP profile to assign IP addresses and DNS settings to the VPN clients:

    1. Go to PPP > Profiles.
    2. Click the "+" button to create a new profile.
    3. Fill in the following details:
      • Name: A descriptive name for the profile (e.g., "L2TPProfile").
      • Local Address: The IP address of the Mikrotik router on the VPN network (e.g., "192.168.10.1").
      • Remote Address: A pool of IP addresses to assign to VPN clients (e.g., "192.168.10.2-192.168.10.254"). Make sure this range doesn't conflict with your existing network.
      • DNS Server: The DNS server(s) to use for VPN clients (e.g., "8.8.8.8, 8.8.4.4").
      • Use Encryption: yes.

    Step 7: Create a PPP Secret (User Account)

    Create a PPP secret for each user who will connect to the VPN. This is a username and password combination that the user will use to authenticate.

    1. Go to PPP > Secrets.
    2. Click the "+" button to create a new secret.
    3. Fill in the following details:
      • Name: The username for the VPN user (e.g., "john.doe").
      • Password: The password for the VPN user.
      • Service: l2tp.
      • Profile: The PPP profile you created earlier (e.g., "L2TPProfile").
      • Disabled: No.

    Step 8: Configure the Client Device

    Now, configure the client device to connect to the L2TP/IPSec VPN using the certificate. The steps will vary depending on the operating system of the client device.

    Windows

    1. Import the CA certificate:
      • Open the Run dialog box (Windows Key + R).
      • Type mmc and press Enter.
      • In the MMC console, go to File > Add/Remove Snap-in...
      • Select Certificates and click Add >. Select Computer account and click Next. Select Local computer and click Finish. Click OK.
      • In the MMC console, go to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
      • Right-click in the right pane and select All Tasks > Import...
      • Follow the wizard to import the CA certificate file (ca.crt) you exported from the Mikrotik router.
    2. Import the client certificate:
      • In the MMC console, go to Certificates (Local Computer) > Personal > Certificates.
      • Right-click in the right pane and select All Tasks > Import...
      • Follow the wizard to import the client certificate file (client1.crt) and the associated private key (client1.key). You may be prompted for a password if you set one when exporting the certificate.
    3. Create a VPN connection:
      • Go to Settings > Network & Internet > VPN > Add a VPN connection.
      • VPN provider: Windows (built-in).
      • Connection name: A descriptive name for the VPN connection (e.g., "MyL2TPVPN").
      • Server name or address: The domain name or IP address of your Mikrotik router.
      • VPN type: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
      • Type of sign-in info: Certificate.
      • User name (optional): The username you created in PPP Secrets on the Mikrotik router.
      • Password (optional): The password you created in PPP Secrets on the Mikrotik router.
      • Click Save.
    4. Connect to the VPN:
      • Click on the VPN connection you created.
      • Click Connect.

    macOS

    1. Import the CA certificate:
      • Open Keychain Access (in /Applications/Utilities/).
      • Drag the CA certificate file (ca.crt) into Keychain Access.
      • When prompted, choose the System keychain.
      • Find the imported certificate in the Keychain Access list. Double-click it.
      • Expand the Trust section. In the When using this certificate: dropdown, select Always Trust.
      • Close the certificate window. You'll be prompted to enter your administrator password to update the trust settings.
    2. Import the client certificate:
      • Drag the client certificate file (client1.crt) and the associated private key (client1.key) into Keychain Access.
      • When prompted, choose the Login keychain.
    3. Create a VPN connection:
      • Go to System Preferences > Network.
      • Click the "+" button to add a new network service.
      • Interface: VPN.
      • VPN Type: L2TP over IPSec.
      • Service Name: A descriptive name for the VPN connection (e.g., "MyL2TPVPN").
      • Click Create.
    4. Configure the VPN connection:
      • Configuration: Default.
      • Server Address: The domain name or IP address of your Mikrotik router.
      • Account Name: The username you created in PPP Secrets on the Mikrotik router.
      • Click Authentication Settings...
        • Password: The password you created in PPP Secrets on the Mikrotik router.
        • Machine Authentication: Certificate
        • Select the appropriate client certificate from the popup menu.
      • Click OK.
      • Click Apply.
    5. Connect to the VPN:
      • Click Connect.

    Step 9: Verify the Connection

    Once the client is connected, verify that the VPN connection is working correctly:

    • Check the IP address: On the client device, check the IP address to ensure it's within the range you configured in the PPP profile.
    • Test connectivity: Try pinging a device on the VPN network (e.g., the Mikrotik router's LAN IP address).
    • Monitor the connection: On the Mikrotik router, go to PPP > Active Connections to see the active VPN connections.

    Troubleshooting

    If you encounter issues, here are some common troubleshooting steps:

    • Check the logs: Examine the Mikrotik router's logs (System > Logging) for any error messages related to IPSec or L2TP.
    • Verify certificate validity: Ensure that the certificates are valid and haven't expired.
    • Check firewall rules: Make sure that the firewall rules on the Mikrotik router are not blocking the VPN traffic. Ensure that port 500 and 4500 UDP traffic is allowed.
    • Verify IPSec configuration: Double-check the IPSec profile and peer settings to ensure they are configured correctly.
    • Check client configuration: Verify that the client device is configured correctly with the correct certificates and settings.
    • MTU Issues: Sometimes, MTU (Maximum Transmission Unit) issues can cause connectivity problems. Try adjusting the MTU settings on the client device or the Mikrotik router.

    Security Considerations

    • Keep RouterOS Updated: Regularly update your Mikrotik RouterOS to the latest version to patch security vulnerabilities.
    • Strong Passwords: Use strong, unique passwords for all user accounts.
    • Monitor Logs: Regularly monitor the Mikrotik router's logs for any suspicious activity.
    • Limit Access: Only allow necessary users to access the VPN.
    • Certificate Revocation: Implement a certificate revocation process to revoke certificates that have been compromised.

    Conclusion

    Setting up L2TP IPSec with certificate authentication on a Mikrotik router provides a secure and reliable VPN solution. By following this guide, you can create a secure tunnel for remote access to your network, protecting your data from unauthorized access. Remember to keep your RouterOS updated and monitor your logs for any suspicious activity to maintain a secure VPN environment. This comprehensive approach not only secures your network but also ensures that your data remains protected, whether you're accessing it from home, a coffee shop, or anywhere in between. By investing the time to configure these security measures, you're taking a proactive step in safeguarding your digital assets and maintaining your peace of mind.

Lastest News