I try to setup l2tp+ipsec server for my mobile use and my home router use.
So I made some setup and checked it works fine from android device. I see encryption on ipsec –status.
My system is CentOS Linux release 7.0.1406 (Core) based on Digital Ocean.
My problem is that I can connect to L2TP server from Mikrotik without ipsec.
So now I need some advices:
How to deny L2TP connection without IPSEC encryption on linux side, because I can connect to xl2tpd from mikrotik even if ipsec demon stopped.
How to properly configure mikrotik to connect to l2tp+ipsec server in ipsec transport mode.
Here is my linux configs:
/etc/ppp/options.xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
auth
crtscts
idle 1800
mtu 1310
mru 1310
hide-password
modem
name l2tpd
multilink
lcp-echo-interval 5
lcp-echo-failure 4
proxyarp
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes
auth file = /etc/ppp/chap-secrets
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ipsec.conf
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.250.0/24,%v4:!192.168.$
keep_alive=1800
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=8
ikelifetime=8h
keylife=1h
type=transport
left=146.185.XXX.XXX
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
Best Answer
I've posted this question to xl2tpd team on GitHub, this is the answer (checked and worked on my setup):
https://github.com/xelerance/xl2tpd/issues/97