Today, connecting to the Internet through a VPN has become common among both home users and corporate clients. When such a connection is established, the transmitted and received data (the outgoing and incoming traffic) is protected on the path between the client and the VPN server. One of the most common connection types is L2TP, normally run together with IPsec. What it is and how to set up such a connection yourself is covered below. The procedure is not fundamentally different from creating any other network connection in Windows, but experts advise meeting several conditions and taking some recommendations into account in order to avoid common mistakes.

L2TP connection: what is it?

First, let's look at what a connection of this type is. L2TP (Layer 2 Tunneling Protocol) is one of the protocols used to build a VPN: a tunnel across the Internet between a client and a server through which the client's traffic is carried.

Connecting this way gives a high level of privacy, but not because of L2TP itself: L2TP only encapsulates PPP frames in UDP and provides no encryption of its own. The protection comes from IPsec, which encrypts and authenticates every packet inside the tunnel. Both sides must hold the same pre-shared key (or certificates) for the IPsec negotiation, and the user additionally authenticates with a login and password. Without the key a third party can neither join the tunnel nor read the traffic, which, as already noted, is carried in encrypted form.

Prerequisites for the connection to work

That was the brief theory, so to speak, for general background. Now let's move on to the practical part and create an L2TP connection. What the technology is should by now be roughly clear, and the basic steps for creating such a connection hardly differ from creating a standard one.

However, before doing so, pay attention to several mandatory points, without which the connection will not only fail to work, it cannot even be created. The main requirements are:

  • an operating system no older than Windows Vista (recommended), although setup is also possible on XP;
  • the address of the corporate server to which the connection is to be made;
  • a login and password for entering the network (and the pre-shared key, if the server uses one).

The initial stage of creating a connection

So, first open the Network and Sharing Center (you can reach it either from the standard Control Panel or from the right-click menu of the network icon in the system tray, to the left of the clock and date). Choose Set up a new connection or network, then Connect to a workplace.

When asked how to connect, choose the first option, Use my Internet connection (VPN); the second option (dial directly) only makes sense when the connection goes through a mobile operator's modem.

Next, the wizard may offer to connect now or to set the connection up for later. Choosing not to connect immediately is recommended but not required (there is no single right answer here), since the VPN type still has to be set manually afterwards.

At the next stage be especially careful, since the accuracy of the server address is paramount. Enter the address, enter an arbitrary name for the new connection (the destination name), and tick the box to remember the entered credentials (this saves you from re-entering them at every subsequent login). Then click the button to create the connection, after which it appears in the network settings section and in the system tray.

VPN type

Now the most important part. The connection has been created, but without additional settings it may not work correctly.

Open the connection's properties from its right-click menu and, on the Security tab, set the VPN type to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). This parameter is required: if the type is left at Automatic, Windows also tries the other tunnel types, which makes failures harder to diagnose. Under Advanced settings enter the pre-shared key issued by the server administrator or provider. All other settings can in principle be left at their defaults.

Some router models require VPN passthrough for PPTP/L2TP to be enabled in the web interface, but with ordinary routers and ADSL modems no such action is required.

Possible errors and failures

Any number of problems can arise when connecting to the Internet through the created connection. The most common cause is ordinary carelessness: a mistyped server address, an invalid login or password, or a wrong pre-shared key.

The second thing to check is the IPv4 properties of the VPN connection. They must be set to obtain both the IP address and the DNS servers automatically: the L2TP server assigns these from its address pool when the PPP session comes up, and a static address configured on the VPN adapter conflicts with that. If several machines on one local or virtual network connect through the same L2TP server, each gets its own login and password, and so its own assigned address. In addition, proxy use must be disabled for local addresses.

Finally, if errors persist even so, try public DNS servers for the preferred and alternate entries, for example Google's 8.8.8.8 and 8.8.4.4. Keep in mind that this only helps with name resolution once the tunnel is up; it does not fix an IPsec negotiation failure.

Instead of an afterword

That's all regarding L2TP connections. What the technology is and how to establish the corresponding connection should now be clear. Looking closely at the practical steps, they are the standard procedure for creating a VPN connection; the only differences are that you must specify the address of the corresponding server, select the L2TP/IPsec type and enter the pre-shared key. Router settings were not covered in detail, since in most cases you can do without changing them.

b.VPN allows the user two simultaneous VPN connections. So if you would like to use the b.VPN service on two devices at the same time, you can use the b.VPN application on one device and manually set up an L2TP VPN connection on the other. Below are the instructions for setting up L2TP VPN on Windows 10.

Important:

* Go to your profile page to view the list of available L2TP VPN servers and the corresponding "Shared Key" (the IPsec pre-shared key).

* Your username and password are the e-mail address and password you registered with b.VPN.

* The L2TP VPN connection is available to paying users only.

Follow these steps to set up L2TP VPN on Windows 10:

Type "Control Panel" in the search box and click the first result.

Click "Network and Internet".

Click "Network and Sharing Center".

Click "Set up a new connection or network".

Click "Connect to a workplace" and then "Next".

Now click "Use my Internet connection (VPN)".

In the "Internet address" field enter any b.VPN server that suits you (for example, ca.usa.site).

In the "Destination name" field enter whatever name you prefer; we recommend using the server address again (ca.usa.site).

Click "Create".

Click the network icon in the taskbar, then click the name of the connection you just created.

From the menu that opens, select "Change adapter options".

Right-click the connection name and select "Properties".

Open the "Security" tab. In the "Type of VPN" list select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)".

Click "Advanced settings".

Select "Use preshared key for authentication" and enter the shared key from your profile page. Click "OK".

Having examined in detail in the previous article how to set up the server side of a VPN connection on Windows, we move on to configuring an L2TP client connection. To begin with, a brief reminder of what L2TP is, just in case.

L2TP is the Layer 2 Tunneling Protocol, a successor that combines features of PPTP and L2F (Cisco's Layer 2 Forwarding protocol). Its advantages are much higher security when run together with IPsec, which encrypts and authenticates the traffic (L2TP itself provides no encryption), and the fact that the control channel and the data channel share one UDP session. For it to work, the following must be allowed through to the server: UDP port 500 (IKE), UDP port 4500 (NAT-T, used whenever the client or the server is behind NAT), IP protocol 50 (ESP) and UDP port 1701 (L2TP; note that this is UDP, not TCP). How to create such rules in the standard firewall if you are connected directly to the Internet, and what to do if you are behind a router, is described in the separate articles.

But we've already read all this; we know. So let's get down to setting up a client VPN connection for L2TP.

First go to the Control Panel; in Windows 7 just click Start and go to Control Panel. Next, depending on the view settings, click either Network and Internet -> Network and Sharing Center -> Set up a new connection or network, or go straight to Network and Sharing Center -> Set up a new connection or network.

The Set Up a Connection or Network wizard appears. Choose Connect to a workplace.

Next, enter the Internet address (the server address) and the name of the connection to be created; if you wish, tick Allow other people to use this connection. Also, just in case, I advise ticking the Don't connect now box, because we will configure the VPN settings manually.

Our connection has been created successfully. Now it needs to be configured. Go to Change adapter settings from the Network and Sharing Center window.

Find our VPN connection there and open Properties from its right-click menu. On the Security tab, for Type of VPN select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).

Since L2TP gets its increased security from encryption via IPsec, the pre-shared key used for authentication to the server is either one we set on the server ourselves, or one that is already set there. It is entered under Security -> Advanced settings -> Use preshared key for authentication. In fact, that's all: there is nothing more to configure on the client side for L2TP. If you suddenly get error 789 when connecting ("The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"), don't be upset; it is a known Windows-side L2TP/IPsec problem, and its solution is described in the article on L2TP error 789.

Sometimes it seems to me that the creators of Mikrotik deliberately deprive themselves of profit by not writing clear step-by-step guides for configuring their products. Almost 100% of the buyers of these routers are trying to set up a VPN, or to use two or more WANs simultaneously or as backups. This is exactly what the happy owners of these wonderful devices are searching for all over the net (and often outside the RuNet). Imagine how much the army of owners would grow if there were two or three wizards in the web interface for configuring these functions. And so... precisely because of the complexity of setup (and, accordingly, fewer people willing to buy), we have an inexpensive, low-powered device for simple tasks that needs to be made to work 24x7x365. For example, as a VPN server. Let's go!

The L2TP protocol provides the data transmission channel, the tunnel.

IPsec protects the data in that tunnel from being read or altered.

We will configure it in the same two parts: first the tunnel, then the data protection.

Note 1: I don't much like text commands with a bunch of options for setting up things that are described often enough, but each time with unnoticed typos, something not copied in the writing (or copied from another site, which happens most often), or simply eaten by the site's CMS text editor. Setting up a VPN is exactly such a case. That's why I have specially written out each step for Mikrotik's GUI, Winbox, especially since there isn't that much to do here.

Note 2: Before version 6.18 there is a bug in the firmware because of which the default policy template is always applied, so update the firmware to the latest stable release. Do not update to the latest but unstable version if you are setting up a VPN.

So, we have a Mikrotik router running firmware 6.30 (July 2015) with LAN 192.168.88.0/24 (the default network). The WAN address does not matter; say 1.2.3.4.

Setting up tunneling (L2TP)

1. IP - Pool / Define the address range for VPN users

Name: vpn_pool
Addresses: 192.168.112.1-192.168.112.10
Next pool: none

It is better to give VPN clients their own address range: it keeps them apart from the LAN hosts, which makes writing firewall rules for them easier, and it is generally best practice.

2. PPP - Profiles / Profile for this particular tunnel

General:
Name: l2tp_profile
Local address: vpn_pool (or you can specify 192.168.88.1; choose whichever you prefer)
Remote address: vpn_pool
Change TCP MSS: yes (clamps the TCP MSS of sessions inside the tunnel so that packets fit the reduced MTU set in step 4 and are not fragmented or silently dropped)

Protocols (all at default):
Use MPLS: default
Use compression: default
Use Encryption: default

Limits:
Only one: default

3. PPP - Secrets / Preparing a VPN user

Name: vpn_user1
Password: bla-bla-bla
Service: l2tp
Profile: l2tp_profile

4. PPP - Interface - L2TP Server button / Enable the L2TP server

Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2 (leave pap, chap and mschap1 unticked)
Use IPsec: yes
IPsec Secret: tumba-yumba-setebryaki (this is not a user password but the pre-shared key, which clients must enter in addition to their login and password)

Configuring data encryption in the tunnel (IPsec)

In the previous step we created the tunnel for data transfer and enabled IPsec. In this section we configure the IPsec parameters themselves.

5. IP - IPSec - Groups

A default policy template group will most likely already exist. Simply delete it and immediately create a new one, for example named policy_group1. You can also just delete the group without creating a replacement, but the web interface will then show errors.

6. IP - IPSec - Peers

Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Passive: yes (ticked)
Secret: tumba-yumba-setebryaki (this is not the user password; it must be the same as the IPsec Secret from step 4)

Policy template group: policy_group1
Exchange mode: main l2tp
Send Initial Contact: yes (ticked)
NAT Traversal: yes (ticked)
My ID: auto
Proposal check: obey
Hash algorithm: sha1
Encryption algorithm: 3des aes-128 aes-256

DH Group: modp1024
Generate policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5

Address 0.0.0.0/0 with Passive ticked means the router only answers IKE requests and accepts them from any source address, which is what road-warrior clients with changing addresses need; the pre-shared key is then the only thing protecting phase 1, so make it long and random. 3DES, SHA-1 and modp1024 are legacy-strength choices, kept here because the older clients used below (Windows 7, iPhone) negotiate them; where all of your clients support it, prefer aes-256, sha256 and modp2048, changed on the peer and on the proposal together.

7. IP - IPSec - Proposals

Roughly "what we can offer you": the phase 2 (ESP) parameters that remote clients may try to negotiate.

Name: default
Auth. algorithms: sha1
Encr. algorithms: 3des, aes-256 cbc, aes-256 ctr
Lifetime: 00:30:00
PFS Group: modp1024

You have probably noticed that steps 6 and 7 look similar, and since the same Secret was entered in both step 4 and step 6, the question arises: why are the same options configured twice? My answer is this: purely from practice, it turned out that Windows 7 required one thing and the iPhone another. I don't know how it works, but it is a fact from practice. For example, if I change the Proposal PFS Group to 2048, Windows connects normally but the iPhone stops. If I do the opposite (set 1024 in the proposal and 2048 in IP - IPSec - Peers), the iPhone connects but Windows does not :) That is, different clients use different parts of the config when connecting. Nonsense? Maybe it is a consequence of gradual changes to the VPN server configuration; I can't say, since old firmware, configs and so on may also have an influence. I don't rule out that something here is redundant, but I don't know what exactly.
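Since whether a given client connects depends on which of its proposals the server's peer entry (phase 1) and proposal entry (phase 2) will accept, it helps to pin the client side explicitly rather than rely on whichever default Windows tries first. The following is an added example, not part of this article or of Mikrotik's documentation: a PowerShell fragment (Windows 8 or later, VpnClient module, elevated prompt) that creates the client connection and attaches an IPsec policy matching exactly the peer and proposal values configured above, with a stronger set beside it for when both ends are upgraded. The connection name, server address and key are the article's own placeholders.

```powershell
# Added example (not from the article): pin the Windows L2TP/IPsec client's
# IKE (phase 1) and ESP (phase 2) parameters to what the Mikrotik peer and
# proposal entries accept. Name, server and PSK are the article's placeholders.
$Name = 'Mikrotik L2TP'
$Psk  = 'tumba-yumba-setebryaki'   # IPsec Secret from PPP - L2TP Server / IPSec - Peers

# Connection as the article configures it in the GUI: L2TP tunnel, PSK for the
# IPsec phase, MS-CHAP v2 only (no PAP/CHAP), encryption required.
Add-VpnConnection -Name $Name -ServerAddress '1.2.3.4' `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Mirror of the article's server values: peer hash sha1 / aes-256 / modp1024,
# proposal sha1 / aes-256-cbc / PFS modp1024. Legacy strength (1024-bit DH,
# SHA-1); kept here only to match the server exactly as configured above.
$AsOnPage = @{
    EncryptionMethod                 = 'AES256'   # IKE cipher (peer: aes-256)
    IntegrityCheckMethod             = 'SHA196'   # IKE hash   (peer: sha1)
    DHGroup                          = 'Group2'   # peer DH group modp1024
    CipherTransformConstants         = 'AES256'   # ESP cipher (proposal: aes-256 cbc)
    AuthenticationTransformConstants = 'SHA196'   # ESP integrity (proposal: sha1)
    PfsGroup                         = 'PFS2'     # proposal PFS modp1024
}

# Where to move both sides once every client supports it. Change the Mikrotik
# peer to sha256 / aes-256 / modp2048 and the proposal to sha256 / aes-256 cbc /
# PFS modp2048 first, then switch the client to this set.
$Hardened = @{
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'   # modp2048
    CipherTransformConstants         = 'AES256'
    AuthenticationTransformConstants = 'SHA256128'
    PfsGroup                         = 'PFS2048'
}

# Apply one set. A mismatch with the server's peer/proposal shows up on the
# client as RAS error 789 when dialling.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name @AsOnPage -Force
# Set-VpnConnectionIPsecConfiguration -ConnectionName $Name @Hardened -Force

# Show what is now attached to the connection (custom policy appears alongside
# the tunnel type and authentication settings).
Get-VpnConnection -Name $Name | Format-List Name, TunnelType, L2tpIPsecAuth, IPsecCustomPolicy
```

With the client pinned this way, a failed connection tells you which side to look at: error 789 means the pinned parameters are not in the server's peer or proposal lists (or UDP 500/4500 and ESP are blocked), while error 691 means IPsec succeeded and the PPP login or password is wrong.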

Firewall

Let's go to the console, for a change:

/ip firewall filter
# IKE (500), NAT-T (4500) and L2TP (1701) all run over UDP. dst-port rather than
# port, so only packets addressed to these ports on the router are matched.
# Put these rules above any final "chain=input action=drop", or they are never reached.
add chain=input action=accept protocol=udp dst-port=500,4500,1701 comment="L2TP/IPsec: IKE, NAT-T, L2TP"
# ESP (IP protocol 50) carries the encrypted payload when NAT-T is not in use
add chain=input action=accept protocol=ipsec-esp comment="L2TP/IPsec: ESP"

If your default forward policy is drop (the last forward rule is "chain=forward action=drop"), you may also need to allow forwarding from the vpn_pool addresses to the local network:

# VPN clients (vpn_pool) may reach the LAN; the in-interface check keeps this
# rule from matching spoofed 192.168.112.0/24 sources arriving on the WAN port
add chain=forward action=accept src-address=192.168.112.0/24 in-interface=!ether1 out-interface=bridge-local comment="allow vpn to lan"

That's all with the server now.

Connecting a remote client

Trying to connect from Windows 7:

Control Panel - Network and Internet - Network and Sharing Center:
Set up a new connection or network
Connect to a workplace
Create a new connection
Use my Internet connection (VPN)
Internet address: the IP address or DNS name of the router
Username and password: from PPP - Secrets. In our case, vpn_user1 and its password.

Try to connect.

If it doesn't work, or you just want to configure the created connection:

Security tab:

Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)

Advanced settings: Use preshared key for authentication. In our case it is "tumba-yumba-setebryaki" (from IP - IPSec - Peers):

Here, in the "Authentication" group, leave only Microsoft CHAP Version 2 (MS-CHAP v2) ticked, matching the mschap2 setting of the L2TP server:

Click OK and try to connect. It should work. If not, see the VPN setup errors page.

Update 1: People often ask how several (more than one) clients from the same local network (behind NAT) can connect to one remote Mikrotik VPN server. I don't know how to achieve this with an L2TP/IPsec connection. You could call it an implementation bug. I haven't found a simple explanation or solution to the problem.


Setting up VPN (L2TP/IPsec) for Windows

These instructions show how to connect to a VPN Gate relay server using the L2TP/IPsec VPN client built into Windows 10, 8.1, 8, 7, Vista, XP and RT, and into Windows Server 2019, 2016, 2012, 2008 and 2003.

Right-click the Network (Internet) icon in the taskbar notification area (system tray) and select "Network and Sharing Center".

On the main page of the Network and Sharing Center select "Set up a new connection or network".

Select "Connect to a workplace".

Then select "Use my Internet connection (VPN)".

Open the list of public relay servers at http://www.vpngate.net/en/ and pick a server whose L2TP/IPsec column is ticked.

Important information

Copy the DDNS host name (an ID that ends in ".opengw.net") or IP address (the numeric value xxx.xxx.xxx.xxx) and enter it in the Internet Address field.

Note

If the username and password entry screen appears, enter vpn in both fields. You can also check the “Remember password” checkbox.

Then go to Network and Sharing Center and click the “Change adapter settings” link.

A list of configured connections will be shown. Right-click on the VPN connection icon created in the previous step and click “Properties”.

Go to the "Security" tab and in the "Type of VPN" drop-down list select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)". For "Data encryption" select "Require encryption (disconnect if server declines)".

Then click the "Advanced settings" button. In the window that appears, select "Use preshared key for authentication" and enter vpn in the "Key" field.

After completing the configuration, click “OK” twice to close the VPN connection settings screen.

2. Connect to a VPN server

Click the Network (Internet) icon in the taskbar notification area (system tray) and select the created VPN connection. Click the “Connect” button.

If Username and Password are not filled in automatically, enter vpn in both fields and click OK.

When you try to connect, the message “Connecting to [selected VPN server]” will be displayed. If you get an error when trying, make sure the VPN type is set to "L2TP/IPsec" and the authentication key is set correctly.

If the VPN connection is successfully established, a new “VPN connection” item will appear in the list of networks with the status “Connected”.

Now you can quickly and easily establish a VPN connection using the corresponding icon in the list of networks.

Once the connection is established, all network traffic goes through the VPN server. You can verify this with the command tracert 8.8.8.8 at the Windows command prompt.

If the packets pass through 10.211.254.254, your connection is being relayed through one of the VPN Gate servers.

You can also open the VPN Gate main page to see your global IP address and the location visible from the network, which will differ from your actual location.
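All the Windows walkthroughs on this page (the general article, the b.VPN guide, the Windows 7 client guide, the Mikrotik client section and the VPN Gate instructions above) perform the same steps in the Network and Sharing Center wizard. As an added example that is not part of any of those guides, here is the same setup done from an elevated PowerShell prompt on Windows 8 or later (VpnClient module), followed by the checks the guides describe: the VPN adapter obtaining its IPv4 address and DNS from the server, the default route pointing through the tunnel, and the tracert test. The server name, key and credentials are placeholders; substitute the values your provider or administrator gave you.

```powershell
# Added example (not from any guide on this page): create, dial and verify an
# L2TP/IPsec connection from PowerShell instead of the wizard. All values below
# are placeholders standing in for what your VPN provider or admin supplies.
$Name   = 'Work L2TP'
$Server = 'vpn.example.com'          # placeholder: DDNS name or IP of the L2TP server
$Psk    = 'tumba-yumba-setebryaki'   # IPsec pre-shared key (NOT the user's password)
$User   = 'vpn_user1'                # placeholder PPP login
$Pass   = 'bla-bla-bla'              # placeholder PPP password

# 1. Create the connection: L2TP tunnel, PSK for the IPsec phase, MS-CHAP v2 only
#    (PAP/CHAP off), encryption required (disconnect if the server declines),
#    credentials remembered as the guides recommend.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential -Force

# 2. Confirm what the Security tab would show: tunnel type L2tp, PSK auth.
Get-VpnConnection -Name $Name |
    Format-List Name, ServerAddress, TunnelType, L2tpIPsecAuth,
                AuthenticationMethod, EncryptionLevel, SplitTunneling

# 3. Dial it. rasdial is the command-line equivalent of clicking Connect and
#    exits with the RAS error code on failure.
rasdial $Name $User $Pass
if ($LASTEXITCODE -ne 0) {
    # 691: login or password rejected (IPsec itself succeeded)
    # 789: IPsec negotiation failed: wrong PSK, UDP 500/4500 or ESP blocked,
    #      or no proposal in common with the server
    # 809: no reply from the server at all (address typo or firewall)
    throw "rasdial failed with RAS error $LASTEXITCODE"
}

# 4. The VPN adapter must get its IPv4 address and DNS servers from the server
#    ("obtain automatically" in the guides); show what it was handed.
Get-NetIPConfiguration -InterfaceAlias $Name |
    Select-Object InterfaceAlias, IPv4Address, DNSServer

# 5. With split tunneling off, the lowest-metric default route must point at
#    the VPN interface; that is what sends all traffic through the tunnel.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Format-Table InterfaceAlias, NextHop, RouteMetric

# 6. The same check the VPN Gate guide does with tracert: the first hops
#    should now belong to the VPN server's network, not your ISP's.
Test-NetConnection 8.8.8.8 -TraceRoute | Select-Object -ExpandProperty TraceRoute
```

To tear the connection down again use rasdial $Name /disconnect; Remove-VpnConnection -Name $Name -Force deletes the profile together with the stored key and credentials, which matters on a shared machine.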

Setting up VPN (L2TP/IPsec) for MacOS

These instructions show how to connect to a VPN Gate relay server using the L2TP/IPsec VPN client built into macOS.

1. Pre-configuration

Click the network connection icon in the menu bar at the top right of the screen and select "Open Network Preferences..." from the menu.

Click the "+" button on the network setup screen.

Select the "VPN" interface, the "L2TP over IPsec" connection type and click the "Create" button.

A new VPN (L2TP) configuration will be created and the connection settings screen will appear.

On this screen, you must enter either the host name or the IP addresses of the server from the VPN Gate pool of public servers.

Open the list of public relay servers http://www.vpngate.net/en/ and select the VPN server you want to connect to.

Important information

In the server list, the "L2TP/IPsec: Windows, Mac, iPhone, Android (no client required)" column must be ticked for the server you choose; the tick indicates that the server supports the L2TP/IPsec protocol.

Copy the DDNS host name (an ID that ends with ".opengw.net") or IP address (the numeric value xxx.xxx.xxx.xxx) and enter it in the Server Address field on the configuration screen.

Note: It is recommended to use the DDNS name - you can continue to use it even if the corresponding DDNS IP address changes in the future. However, in some countries you may not be able to use a DDNS hostname, in which case you must use an IP address.

After you have specified the "Server Address", enter vpn in the "Account Name" field.

Then click the "Authentication Settings" button.

The Authentication Settings screen appears. Enter vpn in the "Password" field and in the "Shared Secret" field. After that, click the "OK" button.

Then return to the previous screen, check the “Show VPN status in menu bar” option and click the “Advanced...” button.

The advanced settings screen will open. Check the box next to "Send all traffic through VPN" and click OK.

On the VPN connection settings screen, click the "Apply" button to save the connection settings.

2. Starting a VPN connection

You can establish a new connection to the VPN server at any time by clicking the "Connect" button. You can also start a VPN connection by clicking the VPN icon in the top toolbar of MacOS.

Once your VPN connection is established, the VPN settings screen will show you a "Connected" status, along with your new IP address and connection duration.

Once the connection is established, all network traffic will go through the VPN server. You can also go to the main VPN Gate page to view the global IP address. You will be able to see the location visible from the network, which will differ from your actual location.

When connected to a VPN, you will be able to visit blocked websites and play blocked games.
