Hey,
I can help you with L2TP with IPsec on MikroTik, as I have set this up myself in my personal capacity, except to my own VPS, not to Afrihost's servers, so some of it may differ, but let's go.
It took me 2 weeks to figure this out. Also, take note: I have done this on RouterOS 6.1, although I am currently on 6.2. Don't ask me to help with previous versions, though it may work.
You will need to set up 3 different things on your mikrotik RB75x router.
1.) The L2TP connection
2.) The IPSEC tunnel
3.) A scheduled script, that checks if your dynamic public ip on your PPPoE session has changed, and if so, updates the IPSEC tunnel endpoint ip.
Timeout: busy making screenshots etc. Rest incoming soon.
1.) The L2TP connection
This is the easy part. In my example, replace 37.139.20.42 with the IP address Axxess/Afrihost gave you.
Create the L2TP connection. In the first tab, give it a name:
In the second tab, add the IP address 37.139.20.42 and your VPN username/password, which is allegedly the same as your PPPoE username/password. In my case it is test/********
2.) The IPSEC tunnel
Now we start with the difficult stuff, and you guys may have to make changes here. Keep in mind the MikroTik RB75x doesn't have a very good CPU, so you will probably end up doing at most 5-6 Mbit/sec over this tunnel, at least in my experience.
In Winbox, go to the menu IP -> IPsec.
First go to the Proposal tab. There should already be a "default" proposal. Mine looks like this:
These are the best settings I could find that don't abuse my RB's CPU too much. Depending on what Axxess/Afrihost force on you, you may need aes-192/256 as the encryption algorithm.
Next, go to the "Peers" tab.
Important here: you need the following:
- IP address 37.139.20.42 (again, replace with the Axxess/Afrihost server)
- your shared secret
- exchange mode: main l2tp
- send initial contact
- NAT traversal (even though we don't need it)
- generate policy
- the rest can be different, and may need to be different
The last part of the IPsec tunnel, to make it work initially, is in the Policy tab.
Create a new policy.
- src address is the current IP you have on your PPPoE connection (dynamic); mine is 196.210.201.36
- dst address is again 37.139.20.42 / whatever Axxess/Afrihost gave you
- dst port 1701 (L2TP port)
- protocol is UDP
Second tab here:
- action encrypt
- level require
- IPsec protocol ESP (you may need the other one, but ESP is what works for me)
- again the public PPPoE IP 196.x and the LNS server IP 37.x
At this point, your VPN should come up and work. But you still need this for when your dynamic IP changes:
3.) A scheduled script, that checks if your dynamic public IP on your PPPoE session has changed, and if so, updates the IPsec tunnel endpoint IP.
You need to create a scheduler to update the dynamic IP (when it changes).
Here is my script. Make sure to change the PPPoE connection name away from pppoe-openweb-test, otherwise it won't work.
Code:
# ------------------- header -------------------
# Script by Tomas Kirnak, version 1.0.1
# If you use this script, or edit and
# re-use it, please keep the header intact.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/IPSec_Policy_Dynamic
# ------------------- header -------------------
{
  # Last WAN IP seen; kept global so it survives between scheduler runs
  :global oWANip

  # Configure the WAN (PPPoE) interface name here
  :local WANip [/ip address get [find interface="pppoe-openwebtest"] address]
  # The address is stored as "a.b.c.d/32"; drop the trailing "/32"
  :set WANip [:pick "$WANip" 0 ([:len $WANip] - 3)]

  :if ($WANip != $oWANip) do={
    :log warning "WAN IP changed, fixing IPSec"

    # I assume you only have a single ipsec policy (and a single peer), hence index 0
    /ip ipsec policy disable 0
    /ip ipsec peer disable 0
    # sa-src-address is a tunnel-mode SA setting, so tunnel mode is switched on
    # for the update and then back off, since L2TP/IPsec uses transport mode
    /ip ipsec policy set 0 tunnel=yes
    /ip ipsec policy set 0 src-address="$WANip/32"
    /ip ipsec policy set 0 sa-src-address=$WANip
    /ip ipsec policy set 0 tunnel=no
    # Re-enabling peer and policy triggers a fresh IKE negotiation from the new address
    /ip ipsec peer enable 0
    /ip ipsec policy enable 0

    :set oWANip $WANip
  }
}
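As an added example (not from the original post or the wiki script), here is a second scheduler script that checks whether the policy towards the LNS actually has a phase 2 SA and, if not, clears oWANip so the dynamic-IP script above re-applies the policy on its next run. It assumes the L2TP client interface is named "l2tp-afrihost" (a placeholder), the LNS address 37.139.20.42 from the post, and the RouterOS 6 read-only properties "running" on interfaces, "ph2-state" on IPsec policies and "dst-address" on installed SAs.

```routeros
# Added example: L2TP/IPsec health check, to be run from /system scheduler.
# Assumed names: l2tp-afrihost (placeholder interface name), LNS 37.139.20.42 (from the post).
{
  :global oWANip
  :local lnsAddr "37.139.20.42"
  :local l2tpName "l2tp-afrihost"

  # Is the L2TP session currently up?
  :local l2tpUp [/interface get [find name=$l2tpName] running]

  # Find the single policy towards the LNS and read its phase 2 state (assumed property ph2-state)
  :local polId [/ip ipsec policy find dst-address="$lnsAddr/32"]
  :local ph2 "no-policy"
  :if ([:len $polId] > 0) do={
    :set ph2 [/ip ipsec policy get $polId ph2-state]
  }

  # Installed SAs towards the LNS (one per direction when phase 2 is up)
  :local saCount [:len [/ip ipsec installed-sa find dst-address=$lnsAddr]]

  :if ($ph2 != "established") do={
    # With level=require, L2TP packets are dropped rather than sent in clear,
    # so a missing SA means the VPN silently carries no traffic. Log it and
    # forget the remembered WAN IP so the dynamic-IP script re-applies the policy.
    :log warning "IPsec to $lnsAddr not established (ph2-state=$ph2, SAs=$saCount, l2tp running=$l2tpUp)"
    :set oWANip ""
  } else={
    :if ($l2tpUp != true) do={
      :log warning "IPsec to $lnsAddr is up but L2TP $l2tpName is not running"
    } else={
      :log info "L2TP/IPsec to $lnsAddr healthy (SAs=$saCount)"
    }
  }
}
```

Schedule it a minute or two after the dynamic-IP script so a normal address change has time to renegotiate before it is reported.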