Creating a VPN Server with RouterOS

Date: Oct 27, 2009 By Eric Geier. Article is provided courtesy of Cisco Press.
Eric Geier, author of Wi-Fi Hotspots: Setting Up Public Wireless Internet Access, continues his RouterOS series by discussing its VPN capabilities. He shows you how to configure everything so you can remotely connect to access files. You’ll also learn how to set up site-to-site tunnels so you can create a WAN and connect all your locations.

Two earlier tutorial articles discussed RouterOS, an open source operating system that can convert your generic PC into an advanced, enterprise-type router and LAN server.

In Part 1 of that series, you built the machine, installed the Linux-based software, and started setting it up.

In Part 2, you configured the DHCP server to manage the IP addresses, enabled NAT to share the Internet, and configured the wireless interface for Wi-Fi access.

Now that all the basic setup is done, you can play around with the features. In this part, you’ll tinker around with the VPN capabilities.

More specifically, you’ll set up an L2TP/IPsec VPN server.

Then users can remotely connect via the Internet to access files through the tunnel or to just use it to secure their connection on a public network.

Plus you’ll configure site-to-site tunnels, so all your networks are connected.

Configuring the VPN (L2TP) Server

First, make sure that you have the PPP package installed. If it is, you’ll have a menu for it on the console or WinBox interface.

Then you can follow these steps to get the server working using the WinBox utility:

  1. Click PPP and select the Secrets tab.
  2. Click the Plus button.
  3. Enter a Name and Password.
  4. Enter a Local Address (such as 1.1.1.1) and Remote Address (such as 1.1.1.2).
  5. Click OK.

Now you can enable the server. Follow these steps:

  1. On the main PPP window, select the Interface tab.
  2. Click the L2TP Server button.
  3. Mark the Enabled checkbox and click OK.

Now you need to add an IPsec peer. Follow these steps:

  1. Click IP > IPsec and select the Peer tab.
  2. Click the Plus button.
  3. Make sure that the Auth Method is Pre-Shared Key.
  4. For Secret, enter a password to serve as the pre-shared key secret. You'll input this later when configuring Windows.
  5. Verify that the Hash Algorithm is sha and the Encryption Algorithm is 3des, which are used by default in Windows.
  6. Mark the Generate Policy checkbox.
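The same server setup as the WinBox steps above, entered at the RouterOS terminal instead. This is an added example, not from the article; it assumes the RouterOS 3.x/4.x syntax of the article's era (where generate-policy is a yes/no option; newer releases use port-override/port-strict), that the Internet-facing interface is named public, and that the account name, passwords and pre-shared key shown are placeholders to be replaced.

```routeros
# Added example (not from the article): L2TP/IPsec server via the CLI.
# Assumptions: RouterOS 3.x/4.x option names, "public" = Internet-facing interface,
# CHANGE-ME values are placeholders. Addresses 1.1.1.1/1.1.1.2 are the article's own.

# 1. PPP secret: the user account the Windows client logs in with.
/ppp secret add name=remoteuser password="CHANGE-ME-user-password" \
    service=l2tp local-address=1.1.1.1 remote-address=1.1.1.2

# 2. Enable the L2TP server.
/interface l2tp-server server set enabled=yes

# 3. IPsec peer that accepts any client address with a pre-shared key.
#    sha1/3des match the Windows XP defaults the article names; generate-policy
#    lets RouterOS create the phase-2 policy for each client that connects.
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    secret="CHANGE-ME-preshared-key" hash-algorithm=sha1 enc-algorithm=3des \
    generate-policy=yes

# The phase-2 proposal must match the client too (assumes the default proposal).
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des

# 4. Only needed if your input chain drops by default: admit IKE (UDP 500),
#    NAT-T (UDP 4500), L2TP (UDP 1701) and ESP arriving on the public interface.
/ip firewall filter add chain=input in-interface=public protocol=udp \
    dst-port=500,4500,1701 action=accept comment="L2TP/IPsec"
/ip firewall filter add chain=input in-interface=public protocol=ipsec-esp \
    action=accept comment="L2TP/IPsec ESP"

# Check: the peer is listed; after a client connects, a generated policy and
# an installed SA should appear here.
/ip ipsec peer print
/ip ipsec policy print
/ip ipsec installed-sa print
```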

Creating a Network Connection in Windows

Now for a Windows user to connect to the VPN server, you must configure the computer with a network connection. Here's how to do it in Windows XP:

  1. Open the Network Connections window.
  2. Double-click the New Connection icon to start the wizard and click Next.
  3. Select Connect To The Network At My Workspace and click Next.
  4. Select Virtual Private Network Connection and click Next.
  5. Enter a Company Name, which will be the name of the new connection, and click Next.
  6. Enter the IP address of your RouterOS server and then click Finish.
  7. On the connection window that appears, click the Properties button and select the Security tab.
  8. Click the IPsec Settings button, select the Use Pre-Shared Key For Authentication checkbox, enter the same password you created for the Pre-Shared Key secret on RouterOS, and then click OK.
  9. On the Properties window, select the Networking tab and choose the L2TP IPSec VPN option.
  10. Click OK to save the property changes.

Configuring the IPsec Settings in Windows

You must also configure the IPsec settings in Windows XP before connecting:

  1. Click Start > Run, type mmc, and press Enter.
  2. Add the IP Security Policy Management snap-in by clicking File > Add/Remove Snap-in.
  3. On the window of the newly added snap-in, select Action > Create IP Security Policy.
  4. On the wizard, click Next to continue.
  5. Click Next to accept the default name.
  6. Uncheck the Activate The Default Response Rule option and click Next.
  7. Make sure the Edit Properties option is checked and click Finish.

Then starting with the properties window that popped up, follow these steps:

  1. Click Add.
  2. On the wizard, click Next.
  3. Make sure that the This Rule Does Not Specify A Tunnel option is marked and click Next.
  4. Select the Local Area Network option and click Next.
  5. Select Use This String To Protect The Key Exchange, type the same pre-shared key you created on RouterOS, and click Next.
  6. Click Add to create a new IP Filter List.
  7. Click Add and follow the wizard, selecting My IP Address as the Source and the IP address of the RouterOS as the Destination.
  8. On the window for the new IP Filter List, click OK.
  9. Select the new IP Filter List you just created from the list and click Next.
  10. Select Require Security and click Next.
  11. Uncheck the Properties option and click Finish.

Now you need to bring up the Services snap-in in the same console so you can restart the IPsec Services service. Then go back to the IP Security Policy snap-in, right-click the new policy and select Assign. Finally, you should be able to connect to the VPN.

Creating a Site-to-Site Tunnel

Now you’ll set up an IPsec VPN tunnel between two RouterOS machines. This is useful when you have multiple offices or locations and want to share resources between the networks. First you'll configure accept and masquerade rules in the srcnat chain from the command line. The accept rule must come before the masquerade rule so that traffic destined for the other site is not NATed before it enters the tunnel.

For Router 1:

# accept LAN-to-remote-LAN traffic untouched, then masquerade everything else leaving the public interface
ip firewall nat add chain=srcnat src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept
ip firewall nat add chain=srcnat out-interface=public action=masquerade

For Router 2:

# same two rules, mirrored: chain= is an argument of "add", so it follows the verb
ip firewall nat add chain=srcnat src-address=10.2.0.0/24 dst-address=10.1.0.0/24 action=accept
ip firewall nat add chain=srcnat out-interface=public action=masquerade

Now you have to configure the IPsec settings on each.

For Router 1:

# policy: encrypt LAN-to-LAN traffic in tunnel mode between the two public addresses
ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=encrypt tunnel=yes sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
# peer: the other router's public address and the shared secret (must match on both sides)
ip ipsec peer add address=1.0.0.2 exchange-mode=aggressive secret="gvejimezyfopmekun"

For Router 2:

# mirror of Router 1: addresses swapped, same secret
ip ipsec policy add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 action=encrypt tunnel=yes sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1
ip ipsec peer add address=1.0.0.1 exchange-mode=aggressive secret="gvejimezyfopmekun"

Stay tuned—in the second article of this series you'll experiment with the hotspot features of RouterOS.