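# /etc/ppp/options.xl2tpd -- pppd options applied to every L2TP session
# (this is the file named by "pppoptfile" in xl2tpd.conf). One option per
# line, "#" starts a comment. The paste view had glued its gutter line
# numbers onto each option ("1require-mschap-v2", "2ipcp-accept-local", ...),
# which pppd would reject as unknown options; they are stripped here and
# the options are grouped, with values unchanged.

# --- authentication ---
# Require the peer to authenticate, and accept MS-CHAPv2 only. MS-CHAPv2 by
# itself is weak (the exchange is offline-crackable); it is only acceptable
# here because the L2TP traffic is carried inside IPsec and the firewall
# drops UDP/1701 that did not arrive through an IPsec SA.
auth
require-mschap-v2
# Keep the peer's password string out of the PPP packet log.
hide-password
# Local name used when looking up this server's entries in the auth file.
name l2tpd

# --- IPCP / addressing ---
# Accept the peer's proposal for the local and remote tunnel addresses.
# NOTE(review): ipcp-accept-remote lets a client pick its own tunnel IP,
# and with proxyarp below that address is then advertised on the LAN. If
# clients are meant to be pinned to the xl2tpd pool, consider dropping
# ipcp-accept-remote -- confirm against the client platforms in use first.
ipcp-accept-local
ipcp-accept-remote
# Resolver pushed to clients (Google public DNS). Point this at an internal
# resolver if clients must resolve internal names through the tunnel.
ms-dns 8.8.8.8
# Publish a proxy-ARP entry so LAN hosts can reach the client's address.
proxyarp

# --- link parameters ---
# Small PPP MTU/MRU so frames survive the L2TP + UDP + ESP overhead without
# fragmentation (presumably tuned for this path -- verify if clients see
# stalls on large transfers).
mtu 1310
mru 1310
# Hang up after 30 minutes without traffic.
idle 1800
# LCP echo every 5 s; the peer is declared dead after 4 misses (about 20 s).
lcp-echo-interval 5
lcp-echo-failure 4
# Multilink PPP negotiation; unusual for a VPN concentrator and presumably
# inherited from a template. Harmless as long as clients do not request it.
multilink
# Serial-line options (hardware flow control, modem control lines). They are
# leftovers from dial-up setups and have no effect on an L2TP pseudo-tty.
crtscts
modem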
17
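; /etc/xl2tpd/xl2tpd.conf -- L2TP daemon configuration.
; Gutter line numbers from the paste view ("19ipsec saref = yes", ...) have
; been stripped from every line; xl2tpd would not have parsed them.
;
; There is no listen-addr, so xl2tpd binds UDP/1701 on every interface. The
; only thing keeping plaintext L2TP off the wire is the firewall rule that
; accepts UDP/1701 solely when it matched an inbound IPsec policy.

[global]
; Request IPsec SA references from the kernel so that each L2TP session is
; tied to the IPsec SA it arrived over instead of just the source address.
; NOTE(review): this needs SAref support in the kernel. With
; protostack=netkey in ipsec.conf that support is typically not present,
; so check the xl2tpd log to confirm it is actually in effect and not
; silently disabled.
ipsec saref = yes
; Handle tunnels in userspace rather than through the kernel L2TP module.
force userspace = yes
; CHAP secrets are stored in plaintext here; keep the file root-owned, 0600.
auth file = /etc/ppp/chap-secrets

[lns default]
; Address pool handed to clients, and the server's own tunnel address. Both
; sit in 192.168.1.0/24 so proxyarp in the ppp options can expose clients on
; the LAN; if that LAN runs DHCP, the pool must not overlap its range.
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
; Authenticated sessions only. Plain CHAP and PAP are rejected, which leaves
; MS-CHAPv2 (required by require-mschap-v2 in the ppp options file).
require authentication = yes
refuse chap = yes
refuse pap = yes
; Hostname sent in L2TP control messages.
name = LinuxVPNserver
; Verbose PPP logging. Handy while bringing the tunnel up; consider turning
; it off in production so session details do not accumulate in syslog.
ppp debug = yes
; pppd options applied to every session.
pppoptfile = /etc/ppp/options.xl2tpd
; Set the L2TP length bit on data packets (some clients expect it).
length bit = yes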
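# /etc/ipsec.conf (Openswan/Libreswan) -- IPsec transport-mode wrapper for
# the L2TP service. Paste-view line numbers have been stripped from every
# line; parameters inside a section must remain indented.

config setup
	protostack=netkey
	dumpdir=/var/run/pluto/
	# Accept clients behind NAT (UDP/4500 encapsulation).
	nat_traversal=yes
	# Private ranges a NATed client may present as its inner address, minus
	# the ranges the server itself routes to.
	# NOTE(review): this line appears cut off at the terminal width in the
	# paste ("...%v4:!192.168.$"); the trailing exclusion must be completed
	# from the live file. The client pool and LAN used here are in
	# 192.168.1.0/24 -- confirm that subnet is among the exclusions,
	# otherwise a NATed client whose home LAN is also 192.168.1.x collides
	# with it.
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.250.0/24,%v4:!192.168.$
	# NAT-T keepalive interval in seconds.
	# NOTE(review): 1800 s is far longer than typical NAT table timeouts
	# (the Openswan default is 20 s), so idle NATed clients are likely to
	# lose their mapping. Verify this value is intentional.
	keep_alive=1800

# Clients behind NAT: identical to the noNAT conn, but the peer's inner
# address may be any private address allowed by virtual_private.
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	# Pre-shared key from ipsec.secrets. With right=%any every road-warrior
	# presumably shares the same key, so anyone holding it can impersonate
	# the server towards other clients; rotate it when a device is lost.
	authby=secret
	# No Perfect Forward Secrecy for phase 2. Commonly needed for stock
	# Windows/Android L2TP clients, but a compromised long-term key then
	# exposes recorded sessions.
	pfs=no
	# Load the conn but never initiate; this side only responds.
	auto=add
	keyingtries=8
	ikelifetime=8h
	keylife=1h
	# Transport mode: only the UDP packets between the two endpoints are
	# protected, which is all L2TP needs.
	type=transport
	# Server's public address (redacted in the paste).
	left=146.185.XXX.XXX
	leftprotoport=17/%any
	right=%any
	rightprotoport=17/%any
	# NOTE(review): no ike= / phase2alg= is set, so the daemon's built-in
	# defaults decide the algorithms. The MikroTik peer configured below
	# offers aes-256 / sha1 / modp1024 with proposal-check=obey; modp1024 is
	# considered weak, so prefer modp2048 (and pin ike=/phase2alg= here) if
	# every client can negotiate it.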
[admin@MikroTik] > /ip ipsec policy print
59Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
60 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
61
 1 src-address=%MIKROTIK EXTERNAL IP%/32 src-port=any dst-address=%SERVERIP%/32 dst-port=any protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no
63 sa-src-address=%MIKROTIK EXTERNAL IP% sa-dst-address=%SERVERIP% proposal=default priority=0
64[admin@MikroTik] > /ip ipsec peer print
65Flags: X - disabled, D - dynamic
66 0 address=%SERVERIP%/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="KEY" generate-policy=no policy-template-group=default
67 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
68 dpd-maximum-failures=5
69
# Admit L2TP (UDP/1701) only when the packet arrived inside an IPsec SA
# (xt_policy match on the inbound policy), and drop every other packet to
# that port so the L2TP/PPP layer -- and its MS-CHAPv2 exchange -- is never
# reachable in clear text. Needs the xt_policy module. Rules are appended,
# so an earlier INPUT rule that already accepts UDP/1701 would defeat the
# DROP; check the chain order, and persist the rules across reboots.
iptables --append INPUT --protocol udp --destination-port 1701 \
    --match policy --dir in --pol ipsec --jump ACCEPT
iptables --append INPUT --protocol udp --destination-port 1701 --jump DROP