loloski
Member Candidate
Topic Author
Posts: 209
Joined: Mon Mar 15, 2021 9:10 pm

Strongswan RoadWarrior VPN (PSK) Setup

Fri Apr 02, 2021 7:01 am

Hey,

After struggling for a few days, I just want to share a successful road-warrior setup between strongSwan and MikroTik / Windows 10 as VPN clients!
Assumption:
StrongSwan (Public Static IP) -> Mikrotik 6.48.1 (Behind a NAT router)
Code:
# /etc/ipsec.conf on the VPN server (strongSwan)
config setup
    cachecrls=yes
    uniqueids=yes
    # charondebug takes type/level pairs; this shows both phase 1 and phase 2
    # in the log, and without it the exchange is hard to troubleshoot
    charondebug="ike 2, knl 3, cfg 2"

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s

conn L2TP
    dpdaction=clear
    left=your_public_ip_address
    leftsubnet=your_subnet_behind_the_vpn_server
    leftid=your_public_ip_address
    leftauth=psk
    leftprotoport=17/1701
    right=%any
    rightauth=psk
    rightprotoport=17/%any
    # the PSK itself lives in /etc/ipsec.secrets (not shown in this post)
    ikelifetime=1h
    keylife=8h
    # aes256-sha1-ecp384 is the Windows 10 proposal
    ike=aes256-sha1-ecp384,aes256-sha256-modp1024,aes128-sha1-modp1024!
    # aes256-sha1 is what Windows 10 expects
    esp=aes256-sha1,aes256-sha256-modp1024,aes128-sha1-modp1024!
    # To match this up with the Winbox GUI, this is how I wrap my head around it:
    #   ike=encryption_algorithm-authentication_algorithm-pfs_group
    #   esp=encryption_algorithm-authentication_algorithm-pfs_group (pfs group optional), e.g. aes256-sha1
    auto=add
    keyexchange=ike
    type=transport

; /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no

[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes

# /etc/ppp/options.xl2tpd
require-chap          # required for non-Windows 10 CHAP authentication
require-mschap-v2     # required for Windows 10 authentication
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
# a fixed ifname only works for one session at a time: pppd cannot rename a
# second ppp interface to a name that already exists
ifname l2tp
login
logfile /var/log/xl2tpd.log
Hope this might help someone in the process :)
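The post's mental model for the ike= and esp= lines (encryption-integrity-dhgroup, comma-separated, trailing "!" for strict mode) can be turned into a small checker. The script below is an added example written for this page, not code from the post or from strongSwan: it parses the post's two proposal lists, picks the proposal a strongSwan responder would settle on with a peer that offers the Windows 10 suites the post mentions, and flags legacy components (modp1024 is 1024-bit DH group 2, and SHA-1/MD5/3DES are legacy choices) that the fallback entries carry. The algorithm token tables are a subset of what strongSwan accepts, the "Windows 10" offers are constructed from the post's comments rather than captured from a client, and the `prefer_configured` flag models strongSwan's `charon.prefer_configured_proposals` setting, which defaults to preferring the configured order.

```python
"""Parse strongSwan ike=/esp= proposal strings, simulate proposal selection
against a peer's offer, and flag legacy components.

Added example for the forum post above; not strongSwan's own code.
Assumptions: ENCRYPTION/INTEGRITY/DH_GROUPS are a subset of strongSwan's
algorithm tokens; WIN10_IKE/WIN10_ESP are constructed from the post's comments.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCRYPTION = {"3des", "aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
             "ecp256", "ecp384", "ecp521"}
# Components to avoid in a new deployment: modp1024 is DH group 2 (1024-bit),
# the rest are legacy integrity/encryption algorithms.
LEGACY = {"modp1024", "sha1", "md5", "3des"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: Optional[str]   # None for AEAD ciphers such as aes256gcm16
    dh: Optional[str]      # None means no DH group (ESP without PFS)

    def __str__(self) -> str:
        return "-".join(t for t in (self.enc, self.integ, self.dh) if t)


def parse_proposal(text: str) -> Proposal:
    """'aes256-sha1-ecp384' -> Proposal('aes256', 'sha1', 'ecp384')."""
    enc = integ = dh = None
    for token in text.strip().split("-"):
        if token in ENCRYPTION:
            enc = token
        elif token in INTEGRITY:
            integ = token
        elif token in DH_GROUPS:
            dh = token
        else:
            raise ValueError(f"unknown token {token!r} in proposal {text!r}")
    if enc is None:
        raise ValueError(f"no encryption algorithm in proposal {text!r}")
    return Proposal(enc, integ, dh)


def parse_proposal_list(value: str) -> Tuple[List[Proposal], bool]:
    """Parse an ike= or esp= value. A trailing '!' is strict mode: as a
    responder strongSwan then accepts only the listed proposals instead of
    any supported proposal the peer offers."""
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    return [parse_proposal(p) for p in body.split(",") if p.strip()], strict


def select_proposal(ours: List[Proposal], peer: List[Proposal],
                    prefer_configured: bool = True) -> Optional[Proposal]:
    """Proposal both sides share, walking our list first (strongSwan's default,
    charon.prefer_configured_proposals = yes) or the peer's list first.
    None means no agreement: the negotiation fails with NO_PROPOSAL_CHOSEN."""
    first, second = (ours, peer) if prefer_configured else (peer, ours)
    other = set(second)
    for p in first:
        if p in other:
            return p
    return None


def legacy_components(proposals: List[Proposal]) -> List[str]:
    """One 'proposal: component, component' line per proposal with legacy parts."""
    findings = []
    for p in proposals:
        bad = [t for t in (p.enc, p.integ, p.dh) if t in LEGACY]
        if bad:
            findings.append(f"{p}: {', '.join(bad)}")
    return findings


# The two server lines from the post.
SERVER_IKE = "aes256-sha1-ecp384,aes256-sha256-modp1024,aes128-sha1-modp1024!"
SERVER_ESP = "aes256-sha1,aes256-sha256-modp1024,aes128-sha1-modp1024!"

# Constructed peer offers based on the post's comments about Windows 10.
WIN10_IKE = [parse_proposal("aes256-sha1-ecp384")]
WIN10_ESP = [parse_proposal("aes256-sha1")]


def negotiate(server_value: str, peer: List[Proposal]) -> Optional[str]:
    """Return the agreed proposal as a string, or None if nothing matches."""
    ours, _strict = parse_proposal_list(server_value)
    chosen = select_proposal(ours, peer)
    return str(chosen) if chosen else None


if __name__ == "__main__":
    print("IKE agreed:", negotiate(SERVER_IKE, WIN10_IKE))
    print("ESP agreed:", negotiate(SERVER_ESP, WIN10_ESP))
    for line in legacy_components(parse_proposal_list(SERVER_IKE)[0]):
        print("legacy:", line)
```

Run as a script it reports aes256-sha1-ecp384 for IKE and aes256-sha1 for ESP, which is what the post's comments say Windows 10 lands on; the legacy report shows that every entry in the post's IKE list carries either SHA-1 or modp1024, so a client that does not offer the ecp384 suite is pushed down to DH group 2. Tightening the list is a matter of dropping those fallbacks, at the cost of clients that cannot do better.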
