Setting up an L2TP connection (Beeline). L2TP connection settings for advanced users

This guide explains how to connect a router to the Internet using the L2TP WAN connection type (for example, Beeline). The router model does not matter: routers from different manufacturers differ only in the layout of the settings and the names of the menu items in the device's administrative interface. The guide applies to any provider that uses L2TP connections.

Setting up a router

1. Find the WAN port on the router (usually the blue one). Plug into it the twisted-pair cable from the Internet provider, the one that was connected directly to the computer if you had no router before. Next to it are several yellow LAN ports. Plug the network cable supplied with the router into any of them, and its other end into the network card of the computer.

2. On a PC or laptop running Windows 7, open the network settings: Start - Control Panel - Network and Internet - Network and Sharing Center - Manage network connections - Change adapter settings.

Right-click "Local Area Connection", go to "Properties", then to "Internet Protocol Version 4 (TCP/IPv4)" and select "Obtain an IP address automatically" and "Obtain DNS server address automatically".

Click "OK".

3. On the router, look for the IP address used to open the router settings (192.168.0.1 by default) and the login and password (often login: admin, password: admin).

4. In the browser's address bar, enter 192.168.0.1 (or whatever address is printed on the router), then enter the login and password from the router label.

6. In "WAN Connection Type" (type of Internet connection), select "L2TP / Russia L2TP". Enter the login and password from the agreement with the provider and the server name tp.internet.beeline.ru (or another one, also from the contract). Save the settings.

7. Open the "Wireless Network" section of the menu and fill in your own values for the items:

  • SSID is the name of the wifi network.
  • Network Security - WPA2-Personal
  • Encryption - AES or TKIP
  • Secret key - password for Wi-Fi, at least 8 characters.

8. Apply the settings. Then, on the device that should get Internet access (it must have a Wi-Fi module), click the wireless connection icon (in the Windows tray in the lower right corner, next to the clock), find your network in the list, connect, and enter the password (the one of at least 8 characters).

See the end of the page for some important features!

1. Open Notification Center in the lower right corner of the screen:

3. In the Settings window that opens, on the VPN tab, click the Add a VPN connection button:

4. In the window Add a VPN connection fill in the following parameters:

VPN Service Provider: Windows (embedded)

Connection name: VPNki

Connection name or address: website

VPN type: PPTP protocol (or L2TP/IPSec protocol)

Login data type: Username and password

Username and password: received in the vpnki system (for example, userXXX)

7. Right-click on the VPNki adapter and select Properties:

8. Select from the list IP version 4 (TCP/IPv4) and press the button Properties:

9. Leave "Obtain an IP address automatically" and "Obtain DNS server address automatically" selected and press the Advanced button:

10. On the IP Settings tab, uncheck "Use default gateway on remote network" and press OK.

Under "Allow these protocols", leave only CHAP (Challenge Handshake Authentication Protocol).

12. (Only for L2TP) press the Advanced settings button, select "Use preshared key for authentication" and enter the key: vpnki

13. This completes the setup. Press the Connect button; on a successful connection the status of VPNki should change to Connected.

14. If you need to reach a remote home network (for example, 192.168.x.x/x), you must tell Windows that the addresses of that remote network are to be routed through the VPN tunnel.

This can be done in two ways:

  • by adding the networks 192.168.x.x/x (your remote network) and 172.16.0.0/16 (the VPNKI network) to the routing table with the route add command;
  • by receiving the routes from the server via DHCP.

Before making a choice, it is highly advisable for you to read this instruction and go through it to the end.

Feature 1

To use an encrypted connection, in the connection settings you need to:
- use MS-CHAPv2 authentication and specify that encryption (MPPE) will be used.

To connect without encryption, you need to:
- use CHAP authentication and specify that encryption will not be used.

Be careful:
all other combinations of authentication and encryption methods will cause the connection to fail!!!

Feature 2

The PPTP protocol relies on the GRE protocol, which some Internet providers in Russia have technical difficulties with. These difficulties will prevent you from using PPTP to build VPN tunnels. Such providers include MGTS (Moscow City Telephone Network), Yota and Megafon, although not in all parts of their networks.

For the user, it looks as if the username and password check fails. More precisely, the connection never even gets that far. In the "Security Events" menu item you will see the beginning of a successful connection, and the last entry will be a line saying that the server is ready to check the username and password, but nothing follows:

Access granted. No whitelist is set for user. Ready to check username / password.

No connection and no further log entries (even though you are sure the login and password are correct) most likely means that your provider does not pass GRE. You can google this.

PS: To combat hung sessions, we forcibly disconnect user tunnels using the PPTP, L2TP and L2TP/IPsec protocols 24 hours after the connection is established. When configured correctly, the connection should re-establish automatically.

Our system works with many types of home and office routers. For details, see the equipment setup section; it is best to start from this example.


Sometimes it seems to me that the creators of Mikrotik deliberately deprive themselves of profit by not writing unambiguous step-by-step guides for setting up their devices. Almost 100% of users of these routers are trying to set up a VPN, or to use two or more WANs at the same time or as backups. This is what the happy owners of these wonderful devices search for all over the network (and often outside the RuNet). Imagine how much the army of owners would grow if the web interface had two or three wizards for configuring these functions. And now, thanks to the complexity of the settings (and, accordingly, fewer people wanting to buy), we have an inexpensive, low-capacity device for simple tasks that needs to be made to work 24x7x365. For example, as a VPN server. Go!

The L2TP protocol provides the data link, the tunnel.

IPSec protects the data from being viewed.

We will configure it in the same two parts: first the tunnel, then data protection.

Note 1: I don't really like text commands with a bunch of switches when setting up things that are described in many places but each time with subtle typos: something was not copied when the text was written (or when it was copied from another site, which happens most often), or the site's CMS text editor simply ate it. Setting up a VPN is exactly such a case. Therefore, I deliberately spelled out every step for the Mikrotik Winbox GUI, especially since there is not so much to it, although quite a few things need to be done.

Note 2: before version 6.18 there is a firmware bug that causes the default policy template to always be applied, so update the firmware to the latest stable version. Do not upgrade to the latest but unstable firmware if you are setting up a VPN.

So, we have a Mikrotik router with firmware 6.30 (July 2015) and LAN 192.168.88.0/24 (the default network). The WAN address is not important, e.g. 1.2.3.4.

Tunneling setup (L2TP)

1. IP - Pool / Define the address range for VPN users

Name: vpn_pool
Addresses: 192.168.112.1-192.168.112.10
Next pool: none

It is better for VPN clients to use separate addressing: this makes it easier to tell them apart from LAN hosts, and it is best practice in general.

2. PPP - Profiles / Profile for our specific tunnel

General:
Name: l2tp_profile
Local address: vpn_pool (or you can specify 192.168.88.1 , see for yourself how you like it)
Remote address: vpn_pool
Change TCP MSS: yes

Protocols:
all at default:
Use MPLS: default
Use compression: default
Use Encryption: default

Limits:
Only one: default

3. PPP - Secrets / Create the VPN user

Name: vpn_user1
Password: bla-bla-bla
Service: l2tp
Profile: l2tp_profile

4. PPP - Interface - click L2TP Server / Enable the L2TP server

Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: tumba-yumba-setebryaki (this is not the user's password, but a preshared key that will need to be specified on clients in addition to the login/password)

Configuring data encryption in the "tunnel" (IPSec)

In the previous step, we created a data tunnel and enabled IPSec. In this section, we will configure the IPSec settings.

5. IP - IPSec - Groups

A default group is most likely already present: simply delete it and immediately create a new one, for example named "policy_group1". You could also just delete the group, but then errors will be shown in the web interface.

6. IP - IPSec - Peers

Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Passive: yes (set)
Secret: tumba-yumba-setebryaki (this is not the user's password!)

Policy template group: policy_group1
Exchange mode: main l2tp
Send Initial Contact: yes (set)
NAT Traversal: yes (set)
My id: auto
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256

DH Group: modp1024
Generate policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5

7. IP - IPSec - Proposals / "Offers".

Something like "what can we offer you". In other words, we set the connection options that remote clients can try to use.

Name: default
Auth algorithms: sha1
Encr. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: modp1024

You probably noticed that points 6 and 7 are similar, and if we add that we entered the same Secret in both point 4 and point 6, then the question arises: why are the same options configured again? My answer is this: purely from practice, it turned out that Windows 7 required one and the iPhone required the other. How it works, I don't know. But the fact is purely from practice. For example, I change the Proposal PFS Group to 2048 - Windows connects normally, but the iPhone stops. I do the opposite (in the proposal I put 1024, and in ip-ipsec-peers I put 2048) - the iPhone connects, but Windows does not :) I.e. when different clients connect, different parts of the config are used. Nonsense? Maybe this is a consequence of gradual changes in the configuration of the VPN server, I can't say, because there may even be the influence of old firmware, configs, etc. I do not exclude that something here is redundant, but I don't know what exactly.

Firewall

Let's go to the console, for a change:

/ip firewall filter
add chain=input action=accept protocol=udp port=1701,500,4500
add chain=input action=accept protocol=ipsec-esp

If you have the forward policy set to drop by default (the last rule for forward is "chain=forward action=drop"), you may need to allow forward from vpn_pool ip addresses to the local network:

add chain=forward action=accept src-address=192.168.112.0/24 in-interface=!ether1 out-interface=bridge-local comment="allow vpn to lan" log=no log-prefix=""

That is everything on the server side.
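The Winbox steps 1-7 and the firewall rules above, collected into one RouterOS 6.x console script; this is an added example, not from the original article, the parameter names are the RouterOS 6.x ones and should be checked against the installed firmware, and the two secrets are the article's placeholders.

```routeros
# Added example: steps 1-7 plus the firewall rules as a RouterOS 6.x console script.
# Values are the ones used in the article; "bla-bla-bla" and "tumba-yumba-setebryaki"
# are placeholders and must be replaced with real secrets.

# 1. Address pool for VPN clients
/ip pool add name=vpn_pool ranges=192.168.112.1-192.168.112.10

# 2. PPP profile for the tunnel (TCP MSS clamping on)
/ppp profile add name=l2tp_profile local-address=vpn_pool remote-address=vpn_pool change-tcp-mss=yes

# 3. VPN user
/ppp secret add name=vpn_user1 password="bla-bla-bla" service=l2tp profile=l2tp_profile

# 4. L2TP server with IPsec; ipsec-secret is the preshared key, not the user's password
/interface l2tp-server server set enabled=yes max-mtu=1450 max-mru=1450 keepalive-timeout=30 \
    default-profile=l2tp_profile authentication=mschap2 use-ipsec=yes \
    ipsec-secret="tumba-yumba-setebryaki"

# 5. Policy template group
/ip ipsec policy group add name=policy_group1

# 6. Peer: any address, preshared key, passive (server side). 3des and modp1024 are kept
#    only because the article reports client compatibility needs; remove them once every
#    client accepts AES and a larger DH group.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key passive=yes \
    secret="tumba-yumba-setebryaki" policy-template-group=policy_group1 \
    exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes \
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-256 \
    dh-group=modp1024 generate-policy=port-override lifetime=1d \
    dpd-interval=2m dpd-maximum-failures=5

# 7. Proposal (phase 2 options offered to clients)
/ip ipsec proposal set [ find name=default ] auth-algorithms=sha1 \
    enc-algorithms=3des,aes-256-cbc,aes-256-ctr lifetime=30m pfs-group=modp1024

# Firewall: IKE (500), NAT-T (4500), L2TP (1701) and ESP to the router itself,
# then VPN clients to the LAN (needed only if the forward chain drops by default)
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500 \
    comment="l2tp/ipsec to router"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="ipsec esp"
/ip firewall filter add chain=forward action=accept src-address=192.168.112.0/24 \
    in-interface=!ether1 out-interface=bridge-local comment="allow vpn to lan"
```

Place the two input rules above any drop rule in the input chain, otherwise IKE never reaches the router.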

Remote client connection

Trying to connect Windows 7:

Control Panel - Network and Internet - Network and Sharing Center:
Set up a new connection or network
Connect to a workplace
Create a new connection
Use my Internet connection (VPN)
Internet address: the router's IP address or name on the network
Username and password from PPP -> Secrets. In our case, this is vpn_user1 and its password.

We are trying to connect.

If it doesn’t work, or you just need to configure the created connection:

Security tab:

VPN type: L2TP IPSec VPN

Additional options: Use a preshared key for authentication. In our case, this is "tumba-yumba-setebryaki" (IP - IPSec - Peers):

Here, in the "Authentication" group, we leave only CHAP v2:

Click OK and try to connect. It should work. If not, take a look at the error page when setting up a VPN.

Update 1: Often people are interested in how several (more than one) clients from the same local network (behind nat) can connect to one remote Mikrotik vpn server. I don't know how to provide this in L2TP/IPSec. You can call it an implementation bug. I did not find a simple explanation and solution to the problem.


Settings for advanced users

Local network settings.

Your computer or router receives the IP address, routes, default gateway and domain name server (DNS) via DHCP.
A VPN connection over the L2TP (without IPsec) or PPTP protocol is used to access the Internet. We recommend using an L2TP connection.

Server addresses:

  • tp.internet.beeline.ru - for connection via L2TP protocol.
  • vpn.internet.beeline.ru - for connection via PPTP protocol.
For the VPN connection to work correctly, make sure that your security software does not block the ports used when establishing a VPN session:
  • L2TP - 1701
  • PPTP - 1723
  • www - 80/8080
Equipment - routers, switches.
We support and recommend the following models of routers for operation in the Beeline network:
  • Wi-Fi router Beeline
  • Beeline Smart Box
  • Beeline N150L
  • Beeline D150L
  • Asus 520GU
  • D-Link DIR 300/NRU rev. B1-B6, C1
  • Linksys WRT610n
This equipment has been tested by us and meets all the requirements for working in the Beeline network. Detailed information on setting up this equipment can be found in the "Router settings" section.
If your router is not on the recommended list, you can try setting it up yourself:
  • Make sure your router supports L2TP/PPTP.
  • Download the latest firmware from the manufacturer's website.
  • Enter tp.internet.beeline.ru or vpn.internet.beeline.ru as a vpn server
  • Set the acquisition of an IP address and DNS addresses to automatic (via DHCP).
  • Enter your registration details.
More information on setting up non-recommended hardware is available on the Beeline Home Internet user forum.

Television.

Watching TV with a set-top box (STB).

We support the following set-top box models*:
  • with TV control function: Cisco CIS 430, ISB7031, ISB2230, Motorola VIP 1216, 2262E, Tatung STB3210
  • without TV control function: Cisco CIS 2001, ISB2200, Motorola VIP 1200, 1002E, Tatung STB2530
* Other models of set-top boxes will not work with the Beeline-TV Digital Television service.

Watching TV on a computer:

To watch TV on your computer, install the free VLC program and download the channel list. You can find more detailed information on the Beeline Home Internet user forum.

Port numbers of the most common protocols

  • SMTP - 25
  • POP - 110
  • IMAP - 143 (993 IMAP over SSL)
  • SSL - 443
  • FTP - 21
  • SSH - 22
  • telnet - 23
  • www - 80, 8080
  • PPTP - 1723
  • L2TP - 1701
  • NTP - 123/UDP
Maximum Transmission Unit (MTU).
For VPN connection:
  • PPTP - 1460
  • L2TP - 1460
Maximum Receive Unit (MRU) - 1500

Maximum Segment Size (MSS).
For VPN connection:

  • PPTP - 1452
  • L2TP - 1460
