Martin Polden

IPsec VPN with RouterOS and Android

I occasionally use WiFi hotspots on my Android phone when I'm either running low on my data plan quota, or when I require more bandwidth. The problem is that most hotspots are insecure, and often use nothing but a basic captive portal for authentication.

Security considerations when using a hotspot

  • No encryption between client and hotspot, so anyone in radio range can eavesdrop on the traffic
  • The captive portal authorizes clients by MAC address, so any authenticated client can be impersonated simply by cloning its MAC address
  • No control over what happens to the traffic once it leaves the hotspot router (logging, fingerprinting, packet sniffing, MITM attacks etc.)

One mitigation for all three is a VPN: every packet leaves your device encrypted and is only decrypted on a router you control, so the hotspot operator and anyone else on the network see nothing but IPsec traffic to that router. Note that this is not end-to-end encryption: beyond the VPN endpoint the traffic is exactly as exposed as it would be from your home network, so sites still need TLS.

Configuring IPsec/L2TP on RouterOS

RouterOS has built-in support for IPsec/L2TP. The following steps describe a configuration that works with Android devices. It also enables NAT traversal (IKE and ESP carried over UDP/4500), so clients behind NAT, which is what most hotspots hand out, will work.

  • Enable L2TP server [doc]
/interface l2tp-server server set default-profile=l2tp enabled=yes
  • Add an IP address pool for clients [doc]
/ip pool add name=l2tp-pool ranges=192.168.0.10-192.168.0.20
  • Set the router IP inside the tunnel by adding a PPP profile [doc]
/ppp profile add local-address=192.168.0.1 name=l2tp remote-address=l2tp-pool
  • Add a PPP user [doc]
/ppp secret add name=myusername password=mypassword profile=l2tp service=l2tp
  • Configure IPsec proposal (phase 2) [doc]. 3DES is listed only for old clients; Android negotiates AES, so it can be dropped. Newer RouterOS releases name these ciphers aes-128-cbc, aes-192-cbc and aes-256-cbc.
/ip ipsec proposal set [ find default=yes ] \
enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
  • Configure IPsec peer (phase 1) [doc]. No address is given, so any client that knows the pre-shared key may negotiate; the key is the only thing authenticating this phase (the PPP username and password are checked later, inside the tunnel). A weak key can be guessed offline by an attacker who captures or impersonates the IKE exchange, which is exactly who sits on a hotspot, so use a long random string rather than a passphrase.
/ip ipsec peer add enc-algorithm=aes-256 exchange-mode=main-l2tp \
generate-policy=yes hash-algorithm=sha1 nat-traversal=yes \
secret=mysharedsecret send-initial-contact=no
  • Allow IPsec/L2TP traffic (and NAT traversal) in the firewall. These rules have no action, so they default to accept, and they are appended to the end of the input chain: if your chain ends with a drop rule, move them above it. The UDP/1701 rule as written also admits unencrypted L2TP from anywhere; on RouterOS releases that have the ipsec-policy firewall matcher, restrict it to packets decapsulated by IPsec (ipsec-policy=in,ipsec).
/ip firewall filter add chain=input dst-port=4500 protocol=udp
/ip firewall filter add chain=input dst-port=1701 protocol=udp
/ip firewall filter add chain=input dst-port=500 protocol=udp
/ip firewall filter add chain=input protocol=ipsec-esp
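
The steps above collected into one script that can be pasted into the RouterOS terminal. This is an added example, not the author's own configuration: it keeps the commands from the post and adds what I would want before exposing the service to the internet, namely an explicit action=accept on the firewall rules, MS-CHAPv2 only for PPP, 3DES dropped from the phase 2 proposal, and the plain L2TP port restricted to packets that arrived inside IPsec. It assumes a RouterOS 6.x release (the aes-*-cbc proposal names, generate-policy=port-override and the ipsec-policy matcher); on an older release use the names from the post. The addresses, myusername, mypassword and mysharedsecret are placeholders.

```routeros
# Added example: the post's L2TP/IPsec server steps as one script, with hardening.
# Not the author's script. Assumes RouterOS 6.x (aes-*-cbc proposal names,
# generate-policy=port-override and the ipsec-policy firewall matcher).
# Placeholders: 192.168.0.0/24 tunnel addresses, user myusername, mypassword and
# mysharedsecret. Replace both secrets with long random strings before use.

# --- PPP layer (runs inside the tunnel) ---
# Address pool handed to clients; 192.168.0.1 is the router's end of each link.
/ip pool add name=l2tp-pool ranges=192.168.0.10-192.168.0.20
/ppp profile add name=l2tp local-address=192.168.0.1 remote-address=l2tp-pool
# Per-user credentials, checked by PPP only after IPsec is up.
/ppp secret add name=myusername password=mypassword profile=l2tp service=l2tp
# Accept MS-CHAPv2 only: PAP/CHAP would expose the password if anything ever
# reached the L2TP server outside IPsec.
/interface l2tp-server server set enabled=yes default-profile=l2tp authentication=mschap2

# --- IPsec phase 2 (ESP) ---
# AES only: Android negotiates AES, so 3DES is left out. Append 3des to
# enc-algorithms only if a legacy client really needs it.
/ip ipsec proposal set [ find default=yes ] \
    enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc auth-algorithms=sha1 lifetime=1h

# --- IPsec phase 1 (IKEv1, main mode) ---
# address=0.0.0.0/0 lets any client that knows the PSK negotiate, which is what
# roaming clients need, so the PSK is the only gate at this layer.
# main-l2tp relaxes address matching for L2TP clients; port-override generates
# the transport-mode policy for each client's (possibly NAT'd) source port.
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp \
    enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp1024 \
    nat-traversal=yes generate-policy=port-override \
    secret=mysharedsecret send-initial-contact=no

# --- Firewall, input chain ---
# New filter rules are appended. If your input chain ends in a drop rule, move
# these above it afterwards (/ip firewall filter print, then /ip firewall filter move).
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP"
# L2TP (UDP/1701) is accepted only when the packet was decapsulated from IPsec,
# so nobody can speak plain L2TP/PPP to the router and brute-force PPP logins.
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP inside IPsec only"
```

After a client connects, /ip ipsec installed-sa print should show one ESP SA pair for it and /interface l2tp-server print a dynamic interface bound to the PPP user; if phase 1 completes but no SA appears, the phase 2 proposal is the first thing to compare against what the client offers.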

If RouterOS is not your thing, Debian has an excellent guide on setting up a similar Android-compatible VPN stack on their wiki.

Configuring Android client

These are steps required to configure the client-side on Android 4.2.2:

  • Go to Settings -> Wireless & Networks -> More… -> VPN
  • Add a new VPN profile, give it a name, enter the router's public address as the server address and set the type to L2TP/IPSec PSK
  • Enter your pre-shared key under IPSec pre-shared key
  • Connect and you will be prompted for your username and password, i.e. the PPP secret configured on the router