This article explains how to set up your Grandstream UCM6200 IPPBX with remote extensions over an IPSec+L2TP VPN, using a MikroTik Router as your Internet Gateway and VPN Server at Head Office and MikroTik Routers set up as VPN Clients for remote offices. This gives you control over the remote office connections, allows for remote management and maintains a high level of security, as your UCM does not have to be publicly accessible and no SIP ports need to be opened on your firewall. The MikroTik VPN Client Router is simply plugged into the client's local network and does not need to replace their existing Internet Gateway Router.



The following Head Office and Client Router exports can be pasted into the New Terminal window directly in MikroTik winbox or you can save each export with a .rsc extension (i.e. head_office.rsc, client_router.rsc), upload it to your MikroTik router and import the file.

  1. Save the exports onto your computer as head_office.rsc and client_router.rsc (paste into Notepad; when saving, change the type to "All Files" and ensure the filename has the .rsc extension).
  2. On your MikroTik, run the following command to perform a reset with no configuration:
    /system reset-configuration no-defaults=yes


  3. After your MikroTik router comes back, connect via winbox and drag 'n' drop the appropriate config file into the Files root directory.
  4. In the Terminal, restore the head_office.rsc file onto the Head Office router:
    /import file=head_office.rsc


  5. And restore the client_router.rsc file onto the Client Router:
    /import file=client_router.rsc


  6. Ensure you get a successful import response back and troubleshoot the script if you don't. You can do this by copying and pasting sections of the export into the router terminal to help locate the error.



Head Office Router with VPN Server Export:

/interface bridge
add name=lan1
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Gateway"
/ip pool
add name=dhcp ranges=192.168.10.3-192.168.10.254
add name=vpn-pool ranges=192.168.200.10-192.168.200.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=lan1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=192.168.10.1 local-address=192.168.200.1 name=ipsec-profile remote-address=vpn-pool
/interface bridge port
add bridge=lan1 hw=no interface=ether2
add bridge=lan1 hw=no interface=ether3
add bridge=lan1 hw=no interface=ether4
add bridge=lan1 hw=no interface=ether5
/interface l2tp-server server
# use-ipsec=yes still accepts plain (unencrypted) L2TP; use-ipsec=required only accepts L2TP inside IPSec
set default-profile=ipsec-profile enabled=yes ipsec-secret=ipsecsecretkey use-ipsec=yes
/ip address
# the LAN address belongs on the bridge (lan1), not on a bridge port; the DHCP server above is bound to lan1
add address=192.168.10.1/24 interface=lan1 network=192.168.10.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=accept chain=input comment="allow access to this router from lan" in-interface=lan1
add action=accept chain=input comment="allow established and related connections" connection-state=established,related
add action=accept chain=input comment="allow IPSec and L2TP" dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="allow GRE (not used by L2TP/IPSec, can be removed)" protocol=gre
add action=accept chain=input comment="allow IPSec-AH" protocol=ipsec-ah
add action=accept chain=input comment="allow IPSec-ESP" protocol=ipsec-esp
add action=drop chain=input comment="drop everything else into the router"
add action=drop chain=forward comment="drop invalid traffic through the router" connection-state=invalid
add action=accept chain=forward comment="accept local forwarding" in-interface=lan1
add action=accept chain=forward comment="allow established and related connections through the router" connection-state=established,related
add action=drop chain=forward comment="drop everything else through the router"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ppp secret
add name=john.doe password=johnspassword profile=ipsec-profile service=l2tp
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=Head-Office-Router



VPN Client Router Export:

/interface bridge
add name=lan1
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Gateway"
/interface l2tp-client
add allow-fast-path=yes connect-to=209.14.78.123 disabled=no ipsec-secret=ipsecsecretkey name=vpn-head-office password=johnspassword use-ipsec=yes user=john.doe
/ip pool
add name=dhcp ranges=192.168.20.3-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=lan1 name=dhcp1
/interface bridge port
add bridge=lan1 hw=no interface=ether2
/ip address
# the LAN address belongs on the bridge (lan1), not on a bridge port; the DHCP server above is bound to lan1
add address=192.168.20.1/24 interface=lan1 network=192.168.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=accept chain=input comment="allow access to this router from lan" in-interface=lan1
add action=accept chain=input comment="allow established and related connections" connection-state=established,related
add action=drop chain=input comment="drop everything else into the router"
add action=drop chain=forward comment="drop invalid traffic through the router" connection-state=invalid
add action=accept chain=forward comment="accept local forwarding" in-interface=lan1
add action=accept chain=forward comment="allow established and related connections through the router" connection-state=established,related
add action=drop chain=forward comment="drop everything else through the router"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=vpn-head-office
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=vpn-head-office
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=VPN-Client-Router


Important:

Be sure to change the following! The values defined have been used for simplicity and troubleshooting only.

  • Set a password on both routers for the admin user (currently the MikroTik default, which is blank - no password)
  • Change L2TP username and password (john.doe, johnspassword)
  • Change ipsec-secret password (ipsecsecretkey).
  • Change the connect-to IP Address in the Client Router config (This is the Public Internet IP Address of the Head Office Router).
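A quick pre-import check that the placeholder values listed above have actually been replaced. This is an added example, not part of the original article: the lint rules are mine, the two sample exports are constructed, and the note about use-ipsec=required refers to the RouterOS L2TP server setting that only accepts L2TP inside IPSec.

```python
"""Lint a MikroTik .rsc export for the placeholder values that must be changed."""
import re

# Placeholder values the article uses for simplicity; each must be replaced before import.
DEFAULT_VALUES = {
    "name=john.doe": "L2TP username is the article default",
    "user=john.doe": "L2TP username is the article default",
    "password=johnspassword": "L2TP password is the article default",
    "ipsec-secret=ipsecsecretkey": "IPsec pre-shared key is the article default",
    "connect-to=209.14.78.123": "connect-to still points at the article's example address",
}


def lint_rsc(text: str) -> list[str]:
    """Return one finding per problem found in the export; an empty list means clean."""
    findings, admin_password_set, section = [], False, ""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):          # a menu path such as "/interface l2tp-client"
            section = stripped
            continue
        for token, message in DEFAULT_VALUES.items():
            if re.search(r"(?<!\S)" + re.escape(token) + r"(?!\S)", stripped):
                findings.append(f"line {lineno}: {message} ({token})")
        # On the L2TP server, use-ipsec=yes still accepts plain L2TP; use-ipsec=required does not.
        if section == "/interface l2tp-server server" and re.search(r"(?<!\S)use-ipsec=yes(?!\S)", stripped):
            findings.append(f"line {lineno}: use-ipsec=yes does not enforce IPsec; set use-ipsec=required")
        if section == "/user" and stripped.startswith("set") and "password=" in stripped:
            admin_password_set = True
    if not admin_password_set:
        findings.append("no '/user set ... password=' line: admin keeps the blank MikroTik default password")
    return findings


# Constructed sample: two lines of the article's client export, left unchanged.
SAMPLE_CLIENT = """\
/interface l2tp-client
add allow-fast-path=yes connect-to=209.14.78.123 disabled=no ipsec-secret=ipsecsecretkey name=vpn-head-office password=johnspassword use-ipsec=yes user=john.doe
"""

# Constructed sample: the same client with site-specific values and an admin password set.
SAMPLE_HARDENED = """\
/interface l2tp-client
add connect-to=203.0.113.10 disabled=no ipsec-secret=REPLACE-WITH-LONG-RANDOM-PSK name=vpn-head-office password=REPLACE-ME use-ipsec=yes user=site-b
/user
set admin password=REPLACE-ME-TOO
"""
```

Run `lint_rsc` over each saved .rsc file before step 4; the head office export should also trigger the use-ipsec finding until that value is changed to required.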


Verify end-to-end connectivity over the VPN from the Client Router Network:

From port 2 on the Client Router you should receive an IP address of 192.168.20.x and should have internet connectivity. Ensure that you can ping the Head Office Network UCM IP Address. If you cannot ping the UCM, verify the VPN is connected and troubleshoot the MikroTik configuration.


UCM Setup:

Ensure you have a fully functioning system where you have phones registered to the UCM on the Head Office Router and can make outbound calls and calls to other extensions. In the following example I have set up two extensions, 1000 and 1001, which are registered and working on the Head Office network. I have then moved the phone registered to extension 1001 and connected it to port 2 of the MikroTik Client Router.


UCM Extensions:

There are no special settings required on the UCM or Extensions (unless you are experiencing issues):


I have provisioned the extensions via GDMS as Zero Config on the UCM requires additional configuration to be able to provision remote extensions over the VPN:

SIP Server:


SIP Accounts (Extensions):




Devices: