Community discussions

MikroTik App
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Q: VPN L2TP/IPSec

Wed Mar 07, 2012 10:32 am

Hello,

i need little help with L2TP/IPSec VNP. ere is what is going...

I got working VPN on ROS, which is on Public IP and two clients on same LAN on remote location.
One client is able to connect and the second isnt, is it possible to resolve this in some way ?

thank you for reply
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Thu Mar 08, 2012 4:14 pm

nobody ? :/
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Mon Mar 12, 2012 4:55 pm

somebody must know something about this :)
 
samsung172
Forum Guru
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway
Contact:

Re: Q: VPN L2TP/IPSec

Mon Mar 12, 2012 6:06 pm

U need to explane a bit more. Maybe with your config.
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Tue Mar 13, 2012 10:39 am

U need to explane a bit more. Maybe with your config.
thank you for reaction. I will try to explain my problem more...

Im trying to use L2TP/IPSec VPN. For now I have router with public IP and working VPN server, configured by several manuals to work with windows.... but the problem is this.

When a client try to connect to VPN server, everything work fine, VPN is established and network is reachable. But if there is another client on the same remote network and he try to connect to VPN server, the connection will fail, because there is established connection and remote peer for the first client with same IP. even if first client disconects and second try to connect, he fails (because of remote peer on the router with same IP)

Is it possible to resole this in some way ?

here is config I use:
Firewall rules:
196   ;;; L2TP/IPSec VPN na router
     chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=500 
197   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=500 
198   chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=1701 
199   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=1701 
200   chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=4500 
201   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=4500 
IPSec rules:
;;; L2TP VPN
     address=0.0.0.0/0 port=500 auth-method=pre-shared-key 
     secret="supersecretpassword" generate-policy=yes 
     exchange-mode=main send-initial-contact=no nat-traversal=yes 
     my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 
IPSec proposal:
 name="L2TP/IPSec VPN" auth-algorithms=sha1 enc-algorithms=3des 
      lifetime=1d pfs-group=modp1024 
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Thu Mar 22, 2012 3:08 pm

still nobody ?
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Sat Mar 24, 2012 9:32 pm

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user.
(but this is a idea I haven't done l2tp only openvpn and ipsec tunnel)
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Mon Mar 26, 2012 9:36 am

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user.
(but this is a idea I haven't done l2tp only openvpn and ipsec tunnel)
yes, there is posibility to turn on only one server and users are dynamic
no, every user have his own secret

I think there will be some problem with IPSec, not L2TP
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Mon Apr 02, 2012 4:59 pm

nobody ? :)
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Thu Apr 05, 2012 4:22 pm

Come on guys
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Thu Apr 05, 2012 11:56 pm

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user.
(but this is a idea I haven't done l2tp only openvpn and ipsec tunnel)
yes, there is posibility to turn on only one server and users are dynamic
no, every user have his own secret

I think there will be some problem with IPSec, not L2TP
Ok, I will try your config, but I have openvpn config too in our routers and it is same.
There are in the secret IPs of user: local and remote.
If you have secrets separately for users then you need to add local and remote IP pair and you have to use /30 (255.255.255.252) mask!! (eg. ...0 is net, ... 1 is local, ...2 is remote, ...3 is broadcast)
And you can use ...5 ...6 but you can not use ...11 ...12 pair... and more.
(You didn't copy/paste to here secret config.)
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Fri Apr 06, 2012 12:02 am

What is your ROS version??
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Fri Apr 06, 2012 12:26 am

"nat-traversal=yes "
Why?

and where is this?
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN;
(ip protocol 50 for ESP)
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Fri Apr 06, 2012 9:16 am

Ok, I will try your config, but I have openvpn config too in our routers and it is same.
There are in the secret IPs of user: local and remote.
If you have secrets separately for users then you need to add local and remote IP pair and you have to use /30 (255.255.255.252) mask!! (eg. ...0 is net, ... 1 is local, ...2 is remote, ...3 is broadcast)
And you can use ...5 ...6 but you can not use ...11 ...12 pair... and more.
(You didn't copy/paste to here secret config.)
Thank you.
users have IPs from DHCP server, only local address are manualy entered (on the router side)

this is ppp profile config
0 * name="default" local-address=192.168.1.1 remote-address=LAN use-mpls=default use-compression=yes use-vj-compression=yes use-encryption=required only-one=no change-tcp-mss=yes rate-limit=10m/10m dns-server=192.168.1.10 wins-server=192.168.1.10
and ppp secrets are on this profile
What is your ROS version??
v5.14 on RB1100AHx2
"nat-traversal=yes "
Why?

and where is this?
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN;
(ip protocol 50 for ESP)
NAT travelsal
because almost every user conecting from behind some NATed network

ipsec-esp
I had this rule in firewall, but it wasnt used in any way (there were no packet flow) so I deleted it and it works without it
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Fri Apr 06, 2012 8:03 pm

Ok, you are right!
Need NAT-T for NATed user.
But I don't understand your all config because I tested today with my 1100AH (ROS 5.14) and I needed this:

mod: I tested with: win7, winXP and Android phone are working well.

1. (you need separate l2tp-server /user with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes\
max-mru=1460 max-mtu=1460 mrru=disabled

2. (you need separate secret /user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test\
password=gizi123 profile=profile1 routes="" service=l2tp

3.
/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default\
remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no\
use-mpls=default use-vj-compression=yes

4. ipsec peer
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
send-initial-contact=no

5. (because if you use generated ipsec policy then it will use default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024

6. ip pool for IP assignments (not DHCP-server what you wrote)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100

7. firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Sat Apr 07, 2012 9:13 pm

Ok, you are right!
Need NAT-T for NATed user.
But I don't understand your all config because I tested today with my 1100AH (ROS 5.14) and I needed this:

mod: I tested with: win7, winXP and Android phone are working well.

1. (you need separate l2tp-server /user with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes\
max-mru=1460 max-mtu=1460 mrru=disabled

2. (you need separate secret /user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test\
password=gizi123 profile=profile1 routes="" service=l2tp

3.
/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default\
remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no\
use-mpls=default use-vj-compression=yes

4. ipsec peer
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
send-initial-contact=no

5. (because if you use generated ipsec policy then it will use default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024

6. ip pool for IP assignments (not DHCP-server what you wrote)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100

7. firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
Thank you so very much. This worked perfectly for me!!! Been wanting to get L2TP working instead of PPTP. Now I can disable PPTP connections.
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Sun Apr 08, 2012 1:19 am

Further question, following your instructions worked well. However.....

If I create a new 'secret' for a new user and they try to simultaneously connect at the same time they can but one user will lose network access.

I have also created a new l2tp server interface and mapped the new user to it and the same thing still happens.

Specifics:-

User A connects to VPN. User A pings device on remote network. Device ping responds OK.
User B connects to VPN. User A can no longer ping that device but User B can.
User A will no longer have access to any device on remote network until they disconnect and reconnect.

Any advice?
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Sun Apr 08, 2012 12:18 pm

Please check assigned IPs for userA and userB.
Do you use pool for local and remote IP assignements?
Solutions:
1. you assign from pool but you need set for local and remote too!! (you can not give fix IP for local and dynamic for remote! because /30 mask)
2. you give fix IP for local and remote too ( you have to calculate IP address exactly for /30 mask!)

and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP.
(I tested it)
eg. if your users behind same firewall and it has a public IP and it is NATing your users then they will be shown with same public IP
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Sun Apr 08, 2012 8:19 pm

Please check assigned IPs for userA and userB.
Do you use pool for local and remote IP assignements?
Solutions:
1. you assign from pool but you need set for local and remote too!! (you can not give fix IP for local and dynamic for remote! because /30 mask)
2. you give fix IP for local and remote too ( you have to calculate IP address exactly for /30 mask!)

and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP.
(I tested it)
eg. if your users behind same firewall and it has a public IP and it is NATing your users then they will be shown with same public IP
Thanks for your reply.

The only difference was under the ipsec peer setup I used exchange-mode=main instead of exchange-mode=main-l2tp as the version on my mikrotik was 5.6 and did not support main-l2tp. I upgraded to 5.14 and changed it to use main-l2tp and it appears to be working ok now.

Thanks for your help.
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 9:22 am

Hi,

thank you for your exhausive explanation :) however, I have problem you described above
and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP.
(I tested it)
eg. if your users behind same firewall and it has a public IP and it is NATing your users then they will be shown with same public IP
this is what I need to solve. I got plenty of users on one remote LAN (with 1 public IP) and only the firs one is able to connect, others are screwed :)
1. (you need separate l2tp-server /user with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes\
max-mru=1460 max-mtu=1460 mrru=disabled
I dont think I need to create interface for every user when they are created dynamicaly by default
2. (you need separate secret /user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test\
password=gizi123 profile=profile1 routes="" service=l2tp
Yes I have this, every user have its own secret
/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default\
remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no\
use-mpls=default use-vj-compression=yes
I have configured profile for VPN
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
send-initial-contact=no
I have hanged from main to main-l2tp and see what will happen
5. (because if you use generated ipsec policy then it will use default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024
I came to this :)
6. ip pool for IP assignments (not DHCP-server what you wrote)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100
Why VPN user cannot get IP from same server as locally connected user ? I see no diference
7. firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
[/quote]
As i sad before, I had rule for protocol=ipsec-esp, but there wasnt any packet flow, so I deleted it, I will add it again ans see what will happen


by the way thank you for your time
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 12:53 pm

and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP.
(I tested it)
eg. if your users behind same firewall and it has a public IP and it is NATing your users then they will be shown with same public IP
this is what I need to solve. I got plenty of users on one remote LAN (with 1 public IP) and only the firs one is able to connect, others are screwed :)
I think this is your problem. You have to try from other IPs and not from same.
1. (you need separate l2tp-server /user with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes\
max-mru=1460 max-mtu=1460 mrru=disabled
I dont think I need to create interface for every user when they are created dynamicaly by default
Yes, may be you are right but I think because you have to give user name in l2tp-server therefore you need l2tp-server for each user separately.
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 1:41 pm

I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user.

This is a problem for me as you can't always guarantee where remote workers will be, there are times they may both be in the same place needing to connect back to the office. It works fine from separate public IP's.

This has never been an issue with L2TP on other routers I have used.

There must be a solution.
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 2:48 pm

I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user.

This is a problem for me as you can't always guarantee where remote workers will be, there are times they may both be in the same place needing to connect back to the office. It works fine from separate public IP's.

This has never been an issue with L2TP on other routers I have used.

There must be a solution.
precisely, you hit it, this is all I talking about all the time.

I had about 60 VPN users and they are offten on the same remote LAN and need to connect to office, but they cant...
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 4:35 pm


I had about 60 VPN users and they are offten on the same remote LAN and need to connect to office, but they cant...
Ok, but this is not problem of the mikrotik!
This is a property of ipsec.
a solution: use openvpn
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 4:46 pm

Ok thanks but Open VPN isn't an option to me as there is no iPad / iPhone client.

PPTP is the only other option.
 
Krusty
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri May 02, 2008 11:14 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 4:54 pm

Ok, but this is not problem of the mikrotik!
This is a property of ipsec.
a solution: use openvpn
so there is no solution to solve this behavior ? I didnt find any clean OpenVPN client with easy use, I have gourmet users :)
Ok thanks but Open VPN isn't an option to me as there is no iPad / iPhone client.

PPTP is the only other option.
PPTP is nice and clean, but not as safe as I would expect
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Q: VPN L2TP/IPSec

Tue Apr 10, 2012 4:58 pm

I agree about the PPTP thats why I have avoided it so far.
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Tue Apr 24, 2012 11:58 pm

Don't use i- pad/phone.. use Linux/Android.. ;)

so you can chose a simple client for openvpn: http://openvpn.net/index.php/open-source.html it is working well.
(and Linux knows openvpn basically)
 
_saik0
Member Candidate
Member Candidate
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

Re: Q: VPN L2TP/IPSec

Mon May 07, 2012 12:11 am

Someone should rename this topic to a more meaningful name.

Anyhow, same problem here with L2TP/IPSec and multiple clients behind one public IP. Is there really no solution or workaround?

OpenVPN w/ mikrotik isn't a solution since UDP support is missing; PPTP on the other hand isn't secure.
 
User avatar
xpkiller
just joined
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest
Contact:

Re: Q: VPN L2TP/IPSec

Thu May 10, 2012 12:51 am

Someone should rename this topic to a more meaningful name.

Anyhow, same problem here with L2TP/IPSec and multiple clients behind one public IP. Is there really no solution or workaround?

OpenVPN w/ mikrotik isn't a solution since UDP support is missing; PPTP on the other hand isn't secure.
Why can not you use openvpn w/ tcp?
Openvpn client (for win... and Linux) is support it.
 
tasc45
just joined
Posts: 2
Joined: Sat Aug 24, 2013 4:37 am

Re: Q: VPN L2TP/IPSec

Thu Aug 28, 2014 7:50 am

I am having a similar issue. I have a VoIP phone connecting remotely to a pbx server behind a mikrotik router.( connects via open ports on the firewall) The phone operates fine until I vpn to the remote network using my computer, which is on the same LAN as the phone. The minute i vpn the phone connection no longer works.

Once i disconnect from the vpn and reboot, the phone registers again without any problems.

My conclusion is because of the policy created, any traffic originating from that remote network connecting to the vpn with the same ip forces priority to the vpn connection and ignores any other connections for the same IP address. . How to i tell the router to allow firewall connections and vpn connections from the same remote IP address at the same time?

Who is online

Users browsing this forum: IvanEffiz, kolinsmk, voytecky and 98 guests