I have a configuration with L2TP clients (behind NAT) and an L2TP server, and this configuration works in tunnel mode but doesn't in transport mode.
The policy on the server side is a generic template:
[doka@Nachtigal] > /ip/ipsec/policy/print detail
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
0 T group=default src-address=srv.ext.ip/32 dst-address=0.0.0.0/0 protocol=udp proposal=l2ngr template=yes priority=0x10000
[doka@MICL] > /ip/ipsec/policy/print detail
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
3 peer=nach tunnel=yes src-address=0.0.0.0/0 src-port=65053 dst-address=srv.ext.ip/32 dst-port=1701 protocol=udp action=encrypt level=unique ipsec-protocols=esp proposal=l2ngr priority=0x20100 ph2-count=0 ph2-state=no-phase2
1 D peer=l2ng-in tunnel=yes src-address=srv.ext.ip/32 src-port=1701 dst-address=0.0.0.0/0 dst-port=61053 protocol=udp action=encrypt level=unique ipsec-protocols=esp sa-src-address=srv.ext.ip sa-dst-address=client.white.ip proposal=l2ngr priority=0x18000 ph2-count=1 ph2-state=established
To be frank, I have no idea why.
The client side is configured with 0.0.0.0/0 as src-address because it receives its IP address dynamically by DHCP, and (a) this is out of my control and (b) it can change at any time.
The server-side policy is configured with 0.0.0.0/0 because it's a server and needs to accept incoming connections from anywhere. Actually, from 0.0.0.0/0's point of view, tunnel vs transport mode should make no difference.
Where am I wrong?
Thank you.
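As an added example (not part of the post above and not MikroTik code), here is a small script that parses `/ip/ipsec/policy/print detail` lines of the form quoted in the post and checks two things a practitioner would check first: whether the server template's selectors actually cover the dynamic policy it is expected to generate, and whether the client's static policy and the server's policy for the same traffic mirror each other field by field (src/dst addresses, src/dst ports, protocol, tunnel flag). The three quoted lines are embedded as constructed sample input; the placeholders srv.ext.ip and client.white.ip are mapped to RFC 5737 example addresses, which is an assumption of the script, as is treating a missing address selector as "any". On the lines as pasted, the only mirrored field that differs is the port pair (client src-port 65053 versus server dst-port 61053); the script reports which fields differ and does not try to explain why.

```python
import ipaddress
from typing import Dict, List, Tuple

# Example addresses substituted for the placeholders used in the post;
# the concrete values are an assumption of this script (RFC 5737 ranges).
PLACEHOLDERS = {
    "srv.ext.ip": "198.51.100.10",
    "client.white.ip": "203.0.113.20",
}

# Constructed sample input: the three policy lines quoted in the post
# (server template, client static policy, server dynamic policy).
SERVER_TEMPLATE = (
    "0 T group=default src-address=srv.ext.ip/32 dst-address=0.0.0.0/0 "
    "protocol=udp proposal=l2ngr template=yes priority=0x10000"
)
CLIENT_POLICY = (
    "3 peer=nach tunnel=yes src-address=0.0.0.0/0 src-port=65053 "
    "dst-address=srv.ext.ip/32 dst-port=1701 protocol=udp action=encrypt "
    "level=unique ipsec-protocols=esp proposal=l2ngr priority=0x20100 "
    "ph2-count=0 ph2-state=no-phase2"
)
SERVER_DYNAMIC = (
    "1 D peer=l2ng-in tunnel=yes src-address=srv.ext.ip/32 src-port=1701 "
    "dst-address=0.0.0.0/0 dst-port=61053 protocol=udp action=encrypt "
    "level=unique ipsec-protocols=esp sa-src-address=srv.ext.ip "
    "sa-dst-address=client.white.ip proposal=l2ngr priority=0x18000 "
    "ph2-count=1 ph2-state=established"
)

Policy = Dict[str, str]


def parse_policy(line: str) -> Policy:
    """Parse one item line of `/ip/ipsec/policy/print detail`.

    The first token is the item number, bare tokens before the first
    key=value pair are item flags (T = template, D = dynamic, ...), and
    everything else is key=value.  Placeholder hostnames are replaced by
    the example addresses above so they can be parsed as networks.
    """
    tokens = line.split()
    policy: Policy = {"index": tokens[0], "flags": ""}
    for tok in tokens[1:]:
        if "=" not in tok:
            policy["flags"] += tok
            continue
        key, value = tok.split("=", 1)
        for name, addr in PLACEHOLDERS.items():
            value = value.replace(name, addr)
        policy[key] = value
    return policy


def _network(policy: Policy, key: str) -> ipaddress.IPv4Network:
    # Assumption: a missing address selector means "any".
    return ipaddress.ip_network(policy.get(key, "0.0.0.0/0"), strict=False)


def template_gaps(template: Policy, policy: Policy) -> List[str]:
    """Selector fields of `policy` that `template` does not cover.

    A template can only produce a dynamic policy whose src/dst networks
    lie inside its own src/dst networks and whose protocol it allows.
    """
    gaps: List[str] = []
    for key in ("src-address", "dst-address"):
        if not _network(policy, key).subnet_of(_network(template, key)):
            gaps.append(f"{key}: {policy.get(key)} not inside {template.get(key)}")
    tproto = template.get("protocol", "all")
    if tproto not in ("all", policy.get("protocol", "all")):
        gaps.append(f"protocol: {policy.get('protocol')} != {tproto}")
    return gaps


# (client field, server field) pairs that must agree for one flow:
# the server's source is the client's destination and vice versa.
MIRROR_PAIRS = [
    ("src-address", "dst-address"), ("dst-address", "src-address"),
    ("src-port", "dst-port"), ("dst-port", "src-port"),
    ("protocol", "protocol"), ("tunnel", "tunnel"),
]


def mirror_mismatches(client: Policy, server: Policy) -> List[Tuple[str, str, str]]:
    """Fields where the client policy and the server's policy for the same
    traffic disagree, as (client field, client value, server value)."""
    out: List[Tuple[str, str, str]] = []
    for ckey, skey in MIRROR_PAIRS:
        cval, sval = client.get(ckey, "-"), server.get(skey, "-")
        if cval != sval:
            out.append((ckey, cval, sval))
    return out


if __name__ == "__main__":
    tmpl, cli, dyn = map(parse_policy, (SERVER_TEMPLATE, CLIENT_POLICY, SERVER_DYNAMIC))
    print("template gaps for dynamic policy:", template_gaps(tmpl, dyn) or "none")
    for field, cval, sval in mirror_mismatches(cli, dyn):
        print(f"mismatch on {field}: client={cval} server={sval}")
```

To use it on a live box, paste the output of `/ip/ipsec/policy/print detail` from both routers in place of the constructed strings (or feed the lines in from a file) and compare the client's static policy against the server's dynamic policy for that peer; when the two sides are switched between tunnel and transport mode, the `tunnel` pair in `MIRROR_PAIRS` is the field to watch.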