Basic question about L2TP + IPsec VPN

Hello people,

I just created many L2TP VPNs on many MikroTiks, you know, just creating a pool (outside the local network), many IP IPsec settings, PPP settings and adding the rules to allow the connection.
The VPNs are working fine.
I just realized that when I connect to one of these VPNs, I use the remote gateway to navigate to the Internet.
What is making the clients go out through the remote gateway?
Is there any setting to change to make clients use their local Internet connections?
If I uncheck the “Use the remote gateway” option on the client side I cannot reach the LAN through the VPN.
If you want I can attach the settings, but I just need to know where to configure a kind of split tunnel.

Any idea?
Thanks in advance.
Regards,
Damián

Hello people,

Adding the following:
I found: http://forum.mikrotik.com/t/l2tp-ipsec-tunnel-from-windows-split-tunnel-issue/120473/1
In this thread, Sob suggested unchecking the option to use the remote gateway on the client side and adding a route for the remote network.
As there are a lot of users and many use any connection wherever they are, I can’t create a script for all users.
Is there a way to configure the split tunneling from the server side?

Thanks in advance.
Regards

hi..

Could you post your config here? I tried to set this up also, but my phone can connect to the L2TP server but doesn’t have internet access and cannot access my LAN network.

Thanks.

My thread:

http://forum.mikrotik.com/t/l2tp-ipsec-server-for-remote-clients-can-connect-but-no-internet-cannot-access-local-lan/137705/1

Hello,

This is my config:

/ip pool
# Address pool handed out to L2TP clients; a separate subnet from the LAN
add name=poolL2TP ranges=192.168.6.10-192.168.6.254

/ip firewall filter
# Allow IKE (500), L2TP (1701) and NAT-T (4500) plus ESP/AH to the router itself
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah

/ip ipsec mode-config
add address-pool=poolL2TP name=L2TP_Config system-dns=no
/ip ipsec profile
# Phase 1 settings; modp1024 and 3des are only kept for old clients and are considered weak
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=profileL2TP
/ip ipsec peer
# Passive peer: the router only answers incoming IKE negotiations
add name=peerL2TP passive=yes profile=profileL2TP send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=proposal1
/ip ipsec identity
# PSK authentication; the policy is generated per client from the L2TP port
add generate-policy=port-override peer=peerL2TP remote-id=ignore secret=AnySecret
/ip ipsec policy
# Default policy template
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/interface l2tp-server server
# L2TP only accepted inside IPsec; MTU/MRU lowered for the tunnel overhead
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes ipsec-secret=AnySecret max-mru=1460 max-mtu=1460 use-ipsec=required
/ppp profile
# Server-side tunnel address is 192.168.6.1; clients get addresses from poolL2TP
add change-tcp-mss=yes dns-server=192.168.6.1,8.8.8.8 local-address=192.168.6.1 name=L2TP remote-address=poolL2TP
/ppp secret
add name=usuario password=AnyPassword profile=L2TP service=l2tp

I tested the PowerShell command to add the route and it worked fine, but it would be nice to know of any way to do the split tunnel from the server side.

Regards.
Damián

One idea is to set up a NAT rule, so data to the devices connected via L2TP looks like it originated from the MikroTik.

Example:
Network for L2TP 10.0.0.0/24
10.0.0.254/24 is the MikroTik

/ip firewall nat 
add action=src-nat chain=srcnat dst-address=10.0.0.0/24 to-addresses=10.0.0.254

So you don’t have to make any tweaks on the connected devices.

That’s default config for Windows clients, they use VPN as gateway for everything. I never understood this. As user, I need to access some remote private network, but why would I also want to do all my internet browsing through there? Same as server admin, I need users to access local network, but they should do their internet browsing through their own connection and not overload the one on server. Sure, in some cases it may be desirable to route everything through server, but as default? No, just no. But if I can judge by what Microsoft gave us, I must be in minority.

But it doesn’t end there. If I disable option to use VPN as default gateway, there’s another problem. There are three options for routes:

a) None, only manually added ones.
b) Class-based (also enabled by default), which is really bad. Depending on what address the client gets, Windows adds a route. If the address is 192.168.x.x, Windows adds a route to 192.168.x.0/24. Perfectly useless when you have a separate pool for VPN clients and your LAN is 192.168.y.0/24. If it’s 10.x.x.x, you’ll get a route to 10.0.0.0/8. So you can forget about connecting to two VPNs at once, where one has e.g. 10.0.1.0/24 and the other 10.0.2.0/24.
c) Routes from VPN server using DHCP. This one looks promising. Unfortunately, with RouterOS it’s supposedly supported only with IKEv2. And I say supposedly, because the manual says it’s there, but so far it doesn’t work for me. I see the client sending a DHCP request, but nothing comes back from the server. I’ll have to play with that some more.

In the end, option a) is not too bad. If you have static networks, it’s a one-time config. And if you have Windows 10 and don’t need to support older ones, it’s just one PowerShell command. Of course it wouldn’t be Microsoft if they did something completely right. You can disable VPN as gateway with another PowerShell command (Set-VpnConnection -Name “connection name” -SplitTunneling $True), but do you think it can also disable the class-based route? Because especially in case of 10.x.x.x, it can be problematic. Of course it can’t.

Thank you Sob,
Really good explanation!!!
Until now, I thought that the split tunnel option is something in the VPN server settings, but I do understand what you said and understand that it depends on this “Use default gateway in the remote network” Windows option. I never tested this behavior in other OSes.
In this case, I prefer not to change the VPN (if it works, don’t touch it) xD

Seho, I don’t understand what you mean. Maybe we have different concepts of “split tunnel”.
What I want is for clients to browse the Internet using their “local” gateways and only access the remote network through the VPN.
So, to navigate from one client, the packet should never reach the router, so the NAT rule should not apply; how can this NAT rule prevent clients from using the remote gateway to browse the Internet?

Regards,
Damián

The srcnat rule is a fix for this (when you have different subnets for LAN and VPN, uncheck remote gateway, but don’t add a manual route):

I just posted this for Windows in another thread. Here’s how to add a VPN tunnel in Windows 10. We push this out via group policy so it is available when users are off the network.

Add-VpnConnection -Name "SLHV CNE" -ServerAddress "<URL or IP>" -AllUserConnection:$true -AuthenticationMethod MSChapv2 -TunnelType L2TP -l2tppsk "<PSK>" -SplitTunnel:$false -EncryptionLevel Required -UseWinlogonCredential -PassThru -Force

Note the “-SplitTunnel:$false”. When users are connected, we route all traffic via the organization network so we can manage and inspect internet traffic. If you want split tunneling, change the option to “-SplitTunnel:$true”. I believe you’ll have to add static routes on the client in that case to route traffic over the L2TP VPN however.
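Putting the two client-side pieces from this post and Sob’s earlier one together, here is an added example (not from any poster in this thread) of creating the Windows 10 L2TP/IPsec connection with split tunneling on and then adding the single route the client needs for the remote LAN. The connection name, server address and the 192.168.8.0/24 prefix are placeholders; the PSK is prompted for rather than stored in the script.

```powershell
# Added example, not from the thread. Assumes Windows 10 with the built-in VpnClient module.
# Placeholder values: connection name, server address and the LAN prefix behind the VPN server.
$Name      = "Office L2TP"        # hypothetical connection name
$Server    = "vpn.example.com"    # placeholder: server FQDN or IP
$RemoteLan = "192.168.8.0/24"     # placeholder: LAN reachable only through the VPN

# 1. Create the connection with split tunneling enabled, i.e. "Use default gateway on
#    remote network" unchecked. Internet traffic keeps using the client's local gateway.
#    For an existing connection use instead:
#    Set-VpnConnection -Name $Name -SplitTunneling $True
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk (Read-Host -Prompt "Pre-shared key") -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -SplitTunneling -RememberCredential -Force

# 2. Add the route for the remote LAN. Once the VPN is no longer the default gateway,
#    the automatic class-based route only covers the VPN pool's own network, so the
#    client has no path to 192.168.8.0/24 without this entry.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteLan -PassThru

# 3. Verify: SplitTunneling should be True and the remote LAN should appear under Routes.
Get-VpnConnection -Name $Name | Select-Object Name, SplitTunneling, Routes
```

The route is stored with the connection, so it is applied every time the VPN comes up and does not depend on the client’s current network. If several remote LANs sit behind the same server, repeat step 2 once per prefix.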

Thank you, this is a good method to create the VPN:
When users are away, they cannot log in to AD, so they won’t be able to get the settings. The client could reach AD if the VPN were already created.
But this will help me later.

Regards,
Damian

I mostly create VPN tunnels with the VPN subnet being different from the LAN subnet and I do not have to create any src-nat rule on the VPN server… Enabling split tunneling on the client machine is all it takes for it to work…
So, maybe you mean something else?

Hello,

In my tests, if I uncheck the “Use the remote gateway” option, I cannot reach the remote network unless I manually add a route on the client side if the VPN subnet is different from the LAN subnet.
When the VPN subnet is inside the LAN subnet I do not need to add a route.

Regards,
Damián

Let me give a totally simple example…
VPN server 10.10.10.1, VPN client 10.10.10.2…
So I am on my computer connected to the VPN server and I have been assigned the address 10.10.10.2…
I want to reach the VPN server’s LAN network that is 192.168.8.0/24 and specifically the server 192.168.8.10…
The only thing I will do is add a dst-nat rule on my VPN server for dst-address e.g. 10.10.10.10 and dst-nat to 192.168.8.10…

This means that from my computer I will initiate e.g. a remote session with that computer by just using the address 10.10.10.10, and I will immediately be port forwarded to 192.168.8.10…
I do not need any route, since my computer knows how to reach that network, and of course there is no need for any src-nat rule on the VPN server…
And of course remote gateway is unchecked under the VPN network settings…

Ok, thanks
I understand this, I don’t know if I will need this in the future but it is a great idea!

Regards,
Damián