I’m trying to configure a CRS112 as an L2TP/IPSec server and I’ve found a strange problem (to me). With no filter rules and prior to configuring incoming destination NAT to the private network, L2TP/IPSec works fine. But after configuring incoming NAT (without filter rules) it always fails. On the other hand, masquerading outgoing connections to the Internet has no effect, and L2TP works with it configured.
First I’ve tried to follow the instructions here http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP in order to configure filter rules (input chain) to accept UDP ports 500, 1701, 4500 and the ipsec-esp protocol, with the same bad result whether using IPSec or not:
with IPSec: ipsec, error phase1 negotiation failed due to time up Origin IP[500]<=>Destination IP[500]
without IPSec: l2tp, info fisrt L2TP UDP packet received from Origin IP
I’ve also tried to disable (first) and then to eliminate all the firewall filter and NAT rules (except outgoing masquerade), but the problem remains and it is not possible to connect anymore, neither with L2TP/IPSec nor with plain L2TP. The only way I have is to reset the configuration and start again without incoming NAT rules.
As my client is publishing several services through his provider’s cable router, performing incoming destination NAT is a must for me, so the MikroTik needs to have the public IP address to become an L2TP/IPSec server.
I’ve spent almost all Friday morning and the whole day yesterday trying and debugging a configuration that could easily be done in less than 1 hour. Is there any known issue related to CRS and L2TP (or PPP)?
I forgot to mention another problem that points to the firewall as the cause of the problems with the CRS. After configuring incoming NAT, the router can’t be pinged and loses the default gateway (unreachable).
I’m using ether1-master-local as the router interface; the rest of the RJ-45 switched interfaces now have ether2-master-local as master, and the SFP interfaces have sfp9-master-local.
As the problem is not only related to L2TP (see my second post), I’m wondering if there is an intrinsic mechanism triggered by configuring this kind of rule in the firewall. The Ethernet ports are all switched together by default on the CRS, and I’ve changed this configuration.
Forgot to mention the RouterOS version of the CRS is 6.30.4.
Now, after resetting the config once more, I’m suffering continuous disconnections of winbox and I’m thinking more seriously about a possible bug or hardware problem.
Has anybody had this kind of problem with CRS112 devices?
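For reference, here are the input-chain rules described on the linked wiki page written out as RouterOS commands, together with a destination-NAT rule that is scoped to a single published service. This is an added example, not configuration taken from the post above; the interface name ether1-master-local is the one mentioned in the post, while the internal host address, the published port and the rule comments are assumptions for illustration.

```routeros
# Added example (not from the original post). Assumes the WAN interface is
# ether1-master-local and that a web service lives on 192.168.88.10 (constructed).

/ip firewall filter
# Keep the VPN accept rules ABOVE any drop rule in the input chain.
add chain=input connection-state=established,related action=accept \
    comment="return traffic"
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T for IPsec"
add chain=input protocol=ipsec-esp action=accept \
    comment="ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP, only when it arrives inside an IPsec SA"
add chain=input protocol=icmp action=accept \
    comment="allow ping to the router"
add chain=input in-interface=ether1-master-local action=drop \
    comment="drop everything else from the WAN"

/ip firewall nat
# Match the protocol and port explicitly. A dstnat rule that matches only on
# dst-address (or on in-interface alone) redirects every inbound packet to the
# internal host, including UDP 500/4500/1701, ESP and ICMP echo requests.
add chain=dstnat in-interface=ether1-master-local protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="published HTTPS service (constructed example)"
add chain=srcnat out-interface=ether1-master-local action=masquerade \
    comment="outgoing masquerade"
```

A quick check after adding NAT rules is `/ip firewall nat print` followed by `/ip firewall nat print stats`: every dstnat rule should carry a protocol and dst-port, and the packet counters show which rule is actually catching the VPN's UDP 500/4500 traffic when the tunnel stops negotiating. The `ipsec-policy=in,ipsec` matcher on the L2TP rule makes the firewall accept port 1701 only for packets that were decapsulated from IPsec, so a plain-L2TP client cannot bypass the encrypted path.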