I have 2 offices connected together with 2 RB3011UiAS routers using an EoIP/IPsec Tunnel. Traffic is flowing between the 2 sites as expected.
I need to add the ability to allow RoadWarriors or remote users to connect to the main office for access to a Remote Access Server with clients: Windows 10, Apple iOS devices & Android devices.
I need a more secure way to allow Remote Desktop connections than using NAT port forwarding rules.
After reading many documents on secure remote access, OpenVPN seems like an option and allows me to use certificates for a more secure connection, but the user setup isn’t simple enough for most of my users. L2TP/IPsec is a pretty easy client setup but doesn’t appear to allow the use of certificates. EoIP/IPsec & L2TP/IPsec use the default profiles and proposals, so you can’t create an identity to allow certificates.
If I setup L2TP/IPSec to allow remote users to connect, the EoIP connection stops working and no longer connects. I can get either one of the EoIP or L2TP connections working by themselves but not together.
Questions:
- What is the best/secure way to allow remote users access to a private network?
- Can EoIP/IPsec & L2TP/IPsec work on the same router at the same time?
- Is there a way to use certificates with EoIP/IPsec & L2TP/IPsec setups?
- Is it better to use a separate router behind my main router to allow remote connections?
Hi!
I have been using EoIP/IPsec & L2TP/IPSec on multiple environments just fine.
Can you share your config to see what might cause the issues?
Here is the config for both routers with only the EoIP/IPsec point-to-point connection.
Two Offices:
SP - Main Office
WAN:192.168.5.1/24
LAN:192.168.1.254/24
HV - Remote Office
WAN:192.168.6.1/24
LAN:192.168.3.254/24
SP Config:
# model = RouterBOARD 3011UiAS
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface eoip
add allow-fast-path=no ipsec-secret=IPsecPassword local-address=\
192.168.5.1 mac-address=00:00:5E:15:BE:2E name=sp2hv remote-address=\
192.168.6.1 tunnel-id=10
/interface list
add name=WAN
add name=LAN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.254/24 comment="Local Network" interface=ether2 \
network=192.168.1.0
add address=192.168.5.1/24 comment="Public WAN" interface=ether1 network=\
192.168.5.0
add address=172.22.22.1/30 interface=sp2hv network=172.22.22.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.90.126 comment="Admins local network" list=Admins
add address=8.2.8.125 comment="Admins public IP" list=Admins
add address=192.168.1.0/24 comment="Springdales Local LAN" list=LocalLAN
/ip firewall filter
add action=accept chain=input comment=\
"Allow access to the router from LAN using address list LocalLAN" \
in-interface=bridge1 src-address-list=LocalLAN
add action=accept chain=input comment=\
"Allow admins access from the WAN ether1 using address list Admins" \
in-interface=ether1 src-address-list=Admins
add action=drop chain=input comment=\
"Block anyone but my network from using DNS server." dst-port=53 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
"Allow established & related connections to the router" connection-state=\
established,related
add action=accept chain=input comment="Allow GRE for eoip tunnel from ether1" \
in-interface=ether1 protocol=gre
add action=drop chain=input comment="Drop All other traffic to the router" \
log=yes log-prefix=DropAllOther
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=forward comment=\
"Allow established, related & new connections from the LAN" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop All Forward" log=yes log-prefix=\
Final-drop
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.5.254
add distance=1 dst-address=192.168.3.0/24 gateway=172.22.22.2
/system identity
set name=SP
HV Config:
# model = RouterBOARD 3011UiAS
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/interface eoip
add allow-fast-path=no ipsec-secret=IPsecPassword local-address=\
192.168.6.1 mac-address=00:00:5E:FF:B9:1C name=hv2sp remote-address=\
192.168.5.1 tunnel-id=10
/interface list
add name=WAN
add name=LAN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.6.1/24 comment="Public WAN" interface=ether1 network=\
192.168.6.0
add address=192.168.3.254/24 comment="Local LAN" interface=ether2 network=\
192.168.3.0
add address=172.22.22.2/30 interface=hv2sp network=172.22.22.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=172.16.90.126 comment="admins local network" list=Admins
add address=8.2.8.125 comment="admins public IP" list=Admins
add address=192.168.3.0/24 list=LocalLAN
/ip firewall filter
add action=accept chain=input comment=\
"Allow access to the router from LAN using address list" in-interface=\
bridge1 src-address-list=LocalLAN
add action=accept chain=input comment=\
"Allow admins access from the WAN ether1 using the Admins Address List" \
in-interface=ether1 src-address-list=Admins
add action=drop chain=input comment=\
"Block anyone but my network from using DNS server." dst-port=53 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
"Allow established & related connections to the router" connection-state=\
established,related
add action=accept chain=input comment="Allow GRE for eoip tunnel from ether1" \
in-interface=ether1 protocol=gre
add action=drop chain=input comment="Drop All other traffic to the router" \
log=yes log-prefix=DropAllOther
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=forward comment=\
"Allow established, related & new connections from the LAN" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop All Forward" log=yes log-prefix=\
Final-drop
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.6.1
add distance=1 dst-address=192.168.1.0/24 gateway=172.22.22.1
/system identity
set name=HV
This setup works for sending traffic between both offices. Since the EoIP/IPsec setup automatically generates the IPsec part, I don’t see any way to use certificates.
I reset everything and started over so I will work on adding the RoadWarrior L2TP/IPsec setup and post it next.
I added the client setup as follows:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des,des pfs-group=modp2048
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=\
pass max-mru=1460 max-mtu=1460 use-ipsec=required
/ip firewall filter
add action=accept chain=input comment="Allow l2tp on udp port 500,1701,4500" \
in-interface=ether1 port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow l2tp on Protocol 50 (ESP)" \
protocol=ipsec-esp
/ppp secret
add local-address=192.168.1.254 name=client1 password=password remote-address=\
192.168.1.200 service=l2tp
add local-address=192.168.1.254 name=client2 password=password \
remote-address=192.168.1.201 service=l2tp
When I first set up these routers I had clients connecting. Using the same setup as before, the first time I tried this yesterday the clients would not connect. I kept getting errors: “…possible wrong password” & “…connection rejected no ipsec encryption while it was required”.
After many hours of research and troubleshooting I finally deleted all the L2TP/IPsec settings in the router and client devices and started over. This time it allowed connections from Windows, Android and iOS devices and the link between the 2 routers continued to work.
I can’t explain why it didn’t all work together before and now it does…
Since both connections (EoIP & L2TP) automatically generate the required IPsec settings, how do you use certificates?
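Added example (not from this thread, and not MikroTik code): a small Python audit script for the two things worth checking in exports like the ones posted above before widening a proposal list to get clients connecting. It joins RouterOS /export continuation lines (the trailing backslashes), parses the key=value entries, and then reports weak algorithms in /ip ipsec proposal (des, 3des, sha1), a short ipsec-secret on the L2TP server or EoIP interface, and input-chain accept rules for GRE, ESP and UDP 500/1701/4500 that are either missing or placed after a catch-all drop and therefore never match. The sample export is constructed for this example (the ESP rule is left out and the accept rules are ordered after the drop on purpose), and the 20-character secret threshold is an assumed local policy, not a RouterOS setting.

```python
"""Offline audit of a RouterOS /export: weak IPsec proposal algorithms, a short
IPsec pre-shared secret, and missing or shadowed input-chain accept rules for
EoIP (GRE) and L2TP/IPsec (UDP 500/1701/4500, ESP)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample modelled on the exports in this thread. The ESP accept rule
# is deliberately missing and the accept rules sit after the catch-all drop so
# that every check below has something to report.
SAMPLE_EXPORT = r"""
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des,des pfs-group=modp2048
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=\
pass max-mru=1460 max-mtu=1460 use-ipsec=required
/ip firewall filter
add action=accept chain=input comment="Allow established & related" \
connection-state=established,related
add action=drop chain=input comment="Drop All other traffic to the router" \
log=yes log-prefix=DropAllOther
add action=accept chain=input comment="Allow l2tp on udp port 500,1701,4500" \
in-interface=ether1 port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow GRE for eoip tunnel from ether1" \
in-interface=ether1 protocol=gre
"""

WEAK_ENC = {"des", "3des", "null"}
WEAK_AUTH = {"md5", "sha1", "null"}
MIN_SECRET_LEN = 20  # assumed local policy threshold, not a RouterOS setting
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
Config = Dict[str, List[Dict[str, str]]]


def parse_export(text: str) -> Config:
    """Return {menu path: [entry dicts]} in export order. A trailing backslash
    continues the line, exactly as RouterOS /export wraps long lines."""
    joined = text.replace("\\\n", "")
    sections: Config = defaultdict(list)
    menu = ""
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        body = re.sub(r"\[.*?\]", "", line)  # drop the "[ find ... ]" selector
        verb, _, rest = body.partition(" ")
        entry = {"_cmd": verb}
        for key, val in KV_RE.findall(rest):
            entry[key] = val.strip('"')
        sections[menu].append(entry)
    return sections


def audit_proposals(cfg: Config) -> List[str]:
    findings = []
    for p in cfg.get("/ip ipsec proposal", []):
        for alg in p.get("enc-algorithms", "").split(","):
            if alg in WEAK_ENC:
                findings.append(f"proposal offers weak cipher: {alg}")
        for alg in p.get("auth-algorithms", "").split(","):
            if alg in WEAK_AUTH:
                findings.append(f"proposal offers weak integrity algorithm: {alg}")
    return findings


def audit_secrets(cfg: Config) -> List[str]:
    findings = []
    for menu in ("/interface l2tp-server server", "/interface eoip"):
        for e in cfg.get(menu, []):
            secret = e.get("ipsec-secret")
            if secret is not None and len(secret) < MIN_SECRET_LEN:
                findings.append(f"{menu}: ipsec-secret is only {len(secret)} characters")
    return findings


def _is_catch_all(rule: Dict[str, str]) -> bool:
    """A drop with no matcher besides chain/comment/log shadows every later rule."""
    matchers = set(rule) - {"_cmd", "action", "chain", "comment", "log", "log-prefix"}
    return rule.get("action") == "drop" and not matchers


def audit_input_chain(cfg: Config) -> List[str]:
    needed = {k: False for k in ("gre", "ipsec-esp", "udp 500", "udp 1701", "udp 4500")}
    findings, shadow_from = [], None
    for i, rule in enumerate(cfg.get("/ip firewall filter", [])):
        if rule.get("chain") != "input":
            continue
        if shadow_from is None and _is_catch_all(rule):
            shadow_from = i
            continue
        if rule.get("action") != "accept":
            continue
        proto = rule.get("protocol")
        ports = sorted((rule.get("port") or rule.get("dst-port") or "").split(","))
        hits = [proto] if proto in ("gre", "ipsec-esp") else []
        if proto == "udp":
            hits = [f"udp {p}" for p in ports if f"udp {p}" in needed]
        for h in hits:
            if shadow_from is not None:
                findings.append(f"input accept for {h} (rule {i}) is shadowed by "
                                f"catch-all drop (rule {shadow_from})")
            else:
                needed[h] = True
    findings += [f"no effective input accept for {k}" for k, ok in needed.items() if not ok]
    return findings


def audit(text: str) -> List[str]:
    cfg = parse_export(text)
    return audit_proposals(cfg) + audit_secrets(cfg) + audit_input_chain(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against a saved `/export` file by passing the file contents to `audit()`; a clean result is an empty list. The order check matters because RouterOS evaluates filter rules top to bottom, so an accept added after the "Drop All other traffic" rule never matches, which looks identical from the client side to a wrong pre-shared key.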