Force L2TP (IPsec) tunnel over specific WAN interface

So I have two ISPs, both are members of the “WAN” interface list in Interface>List.

I have ExpressVPN configured with L2TP+IPsec with NAT/policy routing for LAN and it works as expected.

But by default RouterOS picks the shortest route to establish the tunnel and that’s WAN1. I’ve tried with mangle to force the L2TP tunnel over WAN2 but it simply does nothing and keeps using the shortest route, aka WAN1. Any ideas on how to work around this?

Also, the freshly created L2TP client is now added to the “WAN” interface list, as I think it makes more sense than putting it on “LAN”: it is a VPN over WAN where LAN traffic goes through the VPN, hence acting as WAN itself. Maybe this is wrong though?

  1. Fill the src-address field in l2tp-client.
  2. Use /ip route rule (lookup-only-in-table) to force connections originating from this IP to the desired routing table.

ExpressVPN does not support static server IPs. They use DDNS-based hostnames and the IPs change in every session. It is a commercial VPN after all.

Any workaround?

src-address :)

Just what exactly do I use for the src-address in the L2TP client? Both my WANs are dynamic IPs over PPPoE.

I tried using something random/unused like “192.168.3.1” but that resulted in errors:

phase1 negotiation failed due to send error. 192.168.3.1[500]<=>45.56.157.40[500] 2bf06a1def2a7095:0000000000000000

Two possibilities:

  1. Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
  2. Add a script to the PPP profile used for PPPoE to update the address in l2tp-client and the route rule any time it changes.

Anyway, try to make it work with your current dynamic WAN address first.
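Both options from the answer above, written out as RouterOS v6 commands. This is an added example and not configuration from the thread; the interface and table names (pppoe-wan2, the empty bridge lo, the client l2tp-expressvpn, the routing table via-wan2, the profile wan2-profile) and the angle-bracket placeholders are assumptions. Option 2 keeps the table and route rule from option 1, drops the loopback address, and lets the PPP on-up script rewrite the source address whenever PPPoE comes up; use one option or the other, not both.

```routeros
# Added example, not from the thread. RouterOS v6 syntax.
# Assumed names: pppoe-wan2, lo, l2tp-expressvpn, table via-wan2, profile wan2-profile.

# --- Option 1: fixed source address on an empty bridge ---

# An empty bridge is never "down", so an address on it is always valid,
# and nothing else on the network depends on it.
/interface bridge
add name=lo protocol-mode=none comment="loopback for tunnel source addresses"
/ip address
add address=192.168.3.1/32 interface=lo comment="source address of l2tp-expressvpn"

# A routing table whose only default route leaves via WAN2.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=via-wan2 check-gateway=ping

# Packets sourced from the loopback address may use nothing but that table,
# so the IKE, ESP and L2TP packets of the tunnel are looked up in via-wan2
# from the moment the router creates them. Without this rule they take the
# main table and WAN1 wins, which is what mangle alone could not prevent.
/ip route rule
add src-address=192.168.3.1/32 action=lookup-only-in-table table=via-wan2 \
    comment="l2tp-src"

# The client binds to that address; the dynamic IPsec policy is built from it too.
# add-default-route=no: LAN traffic is steered into the tunnel by the existing
# mangle/route setup, not by a default route the client would install.
/interface l2tp-client
add name=l2tp-expressvpn connect-to=<server-hostname> user=<user> password=<password> \
    src-address=192.168.3.1 use-ipsec=yes ipsec-secret=<psk> add-default-route=no \
    disabled=no

# 192.168.3.1 is not routable on the internet, so it is masqueraded to the WAN2
# address on the way out; IPsec notices the NAT and uses NAT-T (UDP 4500).
# A general "out-interface=pppoe-wan2 action=masquerade" rule covers this already.
/ip firewall nat
add chain=srcnat src-address=192.168.3.1 out-interface=pppoe-wan2 action=masquerade

# --- Option 2: follow the dynamic PPPoE address instead of a loopback ---

# The on-up script runs each time the PPPoE link comes up. $"local-address" is
# the address PPP just assigned; the script points the client and the route
# rule (found by its comment) at it. The route rule then also pins all other
# traffic sourced from the WAN2 address to the WAN2 table, which is harmless.
/ppp profile
add name=wan2-profile on-up=":local a \$\"local-address\"; /interface l2tp-client set [find name=l2tp-expressvpn] src-address=\$a; /ip route rule set [find comment=\"l2tp-src\"] src-address=(\$a . \"/32\")"
/interface pppoe-client
set [find name=pppoe-wan2] profile=wan2-profile
```

With option 2 the client shows a send error for a few seconds whenever PPPoE renegotiates, until the on-up script has run; with option 1 the address never changes, which is why the thread ends up preferring it.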

I already have load balancing in place. Any way to intercept the initial L2TP connection/handshake using mangle/mark-connection rules instead? That would simplify this issue greatly.

You can try, if it’s the only L2TP connection originated by the router.
Mangle output and srcnat chains are at your service.
But I don’t see in what way it’s simpler.

Yeah, so I went with the null-bridge method, and it works!

Basically, I created a null bridge, then in IP>Address List I added a non-existent network and a single static IP on it, and used said IP for the L2TP client.

  1. I used “lookup” instead of “lookup-only” in IP>Routes to give it redundancy/failover, which works relatively well but isn’t that “fast” in switching between the available tables; it takes some time. Any workarounds?
  2. But how does this null-bridge/non-existent network/static address work though? I would like to understand it fundamentally.
  3. Also, I set the VPN client as “WAN” instead of “LAN” in the interface list to get it treated accordingly by the firewall filters; that’s logical, right?

  1. You can create a second l2tp tunnel through the second WAN connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel, especially if OSPF + BFD can be used on top of that.
  2. You need this address for two things: to choose the right route from the very moment the packet is created, and to create a valid IPsec policy.
     Some random address works because it will be src-nated anyway, and assigning it to any interface makes it valid.
     A loopback bridge is just as good a place for it as any other, with the addition that it won’t interfere with the behaviour of other interfaces, and does not depend on them working.
  3. That is totally up to you and depends on what is located on the other side of the tunnel.
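The two-tunnel layout from answer 1 above, as an added example that is not configuration from the thread: one L2TP client per WAN, each pinned with lookup-only-in-table, and the LAN routed through whichever tunnel currently answers. Assumed names: pppoe-wan1, pppoe-wan2, the empty bridge lo, clients l2tp-vpn1 and l2tp-vpn2, routing tables via-wan1, via-wan2 and vpn, LAN subnet 192.168.88.0/24; the angle-bracket values are placeholders. RouterOS v6 syntax.

```routeros
# Added example, not from the thread. RouterOS v6 syntax.
# Assumed names: pppoe-wan1, pppoe-wan2, lo, l2tp-vpn1, l2tp-vpn2,
# tables via-wan1 / via-wan2 / vpn, LAN 192.168.88.0/24.

# One loopback address per tunnel, so each tunnel can be pinned separately.
/interface bridge
add name=lo protocol-mode=none
/ip address
add address=192.168.253.1/32 interface=lo comment="src l2tp-vpn1"
add address=192.168.253.2/32 interface=lo comment="src l2tp-vpn2"

# Per-WAN tables and hard pins: tunnel 1 only ever leaves via WAN1, tunnel 2 via WAN2.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 routing-mark=via-wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=via-wan2 check-gateway=ping
/ip route rule
add src-address=192.168.253.1/32 action=lookup-only-in-table table=via-wan1
add src-address=192.168.253.2/32 action=lookup-only-in-table table=via-wan2

/interface l2tp-client
add name=l2tp-vpn1 connect-to=<vpn-host> user=<user> password=<password> \
    src-address=192.168.253.1 use-ipsec=yes ipsec-secret=<psk> add-default-route=no disabled=no
add name=l2tp-vpn2 connect-to=<vpn-host> user=<user> password=<password> \
    src-address=192.168.253.2 use-ipsec=yes ipsec-secret=<psk> add-default-route=no disabled=no

# Failover between two tunnels that are both already up: the distance-1 route is
# used while the far end of l2tp-vpn1 answers pings; check-gateway marks it
# unreachable otherwise and the distance-2 route takes over, with no IKE or
# L2TP renegotiation in the path. The blackhole keeps LAN traffic from falling
# back to the main table (plain WAN) when both tunnels are down.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-vpn1 routing-mark=vpn distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=l2tp-vpn2 routing-mark=vpn distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 type=blackhole routing-mark=vpn distance=3 \
    comment="no tunnel, no internet: do not leak around the VPN"

# LAN clients go into the vpn table and are hidden behind the active tunnel's
# address; the loopback sources are masqueraded on the physical WANs.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=vpn passthrough=no
/ip firewall nat
add chain=srcnat out-interface=l2tp-vpn1 action=masquerade
add chain=srcnat out-interface=l2tp-vpn2 action=masquerade
add chain=srcnat src-address=192.168.253.0/30 out-interface-list=WAN action=masquerade

# Treat the tunnels as WAN for the firewall (question 3): a "drop input from
# !LAN" policy then also applies to whatever arrives from the provider's side.
/interface list member
add list=WAN interface=l2tp-vpn1
add list=WAN interface=l2tp-vpn2
```

check-gateway=ping declares a gateway unreachable after two missed pings at the default 10 s interval, so this switch takes roughly 20 s; that interval is what OSPF with BFD would shorten to sub-second, but it needs a routing daemon on the far end, which a commercial VPN does not offer.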

Hi to xvo and the OP,
I have the same situation. I have three ISPs. ISP1 and ISP2 are set up with PCC for load balancing and failover. Now I want to force my ExpressVPN L2TP to dial out over the ISP3 interface instead of the default gateway. ISP3 is PPPoE and has a valid IP address. I am trying to follow the communication in this thread, but unfortunately I have only recently switched to MikroTik (coming from pfSense) and I am new to many concepts, so it is somewhat beyond my level. I am trying to read as much as possible to get this working, but it seems like I need a little bit of spoon-feeding to get me going and a bit of explanation in layman's terms. I would really appreciate it if you helped me with my situation. Many thanks.

xvo, can you please help me?
I have three FTTH links with 16 Mb bandwidth each, and I have successfully made a PCC load balancer using this script:

/interface ethernet
set [ find default-name=ether5 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes

/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
add address=192.168.1.4/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.4/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.4/24 interface=WAN3 network=192.168.3.0

# allow-remote-requests=yes answers DNS on every interface, the WANs included,
# unless the input chain filters TCP/UDP 53; this export has no filter rules.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall mangle
# Remember which WAN an inbound connection arrived on, so replies sent by the
# router itself (output chain) leave through the same WAN.
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    WAN2_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=\
    WAN3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes
# LAN traffic to the ISP subnets themselves must stay unmarked.
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    LAN
# PCC: hash addresses and ports into three buckets, one per WAN; a given
# connection always lands in the same bucket.
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
# Turn the connection mark into a routing mark for LAN-originated traffic.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface=LAN new-routing-mark=to_WAN3 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3

/ip route
# One table per routing mark, plus the main-table defaults ordered by distance
# for failover when a gateway stops answering pings.
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN3 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.1.1 scope=255
add check-gateway=ping distance=2 gateway=192.168.2.1 scope=255
add check-gateway=ping distance=3 gateway=192.168.3.1 scope=255

and on speedtest.com my speed is balanced at 48 Mb.
I added an ExpressVPN L2TP client in PPP, created a NAT rule to masquerade out-interface=l2tp-out,
and created a mangle rule:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn-now passthrough=no src-address=192.168.0.100-192.168.0.150

and created a route for the routing mark vpn-now:

/ip route
add distance=1 gateway=l2tp-out routing-mark=vpn-now

When I assign the IP 192.168.0.110 to my laptop the VPN works fine, but it is only using one of the WAN interfaces and it looks like I can't control which WAN the VPN connects through.
I need you to help me make a load balancer so that the VPN connects over all my WANs.
I can make three l2tp-out connections with my ExpressVPN account, but how can I make each L2TP connection go through one of the WANs and balance the whole thing?

Specify src-address in l2tp-out interfaces and use /ip route rule action=lookup-only-in-table (for these src-addresses) to force each of l2tp-out interfaces to use appropriate WAN.

Thank you xvo for the quick response.
And after doing this, how can I load balance the l2tp interfaces (the same way as for the WANs)?
And if I break the PCC load balancer and do what you have said, then I balance the whole thing, right?
Please be patient with me (new to all this).

With several L2TP tunnels to the same L2TP server you can actually do load balancing much more easily, as there is no NAT involved for traffic going into the tunnels: all you need is an ECMP route (or routes) on both sides to the needed destinations.
For example, if the first tunnel is 172.16.1.1 ↔ 172.16.1.100, the second 172.16.2.1 ↔ 172.16.2.100, the third 172.16.3.1 ↔ 172.16.3.100 and the local subnet is 192.168.0.1, then the routes will look like:

Default route on the client side:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1,172.16.3.1 check-gateway=ping

On the server side:
/ip route add dst-address=192.168.0.0/24 gateway=172.16.1.100,172.16.2.100,172.16.3.100 check-gateway=ping
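The two short answers above (pin each l2tp-out to its WAN with src-address plus a lookup-only-in-table rule, then ECMP across the tunnels), put together as an added example that is not configuration from the thread. It takes the premise of the answer literally: the L2TP server is yours too (a RouterOS box), so it can install the return route and no masquerade is applied to traffic entering the tunnels. It reuses the WAN1..WAN3 interfaces and to_WAN1..to_WAN3 tables from the PCC export earlier in the thread and the vpn-now mark from the post; the loopback bridge lo, the user names tun1..tun3, the address plan 172.16.n.1/172.16.n.100 and the angle-bracket values are assumptions. RouterOS v6 syntax on both ends.

```routeros
# Added example, not from the thread. RouterOS v6 syntax.
# Reuses WAN1..WAN3 and tables to_WAN1..to_WAN3 from the PCC export above and
# the vpn-now routing mark from the post. Tunnel n: server 172.16.n.1,
# client 172.16.n.100. Client LAN is 192.168.0.0/24.

# ===== client (the three-WAN router) =====

# One loopback address per tunnel; each is pinned to "its" WAN table, so the
# IKE/ESP/L2TP packets of tunnel n can only leave through WANn.
/interface bridge
add name=lo protocol-mode=none
/ip address
add address=192.168.250.1/32 interface=lo comment="src l2tp-out1"
add address=192.168.250.2/32 interface=lo comment="src l2tp-out2"
add address=192.168.250.3/32 interface=lo comment="src l2tp-out3"
/ip route rule
add src-address=192.168.250.1/32 action=lookup-only-in-table table=to_WAN1
add src-address=192.168.250.2/32 action=lookup-only-in-table table=to_WAN2
add src-address=192.168.250.3/32 action=lookup-only-in-table table=to_WAN3
# The existing "masquerade out-interface=WANn" rules already rewrite these
# sources to the public addresses; IPsec then negotiates NAT-T by itself.

/interface l2tp-client
add name=l2tp-out1 connect-to=<server> user=tun1 password=<pw> src-address=192.168.250.1 \
    use-ipsec=yes ipsec-secret=<psk> add-default-route=no disabled=no
add name=l2tp-out2 connect-to=<server> user=tun2 password=<pw> src-address=192.168.250.2 \
    use-ipsec=yes ipsec-secret=<psk> add-default-route=no disabled=no
add name=l2tp-out3 connect-to=<server> user=tun3 password=<pw> src-address=192.168.250.3 \
    use-ipsec=yes ipsec-secret=<psk> add-default-route=no disabled=no

# ECMP default route for the VPN-bound clients: one route, three next hops,
# each reachable only through its own tunnel. check-gateway=ping drops a hop
# whose far end stops answering. Because the server routes 192.168.0.0/24 back
# through the same tunnels, the "masquerade out-interface=l2tp-out" rule from
# the post is not needed and should be removed.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1,172.16.3.1 \
    routing-mark=vpn-now check-gateway=ping
# Must sit above the PCC mark-routing rules in mangle prerouting; passthrough=no
# keeps the PCC rules from re-marking these packets with to_WANn.
/ip firewall mangle
add chain=prerouting src-address=192.168.0.100-192.168.0.150 dst-address-type=!local \
    action=mark-routing new-routing-mark=vpn-now passthrough=no place-before=0

# ===== server =====

# Fixed per-user addresses, so the client's next hops are predictable.
/ppp secret
add name=tun1 password=<pw> service=l2tp local-address=172.16.1.1 remote-address=172.16.1.100
add name=tun2 password=<pw> service=l2tp local-address=172.16.2.1 remote-address=172.16.2.100
add name=tun3 password=<pw> service=l2tp local-address=172.16.3.1 remote-address=172.16.3.100
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=<psk>
# Return route to the client LAN, balanced over the same three tunnels.
/ip route
add dst-address=192.168.0.0/24 gateway=172.16.1.100,172.16.2.100,172.16.3.100 check-gateway=ping
# The server, not the client, hides the LAN behind its public address.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 out-interface=<server-wan> action=masquerade
```

RouterOS v6 spreads ECMP per route-cache entry (source/destination pair) and re-randomises the choice each time the cache is flushed, so a single long download stays on one tunnel and aggregate throughput, not per-flow throughput, is what gets balanced. With a commercial provider this layout is not available: there is no return route to install on their side, so each tunnel needs masquerade and traffic has to be spread with PCC marks over l2tp-out1..3 in the same way the export above spreads it over WAN1..3.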

xvo,
please help me.
When I put src-address in the L2TP client the VPN disconnects and never reconnects.
I put the routing rule in /ip route and still no connection.
Can you please specify the script needed to force each l2tp-out to use one of the WANs and PCC load balance the three: l2tp-out1, l2tp-out2, l2tp-out3?

Can you advise how to use this with RoS7.2.3? I’m using CCR2004.

I’ve followed this https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS

My VPN connection to Nord is working, but my specific client traffic is not going through there.

From RouterOS 7 you can use VRF.

I have tried this rule.
I’m able to ping only my LAN gateway 192.168.94.1 but not able to ping LAN IPs such as 192.168.94.44.