HELP: IP/SEC VPN for android and lost "standard" PPTP VPN

Hi guys.

I ve been reading and searching a solution for 2 problems i have im mu Mikrotik HaP Lite with 6.49.17.
The thing is i tried to setup an IPSEC VPN for acessing my home network with my android 14 phone. Because i am no expert, I followed this video:

https://www.youtube.com/watch?v=JYLbNWOCc2c&t=836s&ab_channel=MikrotikIndonesia-Citraweb

I have managed to stablish the VPN - my phone connects, but i do not reach any of my internal equipment (ex. network disk).
Also,- and that i did not know why - i lost / can not manage to connect using my “standard” PPTP VPN that comes with mikrotik “xxxxx.sn.mynetname.net” that i have being using my laptop PPTP PC connection.

Can someone give me a hand how to solve these situations?
tell me if you need any log / settings print i have that i will place it here.

I would be grateful

Kind regards.

Hi.

Anyone? No help at all? I would really like to solve this issue … thanks again!

Hi,

ikev2: If your hap lite is not the internet gateway, you will possibly need to put some sort of NAT on it, so vpn connections
to devices on the local network get masqueraded. (The devices on the local network will likely try to reply to the main gateway rather than the Mikrotik). Otherwise, not quite sure why they cannot connect.

pptp: I have read in these forums that some?? ISP’s are dropping gre packets (which pptp uses as its transport), as well
as pptp being old and very insecure.

You should perhaps use ikev2 for this also.
If you do it using certificates, (mikrotik has instructions) it is pretty solid.


Another (major) option would be to upgrade to version 7 and use wireguard for both clients.

I found this also, which might help.

add action=accept chain=input comment=“Allow IKEv2 Traffic” src-address=
172.17.153.0/24

Change 172.17… for the IP address range from your ikev2 pool.

http://forum.mikrotik.com/t/ikev2-ipsec-psk-server/161577/1

Hi.

Thanks for inputs / help.
Regarding IKEv2: in fact, the mikrotik is not my main gateway, is it behing the ISP router, with a DMZ for it.
In the NAT rules i have:

Rule 0 - defaut configuration:
[General]
Chain=scrnat
Out. Interface=ethr1-gateway
[Action]
Action=masquerade

Rule 1 - masq VPN traffic IPSEC
[General]
Chain=scrnat
Src. Address=10.10.11.0/24
[Action]
Action=masquerade

Rule 2 - masq VPN traffic
[General]
Chain=scrnat
Src. Address=192.168.89.0/24
[Action]
Action=masquerade
Rule 3
[General]
Chain=dstnat
Dst. Address=192.168.1.64 (my internal mikrotik IP)
Protocol=6 (tcp)
Dst. Port=21 (because i wanted to acess to internet FTP server)
In. interface=ether1-gateway
[Action]
Action=dstnat
To Addresses=192.168.2.94 (my internal FTP server ip)
To Port=21

Rule 4
[General]
Chain=dstnat
Protocol=6 (tcp)
Dst. Port=22 (because i wanted to acess to internet FTP server)
In. interface=ether1-gateway
[Action]
Action=dstnat
To Addresses=192.168.2.94 (my internal FTP servel ip)
To Port=21

Should i add the rule:
add action=accept chain=input comment=“Allow IKEv2 Traffic” src-address=
172.17.153.0/24, where “172.17…” should be the IP address range from your ikev2 pool (i’ve created one IP Pool, named “pool-vpn-ipsec”
Addresses=10.10.11.10-10.10.11.20 ?

ISP are not “cutting off” access to the pptp here at least yet, because i have the exact same equipment at my fathers home (and also same ISP, router and OS version) and i managed to connect with PPTP to his mikrotik with no problem (via windows of course). I think is something i did while trying to create ipsec VPN on my router that caused the no access problem, but i do not know what…!

Regarding upgrading for version 7, i ve read that my equipment - HaP lite - is very limited and it does not behave wellwith that OS versin, so i still have 6.49.17 version

Again that you for all the help and cooperation, waiting for your reply,

Kind regards,

Hi,

I have added the following rules near the top of a default config. (after accept icmp)

/ip firewall filter
…
add action=accept chain=input comment=“allow 500,4500 ipsec in” dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“allow ipsec-esp in (no nat)” protocol=ipsec-esp

Once the above are added, I can connect to the vpn.
and ping the router.

The following default rules (should be just before the fasttrack rule) are required.
With these rules I can connect (most everywhere) via the vpn.

add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec

In winbox/webfig you can watch the counters on these rules and see if they are being hit.

Hi. somehow i managed to gain access to PPTP VPN with placing firewall rules on the top. Still no access to local ip machines with IPSEC … VPN connects but no ping to internal machines! Even with the rules you have placed on the post… any suggestions?!

Kind regards,

Perhaps time for:

Thanks @mkx
Open terminal window and execute /export file=aynnameyouwish … fetch resulting file to your management computer, open it with your favourite text editor, redact any sensitive information (such as serial number, public IP address, wireless PSK, etc.) and copy-paste it inside

tag pair

Here it goes…

 
 # dec/04/2024 18:25:02 by RouterOS 6.49.17
# software id = xxxx-xxxx
#
# model = RouterBOARD 941-2nD
# serial number = xxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether1-gateway
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master-local
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether3-slave-local
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether4-slave-local
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    no_country_set default-authentication=no disabled=no disconnect-timeout=\
    10s distance=indoors frequency=2422 frequency-mode=manual-txpower \
    installation=indoor mode=ap-bridge ssid=xxxxxxxxx station-roaming=enabled \
    wireless-protocol=802.11 wmm-support=enabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=********* \
    wpa2-pre-shared-key=********
/ip ipsec policy group
add name=ipsec-ikev2
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp2048,modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256 name=ipsec-ikev
/ip ipsec peer
add exchange-mode=ike2 name=vpn-ikev2 passive=yes profile=ipsec-ikev
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ipsec-ikev2 \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.100
add name=VPN ranges=192.168.3.10-192.168.3.20
add name=vpn ranges=192.168.89.2-192.168.89.25
add name=pool-vpn-ipsec ranges=10.10.11.10-10.10.11.20
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local lease-time=1d name=default
/ip ipsec mode-config
add address-pool=pool-vpn-ipsec address-prefix-length=32 name=vpn-ipsec-ikev \
    system-dns=no
/ppp profile
add name=XXXXXX use-encryption=yes
add local-address=192.168.89.1 name=VPN-access remote-address=vpn \
    use-encryption=yes
add local-address=10.1.1.254 name=profile1
set *FFFFFFFE dns-server=192.168.2.254 local-address=192.168.89.1 \
    remote-address=vpn
/interface pptp-client
add connect-to=xxxxxxxxxxx.sn.mynetname.net mrru=1600 name=xxxxxxxxx \
    password=XXXXXXX profile=XXXXXX user=xxxxx
add connect-to=xxx.xxx.xxx.xxx mrru=1600 name=pptp-out2 password=xxxxxxx \
    profile=xxxxx user=xxxxxx
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
/ip neighbor discovery-settings
set discover-interface-list=mactel
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes ipsec-secret=xxxxxxxxxxxxx use-ipsec=yes
/interface list member
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=pptp-out1 list=discover
add interface=pptp-out2 list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=ether1-gateway list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless access-list
add comment="Allow Client above -75dbm" signal-range=-75..120 vlan-mode=\
    no-tag
add authentication=no comment="Deny Client below -75dbm" signal-range=\
    -120..-76 vlan-mode=no-tag
/ip address
add address=192.168.2.254/24 comment="default configuration" interface=\
    bridge-local network=192.168.2.0
add address=192.168.1.250/24 disabled=yes interface=ether1-gateway network=\
    192.168.1.0
/ip arp
add address=xxx.xxx.xxx.xxx interface=bridge-local mac-address=xx:xx:xx:xx:xx:xx
add address=xxx.xxx.xxx.xxx interface=bridge-local mac-address=xx:xx:xx:xx:xx:xx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" gateway=\
    192.168.2.254 netmask=24
/ip dns
set cache-max-ttl=1d servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.2.254 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=input comment="allow IPsec NAT & IKE" dst-port=\
    500,1701,4500 port="" protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" dst-port=1723 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="allow pptp" in-interface-list=WAN \
    protocol=gre
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="IPTV: accept IGMP" protocol=igmp
add action=accept chain=forward comment="IPTV: accept UDP forward" protocol=\
    udp
add action=accept chain=forward comment=NAS connection-nat-state="" \
    connection-state=established,related
add action=accept chain=forward connection-state=new dst-address=xxx.xxx.xxx.xxx \
    dst-port=21 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input disabled=yes in-interface-list=!mactel
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masq. vpn traffic IPSEC" \
    src-address=10.10.11.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.64 dst-port=21 \
    in-interface=ether1-gateway protocol=tcp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=21
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1-gateway \
    protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=22
add action=masquerade chain=srcnat comment=\
    "------------- NAT para VPN --------------" disabled=yes out-interface=\
    pptp-out1
add action=masquerade chain=srcnat disabled=yes out-interface=pptp-out2
add action=dst-nat chain=dstnat comment=\
    "-------------------- Webserver box -----------------------" disabled=yes \
    dst-port=xx in-interface=ether1-gateway protocol=tcp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=xxx
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.2.254 to-ports=10090-10100
/ip ipsec identity
add generate-policy=port-strict mode-config=vpn-ipsec-ikev peer=vpn-ikev2 \
    policy-template-group=ipsec-ikev2 secret=xxxxxxxx
/ip ipsec policy
add group=ipsec-ikev2 proposal=ipsec-ikev2 template=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.254
add distance=1 dst-address=10.5.5.0/24 gateway=pptp-out1
add distance=1 dst-address=192.168.1.123/32 gateway=pptp-out1
add distance=1 dst-address=192.168.1.124/32 gateway=pptp-out1
/ip service
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set auth-method=password enabled=yes port=9555 version=5
/ip socks users
add name=xxxx password=xxxx
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add disabled=yes name=xxxxx password=xxxx profile=VPN-access service=pptp
add name=xxxxx password=xxxxxxx profile=VPN-access service=pptp
add name=xxxxxx password=xxxxxxx profile=profile1 remote-address=10.1.1.2 \
    service=pptp
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1-gateway upstream=yes
add alternative-subnets=192.168.1.0/24 interface=bridge-local
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=Home_Mikrotik
/system logging
add disabled=yes topics=pptp
/system ntp client
set enabled=yes primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=xxx.xxx.xxx.xxx
/system scheduler
add interval=1d name="Daily Reboot" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    apr/20/2015 start-time=05:30:00
add interval=10m name="DNS Update" on-event=DNSUpdate start-date=jul/02/2015 \
    start-time=08:33:41
/system script
add dont-require-permissions=no name=DNSUpdate owner=admin source=\
    "/ip cloud force-update"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel

tag pair

Hi,
I changed the firewall filter rules, and while I still don’t like them much, the ikev2 now should work.
They appear to be based on a very old routeros version.

The ipsec policy rules have to go above the fasttrack rule. (They seem to work below it when pinging things,
but fail when actually trying to make connections)

You should reenable the input drop from !mactel rule…

@anav is good at holistic views of firewalls/routers.

/ip firewall filter
add action=accept chain=input comment="allow established/related" connection-state=established,related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="allow IPsec NAT & IKE" dst-port=500,1701,4500 port="" protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="allow pptp" in-interface-list=WAN protocol=gre
add action=accept chain=input comment="IPTV: accept IGMP" protocol=igmp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input disabled=yes in-interface-list=!mactel
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="allow established/related" connection-state=\
    established,related
add action=accept chain=forward comment="default configuration allow established/related" connection-state=\
    established,related
add action=accept chain=forward comment="IPTV: accept UDP forward" protocol=udp
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1-gateway

impecable… it work. Thank you.
just for me to learn a little more… why “You should reenable the input drop from !mactel rule”, what is the objective of this rule?

Again thank you.

It will block people/devices on the internet from attempting to login to your router.
(Or using other services your router may provide, that you haven’t provided a rule to allow)

The default on a Mikrotik is to allow (input, and also forwarding), you should normally block access you don’t specifically want.

Thank you!

Merry Christmans!