How to fix forward WAN to local LAN with load balance + VPN

my diagram
Untitled.png

Since you don’t identify what the problem actually is, nor any troubleshooting steps taken… I don’t think anyone can help.

You need to take the time and provide a detailed breakdown of what the problem is.

Sorry.
The problem is in the VPN. I use L2TP/IPsec. Head office cannot ping the branch office,
but the branch office can ping head office.

Okay, what are the private IP addresses that are used on each side?

What do your routes look like on each side of the VPN?

Head office ip : 192.168.88.0/24
ip vpn l2tp/ipsec : 9.9.9.9

branch office ip : 192.168.99.0/23
ip vpn l2tp/ipsec : 9.9.9.10


this script

/interface l2tp-client
add connect-to=xx.xx.xx.xx disabled=no ipsec-secret="\E5/-\C0\B6\D8" max-mru=1460 max-mtu=1460 name=xxxx password=xxxxxx use-ipsec=yes user=xxxxxx


/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des


/ip address
add address=192.168.99.1/24 interface=ether5 network=192.168.99.0


/ip firewall mangle
add chain=prerouting in-interface=ether1
add chain=prerouting in-interface=ether2

add action=mark-connection chain=input comment="" in-interface=ether1 new-connection-mark=PORT1_conn
add action=mark-connection chain=input in-interface=ether2 new-connection-mark=PORT2_conn
add action=mark-routing chain=output connection-mark=PORT1_conn new-routing-mark=to_PORT1
add action=mark-routing chain=output connection-mark=PORT2_conn new-routing-mark=to_PORT2
add chain=prerouting dst-address=61.91.54.29 in-interface=ether5
add chain=prerouting dst-address=192.168.1.0/24 in-interface=ether5
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5 new-connection-mark=PORT1_conn per-connection-classifier=both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5 new-connection-mark=PORT1_conn per-connection-classifier=both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5 new-connection-mark=PORT1_conn per-connection-classifier=both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5 new-connection-mark=PORT2_conn per-connection-classifier=both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether5 new-connection-mark=PORT2_conn per-connection-classifier=both-addresses-and-ports:5/4

add action=mark-routing chain=prerouting connection-mark=PORT1_conn in-interface=ether5 new-routing-mark=to_PORT1
add action=mark-routing chain=prerouting connection-mark=PORT2_conn in-interface=ether5 new-routing-mark=to_PORT2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

/ip ipsec peer
add address=9.9.9.9/32 comment=Bangkok enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no secret=123456


/ip ipsec policy
set 0 disabled=yes
add comment="Connect Bangkok" dst-address=192.168.88.0/24 sa-dst-address=9.9.9.9 sa-src-address=9.9.9.10 src-address=192.168.99.0/24 tunnel=yes

/ip route

add check-gateway=ping distance=1 gateway=61.xx.xx.xx routing-mark=to_PORT1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_PORT2
add check-gateway=ping distance=1 gateway=61.xx.xx.xx,192.168.1.1
add check-gateway=ping distance=1 dst-address=192.168.88.0/24 gateway=9.9.9.9