IPSec/L2TP and Network Resources

Hi, I configured a Mikrotik with IPSec/L2TP successfully, but I can't access shared folders (Windows SMB), can't configure UAPs (with the UniFi Controller) and can't access the Mikrotik by MAC address ("CDP" isn't working over the VPN).

I can access network devices by HTTP/HTTPS and ping them.

I used this tutorial: https://www.youtube.com/watch?v=oeSgOurbkr8

Local Network: 192.168.1.0/24 (192.168.1.1 = Mikrotik)
VPN pool: 172.16.0.1-172.16.0.5

/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.99
add name=vpn_pool1 ranges=172.16.0.1-172.16.0.5
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 name=dhcp1
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.1.1 name=profile1 remote-address=vpn_pool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery settings
set default-for-dynamic=yes
/interface l2tp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.1.3 comment="Antena 2" mac-address=44:D9:E7:02:D0:B0 server=dhcp1
add address=192.168.1.2 comment="Antena 1" mac-address=44:D9:E7:02:D1:31 server=dhcp1
add address=192.168.1.246 mac-address=A8:20:66:1A:65:95 server=dhcp1
add address=192.168.1.251 mac-address=D8:5D:E2:CD:7B:A9 server=dhcp1
add address=192.168.1.253 mac-address=48:BA:4E:51:59:DA server=dhcp1
add address=192.168.1.252 always-broadcast=yes mac-address=AC:1F:74:73:77:B2 server=dhcp1
add address=192.168.1.254 always-broadcast=yes mac-address=1C:65:9D:8F:71:04 server=dhcp1
add address=192.168.1.14 mac-address=1C:39:47:B8:EA:A8 server=dhcp1
add address=192.168.1.12 mac-address=F0:76:1C:B1:D7:DF server=dhcp1
add address=192.168.1.249 mac-address=60:67:20:C7:5A:D4 server=dhcp1
add address=192.168.1.250 always-broadcast=yes mac-address=D4:6A:6A:34:05:D5 server=dhcp1
add address=192.168.1.13 mac-address=D0:53:49:74:A8:5E server=dhcp1
add address=192.168.1.248 always-broadcast=yes mac-address=10:7B:44:27:21:A0 server=dhcp1
add address=192.168.1.247 mac-address=B8:44:D9:B7:B0:56 server=dhcp1
add address=192.168.1.245 mac-address=B8:09:8A:C8:B0:A5 server=dhcp1
add address=192.168.1.244 always-broadcast=yes mac-address=F8:59:71:88:02:E3 server=dhcp1
add address=192.168.1.11 mac-address=A4:17:31:64:0D:D8 server=dhcp1
add address=192.168.1.17 client-id=1:28:92:4a:34:4f:47 comment="Servidor NAS" mac-address=28:92:4A:34:4F:47 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.3-192.168.1.243 list=LIST
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.108
add action=dst-nat chain=dstnat dst-port=8291 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.1
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 exchange-mode=main-l2tp generate-policy=port-override secret=XXXXXXXXXXXXXXXXX
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.1.1 name=namenamename password=passwordpasswordpassword profile=profile1 service=l2tp
/system clock
set time-zone-name=America/Santiago
/system ntp client
set enabled=yes primary-ntp=200.54.149.19 secondary-ntp=200.1.19.4

To connect to the VPN I use Windows 10 integrated VPN client.

Regards.

It's like layer 2 communication isn't possible.

I don't know why.

Regards.

IPsec is a layer 3 protocol. It does not forward broadcast packets, only IP packets.

The L2TP name is confusing. L2TP does support a bridging (L2) mode, but it is just one of the possible modes, and the Windows native VPN client does not support it.

The fact that L2TP is secured using IPsec has nothing to do with that, as even without IPsec, L2TP tunnels everything via UDP over L3.

It already seemed suspicious to me. Is there some type of VPN that allows me to do what I need using Windows as a client?

Thanks and regards.

You may be referring to IPsec over L2TP, not L2TP over IPsec.

The only VPN I know whose Windows client supports L2 tunnelling is OpenVPN. Its Mikrotik implementation is, however, far from optimal. But you may also consider a small Mikrotik next to the PC which would establish an L2 tunnel using L2TP (over IPsec) in bridge mode, or EoIP over IPsec.

Ok, thanks for all.

Regards.

I thought there was a trick for this.

If the server IP of L2TP/IPsec is the IP of your ether2, and the ether2 ARP mode is proxy-arp, then would it work? I haven't tested this myself.

If broadcasts won't work, SMB will still work if you use an IP, WINS or DNS.

These are different things. ARP proxy functionality allows the router to respond with its own MAC address to ARP requests for IPs outside the requestor's subnet, so the requestor then sends the packets to the router and the router forwards them to the actual destination at L3, but this is not the same as L2 forwarding. The OP requires full L2 transparency.

In fact, I tried it previously and it didn't work for me.

I will try to configure it with OpenVPN.

Regards.

OpenVPN support in RouterOS is very poor, because the OpenVPN implementation in RouterOS uses TCP transport, which leads to a huge performance loss. I suggest trying L2TP only.

And can I have L2TP and OpenVPN?

Won't I have problems?

Regards.

Ok, I configured OpenVPN, and I can see the network over HTTP and ping, but again I can't see the network resources, UAP access points, and Mikrotik neighbors.

/ip pool
add name=OpenVPN ranges=10.0.0.2-10.0.0.10
/ip neighbor discovery settings
set default-for-dynamic=yes
/interface ovpn-server server
set auth=sha1 certificate=SERVER-OVPN cipher=aes256 enabled=yes require-client-certificate=yes
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=OpenVPN only-one=no remote-address=OpenVPN use-encryption=yes
/ppp secret
add name=XXXXXX password=XXXXXX profile=OpenVPN service=ovpn

Certificates:

https://prnt.sc/jwyhx0

OVPN file:

client
dev tun
proto tcp-client
remote XXXX
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_CA-OVPN.crt
cert cert_export_CLIENT-OVPN.crt
key cert_export_CLIENT-OVPN.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
;redirect-gateway def1
route 10.0.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0

Regards.

Hi!

To have IPSec/L2TP working at layer 2 level, you should have the VPN address pool in the same broadcast domain as your LAN. Example:
LAN: 192.168.1.0/24
VPN Pool: 192.168.1.10-192.168.1.20

Then in the PPP profile you should configure the Mikrotik's own address (e.g. 192.168.1.1) as the termination address, and configure proxy-arp on the interface (bridge or ethernet) where the Mikrotik is connected to the LAN.

Regards!

Unfortunately, proxy-arp and L2 tunnel are not the same. Proxy-arp means that the router responds with its own MAC address to ARP requests for IP addresses in one of its subnets, not that it forwards L2 frames with broadcast dst-mac-address to these subnets.

To use an actual L2 bridging functionality of L2TP, you need to indicate a local bridge in the profile to which the /interface l2tp-client (on client side) and /interface l2tp-server server or /ppp secret (on server side) refer.
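The bridge-mode setup described above, written out as an added RouterOS example (not the thread author's configuration). It assumes a second Mikrotik at the remote site, the server-side bridge1 and vpn_pool1 from the OP's export, and placeholder names, secrets and the SERVER-PUBLIC-IP value, all of which need to be replaced.

```routeros
# ---- Server side (the LAN Mikrotik from the thread) ----
# Assumption: a dedicated profile whose bridge= parameter makes RouterOS
# add each L2TP session to bridge1 via BCP, so the remote site sees the
# 192.168.1.0/24 broadcast domain (ARP, SMB/NetBIOS, neighbor discovery).
/ppp profile
add name=l2tp-bridge bridge=bridge1 local-address=192.168.1.1 \
    remote-address=vpn_pool1 use-encryption=yes
/ppp secret
add name=remote-site password=CHANGE-ME-PPP profile=l2tp-bridge service=l2tp
/interface l2tp-server server
set enabled=yes default-profile=l2tp-bridge use-ipsec=required \
    ipsec-secret=CHANGE-ME-IPSEC

# ---- Client side (small Mikrotik next to the PC) ----
# The PC plugs into ether2; the L2TP link is bridged with it, so the PC
# gets its address from the LAN DHCP server through the tunnel.
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
/ppp profile
add name=l2tp-bridge bridge=bridge-lan
/interface l2tp-client
add name=l2tp-out1 connect-to=SERVER-PUBLIC-IP user=remote-site \
    password=CHANGE-ME-PPP profile=l2tp-bridge use-ipsec=yes \
    ipsec-secret=CHANGE-ME-IPSEC disabled=no
```

Once the tunnel is up, the remote PC should receive a 192.168.1.x lease from dhcp1; a Windows 10 client connecting directly still cannot use this mode, which is why the second router is needed.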

I tried that too, but it doesn't work for me. For this reason I tried to configure OVPN to see if it works, but anyway I have the same results. :frowning:

Regards.

For OpenVPN, you need to use the TAP mode to have L2 bridging support. So in the ovpn file on the client, replace dev tun with dev tap, and on the Mikrotik, set the bridge in the profile the way I've described above for L2TP.

Now I can't connect.

I did something wrong.

Regards.

Just to make sure we’re hitting all the right points. The video covers a remote access VPN and your requirements that are not working are:

SMB based file access
MAC based access to a MikroTik
UniFi AP registration with a controller

The UniFi AP item is what's throwing me for a loop. Do you really need to connect 2 locations together with a (site-to-site) VPN? Both?

Note: If you are trying to adopt a UniFi AP remotely it uses a couple of methods similar to how Cisco discovers controllers. You can add a DNS record, use a DHCP option (43) or locally set the controller IP via SSH.

https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers
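The DHCP option 43 and DNS adoption methods mentioned above, as an added RouterOS example for the OP's setup (not from the thread or the Ubiquiti article). It assumes the controller runs on the VPN client PC and that its VPN address is pinned to 172.16.0.1 via the PPP secret; both values are assumptions and the encoded option must be recomputed if the controller address differs.

```routeros
# Assumption: pin the controller PC's L2TP address so the APs always
# reach the same controller IP (172.16.0.1 is inside vpn_pool1).
/ppp secret
set [ find name=namenamename ] remote-address=172.16.0.1

# Option 43 for UniFi: sub-option 0x01, length 0x04, then the IPv4
# address in hex. 172.16.0.1 -> AC 10 00 01, so value = 0x0104AC100001.
# The APs then "inform" the controller at L3, which works over the
# existing L2TP/IPsec tunnel without any L2 transparency.
/ip dhcp-server option
add code=43 name=unifi-controller value=0x0104AC100001
/ip dhcp-server network
set [ find address=192.168.1.0/24 ] dhcp-option=unifi-controller \
    dns-server=192.168.1.1

# Alternative: DNS record "unifi" resolved by the Mikrotik. This only
# helps if the APs use the Mikrotik as their resolver (dns-server above)
# and the router answers LAN queries.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=unifi address=172.16.0.1
```

Either method makes the APs appear in the controller for adoption; SMB browsing and MAC-based Winbox access still need the L2 bridge discussed earlier, since they rely on broadcast frames.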