Hi!
I have created an IPsec tunnel between a headquarters and several branches.
I also created an L2TP server + IPsec for people who work remotely.
Everything is working fine until the MikroTik router gets rebooted.
What happens is that a new identity and a new peer are created under IPsec, dynamic ones, with the names of l2tp-server.
The issue is that they take by default the proposal and the profile of the site-to-site IPsec tunnel between the headquarters and the other locations; they don’t take the proposal I made specifically for the remote access.
This is indeed very important because the IPsec tunnel uses sha512 and aes-256, which is not supported by the remote VPN.
So my L2TP becomes broken and I need to log in and manually delete that peer and identity that are created by default and use the ones that I’ve created, which use sha1 and other configurations which are required for my needs.
And then it works fine again, but it’s a pain to do that every time the power goes off or whatever.
I also cannot edit the peer and identity that are created automatically; it doesn’t let me. Thus, I must delete them and use the ones I’ve created.
You would untick the use-ipsec option in the L2TP server settings and create the IPsec configuration manually. You have already defined the profile and proposal; all that is left is a policy template, a peer and an identity.
I cannot ping from the remote laptop to the stores.
The L2TP connection is to the head office location where the server is; the stores are connected to the server using IPsec.
I can ping from the devices on the head office to the stores and vice versa, and I can ping from the remote PCs to the devices on the server, but I cannot ping the devices of the stores from the remote PCs.
I think I have something wrong with the routes or the firewall, but I cannot figure out what.
Or maybe it is not possible at all.
I’m thinking of a nifty trick which hypothetically should work, but practically I’m not so sure. However, you would need to shift the L2TP pool range to somewhere after the .151 address. To the PPP profile you would add an address list name and then use it in the following NAT rule:
If you create the properly set and linked peer, identity, policy template group, and policy template items manually, you do not need to set use-ipsec=yes in the L2TP server settings; the behavior of the manually created items will be the same as that of the dynamically created ones, i.e. the L2TP transport packets will be IPsec-encrypted and encapsulated. You can even increase the security a bit by adding a static /ip ipsec policy item that says src-address=publicIP-headoffice/32 dst-address=0.0.0.0/0 protocol=udp src-port=1701 action=discard as the very last one in the list; this will prevent any L2TP transport packet from slipping in or out without encryption should the IPsec session fail for any reason. MikroTik has implemented some measures protecting the admins from their own stupidity, so the src-address in that “killswitch” policy cannot be 0.0.0.0/0 as well, but that doesn’t matter in your case where the WAN address is static.
What puzzles me most is why, if the IPsec setup for L2TP is created dynamically, a power outage causes an issue. I am aware of such issues when there are more complex setups where some NAT mapping created by the “old” connection keeps being updated by one peer whereas the other one starts knocking from behind another public address.
And as others have already mentioned, your current firewall is a joke: the default handling in the RouterOS firewall is “accept”, so if a packet doesn’t match any rule, it is accepted. A combination of a PoS terminal and a leaky firewall is a direct threat to your cash flow. The fact that you did set up some rules makes me fear that the WAN is directly connected to the internet uplink, so you should have a look at what the default firewall rules look like (use /system default-configuration script print and look for the /ip firewall filter part inside) and use that as an inspiration to make your firewall more useful; actually, the right thing to do would be to export the configuration, netinstall the device, recreate the configuration by copying the contents of the export row by row or at least section by section, with a proper firewall that only lets in what you explicitly allow and drops the rest, and only then connect the device back to the internet.
The firewall already is a joke, no matter what you do regarding the IPsec and L2TP. So you should concentrate on fixing that first. While the devices on the LAN side are partially protected by the fact that they are running on private addresses and so cannot be attacked directly from the internet, the fact that the router itself is not protected enough wipes out that advantage. Even if the ssh and api ports are actually protected (which is not clear from your obfuscation: does xx indeed mean the same port number everywhere?), winbox seems to be open to the world. So if some malware has managed to squat on the router already, it may have become a gateway to your LAN devices, so some other malware may already reside on them.
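As an added example (not configuration posted by anyone in this thread), here is what the manual replacement for the dynamic l2tp-server peer/identity described above looks like in RouterOS v7 syntax, including the "killswitch" discard policy. Everything specific is assumed: the head-office public address 203.0.113.10, the object name l2tp-ra, the pre-shared-key placeholder, and the weaker SHA1-based suite the OP says the remote clients require. The site-to-site profile and proposal are not touched.

```routeros
# Added example: manual IPsec objects for the L2TP road-warrior service.
# With these in place the L2TP server runs with use-ipsec=no, so a reboot
# no longer generates a dynamic peer that inherits the site-to-site profile.
# Assumed: 203.0.113.10 = head-office WAN address, names "l2tp-ra", PSK placeholder.

# Phase 1 settings for the remote users only (SHA1 as the OP's clients need).
/ip ipsec profile
add name=l2tp-ra hash-algorithm=sha1 enc-algorithm=aes-256,aes-128,3des \
    dh-group=modp2048,modp1024 nat-traversal=yes

# Phase 2 settings; transport mode is negotiated by the L2TP client itself.
/ip ipsec proposal
add name=l2tp-ra auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none

# Own template group, so road-warrior templates never mix with the
# site-to-site ones.
/ip ipsec policy group
add name=l2tp-ra

# Passive catch-all peer: remote users come from changing addresses.
# The static /32 site-to-site peers stay as they are and are more specific.
/ip ipsec peer
add name=l2tp-ra address=0.0.0.0/0 exchange-mode=main passive=yes \
    profile=l2tp-ra

# PSK identity bound to that peer; generate-policy=port-strict creates a
# transport policy per connected client from the template in group l2tp-ra.
/ip ipsec identity
add peer=l2tp-ra auth-method=pre-shared-key secret="CHANGE-ME-PSK" \
    generate-policy=port-strict policy-template-group=l2tp-ra

/ip ipsec policy
# Template the per-client policies are generated from: local side is the
# head-office address, remote side anything, L2TP is UDP (ports come from
# the client's proposal because of port-strict).
add template=yes group=l2tp-ra src-address=203.0.113.10/32 \
    dst-address=0.0.0.0/0 protocol=udp proposal=l2tp-ra
# Killswitch from the post above, kept as the LAST policy: UDP/1701 from
# the head office that matches no (dynamic) IPsec policy is discarded
# instead of leaving the router in cleartext when an SA fails.
add src-address=203.0.113.10/32 dst-address=0.0.0.0/0 protocol=udp \
    src-port=1701 action=discard

# Finally, stop the L2TP server from creating its own IPsec objects.
/interface l2tp-server server
set enabled=yes use-ipsec=no
```

After a reboot, check that `/ip ipsec peer print` shows only your static peers (no dynamic `l2tp-server` entry), and that `/ip ipsec active-peers print` and `/ip ipsec policy print` show the per-client policies being generated under group l2tp-ra while the site-to-site policies keep their own proposal. If a client cannot connect, compare the client's proposal against the `l2tp-ra` profile and proposal first; the site-to-site objects are no longer in that path.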
Leaving aside that this set of forward rules would prevent the VPN clients from reaching the devices in the LAN, if the OP did exactly this, they would lose the IPsec and/or L2TP connection to the router: “additionally” means “after”, and rules are appended to the end of each chain unless you specify the desired position, so those four action=accept rules for L2TP and IPsec would come after the “drop everything that did not come from LAN” rule and thus never get hit. So you should provide additional information about their required position.
To make things even worse, there are also no permissive rules for management access via the VPN.
So @zezeme, do not copy-paste the rules suggested above blindly.
I have followed your previous suggestion about using the def conf, plus I saw a lot of videos on firewall settings from the guy who makes the Udemy courses I was watching about VPNs on MikroTik.
I searched a lot in other sources too.
So far I have this, which is a mix of the def config plus some stuff I saw.
Rules 1, 2 and 3 are there because I saw a clever way to only allow certain access to Winbox and SSH.
Plus I have changed all those ports.
And I disabled everything in services besides SSH and Winbox.
0 ;;; block hacker IPs (this is just some IPs that I noticed were trying to get access to my router; I know it isn't practical to add them one by one, but I was nervous)
chain=input action=drop src-address-list=blocked_ips log=no log-prefix=""
1 ;;; add IP to temporary list
chain=input action=add-src-to-address-list protocol=tcp address-list=Temporary address-list-timeout=10s dst-port=xxxxx log=no log-prefix=""
2 ;;; add IP to valid list
chain=input action=add-src-to-address-list protocol=tcp src-address-list=Temporary address-list=Valid address-list-timeout=1h dst-port=xxxxx log=no log-prefix=""
3 ;;; allow SSH and Winbox if it comes from Valid
chain=input action=accept protocol=tcp src-address-list=Valid dst-port=xxxxx,xxxxx log=no log-prefix=""
4 ;;; drop any other SSH and Winbox
chain=input action=drop protocol=tcp dst-port=xxxxx,xxxxx log=no log-prefix=""
5 ;;; allow IPsec from whitelist
chain=input action=accept protocol=udp src-address-list=IPSEC dst-port=xxxxx,xxxxx log=no log-prefix=""
6 ;;; block IPsec if not in whitelist
chain=input action=drop protocol=udp dst-port=xxxxx,xxxxx log=yes log-prefix=""
7 ;;; allow only 2 packets per second of ICMP after the first burst of 5
chain=input action=accept protocol=icmp limit=2,5:packet log=no log-prefix=""
8 ;;; drop any other ICMP
chain=input action=drop protocol=icmp log=no log-prefix=""
9 ;;; accept forward established, related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
10 ;;; accept input established, related
chain=input action=accept connection-state=established,related log=no log-prefix=""
11 ;;; drop forward invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
12 ;;; drop input invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
13 X ;;; defconf: drop all not coming from LAN (THIS IS DISABLED RIGHT NOW; I just saw it was in the def conf but didn't want it turned on in case my VPN breaks)
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
14 chain=input action=log protocol=udp dst-port=xxxxx log-prefix="L2TP Attempt"
I’m still watching some videos, but so far I have this.
Sorry to disappoint, but your firewall is still a giant mess. You still don’t have sufficient forward rules to block malicious traffic. I don’t see how rules 1, 2 and 3 “whitelist” certain IPs, and you still haven’t allowed proper access for the VPN to work (I don’t know how it hasn’t broken yet). Better use the default firewall rules (or this version modified for your needs) as a base and start upgrading from there:
Thank you, I’ll do that.
Rules 1, 2 and 3 are in fact port knocking.
Because you have to access one port in order to be put in a temporary list for 10 s; then, if you access another port, it puts you in a valid list for 1 h; and then, if you access the Winbox or SSH port, you can enter.
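The following is an added example, not a ruleset anyone in this thread posted. It takes the default-configuration shape the replies recommend, keeps the OP's port-knocking idea, and places the VPN accept rules before the final input drop, which is the ordering point made earlier in the thread. All specifics are assumed: ether1 as WAN, bridge as LAN, Winbox 8291 and SSH 22, knock ports 1111 and 2222, the address-list name IPSEC for the store WAN addresses, and 198.51.100.20 as a constructed store address. RouterOS v7 syntax, written for a router whose filter table is empty.

```routeros
# Added example: defconf-shaped firewall with port knocking and VPN accepts.
# Assumed: ether1 = WAN, bridge = LAN, Winbox 8291, SSH 22, knock ports 1111/2222,
# store WAN addresses in list "IPSEC" (198.51.100.20 is a constructed sample).

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall address-list
add list=IPSEC address=198.51.100.20 comment="store-1 WAN (constructed sample)"

/ip firewall filter
# ---- input chain: packets addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=drop src-address-list=blocked_ips comment="manual blocklist"
add chain=input action=accept protocol=icmp limit=2,5:packet comment="rate-limited ICMP"
add chain=input action=drop protocol=icmp comment="drop ICMP above the limit"

# Port knocking (the OP's rules 1-3), only honoured on the WAN side.
# add-src-to-address-list does not terminate, so the knock packets fall
# through to the final drop, which is what we want.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=1111 \
    in-interface-list=WAN address-list=Temporary address-list-timeout=10s \
    comment="knock 1: 10 s window"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=2222 \
    in-interface-list=WAN src-address-list=Temporary address-list=Valid \
    address-list-timeout=1h comment="knock 2: 1 h of management access"
add chain=input action=accept protocol=tcp dst-port=8291,22 \
    src-address-list=Valid in-interface-list=WAN \
    comment="Winbox/SSH after a valid knock"

# VPN transport, placed BEFORE the final drop. IKE has to be open to any
# source because the remote users have dynamic addresses; an address-list
# restriction can only be applied to the stores' static addresses.
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="ESP"
# L2TP is accepted only when it arrived inside IPsec; cleartext UDP/1701 never is.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec"

# Management from the LAN and from connected VPN users (all-ppp matches
# every PPP/L2TP tunnel interface), then drop the rest.
add chain=input action=accept in-interface-list=LAN comment="LAN to router"
add chain=input action=accept in-interface=all-ppp comment="VPN users to router"
add chain=input action=drop comment="drop everything else to the router"

# ---- forward chain: packets passing through the router ----
# Decrypted site-to-site traffic enters on the WAN interface as a new
# connection, so it must be accepted by policy match before the WAN drop.
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="defconf: accept out ipsec policy"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
```

To check the knock sequence, send a TCP SYN to 1111 and then 2222 from outside and confirm with `/ip firewall address-list print where list=Valid` that your address appears before trying Winbox; `/ip firewall filter print stats` shows which rule each packet hit. The forward chain above lets LAN and VPN clients reach the stores only where an IPsec policy matches their traffic, so remote-user traffic to the stores still needs the L2TP pool covered by the site-to-site policies (or translated into the head-office LAN range, as suggested earlier in the thread); the firewall alone does not create that path.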