I can establish an IPsec connection to my VPN provider.
/ip ipsec remote-peers> print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 N established l2tpipsecsrv1ipaddress 192.168.10.21 7m12s
and
/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 pppoe-out1 1
1 ADC 58.32.32.1/32 58.32.33.223 pppoe-out1 0
2 ADC 192.168.10.0/24 192.168.10.21 pppoe-out1 0
3 ADC 192.168.100.0/24 192.168.100.1 bridge1 0
Since IPsec doesn't create an interface, what can I do to achieve results like pure L2TP can?
Your interface is l2tp-out, and you can do anything with it that you can do with another dynamic interface.
The fact that IPsec is underneath it does not matter. To the inside it is L2TP.
Of course you should not set the default route to such a connection, or at least you should make some other arrangements for your local-to-internet traffic.
@pe1chl
Please understand I'm not talking about "/interface L2TP client"; it's not working when I check "use IPsec". L2TP (without IPsec) is not stable, it usually drops the connection every hour in my place.
Try to remove those lifetime=1h declarations from your IPsec configuration.
Sometimes there is confusion when negotiating parameters like this with the remote.
(i.e. locally you force the lifetime to 1h, remote has an 8h lifetime and does not understand this, so
connection is dead after 1h)
1. I set 1 hr because I know exactly that the server side had the same 1 hr set.
2. Do not mess with the L2TP-out1 interface stuff; it's the IPsec peer setting, please read my config again.
Thanks for your reply.
Let me jump in here and see if I can help. First, are you able to connect using IPsec? If not, then please do the following:
Turn on logging: /system logging add topics=ipsec,!packet
Start a log capture file: /log print follow-only file=IPsec.txt where topics~"ipsec"
Try to connect for about 20 seconds.
Then CTRL-C to end the logging capture. Then post the output of the IPsec.txt file here. You can hide IPs and usernames if you need to.
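Once the capture exists, the lines still have to be read. This added Python script (not from the thread, not MikroTik's code) classifies a constructed sample of IPsec log lines whose wording imitates RouterOS's racoon-style messages (an assumption), redacts peer addresses as the post suggests, and measures how long each ISAKMP SA lived, which is the number to compare against the lifetime setting discussed above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a "/log print ... where topics~"ipsec"" capture. Message wording
# imitates RouterOS's racoon-style IPsec logging (assumed); addresses are documentation ranges.
SAMPLE_LOG = """\
jan/02 10:00:01 ipsec,info initiate new phase 1 (Identity Protection): 203.0.113.10[500]<=>198.51.100.7[500]
jan/02 10:00:02 ipsec,info ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[4500] spi:0a1b2c3d:4e5f6071
jan/02 10:00:03 ipsec,info IPsec-SA established: ESP/Transport 198.51.100.7[4500]->203.0.113.10[4500] spi=305419896(0x12345678)
jan/02 11:00:02 ipsec,info ISAKMP-SA expired 203.0.113.10[4500]-198.51.100.7[4500] spi:0a1b2c3d:4e5f6071
jan/02 11:00:03 ipsec,error phase1 negotiation failed due to time up. 203.0.113.10[500]<=>198.51.100.7[500]
jan/02 11:00:10 ipsec,error no suitable proposal found.
"""

LINE_RE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (ipsec\S*) (.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Keyword -> event class. Order matters: the first match wins.
CLASSES = [
    ("ISAKMP-SA established", "phase1_up"),
    ("IPsec-SA established", "phase2_up"),
    ("ISAKMP-SA expired", "phase1_expired"),
    ("phase1 negotiation failed", "phase1_failed"),
    ("no suitable proposal", "proposal_mismatch"),
]

def redact(text, table):
    """Replace each distinct IPv4 address with a stable placeholder (<peer1>, <peer2>, ...)."""
    return IPV4_RE.sub(lambda m: table.setdefault(m.group(0), f"<peer{len(table) + 1}>"), text)

def analyse(log_text):
    """Classify IPsec log lines, redact peers, and measure how long each ISAKMP-SA lived."""
    counts, table, events, sa_up, lifetimes = Counter(), {}, [], None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b/%d %H:%M:%S")  # year is irrelevant here
        msg = redact(m.group(3), table)
        cls = next((c for key, c in CLASSES if key in m.group(3)), "other")
        counts[cls] += 1
        events.append((ts.strftime("%H:%M:%S"), m.group(2), cls, msg))
        if cls == "phase1_up":
            sa_up = ts
        elif cls == "phase1_expired" and sa_up is not None:
            lifetimes.append(int((ts - sa_up).total_seconds()))  # seconds the SA survived
            sa_up = None
    return {"counts": dict(counts), "events": events, "isakmp_lifetimes_s": lifetimes}
```

Calling `analyse(open("IPsec.txt").read())` on a real capture gives the same report; an ISAKMP lifetime that lands exactly on the configured value points at expiry rather than a transport problem.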
Hi, @pcunite
I'd like to thank you for your reply first.
If you guys ever read my first post, you can see:
I can establish an IPsec connection to the VPN service provider and get a dynamic address (192.168.10.21) from the server:
/ip ipsec remote-peers> print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 N established l2tpipsecsrv1ipaddress 192.168.10.21
Along with a dynamic route created by IPsec:
/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 pppoe-out1 1
1 ADC 58.32.32.1/32 58.32.33.223 pppoe-out1 0
2 ADC 192.168.10.0/24 192.168.10.21 pppoe-out1 0 # this route is dynamically created after IPsec is enabled #
3 ADC 192.168.100.0/24 192.168.100.1 bridge1 0
Because there is no interface created by IPsec, I need instructions to make firewall rules to route traffic like I was able to do with my previous L2TP practice (L2TP is working now but keeps dropping randomly; IPsec seems stable for now, maybe the reason is that UDP port 1701 gets interfered with but not UDP 500 or 4500):
Okay, here is a full example. Read it slowly and see how I create an interface name, put it in the LAN interface list, and let the firewall allow that.
######################################
# Minimal settings for L2TP/IPSec VPN
######################################
# Server settings
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"
# Create an username tied to a specific interface
/interface l2tp-server
add name=L2TP1 user=uservpn
# User password
/ppp secret
add name=uservpn password="PasswordUser" service=l2tp
# Give them an IP address from the LAN pool
/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required
#Phase1 IPsec behaviour, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
# added automatically when l2tp-server server is enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1
#Phase2 IPsec Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256
# configure the rest of the router
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=bridge-LAN list=LAN
add interface=L2TP1 list=LAN
add interface=ether1 list=WAN
# add these to your firewall rules
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"
/interface
set bridge-LAN arp=proxy-arp
Hi, @pcunite
Thanks for your reply again.
But you are still missing my point: there is no such L2TP server stuff in my configuration. I'm talking about creating an L2TP client over IPsec to a VPN provider (which means I'm on the client side).
I’m doing this by: