Hello
I think I have set everything I should – I can connect to the L2TP/IPsec VPN from a local IP, but I can't connect from an external IP. It seems something is wrong with the firewall setup…
MikroTik RouterOS 6.36.4 (c) 1999-2016 http://www.mikrotik.com/
# Exported RouterOS 6.36.4 configuration (first post). All lines are RouterOS export syntax at
# column 0; the curly quotes (“”) in some lines are a forum rendering artifact — a real export
# and import use straight quotes.
/interface bridge
# One bridge carries all wired LAN ports and both WLANs (see /interface bridge port below).
# proxy-arp on it is what is meant to let L2TP clients (10.10.10.0/24) reach 192.168.1.0/24 hosts.
add arp=proxy-arp name=LAN protocol-mode=none
/interface ethernet
# MAC addresses redacted by the poster.
set [ find default-name=ether1 ] mac-address=xxxxxxxxxxxxxxxxx
set [ find default-name=ether2 ] mac-address=xxxxxxxxxxxxxxxx
set [ find default-name=ether3 ] mac-address=xxxxxxxxxxxxxxxx
set [ find default-name=ether4 ] mac-address=xxxxxxxxxxxxxxxx
set [ find default-name=ether5 ] mac-address=xxxxxxxxxxxxxxxx
/ip neighbor discovery
# ether1 is the WAN port (the DHCP client below sits on it); do not advertise the router there.
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=Mikrotik
# WPA/WPA2-PSK profiles for the main and the guest SSID; pre-shared keys redacted.
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=Mikrotik1 supplicant-identity=“” wpa-pre-shared-key=
xxxxxxxxx wpa2-pre-shared-key=xxxxxxxxxxxxxxxxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=“” wpa-pre-shared-key=
xxxxxxxxxxx wpa2-pre-shared-key=xxxxxxxxxxxxxxxx
/interface wireless
# wlan1: main AP (ssid RB951). wlan2: virtual AP on top of wlan1 for guests (ssid RB951-guest), WPS off.
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland disabled=no distance=indoors frequency=auto hw-retries=4
mac-address=xxxxxxxxxxxx mode=ap-bridge security-profile=Mikrotik1 ssid=RB951 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=xxxxxxxxxxxxx master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=guest ssid=
RB951-guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec proposal
# Phase-2 (ESP) proposal: AES-CBC only, no PFS. pfs-group=none means a compromised IKE key would
# also expose the child-SA traffic. NOTE(review): lifetime=0s — confirm what 6.36 does with a zero lifetime.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s pfs-group=none
/ip pool
# LAN DHCP pool, and the pool handed to L2TP clients (the router's own VPN-side address is 10.10.10.1, see /ppp profile).
add name=dhcp ranges=192.168.1.5-192.168.1.254
add name=L2TPVPN ranges=10.10.10.10-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN lease-time=1d name=dhcp1
/ppp profile
# Profile used by the L2TP server: Google DNS pushed to clients; use-encryption=required rejects
# unencrypted PPP sessions.
add dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.1 name=L2TP-VPN remote-address=L2TPVPN use-encryption=required
/queue simple
# Bandwidth cap for the guest WLAN (1M up / 10M down).
add max-limit=1M/10M name=queue1 target=wlan2
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=wlan1
add bridge=LAN interface=ether5
add bridge=LAN interface=wlan2
/interface l2tp-server server
# NOTE(review): mschap1 is still offered here; the later export in this thread keeps only mschap2.
set authentication=mschap1,mschap2 default-profile=L2TP-VPN enabled=yes keepalive-timeout=disabled
/ip address
# NOTE(review): the LAN address is bound to ether2 (a bridge port) rather than to bridge LAN itself —
# confirm this is intended.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip cloud
# MikroTik cloud DDNS is on.
set ddns-enabled=yes
/ip dhcp-client
# WAN address comes from the upstream DHCP server on ether1. The second entry has no interface —
# presumably a leftover; verify and remove if unused.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
add add-default-route=no dhcp-options=hostname,clientid use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# Static leases redacted by the poster.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# The router resolves DNS for LAN clients. allow-remote-requests=yes also answers queries arriving on
# ether1 unless the filter blocks them; /ip firewall filter below drops only UDP/53 from outside, not TCP/53.
set allow-remote-requests=yes cache-max-ttl=1d
/ip firewall filter
# Rules are evaluated top to bottom. NOTE(review): the input chain has no final catch-all drop, so any
# service not hit by an explicit drop below stays reachable from ether1 (the winbox drop on 8291 is disabled).
# Port-knock sequence: tcp/5678 -> tcp/4321 -> tcp/2345 (each step within 2m) puts the source on "Trusted" for 30m.
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=2m chain=input comment=PortKnock1 dst-port=5678 protocol=tcp
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=2m chain=input comment=PortKnock2 dst-port=4321 protocol=tcp src-address-list=KNOCK1
add action=add-src-to-address-list address-list=Trusted address-list-timeout=30m chain=input comment=“PortKnock3 >> Trust” dst-port=2345 protocol=tcp src-address-list=
KNOCK2
# Knocked sources get full access to the router's input chain.
add action=accept chain=input comment=“Allow Trusted IPs” src-address-list=Trusted
# src-address match only, with no in-interface: a packet arriving on ether1 with a forged 192.168.1.x source
# also matches. Adding in-interface=!ether1 (or in-interface=LAN) would tighten this.
add action=accept chain=input comment=“Allow Local IPs” src-address=192.168.1.0/24
add action=accept chain=input comment=“Allow 8.8.8.8” disabled=yes src-address=8.8.8.8
# Disabled: winbox (tcp/8291) is therefore not blocked from the Internet by this chain.
add action=drop chain=input comment=“Drop winbox from Internet” disabled=yes dst-port=8291 protocol=tcp
# No src-address here, so bandwidth-test (tcp/2000) is dropped from the LAN as well.
add action=drop chain=input comment=“Drop BTest from Internet” dst-port=2000 protocol=tcp
add action=drop chain=input comment=“Drop ICMP from Internet” disabled=yes protocol=icmp src-address=!192.168.1.0/24
add action=drop chain=input comment=“Drop telnet from Internet” dst-port=23 protocol=tcp src-address=!192.168.1.0/24
# Port-scan detection (psd=21,3s,3,1); matched sources are dropped by the next rule for two weeks.
# NOTE(review): this is TCP-only, so it cannot affect the UDP-based L2TP/IKE traffic by itself.
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“Detect Port-Scanners” protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Dropp Port-Scanners” src-address-list=“port scanners”
# Outside DNS queries on ether1 are recorded (DNS_Exploit list, 1d) and then dropped — UDP only; TCP/53 is not covered.
add action=add-src-to-address-list address-list=DNS_Exploit address-list-timeout=1d chain=input comment=“Log remote DNS request” dst-port=53 in-interface=ether1 protocol=
udp
add action=drop chain=input comment=“Drop remote DNS request” dst-port=53 protocol=udp src-address=!192.168.1.0/24
# SSH brute-force staging: new tcp/22 connections move a source stage1 (10m) -> stage2 (15m) -> blacklist.
# NOTE(review): address-list-timeout=0s on the blacklist — in RouterOS a zero timeout is presumably
# permanent; confirm for 6.36.
add action=drop chain=input comment=“Drop SSH BruteForce” dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input comment=“ssh-stage3 >> blacklist” connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment=ssh-stage2 connection-state=new dst-port=22 protocol=tcp
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=ssh-stage1 connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment=“Drop All From Blacklisted” src-address-list=ssh_blacklist
# forward chain: stateful allow of established/related, drop invalid. There is no catch-all drop here either.
add action=accept chain=forward comment=“allow established connections” connection-state=established
add action=accept chain=forward comment=“allow related connections” connection-state=related
add action=drop chain=forward comment=“drop invalid connections” connection-state=invalid
# Per-host Internet block ("Blokada internetu"), currently disabled.
add action=drop chain=forward comment=“Blokada internetu” disabled=yes src-address=192.168.1.10
add action=drop chain=forward comment=“Blokada internetu” disabled=yes src-address=192.168.1.15
# L2TP/IPsec acceptance on the WAN port: UDP/1701 is L2TP, UDP/500 IKE, UDP/4500 NAT-T (ESP in UDP);
# ipsec-ah / ipsec-esp accept native AH/ESP. These sit at the end of the chain — later in the thread the
# poster reports that moving the UDP accept rule to position 0 made external connections work.
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
/ip firewall nat
# NOTE(review): srcnat of "Trusted" (knocked) sources to the LAN address — the purpose is not clear
# from the export; confirm it is still needed.
add action=src-nat chain=srcnat comment=“AccessList NAT” src-address-list=Trusted to-addresses=192.168.1.1
# Port forwards: tcp/4524 -> 192.168.1.20 (Oscam), tcp/8132 -> 192.168.1.5 (ssh). Neither has an
# in-interface or dst-address match, so they apply to traffic arriving on any interface, not only ether1.
add action=dst-nat chain=dstnat comment=Oscam dst-port=4524 protocol=tcp to-addresses=192.168.1.20 to-ports=4524
add action=dst-nat chain=dstnat comment=ssh-terminal dst-port=8132 protocol=tcp to-addresses=192.168.1.5 to-ports=8132
# LAN out of ether1 is masqueraded. VPN client traffic (10.10.10.0/24) is masqueraded everywhere —
# no out-interface or dst-address restriction.
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=“NAT L2TP/IPSEC” src-address=10.10.10.0/24
/ip ipsec peer
# NOTE(review): the IKE pre-shared key is shown in clear text in this post; treat it as disclosed and change it.
# dh-group still offers modp1024 and enc-algorithm offers 3des — both weak by current standards; prefer
# modp2048 and AES only if the clients support it. generate-policy=port-override accepts whatever
# ports the client proposes; the later export tightens this to port-strict.
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override secret=itsasecret!
/ip service
# Only non-default settings are exported: telnet, ftp, api and api-ssl are off. Services not listed
# (ssh, winbox, www, …) presumably keep their defaults — check with /ip service print, since the input
# chain has no catch-all drop and the winbox drop rule is disabled.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# L2TP user credentials (redacted).
add name=xxxxxx password=xxxxxxx profile=L2TP-VPN service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=1501
/system package update
# Stay on the bugfix (long-term) release channel.
set channel=bugfix
/system routerboard settings
set init-delay=0s protected-routerboot=disabled
/tool bandwidth-server
# authenticate=no: anyone reaching tcp/2000 can run bandwidth tests. The filter drops tcp/2000 on input
# (for every source, LAN included), so the server is effectively unreachable while that rule stays.
set authenticate=no
/tool graphing
set store-every=hour
I have no idea what could be wrong; I have tried many combinations.
Thanks for any help…
It seems your internet connection is behind a NAT router.
You must have a direct internet connection.
That, or (at least) all ports should be forwarded on the other NAT device as well. Does it have to do NAT? Can it be in bridge mode? Can you make an overview of your network?
No, I have a public IP address and, for example, use remote SSH to the MikroTik without problems.
Can anybody help?
Kamaz
March 12, 2018, 1:02pm
Any records in the log while you are trying to connect?
Are the counters on your allow rules incrementing while you are connecting to L2TP?
Try disabling all port-scan and port-knocking protection, allow ping on the WAN interface, and then try to connect to your VPN again.
An example of rules permitting L2TP:
# Suggested accept rules for an L2TP/IPsec server: one rule for UDP/1701 (L2TP), UDP/500 (IKE) and
# UDP/4500 (NAT-T), one for native ESP. Neither has an in-interface match, so they accept from every
# interface; they have to sit above any drop rule that would otherwise match this traffic.
add action=accept chain=input comment="L2TP enable " dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="IPSec enable " protocol=ipsec-esp
Any records in the log while you are trying to connect?
Are the counters on your allow rules incrementing while you are connecting to L2TP?
Try disabling all port-scan and port-knocking protection, allow ping on the WAN interface, and then try to connect to your VPN again.
An example of rules permitting L2TP:
# (Quoted from the previous reply.) Accept L2TP/IKE/NAT-T over UDP and native ESP on the input chain;
# no in-interface match, so this applies to every interface.
add action=accept chain=input comment="L2TP enable " dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="IPSec enable " protocol=ipsec-esp
I am connected now, and the reason was the firewall: this rule should be at the first position (0): add action=accept chain=input comment="L2TP enable " dst-port=1701,500,4500 protocol=udp
Now I have another problem – proxy ARP is enabled on interface ether2, but I can't ping other devices in my network while I am connected over the remote VPN:
mar/12/2018 18:38:39 by RouterOS 6.36.4
software id = TD02-F7KB
# Second export (after the L2TP accept rule was moved to position 0). Same layout as the first export;
# the curly quotes (“”) are a forum rendering artifact.
/interface bridge
# proxy-arp on bridge LAN is meant to answer ARP for the L2TP clients (10.10.10.0/24) on the LAN side.
add arp=proxy-arp name=LAN protocol-mode=none
/interface ethernet
/ip neighbor discovery
# ether1 is the WAN port.
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=Mikrotik
# WPA/WPA2-PSK profiles; keys stripped/redacted.
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=Mikrotik1 supplicant-identity=“” wpa-pre-shared-key=
wpa2-pre-shared-key=
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=“” wpa-pre-shared-key=
xxxx wpa2-pre-shared-key=xxx
/interface wireless
# Main AP (wlan1, ssid RB951) and guest virtual AP (wlan2, ssid RB951-guest).
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland disabled=no distance=indoors frequency=auto hw-retries=4
mac-address=xxxxx mode=ap-bridge security-profile=Mikrotik1 ssid=RB951 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=xxxxx master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=guest ssid=
RB951-guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec proposal
# NOTE(review): 3des was added to the phase-2 proposal compared with the first export; it is weak by
# current standards and only needed for old clients. pfs-group=none still disables forward secrecy.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=0s pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.5-192.168.1.254
add name=L2TPVPN ranges=10.10.10.10-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN lease-time=1d name=dhcp1
/ppp profile
# Changes versus the first export: change-tcp-mss=yes (MSS clamping for the tunnel), no dns-server
# pushed, and use-encryption=yes — which allows but no longer requires MPPE (the first export had required).
add change-tcp-mss=yes local-address=10.10.10.1 name=L2TP-VPN remote-address=L2TPVPN use-encryption=yes
/queue simple
add max-limit=1M/10M name=queue1 target=wlan2
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=wlan1
add bridge=LAN interface=ether5
add bridge=LAN interface=wlan2
/interface l2tp-server server
# mschap1 removed; only mschap2 is offered now.
set authentication=mschap2 default-profile=L2TP-VPN enabled=yes keepalive-timeout=disabled
/ip address
# NOTE(review): LAN address still bound to ether2 (a bridge port) rather than bridge LAN — confirm intended.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# WAN address from upstream DHCP on ether1; the second, interface-less entry is presumably a leftover.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
add add-default-route=no dhcp-options=hostname,clientid use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# Router resolves for LAN clients; answers from ether1 are only stopped by the UDP/53 drop in the filter.
set allow-remote-requests=yes cache-max-ttl=1d
/ip firewall filter
# The L2TP/IKE/NAT-T accept rule is now first (the fix reported earlier in the thread). It is limited
# to ether1, so the same traffic from the LAN is handled by the "Allow Local IPs" rule below.
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
# Port-knock sequence tcp/5678 -> tcp/4321 -> tcp/2345 puts the source on "Trusted" for 30m.
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=2m chain=input comment=PortKnock1 dst-port=5678 protocol=tcp
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=2m chain=input comment=PortKnock2 dst-port=4321 protocol=tcp src-address-list=KNOCK1
add action=add-src-to-address-list address-list=Trusted address-list-timeout=30m chain=input comment=“PortKnock3 >> Trust” dst-port=2345 protocol=tcp src-address-list=
KNOCK2
add action=accept chain=input comment=“Allow Trusted IPs” src-address-list=Trusted
# src-address only, no in-interface: a forged 192.168.1.x source arriving on ether1 also matches here.
add action=accept chain=input comment=“Allow Local IPs” src-address=192.168.1.0/24
add action=accept chain=input comment=“Allow 8.8.8.8” disabled=yes src-address=8.8.8.8
# Still disabled: winbox (tcp/8291) is not blocked from the Internet, and the chain has no catch-all drop.
add action=drop chain=input comment=“Drop winbox from Internet” disabled=yes dst-port=8291 protocol=tcp
add action=drop chain=input comment=“Drop BTest from Internet” dst-port=2000 protocol=tcp
add action=drop chain=input comment=“Drop ICMP from Internet” disabled=yes protocol=icmp src-address=!192.168.1.0/24
add action=drop chain=input comment=“Drop telnet from Internet” dst-port=23 protocol=tcp src-address=!192.168.1.0/24
# TCP port-scan detection with a two-week block.
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“Detect Port-Scanners” protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Dropp Port-Scanners” src-address-list=“port scanners”
# Outside DNS on ether1 is listed and dropped — UDP/53 only.
add action=add-src-to-address-list address-list=DNS_Exploit address-list-timeout=1d chain=input comment=“Log remote DNS request” dst-port=53 in-interface=ether1 protocol=
udp
add action=drop chain=input comment=“Drop remote DNS request” dst-port=53 protocol=udp src-address=!192.168.1.0/24
# SSH brute-force staging (tcp/22). The ssh service itself is disabled in /ip service in this export,
# so these rules now mostly guard against reconnaissance; the forwarded ssh on tcp/8132 is not covered.
add action=drop chain=input comment=“Drop SSH BruteForce” dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input comment=“ssh-stage3 >> blacklist” connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment=ssh-stage2 connection-state=new dst-port=22 protocol=tcp
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=ssh-stage1 connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment=“Drop All From Blacklisted” src-address-list=ssh_blacklist
# forward chain: stateful allow, drop invalid, optional per-host blocks (disabled).
add action=accept chain=forward comment=“allow established connections” connection-state=established
add action=accept chain=forward comment=“allow related connections” connection-state=related
add action=drop chain=forward comment=“drop invalid connections” connection-state=invalid
add action=drop chain=forward comment=“Blokada internetu” disabled=yes src-address=192.168.1.10
add action=drop chain=forward comment=“Blokada internetu” disabled=yes src-address=192.168.1.15
# NOTE(review): native AH/ESP acceptance is now disabled, so IPsec only works over NAT-T (UDP/4500,
# accepted by the first rule). A client that negotiates plain ESP (no NAT on its path) may fail —
# re-enable the ipsec-esp rule if such clients cannot connect.
add action=accept chain=input disabled=yes in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input disabled=yes in-interface=ether1 protocol=ipsec-esp
/ip firewall nat
# NOTE(review): srcnat of knocked "Trusted" sources to the LAN address — purpose not clear; confirm it is needed.
add action=src-nat chain=srcnat comment=“AccessList NAT” src-address-list=Trusted to-addresses=192.168.1.1
# Port forwards without an in-interface match, so they apply to any ingress interface.
add action=dst-nat chain=dstnat comment=Oscam dst-port=4524 protocol=tcp to-addresses=192.168.1.20 to-ports=4524
add action=dst-nat chain=dstnat comment=ssh-terminal dst-port=8132 protocol=tcp to-addresses=192.168.1.5 to-ports=8132
# LAN masquerade out of ether1; VPN clients (10.10.10.0/24) masqueraded toward every destination.
# The last post in the thread moves the VPN rule to the top and limits it to dst-address=192.168.1.0/24.
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=“NAT L2TP/IPSEC” src-address=10.10.10.0/24
/ip ipsec peer
# Changes versus the first export: passive=yes (router only responds to IKE), generate-policy=port-strict
# (uses the ports the peer proposes instead of any port), explicit dh-group dropped (defaults apply —
# verify which groups 6.36 uses), secret redacted. 3des is still offered.
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret=xxxxx
/ip service
# ssh is now disabled in addition to telnet, ftp, api and api-ssl. www and winbox are not listed, so
# they presumably keep their defaults (enabled) — check with /ip service print.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# L2TP user credentials (redacted).
add name=xxx password=xxxx profile=L2TP-VPN service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=1501
/system logging
# ipsec and l2tp logging added — this is what answers the "any records in the log?" question above.
add topics=ipsec
add topics=l2tp
/system package update
set channel=bugfix
/system routerboard settings
set init-delay=0s protected-routerboot=disabled
/tool bandwidth-server
# authenticate=no; tcp/2000 is dropped on input by the filter, for every source.
set authenticate=no
/tool graphing
set store-every=hour
FINALLY I FIXED THIS PROBLEM:
When I move the VPN masquerade rule from position 4 to position 0, I can see the other local machines:
/ip firewall nat
# VPN -> LAN masquerade, now first and limited to dst-address=192.168.1.0/24: LAN hosts see VPN
# traffic as coming from the router's LAN address, so they need no route back to 10.10.10.0/24.
# Ordering relative to the ether1 masquerade below does not matter for the LAN: this rule matches
# src 10.10.10.0/24 only and that one src 192.168.1.0/24 only, so no packet can match both.
# What did change versus the old rule (which had no dst-address): VPN client traffic to destinations
# outside 192.168.1.0/24 is no longer masqueraded at all — relevant only if clients send Internet
# traffic through the tunnel.
add action=masquerade chain=srcnat comment=“NAT L2TP/IPSEC” dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add action=src-nat chain=srcnat comment=“AccessList NAT” src-address-list=Trusted to-addresses=192.168.1.1
# Only the ssh-terminal forward is shown in this excerpt; the Oscam forward from the earlier exports is not listed here.
add action=dst-nat chain=dstnat comment=ssh-terminal dst-port=8132 protocol=tcp to-addresses=192.168.1.5 to-ports=8132
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
Question – should these rules stay like that, with the NAT L2TP/IPSEC masquerade before `add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24`? For the VPN everything is OK now, but could this setup affect the main ether1 masquerade?
Thanks for the help.