L2TP IPSec IP pool in second subnet

Hi folks! I’m a new owner of Mikrotik RB4011iGS+5HacQ2HnD RouterOS 6.44.3.
I’m trying to set up an L2TP/IPsec VPN server for connecting remote users from Windows stations. The problem seems to lie in the VPN IP pool, which is in a different subnet from the LAN (bridge) subnet, or maybe it’s a routing problem. I haven’t solved this problem, so I’d like to ask you for a solution or to point me in the right direction.
My configuration looks like:

# Configuration as first posted (before the fix): an L2TP/IPsec server whose
# clients get addresses from 172.19.190.0/24, while the bridge (LAN) only
# carries 172.19.187.3/24.
/interface bridge
# arp=proxy-arp lets the bridge answer ARP requests on behalf of other hosts.
add admin-mac=xxxxx arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/ip ipsec profile
# NOTE(review): modp1024 is a weak Diffie-Hellman group by current standards;
# prefer modp2048 or stronger if the Windows clients accept it.
set [ find default=yes ] dh-group=modp1024
/ip pool
# NOTE(review): a comma separates list entries, so as written this appears to
# define two single addresses (.200 and .250), not the range .200-.250.
add comment=VPN name=l2tp-pool ranges=172.19.190.200,172.19.190.250
/ppp profile
# local-address is the router's end of each tunnel; remote-address is drawn
# from l2tp-pool. Clients are handed both DNS servers listed here.
add change-tcp-mss=yes dns-server=172.19.190.1,172.19.187.10 local-address=\
    172.19.190.1 name=l2tp-ipsec remote-address=l2tp-pool
/interface l2tp-server server
# NOTE(review): mschap1 is a broken authentication method; mschap2 alone is
# sufficient for Windows clients.
# NOTE(review): use-ipsec=yes also accepts L2TP without IPsec; use-ipsec=required
# refuses it (confirm the value is available on this RouterOS version).
# ipsec-secret is a single pre-shared key common to every client, so it should
# be long and random, and rotated when a user leaves.
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \
    ipsec-secret=xxxxx use-ipsec=yes
/ip address
# Only the LAN subnet is addressed on the bridge; nothing here is in
# 172.19.190.0/24 apart from the PPP local-address above.
add address=172.19.187.3/24 comment=defconf interface=bridge network=\
    172.19.187.0
add address=xxx.xxx.xxx.xxx interface=ether1-wan network=xxxxxxxxx
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any host that can reach it. No firewall rules are shown in this listing,
# so confirm the input chain blocks DNS (port 53) arriving from the WAN.
# NOTE(review): the space after the comma in servers= looks like a paste
# artifact - verify before importing.
set allow-remote-requests=yes servers=\
    172.19.187.10, 8.8.8.8
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
/ppp secret
# Placeholder credentials from the post; each real user should get an
# individual name and a strong password.
add name=user password=psw profile=l2tp-ipsec service=l2tp

Other than “ranges=172.19.190.200,172.19.190.250” in pool, which I suspect was meant to be “ranges=172.19.190.200-172.19.190.250”, what exactly seems to be the problem? You didn’t describe that.

I have already solved the problem. My PPP users were able to connect to the VPN, but they were unable to reach the LAN subnet 172.19.187.0/24.
The final solution was to add firewall filter/NAT rules:

# Revised configuration posted as the fix: VPN clients in 172.19.190.0/24 are
# allowed to reach the LAN in 172.19.187.0/24 through filter and NAT rules.
/ip pool
# The VPN pool is now written as a range (dash instead of comma).
add comment=VPN name=l2tp-pool ranges=172.19.190.201-172.19.190.250
# LAN pool; nothing in this listing references it.
add comment=LAN name=172.19.187.0/24 ranges=172.19.187.20-172.19.187.200
/ppp profile
# interface-list=LAN puts each dynamic L2TP interface into the LAN list, so any
# firewall rule that trusts the LAN list also applies to VPN clients.
# use-encryption=required refuses PPP sessions that do not negotiate encryption.
add change-tcp-mss=yes dns-server=172.19.187.10 interface-list=LAN \
    local-address=172.19.190.1 name=l2tp-ipsec remote-address=l2tp-pool \
    use-encryption=required
/interface l2tp-server server
# NOTE(review): mschap1 is a broken authentication method; mschap2 alone is
# sufficient for Windows clients.
# NOTE(review): use-ipsec=yes also accepts L2TP without IPsec; use-ipsec=required
# refuses it (confirm the value is available on this RouterOS version).
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \
    ipsec-secret=********* use-ipsec=yes
/interface bridge port
add bridge=bridge interface=ether2
/interface list member
add interface=ether2 list=LAN
add interface=ether1-wan list=WAN
/ip address
add address=172.19.187.3/24 interface=bridge network=172.19.187.0
# The VPN subnet now has an address on the bridge; it is the same address the
# PPP profile uses as local-address.
add address=172.19.190.1/24 interface=bridge network=172.19.190.0
/ip firewall filter
# Accepts IKE (500), L2TP (1701) and NAT-T (4500) from the WAN.
# NOTE(review): this leaves UDP 1701 reachable without IPsec. Accepting 1701 in
# a separate rule that also matches ipsec-policy=in,ipsec limits L2TP to
# traffic that arrived inside an IPsec tunnel.
# NOTE(review): src-port="" looks like an export artifact - confirm it matches
# any source port as intended.
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp src-port=""
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# NOTE(review): AH is presumably unused by Windows L2TP/IPsec clients (they
# negotiate ESP); confirm and remove this rule if nothing needs it.
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
# These two rules allow all protocols and ports between the LAN and VPN
# subnets in both directions. Narrow them to the services remote users need
# if full LAN access is not required.
add action=accept chain=forward dst-address=172.19.190.0/24 src-address=\
    172.19.187.0/24
add action=accept chain=forward dst-address=172.19.187.0/24 src-address=\
    172.19.190.0/24
# Drops traffic forwarded from any PPP interface that would leave through an
# interface other than the bridge. Rule order matters: it only sees packets
# the accept rules above did not match.
# NOTE(review): only accept rules are shown for the input chain; confirm the
# full rule set still ends with a drop for unsolicited WAN traffic.
add action=drop chain=forward comment="VPN drop outside bridge" in-interface=\
    all-ppp out-interface=!bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# These two rules rewrite the source address of traffic between the LAN and
# VPN subnets to the router's own address. LAN hosts therefore see the router
# rather than the individual VPN client, which removes per-client attribution
# from LAN-side logs and access controls.
# NOTE(review): presumably needed because LAN hosts have no route back to
# 172.19.190.0/24 through this router; a static route on the LAN gateway would
# avoid the NAT - verify against the actual topology.
add action=masquerade chain=srcnat dst-address=172.19.190.0/24 src-address=\
    172.19.187.0/24
add action=masquerade chain=srcnat dst-address=172.19.187.0/24 src-address=\
    172.19.190.0/24