I have set up a basic L2TP/IPSEC Road Warrior VPN on an RB951Ui-2HnD running 6.40.4. When I connect to the VPN with a Mac everything works as expected. When I connect with an iPhone or Android device that device can access anything on the LAN but is unable to get back out to the Internet through the VPN. All DNS lookups also fail. I have been unable to look at the routing tables inside the iPhone or Android devices to further diagnose the issue so far.
My procedure for setting up this test is as follows:
- Reset the router configuration with
/system reset-configuration
- Connect to the router with a browser and go to the Quick Set screen
- On the Quick Set screen, set the mode to Home AP, configure the Wireless, check Firewall Router, set the IP address, set the DHCP range, check NAT, uncheck UPnP, and uncheck VPN access
- Execute the script listed below
#
# VPN setup
#
# Sites used in the development of this config:
# http://bluepilltech.blogspot.com/2017/08/mikrotik-routeros-6401-stable-l2tpipsec.html
# http://forum.mikrotik.com/t/pptp-ios10/101539/1 (sergejs' first post)
/interface bridge set bridge arp=proxy-arp
/ip pool add name=ipsec-ip-pool ranges=10.0.34.100-10.0.34.109
/ppp profile add name=ipsec-ppp-profile local-address=10.0.34.1 remote-address=ipsec-ip-pool \
dns-server=10.0.34.1 change-tcp-mss=yes use-encryption=yes
/ppp secret
add disabled=no name=jhc-phone password="login1password" service=l2tp \
profile=ipsec-ppp-profile
add disabled=no name=jhc-mac password="login2password" service=l2tp \
profile=ipsec-ppp-profile
add disabled=no name=pmc-phone password="login3password" service=l2tp \
profile=ipsec-ppp-profile
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=mschap2 keepalive-timeout=30 default-profile=ipsec-ppp-profile \
use-ipsec=yes ipsec-secret="ipsecsecret" caller-id-type=ip-address
/ip ipsec proposal set 0 disabled=no auth-algorithms=sha1 \
enc-algorithms=aes-256-cbc pfs-group=modp1024
/ip ipsec peer add disabled=no address=0.0.0.0/0 auth-method=pre-shared-key \
exchange-mode=main-l2tp passive=no secret="ipsecsecret" \
policy-template-group=default send-initial-contact=yes nat-traversal=yes \
my-id=auto generate-policy=port-override lifetime="1d 00:00:00" dpd-interval=2s \
dpd-maximum-failures=5 proposal-check=obey compatibility-options=skip-peer-id-validation \
hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024
/ip firewall filter
add disabled=no action=accept chain=input in-interface-list=WAN \
src-address=0.0.0.0/0 connection-state=new protocol=ipsec-ah \
place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]
add disabled=no action=accept chain=input in-interface-list=WAN \
src-address=0.0.0.0/0 connection-state=new protocol=ipsec-esp \
place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]
add disabled=no action=accept chain=input in-interface-list=WAN \
src-address=0.0.0.0/0 connection-state=new protocol=udp dst-port=500 \
place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]
add disabled=no action=accept chain=input in-interface-list=WAN \
src-address=0.0.0.0/0 connection-state=new protocol=udp dst-port=1701 \
place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]
add disabled=no action=accept chain=input in-interface-list=WAN \
src-address=0.0.0.0/0 connection-state=new protocol=udp dst-port=4500 \
place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]
I am sure I have configured something incorrectly but have been unable to find it thus far. Any help will be greatly appreciated.
John
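An added set of RouterOS commands for verifying and tightening the setup described in the post above; these are not part of John's configuration. They assume the pool, profile, secret names and rule comments from his script, and the `<l2tp-jhc-phone>` interface name follows RouterOS' naming of dynamic L2TP interfaces (angle brackets plus the username). The "vpn: ..." comment string is a placeholder chosen here.

```routeros
# Added example (not from the original post). Assumes the 10.0.34.100-109 pool,
# the ipsec-ppp-profile and the firewall rules shown in the post above.

# 1. Check that traffic from the VPN pool toward WAN is actually masqueraded.
#    A srcnat rule restricted to the LAN subnet does not cover 10.0.34.100-109.
/ip firewall nat print where chain=srcnat
/ip firewall nat print stats

# 2. Check that the router will answer DNS for remote clients at all.
/ip dns print

# 3. Look at what the router sees from a connected phone: the connection table
#    and a live view of the client's dynamic L2TP interface.
/ip firewall connection print where src-address~"10.0.34."
/tool torch interface=<l2tp-jhc-phone> src-address=10.0.34.0/24

# 4. The default "drop all not coming from LAN" input rule matches
#    in-interface-list=!LAN. A dynamic l2tp-in interface is not in that list,
#    so DNS queries from VPN clients to 10.0.34.1 reach that drop rule unless an
#    accept rule is placed ahead of it:
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 \
    src-address=10.0.34.100-10.0.34.109 comment="vpn: dns from l2tp clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Hardening: the post accepts UDP/1701 from any WAN source and uses
#    use-ipsec=yes, which still permits an unencrypted L2TP session. Require
#    IPsec on the server and only accept 1701 packets that arrived inside an
#    IPsec SA.
/interface l2tp-server server set use-ipsec=required
/ip firewall filter set [find chain=input protocol=udp dst-port=1701] \
    ipsec-policy=in,ipsec
```

Steps 1 to 3 are read-only and can be run while a phone is connected; steps 4 and 5 change the firewall and L2TP server and are worth trying one at a time so that the effect of each on the phone's Internet and DNS access is visible separately.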