L2TP/IPsec VPN issues

Hello,

I just created an L2TP/IPsec VPN with the following settings:

/ip pool
add name="Pool L2TP" ranges=192.168.5.10-192.168.5.254

/ip ipsec mode-config
add address-pool="Pool L2TP" name=l2tp_config system-dns=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=profile1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP
/ip ipsec identity
add generate-policy=port-override peer=peer1 remote-id=ignore secret=Secret
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes ipsec-secret=Secret max-mru=1460 max-mtu=1460 use-ipsec=required
/ppp profile
add change-tcp-mss=yes dns-server=192.168.5.1,8.8.8.8 local-address=192.168.5.1 name=L2TP remote-address="Pool L2TP"
/ppp secret
add name=soporte password=Password profile=L2TP

/ip firewall filter
add action=accept chain=input comment="Para L2TP + IPSEC" dst-port=500,1701,4500 in-interface-list=WANs protocol=udp
add action=accept chain=input comment="Para L2TP + IPSEC" in-interface-list=WANs protocol=ipsec-esp
add action=accept chain=input comment="Para L2TP + IPSEC" in-interface-list=WANs protocol=ipsec-ah

If I connect from my W10 PC (from outside the local network), I get 192.168.5.254. I can ping 192.168.1.1 (Mikrotik LAN IP) and it works, but when I ping anything else in the LAN, it does not work.

When I do a tracert from a machine inside the local network to my PC (outside, connected through the VPN), the Mikrotik router is sending me in another direction:

C:\Windows\system32>tracert -d 192.168.5.254

Tracing route to 192.168.5.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     2 ms     2 ms     1 ms  190.210.230.254
  3     5 ms     3 ms     3 ms  190.210.118.106
  4     *        *        *     Request timed out.

I don't know what this IP 190.210.230.254 is, but I get the same second hop with a tracert to 8.8.8.8.
It seems the Mikrotik router is directing everything to 192.168.5.0/24 out to the Internet.
I see that when I connect there is a route created for my dynamic IP to use the dynamically created VPN interface.
I added a blackhole route to 192.168.5.0/24 but it is still the same:

/ip route
add distance=100 dst-address=192.168.5.0/24 type=blackhole

Any idea?
Thanks in advance.
Regards,
Damián

Sorry, I found the issue.
I have connection and routing marks in "/ip firewall mangle" that were triggering the issue.
I just added a rule to not mark anything going to 192.168.5.0/24:

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.5.0/24

Works fine.
Regards,
Damián
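To make the mechanism behind the fix concrete, here is an added Python model of how RouterOS walks the mangle prerouting chain and then picks a routing table by routing mark. It is not code from the thread or from MikroTik. The mark-routing and mark-connection rules, the interface names and the routing tables are constructed assumptions (a typical dual-WAN policy-routing setup, since the poster does not show theirs); only the final accept rule for 192.168.5.0/24 is the one the poster added. The model shows why, without that rule, a reply from the LAN to the VPN client's pool address picks up the routing mark, hits the marked table's default route and leaves over the WAN instead of the dynamic /32 route toward the L2TP interface.

```python
import ipaddress

# Constructed mangle rules in RouterOS export syntax (assumption: a dual-WAN
# setup that marks all LAN-originated traffic to leave via WAN2). Only the
# "accept" rule for 192.168.5.0/24 comes from the thread.
MANGLE_BEFORE_FIX = """\
add action=mark-connection chain=prerouting in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-routing chain=prerouting src-address=192.168.1.0/24 new-routing-mark=to_WAN2 passthrough=no
"""

MANGLE_AFTER_FIX = """\
add action=accept chain=prerouting dst-address=192.168.5.0/24
""" + MANGLE_BEFORE_FIX

# Constructed routing tables: the main table holds the LAN, the dynamic /32
# route RouterOS creates for the connected L2TP client, and a default route;
# the marked table only has a default route via the second WAN.
ROUTING_TABLES = {
    "main": [
        ("192.168.1.0/24", "bridge-LAN"),
        ("192.168.5.254/32", "<l2tp-soporte>"),  # dynamic route added on connect
        ("0.0.0.0/0", "ether1-WAN1"),
    ],
    "to_WAN2": [
        ("0.0.0.0/0", "ether2-WAN2"),
    ],
}


def parse_mangle(export_text):
    """Turn 'add key=value ...' export lines into a list of rule dicts."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in line[4:].split():
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rule_matches(rule, src, dst, in_iface):
    """Only the matchers used in this model: in-interface, src-/dst-address."""
    if "in-interface" in rule and rule["in-interface"] != in_iface:
        return False
    if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "dst-address" in rule and dst not in ipaddress.ip_network(rule["dst-address"], strict=False):
        return False
    return True


def routing_mark_for(rules, src, dst, in_iface):
    """Walk the prerouting chain top to bottom and return the routing mark
    the packet ends up with (None if it was never marked).

    'accept' stops traversal, so anything matched by it can never be marked
    by a later rule; mark-* actions with passthrough=no also stop traversal."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = None
    for rule in rules:
        if rule.get("chain") != "prerouting" or not rule_matches(rule, src, dst, in_iface):
            continue
        action = rule["action"]
        if action == "accept":
            return mark
        if action == "mark-routing":
            mark = rule["new-routing-mark"]
        if rule.get("passthrough", "yes") == "no":
            return mark
    return mark


def next_hop(tables, mark, dst):
    """Longest-prefix lookup in the marked table first, then in main."""
    dst = ipaddress.ip_address(dst)
    for name in ([mark] if mark in tables else []) + ["main"]:
        best = None
        for prefix, iface in tables[name]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best:
            return best[1]
    return None


def egress(mangle_text, src, dst, in_iface="bridge-LAN", tables=ROUTING_TABLES):
    """Return (routing_mark, egress_interface) for one packet."""
    mark = routing_mark_for(parse_mangle(mangle_text), src, dst, in_iface)
    return mark, next_hop(tables, mark, dst)


if __name__ == "__main__":
    # A LAN host (192.168.1.50) replying to the VPN client at 192.168.5.254.
    print("before fix:", egress(MANGLE_BEFORE_FIX, "192.168.1.50", "192.168.5.254"))
    print("after fix: ", egress(MANGLE_AFTER_FIX, "192.168.1.50", "192.168.5.254"))
    # Ordinary Internet traffic is still policy-routed after the fix.
    print("to 8.8.8.8:", egress(MANGLE_AFTER_FIX, "192.168.1.50", "8.8.8.8"))
```

The order of the rules is the whole point: the accept for the VPN pool must sit above the mark-routing rules, because RouterOS evaluates the chain top to bottom and the first terminating action wins. The same check applies to any other subnet that must stay in the main table (other VPN pools, site-to-site tunnels): a packet that reaches a mark-routing rule before an accept for its destination will follow the marked table's default route.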