L2TP/IPsec VPN routing problem

manderson · March 5, 2014, 6:57pm

I’ve setup a L2TP/IPsec VPN from my user machine to a Mikrotik routerboard. The VPN works fine. My problem is that I can’t seem to get it to route past the routerboard to access the LAN or WAN. The routerboard by itself can ping both the internal and external IP’s that are associated with it and beyond, (servers on the internal IP range and the internet). Once I’m logged in via the VPN from a workstation though the only thing that I can ping is the routerboards IP’s and the VPN IP’s through the VPN.

I’ve enabled proxy-arp on all of the routerboard interfaces and I’ve played around with some of the firewall rules. I don’t need to have access to the internet through the VPN, but I do need RDP access to the private IP’s that are on the servers on the other side of the router. At the moment though I’m at a loss as to what I’m missing here. Anyone have any ideas? Thank you in advance for taking the time to help.

efaden · March 5, 2014, 9:20pm

Post your export. Could be firewall.

Sent from my SCH-I545 using Tapatalk

jaytcsd · March 6, 2014, 7:36am

http://mikrotik.patokatech.com/

This is my config, I connect from a Sprint EVDO card and some wifi systems without any problems.

I can copy files over the VPN, use VNC and RDP to control PCs, etc.

I did not see a difference between arp or proxy arp on the public interface.
Exchange mode under IPsec / peers works with main or main l2tp.

manderson · March 6, 2014, 2:59pm

Here's my export - if this isn't what you wanted can you tell me how to get it, I'm pretty new to routerOS - Thanks

mar/06/2014 08:50:12 by RouterOS 6.10

software id = GWFF-SIRR

/certificate
add common-name=vpn.forbin.com country=US locality=Waterloo name=vpnCert
organization=forbin.com state=IA subject-alt-name=
email:hostmaster@forbin.com
add common-name=vpn.forbin.com name=cert_4 subject-alt-name=
DNS:vpn.forbin.com trusted=yes
/interface bridge
add admin-mac=D4:CA:6D:CC:49:B5 arp=proxy-arp auto-mac=no l2mtu=1598 name=
bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n distance=indoors l2mtu=2290
mode=station-pseudobridge ssid=MikroTik-CC49B9 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-gateway
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=418502FA0602
wpa2-pre-shared-key=418502FA0602
/ip dhcp-server
add interface=ether1-gateway name=dhcp1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge-local
name=default
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.0.0.30 name=
"L2TP Profile" remote-address=default-dhcp use-encryption=required
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1-gateway
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set authentication=mschap2 default-profile="L2TP Profile" enabled=yes
/interface ovpn-server server
set auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
/interface pppoe-server server
add disabled=no interface=bridge-local keepalive-timeout=disabled
service-name=service1
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set enabled=yes
/ip address
add address=10.0.0.30/28 comment="default configuration" interface=
ether2-master-local network=10.0.0.16
add address=xxx.xxx.xxx.xxx/22 interface=ether1-gateway network=xxx.xxx.xxx.xxx
/ip dhcp-client
add add-default-route=no comment="default configuration" dhcp-options=
hostname,clientid disabled=no interface=bridge-local
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration"
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=xxx.xxx.xxx.xxx list=Name
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=
ether1-gateway
add chain=forward comment="default configuration" connection-state=
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration"
connection-state=invalid
add chain=forward protocol=rdp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway
add chain=dstnat dst-address=10.0.0.16/28 src-address=10.0.0.16/28
add chain=srcnat dst-address=10.0.0.16/28 src-address=192.168.0.0/16
/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override
nat-traversal=yes secret=xxxxxxx
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
/ip service
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=test password=testuser profile="L2TP Profile" service=l2tp
/routing ospf interface
add network-type=broadcast
/routing ospf network
add area=backbone network=10.0.0.16/28
add area=backbone
/routing rip interface
add interface=ether2-master-local passive=yes send=v1-2
add send=v1-2
/routing rip network
add network=10.0.0.16/28
add
/system clock
set time-zone-name=America/Chicago
/system identity
set name=vpntest
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local

jaytcsd · March 17, 2014, 3:01am

When it comes to Mikrotik OS I’m no expert even though I’ve been using it since 2.8.

I don’t bridge any interfaces, my setup is very close to the demo router plus some tip from the forum and wiki.