L2TP IPSec

Hello,

I am trying to configure an L2TP IPsec tunnel with two RB2011UiAS-2HnD-IN’s. I have configured it according to the example given in http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers and both the tunnel and the IPsec connection are working (I think). That is, I can see installed SAs. What is not working is that when I try to ping a client from either side of the tunnel, it doesn’t work. I have already tried to put in NAT bypass rules but it is still not working.

The reason I want to make the VPN tunnel is that my family and I will be living abroad for a year, but we still want to use our NAS, which stays at home, and we would also still like to be using Netflix. We live in Holland, by the way. So basically I want to route all traffic from abroad over the tunnel and break out to the internet in Holland. Could anybody give me some suggestions on how to accomplish this?

Thank you in advance

Dennis

Bear in mind IPsec routes by policies.

If you use the same subnet for clients you need proxy-arp.

http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Connecting_Remote_Client

I am not using the same subnet; they are different subnets. Funny thing is that I can ping the IP addresses of the tunnel, so the tunnel seems to be working fine, but once I go outside, nothing happens. If I ping from the router to, for example, 192.168.88.1 I get a reply, but if I try to ping from the router to a client, nothing happens. So probably I am doing something wrong with routes or NAT but I can’t figure out what it is I am doing wrong. I also double checked my IPsec policies and they seem to be OK.

Could you post a New Terminal

/ip export

from both routers?

/ip terminal for router with server:

# jun/29/2015 19:43:15 by RouterOS 6.29.1
# software id = 7KIW-8ENX

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=VPN_Pool ranges=192.168.5.2-192.168.5.20
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=ether2
network=192.168.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=4h name=
default
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=
192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add chain=input in-interface=ether1-gateway port=1701 protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=
established,related
add action=drop chain=input comment="default configuration" disabled=yes
in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=
established,related
add action=drop chain=forward comment="default configuration"
connection-state=invalid
add action=drop chain=forward comment="default configuration"
connection-nat-state=!dstnat connection-state=new in-interface=
ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=
192.168.1.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=5005 protocol=tcp to-addresses=
192.168.1.10 to-ports=5005
/ip ipsec peer
add address=10.0.16.10/32 dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des nat-traversal=no secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.88.0/24 sa-dst-address=10.0.16.10 sa-src-address=
10.0.16.9 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.0.16.10
/ip service
set ftp disabled=yes
set ssh disabled=yes

/ip export for client router:
/ip export

# jun/29/2015 17:49:55 by RouterOS 6.29.1
# software id = CP1R-WTRZ

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=
bridge-local network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=
established,related
add action=drop chain=input comment="default configuration" disabled=yes
in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=
established,related
add action=drop chain=forward comment="default configuration"
connection-state=invalid
add action=drop chain=forward comment="default configuration"
connection-nat-state=!dstnat connection-state=new in-interface=
ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway
/ip ipsec peer
add address=10.0.16.9/32 dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des nat-traversal=no secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.16.10 sa-src-address=
10.0.16.9 src-address=192.168.88.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=10.0.16.9
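The two exports above can be checked mechanically for the things the earlier reply hints at (IPsec routes by policies, so the policy selectors, the NAT bypass rules, the routes and the SA endpoints all have to agree). The following script is an added example and not code from the thread or from MikroTik: it parses RouterOS `/ip export` text and reports mismatches. It embeds only the relevant sections of the two posted exports, with wrapped lines joined and the server's cut-off NAT bypass rule completed to `/24`, and it assumes the RouterOS meaning of `sa-src-address` (local SA endpoint) and `sa-dst-address` (remote endpoint, which must equal the `address` of a configured peer). On these inputs it reports nothing for the server side and flags the client's policy, whose `sa-dst-address` does not match its only configured peer.

```python
"""Added example: consistency checks for a site-to-site IPsec policy setup,
run over RouterOS '/ip export' text. Assumed RouterOS semantics: in
'/ip ipsec policy', sa-src-address is the local SA endpoint and
sa-dst-address the remote one, which must equal a configured peer's address."""
import ipaddress
import shlex

# Constructed inputs: the relevant sections transcribed from the two exports
# posted in the thread (other sections dropped, wrapped lines joined, the
# server's truncated "src-address=192.168.1.0/2" completed to /24).
SERVER_EXPORT = """
/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
add address=10.0.16.10/32 enc-algorithm=3des nat-traversal=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.88.0/24 sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.0.16.10
"""

CLIENT_EXPORT = """
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
add address=10.0.16.9/32 enc-algorithm=3des nat-traversal=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=192.168.88.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=10.0.16.9
"""


def parse_export(text):
    """Map each '/section' to its 'add' entries as key->value dicts.
    'set' lines and '#' comments are ignored; shlex handles quoted values."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif section is not None and line.startswith("add "):
            entry = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                entry[key] = value
            sections[section].append(entry)
    return sections


def net(s):
    """Normalise '192.168.1.0/24', '10.0.16.10/32' or '10.0.16.10' for comparison."""
    return ipaddress.ip_network(s, strict=False)


def check_side(name, cfg):
    """Per-router checks; returns a list of human-readable findings."""
    findings = []
    peers = {net(p["address"]) for p in cfg.get("/ip ipsec peer", []) if "address" in p}
    nat = cfg.get("/ip firewall nat", [])
    masq = next((i for i, r in enumerate(nat) if r.get("action") == "masquerade"), len(nat))
    routes = cfg.get("/ip route", [])
    for pol in cfg.get("/ip ipsec policy", []):
        if pol.get("tunnel") != "yes":
            continue
        label = f"{name}: policy {pol['src-address']}->{pol['dst-address']}"
        # The remote SA endpoint must be a configured peer, or no SA is negotiated for it.
        if net(pol.get("sa-dst-address", "0.0.0.0")) not in peers:
            findings.append(f"{label} sa-dst-address={pol.get('sa-dst-address')} matches no peer")
        # The local endpoint must not be the remote peer (sa-* addresses swapped).
        if net(pol.get("sa-src-address", "0.0.0.0")) in peers:
            findings.append(f"{label} sa-src-address={pol.get('sa-src-address')} is the remote peer")
        # Packets must be routed before a policy can match them.
        if not any(net(r.get("dst-address", "0.0.0.0/0")) == net(pol["dst-address"]) for r in routes):
            findings.append(f"{label} has no route for {pol['dst-address']}")
        # A srcnat accept rule for the selector must precede masquerade, otherwise the
        # rewritten source address no longer matches the policy.
        bypass = any(
            r.get("chain") == "srcnat" and r.get("action", "accept") == "accept"
            and net(r.get("src-address", "0.0.0.0/0")) == net(pol["src-address"])
            and net(r.get("dst-address", "0.0.0.0/0")) == net(pol["dst-address"])
            for r in nat[:masq])
        if not bypass:
            findings.append(f"{label} has no srcnat accept rule before masquerade")
    return findings


def check_mirror(a_name, a_cfg, b_name, b_cfg):
    """Each tunnel policy on one side needs the mirrored selector on the other."""
    b_pairs = {(net(p["src-address"]), net(p["dst-address"]))
               for p in b_cfg.get("/ip ipsec policy", []) if p.get("tunnel") == "yes"}
    return [f"{a_name} policy {p['src-address']}->{p['dst-address']} is not mirrored on {b_name}"
            for p in a_cfg.get("/ip ipsec policy", [])
            if p.get("tunnel") == "yes" and (net(p["dst-address"]), net(p["src-address"])) not in b_pairs]


def audit():
    server, client = parse_export(SERVER_EXPORT), parse_export(CLIENT_EXPORT)
    return (check_side("server", server) + check_side("client", client)
            + check_mirror("server", server, "client", client))


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```

Swap `SERVER_EXPORT` and `CLIENT_EXPORT` for the full text of `/ip export` from each router (the parser skips the sections it does not use) to rerun the same checks after a change; the checks cover only what the exports show and say nothing about the L2TP link or the firewall input chain.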

Where’s the L2TP? I assume the RB client (road warrior) will be behind NAT…

Have you read http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT ?

Maybe I don’t understand it but I don’t have a road warrior setup, I made the site to site L2TP IPSec setup as described in: http://wiki.mikrotik.com/wiki/L2TP_%2B_ … ik_routers

When I look at PPP, the L2TP connection shows up, so I really don’t understand what you mean.

You mention you will be travelling, will you have a fixed IP while abroad?

I think so. I am moving to Italy and will be staying in the same apartment for 14 months, so I guess the IP will be fixed.

Is there anybody who might have a solution for my problem?

You may be forced to use a non-bridgeable router, and residential lines usually don’t have fixed IPs; they vary if you reboot, etc.

I think it’s too soon to know what the best tunnelling scheme for your real scenario is. One thing is for sure: leave the Holland router firewalled but able to be logged into remotely, enable IP > Cloud and take note of your router’s name. Once in Italy will be the time to get things straight.