Mikrotik hAP mini as l2tp ipsec client behind nat

Hi,

I successfully set up a hEX as an L2TP/IPsec VPN server. I can connect from a Windows client and access the LAN on the server side.

Now I want to establish the connection from a hAP mini. From the hAP I can ping the router IP but not the local server LAN on the server side.
The hAP mini is behind NAT.

Config from office hEX:

# sep/16/2020 23:11:29 by RouterOS 6.47.3
# software id = 1KGD-95WT
#
# model = RB750Gr3
# serial number = CC210C571448
#
# Office hEX acting as the L2TP/IPsec server. A plain export hides sensitive
# values, so the PPP password and the IPsec pre-shared key do not appear here.
# WAN-IP-STATIC, WAN-IP-STATIC-NETWORK, WAN-IP-GATEWAY and xxx.xxx.xxx.xxx are
# placeholders substituted by the poster.
/interface bridge
add admin-mac=48:8F:5A:58:C1:C3 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether4 ] arp=proxy-arp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# profile_ipsec is not referenced by any peer or identity in this export; the
# L2TP server's use-ipsec=yes presumably negotiates with the default profile
# instead - verify. 3des is a legacy cipher: drop it from the list unless a
# client still needs it.
/ip ipsec profile
add enc-algorithm=aes-256,aes-128,3des name=profile_ipsec
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.40.100-192.168.40.200
# VPN clients are numbered from the same /24 as the office LAN (see /ip address).
add name=vpn_pool ranges=192.168.40.201-192.168.40.216
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# local-address is the LAN gateway; each client's address comes from vpn_pool.
/ppp profile
add change-tcp-mss=yes local-address=192.168.40.1 name=profile_vpn1 \
    remote-address=vpn_pool use-upnp=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# L2TP server: MS-CHAPv2 user authentication, IPsec (pre-shared key, not shown)
# for transport encryption.
/interface l2tp-server server
set authentication=mschap2 default-profile=profile_vpn1 enabled=yes \
    use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): the LAN address is placed on ether2, which is also a bridge
# port (see /interface bridge port); addresses for bridged ports normally
# belong on the bridge interface itself - confirm this works as intended.
add address=192.168.40.1/24 comment=defconf interface=ether2 network=\
    192.168.40.0
add address=WAN-IP-STATIC/27 interface=ether1 network=WAN-IP-STATIC-NETWORK
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.40.0/24 comment=defconf gateway=192.168.40.1 netmask=24
# allow-remote-requests=yes turns the router into a DNS resolver; it stays
# unreachable from WAN only because no input rule below accepts UDP/53 before
# the final "drop all not coming from LAN" rule.
/ip dns
set allow-remote-requests=yes servers=xxx.xxx.xxx.xxx
/ip dns static
add address=192.168.40.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom; the first matching rule wins, so the
# order below matters.
/ip firewall filter
# IKE (500), L2TP (1701) and NAT-T (4500) from WAN.
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
    dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
# SECURITY: this accepts Winbox (TCP/8291) on every interface, WAN included,
# and it sits above the "drop all not coming from LAN" rule, so management is
# reachable from the Internet. Restrict it with in-interface-list=LAN or a
# src-address-list of trusted addresses.
add action=accept chain=input dst-port=8291 protocol=tcp src-port=""
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# AH is not normally used by L2TP/IPsec clients (they use ESP); verify before
# removing this rule.
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
# Exact duplicate of the ipsec-esp rule two lines above; harmless but redundant.
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# These two are repeated by the "defconf: accept in/out ipsec policy" rules
# further down; one pair can go.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Keep the ipsec-policy accepts above this rule: presumably so that IPsec
# traffic is not fasttracked - confirm against the RouterOS docs.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Final input catch-all: everything not from LAN is dropped, except what the
# rules above already accepted (VPN ports, ESP/AH, Winbox, ICMP).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none limits masquerade to packets that match no outgoing
# IPsec policy, so tunnel traffic is not NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=WAN-IP-GATEWAY
# Password is hidden by the plain export. No "Routes" entry is set here, so
# the server has no route back to the client's LAN (see the end of the thread).
/ppp secret
add name=user1 profile=profile_vpn1
/system clock
set time-zone-name=
/system identity
set name=OFFICE_VPN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Config from hAP mini:

# sep/16/2020 23:33:29 by RouterOS 6.47.3
# software id = IKDN-RTL4
#
# model = RB931-2nD
# serial number = B7B10BAEBDC0
#
# hAP mini acting as the L2TP/IPsec client, behind NAT. A plain export hides
# the PPP password and the IPsec secret. OFFICE-VPN-IP is a placeholder for the
# hEX public address.
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik1 \
    wireless-protocol=802.11
# No add-default-route here, so (as the reply in the thread points out) only
# the point-to-point route to the server is installed; a route to
# 192.168.40.0/24 via l2tp-out1 must be added explicitly.
/interface l2tp-client
add connect-to=OFFICE-VPN-IP disabled=no name=l2tp-out1 use-ipsec=yes user=\
    user1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
# NOTE(review): this range runs from 192.168.90.100 up to 192.168.100.150,
# i.e. well outside the 192.168.90.0/24 network served below - most likely a
# typo for 192.168.90.150.
/ip pool
add name=dhcp ranges=192.168.90.100-192.168.100.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
# NOTE(review): the LAN address sits on ether2, which is a bridge port; an
# address for bridged ports normally belongs on the bridge interface - confirm.
add address=192.168.90.1/24 interface=ether2 network=192.168.90.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.90.0/24 gateway=192.168.90.1 netmask=24
# Marks packets whose *source* is the office LAN range, which the client's
# own LAN (192.168.90.0/24) never produces; the mark only feeds the routing
# entry at the end. The reply in the thread notes this does nothing.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=l2tp_offfice \
    passthrough=yes src-address=192.168.40.0-192.168.40.254
/ip firewall nat
# Masquerading into the tunnel hides the client LAN behind the tunnel address,
# so the server needs no return route; the alternative mentioned at the end of
# the thread is a route to the client LAN on the server ("Routes" in the PPP
# secret).
add action=masquerade chain=srcnat out-interface=l2tp-out1
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=l2tp_offfice

Can anyone check this?

Regards,

Most probably you need a public IP on the WAN port of your hAP mini to get it working.

Regards.

Of course not, L2TP/IPSec works behind NAT.

It’s just a missing route. If you don’t use the VPN as your gateway, you need a route to the remote network:

/ip route
add dst-address=192.168.40.0/24 gateway=l2tp-out1

Because by default you only get the point-to-point route between client and server.

By the way, that routing mark l2tp_offfice doesn’t make sense; in short, it’s a creative way of writing config that does nothing.

The VPN is only for specific apps, without internet access. With the route entered, it’s working.

Thanks.

What about internet traffic? With this setup I have no internet on the client side.
How do I set up internet traffic through the VPN?

If you don’t use the VPN as your gateway, internet traffic uses the client’s default connection, the same one that’s used to connect to the VPN server. If you want to route everything through the VPN, select “Add Default Route” in the client’s VPN config. And then you have to configure the server to allow that traffic out to the internet.

There must be something else wrong with the initial setup. I managed to get VPN traffic to the server only if I set in NAT

add action=masquerade chain=srcnat dst-address=192.168.40.1-192.168.40.250 out-interface=l2tp-out1

And the default NAT rule for WAN disabled.
In router I have

NAT on the VPN client is one way. The other is proper routing: on the server you’d add a route to the client’s LAN (“Routes” in the PPP secret).