Hello.
I have a central office connected to several branch offices with IPsec tunnels.
The central office also acts as a concentrator for road-warrior clients, giving them access to all the offices (L2TP over IPsec).
We have over 40 branch offices, each consisting of a single IP network, but one of them needs routes to 2 subnetworks and another to 6 subnetworks.
Simple branch offices work without problems, but I have problems reaching the multi-subnet branch offices from the central office network: ping works fine, but heavier protocols such as HTTP lose responses on the local LAN.
Curiously, L2TP clients work without problems.
This is the central office config:
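# oct/09/2014 14:04:40 by RouterOS 6.20
# software id = 3SUZ-S174
#
# Central office router. Lines starting with ";" are the poster's annotations,
# not RouterOS comment syntax ("#" is); strip them before pasting into a terminal.
; interface 8 is connected to local lan.
/ip address add address=192.168.1.250/24 comment="Internal" interface=ether8 network=192.168.1.0
; configuration to access ISP (PPPoE over vlan 6) on interface 1
/interface vlan add interface=ether1 l2mtu=1584 name=vlan6 vlan-id=6
# NOTE(review): the PPPoE user/password below are posted in clear, unlike the
# IPsec secrets (XXXXX); redact them the same way when sharing the config.
# max-mtu=1492 is the uplink MTU; ESP tunnel overhead comes out of it as well.
/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=1 dial-on-demand=no disabled=no interface=vlan6 keepalive-timeout=disabled max-mru=1492 max-mtu=1492 \
mrru=disabled name=pppoe-telefonica password=adslppp profile=default service-name="" use-peer-dns=no user=adslppp@telefonicanetpa
/ip firewall filter
# input chain on the uplink: only IKE (500/udp), L2TP (1701/udp), NAT-T (4500/udp)
# and ESP are accepted from pppoe-telefonica; the last rule drops everything else.
add chain=input comment="IKE auth" dst-port=500 in-interface=pppoe-telefonica protocol=udp
add chain=input comment=L2TP dst-port=1701 in-interface=pppoe-telefonica protocol=udp
add chain=input comment="IPsec NAT traversal" dst-port=4500 in-interface=pppoe-telefonica protocol=udp
add chain=input comment="IPsec Encapsulating Security Payload (ESP)" in-interface=pppoe-telefonica protocol=ipsec-esp
add action=drop chain=input comment="Drop all input traffic from internet" in-interface=pppoe-telefonica
/ip firewall nat
# The two rules without action= use the default action (accept), so traffic to
# 192.168.0.0/16 and 10.0.0.0/8 leaves the srcnat chain before the masquerade
# rule and keeps its LAN source address, which the IPsec policies below match on.
# Rule order matters here: the masquerade rule must stay last.
add chain=srcnat comment="No nat in PPPoE to allow 192.168.0.0 subnets to use IPsec" dst-address=192.168.0.0/16 out-interface=pppoe-telefonica
add chain=srcnat comment="No nat in PPPoE to allow 10.0.0.0 subnets to use IPsec" dst-address=10.0.0.0/8 out-interface=pppoe-telefonica
add action=masquerade chain=srcnat comment="Full cone NAT for internet access" out-interface=pppoe-telefonica
; RoadWarriors config
# proxy-arp on ether8 lets LAN hosts reach L2TP clients, whose pool
# (192.168.1.91-100) lies inside the LAN subnet.
/interface ethernet set [ find default-name=ether8 ] arp=proxy-arp
# NOTE(review): 3des here, and des/md5/modp768 on the branch tunnels below, are
# legacy algorithms; any change must be made on every peer at the same time.
/ip ipsec peer add comment="L2TP roadwarriors" enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=XXXXX
/ip ipsec proposal set [ find default=yes ] enc-algorithms=3des,aes-256-cbc pfs-group=none
/interface l2tp-server server set authentication=mschap2 default-profile=L2TP-ppp-profile enabled=yes
# FIX: the original line read "add name=profile1 add change-tcp-mss=yes ...
# name=L2TP-ppp-profile" (a stray second "add" and a duplicated name=). The
# profile referenced by the l2tp-server and by the secrets is L2TP-ppp-profile,
# so that is the name kept.
# change-tcp-mss=yes clamps TCP MSS for L2TP clients; LAN hosts on ether8 get no
# equivalent clamping for the IPsec tunnels (see the note at the second VPN).
/ppp profile add change-tcp-mss=yes comment="Profile used for L2TP connections " local-address=192.168.1.250 name=L2TP-ppp-profile remote-address=L2TP-pool
/ip pool add name=L2TP-pool ranges=192.168.1.91-192.168.1.100
/ppp secret add name=XXXX password=XXXXX profile=L2TP-ppp-profile service=l2tp
; several other secrets go here
;VPN configs
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=des lifetime=8h name=md5-des-8h-nopfs pfs-group=none
; this VPN works fine
/ip ipsec peer add address=remotePublicIP1/32 dh-group=modp768 dpd-interval=disable-dpd enc-algorithm=des hash-algorithm=md5 lifetime=8h nat-traversal=no secret=XXXXX
# single policy, no level= given, so the default level applies
/ip ipsec policy add dst-address=10.20.31.0/24 proposal=md5-des-8h-nopfs sa-dst-address=remotePublicIP1 sa-src-address=LocalPublicIP src-address=192.168.1.0/24 tunnel=yes
; And this VPN has problems from the local lan
# (FIX: the line above started with ":" instead of ";"; ":" is the script-command
# prefix in RouterOS and would not be treated as an annotation.)
# NOTE(review): what differs from the working tunnel above is (a) two policies to
# the same peer and (b) level=unique on both, which negotiates a separate SA pair
# per policy. The reported symptom (ping fine, HTTP stalls, L2TP clients
# unaffected) fits an MTU/MSS problem rather than a policy mismatch: L2TP clients
# get change-tcp-mss=yes from the PPP profile, LAN hosts do not. Worth testing
# with large don't-fragment pings across the tunnel; a mangle change-mss rule
# for traffic matching ipsec-policy=out,ipsec is the usual remedy. TODO confirm
# on the live router before changing anything.
/ip ipsec peer add address=remotePublicIP2/32 dh-group=modp768 dpd-interval=disable-dpd enc-algorithm=des hash-algorithm=md5 lifetime=8h nat-traversal=no secret=XXXXX
/ip ipsec policy add dst-address=10.20.91.0/24 level=unique proposal=md5-des-8h-nopfs sa-dst-address=remotePublicIP2 sa-src-address=LocalPublicIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.13.0/24 level=unique proposal=md5-des-8h-nopfs sa-dst-address=remotePublicIP2 sa-src-address=LocalPublicIP src-address=192.168.1.0/24 tunnel=yes
; general config
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes primary-ntp=150.214.94.5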
And this is the remote branch config:
# Remote (multi-subnet) branch router. Lines starting with ";" are the poster's
# annotations, not RouterOS comment syntax ("#" is); strip them before pasting.
; interface 2 is connected to local lan.
/ip address add address=10.20.91.254/24 comment="Internal" interface=ether2 network=10.20.91.0
# NOTE(review): the second IPsec policy below covers 192.168.13.0/24, but no
# address or route for that network appears in this listing; presumably it is
# reached through another router on the LAN - confirm, since without a route
# return traffic for that subnet would never reach the tunnel.
; configuration to access ISP (PPPoE over vlan 6) on interface 1
/interface vlan add interface=ether1 l2mtu=1584 name=vlan6 vlan-id=6
# NOTE(review): PPPoE user/password posted in clear, as in the central config;
# redact like the IPsec secrets. max-mtu=1492 is the uplink MTU, ESP overhead
# is subtracted from it.
/interface pppoe-client add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=1 dial-on-demand=no disabled=no interface=vlan6 keepalive-timeout=disabled max-mru=1492 max-mtu=1492 \
mrru=disabled name=pppoe-telefonica password=adslppp profile=default service-name="" use-peer-dns=no user=adslppp@telefonicanetpa
/ip firewall filter
# input chain on the uplink: only IKE (500/udp), L2TP (1701/udp), NAT-T (4500/udp)
# and ESP are accepted from pppoe-telefonica; the last rule drops everything else.
# (L2TP/1701 is opened here although no L2TP server is configured on this router.)
add chain=input comment="IKE auth" dst-port=500 in-interface=pppoe-telefonica protocol=udp
add chain=input comment=L2TP dst-port=1701 in-interface=pppoe-telefonica protocol=udp
add chain=input comment="IPsec NAT traversal" dst-port=4500 in-interface=pppoe-telefonica protocol=udp
add chain=input comment="IPsec Encapsulating Security Payload (ESP)" in-interface=pppoe-telefonica protocol=ipsec-esp
add action=drop chain=input comment="Drop all input traffic from internet" in-interface=pppoe-telefonica
/ip firewall nat
# Rules without action= use the default action (accept), so traffic to
# 192.168.0.0/16 and 10.0.0.0/8 leaves the srcnat chain before masquerade and
# keeps its LAN source address, as the policies below require. Keep masquerade last.
add chain=srcnat comment="No nat in PPPoE to allow 192.168.0.0 subnets to use IPsec" dst-address=192.168.0.0/16 out-interface=pppoe-telefonica
add chain=srcnat comment="No nat in PPPoE to allow 10.0.0.0 subnets to use IPsec" dst-address=10.0.0.0/8 out-interface=pppoe-telefonica
add action=masquerade chain=srcnat comment="Full cone NAT for internet access" out-interface=pppoe-telefonica
;VPN config
# des/md5/modp768 are legacy algorithms; they must match the central office's
# proposal for this peer, so change both ends together or not at all.
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=des lifetime=8h name=md5-des-8h-nopfs pfs-group=none
# NOTE(review): the placeholders here (address=remotePublicIP2,
# sa-src-address=LocalPublicIP) are the same as in the central office config,
# where remotePublicIP2 is this branch and LocalPublicIP is the central office.
# Read literally this router would peer with its own public address; presumably
# the names are meant relative to each router (remote = central office here) -
# confirm, since the tunnel does come up.
/ip ipsec peer add address=remotePublicIP2/32 dh-group=modp768 dpd-interval=disable-dpd enc-algorithm=des hash-algorithm=md5 lifetime=8h nat-traversal=no secret=XXXXX
# Two policies to the same peer, both level=unique: each policy negotiates its
# own SA pair, mirroring the two level=unique policies on the central office.
/ip ipsec policy add dst-address=192.168.1.0/24 level=unique proposal=md5-des-8h-nopfs sa-dst-address=remotePublicIP2 sa-src-address=LocalPublicIP src-address=10.20.91.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.1.0/24 level=unique proposal=md5-des-8h-nopfs sa-dst-address=remotePublicIP2 sa-src-address=LocalPublicIP src-address=192.168.13.0/24 tunnel=yes