First, sorry for my very bad English… I need help to create an IPsec VPN.
The problem is this… in Italy, one of the ISPs that offer VDSL via fiber only accepts connections using the modem/router that they give us… so I cannot leave it out of the connection… the second problem is that it is not possible to set it in bridge mode, and the third is that VoIP calls only work through this modem… so…
If I want to use a better connection than the one I have now (8 Mbps) I have to upgrade the service to fiber… the ISP transforms my RGT into VoIP and I have to connect my MikroTik router in the DMZ of this modem (is it the best solution???)… so if I connect in the DMZ I need to create an IPsec VPN connection to the other two offices that use a different modem (DrayTek); can anyone help me configure it???
First, does that provider’s device get a public IP address from the provider?
Second, is that public address fixed or it may change with each assignment?
Third, how exactly does the DMZ work on that device? To act as the “server” side of the IPsec connection, the RouterBoard needs to be able to receive traffic on UDP ports 500 and 4500, but I have never tried what happens if these are port-forwarded from a public address of a NAT device to the private address of the RouterBoard itself. In other words, I don’t know whether the mismatch between the L3 destination address of these packets and the eventual reference to that address inside them may not prevent IKE from establishing the “link”.
You can start by configuring that provider’s box to assign a fixed private address to your Routerboard’s WAN interface (or by using static configuration on the Routerboard).
The next step is to set up the DMZ (which I understand as forwarding of all packets coming to the public address of that provider’s box, except those which the box wants to handle itself, like e.g. the VoIP ones, to a configured private address in the private network, which would be the one of your Routerboard) or, maybe safer, to just set up port forwarding of those two UDP ports mentioned earlier to Routerboard’s WAN address.
Will the VPN “clients” on the remote sites be also Routerboards or do you plan to use the Draytek’s own IPsec capabilities, if they exist?
“You can start by configuring that provider’s box to assign a fixed private address to your Routerboard’s WAN interface (or by using static configuration on the Routerboard).” - It’s the same MikroTik; can I use this IP configuration because the other router is now in bridge mode (I have to test it on this one… so I hope when I change to the new one it will all be OK…), or do I have to set it in another mode??? How can I set an IP on the WAN interface??
Do I have to NAT the ports on my DrayTek router to the WAN IP of the MikroTik?? Which ports and protocols do I have to do it for?
The VPN client has to connect to the Routerboard.
Wait a bit. In the other topic the discussion was about L2TP/IPsec.
Do I get you right that the topic now actually does not deal with pure IPsec (without L2TP session setup) as the subject suggests, but merely with replacing the modem between the already configured Mikrotik and the internet while the rest remains the same?
So, I have to redo all the configuration; the most important for me is IPsec (from my central office to the other two); after I have reconfigured it I have to redo the L2TP, using this ISP modem that only puts the MikroTik in the DMZ.
You don’t have to redo the VPN setup. I just wanted to understand the topic.
So far I think that it should be sufficient to reconfigure the WAN side of the Mikrotik, leaving the L2TP/IPsec setup in place, and to set up the new modem properly.
The new modem is most likely prepared to connect PCs etc. at its LAN side, so there is likely a DHCP server running on it.
As you say the old modem was set to bridge mode, I assume that your Mikrotik has a PPPoE interface configured which uses some physical interface (probably, ether1) as “transport”. If so, you would disconnect the Mikrotik from the old modem, disable the PPPoE interface (rather than remove it) and attach a DHCP client to the same physical interface, and connect the Mikrotik to the new modem. You should see almost immediately in the list of local IP addresses that you’ve got a private address from the modem.
So until we get past this step, no point in digging further to the DMZ or port forwarding.
A modem in bridge mode in the same subnet as Mikrotik sounds really strange. Can you paste here output of “/interface export hide-sensitive”, “/ip address export” and “ip arp print” after replacing any eventual public address there with some p1.p1.p1.p1 value?
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
# ADDRESS MAC-ADDRESS INTERFACE
0 DC 192.168.98.222 9C:8E:99:66:73:98 bridge
1 DC 192.168.98.19 8C:89:A5:C4:CA:B3 bridge
2 DC 192.168.98.110 00:06:4F:67:0C:C5 bridge
3 DC 192.168.98.5 74:27:EA:10:4F:E3 bridge
4 DC 192.168.98.120 00:06:4F:67:0C:CD bridge
5 DC 192.168.98.194 94:A1:A2:4B:9A:67 bridge
6 DC 192.168.98.70 28:57:BE:9C:7F:4F bridge
7 DC 192.168.98.241 30:05:5C:A8:4D:AA bridge
8 DC 192.168.98.3 00:90:A9:38:F6:3A bridge
9 DC 192.168.98.209 2C:0E:3D:F6:74:28 bridge
10 DC 192.168.98.223 54:72:4F:71:36:CE bridge
11 DC 192.168.98.210 BC:3D:85:AA:0B:6C bridge
12 DC 192.168.98.24 BC:AE:C5:D6:CE:D0 bridge
13 DC 192.168.98.221 30:63:6B:CC:7C:28 bridge
14 DC 192.168.98.215 D8:BB:2C:2F:3C:62 bridge
15 DC 192.168.98.178 00:0E:AE:A2:72:DD bridge
16 DC 192.168.98.169 00:0E:AE:A2:75:FE bridge
17 DC 192.168.98.163 00:0E:AE:A2:51:11 bridge
18 DC 192.168.98.167 00:0E:AE:A2:75:FA bridge
19 DC 192.168.98.166 00:0E:AE:A2:75:FB bridge
20 DC 192.168.98.101 54:E1:40:13:F7:38 bridge
21 DC 192.168.98.174 00:0E:AE:A2:76:01 bridge
22 DC 192.168.98.12 00:06:4F:67:0A:E5 bridge
23 DC 192.168.98.224 98:4B:E1:7F:97:ED bridge
24 DC 192.168.98.98 00:1D:AA:D5:0E:00 bridge
“24 DC 192.168.98.98 00:1D:AA:D5:0E:00 bridge” This is the IP of the main router (DrayTek) in bridge mode.
The attached file is the configuration mode of the DrayTek.
Okay. So you already do have a PPPoE client interface there as expected. What I cannot really understand is how come that, although the modem is connected to ether1, which is not a member port of your bridge named “bridge”, it is accessible using an IP address from the same subnet as the rest of your devices, but let’s leave this aside.
As it seems the basics of this configuration (before you’ve set up the L2TP/IPsec) have been created using the “Quick set” function of WebFig or Winbox, you are not aware at all of some settings that need to be made.
So the first thing to do will be to backup the current configuration into a file and then to download that file to your PC, so that we could revert to a working configuration if something goes wrong.
Next, you will disable the PPPoE client in the interface list (which will disconnect the Mikrotik from the internet) and create a DHCP client on the ether1 interface. After doing that, you will also have to replace the “pppoe-out1” by “ether1” everywhere in the ip firewall configuration (in fact, some rules may be omitted afterwards but so far this replacement is the safest way). “/ip firewall export” copy-pasted to a text editor and Ctrl-F will help you find them all, then you’d fix the found ones using your favourite configuration tool.
Next, you will connect ether1 to the Ethernet port of the new modem, and “/ip address print” should show you what IP address you’ve got from the new modem, and “/ip route print” should show you that modem’s own address to which you can connect to configure the DMZ or port forwarding rules on it.
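The WAN swap described in the post above, written out as RouterOS terminal commands. This is an added example, not the poster’s own commands; it assumes the PPPoE client is named pppoe-out1 on ether1 as the thread says, and that the new ISP modem hands out addresses by DHCP.

```routeros
# 1. Save a restorable copy first (binary backup plus text export).
#    Download both files from Files (WebFig/Winbox) to the PC before changing anything.
/system backup save name=before-new-modem
/export file=before-new-modem

# 2. Disable (do not remove) the PPPoE client; the thread says it is pppoe-out1 on ether1.
/interface pppoe-client disable [find name=pppoe-out1]

# 3. Ask the ISP modem for a private address on ether1 (assumption: the modem runs DHCP).
#    add-default-route=yes replaces the default route the PPPoE session used to provide.
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes use-peer-dns=yes comment="WAN via ISP modem"

# 4. Point every firewall rule that matched the PPPoE interface at ether1 instead.
#    [find ...] selects all matching rules, so nothing is missed compared to a manual Ctrl-F;
#    a table with no matching rules (e.g. mangle) is simply a no-op.
/ip firewall filter set [find in-interface=pppoe-out1] in-interface=ether1
/ip firewall filter set [find out-interface=pppoe-out1] out-interface=ether1
/ip firewall nat set [find in-interface=pppoe-out1] in-interface=ether1
/ip firewall nat set [find out-interface=pppoe-out1] out-interface=ether1
/ip firewall mangle set [find in-interface=pppoe-out1] in-interface=ether1
/ip firewall mangle set [find out-interface=pppoe-out1] out-interface=ether1

# 5. Verify: a private address on ether1 and a default route via the modem's LAN address
#    (that gateway address is where the modem's DMZ / port forwarding page lives).
/ip address print where interface=ether1
/ip route print where dst-address=0.0.0.0/0

# 6. Confirm the L2TP/IPsec input rules now accept on ether1 (UDP 500 and 4500 for IKE/NAT-T,
#    UDP 1701 for L2TP); if a rule is missing here, the modem's forwarding cannot help.
/ip firewall filter print where chain=input in-interface=ether1 protocol=udp
```

Only after step 5 shows a private address and a default route does it make sense to forward UDP 500 and 4500 on the modem to that ether1 address.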
Well, as the ports are not forwarded, no wonder that the IPsec cannot establish. Can you send me a link to the manual of that provider’s router? Should not matter if it is only in Italian.
If it comes out that there is no way to make it work, another possibility would be to keep both connections, the fast one for normal tasks and the slow one for VPN access.