Please help me understand the routing of my simple VPN

I’m trying to learn about setting up VPNs.

I have a really simple virtual network set up in VirtualBox as follows:

I have set up the MikroTik virtual machine broadly according to this tutorial. My entire configuration is as follows:

/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Bridged between LAN and VirtualBox intnet." name="ether1 (WAN)"
set [ find default-name=ether2 ] arp=proxy-arp comment=\
    "VirtualBox intnet gateway to real LAN and internet." name="ether2 (LAN)"

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=0s pfs-group=none

/ip pool
add name=dhcp_pool0 ranges=172.16.16.100-172.16.16.150
add name=vpn_pool ranges=172.16.17.100-172.16.17.150

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="ether2 (LAN)" lease-time=\
    1h name=dhcp1

/ppp profile
add change-tcp-mss=yes dns-server=172.16.16.1,8.8.8.8 local-address=\
    172.16.17.1 name=l2tp-ipsec_profile remote-address=vpn_pool \
    use-encryption=required use-upnp=no

/ip settings
set rp-filter=strict

/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec_profile \
    enabled=yes ipsec-secret=ipsec_secret use-ipsec=yes

/ip address
add address=192.168.0.19/24 comment=\
    "Bridged between LAN and VirtualBox intnet." interface="ether1 (WAN)" \
    network=192.168.0.0
add address=172.16.16.1/24 comment=\
    "VirtualBox intnet gateway to real LAN and internet." interface=\
    "ether2 (LAN)" network=172.16.16.0
	
/ip dhcp-server lease
add address=172.16.16.149 mac-address=08:00:27:C4:A8:9C server=dhcp1

/ip dhcp-server network
add address=172.16.16.0/24 dns-server=172.16.16.1,8.8.8.8,8.8.4.4 gateway=\
    172.16.16.1
	
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input comment=\
    "Allow external WinBox access (VM only)." dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop malformed packets." \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=\
    "Allow LAN (ether2) access to router and internet." connection-state=new \
    in-interface="ether2 (LAN)"
add action=accept chain=input comment="Allow established and 'related' connect\
    ions originating from LAN." connection-state=established,related
add action=accept chain=input comment="Allow L2TP/IPSEC VPN." dst-port=1701 \
    protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment=\
    "Drop everything else (i.e. anything not matching the previous rules)."
add action=accept chain=forward comment=\
    "Allow established and 'related' connections originating from LAN." \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Allow connections originating from LAN."
add action=drop chain=forward comment="Drop everything else."

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT  to access real LAN and internet." dst-address=0.0.0.0/0 \
    out-interface="ether1 (WAN)" src-address=172.16.16.0/24
add action=masquerade chain=srcnat comment=\
    "NAT for addresses from L2TP pool." src-address=172.16.17.0/24
	
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des \
    generate-policy=port-override secret=ipsec_secret
	
/ip route
add check-gateway=ping comment="Default route to real LAN." \
    distance=1 gateway=192.168.0.1
	
/ppp secret
add name=l2tp_user password=pa55word profile=l2tp-ipsec_profile service=l2tp

This works. I can create a VPN connection from any machine on the real LAN (192.168.0.0/24), connect to the L2TP server listening at 192.168.0.19, and then connect directly to the test share running on the 172.16.16.149 virtual machine. I can ping the two virtual PCs from the VPN connection, ssh into them, and so on.

However, I can’t ping the router itself at 172.16.16.1, and this is really confusing me. It’s on the same 172.16.16.0/24 subnet as the two virtual PCs, but there doesn’t seem to be a route to it. Traceroute gives me this:

tracert 172.16.16.149

Tracing route to 172.16.16.149 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.17.1
  2    <1 ms    <1 ms    <1 ms  172.16.16.149

Trace complete.

But then also this:

tracert 172.16.16.1

Tracing route to 172.16.16.1 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *     ^C

This makes no sense to me at all. They’re on the same subnet, and the traceroute to 172.16.16.149 suggests that the VPN pool NAT is working as it should, so why can I not reach the router? The packets are clearly travelling through it, otherwise there’d be no access to the internet or the file shares.

I feel like this may point to some fundamental gap in my understanding of how the VPN connection works, and how the packets are actually travelling back and forth, and also what the local and remote addresses in the PPP Profile represent in this context. If anyone can help me out here, I’d appreciate it very much.

Additionally, I find that I can’t connect to the VPN unless I specify the shared secret in both the IP/Ipsec/Peer menu and the PPP/Interface/L2TP Server setup screen. Is this the way it should be? I don’t feel like it should be necessary to enter it in two different places.
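Walking the question's firewall chains rule by rule, as an added illustration that is not part of the original post: an echo request arriving over the tunnel carries the dynamic L2TP interface as its in-interface (assumed here to be named `<l2tp-l2tp_user>`), so the only `connection-state=new` accept in the input chain, which is tied to `ether2 (LAN)`, does not match it and it falls through to the final drop, while the same request from ether2 is accepted and traffic routed to 172.16.16.149 is accepted by the unconditioned forward rule.

```python
import ipaddress
# Added illustration, not the poster's configuration. Rules are transcribed per
# chain from the /ip firewall filter section above; packets and the tunnel name
# "<l2tp-l2tp_user>" are constructed (RouterOS names dynamic L2TP interfaces so).
INPUT_RULES = [                       # (action, match); {} matches every packet
    ("accept", {"proto": "tcp", "dport": 8291}),
    ("drop",   {"state": "invalid"}),
    ("accept", {"state": "new", "in_if": "ether2 (LAN)"}),   # only ether2, not the tunnel
    ("accept", {"state": {"established", "related"}}),
    ("accept", {"proto": "udp", "dport": 1701}),
    ("accept", {"proto": "udp", "dport": 500}),
    ("accept", {"proto": "udp", "dport": 4500}),
    ("accept", {"proto": "ipsec-ah"}),
    ("accept", {"proto": "ipsec-esp"}),
    ("drop",   {}),
]
FORWARD_RULES = [
    ("drop",   {"state": "invalid"}),
    ("accept", {"state": {"established", "related"}}),
    ("accept", {}),                   # "Allow connections originating from LAN." has no matcher
    ("drop",   {}),
]
# One narrowly scoped input rule admitting new connections from the VPN pool.
FIXED_INPUT = INPUT_RULES[:3] + [("accept", {"state": "new",
    "src": ipaddress.ip_network("172.16.17.0/24")})] + INPUT_RULES[3:]

def matches(cond, pkt):
    for key, want in cond.items():
        have = pkt.get(key)
        if isinstance(want, ipaddress.IPv4Network):
            if have is None or ipaddress.ip_address(have) not in want:
                return False
        elif isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def walk(rules, pkt):
    """First-match evaluation: returns (action, index of the matching rule)."""
    for i, (action, cond) in enumerate(rules):
        if matches(cond, pkt):
            return action, i
    return "accept", -1               # RouterOS default when no rule terminates

# Constructed packets; the first is the echo request behind the failing tracert.
PING_FROM_VPN = {"proto": "icmp", "state": "new", "in_if": "<l2tp-l2tp_user>",
                 "src": "172.16.17.100", "dst": "172.16.16.1"}
PING_FROM_LAN = dict(PING_FROM_VPN, in_if="ether2 (LAN)", src="172.16.16.149")
VPN_TO_VM = dict(PING_FROM_VPN, dst="172.16.16.149")   # routed, so forward chain
```

`walk(INPUT_RULES, PING_FROM_VPN)` lands on the last drop, whereas the same packet against `FIXED_INPUT` is accepted by the added rule; the fix stays scoped to the VPN pool rather than opening the input chain to every interface.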