problem with passing l2tp port and protocol from mikrotik

I have a modem that connects to my MikroTik wirelessly, and the MikroTik connects to my firewall.
I have a VPN server in my firewall.
I want to connect to my internal network by VPN from outside.
I bridged my modem to the MikroTik.
But how can I pass my VPN port and protocol through the MikroTik?

In the picture below my VPN connection cannot pass the MikroTik firewall.
[attachment: mik.jpg]

Hi,

Maybe this will help you, presuming your modem is in bridge and your mikrotik will do the rest:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP

Adjust firewall settings
Do not forget to allow UDP 500 (Dst.Port), UDP 1701, UDP 4500 (Nat-Traversal) and Protocol 50 (ESP) in the firewall filter settings. (Input chain, accept).

Kind regards,

This link is for when the L2TP server is in the MikroTik, but my L2TP server is in my firewall.

This picture shows those rules. Look at the first row: only UDP 500 has connections, the others have nothing.
[attachment: mik2.jpg]

Also I added an IPsec peer and it changed to this:
[attachment: mik3.jpg]
As you can see in row 3, the 500 NAT-traversal is working.
What can I do so that the 2 other ports and the protocol work correctly?

Is there no idea for this problem?
How can I pass UDP 1701 and the ESP protocol through the MikroTik?

With port 500 and 4500 it should work. In the case of NAT-T, ESP is not used on the
network but is encapsulated in UDP port 4500. L2TP is again encapsulated inside ESP
so it does not appear on the network either.

Now I set a dst-nat in the MikroTik:

 1    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=500 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=4500 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=1701 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=ipsec-esp 
      log=no log-prefix=""

192.168.20.10 is my internet interface behind the firewall,
but when I look at the log, only port 500 is dst-nat'ed and the other ports are not.
[attachment: mik4.jpg]

That probably means your IPsec router is not correctly configured and never passes Phase1.
And again, there is no port 1701 traffic to match and probably no ESP either, depending on your config.

This is my config:
Firewall -> Filter Rules:

 0 XI  chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 1 XI  chain=input action=accept protocol=udp dst-port=1701 log=yes log-prefix="" 

 2 XI  chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 3 XI  chain=input action=accept protocol=ipsec-esp log=yes log-prefix=""

Firewall -> NAT:

 1 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
       dst-port=500 log=no log-prefix="" 

 2 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
       dst-port=4500 log=no log-prefix="" 

 3 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
       dst-port=1701 log=no log-prefix="" 

 4 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=ipsec-esp 
       log=no log-prefix=""

IP -> IPsec -> Policies:

 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all

IP -> IPsec -> Peers:

   address=0.0.0.0/0 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="*********" generate-policy=port-strict 
      policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd 
      dpd-maximum-failures=5

IP -> IPsec -> Proposal:

0  * name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024

My config is based on the MikroTik doc.
Is there any problem in my config?
What can I do about this problem?

The documentation you used probably was for another scenario.
Also, you probably need to draw a picture that shows what your exact setup is and what you want to connect to what.

A picture of my scenario or a picture of my config?

A picture that shows how the components are interconnected and what communicates with what.
For example, where is your firewall in that picture and which side of the MikroTik is connected to it.

This is my scenario.
Clients outside, via the internet, want to connect to the server network. The modem is bridged into MikroTik A.
MikroTik A is connected to MikroTik B by wireless antenna.
MikroTik B is behind the firewall server.
There is a VPN server in the firewall server.

I configured IPsec and the firewall in MikroTik A.
[attachment: sss.jpg]

Ah ok that is much clearer!
May I ask why you don't operate the two MikroTik APs in bridge mode?
And when you use routing mode, why do you use NAT?
There should be no reason to use NAT inside your internal network (the two MikroTik routers and the firewall).

Your idea is that I bridge the MikroTiks and make a PPPoE connection in my firewall server (Kerio Control)?

I give up. You keep coming with new information that is crucial to your network design.
I would have to re-think the entire design every time, I leave that to you.

L2TP uses a random free UDP port at both sides;
see RFC 2662, section 8.1:

L2TP uses the registered UDP port 1701 [RFC1700]. The entire L2TP
packet, including payload and L2TP header, is sent within a UDP
datagram. The initiator of an L2TP tunnel picks an available source
UDP port (which may or may not be 1701), and sends to the desired
destination address at port 1701. The recipient picks a free port on
its own system (which may or may not be 1701), and sends its reply to
the initiator’s UDP port and address, setting its own source port to
the free port it found.

So, you must pass through all UDP traffic.
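As an added illustration (not from the thread, and not anyone's real router output): a small Python classifier run over constructed sample packets shows what a port/protocol filter on the MikroTik actually sees during an L2TP/IPsec session. With NAT-T (RFC 3948) the IKE exchange moves to UDP/4500 and ESP is wrapped in UDP/4500 behind a 4-byte zero "non-ESP marker", so rules matching UDP/1701 or IP protocol 50 never see a packet; without NAT in the path, ESP shows up natively, and L2TP is inside the ESP either way. The packet builders, labels and sample flows are my own constructions.

```python
import struct
from collections import Counter

ESP, UDP = 50, 17  # IP protocol numbers

def ipv4(proto, payload, src=b"\xc0\xa8\x01\x02", dst=b"\xc0\xa8\x14\x0a"):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data):
    """UDP header (checksum left 0) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Label one IPv4 packet the way a port/protocol filter rule would match it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == ESP:
        return "esp (ip proto 50)"
    if proto != UDP:
        return f"ip proto {proto}"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data = packet[ihl + 8:]
    if 500 in (sport, dport):
        return "ike (udp/500)"
    if 4500 in (sport, dport):
        # RFC 3948 NAT-T: four zero bytes ("non-ESP marker") mean IKE on 4500;
        # anything else is an ESP packet (starting with its SPI) wrapped in UDP.
        return "ike (udp/4500)" if data[:4] == b"\0\0\0\0" else "esp-in-udp (udp/4500)"
    if 1701 in (sport, dport):
        return "l2tp in the clear (udp/1701)"
    return f"udp/{dport}"

def count_labels(packets):
    """How many packets of a flow each kind of filter rule would see."""
    return Counter(classify(p) for p in packets)

# Constructed sample flows; payload bytes are dummies, only headers and markers matter.
NAT_T_SESSION = [  # client behind NAT: everything after phase 1 rides on UDP/4500
    ipv4(UDP, udp(500, 500, b"\x11" * 28)),
    ipv4(UDP, udp(4500, 4500, b"\0\0\0\0" + b"\x22" * 28)),
    ipv4(UDP, udp(4500, 4500, b"\x00\x00\x12\x34" + b"\x33" * 16)),  # ESP SPI 0x1234, L2TP inside
]
NO_NAT_SESSION = [  # no NAT in the path: ESP appears natively, L2TP still inside it
    ipv4(UDP, udp(500, 500, b"\x11" * 28)),
    ipv4(ESP, b"\x00\x00\x12\x34" + b"\x33" * 16),
]
```

Running `count_labels` over the two flows shows which of the four filter rules in the thread can ever match: in the NAT-T case only the UDP/500 and UDP/4500 rules, in the no-NAT case UDP/500 and protocol 50, and UDP/1701 in neither.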

It means that first I have to add a rule to the filter rules to accept all UDP traffic, and then add a NAT for all UDP traffic?
Is this true:

 chain=input action=accept protocol=udp log=no log-prefix="" 

 chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      log=no log-prefix=""