Hi, I have an IPSEC tunnel working fine with PureVPN. I have specified on the provider’s page a couple of ports to forward, and it works perfectly for one of them, the one on port 2202, but not for PLEX running on port 32400. I am new to setting up IPSEC tunnels, so there are many things that I don’t understand.
I can telnet without problems to port 32400 on the tunnel’s external IP and the server responds correctly, so I’m inclined to believe there must be a specific way in which PLEX determines whether you have Remote Access or not. So I need help from someone with PLEX knowledge.
I previously had a PPTP connection and Remote Access worked OK; now that I’m switching to IPSEC, PLEX can’t enable it, just saying that it is not available outside your network.
Things that I don’t know or understand:
- I don’t know if it has anything to do with it, but the counters of the rule “defconf: accept out ipsec policy” are always 0, even when I can access the port running on 2202 perfectly.
- Every once in a while I see a packet from the server’s internal IP 192.168.1.195 to the tunnel’s external IP on port 32400.
- Now that it is a tunnel, I don’t seem to have a way to torch packets initiated from outside the tunnel to troubleshoot; I can only see them once they are decapsulated, and I don’t see any attempt on PLEX’s side to connect to my server when I request it.
Any help will be greatly appreciated. This is the relevant configuration:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
add name=PureVPN-Mode responder=no src-address-list=local_net
/ip ipsec policy group
add name=PureVPN-Group
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=PureVPN-Profile
/ip ipsec peer
add address=SERVER.pointtoserver.com name=PureVPN-FixedIP profile=PureVPN-Profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-128-cbc name=PureVPN-Proposal
/interface list member
add comment=defconf interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.219/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.0/24 comment="Address of the local network" list=local_net
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="PLEX Forward" dst-port=32400 log=yes log-prefix=PLEX protocol=tcp to-addresses=192.168.1.195 to-ports=32400
add action=dst-nat chain=dstnat comment="Ubooquity Forward" dst-port=2202 log=yes log-prefix=UBOOQUITY protocol=tcp to-addresses=192.168.1.195 to-ports=2202
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=PureVPN-Mode password=PASSWORD peer=PureVPN-FixedIP policy-template-group=PureVPN-Group remote-id=user-fqdn:pointtoserver.com secret=SECRET username=USER
/ip ipsec policy
add dst-address=0.0.0.0/0 group=PureVPN-Group proposal=PureVPN-Proposal src-address=0.0.0.0/0 template=yes
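As an added example (not part of the post above, and not MikroTik's own tooling), the following script parses the relevant RouterOS export lines from the post into rule dictionaries and checks two things a reviewer would want to confirm before blaming the firewall: that both dst-nat forwards point at the same host and are treated identically by the forward chain (the only WAN drop rule exempts dst-natted connections), and that the masquerade rule skips IPsec-policy traffic. The sample export embedded below is constructed from the post's own rules; the function names are my own.

```python
import shlex

# Constructed sample: the forward-chain filter rules and the NAT rules
# copied from the post's export, so the script runs offline.
SAMPLE_EXPORT = """
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="PLEX Forward" dst-port=32400 log=yes log-prefix=PLEX protocol=tcp to-addresses=192.168.1.195 to-ports=32400
add action=dst-nat chain=dstnat comment="Ubooquity Forward" dst-port=2202 log=yes log-prefix=UBOOQUITY protocol=tcp to-addresses=192.168.1.195 to-ports=2202
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Return {section path: [rule dict, ...]} from RouterOS 'add k=v ...' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):                 # section header, e.g. /ip firewall nat
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            rule = {}
            for tok in shlex.split(line[4:]):    # shlex unquotes comment="..." values
                key, _, value = tok.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections

def forwarded_ports(sections):
    """(protocol, external port, internal host:port) for every dst-nat rule."""
    return [(r.get("protocol"), r["dst-port"],
             f"{r['to-addresses']}:{r.get('to-ports', r['dst-port'])}")
            for r in sections.get("/ip firewall nat", []) if r.get("action") == "dst-nat"]

def wan_drop_exempts_dstnat(sections):
    """True if the forward chain's WAN drop rule only hits flows that were NOT dst-natted,
    so every forwarded port gets the same filter treatment."""
    for r in sections.get("/ip firewall filter", []):
        if r.get("chain") == "forward" and r.get("action") == "drop" \
                and r.get("in-interface-list") == "WAN":
            return r.get("connection-nat-state") == "!dstnat"
    return False

def masquerade_skips_ipsec(sections):
    """True if the srcnat masquerade rule excludes IPsec-policy traffic (ipsec-policy=out,none)."""
    return any(r.get("action") == "masquerade" and r.get("ipsec-policy") == "out,none"
               for r in sections.get("/ip firewall nat", []))
```

If both checks return True for your own export, the two forwards are indistinguishable to the filter and NAT rules, which supports looking at how PLEX itself tests reachability rather than at the firewall.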