Quick Set VPN: can connect from LAN, but not WAN

I’ve read the various guides for setting up Road Warrior access, and I haven’t made progress. It seems like there must be a problem with my firewall settings, but I’m completely stumped.

I reset my MikroTik router and tried to set up VPN using Quick Set. I can connect to the MikroTik VPN server from the LAN side but not the WAN side.

Here’s the MikroTik log of a successful connection from the LAN side (times are UTC):
06:05:34 l2tp,ppp,info,account vpn logged in, 192.168.89.255
06:05:34 l2tp,ppp,info : authenticated
06:05:39 l2tp,ppp,info : connected
06:05:48 l2tp,ppp,info : terminating…
06:05:48 l2tp,ppp,info,account vpn logged out, 14 17601 4294 235 67
06:05:48 l2tp,ppp,info : disconnected

This is the corresponding pppd log from my Mac, successfully connecting to the VPN from the LAN side (times are local):
default 22:05:30.417969 -0800 pppd L2TP connecting to server ‘xxxxxxxxxxxx.sn.mynetname.net’ (xx.xxx.xx.x)…
default 22:05:30.420605 -0800 pppd IPSec connection started
default 22:05:31.460573 -0800 pppd IPSec connection established
default 22:05:31.464274 -0800 pppd L2TP connection established.

When I try to connect from the WAN the only thing logged is:
06:11:06 l2tp,info first L2TP UDP packet received from xx.xxx.xxx.xx

where xx.xxx.xxx.xx is the address of the router I’m behind.

This is what is logged on my Mac when it fails to connect to the VPN from the WAN side:
default 22:10:54.233175 -0800 pppd L2TP connecting to server ‘xxxxxxxxxxxx.sn.mynetname.net’ (xx.xxx.xx.x)…
default 22:10:54.234508 -0800 pppd IPSec connection started
default 22:11:05.291679 -0800 pppd IPSec connection established
default 22:11:25.294615 -0800 pppd L2TP cannot connect to the server
These are the applicable firewall filters (for rule 3 I added ports 500 and 4500 to 1701 as configured by Quick Set):
3 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no

4 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723

5 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443

I notice my failed attempts leave behind dynamically created ipsec policies like this:
1 D src-address=xx.xxx.xx.x/32 src-port=1701 dst-address=yy.yyy.yyy.yy/32 dst-port=48702 protocol=udp
action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=xx.xxx.xx.x
sa-dst-address=yy.yyy.yyy.yy priority=2

I would be very thankful for thoughts on how to fix my problem, or further troubleshoot to isolate the problem.

Allow the public IP you are connecting from in your MikroTik firewall, on top of all the rules:

/ip firewall filter add chain=forward dst-address=X.X.X.X

This can help you see whether your firewall is blocking the connection or not.

Thank you for the suggestion. Adding the forwarding rule at the top doesn’t change the behavior.

In Quick Set, if you check the VPN Access checkbox, fill in the information, and then click the “Apply” button, should the VPN Access checkbox stay checked? It does not stay checked for me.

How do I find the script run by Quick Set to set up the VPN? Is there a way to trace the script execution to see everything is getting done?

Also, the “VPN Address” shown in Quick Set is different than the “DNS Address Name” in /ip cloud. If the DNS Address Name is 123456789abc.sn.mynetname.net then the “VPN Address” is bc9a785634120000.sn.mynetname.net (i.e. the hex digits are reversed and then 4 zeros added in the VPN area of Quick Set). Nslookup of the “VPN Address” fails, while the “DNS Address Name” is resolved. Does this indicate a problem?

The VPN works when I’m behind the MikroTik, but does not work when I’m on a different network.