Followed Greg’s instructions here - http://gregsowell.com/?p=1290 and setup both sides of the VPN but still not having any luck getting them to actually ping through, let alone send any traffic.
Both sites have static IP addresses.
Steps I’ve done to troubleshoot:
1 - Made sure the system clocks on both sides are near exact so that IPSec doesn’t fail (per Mikrotik’s manual)
2 - Setup Mangle rule (you can see in configs below) to shrink packet size so packets are not dropped because they’re too large. Disabled or enabled, seems to have no effect.
3 - Setup the IPSec peers with and without NAT Transversal selected on both sides.
4 - Verified IPSec secret same on both sides.
5 - I’m sure more but it’s been 4 days of fighting, wiping, resetting up, verifying, following each step again and I’m losing it.
It’s probably something stupid I’m overlooking, when isn’t it right - but would love some feedback.
Note - First two octets of static IP addresses have been modified for security. Site 1 was also originally setup to allow VPN clients to connect directly, but we felt that a consistent site to site setup would be more advantageous.
# ROUTER 1 - MAIN SITE
# jul/09/2013 11:42:18 by RouterOS 6.1
#
/interface bridge
add admin-mac=D4:CA:6D:96:F7:B7 arp=proxy-arp auto-mac=no l2mtu=1598 name=\
bridge-local protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 1 arp=proxy-arp
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 name=sfp1-gateway
/interface l2tp-server
add name=l2tp-in1 user=""
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.150
add name=vpn-local ranges=192.168.1.20-192.168.1.40
add name=vpn-remote ranges=192.168.1.41-192.168.1.60
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8,4.2.2.2,192.168.1.2 local-address=vpn-local name=VPN \
remote-address=vpn-remote wins-server=192.168.1.2
add dns-server=8.8.8.8,4.2.2.2,192.168.1.2 local-address=192.168.1.10 name=OPC \
remote-address=192.168.1.11 wins-server=192.168.1.2
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=wlan1 \
network=192.168.1.0
add address=1.1.25.120/24 interface=ether1-gateway network=1.1.25.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.2,8.8.8.8,4.2.2.2 domain=NWLAM gateway=192.168.1.1 netmask=24 \
wins-server=192.168.1.2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip firewall filter
add chain=input comment="Uptime Check" protocol=icmp
add chain=input comment="VPN Rules" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input dst-port=500,1701,4500 protocol=udp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.2.0/24 new-mss=1350 \
protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=873 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.1.2 to-ports=873
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
/ip firewall service-port
set ftp disabled=yes
/ip ipsec peer
add address=2.2.26.25/32 dpd-interval=disable-dpd dpd-maximum-failures=1 \
hash-algorithm=sha1 nat-traversal=yes secret=XXXXXXXX
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=2.2.26.25 sa-src-address=\
1.1.25.120 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=1.1.25.1
/ip service
set api disabled=yes
/ppp secret
add name=XXXXXXXX password=XXXXXXXX profile=OPC service=l2tp
add name=XXXXXXXX password=XXXXXXXX profile=VPN service=l2tp
/system clock
set time-zone-name=America/Los_Angeles
/system logging
add topics=ipsec
# ROUTER 2 - SECONDARY SITE
# jul/09/2013 11:32:28 by RouterOS 6.1
#
/interface bridge
add admin-mac=D4:CA:6D:99:28:68 auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 disabled=yes name=sfp1-gateway speed=100Mbps
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=wlan1 network=192.168.2.0
add address=2.2.26.25/32 interface=ether1-gateway network=2.2.26.26
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=8.8.8.8,4.2.2.2 domain=NWL gateway=192.168.2.1 netmask=24 wins-server=192.168.1.2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.2.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input dst-port=500,1701,4500 protocol=udp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.1.0/24 new-mss=1350 protocol=tcp src-address=192.168.2.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=yes
/ip ipsec peer
add address=1.1.25.120/32 dpd-interval=disable-dpd dpd-maximum-failures=1 hash-algorithm=sha1 nat-traversal=yes secret=XXXXXXXX
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=1.1.25.120 sa-src-address=2.2.26.25 src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=2.2.26.26
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system logging
add topics=ipsec