Site to Site VPN

Evening Everyone,

I'm trying to set up a site-to-site VPN: HO with 4 remote sites and a user connecting with a laptop.
I have used the instructions from https://wiki.mikrotik.com/wiki/PPTP_VPN_-_multiple_ADSL_remote_locations_to_Cental_Office and https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP but with no success. The client side dials out, but the client log states:

19:17:25 l2tp,ppp,info l2tp-out1: initializing…
19:17:25 l2tp,ppp,info l2tp-out1: connecting…
19:17:49 l2tp,ppp,info l2tp-out1: terminating… - session closed
19:17:49 l2tp,ppp,info l2tp-out1: disconnected

At first I thought it was firewall rules on my ISP router, but eliminated that by testing the scenario with 2 Mikrotik routers in a "test" environment.

HO Mikrotik Config:

# jun/24/2019 19:20:39 by RouterOS 6.44.3
# software id = 2IIS-GC0D
# model = 750GL
# serial number = 2E1A01A34BBC

/interface bridge
add admin-mac=00:0C:42:7E:13:0C auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-local-master speed=100Mbps
set [ find default-name=ether3 ] name=ether3-local-slave speed=100Mbps
set [ find default-name=ether4 ] name=ether4-local-slave speed=100Mbps
set [ find default-name=ether5 ] name=ether5-local-slave speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.15.100-192.168.15.150
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=default
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-local-master queue=ethernet-default
set ether3-local-slave queue=ethernet-default
set ether4-local-slave queue=ethernet-default
set ether5-local-slave queue=ethernet-default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether3-local-slave
add bridge=bridge1 interface=ether4-local-slave
add bridge=bridge1 interface=ether5-local-slave
add bridge=bridge1 interface=ether2-local-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes max-mru=1460 max-mtu=1460
/interface list member
add interface=ether1-gateway list=discover
add interface=bridge1 list=discover
add interface=ether3-local-slave list=discover
add interface=ether4-local-slave list=discover
add interface=ether5-local-slave list=discover
add interface=bridge1 list=mactel
add interface=ether3-local-slave list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-local-slave list=mactel
add interface=ether3-local-slave list=mac-winbox
add interface=ether5-local-slave list=mactel
add interface=ether4-local-slave list=mac-winbox
add interface=ether5-local-slave list=mac-winbox
/ip address
add address=192.168.15.1/24 comment="Port 2-5 Bridged" interface=bridge1 network=192.168.15.0
add address=172.16.0.1/24 interface=ether1-gateway network=172.16.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=8.8.8.8 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Synology DiskStation" dst-port=15151 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=15151
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=5000
add action=dst-nat chain=dstnat dst-port=55539 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=55539
add action=dst-nat chain=dstnat dst-port=3690 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=3690
add action=dst-nat chain=dstnat comment=UBNT-Server dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=443
add action=dst-nat chain=dstnat dst-port=9080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9080
add action=dst-nat chain=dstnat dst-port=9443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9443
add action=dst-nat chain=dstnat comment=Rpi-VPN dst-port=15152 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15152
add action=dst-nat chain=dstnat dst-port=15155 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15155
/ip route
add comment="Routing for Internet" distance=1 gateway=172.16.0.254
/ip service
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=172.16.1.1 name=chinacity password=password remote-address=172.16.1.2 routes="10.0.1.0/24 172.16.1.2 1" service=l2tp
add local-address=172.16.1.1 name=karel password=passwprd remote-address=172.16.1.3 routes="10.0.1.0/24 172.16.1.3 1" service=l2tp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=MikroTik-KarelHouse
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool user-manager database
set db-path=user-manager

Remote Office Mikrotik:

# jun/24/2019 19:26:41 by RouterOS 6.42.10
# software id = RTL3-VR03
# model = RB941-2nD
# serial number = 9D740AAE1BBE

/interface bridge
add admin-mac=74:4D:28:31:68:61 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-316865 wireless-protocol=802.11
/interface l2tp-client
add connect-to=172.16.0.1 name=l2tp-out1 password=password user=karel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.16.0.5/24 interface=ether1 network=172.16.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=ether1
/system identity
set name=TestROUTER
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanx in Advance.

Karel

I have tried the steps in the below thread as well... no luck.

Karel

So it seems that my problem was firewall rules on the HO Mikrotik.

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=<your WAN interface> protocol=udp dst-port=500 to-addresses=192.168.88.113 to-ports=500
add chain=dstnat action=dst-nat in-interface=<your WAN interface> protocol=udp dst-port=4500 to-addresses=192.168.88.113 to-ports=4500

Now to test if the routing actually works…

So I finally got it working, now I just need some assistance with the routing.

From a PC on the HO network I can access PCs on the Site A and Site B networks. But from a PC on Site A, I can't access a PC on the Site B network, and vice versa. Keep in mind that Site C, Site D and the mobile laptop still need to be added to the scenario later on. I'm sure my problem is with routes... Anyone have an idea of what I'm missing?

HO Mikrotik Config

# jun/26/2019 13:04:32 by RouterOS 6.42.10
# software id = S8WE-9HT2
# model = RB941-2nD
# serial number = 9D740ABB64DD

/interface bridge
add admin-mac=74:4D:28:33:9F:A1 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="ChinaCity Secure" supplicant-identity="" wpa-pre-shared-key=M3rc3d35E6e wpa2-pre-shared-key=password
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment="ChinaCity Wireless" disabled=no distance=indoors frequency=auto mode=ap-bridge name=Medikist-ChinaCity security-profile="ChinaCity Secure" ssid=Medikist-ChinaCity wireless-protocol=802.11
/interface wireless manual-tx-power-table
set Medikist-ChinaCity comment="ChinaCity Wireless"
/interface wireless nstreme
set Medikist-ChinaCity comment="ChinaCity Wireless"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=Medikist-ChinaCity
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=password keepalive-timeout=60 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=10.0.1.2/24 comment="Bridge Port 2-5 & Wireless" interface=bridge network=10.0.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1-WAN protocol=udp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=CCTV dst-port=37777 in-interface=ether1-WAN protocol=tcp to-addresses=10.0.1.65 to-ports=37777
/ppp secret
add local-address=192.168.10.1 name=karelhouse password=password remote-address=192.168.10.2 routes="192.168.15.0/24 192.168.10.2 1" service=l2tp
add local-address=192.168.10.1 name=chara password=password remote-address=192.168.10.3 routes="10.0.2.0/24 192.168.10.3 1" service=l2tp
add local-address=192.168.10.1 name=stjohns password=password remote-address=192.168.10.4 routes="10.0.9.0/24 192.168.10.4 1" service=l2tp
add local-address=192.168.10.1 name=kevinhouse password=password remote-address=192.168.10.5 routes="10.0.8.0/24 192.168.10.5 1" service=l2tp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=MikroTik-ChinaCity
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site A Mikrotik Config

# jun/26/2019 13:47:57 by RouterOS 6.44.3
# software id = 2IIS-GC0D
# model = 750GL
# serial number = 2E1A01A34BBC

/interface bridge
add admin-mac=00:0C:42:7E:13:0C auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-local-master speed=100Mbps
set [ find default-name=ether3 ] name=ether3-local-slave speed=100Mbps
set [ find default-name=ether4 ] name=ether4-local-slave speed=100Mbps
set [ find default-name=ether5 ] name=ether5-local-slave speed=100Mbps
/interface l2tp-client
add connect-to=(HO WAN IP) disabled=no ipsec-secret=password name=karelvpn password=password use-ipsec=yes user=karelhouse
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.15.100-192.168.15.150
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=default
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-local-master queue=ethernet-default
set ether3-local-slave queue=ethernet-default
set ether4-local-slave queue=ethernet-default
set ether5-local-slave queue=ethernet-default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether3-local-slave
add bridge=bridge1 interface=ether4-local-slave
add bridge=bridge1 interface=ether5-local-slave
add bridge=bridge1 interface=ether2-local-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set ipsec-secret=password max-mru=1460 max-mtu=1460 use-ipsec=yes
/interface list member
add interface=ether1-gateway list=discover
add interface=bridge1 list=discover
add interface=ether3-local-slave list=discover
add interface=ether4-local-slave list=discover
add interface=ether5-local-slave list=discover
add interface=bridge1 list=mactel
add interface=ether3-local-slave list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-local-slave list=mactel
add interface=ether3-local-slave list=mac-winbox
add interface=ether5-local-slave list=mactel
add interface=ether4-local-slave list=mac-winbox
add interface=ether5-local-slave list=mac-winbox
/ip address
add address=192.168.15.1/24 comment="Port 2-5 Bridged" interface=bridge1 network=192.168.15.0
add address=172.16.0.1/24 interface=ether1-gateway network=172.16.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=8.8.8.8 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment=vpn in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Synology DiskStation" dst-port=15151 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=15151
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=5000
add action=dst-nat chain=dstnat dst-port=55539 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=55539
add action=dst-nat chain=dstnat dst-port=3690 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=3690
add action=dst-nat chain=dstnat comment=UBNT-Server dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=443
add action=dst-nat chain=dstnat dst-port=9080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9080
add action=dst-nat chain=dstnat dst-port=9443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9443
add action=dst-nat chain=dstnat comment=Rpi-VPN dst-port=15152 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15152
add action=dst-nat chain=dstnat dst-port=15155 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15155
/ip route
add comment="General Route to Internet" distance=1 gateway=172.16.0.254
add distance=1 dst-address=10.0.1.0/24 gateway=karelvpn
add distance=1 dst-address=10.0.2.0/24 gateway=karelvpn # (Manually added to see if I can access Site B, but didn't work)
/ip service
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="Karel House"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool user-manager database
set db-path=user-manager

Site B Mikrotik Config

# jun/26/2019 14:08:23 by RouterOS 6.44.3
# software id = QHWN-ZZY9
# model = RB941-2nD
# serial number = 9D740A4D7922

/interface bridge
add admin-mac=74:4D:28:34:00:33 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1-WAN
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-LAN
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface l2tp-client
add connect-to=(HO WAN IP) disabled=no ipsec-secret=password name=charaphy password=password use-ipsec=yes user=chara
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-340037 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.2.200-10.0.2.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=10.0.2.2/24 comment=defconf interface=bridge network=10.0.2.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=8.8.8.8 gateway=10.0.2.2
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add chain=input comment=ipsec-ike-natt dst-port=4500 in-interface=ether1-WAN protocol=udp
add chain=forward comment=vpn01 dst-address=10.0.2.0/24 in-interface=ether1-WAN ipsec-policy=in,ipsec src-address=10.0.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1-WAN protocol=tcp to-addresses=10.0.2.10 to-ports=37777
add action=dst-nat chain=dstnat dst-port=23 in-interface=ether1-WAN protocol=tcp to-addresses=10.0.2.1 to-ports=23
/ip route
add distance=1 dst-address=10.0.1.0/24 gateway=charaphy
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanx in advance
Karel

So I finally got VPN working, now I just need some assistance with the routing.

From a PC on the HO network I can access PCs on the Site A and Site B networks. But from a PC on Site A, I can't access a PC on the Site B network, and vice versa. Keep in mind that Site C, Site D and the mobile laptop still need to be added to the scenario later on. I'm sure my problem is with routes... Anyone have an idea of what I'm missing?

Configs of all Routers are in the post above.

Is this possible, or is there a wiki document or manual that can assist me in accomplishing the above?

Thanx Karel

My guess is that site A with routes

/ip route
add distance=1 dst-address=10.0.1.0/24 gateway=karelvpn
add distance=1 dst-address=10.0.2.0/24 gateway=karelvpn # (Manually added to see if I can access Site B, but didn't work)

is fine, however site B needs additional route

/ip route
add distance=1 dst-address=10.0.1.0/24 gateway=charaphy
add distance=1 dst-address=192.168.15.0/24 gateway=charaphy # add route towards site A via HO

There could be some roadblocks also in firewall rules, but I didn’t check those.

Hi,
Sadly that didn't work.

Site A Routing

/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; General Route to Internet
        0.0.0.0/0                          172.16.0.254              1
 1 A S  10.0.1.0/24                        karelvpn                  1
 2 A S  10.0.2.0/24                        karelvpn                  1
 3 ADC  172.16.0.0/24      172.16.0.1      ether1-gateway            0
 4 ADC  192.168.10.1/32    192.168.10.2    karelvpn                  0
 5 ADC  192.168.15.0/24    192.168.15.1    bridge1                   0

Site A Firewall

/ip firewall filter
add action=accept chain=input comment=vpn in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Synology DiskStation" dst-port=15151 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=15151
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=5000
add action=dst-nat chain=dstnat dst-port=55539 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=55539
add action=dst-nat chain=dstnat dst-port=3690 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.5 to-ports=3690
add action=dst-nat chain=dstnat comment=UBNT-Server dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=443
add action=dst-nat chain=dstnat dst-port=9080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9080
add action=dst-nat chain=dstnat dst-port=9443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.8 to-ports=9443
add action=dst-nat chain=dstnat comment=Rpi-VPN dst-port=15152 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15152
add action=dst-nat chain=dstnat dst-port=15155 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.15.6 to-ports=15155

Site B Routing

/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.2.2               1
 1 A S  10.0.1.0/24                        charaphy                  1
 2 ADC  10.0.2.0/24        10.0.2.2        bridge                    0
 3 ADC  192.168.2.0/24     192.168.2.3     ether1-WAN                0
 4 ADC  192.168.10.1/32    192.168.10.3    charaphy                  0
 5 A S  192.168.15.0/24                    charaphy                  1

Site B Firewall

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=ipsec-ike-natt disabled=yes dst-port=4500 in-interface=ether1-WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1-WAN protocol=tcp to-addresses=10.0.2.10 to-ports=37777
add action=dst-nat chain=dstnat dst-port=23 in-interface=ether1-WAN protocol=tcp to-addresses=10.0.2.1 to-ports=23

Thanx for the help thus far
Karel

In these cases /tool sniffer is your best friend. "Access PCx in subnet X from PCy in subnet Y" means that the initial packet has to get from PCx to PCy, PCy has to accept it and respond to it, and the response has to reach PCx.

Also, it is necessary to compare apples to apples - do you use the same client&server app combination to test access from HO to A and to test access from B to A?

Your routes seem fine, your firewalls on Mikrotik seem fine (from the above point of view - on Site A forwarding is fully open which isn’t exactly fine with me but that’s another discussion), so maybe the PCy’s firewall drops the packet, or there is some MTU issue preventing large packets from getting through (is PPPoE used somewhere on the path between the two?) - this last point is only relevant if you use different client&server combination to test the HO-SiteX path than to test the SiteX-SiteY path.

So I’d open a CLI window as wide as your screen allows on each of (A, HO, B) Mikrotiks, run /tool sniffer quick ip-address=ip.of.the.server.at.site.B ip-protocol=icmp on all of them, and try to ping the server at site B from the client at site A, restricting the packet count to 1. You should see how far the icmp echo request gets and, if it reaches the server at B, whether the server responds and how far the response gets.

If ping does get through but TCP connection doesn’t, I’d repeat the exercise with /tool sniffer quick ip-address=ip.of.the.server.at.site.B port=the-tcp-port-where-the-server-listens. You may find out that a large packet is dropped by one of the links, so you can see it multiple times at that link’s end closer to the source and not at all at that link’s end closer to the destination.

Evening Sindy,

Apologies for only replying now.
My actual problem was the routing, but it was corrected by MKX's suggestion. The reason why it didn't work was that the Linux server I was testing from had an OpenVPN connection running, and that routed 192.168.15.0/24 via the OpenVPN connection. My home IP range is 192.168.15.0/24. When I added Site C and did the routing, all of them worked as well.

from the above point of view - on Site A forwarding is fully open which isn’t exactly fine with me but that’s another discussion

Please explain. If I'm doing something wrong, I would prefer to fix it and do it the right way.

@MKX Thanx again for pointing out the routes for me.

What I had in mind is simply the fact that there is no rule at all in chain=forward of /ip firewall filter at Site A, which means that any connection requests coming via WAN towards LAN hosts are let in, while at the same time you took the effort to set up dst-nat rules. Not knowing the overall topology of your network, I am cautious - maybe you have some other firewall between the Mikrotik and the internet, but maybe you just suppose that use of NAT on WAN automatically means that requests to other addresses than the one of the WAN interface are blocked, which is not true.
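What Sindy is describing, written out as an added example (this is not a config from the thread or from MikroTik's defconf, though the forward-chain rules follow the same pattern as the defconf rules Site B already has): a forward chain for Site A that admits only return traffic, connections started from the LAN, traffic arriving through the L2TP tunnel from HO and the other sites, and WAN connections that hit an explicit dst-nat rule. The interface names ether1-gateway, bridge1 and karelvpn are taken from the posted Site A export; the interface lists WAN, LAN and VPN are introduced here and do not exist in that export.

```routeros
# Added example for Site A (750GL, RouterOS 6.44). Assumes the interface names from the
# posted Site A export; the three interface lists below are new and must be created first.
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface list member
add interface=ether1-gateway list=WAN
add interface=bridge1 list=LAN
add interface=karelvpn list=VPN

/ip firewall filter
# --- input chain: what the router itself accepts ---
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 comment="IKE and NAT-T for L2TP/IPsec"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp comment="ESP for L2TP/IPsec"
# L2TP control/data (UDP 1701) only if it arrived inside IPsec; plaintext L2TP from the WAN is dropped below
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only inside IPsec"
add chain=input action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"

# --- forward chain: the part the posted Site A config does not have at all ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN comment="LAN may open connections to internet, HO and other sites"
add chain=forward action=accept in-interface-list=VPN out-interface-list=LAN comment="HO and other sites may reach Site A LAN through the tunnel"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat connection-state=new comment="from WAN only what a dst-nat rule explicitly forwarded"
add chain=forward action=drop comment="drop everything else (new connections from WAN to LAN hosts)"
```

Without the final two forward rules, the existing dst-nat rules on Site A are not a restriction at all: a WAN host that sends a packet to 192.168.15.x directly, or to any port that is not forwarded, is routed into the LAN because RouterOS accepts forwarded traffic by default. The VPN-to-LAN accept rule trusts every subnet that reaches Site A through the tunnel; if only specific site subnets should be allowed, add src-address=10.0.x.0/24 matchers on that rule instead of matching the whole interface list.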

@Sindy

Thanx for that. I missed that rule.

Now hopefully my last question for the VPN... Would I be able to add a laptop to the VPN connections, and have it access all the sites?
It would be a road warrior, as the person is on the road most of the time and needs to be able to connect from anywhere. And he has a MacBook.

Karel

I don’t know how the embedded L2TP/IPsec client of iOS behaves in terms of routing, but otherwise it is yet another L2TP/IPsec client of your server.

So basically he should be able to connect once you enable the encryption and authentication algorithms required by the iOS client in the default peer profile and default proposal on the Mikrotik (the ipsec log on the Mikrotik will help you here, telling you which algorithms the initiator offers), and it depends on the settings available in iOS whether it is only possible to redirect all traffic via the VPN, or whether you can only use one of the private subnets in the old-fashioned classes like on Windows (where a route to 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 is automatically set via the L2TP tunnel depending on which subnet the address assigned to the client fits into), or whether you can configure destination subnets of your choice.

Mikrotik currently prefers IKEv2 (but currently only with machine certificate) to L2TP, and supports both mode-config and DHCPINFORM way of pushing routes to the client on IKEv2, but no support of DHCPINFORM for L2TP has been announced. I have no idea whether iOS could use it, though.

And, not to be forgotten, if using L2TP/IPsec, the iOS user MUST NOT connect from LAN of sites which are the HO’s L2TP/IPsec clients themselves, as it would cause trouble. Detailed explanation and solution available here.