Two L2TP/IPSEC client connections possible from RB2011?

Have RB2011 with 10 ports. Wanted to do the following:

  1. LAN 1 = VPN 1 = WAN 6
  2. LAN 2 = VPN 2 = WAN 6
  3. LAN 3 = VPN 3 = WAN 6

Mikrotik is connected to the ISP router, which provides the public IP. Also, each endpoint for VPN 1-3 is different and each route is marked with a Mangle rule. The issue I'm experiencing is this… When one tunnel connects, the others are also trying but not transferring, then one will disconnect and the other one will come online and so on. It takes forever for one tunnel to come online. Any idea why that might be happening?

You forgot to include your configuration export!

Figured I would ask if it's possible to begin with. Anyway, here is the configuration. Unfortunately, given the issues, I just limited it to 2 to see if that would work, which it does not:

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=VPN#1 src-address=192.168.24.0/24
add action=masquerade chain=srcnat out-interface=VPN#2 src-address=192.168.48.0/24

/ip firewall mangle
add action=mark-routing chain=prerouting comment=VPN#1 new-routing-mark=vpn1 passthrough=yes \
    src-address=192.168.24.11-192.168.24.11
add action=mark-routing chain=prerouting comment=VPN#2 new-routing-mark=vpn2 passthrough=yes \
    src-address=192.168.48.11-192.168.48.110
    
/ip route export
add distance=1 gateway=VPN#1 routing-mark=vpn1
add distance=1 gateway=VPN#2 routing-mark=vpn1
    
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes comment=VPN_Client#1 connect-to=XXX.XXX.XXX.01 dial-on-demand=yes disabled=no ipsec-secret=****** keepalive-timeout=10 name=VPN#1 password=******* use-ipsec=yes user=*******
add add-default-route=yes allow-fast-path=yes comment=VPN_Client#2 connect-to=XXX.XXX.XXX.02 dial-on-demand=yes disabled=no ipsec-secret=****** keepalive-timeout=10 name=VPN#2 password=******  use-ipsec=yes user=*******

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=0s name=IPSEC-VPN

/ip ipsec peer
add address=10.11.11.2/32 dh-group=modp1024 enc-algorithm=aes-256,3des exchange-mode=main-l2tp generate-policy=\
    port-override local-address=192.168.48.0 passive=yes secret=*****

ip ipsec peer only 1 as the other one is struggling to connect…

UPDATED w/ ROUTES!

You should not have that ip ipsec peer when you are using l2tp/ipsec for your VPN!
However, you do require routes for the remote subnets reachable via the VPN links.
When your remote subnets overlap and you require the 2 local networks to connect to them, you need to have
routes with a route-mark and a way to apply this route-mark to the traffic (either via ip firewall mangle rules or via ip route rules)

The IPSEC peer was automatically created when I set up the L2TP client in 'ppp' and enabled IPSEC. As you see, my routes are marked in MANGLE, and both have different endpoints. Those VPNs are all clients and I don't have control over the server nor its configuration, as they automatically connect to their server's public IP etc. I see I missed the routes export in the previous post, thus just added; these are the marked routes:

/ip route export
add distance=1 gateway=VPN#1 routing-mark=vpn1
add distance=1 gateway=VPN#2 routing-mark=vpn1

The issue still persists..

I hope you see your mistake now that you show it so clearly…
But, you also have to be careful that you do not take away the default route for the outgoing VPN packets from the router.
So, the default route for VPN1 and VPN2 traffic can be those marked routes, but there still has to be an unmarked default
route pointing to your ISP gateway and you have to make sure those VPN packets themselves do not get marked.
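The two routing conditions named in the replies above (every routing mark set in mangle needs its own marked route, and an unmarked default route must remain for the router's own VPN packets) can be checked mechanically against an export. This is an added example, not part of the original thread and not MikroTik tooling; the sample export is constructed from the lines posted above, and the parser assumes simple `key=value` export lines with a default route written without `dst-address`.

```python
import re

# Constructed sample, modelled on the mangle and route lines posted in the thread.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn1 src-address=192.168.24.11
add action=mark-routing chain=prerouting new-routing-mark=vpn2 src-address=192.168.48.11
/ip route
add distance=1 gateway=VPN#1 routing-mark=vpn1
add distance=1 gateway=VPN#2 routing-mark=vpn1
add comment=WAN6 distance=2 gateway=192.168.1.1
"""

def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} from a RouterOS-style export."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join backslash-continued lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def check_policy_routing(text):
    """List mismatches between mangle routing marks and the route table."""
    menus = parse_export(text)
    routes = menus.get("/ip route", [])
    marks = {r["new-routing-mark"] for r in menus.get("/ip firewall mangle", [])
             if r.get("action") == "mark-routing" and "new-routing-mark" in r}
    by_mark = {}
    for r in routes:
        if "routing-mark" in r:
            by_mark.setdefault(r["routing-mark"], []).append(r.get("gateway"))
    problems = [f"mark {m}: no route carries this routing-mark"
                for m in sorted(marks - by_mark.keys())]
    # Heuristic: one mark pointing at several gateways is usually a typo.
    problems += [f"mark {m}: routes via different gateways {gws}"
                 for m, gws in sorted(by_mark.items()) if len(set(gws)) > 1]
    # Assumption: an omitted dst-address means 0.0.0.0/0, as in the posted export.
    if not any(r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
               and "routing-mark" not in r for r in routes):
        problems.append("no unmarked default route for the router's own VPN packets")
    return problems

if __name__ == "__main__":
    for problem in check_policy_routing(SAMPLE_EXPORT):
        print(problem)
```

The check covers the route table only; whether the tunnel packets themselves get marked depends on the mangle rules' matchers and is not evaluated here.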

That would be my mistake for not exporting the full table. However, your suggestion about the ISP gateway and default + marked routes is all there… and so is the connection issue.

/ip route
add distance=1 gateway=VPN#1 routing-mark=vpn1
add distance=1 gateway=VPN#2 routing-mark=vpn2
add comment=WAN6 distance=2 gateway=192.168.1.1
add distance=1 dst-address=10.11.11.0/24 gateway=10.11.11.2 (vpn route created through default)

There is an unmarked default WAN route to ISP1; however, it doesn't change the connection issue…