I am having issues with successfully passing data using IPSec over L2TP. I am using two RouterBoard’s with RouterOS 6.23 installed.
RB1 (L2TP Server):
LAN: 172.30.10.0/24
MacBook: 172.30.10.3/24 (static)
L2TP: 10.10.0.1/32
RB2 (L2TP Client):
LAN: 172.30.11.0/24
AP (Apple Express): 172.30.11.2/24 (static)
L2TP: 10.10.0.2/32
I have followed the guide for creating an L2TP connection as posted here, http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Site-to-Site_L2TP. I am able to pass data using this tunnel. According to what I have read on here, http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel, I should able to create a IPSec tunnel using the L2TP IP’s as the SA Src & Dst Address.
So far, I am able to ping form my MacBook to the remote AP, however, I do not get a reply back. Installed SA’s on RB1 shows two connections. One shows Current Bytes’s count increasing. The other shows no change and remains at 0. On RB2, I see two Installed SA’s but Current Bytes remains at 0, on both. My gut says I have a firewall issue but I am not seeing where.
I have tried to add a NAT bypass filter rule using the LAN IP’s as the Src & Dst Address, L2TP IP’s as the Src & Dst Address, enable NAT-T with NAT bypass, NAT-T with no NAT bypass, and replace IPSec L2TP SA Src & Dst Address with the RB Public IP’s. I am pretty sure there are some other attempts that I have tried but did not list, they all end up being the same. I am able to successfully pass data using straight L2TP. When I add in IPSec, I am not able to pass any data.
I am hoping someone here could point me in the right direction. I have provided below compact exports from both RouterBoards for review.
RB1 /export compact:
/interface bridge
add name=br-LAN
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=secure1 supplicant-identity="" wpa2-pre-shared-key=SECRECT
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2422 l2mtu=1600 mode=ap-bridge security-profile=secure1 ssid=Home
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=pool1 ranges=172.30.10.10-172.30.10.250
/ip dhcp-server
add address-pool=pool1 disabled=no interface=br-LAN lease-time=1d name=server1
/interface bridge port
add bridge=br-LAN interface=wlan1
add bridge=br-LAN interface=ether2
add bridge=br-LAN interface=ether6
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip settings
set tcp-syncookies=yes
/interface l2tp-server server
set enabled=yes ipsec-secret=SUPER-SECRET-PASSWORD keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=1600
/ip address
add address=172.30.10.1/24 interface=br-LAN network=172.30.10.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=172.30.10.3 client-id=1:0:25:4b:8f:ab:59 mac-address=00:25:4B:8F:AB:59 server=server1
/ip dhcp-server network
add address=172.30.10.0/24 dns-server=172.30.10.1 gateway=172.30.10.1 ntp-server=172.30.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=172.30.10.1 name=rb493g
add address=172.30.11.1 name=rb600a
add address=172.30.10.2 name=c2940
add address=172.30.10.4 name=syno
add address=172.30.10.5 name=xserver
/ip firewall address-list
add address=172.30.10.0/24 list=trusted-networks
add address=RB2-PUBLIC-IP list=remote-networks
add address=172.30.11.0/24 list=trusted-networks
add address=10.0.0.0/8 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=192.16.0.0/16 list=rfc-1918
/ip firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow private trusted networks" in-interface=!ether1 src-address-list=trusted-networks
add action=drop chain=input comment="Drop leaked public RFC 1918 traffic" in-interface=ether1 src-address-list=rfc-1918
add action=jump chain=input comment="Jump to Public Services Chain" in-interface=ether1 jump-target=public-services
add action=jump chain=input comment="Jump to ICMP Chain" jump-target=icmp protocol=icmp
add chain=input comment="Allow remote networks" disabled=yes in-interface=ether1 src-address-list=remote-networks
add action=drop chain=input comment="Drop port scan attempts" in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 in-interface=ether1 protocol=tcp src-address-list=dos_blacklist
add action=add-src-to-address-list address-list=dos_blacklist address-list-timeout=1d chain=input comment="Detect DoS attack" connection-limit=10,32 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=input comment="SSH connection attempt 3" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_3
add action=add-src-to-address-list address-list=ssh_attempt_3 address-list-timeout=1m chain=input comment="SSH connection attempt 2" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_2
add action=add-src-to-address-list address-list=ssh_attempt_2 address-list-timeout=1m chain=input comment="SSH connection attempt 1" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_1
add action=add-src-to-address-list address-list=ssh_attempt_1 address-list-timeout=1m chain=input comment="SSH connection attempt made" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop everything else"
add chain=public-services comment="Allow MAC Winbox " disabled=yes dst-port=20561 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow Winbox" dst-port=8291 in-interface=ether1 protocol=tcp
add chain=public-services comment=" MT Discovery Protocol" disabled=yes dst-port=5678 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow SSH" disabled=yes dst-port=22 in-interface=ether1 protocol=tcp
add chain=public-services comment="Bandwidth server" disabled=yes dst-port=2000 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow Web Proxy" disabled=yes dst-port=8080 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow L2TP Connections" dst-port=1701 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow BGP" disabled=yes dst-port=179 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow PPTP and EoIP" disabled=yes in-interface=ether1 protocol=gre
add chain=public-services comment="Allow IPIP" disabled=yes in-interface=ether1 protocol=ipencap
add chain=public-services comment="Allow IPSec connections" disabled=yes dst-port=500 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow IPSec ESP" disabled=yes in-interface=ether1 protocol=ipsec-esp
add chain=public-services comment="Allow IPSec AH" disabled=yes in-interface=ether1 protocol=ipsec-ah
add action=return chain=public-services in-interface=ether1
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Allow outbound LAN traffic" connection-state=new out-interface=ether1
add action=drop chain=forward comment="Drop BOGON" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward comment="Jump chains" jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111,135 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp src-address-list=!trusted-networks
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=111,134 protocol=udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="Deny BackOriffice" dst-port=3133 protocol=udp
add chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="Host source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="Host echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="Host time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="Host parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
/ip firewall nat
add chain=srcnat comment="NAT bypass" disabled=yes dst-address=172.30.11.0/24 src-address=172.30.10.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=ether1 src-address=172.30.10.0/24
/ip ipsec peer
add address=10.10.0.2/32 disabled=yes dpd-interval=5s dpd-maximum-failures=2 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no secret=SUPER-SECRET-PASSWORD
/ip ipsec policy
add disabled=yes dst-address=172.30.11.0/24 sa-dst-address=10.10.0.2 sa-src-address=10.10.0.1 src-address=172.30.10.0/24 tunnel=yes
/ip route
add distance=1 gateway=RB1-PUBLIC-IP-GATEWAY
add distance=1 dst-address=172.30.11.0/24 gateway=10.10.0.2
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=br-LAN type=internal
/ppp secret
add caller-id=RB2-PUBLIC-IP local-address=10.10.0.1 name=exo-remote password=SUPER-SECRET-PASSWORD profile=default-encryption remote-address=10.10.0.2 service=l2tp
RB2 /export compact:
/interface bridge
add name=br-LAN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=pool1 ranges=172.30.11.10-172.30.11.50
/ip dhcp-server
add address-pool=pool1 disabled=no interface=br-LAN lease-time=1d name=dhcp1
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=RB1-PUBLIC-IP dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 name=l2tp-bolo-out password=SUPER-SECRET-PASSWORD profile=default-encryption user=SUPER-SECRET-USERNAME
/interface bridge port
add bridge=br-LAN interface=ether2
add bridge=br-LAN interface=ether3
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip address
add address=172.30.11.1/24 interface=ether2 network=172.30.11.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=172.30.11.3 client-id=1:0:25:4b:8f:ab:59 mac-address=00:25:4B:8F:AB:59 server=dhcp1
/ip dhcp-server network
add address=172.30.11.0/24 dns-server=172.30.11.1 gateway=172.30.11.1 ntp-server=172.30.11.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=172.30.10.1 name=rb493g
add address=172.30.11.1 name=rb600a
add address=172.30.10.4 name=syno
add address=172.30.10.5 name=xserver
/ip firewall address-list
add address=172.30.10.0/24 list=trusted-networks
add address=RB1-PUBLIC-IP list=remote-networks
add address=172.30.11.0/24 list=trusted-networks
add address=10.0.0.0/8 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=192.16.0.0/16 list=rfc-1918
/ip firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow private trusted networks" in-interface=!ether1 src-address-list=trusted-networks
add action=drop chain=input comment="Drop leaked public RFC 1918 traffic" in-interface=ether1 src-address-list=rfc-1918
add action=jump chain=input comment="Jump to Public Services Chain" in-interface=ether1 jump-target=public-services
add action=jump chain=input comment="Jump to ICMP Chain" jump-target=icmp protocol=icmp
add chain=input comment="Allow remote networks" disabled=yes in-interface=ether1 src-address-list=remote-networks
add action=drop chain=input comment="Drop port scan attempts" in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 in-interface=ether1 protocol=tcp src-address-list=dos_blacklist
add action=add-src-to-address-list address-list=dos_blacklist address-list-timeout=1d chain=input comment="Detect DoS attack" connection-limit=10,32 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=input comment="SSH connection attempt 3" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_3
add action=add-src-to-address-list address-list=ssh_attempt_3 address-list-timeout=1m chain=input comment="SSH connection attempt 2" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_2
add action=add-src-to-address-list address-list=ssh_attempt_2 address-list-timeout=1m chain=input comment="SSH connection attempt 1" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_attempt_1
add action=add-src-to-address-list address-list=ssh_attempt_1 address-list-timeout=1m chain=input comment="SSH connection attempt made" connection-state=new disabled=yes dst-port=22 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop everything else"
add chain=public-services comment="Allow MAC Winbox " disabled=yes dst-port=20561 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow Winbox" dst-port=8291 in-interface=ether1 protocol=tcp
add chain=public-services comment=" MT Discovery Protocol" disabled=yes dst-port=5678 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow SSH" disabled=yes dst-port=22 in-interface=ether1 protocol=tcp
add chain=public-services comment="Bandwidth server" disabled=yes dst-port=2000 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow Web Proxy" disabled=yes dst-port=8080 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow L2TP Connections" dst-port=1701 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow BGP" disabled=yes dst-port=179 in-interface=ether1 protocol=tcp
add chain=public-services comment="Allow PPTP and EoIP" disabled=yes in-interface=ether1 protocol=gre
add chain=public-services comment="Allow IPIP" disabled=yes in-interface=ether1 protocol=ipencap
add chain=public-services comment="Allow IPSec connections" disabled=yes dst-port=500 in-interface=ether1 protocol=udp
add chain=public-services comment="Allow IPSec ESP" disabled=yes in-interface=ether1 protocol=ipsec-esp
add chain=public-services comment="Allow IPSec AH" disabled=yes in-interface=ether1 protocol=ipsec-ah
add action=return chain=public-services in-interface=ether1
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Allow outbound LAN traffic" connection-state=new out-interface=ether1
add action=drop chain=forward comment="Drop BOGON" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward comment="Jump chains" jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111,135 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp src-address-list=!trusted-networks
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=111,134 protocol=udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="Deny BackOriffice" dst-port=3133 protocol=udp
add chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="Host source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="Host echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="Host time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="Host parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
/ip firewall nat
add chain=srcnat comment="NAT bypass" disabled=yes dst-address=172.30.10.0/24 src-address=172.30.11.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=ether1 src-address=172.30.11.0/24
/ip ipsec peer
add address=10.10.0.1/32 disabled=yes dpd-interval=5s dpd-maximum-failures=2 enc-algorithm=3des hash-algorithm=md5 secret=SUPER-SECRET-PASSWORD
/ip ipsec policy
add disabled=yes dst-address=172.30.10.0/24 sa-dst-address=10.10.0.1 sa-src-address=10.10.0.2 src-address=172.30.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=RB2-PUBLIC-IP-GATEWAY
add distance=1 dst-address=172.30.10.0/24 gateway=10.10.0.1