So, I followed this http://forum.mikrotik.com/t/pptp-ios10/101539/1
And my iPad can now connect via IPsec and I can view the router's homepage by accessing 172.25.75.1, yay!
Then I tried a firewall rule to allow forwarded traffic from the l_j2 interface to 172.25.74.20, but I am still unable to access any host behind the router.
I feel I must be missing something frustratingly simple. I have also experimented a bit with proxy ARP after finding some articles.
Below is my current config, without any rules for forwarding…
[admin@MikroTik] > export
jan/31/2017 10:41:53 by RouterOS 6.38.1
software id = H1DZ-V63X
# Static L2TP server interface bound to the PPP user j2. The firewall rules later in
# this export match on the interface name l_j2.
/interface l2tp-server
add user=j2 name=l_j2
# ether1, ether3 and ether4 are switched together behind ether2-master (master-port);
# ether5-wan stays outside that group and is used as the upstream port elsewhere in
# this config.
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether1 ] name=ether1-arbetsrum master-port=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] name=ether4-tvrum master-port=ether2-master
set [ find default-name=ether5 ] name=ether5-wan
# Neighbor discovery (MNDP/CDP/LLDP) is switched off only on ether1-arbetsrum; every
# other interface, including ether5-wan, keeps whatever the default is.
# NOTE(review): if that default is discover=yes, the router also advertises itself on
# the WAN segment — confirm with "/ip neighbor discovery print".
/ip neighbor discovery
set ether1-arbetsrum discover=no
# Hotspot profile only points at the HTML directory on flash; no hotspot server is
# defined anywhere in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Policy group created for the L2TP/IPsec setup; nothing else in this export refers
# to it by name.
/ip ipsec policy group
add name=ipsec+l2tp
# Phase-2 (ESP) proposal offered to clients, presumably strongest-first in preference
# order. pfs-group=none: no perfect forward secrecy for the ESP SAs.
# NOTE(review): 3des and sha1 are legacy algorithms; before dropping them, check which
# proposal the iPad actually negotiates ("/ip ipsec installed-sa print") so the VPN
# keeps working.
/ip ipsec proposal
set [ find default=yes ] pfs-group=none enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des auth-algorithms=sha512,sha256,sha1
# Address pools: LAN DHCP leases and the addresses handed to L2TP (VPN) clients.
# The VPN pool lives in 172.25.75.x, a different subnet from the LAN (172.25.74.0/24).
/ip pool
add ranges=172.25.74.200-172.25.74.240 name=default-dhcp
add ranges=172.25.75.2-172.25.75.100 name=ipsec-pool
# DHCP server for the switched LAN ports (ether2-master), 12h leases.
/ip dhcp-server
add name=defconf interface=ether2-master address-pool=default-dhcp lease-time=12h disabled=no
# PPP profile for the L2TP user: the router side of the tunnel is 172.25.75.1, the
# client gets an address from ipsec-pool, PPP-layer encryption (MPPE) is required on
# top of IPsec, and TCP MSS is clamped for the tunnel.
/ppp profile
add name=ipsec+L2TP local-address=172.25.75.1 remote-address=ipsec-pool use-encryption=yes change-tcp-mss=yes
# L2TP server enabled with MS-CHAPv2 as the only allowed authentication method.
# NOTE(review): no use-ipsec/ipsec-secret setting appears here, so nothing in this
# block forces L2TP to run inside IPsec; plain UDP/1701 is only as restricted as the
# firewall makes it.
/interface l2tp-server server
set enabled=yes authentication=mschap2
# Router LAN address on the switch group (default-config entry).
/ip address
add interface=ether2-master address=172.25.74.1/24 network=172.25.74.0 comment=defconf
# WAN address is obtained from the upstream via DHCP.
/ip dhcp-client
add interface=ether5-wan dhcp-options=hostname,clientid disabled=no comment=defconf
# Options handed to LAN clients: the router is both default gateway and DNS server.
/ip dhcp-server network
add address=172.25.74.0/24 netmask=24 gateway=172.25.74.1 dns-server=172.25.74.1 domain=penthouse.mupp.net comment=defconf
# The router answers DNS queries from anything that reaches its input chain — LAN and
# VPN clients here; WAN is dropped by the filter rules in this config.
/ip dns
set allow-remote-requests=yes
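/ip firewall filter
# (comment= values below use plain double quotes; the forum rendering had turned them
# into curly quotes, which would not parse if this block were pasted back)
# --- input chain: what may talk to the router itself ---
# IPsec/L2TP from the internet: ESP, IKE (500), NAT-T (4500) and L2TP (1701).
add chain=input action=accept in-interface=ether5-wan protocol=ipsec-esp
add chain=input action=accept in-interface=ether5-wan protocol=udp dst-port=500
add chain=input action=accept in-interface=ether5-wan protocol=udp dst-port=4500
# NOTE(review): this accepts UDP/1701 from the WAN whether or not it arrived inside
# IPsec, so plain L2TP (MS-CHAPv2 only) is reachable from the internet; adding the
# matcher ipsec-policy=in,ipsec to this rule would limit it to decrypted traffic.
add chain=input action=accept in-interface=ether5-wan protocol=udp dst-port=1701
# (the export printed "l_j2 not ready" at this point — console output, not a rule)
# Traffic from the VPN client may be forwarded anywhere: to the LAN and, because of
# the masquerade rule, out to the WAN as well.
# NOTE(review): with this rule the router side permits l_j2 -> LAN; if LAN hosts still
# do not answer, check that the client routes 172.25.74.0/24 into the tunnel and that
# the LAN host replies via 172.25.74.1 — neither can be confirmed from this export.
add chain=forward action=accept in-interface=l_j2
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
add chain=input action=accept src-address=172.25.74.0/24 dst-address=172.25.74.1 comment="Allow all from LAN to Router"
# Everything else from the WAN is dropped. There is no final drop, so input from l_j2
# (VPN clients) falls through to the chain's default accept.
add chain=input action=drop in-interface=ether5-wan comment="defconf: drop all from WAN"
# --- forward chain (default-config rules) ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface=ether5-wan connection-state=new connection-nat-state=!dstnat comment="defconf: drop all from WAN not DSTNATed"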
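/ip firewall nat
# (comment= values use plain double quotes here; the forum had rendered them as curly
# quotes, and the first dst-nat rule had been wrapped across two lines at "to-ports=" —
# both repaired so the block can be pasted back)
# Anything leaving through ether5-wan is masqueraded — LAN hosts and, via the forward
# rule for l_j2, VPN clients too.
add chain=srcnat action=masquerade out-interface=ether5-wan comment="defconf: masquerade"
# Port forwards from the internet to LAN hosts. All three carry the same comment
# "WAN → HAL9001:RDP", but only the first (currently disabled, to 172.25.74.30) is RDP;
# the second forwards SSH and the third TCP/3000, both to 172.25.74.20, and both are live.
# NOTE(review): these are reachable by anyone on the internet (the filter's
# "drop all from WAN not DSTNATed" rule lets dst-natted connections through) — worth
# confirming that is intended for ports 22 and 3000.
add chain=dstnat action=dst-nat in-interface=ether5-wan protocol=tcp dst-port=13389 to-addresses=172.25.74.30 to-ports=3389 disabled=yes comment="WAN → HAL9001:RDP"
add chain=dstnat action=dst-nat in-interface=ether5-wan protocol=tcp dst-port=11122 to-addresses=172.25.74.20 to-ports=22 comment="WAN → HAL9001:RDP"
add chain=dstnat action=dst-nat in-interface=ether5-wan protocol=tcp dst-port=11300 to-addresses=172.25.74.20 to-ports=3000 comment="WAN → HAL9001:RDP"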
# Road-warrior IPsec peer: any source address, one pre-shared key shared by every
# client, AES for IKE; per-client policies are generated from the template below
# (port-strict: ports are taken from the peer's proposal).
/ip ipsec peer
add address=0.0.0.0/0 secret=[removedfromdump] enc-algorithm=aes-256,aes-192,aes-128 generate-policy=port-strict
# Template policy: UDP between any addresses. In practice this is what wraps the L2TP
# channel (UDP/1701) in IPsec; the forwarded traffic itself travels inside L2TP.
/ip ipsec policy
add template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=udp
# L2TP login for the iPad; the password was redacted in the dump.
/ppp secret
add name=j2 service=l2tp profile=ipsec+L2TP password=[removedfromdump]
# SNMP agent enabled; no community is shown in this export, so the default applies.
# NOTE(review): the default community is the well-known "public" unless it was changed —
# confirm with "/snmp community print". WAN input is dropped by the filter, so only LAN
# and VPN clients can query it.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Stockholm
# NTP client against the Swedish pool, resolved by name.
/system ntp client
set server-dns-names=se.pool.ntp.org enabled=yes
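# (the export printed "Warning: memory not running at default frequency" between these
# two lines — console output, not configuration; dropped so the block can be pasted back)
/system routerboard settings
set memory-frequency=1200DDR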
# MAC-telnet and MAC-winbox: the "all interfaces" default entries are disabled and only
# the switched LAN (ether2-master) is listed, so neither is offered on the WAN port or
# on the VPN interface.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
[admin@MikroTik] >