VPN Problem with 2 wan and 1 lan

I have a problem with my VPN server. I have 2 WANs and 1 LAN:

WAN 1 is a dynamic IP (ADSL)
WAN 2 is a fixed IP (corporate internet)
and my LAN

This error happens when trying to connect on WAN 2.

When the client (MikroTik) tries to connect to my MikroTik PPTP server, I get this error.

This is the error in the log:

11:24:35 firewall,info dstnat: in:2-Wan out:(none), src-mac 06:f5:03:xx:xx:xx, proto TCP (SYN), 178.85.159.20:57580->192.168.25.2:1723, len 60


RouterOS 6.39.1

Interface 1-Wan = WAN1
Interface 2-Wan = WAN2
Interface 3-Rede = Lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="Bloqueio Facebook" content=facebook.com disabled=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=1-Wan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=1-Wan
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=2-Wan protocol=tcp
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=2-Wan log=yes protocol=udp
add action=accept chain=input in-interface=2-Wan protocol=gre

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=1-Wan new-connection-mark=WAN1_connection
add action=mark-connection chain=prerouting in-interface=2-Wan new-connection-mark=WAN2_connection
add action=mark-routing chain=prerouting connection-mark=WAN1_connection in-interface=3-Rede new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_connection in-interface=3-Rede new-routing-mark=to_WAN2
add action=mark-routing chain=output new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.100.1
add action=mark-routing chain=output new-routing-mark=to_WAN2 passthrough=yes src-address=192.168.25.1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=1-Wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=0.89.168.192-255.89.168.192
add action=masquerade chain=srcnat out-interface=1-Wan
add action=masquerade chain=srcnat out-interface=2-Wan
add action=dst-nat chain=dstnat dst-port=1723 in-interface=2-Wan log=yes protocol=tcp to-addresses=192.168.10.1 to-ports=1723

/ip firewall service-port
set pptp ports=1723

/ip route
add check-gateway=ping distance=1 gateway=192.168.100.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.25.1 routing-mark=to_WAN2
add comment="1-Copel route" distance=1 gateway=192.168.100.1
add check-gateway=ping distance=1 gateway=192.168.100.1
add check-gateway=ping distance=2 gateway=192.168.25.1

Please help me, I have not found the solution.

Fix your firewall to allow L2TP on both WAN1 and WAN2. Did you use IPsec as well?

Allow IPsec if in use: UDP port 500 and UDP port 4500, and the IP ESP protocol as well.


Where is your VPN server located? Inside the LAN or on the router?

What does this rule do for you?

add action=dst-nat chain=dstnat dst-port=1723 in-interface=2-Wan log=yes protocol=tcp to-addresses=192.168.10.1 to-ports=1723

The VPN is on the router. Sorry about that dst-nat rule, I deleted it.

I tried to configure L2TP with IPsec and without IPsec, but it still does not connect,
and I allowed ports 500/4500 UDP and IP ESP.



I suggest you start without IPsec, and when that works, restart with IPsec enabled.

Please check that your IPsec settings are clean: no records in IPsec policies except the one template rule.

L2TP uses one UDP port, 1701.

Still not connected.

My firewall rules: filter/nat and mangle

/ip firewall filter
add action=passthrough chain=forward
add action=accept chain=input dst-port=1723 in-interface=2-Wan log=yes protocol=tcp
add action=accept chain=input in-interface=2-Wan log=yes protocol=gre
add action=accept chain=input dst-port=500 in-interface=2-Wan protocol=udp
add action=accept chain=input dst-port=4500 in-interface=2-Wan protocol=udp
add action=accept chain=input dst-port=1701 in-interface=2-Wan protocol=udp
add action=accept chain=input in-interface=2-Wan protocol=ipsec-esp
add action=accept chain=input in-interface=1-Wan protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="Bloqueio Facebook" content=facebook.com disabled=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=1-Wan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=1-Wan

/ip firewall nat
add action=masquerade chain=srcnat out-interface=1-Wan
add action=masquerade chain=srcnat out-interface=2-Wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=no src-address=0.89.168.192-255.89.168.192

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=1-Wan new-connection-mark=WAN1_connection
add action=mark-connection chain=prerouting in-interface=2-Wan new-connection-mark=WAN2_connection
add action=mark-routing chain=prerouting connection-mark=WAN1_connection in-interface=3-Rede new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_connection in-interface=3-Rede new-routing-mark=to_WAN2
add action=mark-routing chain=output new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.100.1
add action=mark-routing chain=output new-routing-mark=to_WAN2 passthrough=yes src-address=192.168.25.1

Errors on Server and Client

Server
15:06:20 l2tp,info first L2TP UDP packet received from 200.150.xxx.221

Client
15:06:20 l2tp,ppp,info VPN: initializing... 
15:06:20 l2tp,ppp,info VPN: connecting... 
15:06:44 l2tp,ppp,info VPN: terminating... - session closed
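The reply earlier in the thread lists what an L2TP/IPsec responder has to accept in the input chain (UDP 500, UDP 4500, UDP 1701 and ESP) and says it must be allowed on both WANs. The following script is an added example, not code from the thread or from MikroTik: it parses the `/ip firewall filter` export in the form RouterOS prints it, walks the rules in order as the firewall would for a new inbound packet on a given WAN interface, and reports for each required service whether the first matching rule accepts it, drops it, or whether no explicit rule exists at all. The sample export embedded below is constructed from the filter rules posted just above; interface names `1-Wan` and `2-Wan` are taken from the thread. The check deliberately skips stateful matchers (`connection-state=...`), since they never match the first packet of a new flow, and it does not model RouterOS's implicit accept when no rule matches, because the point of the check is to find the missing explicit rule.

```python
"""Lint a RouterOS '/ip firewall filter' export for the input-chain rules an
L2TP/IPsec server needs on each WAN interface.

Added example, not from the forum thread. The export lines below are a
constructed sample built from the rules posted in the thread."""
import shlex

# Constructed sample: the filter rules posted above, in RouterOS export form.
SAMPLE_EXPORT = """\
add action=passthrough chain=forward
add action=accept chain=input dst-port=1723 in-interface=2-Wan log=yes protocol=tcp
add action=accept chain=input in-interface=2-Wan log=yes protocol=gre
add action=accept chain=input dst-port=500 in-interface=2-Wan protocol=udp
add action=accept chain=input dst-port=4500 in-interface=2-Wan protocol=udp
add action=accept chain=input dst-port=1701 in-interface=2-Wan protocol=udp
add action=accept chain=input in-interface=2-Wan protocol=ipsec-esp
add action=accept chain=input in-interface=1-Wan protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=1-Wan
"""

# Services an L2TP/IPsec responder must accept in chain=input: (protocol, dst-port).
# AH is not part of a plain L2TP/IPsec (ESP) setup, so it is not required here.
REQUIRED = [
    ("udp", "500"),        # IKE
    ("udp", "4500"),       # IKE and ESP with NAT traversal
    ("udp", "1701"),       # L2TP control and data
    ("ipsec-esp", None),   # ESP, protocol 50
]


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts, in the order they appear.

    RouterOS action defaults to accept when it is omitted, as in the thread's
    original 'add chain=input ... dst-port=1723' rule."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def first_match(rules, interface, proto, port):
    """Return the first enabled input rule that would match a new packet of
    this protocol/port arriving on the interface, or None."""
    for r in rules:
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        if "connection-state" in r:   # never matches the first packet of a flow
            continue
        if r.get("in-interface") not in (None, interface):
            continue
        if r.get("protocol") not in (None, proto):
            continue
        if r.get("dst-port") is not None and r.get("dst-port") != port:
            continue
        return r
    return None


def check_interfaces(export_text, interfaces):
    """Map each WAN interface to {(proto, port): 'accept' | 'drop' | 'no rule'}."""
    rules = parse_rules(export_text)
    report = {}
    for iface in interfaces:
        report[iface] = {}
        for proto, port in REQUIRED:
            hit = first_match(rules, iface, proto, port)
            report[iface][(proto, port)] = hit["action"] if hit else "no rule"
    return report


def missing_services(export_text, interfaces):
    """Services on each interface that no enabled rule explicitly accepts."""
    return {
        iface: [svc for svc, status in statuses.items() if status != "accept"]
        for iface, statuses in check_interfaces(export_text, interfaces).items()
    }


if __name__ == "__main__":
    for iface, missing in missing_services(SAMPLE_EXPORT, ["1-Wan", "2-Wan"]).items():
        print(iface, "ok" if not missing else f"not accepted: {missing}")
```

Running it on the sample shows `2-Wan` accepting all four services and `1-Wan` having no explicit rule for any of them (only `ipsec-ah` is accepted there), which is the asymmetry the earlier reply was pointing at. To run it on a live router, paste the output of `/ip firewall filter export` in place of the sample.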



Try to debug L2TP on both client and server.

Maybe this can help you with new ideas.

Try putting an "allow all" rule in input on both client and server (disable the firewall for the test).

Client

17:53:34 l2tp,ppp,info VPN: l2tp-out1: initializing... 
17:53:34 l2tp,ppp,info l2tp-out1: connecting... 
17:53:34 l2tp,ppp,info VPN: l2tp-out1: connecting... 
17:53:34 l2tp,debug VPN: tunnel 7 entering state: wait-ctl-reply 
17:53:34 l2tp,debug,packet VPN: sent control message to 201.22.xx.xx:1701 from 0.0.0.0:1701 
17:53:34 l2tp,debug,packet VPN:     tunnel-id=0, session-id=0, ns=0, nr=0 
17:53:34 l2tp,debug,packet VPN:     (M) Message-Type=SCCRQ 
17:53:34 l2tp,debug,packet VPN:     (M) Protocol-Version=0x01:00 
17:53:34 l2tp,debug,packet VPN:     (M) Framing-Capabilities=0x1 
17:53:34 l2tp,debug,packet VPN:     (M) Bearer-Capabilities=0x0 
17:53:34 l2tp,debug,packet VPN:     Firmware-Revision=0x1 
17:53:34 l2tp,debug,packet VPN:     (M) Host-Name="MKT-Client" 
17:53:34 l2tp,debug,packet VPN:     Vendor-Name="MikroTik" 
17:53:34 l2tp,debug,packet VPN:     (M) Assigned-Tunnel-ID=7 
17:53:34 l2tp,debug,packet VPN:     (M) Receive-Window-Size=4 
17:53:35 l2tp,debug,packet VPN: sent control message to 201.22.xx.xx:1701 from 0.0.0.0:1701 
17:53:35 l2tp,debug,packet VPN:     tunnel-id=0, session-id=0, ns=0, nr=0 
17:53:35 l2tp,debug,packet VPN:     (M) Message-Type=SCCRQ 
17:53:35 l2tp,debug,packet VPN:     (M) Protocol-Version=0x01:00 
17:53:35 l2tp,debug,packet VPN:     (M) Framing-Capabilities=0x1 
17:53:35 l2tp,debug,packet VPN:     (M) Bearer-Capabilities=0x0 
17:53:35 l2tp,debug,packet VPN:     Firmware-Revision=0x1 
17:53:35 l2tp,debug,packet VPN:     (M) Host-Name="MKT-Client" 
17:53:35 l2tp,debug,packet VPN:     Vendor-Name="MikroTik" 
17:53:35 l2tp,debug,packet VPN:     (M) Assigned-Tunnel-ID=7 
17:53:35 l2tp,debug,packet VPN:     (M) Receive-Window-Size=4

Server

17:49:49 l2tp,debug,packet L2TP-VPN: rcvd control message from 189.112.xxx.xxx:1701 to 192.168.25.2:1701 
17:49:49 l2tp,debug,packet L2TP-VPN:     tunnel-id=0, session-id=0, ns=0, nr=0 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRQ 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Protocol-Version=0x01:00 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Framing-Capabilities=0x1 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Bearer-Capabilities=0x0 
17:49:49 l2tp,debug,packet L2TP-VPN:     Firmware-Revision=0x1 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Host-Name="MKT-Client" 
17:49:49 l2tp,debug,packet L2TP-VPN:     Vendor-Name="MikroTik" 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=2 
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Receive-Window-Size=4 
17:49:49 l2tp,debug,packet L2TP-VPN: sent control message (ack) to 189.112.xxx.xxx:1701 from 192.168.25.2:1701 
17:49:49 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=1, nr=1 
17:49:57 l2tp,debug,packet L2TP-VPN: sent control message to 189.112.xxx.xxx:1701 from 192.168.25.2:1701 
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=0, nr=1 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRP 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Protocol-Version=0x01:00 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Framing-Capabilities=0x1 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Bearer-Capabilities=0x0 
17:49:57 l2tp,debug,packet L2TP-VPN:     Firmware-Revision=0x1 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Host-Name="MKT-Server" 
17:49:57 l2tp,debug,packet L2TP-VPN:     Vendor-Name="MikroTik" 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=125 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Receive-Window-Size=4 
17:49:57 l2tp,debug,packet L2TP-VPN: rcvd control message from 189.112.xxx.xxx:1701 to 192.168.25.2:1701 
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=0, session-id=0, ns=0, nr=0 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRQ 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Protocol-Version=0x01:00 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Framing-Capabilities=0x1 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Bearer-Capabilities=0x0 
17:49:57 l2tp,debug,packet L2TP-VPN:     Firmware-Revision=0x1 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Host-Name="MKT-Client" 
17:49:57 l2tp,debug,packet L2TP-VPN:     Vendor-Name="MikroTik" 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=2 
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Receive-Window-Size=4 
17:49:57 l2tp,debug,packet L2TP-VPN: sent control message (ack) to 189.112.xxx.xxx:1701 from 192.168.25.2:1701 
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=1, nr=1 
17:49:57 l2tp,debug L2TP-VPN: tunnel 125 received no replies, disconnecting 
17:49:57 l2tp,debug L2TP-VPN: tunnel 125 entering state: dead



Any solution?
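The server-side debug log above already contains the answer to "did the reply get through?" if one reads the L2TP sequence numbers: per RFC 2661, a peer's `nr` is the `ns` it expects next, so a retransmitted SCCRQ carrying `nr=0` after the server has sent SCCRP with `ns=0` means the client's L2TP stack never processed that SCCRP. The following script is an added example, not code from the thread or from MikroTik; it parses the `l2tp,debug,packet` lines RouterOS prints, reconstructs the control-message sequence, and flags exactly that pattern. The embedded log is a constructed sample trimmed from the server log posted above (timestamps, addresses and sequence numbers unchanged, unrelated AVP lines dropped). The script only reports what the log shows; which hop loses the SCCRP (the WAN it leaves on, its source address, or the client's firewall) has to be checked on the router itself.

```python
"""Reconstruct an L2TP control-connection handshake from RouterOS
'l2tp,debug,packet' log lines and flag an unacknowledged SCCRP.

Added example, not from the forum thread. SERVER_LOG is a constructed sample
trimmed from the server-side log posted in the thread."""
import re

SERVER_LOG = """\
17:49:49 l2tp,debug,packet L2TP-VPN: rcvd control message from 189.112.xxx.xxx:1701 to 192.168.25.2:1701
17:49:49 l2tp,debug,packet L2TP-VPN:     tunnel-id=0, session-id=0, ns=0, nr=0
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRQ
17:49:49 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=2
17:49:49 l2tp,debug,packet L2TP-VPN: sent control message (ack) to 189.112.xxx.xxx:1701 from 192.168.25.2:1701
17:49:49 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=1, nr=1
17:49:57 l2tp,debug,packet L2TP-VPN: sent control message to 189.112.xxx.xxx:1701 from 192.168.25.2:1701
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=0, nr=1
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRP
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=125
17:49:57 l2tp,debug,packet L2TP-VPN: rcvd control message from 189.112.xxx.xxx:1701 to 192.168.25.2:1701
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=0, session-id=0, ns=0, nr=0
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Message-Type=SCCRQ
17:49:57 l2tp,debug,packet L2TP-VPN:     (M) Assigned-Tunnel-ID=2
17:49:57 l2tp,debug,packet L2TP-VPN: sent control message (ack) to 189.112.xxx.xxx:1701 from 192.168.25.2:1701
17:49:57 l2tp,debug,packet L2TP-VPN:     tunnel-id=2, session-id=0, ns=1, nr=1
17:49:57 l2tp,debug L2TP-VPN: tunnel 125 received no replies, disconnecting
17:49:57 l2tp,debug L2TP-VPN: tunnel 125 entering state: dead
"""

# "rcvd ... from PEER to LOCAL" and "sent ... to PEER from LOCAL": group 3 is
# always the peer, group 4 always the local socket. "(ack)" marks a ZLB ack.
HEADER = re.compile(r"(rcvd|sent) control message(?: \((ack)\))? (?:from|to) (\S+) (?:to|from) (\S+)")
SEQ = re.compile(r"tunnel-id=(\d+), session-id=(\d+), ns=(\d+), nr=(\d+)")
MSGTYPE = re.compile(r"Message-Type=(\w+)")
GIVEUP = re.compile(r"tunnel (\d+) received no replies")


def parse_control_messages(log_text):
    """Group header + attribute lines into one dict per control message."""
    messages, current = [], None
    for line in log_text.splitlines():
        h = HEADER.search(line)
        if h:
            current = {"dir": h.group(1), "peer": h.group(3), "local": h.group(4),
                       "type": "ZLB" if h.group(2) else None,
                       "tunnel_id": None, "ns": None, "nr": None}
            messages.append(current)
            continue
        s = SEQ.search(line)
        if s and current is not None:
            tid, _sid, ns, nr = map(int, s.groups())
            current.update(tunnel_id=tid, ns=ns, nr=nr)
            continue
        t = MSGTYPE.search(line)
        if t and current is not None:
            current["type"] = t.group(1)
            continue
        g = GIVEUP.search(line)
        if g:   # server-side timeout event, recorded as a pseudo-message
            messages.append({"dir": "event", "type": "NO_REPLIES",
                             "tunnel_id": int(g.group(1)), "ns": None, "nr": None,
                             "peer": None, "local": None})
            current = None
    return messages


def diagnose(messages):
    """Return human-readable findings about the handshake in order."""
    findings, sccrp_ns = [], None
    for m in messages:
        if m["dir"] == "sent" and m["type"] == "SCCRP":
            sccrp_ns = m["ns"]
        elif m["dir"] == "rcvd" and sccrp_ns is not None:
            # RFC 2661: nr is the next ns the peer expects. A repeated SCCRQ whose nr
            # is not beyond our SCCRP's ns means the peer never processed that SCCRP.
            if m["type"] == "SCCRQ" and m["nr"] <= sccrp_ns:
                findings.append(
                    f"peer {m['peer']} repeated SCCRQ with nr={m['nr']} after SCCRP ns={sccrp_ns} "
                    f"was sent from {m['local']}: the SCCRP never reached the peer's L2TP stack")
            elif m["type"] == "SCCCN":
                findings.append("control connection established")
        elif m["dir"] == "event" and m["type"] == "NO_REPLIES":
            findings.append(f"server gave up on tunnel {m['tunnel_id']}: no reply from peer")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_control_messages(SERVER_LOG)):
        print(finding)
```

On the sample this prints one finding for the repeated SCCRQ and one for the server timing out tunnel 125. The useful next step on the router is to watch where the SCCRP actually goes: a `/tool sniffer` or a logged `chain=output` mangle rule matching `protocol=udp src-port=1701` will show the outgoing interface and source address of the reply, which is what the client has to see for the handshake to continue.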