Hello,
I have the following setup.
I have a Fritzbox for Internet. Behind the Fritzbox I have a Mikrotik router for firewalling etc. The Fritzbox is also responsible for the VPN connection. I have a home automation system with a webserver in a VLAN of the Mikrotik router.
If I am in the WLAN of the Fritzbox and try to open the website of the home automation → it works.
If I try to open the website coming from the VPN, it does not work. Both have the same IP ranges.
The home automation system has the IP 192.168.14.X
The FritzBox WLAN has 192.168.0.x, also coming from the VPN
What configuration could be wrong?
What NAT rule must I add?
If I am coming from the VPN, the log says that the connection is invalid. But if I don't block invalid connections, it also does not work.
Many thanks in advance.
Maybe you just need to add the subnet from the VPN in NAT.
Try this configuration:
Fritzbox configuration:
vpncfg {
        connections {
                enabled = yes;
                editable = yes;
                conn_type = conntype_lan;
                name = "IPSec2Mkt"; // Name of the connection
                boxuser_id = 0;
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = xxx.xxx.xxx.xxx; // Remote IP
                remote_virtualip = 0.0.0.0;
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "$$$$D2GZVKMCVTYZFEPAH1FJ4JGTX6URTE1SVAHTUJ3GBHRJUZ251NFNDE3MCQYZ21RWWNJ1NWPIBYP6G32J";
                }
                remoteid {
                        ipaddr = xxx.xxx.xxx.xxx; // Remote IP
                }
                mode = phase1_mode_idp;
                phase1ss = "alt/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "PRESHAREDKEY"; // Pre-shared key
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0; // Local subnet
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.88.0; // Remote subnet
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                accesslist = "permit ip any 192.168.88.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
Mikrotik configuration:
Phase 1:
- Authentication: SHA1
- Encryption: AES-256
- DH Group 2
- NAT-T: disabled
Phase 2:
- Authentication: SHA1
- Encryption: 3DES
- DH Group 2
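One way to write the NAT rule the reply suggests on the MikroTik side, as an added example that is not from the thread or from either poster, using the subnets from the question. The interface names ether1 (uplink to the Fritzbox) and vlan14 (home-automation VLAN), the web-server ports 80/443, and an otherwise empty forward chain are assumptions.

```routeros
# Added example, not from the thread. Assumptions:
#   ether1 = interface towards the Fritzbox (192.168.0.0/24 side, where VPN clients arrive)
#   vlan14 = VLAN holding the home-automation web server (192.168.14.0/24)
#   the web server listens on TCP 80 and 443
#   the forward chain is otherwise empty (use place-before= to slot into an existing rule set)

# Source NAT only the VPN/WLAN-side subnet towards the home-automation VLAN.
# The web server then sees the router's vlan14 address as the client, so its
# replies always come back through this router. If replies currently bypass
# the router (one typical cause of "invalid" in the log), connection tracking
# now sees both directions of the flow.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.14.0/24 \
    out-interface=vlan14 action=masquerade \
    comment="VPN/WLAN clients -> home-automation VLAN"

# Forward chain: keep dropping invalid packets, but log them with a prefix
# so the symptom from the question is easy to find; allow only the web-server
# ports from the VPN/WLAN subnet instead of opening the whole VLAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies of already allowed flows"
add chain=forward connection-state=invalid action=log log-prefix="fw-invalid: "
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 out-interface=vlan14 \
    src-address=192.168.0.0/24 dst-address=192.168.14.0/24 \
    protocol=tcp dst-port=80,443 action=accept \
    comment="web server only, from the VPN/WLAN subnet only"
add chain=forward action=drop comment="default deny for everything else"

# Checks after applying: the NAT rule counter should increase while a VPN
# client loads the page, the tracked connection should show the translation,
# and the log should stay free of fw-invalid entries.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"^192.168.14"
/log print where message~"fw-invalid"
```

Masquerading towards the VLAN hides the real client address from the web server's own access logs; if per-client auditing on the server matters, fix the return route instead of relying on the NAT rule.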