Vpn Site To Site

Hi, I’m trying to connect two MikroTik RB2011 with a VPN. I’m testing it all in a lab and have removed the default configuration of the routerboards.

The configuration is the following:
Site A (Client)
Wan: 10.10.10.1/24 (eth1)
Lan: 192.168.10.1/24 (eth2)
local-address: 172.16.1.2
remote: 172.16.1.1

Site B (Server)
Wan: 10.10.10.2/24 (eth1)
Lan: 192.168.20.1/24 (eth2)
local-address: 172.16.1.1
remote: 172.16.1.2

I’ve tried with SSTP and now with L2TP, and I can connect the two routerboards, but when I try to ping the internal LAN from one device I receive a timeout error.

[admin@MikroTik - Client] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ether1-wan 1
1 ADC 10.10.10.0/24 10.10.10.1 ether1-wan 0
2 ADC 172.16.1.1/32 172.16.1.2 l2tp-out1 0
3 ADC 192.168.10.0/24 192.168.10.1 ether2 0
4 A S 192.168.20.0/24 172.16.1.1 1

[admin@MikroTik - Client] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=192.168.20.1 out-interface=ether2
log=yes log-prefix=""

1 chain=srcnat action=masquerade src-address=192.168.10.0/24 log=no
log-prefix=""


[admin@MikroTik - Server] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADC 10.10.10.0/24 10.10.10.2 ether1 0
1 ADC 172.16.1.2/32 172.16.1.1 l2tp-in1 0
2 A S 192.168.10.0/24 172.16.1.2 1
3 DC 192.168.20.0/24 192.168.20.1 ether2 255

[admin@MikroTik - Server] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.20.0/24 dst-address=192.168.10.0/24 log=yes
log-prefix=""

1 chain=srcnat action=masquerade src-address=192.168.20.0/24 out-interface=ether1 log=no
log-prefix="Masq"


[admin@MikroTik - Server] > ping 192.168.10.254
SEQ HOST SIZE TTL TIME STATUS
0 192.168.10.254 timeout
1 192.168.10.254 timeout
2 192.168.10.254 timeout
3 192.168.10.254 timeout
4 192.168.10.254 timeout
5 192.168.10.254 timeout
sent=6 received=0 packet-loss=100%

NB: 192.168.10.254 is a notebook connected to eth2 on the client routerboard.
What’s the problem with my config?

Your IPSEC site-to-site peers should be specified by their WAN IP addresses, so I don’t understand what you mean by:
local-address: 172.16.1.2
remote: 172.16.1.1

In any case, the instructions for IPSEC site-to-site are here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

You’ve got a fair bit going on here. Thankfully you posted a lot of information. Using technologies like L2TP you gain the benefit of being able to change a value and get the IPSec portion up and running. Like you said, you’ve removed the default configuration. This can help somewhat. Ideally you’ll want to apply at least the firewall portion back into the configuration, but let’s not get too over-focused.

Goal: Build a tunnel between two routerboards that we can apply security to.

Network 1 Details
WAN1: 10.10.10.1/24
LAN1: 192.168.10.1/24
Tunnel Address: 172.16.1.1

Network 2 Details
WAN1: 10.10.10.2/24
LAN1: 192.168.20.1/24
Tunnel Address: 172.16.1.2

  • Pick a tunneling technology. My default choice is GRE, sadly in MikroTik land this means we need to have public IPs unless we want to do a lot of scripting. If we don’t have a public IP and need NAT traversal capabilities we look to L2TP. Since you’ve already experimented with L2TP and I’m unaware of your NAT traversal or multicast needs we’ll go with that.
  • L2TP selected!

MikroTik 1

We’ll set this one up as the L2TP server. We’ll need a PPP profile, PPP secret and L2TP server configuration. We can use the default PPP profile so we’ll skip that.

/ppp secret add name=user1 password=1234 service=l2tp remote-address=172.16.1.2 local-address=172.16.1.1 routes="192.168.20.0/24 172.16.1.2 1"
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=locked

MikroTik 2

/interface l2tp-client add use-ipsec=yes ipsec-secret=locked user=user1 password=1234 connect-to=10.10.10.1 add-default-route=no
/ip route add dst-address=192.168.10.0/24 gateway=172.16.1.1



  • Fix the NAT rules allowing you to get Internet access to only apply to traffic destined out the interface you are going for the Internet

Run This on Both

/ip firewall nat remove [ find ]
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

^^ This is all that should be needed. If you have any firewall filters configured you will need to allow that through. A simple rule could be an allow anything src’d from one and dst’d to the other just to get it working. From there you can lock it down to the right ports and protocols.
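Putting the steps above together, here is an added example (my own, not from the thread or from MikroTik's documentation) of a complete lab configuration for both routers using the reply's addressing, including the forward-chain filter rules the last paragraph describes. It assumes ether1 is the WAN and ether2 the LAN on both boxes (the original poster's client names its WAN port ether1-wan, so adjust accordingly) and keeps the thread's lab secrets, which should be replaced with strong ones outside a lab.

```routeros
# Constructed example. MikroTik 1: L2TP server, WAN 10.10.10.1, LAN 192.168.10.0/24, tunnel 172.16.1.1
#                      MikroTik 2: L2TP client, WAN 10.10.10.2, LAN 192.168.20.0/24, tunnel 172.16.1.2

# ---- MikroTik 1 (L2TP server) ----
/ppp secret add name=user1 password=1234 service=l2tp \
    local-address=172.16.1.1 remote-address=172.16.1.2 \
    routes="192.168.20.0/24 172.16.1.2 1"
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=locked

# Masquerade only what leaves toward the Internet. Traffic crossing the tunnel
# keeps its real LAN source, so the far side can route the reply back.
/ip firewall nat remove [find]
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# Forward chain: keep replies, drop invalid, allow LAN<->LAN and LAN->Internet, drop the rest.
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 comment="LAN1 -> LAN2"
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="LAN2 -> LAN1"
/ip firewall filter add chain=forward action=accept \
    in-interface=ether2 out-interface=ether1 comment="LAN1 -> Internet"
/ip firewall filter add chain=forward action=drop comment="drop everything else"

# ---- MikroTik 2 (L2TP client) ----
/interface l2tp-client add name=l2tp-out1 connect-to=10.10.10.1 user=user1 password=1234 \
    use-ipsec=yes ipsec-secret=locked add-default-route=no disabled=no
/ip route add dst-address=192.168.10.0/24 gateway=172.16.1.1

/ip firewall nat remove [find]
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="LAN2 -> LAN1"
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 comment="LAN1 -> LAN2"
/ip firewall filter add chain=forward action=accept \
    in-interface=ether2 out-interface=ether1 comment="LAN2 -> Internet"
/ip firewall filter add chain=forward action=drop comment="drop everything else"

# Verify from MikroTik 2, sourcing from its LAN address so the echo and the
# reply both traverse the tunnel (a plain /ping would source from 172.16.1.2).
/ping 192.168.10.254 src-address=192.168.20.1 count=4
```

If the ping from the router succeeds but a host behind it still times out, check the host's own firewall, which commonly drops ICMP from non-local subnets.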