I am trying to set up a VPN connection from a hAP lite to my Fritzbox 7430 at home. For your info: the Fritzbox can only use IPsec. This works well for me when using my Windows 7 laptop, my Android phone or an iPad.
I got the VPN connection to work with my Mikrotik: the connection is established, as I can see in my IPsec policies (PH2 state: established) and on my Fritzbox.
But no data goes through the tunnel! I can browse the Internet with the IP I got from the hotspot I use, but I cannot access any device in the home network or even ping them.
The configs of my Mikrotik and my Fritzbox are attached, as well as the setup I use. I already tried to change the NAT rule in the firewall, but there must be an error in my config…
Do you have an idea? My knowledge about RouterOS is very limited…
After I wrote this, I was suddenly able to access devices in my home network (for example the Fritzbox at 192.168.0.1 or a MiLight gateway at 192.168.0.118).
Pings to devices in my home network don’t work (only to 192.168.0.1!).
My main reason for building this VPN connection was to also tunnel the whole internet traffic to get the same internet IP: this doesn’t work at the moment. The computer connected to the hAP lite gets the WAN IP from the hotspot instead of from my home WAN…
How can I tunnel all traffic?
I can’t configure an EoIP on the Fritzbox (server) side… Is it possible to do it only on the client (Mikrotik) side?
When I connect my Android phone or my Windows laptop via VPN, I have the WAN IP from the server side. That is what I need for my device. The Fritzbox seems to have the possibility for that, but I don’t know how to use it with the Mikrotik device.
As it’s also me on the client side, the same subnet and IP range is OK, I think…
Hello!
I cannot establish an L2TP connection; the Fritzbox only supports IPsec…
I tried to follow the further steps (NAT, Mangle, Routes, …), but as I could not choose “PPTP” (or something similar like L2TP) as the outgoing interface, I can’t follow the instructions to the end…
The IPsec connection is still working but is limited to accessing local devices on the server side. When I surf the internet, I get the WAN IP from the local side and not from the server side.
As I said, with my Android phone I can connect to local devices on the server side and surf with the WAN IP from the server side…
I am afraid I am too stupid for this complex device.
All the other-than-Mikrotik IPsec clients you connect to your Fritz are individual devices, right? So they get assigned an IP address from there. The configuration of Fritz assigns 192.168.1.0/24 to the client’s subnet, which means that only packets with source addresses from this network will get to the tunnel. But according to your picture, your Mikrotik’s clients get addresses from 192.168.88.0/24.
So you have several possibilities:
to change Mikrotik’s LAN for clients to 192.168.1.0/24 (the DHCP pool and DHCP network need to be changed accordingly)
to use a NAT rule to change source addresses of packets sent from 192.168.88.0/24 towards 192.168.0.0/24 (the network behind Fritz) to 192.168.1.2
to change the configuration of Fritz and replace 192.168.1.0/24 by 192.168.88.1 there
Also bear in mind that regardless of which of the approaches above you choose, for packets not sent from the Mikrotik itself but from other devices via the Mikrotik, you have to shadow the srcnat rule of the default configuration, which changes the source IP of all packets sent out through the internet uplink. See https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass for explanation and details.
As for the complexity - most of it comes from IPsec itself, not Mikrotik.
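As an added worked example (not part of the answer above, and not the poster's attached config), here is what the second option plus the srcnat "shadowing" from the answer looks like as RouterOS CLI commands. It assumes the addresses named in the thread (Mikrotik LAN 192.168.88.0/24, home network 192.168.0.0/24 behind the Fritzbox, 192.168.1.2 as the address the Fritzbox expects from the client) and the RouterOS 6 default configuration, where the masquerade srcnat rule and the fasttrack forward rule are the ones that have to be shadowed. The IPsec peer, proposal and policy are assumed to already exist and be established, as the poster describes (PH2 state: established); only the LAN-to-home reachability is covered here, not routing all internet traffic through the tunnel.

```routeros
# Added example, not from the thread. Assumes RouterOS 6 default config and the
# addresses used in the thread: LAN 192.168.88.0/24, home net 192.168.0.0/24,
# 192.168.1.2 as the client address the Fritzbox's policy (192.168.1.0/24) accepts.

# 1. Rewrite the source of LAN -> home-network traffic to 192.168.1.2 so it matches
#    the IPsec policy selectors. place-before=0 puts this rule above the default
#    masquerade rule; src-nat is a terminal action, so masquerade is shadowed for
#    this traffic and never rewrites it to the uplink address.
/ip firewall nat add chain=srcnat action=src-nat to-addresses=192.168.1.2 \
    src-address=192.168.88.0/24 dst-address=192.168.0.0/24 place-before=0 \
    comment="srcnat LAN to IPsec client address"

# 2. Fasttracked connections skip the IPsec policy lookup, so accept policy-matched
#    packets in the forward chain before the default fasttrack rule (place-before=0
#    puts them at the top of the filter table).
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    place-before=0 comment="IPsec bypass fasttrack (in)"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    place-before=0 comment="IPsec bypass fasttrack (out)"

# 3. Check that the existing policy has the selectors the srcnat rule produces.
#    Peer, proposal and sa-src/sa-dst addresses are not shown in the thread, so the
#    policy itself is not created here.
/ip ipsec policy print where src-address=192.168.1.0/24 dst-address=192.168.0.0/24

# 4. Verify after generating traffic from a LAN client (e.g. ping 192.168.0.118):
#    the srcnat rule counters and the installed SA byte counters should increase.
/ip firewall nat print stats where comment="srcnat LAN to IPsec client address"
/ip ipsec installed-sa print
```

If the srcnat counters increase but the SA counters do not, the packets are leaving unencrypted through the uplink, which usually means the masquerade rule still sits above the new src-nat rule or the policy selectors do not match 192.168.1.2; `/ip firewall nat print` shows the rule order.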