softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

problem with passing l2tp port and protocol from mikrotik

Thu Jan 19, 2017 8:09 am

I have a modem that connects to my MikroTik wireless, and it connects to my firewall.
I have a VPN server in my firewall.
I want to connect to my internal network by VPN from outside.
I bridged my modem to the MikroTik.
But how can I pass my VPN port and protocol through the MikroTik?

In the picture below my VPN connection cannot pass the MikroTik firewall.
mik.jpg
Last edited by softc on Sat Jan 21, 2017 8:00 am, edited 1 time in total.
 
janus20
Member Candidate
Posts: 111
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: problem with pass l2tp port and protocol from mikrotik

Thu Jan 19, 2017 10:09 am

Hi,

Maybe this will help you, presuming your modem is in bridge and your mikrotik will do the rest:
http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP
Adjust firewall settings
Do not forget to allow UDP 500 (Dst.Port), UDP 1701, UDP 4500 (Nat-Traversal) and Protocol 50 (ESP) in the firewall filter settings. (Input chain, accept).
kind regards,
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with pass l2tp port and protocol from mikrotik

Thu Jan 19, 2017 10:44 am

This link is for when my L2TP server is in the MikroTik, but my L2TP server is in my firewall.

This picture shows those rules. Look at the first row: only UDP 500 has connections and the others have nothing.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with pass l2tp port and protocol from mikrotik

Thu Jan 19, 2017 10:58 am

Also I added an IPsec peer and it changed to this:
mik3.jpg
As you can see, row 3, which is 500 nat-traversal, is working.
What can I do so that the 2 other ports/protocols work correctly?
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Sat Jan 21, 2017 8:01 am

Is there no idea for this problem?
How can I pass UDP 1701 and the ESP protocol through the MikroTik?
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Sat Jan 21, 2017 12:37 pm

With port 500 and 4500 it should work. In the case of NAT-T, ESP is not used on the
network but is encapsulated in UDP port 4500. L2TP is again encapsulated inside ESP
so it does not appear on the network either.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Sat Jan 21, 2017 2:41 pm

Now I set a dst-nat in MikroTik:
1    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=500 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=4500 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=1701 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=ipsec-esp 
      log=no log-prefix="" 
192.168.20.10 is my internet interface behind the firewall.
But when I see the log, only port 500 is dst-nat'd and the other ports are not dst-nat'd.
mik4.jpg
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Sat Jan 21, 2017 4:58 pm

That probably means your IPsec router is not correctly configured and never passes Phase1.
And again, there is no port 1701 traffic to match and probably no ESP either, depending on your config.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Sun Jan 22, 2017 7:45 am

This is my config:
Firewall-->Filter Rules :
 0 XI  chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 1 XI  chain=input action=accept protocol=udp dst-port=1701 log=yes log-prefix="" 

 2 XI  chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 3 XI  chain=input action=accept protocol=ipsec-esp log=yes log-prefix="" 
Firewall-->Nat :
1 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=500 log=no log-prefix="" 

 2 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=4500 log=no log-prefix="" 

 3 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
      dst-port=1701 log=no log-prefix="" 

 4 XI  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=ipsec-esp 
      log=no log-prefix="" 

IP-->IP Sec -->Policies :
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
IP-->IP sec-->peers :
   address=0.0.0.0/0 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="*********" generate-policy=port-strict 
      policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd 
      dpd-maximum-failures=5 
IP-->IPsec-->Proposal:
0  * name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024 

 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Sun Jan 22, 2017 2:40 pm

My config is based on the MikroTik docs.
Is there any problem in my config?
What can I do about this problem?
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Sun Jan 22, 2017 3:13 pm

The documentation you used probably was for another scenario.
Also, you probably need to draw a picture that shows what your exact setup is and what you want to connect to what.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Sun Jan 22, 2017 3:25 pm

picture from my scenario or picture from my config?
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Sun Jan 22, 2017 3:34 pm

A picture that shows how the components are interconnected and what communicates with what.
For example, where is your firewall in that picture and which side of the MikroTik is connected to it.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Mon Jan 23, 2017 8:50 am

This is my scenario.
Clients outside, on the internet, want to connect to the server network. The modem is bridged in MikroTik A.
MikroTik A is connected to MikroTik B by wireless antenna.
MikroTik B is behind the firewall server.
There is a VPN server in the firewall server.

I configured IPsec and the firewall in MikroTik A.
Last edited by softc on Mon Jan 23, 2017 12:53 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Mon Jan 23, 2017 10:54 am

Ah ok that is much clearer!
May I ask why you don't operate the two MikroTik AP's in bridge mode?
And when you use routing mode, why do you use NAT?
There should be no reason to use NAT inside your internal network (the two MikroTik routers and the firewall).
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Mon Jan 23, 2017 12:47 pm

Your idea is that I bridge the MikroTiks and make a PPPoE connection in my firewall server (Kerio Control)?
 
pe1chl
Forum Guru
Posts: 6252
Joined: Mon Jun 08, 2015 12:09 pm

Re: problem with passing l2tp port and protocol from mikrotik

Mon Jan 23, 2017 1:16 pm

I give up. You keep coming with new information that is crucial to your network design.
I would have to re-think the entire design every time, I leave that to you.
 
busla
just joined
Posts: 17
Joined: Tue Nov 08, 2016 12:35 pm
Location: Russia, Saint Petersburg

Re: problem with passing l2tp port and protocol from mikrotik

Tue Jan 24, 2017 1:47 pm

but how can i pass through my vpn port and protocol from mikrotik ?
l2tp uses random free UDP port at both sides
see RFC 2662, section 8.1:
L2TP uses the registered UDP port 1701 [RFC1700]. The entire L2TP
packet, including payload and L2TP header, is sent within a UDP
datagram. The initiator of an L2TP tunnel picks an available source
UDP port (which may or may not be 1701), and sends to the desired
destination address at port 1701. The recipient picks a free port on
its own system (which may or may not be 1701), and sends its reply to
the initiator's UDP port and address, setting its own source port to
the free port it found.
So, you must pass through all UDP traffic.
 
softc
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2017 8:01 am

Re: problem with passing l2tp port and protocol from mikrotik

Tue Jan 24, 2017 3:43 pm

It means first I have to add a rule to the traffic rules to accept all UDP traffic and then add a NAT for all UDP traffic?
Is this true:
 chain=input action=accept protocol=udp  log=no log-prefix="" 
 
  chain=dstnat action=dst-nat to-addresses=192.168.20.10 protocol=udp 
       log=no log-prefix="" 
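An added example, not code from the thread, from MikroTik or from any poster: a small Python model of what the outer firewall sees once an L2TP/IPsec client negotiates NAT-T (pe1chl's point that ESP is carried inside UDP 4500 and L2TP inside ESP, so the L2TP port behaviour busla quotes from the RFC only exists inside the tunnel), and of the RouterOS rule order, in which dst-nat runs in prerouting before the routing decision, so a redirected packet is evaluated in the forward chain and never reaches the input-chain accepts quoted earlier. It also shows what the accept-all-UDP / dst-nat-all-UDP pair proposed in the last post would do to unrelated UDP traffic addressed to the router itself. The public address 203.0.113.5, the packet bytes and the packet order are constructed; 192.168.20.10 is the server address from the thread. A check worth making alongside this: the rules quoted on Sun Jan 22 print with the XI flags, which in RouterOS print output mark a rule as disabled (X) and invalid (I), and a disabled rule matches nothing regardless of its content.

```python
# Added example, not code from the thread: models the outer headers a firewall
# sees for an L2TP/IPsec session using NAT-T, and the RouterOS chain a
# dst-nat'd packet traverses. Addresses and packet bytes are constructed,
# except 192.168.20.10, which is the server address from the thread.
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

UDP, ESP = 17, 50                      # IP protocol numbers
IKE, NATT, L2TP = 500, 4500, 1701      # UDP ports
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried on UDP 4500 starts with 4 zero bytes
VPN_SERVER = "192.168.20.10"           # from the thread
ROUTER_WAN = "203.0.113.5"             # constructed public address of MikroTik A


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dst_port: Optional[int] = None     # None for protocols without ports (ESP)
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: int
    dst_port: Optional[int] = None     # None matches any port (or a port-less protocol)
    to_address: Optional[str] = None   # set for dst-nat rules

    def matches(self, p: Packet) -> bool:
        return p.proto == self.proto and (self.dst_port is None or p.dst_port == self.dst_port)


def wire_view(p: Packet) -> str:
    """Name what an inspecting device can tell from the outer headers."""
    if p.proto == ESP:
        return "ESP"
    if p.proto == UDP and p.dst_port == IKE:
        return "IKE"
    if p.proto == UDP and p.dst_port == NATT:
        return "IKE-in-UDP" if p.payload.startswith(NON_ESP_MARKER) else "ESP-in-UDP"
    if p.proto == UDP and p.dst_port == L2TP:
        return "L2TP-plaintext"
    return "other"


def natt_session(dst: str = ROUTER_WAN) -> List[Packet]:
    """Constructed packet sequence once NAT-T is negotiated: IKE moves to 4500,
    ESP is wrapped in UDP 4500 and L2TP rides encrypted inside ESP, so neither
    protocol 50 nor UDP 1701 ever appears on the outside."""
    ike_main = Packet(UDP, dst, IKE, b"\x11" * 28)                       # IKE header, constructed
    ike_natt = Packet(UDP, dst, NATT, NON_ESP_MARKER + b"\x11" * 28)      # IKE after NAT-T switch
    spi = b"\x00\x00\x12\x34"                                             # ESP SPI, non-zero
    esp_l2tp = Packet(UDP, dst, NATT, spi + b"\x00\x00\x00\x01" + b"\xaa" * 40)  # encrypted L2TP
    return [ike_main, ike_natt, esp_l2tp, esp_l2tp]


def rule_hits(rules: List[Rule], packets: List[Packet]) -> Dict[Tuple[int, Optional[int]], int]:
    """Count packets matched per rule (keyed by protocol and dst-port); first match wins."""
    hits = {(r.proto, r.dst_port): 0 for r in rules}
    for p in packets:
        for r in rules:
            if r.matches(p):
                hits[(r.proto, r.dst_port)] += 1
                break
    return hits


def chain_for(p: Packet, dstnat_rules: List[Rule],
              router_addrs: frozenset = frozenset({ROUTER_WAN})) -> Tuple[str, Packet]:
    """RouterOS order: dstnat runs in prerouting, before the routing decision.
    A packet whose destination was rewritten to another host is then checked
    in the forward chain; input only sees traffic addressed to the router itself."""
    for r in dstnat_rules:
        if r.matches(p) and r.to_address:
            p = replace(p, dst=r.to_address)
            break
    return ("input" if p.dst in router_addrs else "forward"), p


# The per-port rules posted in the thread, as data.
DSTNAT = [Rule("dstnat", UDP, IKE, VPN_SERVER), Rule("dstnat", UDP, NATT, VPN_SERVER),
          Rule("dstnat", UDP, L2TP, VPN_SERVER), Rule("dstnat", ESP, None, VPN_SERVER)]
FILTER_INPUT = [Rule("input", UDP, IKE), Rule("input", UDP, L2TP),
                Rule("input", UDP, NATT), Rule("input", ESP)]
# The catch-all dst-nat proposed in the last post.
DSTNAT_ALL_UDP = [Rule("dstnat", UDP, None, VPN_SERVER)]

if __name__ == "__main__":
    pkts = natt_session()
    print([wire_view(p) for p in pkts])              # ['IKE', 'IKE-in-UDP', 'ESP-in-UDP', 'ESP-in-UDP']
    print(rule_hits(DSTNAT, pkts))                   # the 1701 and ESP rules never match
    print({chain_for(p, DSTNAT)[0] for p in pkts})   # {'forward'}: input-chain accepts are not consulted
    dns = Packet(UDP, ROUTER_WAN, 53, b"constructed DNS query")
    print(chain_for(dns, DSTNAT_ALL_UDP))            # catch-all also redirects unrelated UDP meant for the router
```

Running the module prints the four wire views, a hit count in which the UDP 1701 and ESP rules stay at zero, the single chain name "forward" for every redirected packet, and, for the catch-all rule, a DNS query addressed to the router being sent on to 192.168.20.10 instead. Matching only on the destination port, as all the posted rules do, keeps the model independent of the random L2TP source ports busla describes.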
