paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Confused about L2TP and IPSec VPNs

Tue Jun 12, 2018 1:28 am

Hi all,

the more I read about site to site VPN tunnels the more confused I get. It seemed to me when first reading about VPNs that I just wanted to set up L2TP/IPSec but the more I read the less I understand.
Some tutorials say IPSec is all that is needed to create a tunnel, others L2TP only and more still both.

Can anyone clarify for me why one would use L2TP in preference to IPSec, vice versa, or the combination of L2TP over IPSec?
Pages like these:
https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel and this
https://wiki.mikrotik.com/wiki/Manual:I ... -Site_L2TP
have left me more confused than ever.

I could list the multitude of tutorials I have tried to follow but I have been spectacularly unsuccessful at creating a secure connection between two offices. I had very little trouble setting up PPTP connections from Windows 10 clients to connect to an office, Road Warrior style, but for some reason this is eluding me. My setup is very simple, essentially the same as in the Site-to-site IPSec example above:
[image: the poster's setup]

If this example uses an IPSec tunnel why do others use an L2TP tunnel? What is the fundamental difference? Why would one choose one over the other?

It seems every tutorial or how-to does things a little differently and I am unable to get a coherent picture of what I actually need to do. It is rather embarrassing to have to admit this publicly but I need help understanding the fundamentals underpinning these set ups.

Can anyone recommend a guide for connecting 2 offices, each has an rb3011. Each has a fixed public IP on the WAN interface (ether1) and a 192.168.x.0/24 LAN on ether2. I need to be able to access any machine on 192.168.0.0/24 from any machine on 192.168.3.0/24.

I am happy to work through any example if someone wants to help me.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Tue Jun 12, 2018 6:06 am

If everything is fully static, go with simple IPSec tunnel (your first link), there's no need to complicate it with anything else.

What exactly doesn't work as expected?

Some common problems and solutions:

- If you have restrictive firewall in chain=input, make sure you allow udp/500 and ESP packets (protocol=ipsec-esp) from the other router.
- Make sure you exempt outgoing traffic to the other LAN from srcnat (it's in the example).
- Remember that traffic coming from pure-IPSec tunnel looks like if it's coming from internet, so if you block incoming connections (as you should), it will also block tunneled traffic. You can match this traffic using ipsec-policy=in,ipsec and allow it in forward chain.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Confused about L2TP and IPSec VPNs

Tue Jun 12, 2018 6:35 am

If you have public addresses on both sides, then besides site-to-site IPsec you can also set up an IPIP tunnel, GRE tunnel or EoIP tunnel with IPsec and route the local networks through them! The settings for each of them are literally two clicks. See here - http://systemzone.net/mikrotik-site-to- ... ith-ipsec/ - the settings are the same for any tunnel you choose!
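The tunnel-interface variant JohnTRIVOLTA describes, written out as an added example (this is not configuration from the thread or from the linked article). It assumes RouterOS 6.4x of the era, the default-config firewall with the "defconf" comments exactly as they appear in the thread's output, and placeholder values in angle brackets for the WAN addresses and the pre-shared key. The transit addresses 10.255.0.1/30 and 10.255.0.2/30 and the interface name ipip-office2 are also assumptions. With ipsec-secret set on the tunnel interface, RouterOS creates the IPsec peer and a transport-mode policy for the two endpoints itself, so the LAN-to-LAN traffic is reached by a plain route rather than by an IPsec policy.

```routeros
# Office 1 side of an IPIP tunnel protected by IPsec transport mode. Office 2 mirrors it
# with local/remote addresses, the transit address and the subnets swapped.
# <...> placeholders are assumptions, not values from the thread.
# For GRE or EoIP (EoIP rides on GRE) use /interface gre or /interface eoip and protocol=gre
# in the input rule below instead of protocol=ipencap.

/interface ipip
# ipsec-secret makes RouterOS add the peer and a transport-mode policy for the two tunnel
# endpoints automatically; nothing is added under /ip ipsec by hand.
add name=ipip-office2 local-address=<Office 1 WAN IP> remote-address=<Office 2 WAN IP> \
    ipsec-secret="<long random PSK>" comment="to Office 2, ESP-protected"

/ip address
# Point-to-point transit net for the tunnel; Office 2 gets 10.255.0.2/30.
add address=10.255.0.1/30 interface=ipip-office2 comment="transit to Office 2"

/ip route
# Ordinary routing, unlike the pure-IPsec policy approach: next hop is the far end of the tunnel.
# Because the packet leaves via ipip-office2 and not ether1, the defconf masquerade rule
# (out-interface=ether1) never touches it, so no srcnat exemption is needed.
add dst-address=192.168.3.0/24 gateway=10.255.0.2 comment="Office 2 LAN via tunnel"

/ip firewall filter
# Control plane from the peer: IKE (udp, destination port 500) and ESP (IP protocol 50).
# Both must sit above "defconf: drop all from WAN" or they are never reached.
add chain=input action=accept protocol=udp dst-port=500 src-address=<Office 2 WAN IP> \
    place-before=[ find comment="defconf: drop all from WAN" ] comment="IKE from Office 2"
add chain=input action=accept protocol=ipsec-esp src-address=<Office 2 WAN IP> \
    place-before=[ find comment="defconf: drop all from WAN" ] comment="ESP from Office 2"
# The decrypted packet is an IP-in-IP packet (protocol 4, "ipencap") that still arrives on
# ether1, so it too has to be accepted in input. Requiring ipsec-policy=in,ipsec means a
# cleartext IPIP packet spoofed from the Internet with the peer's source address is still dropped.
add chain=input action=accept protocol=ipencap src-address=<Office 2 WAN IP> \
    ipsec-policy=in,ipsec place-before=[ find comment="defconf: drop all from WAN" ] \
    comment="inner IPIP from Office 2, only after decryption"
# LAN-to-LAN traffic now has a real in-interface, so it can be filtered like any other
# interface; the default-config forward chain only drops new traffic from ether1, so this
# explicit accept mainly gives you a place to tighten things later.
add chain=forward action=accept in-interface=ipip-office2 src-address=192.168.3.0/24 \
    dst-address=192.168.0.0/24 comment="Office 2 LAN to Office 1 LAN"
```

The IPsec-related input rules are the same as for a pure IPsec tunnel; what changes is that the decrypted payload is itself an encapsulation protocol the input chain must admit, and that the firewall sees a real tunnel interface in the forward chain instead of having to rely on the ipsec-policy matcher.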
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Tue Jun 12, 2018 11:35 pm

Thanks guys,

I have the IPSec tunnel established using the default proposal (I've made it this far before....) and added what I think are the right firewall rules but still no ping across the WAN.

Office 1 - LAN 192.168.0.0/24
Policy
[...@trk-mtk-04] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1  A  src-address=192.168.0.0/24 src-port=any dst-address=192.168.3.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<Office 1 WAN IP> sa-dst-address=<Office 2 WAN IP> proposal=default ph2-count=2
Peers
[...@trk-mtk-04] /ip ipsec peer> print 
Flags: X - disabled, D - dynamic, R - responder 
 0     address=<Office 2 WAN IP> auth-method=pre-shared-key secret="*************" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Firewall Filter
[...@trk-mtk-04] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 
3    ;;; allow udp/500
      chain=input action=accept protocol=udp src-address=<Office 2 WAN IP> src-port=500 log=no log-prefix="" 
4    ;;; allow ESP packets
      chain=input action=accept src-address=<Office 2 WAN IP> log=no log-prefix="" ipsec-policy=in,ipsec 
5    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 
6    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
7    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 
8    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
9    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
Firewall NAT
[...@trk-mtk-04] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
0    chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 
1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1
Firewall Raw
[RogerPhilAndDave@trk-mtk-04] /ip firewall raw> print 
Flags: X - disabled, I - invalid, D - dynamic 
0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 
1    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=192.168.3.0/24 
2    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.0.0/24

Office 2 - LAN 192.168.3.0/24

Policy
[...@trk-mtk-03] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
1  A  src-address=192.168.3.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<Office 2 WAN IP> sa-dst-address=<Office 1 WAN IP> proposal=default ph2-count=3

Peers
[...@trk-mtk-03] > /ip ipsec peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0     address=<Office 1 WAN IP> auth-method=pre-shared-key secret="************" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Firewall Filter
[...@trk-mtk-03] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 
3    ;;; allow udp/500
      chain=input action=accept protocol=udp src-address=<Office 1 WAN IP> src-port=500 log=no log-prefix="" 
4    ;;; allow ESP packets
      chain=input action=accept src-address=<Office 1 WAN IP> log=no log-prefix="" ipsec-policy=in,ipsec 
5    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 
6    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
7    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 
8    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
9    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
Firewall NAT
[...@trk-mtk-03] > ip firewall nat print    
Flags: X - disabled, I - invalid, D - dynamic 
0    chain=srcnat action=accept src-address=192.168.3.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 
1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1
Firewall Raw
[...@trk-mtk-03] > ip firewall raw print 
Flags: X - disabled, I - invalid, D - dynamic 
0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 
1    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.0.0/24 
2    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=192.168.3.0/24

So I have allowed ICMP on both WAN interfaces - I would expect to be able to ping both 192.168.0.1 and 192.168.3.1 from both routers or hosts in each subnet.

What am I missing?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 12:12 am

I didn't study every detail, but:
3 ;;; allow udp/500
chain=input action=accept protocol=udp src-address=<Office 2 WAN IP> src-port=500 log=no log-prefix=""
You want dst-port=500.
4 ;;; allow ESP packets
chain=input action=accept src-address=<Office 2 WAN IP> log=no log-prefix="" ipsec-policy=in,ipsec
This is wrong, use protocol=ipsec-esp instead of ipsec-policy=in,ipsec here.

The above will make the tunnel connected.

To actually allow traffic between LANs, you have two options. If you don't need any filtering and want to allow everything, then follow what you started in "/ip firewall raw" and also allow "untracked" state in:
7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
If you want some filtering, then remove action=notrack rules from "/ip firewall raw" and do what you need in "/ip firewall filter". Basic rule to allow traffic from tunnel is:
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec action=accept
To allow only some addresses/ports, it's probably best to make a new chain for all traffic from tunnel and do the filtering there:
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec action=jump jump-target=ipsec-in
add chain=ipsec-in dst-address=192.168.0.10 protocol=tcp dst-port=80 action=accept
add chain=ipsec-in dst-address=192.168.0.20 protocol=tcp dst-port=445 action=accept
add chain=ipsec-in action=reject
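Sob's common-problems checklist earlier in the thread and the corrections above, combined into one complete Office 1 configuration as an added example (it is not configuration posted in the thread, nor the MikroTik wiki example). It assumes RouterOS 6.4x of the era, where the secret still lives on the peer object, the default-config firewall with the "defconf" comments exactly as printed in the thread (the place-before lookups depend on them, including the double space in "defconf:  drop all from WAN not DSTNATed"), and placeholder values in angle brackets for the WAN addresses and the pre-shared key. It deliberately drops the 3des, sha1 and modp1024 options that the thread's peer and default proposal still offer. Office 2 is the mirror image with addresses and subnets swapped.

```routeros
# Office 1 side (LAN 192.168.0.0/24, WAN on ether1). Office 2 mirrors it.
# <...> placeholders are assumptions: fill in the real addresses and a long random PSK.

/ip ipsec proposal
# Phase 2: AES-256-CBC with SHA-256 and PFS; no 3DES/SHA1 fallback.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/ip ipsec peer
# Phase 1 (6.42-style peer: the secret is on the peer object). modp1024 and 3des are left out.
add address=<Office 2 WAN IP> auth-method=pre-shared-key secret="<long random PSK>" \
    exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    dpd-interval=30s dpd-maximum-failures=4 comment="Office 2"

/ip ipsec policy
# Pure-IPsec tunnel: this policy, not a route, is what diverts LAN-to-LAN traffic to Office 2.
add src-address=192.168.0.0/24 dst-address=192.168.3.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=<Office 1 WAN IP> sa-dst-address=<Office 2 WAN IP> proposal=default

/ip firewall nat
# Exempt inter-LAN traffic from masquerade; it must sit above the defconf masquerade rule.
add chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 \
    place-before=[ find comment="defconf: masquerade" ] comment="no NAT towards Office 2"

/ip firewall filter
# Control plane: IKE is udp with *destination* port 500 (src-port=500 was the bug in the
# thread); ESP is IP protocol 50 and is matched with protocol=ipsec-esp, not with
# ipsec-policy=in,ipsec. udp/4500 (NAT-T) is only needed when a router sits behind NAT,
# which with two public addresses is not the case.
# Both rules go above "defconf: drop all from WAN", otherwise they are never reached.
add chain=input action=accept protocol=udp dst-port=500 src-address=<Office 2 WAN IP> \
    place-before=[ find comment="defconf: drop all from WAN" ] comment="IKE from Office 2"
add chain=input action=accept protocol=ipsec-esp src-address=<Office 2 WAN IP> \
    place-before=[ find comment="defconf: drop all from WAN" ] comment="ESP from Office 2"

# Data plane: after decryption the packet re-enters forward looking like any other packet
# that arrived on ether1, so "defconf:  drop all from WAN not DSTNATed" would drop it.
# ipsec-policy=in,ipsec matches only packets that a policy actually decrypted, so a cleartext
# packet from the Internet carrying a 192.168.3.x source address does not match this rule.
add chain=forward action=accept ipsec-policy=in,ipsec \
    place-before=[ find comment="defconf:  drop all from WAN not DSTNATed" ] \
    comment="decrypted traffic from Office 2"
```

The forward rule is the filtering variant; to restrict it, replace action=accept with the jump into a dedicated chain as shown above. If you prefer the notrack approach the thread ends up with, the two raw rules plus "untracked" in the established,related accept rule take the place of the forward rule, at the price of not being able to filter the tunnel traffic at all. Whether fasttracked packets bypass IPsec policy matching depends on the RouterOS version; if you keep the defconf fasttrack rule and see asymmetric behaviour, add ipsec-policy=out,none to it so tunnel-bound connections are never fasttracked.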
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 12:58 am

Thanks Sob,

for now I want to allow all traffic between these networks. Once I have it working I may look into some filtering.

So now I have

Office 1 - LAN 192.168.0.0/24

Filter
[...@trk-mtk-04] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 3    ;;; allow udp/500
      chain=input action=accept protocol=udp src-address=<Office 2 WAN IP> dst-port=500 log=no log-prefix="" 
 4    ;;; allow ESP packets
      chain=input action=accept protocol=ipsec-esp src-address=<Office 2 WAN IP> log=no log-prefix="" 
 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 
 8    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
 9    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1

Office 2 - LAN 192.168.3.0/24

Filter
[...@trk-mtk-03] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 3    ;;; allow udp/500
      chain=input action=accept protocol=udp src-address=<Office 1 WAN IP> dst-port=500 log=no log-prefix="" 
 4    ;;; allow ESP packets
      chain=input action=accept protocol=ipsec-esp src-address=<Office 1 WAN IP> log=no log-prefix="" 
 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 
 9    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1

Still no traffic between LANs but I feel like I am making progress at least...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 1:23 am

If you look around "/ip ipsec", does it look like it's working? Is there anything in "/ip ipsec remote-peers"? Any SAs in "/ip ipsec installed-sa"? If so, what about byte counters, do they increase?

And when testing directly from each router (e.g. with ping), remember that you have to set source address (router's address from local LAN range), otherwise the WAN address will be used instead as source, and it won't match the policy.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 6:26 am

Encrypted traffic between routers goes through a udp 4500 connection, and I do not see it allowed on either router in the filter rules!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 6:35 am

Only if there's NAT in the way. In this case there are public addresses on both sides, so it should be just regular ESP packets (protocol 50).
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 10:12 am


Firewall NAT
[...@trk-mtk-04] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
0    chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 
1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1
Is this not a NAT? Aren't the local network connections always encrypted over UDP 4500 between the public addresses when the LANs have access to the Internet with src-nat!? Is the first rule NAT-T, or a bypass of src-nat for communication between LANs?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 8:24 pm

Yes, this is NAT, but it has nothing to do with encrypted IPSec packets, those travel between public addresses of both routers and don't need any UDP encapsulation. It happens only when the whole router (or better, the device creating IPSec tunnel) is behind NAT.
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 8:46 pm

Thanks again both of you, this has been a source of frustration for me for too long and I can't over state how pleased I am to be getting your help.
If you look around "/ip ipsec", does it look like it's working? Is there anything in "/ip ipsec remote-peers"? Any SAs in "/ip ipsec installed-sa"? If so, what about byte counters, do they increase?

I can see the SAs but the counters do not increase.

[...@trk-mtk-03] > /ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP 
0  E spi=0xE9112E0 src-address=<Office 1 WAN IP> dst-address=<Office 2 WAN IP> state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
     auth-key="234fd...41443b" enc-key="5594...8cab9" add-lifetime=24m/30m replay=128 
1  E spi=0x1C79300 src-address=<Office 2 WAN IP> dst-address=<Office 1 WAN IP> state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="dd2d0...8e4f2e" enc-key="84e85...e5aef7" add-lifetime=24m/30m replay=128

I get essentially the same thing on the other side.

When testing directly from each router (e.g. with ping), remember that you have to set source address (router's address from local LAN range), otherwise the WAN address will be used instead as source, and it won't match the policy.

So I should be fine testing from a workstation on each LAN. That is what I will do so as to keep the routing simple and represents my desired outcome.


Speaking of which I do not have a route defined in /ip route. I was going to post it but it has all my live IPs in there and I don't know that it is secure to post that. I have multiple IPs (aliased) on ether1 - would the routing here be a possible issue? I had thought that the rules in ip firewall raw would deal with that but perhaps we don't know where to send the packets? I don't understand how, in this set up the routers know where to send packets destined for the other LAN.

Oh - and I did add port 4500 to the filter rule:

3    ;;; allow udp/500, 4500
      chain=input action=accept protocol=udp src-address=<Office 2 WAN IP> dst-port=500,4500 log=no log-prefix=""

Should it be here or in NAT? Also - I thought that adding the source IP would make it more secure - is that overkill?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 9:48 pm

Just some quick notes for now:

You don't need to add route to another subnet (*). In fact, you can't directly do that. It's the confusing thing about pure IPSec tunnels. What's where is controlled by policies. If there's packet going from 192.168.0.x to 192.168.3.x, it will come through firewall as such and everything will apply as usual (raw, prerouting, dstnat, filtering, srcnat, postrouting). So you need to make sure that your regular rules will let it pass. Finally, when the router is about to send it, IPSec kicks in, finds out that packet matches defined policy, snatches it away, encrypts it and then sends it to remote peer. The encrypted packet is then regular output from router, so it goes through output chain, srcnat and mangle postrouting.

The reverse happens on the other side. First the encrypted packet arrives, and the router must be able to receive it (so accept it in the input chain, either as an ESP packet or encapsulated in udp/4500). After it's decrypted, it appears as a regular incoming packet, same as if it came from the internet. So again, your firewall must allow it. Which in your case should be done by making it untracked.

(*) There is one exception. I sometimes add unreachable routes for private networks (whole 192.168.0.0/16 and others), to prevent unused ones from leaking out to internet. This can break IPSec tunnels, because router won't have route to remote 192.168.x.0/24, so packet won't pass through router and IPSec won't have any chance to take it. The solution, which I don't like too much, but I didn't find any better, is to add fake route to remote subnet. It doesn't really matter where it points to, no packet will ever go there (because IPSec will take it), it just needs to exist.

Try to experiment a little more. If you don't succeed, I'll take another look at your whole config later. And I don't know what you mean by the last question.
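Sob's diagnostic advice (the remote-peers / installed-sa checks and the source-address caveat from two replies earlier, and the route exception in the post above) as one runnable sequence, added here as an example; it is not from the thread. It assumes Office 1's router holds 192.168.0.1, that Office 2's router holds 192.168.3.1, and RouterOS 6.x command syntax; the route comments and the choice of ether1 as the placeholder gateway are assumptions.

```routeros
# Run on the Office 1 router (LAN address 192.168.0.1). Swap addresses for Office 2.

# 1) A ping from the router itself must carry a LAN source address. Without src-address the
#    router picks the WAN address, the packet matches no IPsec policy, and it simply leaves in
#    the clear via the default route and is lost.
/ping address=192.168.3.1 src-address=192.168.0.1 count=5

# 2) Phase 1 up? Phase 2 SAs installed (one per direction, state=mature)?
/ip ipsec remote-peers print
/ip ipsec installed-sa print

# 3) Repeat the print every second while the ping above runs in another terminal and watch the
#    byte counters. Outbound SA stuck at 0: the packet never reached IPsec, so look at routing
#    and the local firewall. Outbound moving, inbound at 0: the far side is dropping it, so look
#    at its input chain (IKE/ESP) and forward chain (decrypted traffic).
/ip ipsec installed-sa print interval=1

# 4) If private space is deliberately made unreachable to stop leaks, the remote LAN still needs
#    an active route, otherwise the router discards the packet before IPsec can claim it.
#    Where the placeholder points is irrelevant for policy-matched traffic (IPsec takes the
#    packet first); pointing it at the WAN interface means anything *not* matched by the
#    policy, e.g. a WAN-sourced packet, just fails ARP on ether1 instead of reaching the ISP.
/ip route
add dst-address=192.168.0.0/16 type=unreachable comment="never leak private space upstream"
add dst-address=192.168.3.0/24 gateway=ether1 comment="placeholder so IPsec can claim Office 2 traffic"
```

Step 4 is only needed when a blanket unreachable (or blackhole) route for RFC 1918 space exists; with nothing but a default route, the packet already has somewhere to go and the policy intercepts it on the way out.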
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 10:14 pm

I don't see these rules at the top of the filter section on both routers either:
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=192.168.0.0/24 dst-address=192.168.3.0/24 connection-state=established,related,untracked
add chain=forward action=accept place-before=1 src-address=192.168.3.0/24 dst-address=192.168.0.0/24 connection-state=established,related,untracked
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 10:47 pm

There's:
 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
So if the previous rules in "/ip firewall raw" are still in place, it's covered.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 11:26 pm

There's:
 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
So if the previous rules in "/ip firewall raw" are still in place, it's covered.
You are right, the rules already exist in RAW section !

p.s.
I remember that even with my setup of ipsec the routers could not ping each other, but the LANs could communicate with each other ...
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Wed Jun 13, 2018 11:57 pm

Thanks again for all the excellent input - I am learning a lot here...

I still can't get a ping from hosts on each side. Which settings should I post at this point? ie - what do you need to see? /ip firewall raw still has the following entries:

[...@trk-mtk-04] > /ip firewall raw print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 
 1    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=192.168.3.0/24 
 2    ;;; bypass connection tracking
      chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.0.0/24

Regards that other question on the filter - don't worry about that - I didn't think that through completely.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Thu Jun 14, 2018 1:54 am

I remember that even with my setup of ipsec the routers could not ping each other, but the LANs could communicate with each other ...
If you did just:
/ping address=<address in remote LAN>
then it won't work with most common config, because router chooses wrong source address not covered by IPSec policy, and IPSec has nothing to work with. Ping packets will just go via default route to internet, and get lost on the way. You need to do:
/ping address=<address in remote LAN> src-address=<router's LAN address covered by policy>
Back to current problem, something similar is probably happening here. But I went through posted configs and I just don't see it. If all SA counters stay at zero, there are no packets processed by IPSec. Try the ping from Office 1 and same (with swapped addresses) from Office 2:
/ping address=192.168.3.1 src-address=192.168.0.1
And if nothing else, then at least counter for outgoing SA should increase.
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Thu Jun 14, 2018 3:27 am

Sob, this is very exciting for me:

From Router 1:
[...@trk-mtk-04] > ping 192.168.3.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.3.1                                             timeout
    1 192.168.3.1                                             timeout
    2 192.168.3.1                                             timeout
    sent=3 received=0 packet-loss=100%

[...@trk-mtk-04] > ping address=192.168.3.1 src-address=192.168.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.3.1                                             timeout
    1 192.168.3.1                                             timeout
    2 192.168.3.1                                56  64 19ms
    3 192.168.3.1                                56  64 20ms
    4 192.168.3.1                                             timeout
    5 192.168.3.1                                             timeout
    6 192.168.3.1                                56  64 19ms
    sent=7 received=3 packet-loss=57% min-rtt=19ms avg-rtt=19ms max-rtt=20ms
From Router 2:
[...@trk-mtk-03] > ping 192.168.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.0.1                                             timeout
    1 192.168.0.1                                             timeout
    2 192.168.0.1                                             timeout
    3 192.168.0.1                                             timeout
    sent=4 received=0 packet-loss=100%

[...@trk-mtk-03] > ping address=192.168.0.1 src-address=192.168.3.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.0.1                                56  64 22ms
    1 192.168.0.1                                56  64 29ms
    2 192.168.0.1                                56  64 19ms
    3 192.168.0.1                                56  64 19ms
    sent=4 received=4 packet-loss=0% min-rtt=19ms avg-rtt=22ms max-rtt=29ms

From a workstation behind Router 1:
paul@paul-pc:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.213 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.155 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.213 ms
^C
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2034ms
rtt min/avg/max/mdev = 0.155/0.193/0.213/0.031 ms


paul@paul-pc:~$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
^C
--- 192.168.3.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3068ms
From a workstation behind Router 2:
paul@paul-desktop:~$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.163 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.179 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.160 ms
^C
--- 192.168.3.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.160/0.167/0.179/0.013 ms
paul@paul-desktop:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=21.5 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=63 time=23.3 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=63 time=19.6 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=63 time=19.5 ms
^C
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4022ms
rtt min/avg/max/mdev = 19.572/21.001/23.314/1.549 ms

Router 1 is located in Office 1 but is a test box specifically for setting this up. Once I am happy with the config I will repeat this on the production router in that office. Router 2 however is the only one in that (remote) office and interestingly has better performance. Do you think I can connect from Router 2 to 1 because it is the one initiating the tunnel, or should I be able to expect the same thing in both directions?

Paul
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Confused about L2TP and IPSec VPNs

Thu Jun 14, 2018 4:18 am

As I see, it looks like it works. Well, at least partially.

1) Pings from either router, without setting src-address, those were expected to fail.
2) Ping from Router 1 to Router 2 has horrible packet loss, but it's just 7 pings, so it's hard to make any conclusions.
3) Ping from workstation in LAN1 to Router 2 does not work, but it should and I don't see what could be blocking it. If you'd be pinging some PC in LAN2, I'd say it's firewall on that PC, but not here.

If both routers have public addresses, any of them must be able to initiate connection to the other. And once the tunnel is established, it doesn't matter which one was the initiator, traffic must go in both directions. And it does, if you get ping replies.

So for 3), check what exactly happens on Router 2, if ping requests arrive and if replies are sent back. You can use either Tools->Torch, or you can add logging rules at the beginning of respective chains, so prerouting and input for incoming and output and postrouting for outgoing. You have idea what should go through where, so go step by step and you'll find out where it doesn't do what you expect. I actually skipped one step, first you should be sure that packets came through Router 1 and were sent via tunnel to Router 2. I'm sure you'll find it.
 
paulororke
newbie
Topic Author
Posts: 25
Joined: Wed Sep 21, 2016 1:16 am

Re: Confused about L2TP and IPSec VPNs

Fri Jun 15, 2018 10:42 pm

And it works!!!

Thank you both for the hard work you put into helping me nail this.

Sob, you were right, the tunnel was fine, it was a case of PEBKAC. My local set up was a mess, I had made assumptions that were wrong. I cleaned up things locally and now I have a screaming fast permanent tunnel between offices that "just works".

Kudos and much gratitude to both of you.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Confused about L2TP and IPSec VPNs

Sat Jun 23, 2018 7:48 am

What changes between the wiki article and what ended up working did you do?
