Community discussions

DarkNate
Member Candidate
Topic Author
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 6:32 pm

So I have two ISPs, both are a member of "WAN" interface lists in Interface>List.

I have ExpressVPN configured with L2TP+IPsec with NAT/policy routing for LAN and it works as expected.

But by default RouterOS picks the shortest route to establish the tunnel and that's WAN1. I've tried with mangle to force the L2TP tunnel over WAN2 but it simply does nothing and keeps using the shortest route, aka WAN1. Any ideas on how to work around this?

Also, the freshly created L2TP client is now added to the "WAN" interface list, as I think it makes more sense than putting it on "LAN": it is a VPN over WAN where LAN traffic goes through the VPN, hence acting as WAN itself. Maybe this is wrong though?
 
xvo
Forum Guru
Posts: 1140
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over specific WAN interface  [SOLVED]

Wed Dec 23, 2020 6:51 pm

1) Fill the src-address field in l2tp-client.
2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.
 
DarkNate
Member Candidate
Topic Author
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 7:21 pm

> 1) Fill the src-address field in l2tp-client.
> 2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.
ExpressVPN does not support static server IPs. They use DDNS based hostnames and the IPs change in every session. It is a commercial VPN after all.

Any workaround?
 
xvo
Forum Guru
Posts: 1140
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 8:24 pm

src-address :)
 
DarkNate
Member Candidate
Topic Author
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 8:33 pm

> src-address :)
Just what exactly do I use for the src-address in the L2TP client? Both my WANs are dynamic IPs over PPPoE.

I tried using something random/unused like "192.168.3.1" but that resulted in errors:
phase1 negotiation failed due to send error. 192.168.3.1[500]<=>45.56.157.40[500] 2bf06a1def2a7095:0000000000000000
 
xvo
Forum Guru
Posts: 1140
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 8:41 pm

Two possibilities:
1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes.

Anyway, try to make it work with your current dynamic WAN address first.
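xvo's second option, written out as an added example that is neither the thread's nor MikroTik's own code: a script, triggered from the PPP profile's on-up hook, that re-reads the dynamic WAN2 address and pushes it into the L2TP client and the route rule each time the PPPoE session comes up. It assumes RouterOS v6 (route rules under /ip route rule; in v7 they live under /routing rule), that the WAN2 PPPoE client is named pppoe-wan2 and uses a PPP profile called wan2-profile, that the L2TP client is named l2tp-expressvpn, that a routing table via-wan2 already holds a default route through pppoe-wan2, and that the route rule to update carries the comment l2tp-src. All of those names are assumptions for the example.

```routeros
# Added example, not the thread's own config. RouterOS v6 assumed.
# Assumed names: pppoe-wan2 (WAN2 PPPoE client), wan2-profile (its PPP profile),
# l2tp-expressvpn (the L2TP client), routing table via-wan2, route rule comment "l2tp-src".
# The script body is one quoted string: \$ and \" are escaped so they survive the
# first parse (when the script is added) and are evaluated only when the script runs.
#
# What the script does, statement by statement:
#   1. read the dynamic address the ISP assigned to pppoe-wan2 (form "a.b.c.d/32")
#   2. cut off the "/32" so the bare address remains
#   3. rebind the L2TP client to that address
#   4. repoint the route rule that forces traffic from that address into WAN2's table
#   5. leave a log line so the change can be audited later
/system script add name=l2tp-src-update policy=read,write source=":local addr [/ip address get [find interface=pppoe-wan2 dynamic=yes] address]; :set addr [:pick \$addr 0 [:find \$addr \"/\"]]; /interface l2tp-client set [find name=l2tp-expressvpn] src-address=\$addr; /ip route rule set [find comment=\"l2tp-src\"] src-address=(\$addr . \"/32\"); :log info (\"l2tp-src-update: src-address now \" . \$addr)"

# Run it every time the WAN2 PPPoE session comes up (the address may have changed).
/ppp profile set wan2-profile on-up="/system script run l2tp-src-update"

# The rule the script updates. The initial src-address is a placeholder from the
# TEST-NET-1 documentation range that matches nothing; the first on-up overwrites it.
# A rule with NO src-address would force every packet into via-wan2, so never leave it empty.
/ip route rule add src-address=192.0.2.1/32 action=lookup-only-in-table table=via-wan2 comment="l2tp-src"

# Manual check after a re-dial: both should show the current WAN2 address.
/interface l2tp-client print where name=l2tp-expressvpn
/ip route rule print where comment="l2tp-src"
```

Changing src-address on a running l2tp-client restarts the tunnel, but that costs nothing here: when PPPoE re-dials with a new address the old IPsec SA is already dead. The practical caveat is the one xvo's first option avoids: the tunnel's source is tied to one ISP session, so there is nothing for the tunnel to fall back to while WAN2 is down.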
 
DarkNate
Member Candidate
Topic Author
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 8:51 pm

> Two possibilities:
> 1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
> 2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes.
>
> Anyway, try to make it work with your current dynamic WAN address first.
I already have load balancing in place. Any way to intercept the L2TP initial connection/handshake using mangle/mark-connection rules instead? That would simplify this issue greatly.
 
xvo
Forum Guru
Posts: 1140
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Wed Dec 23, 2020 10:17 pm

You can try, if it's the only l2tp connection originated by the router.
Mangle output and srcnat chains are at your service.
But I don't see in what way it is simpler.
 
DarkNate
Member Candidate
Topic Author
Posts: 273
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Thu Dec 24, 2020 9:16 am

> You can try, if it's the only l2tp connection originated by the router.
> Mangle output and srcnat chains are at your service.
> But I don't see in what way it is simpler.
Yeah, so I went with the null-bridge method, it works!

Basically, I created a null-bridge, then in IP>Address List I added a non-existent network IP and a single static IP, and used said IP for the L2TP client.

1. I used "lookup" instead of "lookup only" in IP>Routes to give it redundancy/failover which works relatively well but not that "fast" in switching between the available tables, it takes some time, any workarounds?
2. But how does this null-bridge/non-existent network/static address work though? I would like to understand it fundamentally.
3. Also, I set the VPN client as "WAN" instead of "LAN" in their interface list to get treated accordingly by the firewall filters, that's logical, right?
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1140
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over specific WAN interface

Thu Dec 24, 2020 11:03 am

1) You can create a second l2tp-tunnel through the second WAN connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSPF + BFD can be used on top of that.
2) You need this address for two things - to choose the right route from the very packet creation and creating a valid ipsec policy.
Some random address works because it will be src-nated anyway, and assigning it any interface makes it valid.
Loopback-bridge is just as good a place for it as any other, with the addition that it won't interfere with the behaviour of other interfaces. And does not depend on them to be working.
3) That is totally up to you and depends on what is located on the other side of the tunnel.
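The whole approach the thread converges on, as an added example that is not DarkNate's or xvo's configuration: the loopback (empty) bridge holding an otherwise-unused address, the L2TP client bound to it with src-address, a routing table that only knows WAN2, a route rule that sends anything sourced from that address into that table, masquerade so the loopback address is rewritten to the WAN2 address on the wire, and, following xvo's last suggestion, a second tunnel over WAN1 with lookup-only-in-table on both so failover is a route change rather than a tunnel rebuild. Every interface name (pppoe-wan1, pppoe-wan2, lo-vpn, l2tp-vpn-a, l2tp-vpn-b), the addresses 192.168.3.1 and 192.168.3.2, the routing-mark names, the LAN prefix 192.168.88.0/24, the server hostname vpn.example.com and the credential placeholders are assumptions chosen for the example; RouterOS v6 syntax is assumed (in v7 the rules move to /routing rule and the tables need /routing table entries).

```routeros
# Added example, not the thread's own config. RouterOS v6 syntax assumed.
# Assumed names: pppoe-wan1 / pppoe-wan2 (both members of interface list WAN),
# lo-vpn (empty bridge), l2tp-vpn-a (via WAN2), l2tp-vpn-b (via WAN1).
# vpn.example.com, VPNUSER, VPNPASS and VPNPSK are placeholders, not real values.

# 1. Loopback: a bridge with no ports. The addresses on it are never seen on the wire;
#    they exist only so the L2TP/IPsec packets have a valid, interface-backed source
#    that does not change when an ISP re-assigns a PPPoE address.
/interface bridge add name=lo-vpn protocol-mode=none
/ip address add address=192.168.3.1/32 interface=lo-vpn comment="src for l2tp-vpn-a (assumed unused)"
/ip address add address=192.168.3.2/32 interface=lo-vpn comment="src for l2tp-vpn-b (assumed unused)"

# 2. One routing table per WAN, each knowing only its own default route.
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=via-wan2 comment="default via WAN2"
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-wan1 routing-mark=via-wan1 comment="default via WAN1"

# 3. Route rules: packets sourced from a loopback address are looked up ONLY in the
#    matching table, so a tunnel can never fall back to the shortest route (WAN1).
/ip route rule add src-address=192.168.3.1/32 action=lookup-only-in-table table=via-wan2 comment="l2tp-vpn-a src"
/ip route rule add src-address=192.168.3.2/32 action=lookup-only-in-table table=via-wan1 comment="l2tp-vpn-b src"

# 4. The tunnels, each bound to its loopback address. connect-to may be a hostname:
#    the binding is on OUR side, so the server address changing per session is irrelevant.
/interface l2tp-client add name=l2tp-vpn-a connect-to=vpn.example.com src-address=192.168.3.1 \
    user=VPNUSER password=VPNPASS use-ipsec=yes ipsec-secret=VPNPSK add-default-route=no disabled=no
/interface l2tp-client add name=l2tp-vpn-b connect-to=vpn.example.com src-address=192.168.3.2 \
    user=VPNUSER password=VPNPASS use-ipsec=yes ipsec-secret=VPNPSK add-default-route=no disabled=no

# 5. Masquerade: the loopback address is rewritten to the egress WAN address, which is
#    why a random private address works at all (the peer then sees a NAT and uses NAT-T).
#    Skip this line if a WAN masquerade rule already exists.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="WAN masquerade"

# 6. Treat the tunnels as WAN for the filter rules (the thread's choice; depends on the far side).
/interface list member add list=WAN interface=l2tp-vpn-a
/interface list member add list=WAN interface=l2tp-vpn-b

# 7. LAN policy routing over the tunnels: same destination, two gateways, different distance.
#    A route via a PPP-type interface disappears when that interface goes down, so
#    failover is a route switch instead of a tunnel rebuild.
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-vpn-a routing-mark=via-vpn distance=1
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-vpn-b routing-mark=via-vpn distance=2
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-vpn passthrough=no comment="LAN via VPN (assumed LAN prefix)"

# 8. Checks: the IKE peer for tunnel A should show local-address 192.168.3.1, and its
#    conntrack entry should show reply-dst-address equal to the current WAN2 address.
/ip ipsec active-peers print
/ip firewall connection print detail where src-address~"^192.168.3.1"
/interface l2tp-client monitor l2tp-vpn-a once
```

Two things worth checking before relying on it. First, a rule with action=lookup-only-in-table and no src-address matches every packet, so a typo that drops the src-address would push all router-originated traffic into one WAN table; keep the rules narrow. Second, since both tunnels terminate at the same provider, step 7 only covers an ISP failure, not a failure on the VPN side; xvo's OSPF + BFD remark is the way to detect the latter faster than the L2TP keepalives do.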
