acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

L2TP VPN + IPIP Tunnel connectivity

Sat Mar 13, 2021 11:13 am

Hi everyone,

So I'm having a strange issue with L2TP VPN config alongside an IP Tunnel configured to a second site with an identical router.

I'd like to allow VPN users to reach IPs at our second site (10.1.x.x) via the IPIP tunnel.

Right now, based on the posted configs, VPN users can only access IPs located under 10.0.x.x. If they try to reach 10.1.x.x, the connection fails. VPN users are assigned 192.168.10.1 -> 192.168.10.126.

Users on the LAN have no issues reaching IPs at either site.

I was thinking that VPN users being on a separate network (192.168) might explain why they can't connect to the other site, so I modified the IP range given to VPN users, e.g. 10.0.9.2-10.0.9.127. When this happens, VPN users can then only reach (10.1.x.x) at the second site, and can no longer reach IPs at (10.0.x.x).

Thank you so much for your help!

First office config (10.0.x.x)
# mar/13/2021 17:50:21 by RouterOS 6.47.4
# software id = M4JN-1399
#
# model = CCR2004-1G-12S+2XS

/interface bridge
add name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=nuroWAN speed=10Gbps
set [ find default-name=sfp-sfpplus1 ] name=portLAN01
/interface ipip
add allow-fast-path=no local-address=x.x.x.x name=iptunnel-office01 \
    remote-address=x.x.x.x
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.2.100-10.0.2.254
add name=ldapvpn ranges=192.168.10.1-192.168.10.126
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=dhcp1
/ppp profile
add dns-server=10.0.0.1 incoming-filter="" interface-list=LAN local-address=\
    10.0.0.1 name=ldap-vpn outgoing-filter="" remote-address=ldapvpn \
    use-encryption=required
/snmp community
add addresses=::/0 name=Devices
/interface bridge port
add bridge=bridge-LAN interface=portLAN01
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ldap-vpn enabled=yes \
    use-ipsec=required
/interface list member
add interface=nuroWAN list=WAN
add interface=bridge-LAN list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0
add address=172.22.22.1/30 interface=iptunnel-office01 network=172.22.22.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=nuroWAN
/ip dhcp-server network
add address=10.0.0.0/16 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=16 \
    ntp-server=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=\
    x.x.x.x,y.y.y.y,8.8.8.8,8.8.4.4

/ip firewall address-list
add address=192.168.10.1-192.168.10.126 list=OutVpn
/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting connection-limit=100,32 \
    dst-address-type="" dst-limit=1,5,dst-address/1m40s hotspot="" limit=\
    1,5:packet new-routing-mark=VpnRoute passthrough=no psd=21,3s,3,1 \
    src-address=192.168.10.1-192.168.10.126 src-address-type="" tcp-flags=""
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!10.0.0.0/16 out-interface=\
    nuroWAN src-address=10.0.0.0/16
add action=src-nat chain=srcnat dst-address=10.0.0.1 src-address=\
    192.168.10.1-192.168.10.126 src-address-list=OutVpn to-addresses=10.0.0.1
add action=masquerade chain=srcnat out-interface=nuroWAN
/ip route
add check-gateway=ping distance=1 gateway=nuroWAN routing-mark=VpnRoute
add distance=1 dst-address=10.1.0.0/16 gateway=172.22.22.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp profile
set *FFFFFFFE dns-server=10.0.0.1 local-address=10.1.0.0 remote-address=*2
/ppp secret
add local-address=10.0.3.227 name=vpn
add name=vpn_test profile=default-encryption
add address=10.0.5.79 domain=derp service=ppp src-address=10.0.0.1
/snmp
set location=server_room trap-community=DerpDevices trap-target=10.0.5.21 \
    trap-version=2
/system identity
set name=router

Second office config (10.1.x.x)
# mar/13/2021 18:08:58 by RouterOS 6.46.6
# software id = 7MLL-0CTB
#
# model = CCR2004-1G-12S+2XS

/interface bridge
add name=local_bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=a@a.com
/interface ipip
add allow-fast-path=no local-address=x.x.x.x name=ipip-tunnel-office02 \
    remote-address=x.x.x.x
/interface list
add name=LAN-Devices
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.1.2.100-10.1.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local_bridge name=dhcp1
/interface bridge port
add bridge=local_bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN-Devices
/interface list member
add interface=sfp-sfpplus1 list=LAN-Devices
/ip address
add address=10.1.0.1/16 interface=local_bridge network=10.1.0.0
add address=172.22.22.2/30 interface=ipip-tunnel-office02 network=172.22.22.0
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.0.1 gateway=10.1.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.1.1.2 list=wifirouter
add address=10.1.0.0/16 list=internal_FW
/ip firewall filter
add action=accept chain=input comment="accept established, related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=pppoe-out1 \
    protocol=icmp
add action=accept chain=input comment="allow ssh" in-interface=pppoe-out1 \
    port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    pppoe-out1
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established, related" connection-state=\
    established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip route
add distance=1 dst-address=10.0.0.0/16 gateway=172.22.22.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.1.0.0/16,169.254.0.0/16
set api disabled=yes
set winbox address=10.1.0.0/16,169.254.0.0/16
set api-ssl disabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN-Devices
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Devices
Last edited by acte28 on Mon Mar 15, 2021 1:32 am, edited 1 time in total.
 
acte28

Re: L2TP VPN + IPIP Tunnel connectivity

Sun Mar 14, 2021 11:33 am

Anyone? Would it be better to post this question under 'General' or another area?
 
acte28

Re: L2TP VPN + IPIP Tunnel connectivity (solved)

Thu Mar 18, 2021 7:02 am

Sharing the solution: a route needed to be set up on the second router in order to direct the traffic back to the initial VPN access provided by the first router.

From MikroTik support:

I suspect the issue is with the returning traffic. You have to either set up NAT or add static route for the VPN network on the other side of the tunnel as well. For example, a VPN client sends traffic:
192.168.10.2 to 10.1.0.2
The traffic is successfully sent over the tunnel and to the destination host, however the returning packet:
10.1.0.2 to 192.168.10.2
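Modelling the two routers' routing tables makes the support answer concrete. This is an added example, not part of the thread and not RouterOS code: a small longest-prefix-match simulation in Python whose tables are constructed from the two exports above. The L2TP pool is simplified to one 192.168.10.0/25 route on a notional "l2tp-clients" interface instead of RouterOS's per-client /32 routes, and the ROUTER2_FIXED return route and the ROUTER1_SRCNAT rule are assumptions standing in for the two options support describes. It traces a client's packet to 10.1.0.2 and then checks which interface router 2 picks for the reply: with the original tables the reply matches only the default route and leaves via pppoe-out1, where it is masqueraded to the internet; with the return route (or with src-nat to the tunnel address on router 1) it re-enters the IPIP tunnel. It also shows why the 10.0.9.x pool made the second site reachable (router 2's existing 10.0.0.0/16 route already covers those addresses); the model is pure layer 3 and says nothing about why that pool broke reachability on the first office LAN.

```python
import ipaddress

# Constructed routing tables modelled on the two RouterOS exports in this
# thread. Connected routes are (prefix, interface name); static routes are
# (prefix, next-hop IP). Simplification (assumption): the L2TP pool
# 192.168.10.1-126 is one 192.168.10.0/25 route on a notional "l2tp-clients"
# interface instead of RouterOS's per-client /32 routes.
ROUTER1 = [                                  # first office (10.0.x.x)
    ("0.0.0.0/0", "nuroWAN"),                # default route from the DHCP client
    ("10.0.0.0/16", "portLAN01"),
    ("172.22.22.0/30", "iptunnel-office01"),
    ("10.1.0.0/16", "172.22.22.2"),          # static route to the second office
    ("192.168.10.0/25", "l2tp-clients"),
]
ROUTER2 = [                                  # second office (10.1.x.x)
    ("0.0.0.0/0", "pppoe-out1"),             # default route from PPPoE
    ("10.1.0.0/16", "local_bridge"),
    ("172.22.22.0/30", "ipip-tunnel-office02"),
    ("10.0.0.0/16", "172.22.22.1"),          # static route to the first office
]
# The fix from the thread: a return route for the VPN pool on router 2.
ROUTER2_FIXED = ROUTER2 + [("192.168.10.0/25", "172.22.22.1")]
# Alternative mentioned by support: src-nat on router 1 so VPN traffic enters
# the tunnel with the tunnel address as its source. Constructed rule shape:
# (src prefix, out-interface, to-address).
ROUTER1_SRCNAT = [("192.168.10.0/25", "iptunnel-office01", "172.22.22.1")]


def lookup(table, dst):
    """Longest-prefix match of dst against table; returns (prefix, next-hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else (str(best[0]), best[1])


def egress_interface(table, dst, max_depth=4):
    """Resolve dst to an outgoing interface, following a static route's
    next-hop through the connected route that covers it, as a router does."""
    hop = dst
    for _ in range(max_depth):
        match = lookup(table, hop)
        if match is None:
            return None
        nexthop = match[1]
        try:
            ipaddress.ip_address(nexthop)
        except ValueError:
            return nexthop          # connected route: the next hop is an interface
        hop = nexthop               # static route: resolve its gateway in turn
    return None


def apply_srcnat(src, out_iface, rules):
    """Rewrite src if a src-nat rule matches the packet's egress interface."""
    for prefix, iface, to_addr in rules:
        if iface == out_iface and ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return to_addr
    return src


def round_trip(client, server, r1, r2, r1_nat=()):
    """Send client->server through router 1 into the tunnel, then ask router 2
    where it sends the reply. Returns (r1 egress, r2 reply egress, reachable)."""
    fwd_iface = egress_interface(r1, server)
    src_seen = apply_srcnat(client, fwd_iface, r1_nat)
    reply_iface = egress_interface(r2, src_seen)
    # The reply only reaches the client if router 2 puts it back into the IPIP tunnel.
    ok = fwd_iface == "iptunnel-office01" and reply_iface == "ipip-tunnel-office02"
    return fwd_iface, reply_iface, ok


if __name__ == "__main__":
    print("original:         ", round_trip("192.168.10.2", "10.1.0.2", ROUTER1, ROUTER2))
    print("with return route:", round_trip("192.168.10.2", "10.1.0.2", ROUTER1, ROUTER2_FIXED))
    print("with src-nat:     ", round_trip("192.168.10.2", "10.1.0.2", ROUTER1, ROUTER2, ROUTER1_SRCNAT))
    print("10.0.9.x pool:    ", round_trip("10.0.9.2", "10.1.0.2", ROUTER1, ROUTER2))
```

Of the two options, the static route keeps the real client address visible on the second office LAN (useful for logs and firewall rules there), while the src-nat variant hides all VPN users behind 172.22.22.1 but needs no change on the remote router.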
