mrtiks

L2TP/IPSEC

Fri Jul 09, 2021 5:33 am

I have two ISPs on ether1 and ether2, each with a different public IP. I have set up an L2TP/IPsec VPN server, but only one of the public IPs is available for clients to connect to: ether1 (ISP 1) must be down before ether2 (ISP 2) will accept VPN clients. I want both public IPs to be able to serve VPN clients at any given time. Does anyone have an idea how to do this? Thanks!
 
erlinden

Re: L2TP/IPSEC

Fri Jul 09, 2021 9:11 am

Can you please share your config?
/export hide-sensitive file=anythingyoulike

I am not aware of the VPN service being limited to a single interface...
 
mrtiks

Re: L2TP/IPSEC

Fri Jul 09, 2021 10:41 am

# RouterOS export taken with hide-sensitive: the public addresses, gateways and
# the "ABU IP" entries are user-substituted placeholders (Isp1PublicIP,
# GatewayIsp1, someip), and secrets/keys are omitted. Sections are in export
# order; firewall rules within a chain are evaluated top to bottom.
/ip ipsec profile
# Phase 1 settings used by the L2TP/IPsec responder (peer33 below).
# dh-group=modp1024 and 3des are legacy choices; where all clients support it,
# modp2048 (or stronger) with AES only is the usual recommendation.
add dh-group=modp1024 dpd-interval=3m20s dpd-maximum-failures=20 \
enc-algorithm=aes-256,3des name=profile2
/ip ipsec peer
# passive=yes with no address= makes this a catch-all responder for
# road-warrior clients; the "unreachable" line is presumably RouterOS's own
# export annotation for a peer without an address, not a user comment.
# This entry is unreachable
add name=peer33 passive=yes profile=profile2
/ip ipsec proposal
# Phase 2 proposal referenced by the policy template below. pfs-group=none
# disables PFS; lifetime=0s presumably disables time-based rekeying — confirm.
add enc-algorithms=aes-256-cbc,3des lifetime=0s name=proposal11 pfs-group=\
none
/ip pool
# vpn_pool1/vpn_pool2 are handed out through the PPP profiles below;
# dhcp_pool0 is not referenced anywhere else in this export.
add name=dhcp_pool0 ranges=192.168.11.50-192.168.11.254
add name=vpn_pool1 ranges=172.8.99.2-172.8.99.254
add name=vpn_pool2 ranges=172.9.99.2-172.9.99.254
/ppp profile
# profile1: default profile of the L2TP server; clients draw from vpn_pool1.
add change-tcp-mss=yes dns-server=1.1.1.1 local-address=6.7.8.17 name=\
profile1 only-one=no remote-address=vpn_pool1 use-encryption=required
# profile2: default profile of the PPTP server. Unlike profile1/profile3 it
# sets no use-encryption and no dns-server.
add local-address=7.3.6.3 name=profile2 remote-address=vpn_pool2
# profile3: same settings as profile1 but with a different local-address and
# clients drawn from vpn_pool2; used by the abu_alsons secret below.
add change-tcp-mss=yes dns-server=1.1.1.1 local-address=6.7.10.17 name=\
profile3 only-one=no remote-address=vpn_pool2 use-encryption=required
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
# use-ipsec=yes offers IPsec but, as far as RouterOS semantics go, does not
# require it (use-ipsec=required would reject plain L2TP) — confirm against
# the client population. authentication= still allows mschap1 alongside
# mschap2; dropping mschap1 is preferable if every client supports mschap2.
set authentication=mschap1,mschap2 default-profile=profile1 enabled=yes \
keepalive-timeout=disabled max-mru=1480 max-mtu=1480 use-ipsec=yes
/interface pptp-server server
# Only default-profile is exported here (no enabled=yes), so the PPTP server
# is presumably still in its default disabled state — confirm.
set default-profile=profile2
/ip address
# Both WAN addresses are redacted: ether1 = ISP1, ether2 = ISP2.
add address=Isp1PublicIP interface=ether1 network=gatewayisp1
add address=Isp2PublicIP interface=ether2 network=gatewayisp2
/ip dhcp-client
# ether8 obtains a lease but contributes no default route
# (add-default-route=no); it is the out-interface of the NAT rules below.
add add-default-route=no disabled=no interface=ether8
/ip dns
set servers=8.8.8.8
/ip firewall address-list
# "VPN Users" is the vpn_pool1 subnet and "VPN GlobeUsers" the vpn_pool2
# subnet; the NAT rules below key on these two lists. The three "ABU IP"
# entries are redacted (someip).
add address=172.8.99.0/24 list="VPN Users"
add address=10.0.101.0/24 list=Cloud
add address=192.168.200.0/22 list=200pips
add address=192.168.21.0/24 list=21pips
add address=someip list="ABU IP"
add address=someip list="ABU IP"
add address=someip list="ABU IP"
add address=192.168.1.0/24 list=APPpips
add address=172.9.99.0/24 list="VPN GlobeUsers"
/ip firewall filter
# NOTE(review): the input chain holds only the two rules below and ends
# without a drop, so anything not matched here — including winbox on 8825
# (see /ip service) — is reachable from both WAN interfaces. The usual shape
# is explicit accepts for udp 500/4500 and ipsec-esp plus established/related,
# followed by a drop of everything else arriving on ether1/ether2.
# If this rule is meant to drop ICMP from everyone except "ABU IP", confirm in
# the rule list that the list is shown negated rather than as a list literally
# named "!ABU IP".
add action=drop chain=input protocol=icmp src-address-list="!ABU IP"
# Accepts UDP 1701 from any source with no in-interface or ipsec-policy
# matcher, so unencrypted L2TP is also accepted (see use-ipsec=yes above).
add action=accept chain=input dst-port=1701 protocol=udp
# Disabled, and the only forward rule in the export, so the filter does not
# currently restrict where VPN clients may forward to.
add action=accept chain=forward disabled=yes dst-address-list=Cloud \
src-address-list="VPN Users"
/ip firewall nat
# Source NAT for VPN clients: one masquerade per destination list towards
# ether8, duplicated for the two client lists ("VPN Users" unmarked,
# "VPN GlobeUsers" only with routing-mark=VPN_GLOBE), then a catch-all
# masquerade per list with no out-interface. First matching rule wins.
# NOTE(review): nothing in this export sets routing-mark VPN_GLOBE (there is
# no /ip firewall mangle section), so the routing-mark rules here and the
# VPN_GLOBE route below presumably never match — confirm whether the mangle
# section was left out of the export.
add action=masquerade chain=srcnat dst-address-list=Cloud out-interface=\
ether8 src-address-list="VPN Users"
add action=masquerade chain=srcnat dst-address-list=Cloud out-interface=\
ether8 routing-mark=VPN_GLOBE src-address-list="VPN GlobeUsers"
add action=masquerade chain=srcnat dst-address-list=21pips out-interface=\
ether8 src-address-list="VPN Users"
add action=masquerade chain=srcnat dst-address-list=21pips out-interface=\
ether8 routing-mark=VPN_GLOBE src-address-list="VPN GlobeUsers"
add action=masquerade chain=srcnat dst-address-list=200pips out-interface=\
ether8 src-address-list="VPN Users"
add action=masquerade chain=srcnat dst-address-list=200pips out-interface=\
ether8 routing-mark=VPN_GLOBE src-address-list="VPN GlobeUsers"
add action=masquerade chain=srcnat dst-address-list=APPpips out-interface=\
ether8 src-address-list="VPN Users"
add action=masquerade chain=srcnat dst-address-list=APPpips out-interface=\
ether8 routing-mark=VPN_GLOBE src-address-list="VPN GlobeUsers"
add action=masquerade chain=srcnat src-address-list="VPN Users"
add action=masquerade chain=srcnat routing-mark=VPN_GLOBE src-address-list=\
"VPN GlobeUsers"
/ip firewall service-port
# All connection-tracking ALG helpers disabled, including the pptp helper.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Catch-all identity for peer33. auth-method and secret are not shown
# (hide-sensitive / defaults), so presumably pre-shared-key — confirm.
# generate-policy=port-override creates a per-client policy from the
# template below, overriding the port for clients behind NAT.
add generate-policy=port-override peer=peer33
/ip ipsec policy
# Template only; concrete policies are generated per identity (see above).
add proposal=proposal11 template=yes
/ip route
# Only one default route exists in the main table (via GatewayIsp2); the
# GatewayIsp1 default applies solely to traffic carrying routing-mark
# VPN_GLOBE, which nothing in this export sets.
# NOTE(review): with a single main-table default, replies to sessions that
# arrived on the other WAN address leave via GatewayIsp2 regardless of which
# interface they came in on. The usual two-WAN responder fix is to mark
# connections by in-interface in mangle and route their replies with a
# matching routing-mark so each ISP's replies exit via its own gateway;
# this is a likely cause of the "only one public IP works" symptom — verify.
add distance=1 gateway=GatewayIsp1 routing-mark=VPN_GLOBE
add distance=1 gateway=GatewayIsp2
# Static routes to internal subnets via next hops on 192.168.200.0/22.
add distance=1 dst-address=10.0.101.0/24 gateway=192.168.200.1
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.200.118
add distance=1 dst-address=192.168.21.0/24 gateway=192.168.200.1
add distance=1 dst-address=192.168.170.0/24 gateway=192.168.200.1
/ip service
# Management surface: only winbox (moved to port 8825) remains enabled. No
# address= restriction is exported for it, and the input chain above has no
# final drop, so it is reachable from the WAN side as configured.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8825
set api-ssl disabled=yes
/ppp secret
#I removed some users
# Passwords are hidden by hide-sensitive. Each user is pinned to a PPP
# profile and to service=l2tp.
add name=vpn_abu profile=profile1 service=l2tp
add name=csc profile=profile1 service=l2tp
add name=abu_alsons profile=profile3 service=l2tp
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=ABU-VPN
/system logging
# Firewall topic is logged (default action, presumably memory), but none of
# the filter/NAT rules above set log=yes, so they produce no entries yet.
add topics=firewall
/system ntp client
set enabled=yes primary-ntp=121.58.193.100
/tool mac-server
# MAC-telnet and MAC-ping disabled on every interface.
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager
