CHR VPN server on AWS not reaching VPC

Posted: Sun Feb 10, 2019 9:33 pm
by en1gm4
Has anyone got a CHR working as a VPN server on AWS?

We have one that connects our office (RB4011) to AWS (CHR) via an IPsec tunnel.
We've managed to get traffic flowing well from the office ( to our VPC ( ... after a little challenge getting MSS right!
We also managed to get the L2TP+IPsec server running on the CHR to allow remote workers to connect in.

Remote users are getting addresses in the 10.100.1.x range just fine and can see the office computers.
However, they cannot connect to anything on the VPC.
The CHR can ping the VPC hosts just fine, and users in the office have no problem going through that same CHR to get to VPC hosts.

Any thoughts on what we are doing wrong? (And is this the right bit of the forum to post in?)

Re: CHR VPN server on AWS not reaching VPC

Posted: Wed Feb 20, 2019 7:11 am
by JesusR
Try adding a NAT for remote users. Please post your config.

Re: CHR VPN server on AWS not reaching VPC

Posted: Tue Mar 05, 2019 6:27 pm
by en1gm4
Sorry, I did not seem to get a notification for this one.

The config is pretty simple so far... I suspect I'm doing something very dumb.
# mar/05/2019 16:16:30 by RouterOS 6.43.12
# software id = 
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
/interface l2tp-server
add name=l2tp-server user=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256 dpd-maximum-failures=3 \
    enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256
add dpd-maximum-failures=3 name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
    lifetime=1h name=vpc-aws
add auth-algorithms=sha256,sha1 enc-algorithms=aes-128-cbc,3des lifetime=1h \
/ip pool
add name=VPN_dhcp_pool ranges=
/ip dhcp-server
add address-pool=VPN_dhcp_pool disabled=no interface=ether1 name=dhcp1
/ppp profile
add change-tcp-mss=yes comment="road warrior profile" dns-server=\, local-address= name=AWS_VPN only-one=no \
    remote-address=VPN_dhcp_pool use-compression=yes use-encryption=required
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes ipsec-secret=secret \
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address= dns-server=,, domain=\ gateway=
/ip dns
set servers=,
/ip firewall nat
add action=accept chain=srcnat dst-address= src-address=\
add action=accept chain=srcnat dst-address= src-address=\
/ip ipsec peer
add address= compatibility-options=skip-peer-id-validation \
add address= compatibility-options=skip-peer-id-validation \
add address= exchange-mode=main-l2tp generate-policy=port-override \
    passive=yes profile=RoadWarrior secret=RWPassword \
/ip ipsec policy
set 0 proposal=ipsec
add dst-address= proposal=vpc-aws sa-dst-address= \
    sa-src-address= src-address= tunnel=yes
add disabled=yes dst-address= proposal=vpc-aws sa-dst-address=\ sa-src-address= src-address= \
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=user1 password=userpasswd profile=AWS_VPN service=l2tp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system identity
set name=irevpc-subnet1-chr
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=

Re: CHR VPN server on AWS not reaching VPC

Posted: Mon Mar 25, 2019 10:00 pm
by en1gm4
Well, I've not made a lot of progress, but in case anyone sees this who has more clues than me ;)

I used tcpdump on a VPC instance and confirmed that packets are making it to the server, but for some reason packets are not making it back.
It confuses me that I can reach devices another hop away (in the office) just fine, but the CHR is not able to route packets back to a dial-in user coming into the CHR.

Sounds like it might be an ARP thing, but proxy-arp is enabled on ether1 on the CHR, and the CHR clearly knows how to get packets back to the VPN user from another network.
Am I being stupid here?

Re: CHR VPN server on AWS not reaching VPC

Posted: Thu Mar 28, 2019 12:00 am
by en1gm4
In case anyone is still looking at this, I could use some thinking from someone with AWS + CHR experience.

Still using tcpdump (my new best friend). It appears that the packets from my dial-in users are getting to the VPC instance, but rather than send the reply (in this case a ping) back to the CHR using the MAC address the ping request came from, the host is sending the reply to the MAC address of the Amazon gateway, which would be the default route for hosts as most traffic goes to the internet that way.

This feels like it must be a simple thing we have missed. Where am I being stupid here?
Gut feel is it might be in the VPC route tables...

Re: CHR VPN server on AWS not reaching VPC (solved)  [SOLVED]

Posted: Thu Mar 28, 2019 7:46 pm
by en1gm4
Just to close this out for future readers.

In the end we moved the pool range off of the VPC subnet and meticulously tracked the data flow.
We needed some careful checking and fixing of security groups (we have too many that built up over time) and VPC subnet route tables.
AWS routing is a bit of a challenge if you are used to seeing info from Linux or Windows. Very powerful, but different.
In the end, after much work, the CHR is doing the job and should be a flexible platform for the future.
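The thread's resolution comes down to three checks on the VPC side: the VPN pool must not overlap the subnet the CHR sits in, the subnet's route table needs a route for the pool whose target is the CHR instance, and the security groups on the target hosts must admit the pool. The script below is an added example, not code from this thread or from MikroTik or AWS; it models those three checks offline against a constructed VPC layout (all CIDRs, route targets and group names are placeholders, and the router target is a made-up ENI name) and reports each inconsistency as a finding. Route selection uses longest-prefix match, which is how a VPC route table chooses a route.

```python
"""Sanity checks for a VPN client pool behind a router instance in an AWS VPC.

Added example, not code from the forum thread, MikroTik or AWS. It models the
three points the thread hinged on: the pool must not overlap the VPC subnet the
router sits in, the subnet route table needs a route for the pool whose target
is the router instance, and security groups on the target hosts must admit the
pool. Every CIDR, route target and group name below is a constructed placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass
class Route:
    destination: IPv4Network
    target: str  # "local", an internet gateway, or the router's network interface


@dataclass
class SecurityGroup:
    name: str
    inbound: list[IPv4Network]  # source CIDRs allowed inbound


def route(dest: str, target: str) -> Route:
    return Route(ip_network(dest), target)


def overlapping_subnets(pool: IPv4Network, subnets: list[IPv4Network]) -> list[IPv4Network]:
    """VPC subnets that share any address with the pool."""
    return [s for s in subnets if pool.overlaps(s)]


def return_route_target(pool: IPv4Network, routes: list[Route]) -> str | None:
    """Longest-prefix match, which is how a VPC route table picks a route.

    Only routes that cover the whole pool are considered; a pool that straddles
    two routes would be a configuration error in its own right.
    """
    matches = [r for r in routes if pool.subnet_of(r.destination)]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen).target


def check_vpn_pool(pool_cidr: str, vpc_subnets: list[str], routes: list[Route],
                   router_target: str, groups: list[SecurityGroup]) -> list[str]:
    """Return a list of findings; an empty list means the layout is consistent."""
    pool = ip_network(pool_cidr)
    findings: list[str] = []

    # 1. Pool carved out of a VPC subnet: the VPC treats those addresses as
    #    local, so hosts' replies are never handed to the router instance.
    overlap = overlapping_subnets(pool, [ip_network(s) for s in vpc_subnets])
    if overlap:
        findings.append(
            f"pool {pool} overlaps VPC subnet(s) {', '.join(map(str, overlap))}; "
            "the VPC treats those addresses as local, so replies never reach the router"
        )

    # 2. Return path: the route the VPC picks for the pool must point at the router.
    target = return_route_target(pool, routes)
    if target != router_target:
        findings.append(
            f"return route for {pool} resolves to {target!r}, expected router target {router_target!r}"
        )

    # 3. Security groups on the target hosts must admit the pool as a source.
    for g in groups:
        if not any(pool.subnet_of(c) for c in g.inbound):
            findings.append(f"security group {g.name!r} does not admit {pool} inbound")

    return findings


# Constructed VPC layout: one /16 with a single /24 subnet hosting the router.
VPC_SUBNETS = ["10.100.1.0/24"]
ROUTER = "eni-ROUTER-PLACEHOLDER"
ROUTES_BEFORE = [route("10.100.0.0/16", "local"), route("0.0.0.0/0", "igw-PLACEHOLDER")]
ROUTES_AFTER = ROUTES_BEFORE + [route("10.200.0.0/24", ROUTER)]
GROUPS = [SecurityGroup("app-hosts", [ip_network("10.100.0.0/16"), ip_network("10.200.0.0/24")])]


if __name__ == "__main__":
    # Pool carved out of the VPC subnet, the layout the thread started with.
    for f in check_vpn_pool("10.100.1.200/29", VPC_SUBNETS, ROUTES_BEFORE, ROUTER, GROUPS):
        print("before:", f)
    # Pool moved off the VPC subnet, with a route for it pointing at the router.
    print("after:", check_vpn_pool("10.200.0.0/24", VPC_SUBNETS, ROUTES_AFTER, ROUTER, GROUPS))
```

The "before" layout produces two findings (overlap, and a return route that resolves to `local` rather than the router); the "after" layout produces none. One thing the script does not model, but which applies to any EC2 instance forwarding traffic it did not originate: the instance's source/destination check must be disabled, or the VPC drops the forwarded packets regardless of the route table.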