
L2TP/IPSEC client-to-client

Posted: Sun Oct 08, 2017 3:46 pm
by itonkov
Hello everyone!

I have the following setup:
Image

Connectivity to the clients 172.16.1.2 and 172.16.1.3 from the L2TP server (172.16.1.1) is working.
However, there is no ping between 172.16.1.2 and 172.16.1.3.
The L2TP server is forwarding traffic from the VPN network (i.e. there is connectivity from 172.16.1.2 to the Internet via 172.16.1.1).


I know OpenVPN has a configuration directive called client-to-client that enables connectivity between individual clients.
Is there something similar in L2TP?
If not, can you recommend a workaround?
I tried adding a static route on 172.16.1.1 for 172.16.1.0/24, but it said that 172.16.1.1 is "unreachable".
I also looked into setting up a bridge between the L2TP clients, but all articles I came across were about bridging the VPN and the local network.

Thanks,
Ivan.

Re: L2TP/IPSEC client-to-client  [SOLVED]

Posted: Sun Oct 08, 2017 4:57 pm
by JohnTRIVOLTA
try adding the routes:
for Router 2.2.2.2 - /ip route add dst-address=10.0.3.0/24 gateway=172.16.1.1 ,
for Router 3.3.3.3 - /ip route add dst-address=10.0.2.0/24 gateway=172.16.1.1

Re: L2TP/IPSEC client-to-client

Posted: Sun Oct 08, 2017 5:10 pm
by itonkov
Hello JohnTRIVOLTA and thanks for the reply,

I've added these rules but it did not resolve my problem.
I already had
/ip route add dst-address=10.0.1.0/24 gateway=172.16.1.1
on each of them, which did work as expected.
Furthermore I had
/ip route add dst-address=10.0.3.0/24 gateway=172.16.1.3
on 172.16.1.2 and
/ip route add dst-address=10.0.2.0/24 gateway=172.16.1.2
on 172.16.1.3, but since 172.16.1.2 cannot see 172.16.1.3, those rules did not work.

Ivan.

Re: L2TP/IPSEC client-to-client

Posted: Sun Oct 08, 2017 5:42 pm
by JohnTRIVOLTA
Please write it in our forum http://www.mikrotik-bg.net to solve the problem!

P.S. Keep the Bulgarian tradition of putting a minus on a person who wants to help you; it was easier for me to explain the settings in our native language! Anyway, check the routes and see the firewall of the main router, Ванчо!

Re: L2TP/IPSEC client-to-client

Posted: Mon Oct 09, 2017 3:09 am
by almdandi
Hey

I don't know exactly what you are trying to accomplish, but I would recommend a simple IPsec site-to-site tunnel from each site to the others, so all private networks are connected to each other. One important point in such a setup is to have different subnets on each site, but as your diagram shows, that's already done.

Re: L2TP/IPSEC client-to-client

Posted: Mon Oct 09, 2017 11:18 am
by itonkov
Please write it in our forum http://www.mikrotik-bg.net to solve the problem!

P.S. Keep the Bulgarian tradition of putting a minus on a person who wants to help you; it was easier for me to explain the settings in our native language! Anyway, check the routes and see the firewall of the main router, Ванчо!

I have fiddled with the firewall and routes for quite some time but without any success. I'll check that again.

P.S.
There are two reasons for the minus:
1. If someone has the same issue as me, then he'll have to go to the Bulgarian forum, look up the new thread and then try to understand it. In the case of that person not speaking Bulgarian I find this quite difficult;
2. Having to create a separate account and a separate thread seemed like too much work given the fact that this forum has a much larger audience.
I thank you for your help, but I do not agree with redirecting to another forum and asking there as being a part of the solution.
Regards,
Иван.

Hey

I don't know exactly what you are trying to accomplish, but I would recommend a simple IPsec site-to-site tunnel from each site to the others, so all private networks are connected to each other. One important point in such a setup is to have different subnets on each site, but as your diagram shows, that's already done.

Thanks for the reply, my main goal is to have the three subnets connected. I'd like to have a central point for the L2TP, since adding a fourth and fifth location would be much much easier this way compared to a 5 node mesh.

Re: L2TP/IPSEC client-to-client

Posted: Mon Oct 09, 2017 12:26 pm
by almdandi
Hey

How far did you get with your L2TP setup? Maybe one thing: did you add a route back on each router? Because you want to add more sites, you should maybe consider using a dynamic routing protocol.

Try this.

Router 172.16.1.1
/ip route add dst-address=10.0.2.0/24 gateway=172.16.1.2
/ip route add dst-address=10.0.3.0/24 gateway=172.16.1.3
Router 172.16.1.2
/ip route add dst-address=10.0.1.0/24 gateway=172.16.1.1
/ip route add dst-address=10.0.3.0/24 gateway=172.16.1.1
Router 172.16.1.3
/ip route add dst-address=10.0.1.0/24 gateway=172.16.1.1
/ip route add dst-address=10.0.2.0/24 gateway=172.16.1.1
As you already said, 172.16.1.3 is not visible to 172.16.1.2 because L2TP is a point-to-point connection with a /32 subnet. So for site 1 and site 2 the main router should be the gateway.
What you also can do later is to add the route dynamically with the routes field in the ppp secrets window.

A little side note: using a central solution also has downsides. If the main router goes down, all sites are disconnected from each other. The main router needs to be more powerful because it's always involved, and obviously you need a better internet connection on the main site. I think it depends on your future plans, on how many sites you really will have in the future. I think configuring 5 routers once is not too bad, because it is mainly copy-paste work and changing the IP addresses.

Greetings
Luke
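
A small model of the hub-and-spoke routing explained above, added here as an example and not code from the thread or from RouterOS: it does longest-prefix lookup and hop-by-hop forwarding over the two route tables discussed (spokes pointing at each other versus spokes pointing at the hub) and checks both directions of a ping, since a point-to-point tunnel only gives a spoke a direct link to the hub. Router names, the neighbour sets and the host addresses 10.0.2.10 and 10.0.3.10 are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (assumed values): each L2TP tunnel
# is point-to-point, so a spoke's only directly reachable neighbour is the hub.
NEIGHBOURS = {"hub": {"172.16.1.2", "172.16.1.3"},
              "spoke2": {"172.16.1.1"}, "spoke3": {"172.16.1.1"}}
ROUTER_OF = {"172.16.1.1": "hub", "172.16.1.2": "spoke2", "172.16.1.3": "spoke3"}
LAN = {"hub": "10.0.1.0/24", "spoke2": "10.0.2.0/24", "spoke3": "10.0.3.0/24"}

def lookup(routes, dst):
    """Longest-prefix match over (dst-address, gateway) pairs, like /ip route."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def trace(tables, router, dst, max_hops=8):
    """Forward one packet hop by hop; returns (delivered, path). Fails when a router
    picks a gateway it has no direct link to (the route RouterOS marks unreachable)."""
    path = [router]
    for _ in range(max_hops):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(LAN[router]):
            return True, path
        gw = lookup(tables[router], dst)
        if gw is None or gw not in NEIGHBOURS[router]:
            return False, path + [f"unreachable via {gw}"]
        router = ROUTER_OF[gw]
        path.append(router)
    return False, path + ["loop"]

def ping_works(tables, src_ip, dst_ip):
    """A ping needs both the echo request and the echo reply to be routable."""
    src = next(r for r, n in LAN.items() if ipaddress.ip_address(src_ip) in ipaddress.ip_network(n))
    ok, path = trace(tables, src, dst_ip)
    if not ok:
        return False, path
    back_ok, back = trace(tables, path[-1], src_ip)
    return back_ok, path + back[1:]

HUB = [("10.0.2.0/24", "172.16.1.2"), ("10.0.3.0/24", "172.16.1.3")]
# Spokes pointing at each other directly (the first attempt in the thread).
DIRECT = {"hub": HUB,
          "spoke2": [("10.0.1.0/24", "172.16.1.1"), ("10.0.3.0/24", "172.16.1.3")],
          "spoke3": [("10.0.1.0/24", "172.16.1.1"), ("10.0.2.0/24", "172.16.1.2")]}
# Spokes sending all remote subnets to the hub (the working answer above).
VIA_HUB = {"hub": HUB,
           "spoke2": [("10.0.1.0/24", "172.16.1.1"), ("10.0.3.0/24", "172.16.1.1")],
           "spoke3": [("10.0.1.0/24", "172.16.1.1"), ("10.0.2.0/24", "172.16.1.1")]}

if __name__ == "__main__":
    print(ping_works(DIRECT, "10.0.2.10", "10.0.3.10"))
    print(ping_works(VIA_HUB, "10.0.2.10", "10.0.3.10"))
```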

Re: L2TP/IPSEC client-to-client [SOLVED]

Posted: Mon Oct 09, 2017 1:55 pm
by itonkov
Hello Luke,

Thanks for the advice, I got it to work :-)

I already had those rules (or at least I thought I did), but I decided to break down the setup a bit more and assign 172.16.2.1 (on the main router) and 172.16.2.2 for office 2, 172.16.3.1 (again on the main router) and 172.16.3.2 for office 3. This allowed me to see more detail in the packet sniffer and I was able to consecutively ping each host on the route from Office 2 to 3.

By reverting the steps above I was able to have it working with 172.16.1.* addresses as initially intended.

I'm puzzled by what prevented it from working initially, but everything points at me :)

My thanks to everyone who participated in the discussion!

Re: L2TP/IPSEC client-to-client

Posted: Mon Oct 09, 2017 5:32 pm
by JohnTRIVOLTA
Please write it in our forum http://www.mikrotik-bg.net to solve the problem!

P.S. Keep the Bulgarian tradition of putting a minus on a person who wants to help you; it was easier for me to explain the settings in our native language! Anyway, check the routes and see the firewall of the main router, Ванчо!

I have fiddled with the firewall and routes for quite some time but without any success. I'll check that again.

P.S.
There are two reasons for the minus:
1. If someone has the same issue as me, then he'll have to go to the Bulgarian forum, look up the new thread and then try to understand it. In the case of that person not speaking Bulgarian I find this quite difficult;
2. Having to create a separate account and a separate thread seemed like too much work given the fact that this forum has a much larger audience.
I thank you for your help, but I do not agree with redirecting to another forum and asking there as being a part of the solution.
Regards,
Иван.

You put your reasons correctly, and we will continue to discuss the topic here, but I did not understand why it was necessary to put a negative sign; what you wrote is no argument for its placement! Anyway, the important thing is that you have reached and reasoned out the solution!
Regards,
Ицо