Can you post the export of yourI worked before, and yes there have been some mikrotik updates since I did this in January/February 2018, but must have missed something, do anyone know what is missing ?
/ip firewall nat
/ip firewall natCan you post the export of yourI worked before, and yes there have been some mikrotik updates since I did this in January/February 2018, but must have missed something, do anyone know what is missing ?rules?Code: Select all/ip firewall nat
Is that all? You've written that you have several subnets there, and you only src-nat packets sent from a single source address. Does that mean that none of the devices in your LANs has access to internet or that they do not access internet via this Mikrotik but via some other path?Can you post the export of yourI worked before, and yes there have been some mikrotik updates since I did this in January/February 2018, but must have missed something, do anyone know what is missing ?rules?Code: Select all/ip firewall nat
Code: Select all/ip firewall nat add action=src-nat chain=srcnat comment="vm1 IIS" log-prefix=rev-proxy-return out-interface=vlan112 src-address=172.16.1.130 to-addresses=\ XXX.XXX.XXX.XXX add action=dst-nat chain=dstnat comment="vm1 IIS" dst-address=XXX.XXX.XXX.XXX dst-port=80 in-interface=vlan112 log-prefix=http-req \ protocol=tcp to-addresses=172.16.1.130 to-ports=80 add action=dst-nat chain=dstnat comment="vm1 IIS" dst-address=XXX.XXX.XXX.XXX dst-port=443 in-interface=vlan112 log-prefix=https-req \ protocol=tcp to-addresses=172.16.1.130 to-ports=443
/ip ipsec policy print
Yes that is all there is.Is that all? You've written that you have several subnets there, and you only src-nat packets sent from a single source address. Does that mean that none of the devices in your LANs has access to internet or that they do not access internet via this Mikrotik but via some other path?Can you post the export of yourI worked before, and yes there have been some mikrotik updates since I did this in January/February 2018, but must have missed something, do anyone know what is missing ?rules?Code: Select all/ip firewall nat
Code: Select all/ip firewall nat add action=src-nat chain=srcnat comment="vm1 IIS" log-prefix=rev-proxy-return out-interface=vlan112 src-address=172.16.1.130 to-addresses=\ XXX.XXX.XXX.XXX add action=dst-nat chain=dstnat comment="vm1 IIS" dst-address=XXX.XXX.XXX.XXX dst-port=80 in-interface=vlan112 log-prefix=http-req \ protocol=tcp to-addresses=172.16.1.130 to-ports=80 add action=dst-nat chain=dstnat comment="vm1 IIS" dst-address=XXX.XXX.XXX.XXX dst-port=443 in-interface=vlan112 log-prefix=https-req \ protocol=tcp to-addresses=172.16.1.130 to-ports=443
While the WIndows machine is connected, how doeslook like (replace public IPs with x.x.x.x)?Code: Select all/ip ipsec policy print
In that case, do all the other devices have a route to 10.10.30.0/24 pointing to this Mikrotik on which the IKEv2 is running? As you say that 172.16.1.0/24 and 192.168.2.0/24 are local subnets of this Mikrotik but the defaut routes of devices in these subnets are other Mikrotiks, then how do the devices know that for 10.10.30.0/24, they should use this Mikrotik exceptionally?Correct, all devices in subnet 172.16.1.0/24 and 192.168.2.0/24, except the reverse proxy 172.16.1.130, routes all traffic to other mikrotik devices.
Only 172.16.1.130 uses this mikrotik device as default gateway(172.16.1.129).
Okey that it could be, they do not know that off course , I will add a route to 10.10.30.0/24 in the other mikrotik devices and we will see what happens.In that case, do all the other devices have a route to 10.10.30.0/24 pointing to this Mikrotik on which the IKEv2 is running? As you say that 172.16.1.0/24 and 192.168.2.0/24 are local subnets of this Mikrotik but the defaut routes of devices in these subnets are other Mikrotiks, then how do the devices know that for 10.10.30.0/24, they should use this Mikrotik exceptionally?Correct, all devices in subnet 172.16.1.0/24 and 192.168.2.0/24, except the reverse proxy 172.16.1.130, routes all traffic to other mikrotik devices.
Only 172.16.1.130 uses this mikrotik device as default gateway(172.16.1.129).
Okey that it could be, they do not know that off course , I will add a route to 10.10.30.0/24 in the other mikrotik devices and we will see what happens.In that case, do all the other devices have a route to 10.10.30.0/24 pointing to this Mikrotik on which the IKEv2 is running? As you say that 172.16.1.0/24 and 192.168.2.0/24 are local subnets of this Mikrotik but the defaut routes of devices in these subnets are other Mikrotiks, then how do the devices know that for 10.10.30.0/24, they should use this Mikrotik exceptionally?Correct, all devices in subnet 172.16.1.0/24 and 192.168.2.0/24, except the reverse proxy 172.16.1.130, routes all traffic to other mikrotik devices.
Only 172.16.1.130 uses this mikrotik device as default gateway(172.16.1.129).
I begun adding a toute to 10.10.30.0/24 to 172.16.1.129 in the reverse proxy (microsoft Server 2016) with ip address 172.16.1.130, because it had 10.0.0.0/8 pointing to another router. But it did not work, it is eventually because the new route (10.10.30.0/24) ended up after 10.0.0.0/8. I will investigate how to change the order in the routing table, if possible.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.1.129 172.16.1.130 276
10.0.0.0 255.0.0.0 172.16.1.1 172.16.1.130 21
10.10.30.0 255.255.255.0 172.16.1.129 172.16.1.130 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.0.0.0 255.0.0.0 172.16.1.1 172.16.1.130 21
172.16.1.0 255.255.255.0 On-link 172.16.1.130 276
172.16.1.130 255.255.255.255 On-link 172.16.1.130 276
172.16.1.255 255.255.255.255 On-link 172.16.1.130 276
192.0.0.0 255.0.0.0 172.16.1.1 172.16.1.130 21
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 172.16.1.130 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 172.16.1.130 276
===========================================================================
I'm afraid it is not the reason. If you have a look, 0.0.0.0/0 is "before" the 10.0.0.0/8 and still doesn't override it. The route table is always searched through for best match, i.e. longest mask, regardless the order of the items and regardless the metric value - the metric value is only important when several routes with the same mask length match.Okey that it could be, they do not know that off course , I will add a route to 10.10.30.0/24 in the other mikrotik devices and we will see what happens.In that case, do all the other devices have a route to 10.10.30.0/24 pointing to this Mikrotik on which the IKEv2 is running? As you say that 172.16.1.0/24 and 192.168.2.0/24 are local subnets of this Mikrotik but the defaut routes of devices in these subnets are other Mikrotiks, then how do the devices know that for 10.10.30.0/24, they should use this Mikrotik exceptionally?Correct, all devices in subnet 172.16.1.0/24 and 192.168.2.0/24, except the reverse proxy 172.16.1.130, routes all traffic to other mikrotik devices.
Only 172.16.1.130 uses this mikrotik device as default gateway(172.16.1.129).
I begun adding a toute to 10.10.30.0/24 to 172.16.1.129 in the reverse proxy (microsoft Server 2016) with ip address 172.16.1.130, because it had 10.0.0.0/8 pointing to another router. But it did not work, it is eventually because the new route (10.10.30.0/24) ended up after 10.0.0.0/8. I will investigate how to change the order in the routing table, if possible.
/ip firewall nat
add action=accept chain=srcnat comment="exception from src-nat for the proxy" out-interface=vlan112 src-address=172.16.1.130 dst-address=10.10.30.0/24 place-before=0
It did not work either...I'm afraid it is not the reason. If you have a look, 0.0.0.0/0 is "before" the 10.0.0.0/8 and still doesn't override it. The route table is always searched through for best match, i.e. longest mask, regardless the order of the items and regardless the metric value - the metric value is only important when several routes with the same mask length match.Okey that it could be, they do not know that off course , I will add a route to 10.10.30.0/24 in the other mikrotik devices and we will see what happens.In that case, do all the other devices have a route to 10.10.30.0/24 pointing to this Mikrotik on which the IKEv2 is running? As you say that 172.16.1.0/24 and 192.168.2.0/24 are local subnets of this Mikrotik but the defaut routes of devices in these subnets are other Mikrotiks, then how do the devices know that for 10.10.30.0/24, they should use this Mikrotik exceptionally?Correct, all devices in subnet 172.16.1.0/24 and 192.168.2.0/24, except the reverse proxy 172.16.1.130, routes all traffic to other mikrotik devices.
Only 172.16.1.130 uses this mikrotik device as default gateway(172.16.1.129).
I begun adding a toute to 10.10.30.0/24 to 172.16.1.129 in the reverse proxy (microsoft Server 2016) with ip address 172.16.1.130, because it had 10.0.0.0/8 pointing to another router. But it did not work, it is eventually because the new route (10.10.30.0/24) ended up after 10.0.0.0/8. I will investigate how to change the order in the routing table, if possible.
However, you've chosen for the test the only device for which the src-nat rule in this Mikrotik exists, which may interfere with the IPsec policy operation. Please try to do the following:and check whether you can reach the 172.16.1.130 from the VPN client when this additional rule exists.Code: Select all/ip firewall nat add action=accept chain=srcnat comment="exception from src-nat for the proxy" out-interface=vlan112 src-address=172.16.1.130 dst-address=10.10.30.0/24 place-before=0
If Microsoft firewall is active on a device, it does not respond to pings. Can this be the reason?It did not work either...
It is a default installed microsoft server with firewall opened for standard ports whilst adding the roles like rdp, iis, and we can login to it using remote desktop from elsewhere, except the ikev2 vpn tunnel, and yes, the firewall stops ping.If Microsoft firewall is active on a device, it does not respond to pings. Can this be the reason?It did not work either...
If not, let's try a brute force approach - choose some device and tell it that the Mikrotik acting as VPN server is its default gateway.
and? Has it made that server's RDP accessible via the VPN or not?Okey, the reverse proxy (windows server) has mikrotik vpn server as its default gateway.IPv4 Route Table.
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.1.129 172.16.1.130 276
10.0.0.0 255.0.0.0 172.16.1.1 172.16.1.130 21
10.10.30.0 255.255.255.0 172.16.1.129 172.16.1.130 21
--cut--
/ip firewall nat print
/ip firewall nat print stats
Nope, it is not reachable via vpn.and? Has it made that server's RDP accessible via the VPN or not?Okey, the reverse proxy (windows server) has mikrotik vpn server as its default gateway.IPv4 Route Table.
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.1.129 172.16.1.130 276
10.0.0.0 255.0.0.0 172.16.1.1 172.16.1.130 21
10.10.30.0 255.255.255.0 172.16.1.129 172.16.1.130 21
--cut--
What doandCode: Select all/ip firewall nat print
show?Code: Select all/ip firewall nat print stats
The most important columns (bytes, packets matched) are missing.[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION
0 ;;; exception from src-nat for the proxy
srcnat accept
1 ;;; vm1 IIS
srcnat src-nat
2 ;;; vm1 IIS
dstnat dst-nat
3 ;;; vm1 IIS
dstnat dst-nat
Sorry, trying againThe most important columns (bytes, packets matched) are missing.[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION
0 ;;; exception from src-nat for the proxy
srcnat accept
1 ;;; vm1 IIS
srcnat src-nat
2 ;;; vm1 IIS
dstnat dst-nat
3 ;;; vm1 IIS
dstnat dst-nat
Okay, so the packets from the 172.16.1.130 were not routed via vlan112, so the src-nat on them was not the issue.Sorry, trying againThe most important columns (bytes, packets matched) are missing.[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION
0 ;;; exception from src-nat for the proxy
srcnat accept
1 ;;; vm1 IIS
srcnat src-nat
2 ;;; vm1 IIS
dstnat dst-nat
3 ;;; vm1 IIS
dstnat dst-nat
[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 ;;; exception from src-nat for the proxy
srcnat accept 0 0
1 ;;; vm1 IIS
srcnat src-nat 70 412 1 136
2 ;;; vm1 IIS
dstnat dst-nat 17 516 339
3 ;;; vm1 IIS
dstnat dst-nat 4 592 111
/ip firewall filter add chain=forward dst-address=10.10.30.0/24 action=passthrough
Still no joy, neither is there any bytes or packets on the forward chain rule or the nat rule.Okay, so the packets from the 172.16.1.130 were not routed via vlan112, so the src-nat on them was not the issue.Sorry, trying againThe most important columns (bytes, packets matched) are missing.[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION
0 ;;; exception from src-nat for the proxy
srcnat accept
1 ;;; vm1 IIS
srcnat src-nat
2 ;;; vm1 IIS
dstnat dst-nat
3 ;;; vm1 IIS
dstnat dst-nat
[admin@MikroTik] > ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 ;;; exception from src-nat for the proxy
srcnat accept 0 0
1 ;;; vm1 IIS
srcnat src-nat 70 412 1 136
2 ;;; vm1 IIS
dstnat dst-nat 17 516 339
3 ;;; vm1 IIS
dstnat dst-nat 4 592 111
If you add a ruleabove all the rules in this chain and try the RDP to the proxy, will this rule's counters show any packets? If yes, the response packets from the proxy do come, otherwise they don't.Code: Select all/ip firewall filter add chain=forward dst-address=10.10.30.0/24 action=passthrough
Ok, so try to place that rule to chain prerouting of table mangle and check again.Still no joy, neither is there any bytes or packets on the forward chain rule or the nat rule.
No joy, neither is there any bytes or packages counted up.Ok, so try to place that rule to chain prerouting of table mangle and check again.Still no joy, neither is there any bytes or packets on the forward chain rule or the nat rule.
No joy, neither is there any bytes or packages counted up.
/ip firewall filter export
Here the firewall filter rules comes:No joy, neither is there any bytes or packages counted up., please.Code: Select all/ip firewall filter export
I have a suspicion.
Here the firewall filter rules comes:No joy, neither is there any bytes or packages counted up., please.Code: Select all/ip firewall filter export
I have a suspicion.
/ip firewall filter
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1 src-address-list=!niceones
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp psd=21,3s,3,1 src-address-list=!niceones tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="SYN/FIN scan" protocol=\
tcp psd=21,3s,3,1 src-address-list=!niceones tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="SYN/RST scan" psd=\
21,3s,3,1 src-address-list=!niceones tcp-flags=""
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="FIN/PSH/URG scan" \
protocol=tcp psd=21,3s,3,1 src-address-list=!niceones tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="ALL/ALL scan" protocol=\
tcp psd=21,3s,3,1 src-address-list=!niceones tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=10m chain=input comment="NMAP NULL scan" \
protocol=tcp psd=21,3s,3,1 src-address-list=!niceones tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Port Scanners" in-interface=vlan112 src-address-list=port-scanners
add action=passthrough chain=forward dst-address=10.10.30.0/24
add action=jump chain=forward comment="ANY spammer drop" connection-state=new jump-target=block-ddos src-address-list=!niceones
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1d chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1d chain=block-ddos
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward disabled=yes dst-address=0.0.0.0/0 src-address=10.10.30.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.30.0/24 src-address=0.0.0.0/0
add action=accept chain=input comment=dns dst-port=53 protocol=udp src-address-list=niceones
add action=accept chain=input comment=dns dst-port=53 protocol=tcp src-address-list=niceones
add action=accept chain=input comment=mail dst-port=25 protocol=tcp src-address-list=niceones
add action=log chain=input comment="ssh, winbox, web" disabled=yes dst-port=80,443,999,8291 in-interface=vlan112 protocol=tcp
add action=accept chain=input comment="ssh, winbox, web" dst-port=80,443,999,8291 in-interface=vlan112 protocol=tcp
add action=accept chain=input comment="l2tp, winbox-mac" dst-port=500,1701,4500,5678 in-interface=vlan112 protocol=udp
add action=accept chain=input disabled=yes log=yes log-prefix=niceones src-address-list=niceones
add action=accept chain=input comment="default configuration ping" protocol=icmp src-address-list=niceones
add action=accept chain=input comment="default configuration established" connection-state=established in-interface=vlan112 \
log-prefix=established
add action=accept chain=input comment="default configuration related" connection-state=related in-interface=vlan112
add action=log chain=input comment="default configuration" disabled=yes in-interface=vlan112 log-prefix="firewall drop"
add action=drop chain=input comment="default configuration" in-interface=vlan112
Then I made a discovery on the windows 10 client side !
I added a bridge in the vpn router and added to it ip address 10.10.30.130,
I could ping it from the windows 10 client with the connected vpn tunnel.
Still on windows 10 client I tried to ping the vpn router ip address 172.16.1.129, it failed off course, like before.
After that I went back to the windows 10 client, checking routes:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.211.55.1 10.211.55.3 25
10.0.0.0 255.0.0.0 On-link 10.10.30.124 26
10.10.30.124 255.255.255.255 On-link 10.10.30.124 281
10.211.55.0 255.255.255.0 On-link 10.211.55.3 281
10.211.55.3 255.255.255.255 On-link 10.211.55.3 281
10.211.55.255 255.255.255.255 On-link 10.211.55.3 281
10.255.255.255 255.255.255.255 On-link 10.10.30.124 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.229.67 281
169.254.229.67 255.255.255.255 On-link 169.254.229.67 281
169.254.255.255 255.255.255.255 On-link 169.254.229.67 281
194.218.206.131 255.255.255.255 10.211.55.1 10.211.55.3 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 169.254.229.67 281
224.0.0.0 240.0.0.0 On-link 10.211.55.3 281
224.0.0.0 240.0.0.0 On-link 10.10.30.124 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 169.254.229.67 281
255.255.255.255 255.255.255.255 On-link 10.211.55.3 281
255.255.255.255 255.255.255.255 On-link 10.10.30.124 281
===========================================================================
If there is not any IP magics engaged I can not see that the windows 10 client has any route telling where 172.16.1.0/24 is.
So I as user admin added routes in the windows 10 client:
c:\> route add 172.16.1.0 mask 255.255.255.0 10.10.30.124
c:\> ping 172.16.1.129
Pinging 172.16.1.129 with 32 bytes of data:
Reply from 172.16.1.129: bytes=32 time=63ms TTL=64
Reply from 172.16.1.129: bytes=32 time=75ms TTL=64
Reply from 172.16.1.129: bytes=32 time=74ms TTL=64
Reply from 172.16.1.129: bytes=32 time=61ms TTL=64
Ping statistics for 172.16.1.129:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 61ms, Maximum = 75ms, Average = 68ms
Now remote desktop to 172.16.1.130, 172.16.1.132 and so on now works as they should.
Bringing down the vpn tunnel also clears the routing table, bringing it up and you have to add routes to 172.16.1.0/24 as admin to make it work.
To verify it still work I removed the bridge and bridge ip address 10.10.30.130, also the nat and mangle rule and the firewall forward rule.
And it still works, just you manually add that route in the windows 10 client.
That raises the question, why has windows 10 not added the routes or what is missing in the magics ?
Why are these two rules disabled?Here the firewall filter rules comes:
/ip firewall filter
...
add action=accept chain=forward disabled=yes dst-address=0.0.0.0/0 src-address=10.10.30.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.30.0/24 src-address=0.0.0.0/0
action=accept
ipsec-policy=in,ipsec
/ip firewall filter chain=input
/ip firewall filter chain=forward
The magics should have been in theThen I made a discovery on the windows 10 client side !
I added a bridge in the vpn router and added to it ip address 10.10.30.130,
I could ping it from the windows 10 client with the connected vpn tunnel.
Still on windows 10 client I tried to ping the vpn router ip address 172.16.1.129, it failed off course, like before.
After that I went back to the windows 10 client, checking routes:
Code: Select allIPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 10.0.0.0 255.0.0.0 On-link 10.10.30.124 26 10.10.30.124 255.255.255.255 On-link 10.10.30.124 281 10.255.255.255 255.255.255.255 On-link 10.10.30.124 281 224.0.0.0 240.0.0.0 On-link 10.10.30.124 281 255.255.255.255 255.255.255.255 On-link 10.10.30.124 281 ===========================================================================
If there is not any IP magics engaged I can not see that the windows 10 client has any route telling where 172.16.1.0/24 is.
That raises the question, why has windows 10 not added the routes or what is missing in the magics ?
/ip ipsec mode-config
1 DA src-address=0.0.0.0/0 src-port=any dst-address=10.10.30.126/32 dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=XXX.XXX.XXX.XXX sa-dst-address=YYY.YYY.YYY.YYY proposal=default ph2-count=1
/ip ipsec mode-config set [find name=cfg1] split-include=10.0.0.0/8,172.16.0.0/12
Having no idea what happens under the hood of Windows, I can only suggest you to use theThe thread become long.
The two firewall rules I first added but they did not make any difference so I disabled them during all tests here and there.
/ip firewall filter
...
add action=accept chain=forward disabled=yes dst-address=0.0.0.0/0 src-address=10.10.30.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.30.0/24 src-address=0.0.0.0/0
I had the two submets in the mode-config from the beginning, but it did not make any differences, also mikrotik write in documentation windows does ignore the setttings.
I realise this windows support vary, on server 2016 it worked perfectly, windows 10 does not.
netmap
Add-VpnConnectionRoute -ConnectionName "<connection name>" -DestinationPrefix <remote subnet>/<mask> -PassThru
That sounds dangerous, not just annoying, to me to see this in the logs and still have the connection established for the users. I may be wrong but I'm afraid that it indicates that your L2TP server settings say "use-ipsec=yes" instead of "use-ipsec=required", therefore the L2TP tunnel is established even though the IPsec transport securing it has failed to establish.For some users I got lots of this in the log files:
19:28:27 ipsec,error no proposal chosen
As far I know, the tunnel works for the user, at least he told me so, but what is this and can it harm in some way, and how can I fix it ?
annoying to have in logs.
Hmm the l2tp server is disabled. I don't get it the I connect my tunnel, so maybe there is something weird with one users windows vpn configuration, have to check that out.That sounds dangerous, not just annoying, to me to see this in the logs and still have the connection established for the users. I may be wrong but I'm afraid that it indicates that your L2TP server settings say "use-ipsec=yes" instead of "use-ipsec=required", therefore the L2TP tunnel is established even though the IPsec transport securing it has failed to establish.For some users I got lots of this in the log files:
19:28:27 ipsec,error no proposal chosen
As far I know, the tunnel works for the user, at least he told me so, but what is this and can it harm in some way, and how can I fix it ?
annoying to have in logs.
The softer explanation why the clients connect successfully although no proposal has been chosen could be that the client retries with a different proposal if the initial attempt has failed but that seems unlikely to me.
Sorry, doing several times at a time is never good. I've forgotten that you don't use L2TP/IPsec but plain IPsec so the L2TP catch came immediately to my mind. Ignore that idea.Hmm the l2tp server is disabled. I don't get it the I connect my tunnel, so maybe there is something weird with one users windows vpn configuration, have to check that out.
/system logging set [find topics=ipsec] topics=ipsec,!packet
OK, I was too brief, I try that from time to time and it always causes more bad than goodCode: Select allipsec,error no proposal chosen
ipsec,error no propsal chosen