peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Two EOIP tunnels and traffic problem

Fri May 10, 2019 12:20 am

Hi there,
I set up two EoIP tunnels using one bridge for both. Different users, different IPs... everything works fine... separately. If I turn on both tunnels, the traffic is only transmitted through the second one. The first one has no outgoing traffic. What am I doing wrong?
Attached you can find a simple drawing of my connection schema. And sorry for my basic English!

Cheers
Rubén
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 9:58 am

It should work fine but the information on the drawing is insufficient to suggest what might be wrong, so post the configuration of all three machines following the hint in my automatic signature and the output of /interface eoip print detail, /interface bridge print detail, and /interface bridge host print when both tunnels are up.
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 10:45 am

Hi again,
Thanks for your help.


PPTP Server config

# may/10/2019 08:10:11 by RouterOS 6.44.3
# software id = CTWP-R4CL
#
# model = RouterBOARD 941-2nD
# serial number = 8CE5081EF3C1
/interface bridge
add admin-mac=CC:2D:E0:64:D3:89 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-YARARA \
wireless-protocol=802.11
/interface eoip
add local-address=192.168.88.200 mac-address=02:42:62:50:21:C8 name=\
eoip-tunnel1 remote-address=192.168.88.201 tunnel-id=0
add !keepalive local-address=192.168.88.240 mac-address=02:1E:1F:F9:7F:53 name=\
eoip-tunnel2 remote-address=192.168.88.241 tunnel-id=666
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******* \
wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=PPTP-Pool ranges=192.168.1.125-192.168.1.150
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge interface=eoip-tunnel1
add bridge=bridge interface=eoip-tunnel2
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=192.168.1.4/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip dns static
add address=192.168.1.4 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes \
src-address=192.168.88.2-192.168.88.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.1.1
add disabled=yes distance=1 dst-address=239.0.2.0/32 gateway=bridge
/ppp secret
add local-address=192.168.88.210 name=username1 password=***** \
remote-address=192.168.88.211 service=pptp
add local-address=192.168.88.200 name=eoipuser1 password=******** remote-address=\
192.168.88.201 service=pptp
add local-address=192.168.88.240 name=eoipuser2 password=******** remote-address=\
192.168.88.241 service=pptp


EOIP Tunnel Client 1

# may/10/2019 09:19:04 by RouterOS 6.44.3
# software id = TRE9-T0ST
#
# model = RouterBOARD 941-2nD
# serial number = 8CE508EEA453
/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pptp-client
add connect-to=pptp.server.address disabled=no keepalive-timeout=disabled name=pptp-out1 password=****** user=eoipuser1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=spain disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=MikroTik-SS \
wireless-protocol=802.11
/interface eoip
add !keepalive local-address=192.168.88.201 mac-address=02:38:92:53:EE:25 name=eoip-tunnel1 remote-address=192.168.88.200 tunnel-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=PcEERGbn wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.66.10-192.168.66.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=eoip-tunnel1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.66.1/24 comment=defconf interface=ether2 network=192.168.66.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.66.0/24 comment=defconf gateway=192.168.66.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.66.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.0.1
add distance=1 dst-address=172.26.22.0/32 gateway=pptp-out1
add distance=1 dst-address=172.26.23.0/32 gateway=pptp-out1
add distance=1 dst-address=239.0.2.0/32 gateway=eoip-tunnel1
/ppp secret
add name=userppp password=********


EOIP Client 2

# may/10/2019 09:23:06 by RouterOS 6.44.3
# software id = DGM8-J1KA
#
# model = RB941-2nD
# serial number = 93710A80B802
/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:9E
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:9F
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:A0
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:A1
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
/interface eoip
add !keepalive local-address=192.168.88.241 mac-address=02:38:92:53:EE:25 name=eoiptunnel1 remote-address=192.168.88.240 tunnel-id=666
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=***** wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface pptp-client
add connect-to=pptp.server.address disabled=no keepalive-timeout=disabled name=PPTP-client1 password=******* profile=default user=eoipuser2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=eoiptunnel1
add bridge=bridge comment=defconf disabled=yes interface=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan2 list=WAN
/ip address
add address=192.168.77.1/24 comment=defconf interface=ether1 network=192.168.77.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=wlan2
/ip dhcp-server network
add address=192.168.77.0/24 comment=defconf gateway=192.168.77.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=172.26.22.0/32 gateway=PPTP-client1
add distance=1 dst-address=172.26.23.0/32 gateway=PPTP-client1
add distance=1 dst-address=239.0.2.0/32 gateway=eoiptunnel1


Interface configs

[admin@MikroTik] /interface eoip> /interface eoip print detail
Flags: X - disabled, R - running
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1408 l2mtu=65535 mac-address=02:42:62:50:21:C8 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=192.168.88.200 remote-address=192.168.88.201 tunnel-id=0 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes

1 R name="eoip-tunnel2" mtu=auto actual-mtu=1408 l2mtu=65535 mac-address=02:1E:1F:F9:7F:53 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=192.168.88.240 remote-address=192.168.88.241 tunnel-id=666 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes



[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1408 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:64:D3:89 protocol-mode=rstp fast-forward=yes igmp-snooping=yes multicast-router=temporary-query
multicast-querier=no startup-query-count=2 last-member-query-count=2 last-member-interval=1s membership-interval=4m20s querier-interval=4m15s query-interval=2m5s query-response-interval=10s
startup-query-interval=31s250ms igmp-version=2 auto-mac=no admin-mac=CC:2D:E0:64:D3:89 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
dhcp-snooping=no


[admin@MikroTik] > /interface bridge host print
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE
0 D 00:26:86:00:00:00 ether1 bridge 6s
1 DL 02:1E:1F:F9:7F:53 eoip-tunnel2 bridge
2 D 02:38:92:53:EE:25 eoip-tunnel2 bridge 1s
3 DL 02:42:62:50:21:C8 eoip-tunnel1 bridge
4 D 2C:CC:44:34:B2:C9 ether1 bridge 6s
5 D 34:57:60:DB:35:A3 ether1 bridge 0s
6 D 3C:5C:C4:07:5A:43 ether1 bridge 6s
7 D 68:63:59:95:FF:DB ether1 bridge 27s
8 D 68:9A:87:54:56:90 ether1 bridge 6s
9 D 90:EF:68:3C:A9:67 eoip-tunnel2 bridge 3s
10 D AA:AA:AA:1B:45:C7 ether1 bridge 0s
11 D AA:AA:AA:1B:46:C7 ether1 bridge 0s
12 D BC:60:A7:DC:37:35 ether1 bridge 6s
13 D C4:95:00:AC:D5:BF ether1 bridge 6s
14 D CC:2D:E0:64:96:9F eoip-tunnel2 bridge 24s
15 DL CC:2D:E0:64:D3:88 ether1 bridge
16 DL CC:2D:E0:64:D3:89 bridge bridge


Again, thanks for your support
Last edited by peinamuertos on Fri May 10, 2019 11:17 am, edited 1 time in total.
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 10:47 am

And sorry, I realized that IPs of my drawing are not correct. They are all in 192.168.88.x subnet.

Regards
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 11:30 am

Could it be that both the PPTP clients are connected from behind the same public IP address? One of the problems with PPTP is that it uses GRE, and one of the problems with GRE is that it doesn't use the concept of ports so only a single GRE "session" can exist between two IP addresses, so if one of these two addresses belongs to a NAT device and there is more than one GRE endpoint behind it, only one of the GRE sessions works at a time. Some NATs let the private->public packets run for both sessions which might explain why the EoIP tunnels are both reported as up at the "PPTP server" machine.
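To make the GRE-behind-NAT problem described in the post above concrete, here is an added example in Go; it is not code from this thread or from MikroTik. It models a source NAT's translation table: for TCP the NAT can key each client by its rewritten source port, but GRE has no ports, so the second client's binding silently replaces the first one's and every reply from the server lands on client 2, even though both clients' outbound packets still leave the NAT (the "private->public runs for both" behaviour mentioned above). All addresses are constructed from the documentation ranges.

```go
package main

import "fmt"

// Flow identifies a packet's endpoints the way a NAT keys its translation
// table. GRE carries no port numbers, so for GRE both port fields stay 0.
type Flow struct {
	Proto   string
	SrcIP   string
	SrcPort int
	DstIP   string
	DstPort int
}

// NAT is a minimal source NAT: every private flow is rewritten to one public
// address, and the reply key (the packet the server will send back) maps to
// the private host that owns the binding.
type NAT struct {
	PublicIP string
	bindings map[Flow]Flow // server->public reply flow -> original private flow
	nextPort int
}

func NewNAT(publicIP string) *NAT {
	return &NAT{PublicIP: publicIP, bindings: map[Flow]Flow{}, nextPort: 40000}
}

// Outbound translates a private->server packet and records its binding. The
// private->public direction always works, as some NATs allow for GRE.
// TCP/UDP flows get a fresh public port, so two clients stay distinguishable;
// a GRE flow can only be keyed by (gre, server IP, public IP), so a second
// client talking to the same server overwrites the first client's binding.
func (n *NAT) Outbound(f Flow) Flow {
	pub := Flow{Proto: f.Proto, SrcIP: n.PublicIP, DstIP: f.DstIP, DstPort: f.DstPort}
	if f.Proto != "gre" {
		pub.SrcPort = n.nextPort
		n.nextPort++
	}
	reply := Flow{Proto: f.Proto, SrcIP: f.DstIP, SrcPort: f.DstPort, DstIP: pub.SrcIP, DstPort: pub.SrcPort}
	n.bindings[reply] = f
	return pub
}

// Inbound returns the private host that receives a server->public packet,
// or "" when no binding matches.
func (n *NAT) Inbound(f Flow) string {
	return n.bindings[f].SrcIP
}

// SimulateTwoClients sends one flow of the given protocol from each of two
// private hosts to the same server and returns who receives the server's
// reply for client 1's session and for client 2's session respectively.
// Addresses are constructed (documentation ranges), not from the thread.
func SimulateTwoClients(proto string) (toClient1, toClient2 string) {
	nat := NewNAT("203.0.113.10")
	const server = "198.51.100.5"
	c1 := Flow{Proto: proto, SrcIP: "192.168.1.10", DstIP: server}
	c2 := Flow{Proto: proto, SrcIP: "192.168.1.11", DstIP: server}
	if proto != "gre" {
		c1.SrcPort, c1.DstPort = 50001, 1723 // PPTP control channel is TCP/1723
		c2.SrcPort, c2.DstPort = 50002, 1723
	}
	p1, p2 := nat.Outbound(c1), nat.Outbound(c2)
	// The server answers each public-side flow with the direction swapped.
	r1 := Flow{Proto: proto, SrcIP: server, SrcPort: p1.DstPort, DstIP: p1.SrcIP, DstPort: p1.SrcPort}
	r2 := Flow{Proto: proto, SrcIP: server, SrcPort: p2.DstPort, DstIP: p2.SrcIP, DstPort: p2.SrcPort}
	return nat.Inbound(r1), nat.Inbound(r2)
}

func main() {
	for _, proto := range []string{"tcp", "gre"} {
		a, b := SimulateTwoClients(proto)
		fmt.Printf("%s: reply for client 1 reaches %q, reply for client 2 reaches %q\n", proto, a, b)
	}
}
```

With "tcp" each client gets its own reply; with "gre" both replies reach 192.168.1.11, which is exactly the symptom in the first post: one tunnel looks up on the server side but carries nothing back to the first client.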
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 12:56 pm

Yes, both EoIP tunnels are connected through the same public IP address to the PPTP MikroTik server... so, what can I do? Is there any way to avoid using another public IP? Maybe using another tunnel type?

Thanks!
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 1:25 pm

PPTP is a security hole anyway, so use plain IKEv2 (L2TP encrypted using IPsec suffers from the same issue of multiple clients behind a NAT, even though the detailed reason is slightly different, and without encryption it is totally insecure).
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 2:57 pm

I know, but first I'd like to solve the main issue. So, any ideas for tunneling using the same public internet IP?
Sorry, as you can see I'm a bit of a newbie...

Thanks
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 3:22 pm

The problem is not the EoIP tunnels themselves - they are just victims of the PPTP problem with NAT. So until you set up a VPN which a) does not use TCP as transport and b) does not have problems with two clients behind the same public IP, the EoIP won't work at both sites simultaneously. And requirements a) and b) narrow the list to just two types of VPN out of those available on Mikrotik: L2TP without IPsec (so no encryption at all) and IKEv2.
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 9:22 pm

Well, I tried BCP bridging with an L2TP interface and... the same issue. I don't know why the behaviour is just the same. As you can see, there's no EoIP tunneling and the connections (separately) run just fine. I'm just thinking that I'm missing something...
When both connections are running, one of them sends no packets.
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 9:37 pm

Have you set use-ipsec to yes and ipsec-secret in l2tp configuration?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri May 10, 2019 10:52 pm

Btw, there is one more issue in your configuration, but I don't think it explains the L2 tunnel behaviour. On the server, you have attached the /ip dhcp-client to ether1 and attached two /ip address entries to ether2, but at the same time you've made ether1 and ether2 member ports of the /interface bridge named bridge. That's incorrect: elements of IP configuration cannot be attached to interfaces which are at the same time member ports of bridges, it causes weird errors. So fix this first of all.

Next, can you re-confirm again that your physical network topology looks like this?


                                                                                  ______________
                                   ____                    ______________        |              |
 ____________                     (    )                  |              |-------| VPN client 1 |
|            | public IP A       (      )     public IP B |              |       |______________|
| VPN server |------------------(        )----------------| WAN(NAT) LAN |        ______________
|____________|                   (______)                 |              |       |              |
                                                          |______________|-------| VPN client 2 |
                                                                                 |______________|
If so, the L2TP tunnels can only work for both clients if ipsec=yes is not used in the l2tp configuration.
 
McSee
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Tue Feb 26, 2019 12:49 pm

Re: Two EOIP tunnels and traffic problem

Sat May 11, 2019 3:53 am

peinamuertos,
do you really have the same MAC address on both clients' bridges?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Sat May 11, 2019 8:48 am

Worse than that, have you saved a backup on client 1 and loaded it on client 2? Because it's not only the admin-mac of the bridge, it's also that the MAC addresses of Ethernet ports are user-configured on client 2.

For bridging of external traffic this doesn't matter, but if you check the tunnel by sending data to the IP address of the bridge on the client device, the duplicity does matter.

And loading a backup of one device to another is prohibited in general, you have to export the configuration on one device and import it on the other one after editing out the duplicities from the script file. In your case, reset client 2 to defaults, export configuration from client 1 and import it to client 2 after making the necessary changes in it.
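The two configuration mistakes raised in the last few posts (IP configuration attached to a bridge member port, and MAC addresses cloned from one device to another through a restored backup) can be caught mechanically before a tunnel is ever tested. The following Go program is an added example, not part of this thread or of any MikroTik tool: it parses RouterOS /export text (including the backslash line continuations seen in the exports above) and runs both checks over abbreviated, constructed excerpts of the server, client 1 and client 2 exports posted earlier. The device names and the trimmed exports are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var contRe = regexp.MustCompile(`\\\n[ \t]*`)                   // "\" line continuation
var kvRe = regexp.MustCompile(`([A-Za-z0-9-]+)=("[^"]*"|\S+)`) // key=value tokens

// Entry is one add/set line of a RouterOS export together with its section path.
type Entry struct {
	Section string
	Args    map[string]string
}

// Device pairs a device name with its parsed export.
type Device struct {
	Name    string
	Entries []Entry
}

// ParseExport splits "/export" text into entries; a "set [ find default-name=etherN ]"
// line yields a default-name key that identifies the port.
func ParseExport(export string) []Entry {
	var entries []Entry
	section := ""
	for _, line := range strings.Split(contRe.ReplaceAllString(export, ""), "\n") {
		switch {
		case strings.HasPrefix(line, "/"):
			section = line
		case strings.HasPrefix(line, "add ") || strings.HasPrefix(line, "set "):
			args := map[string]string{}
			for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
				args[m[1]] = strings.Trim(m[2], `"`)
			}
			entries = append(entries, Entry{section, args})
		}
	}
	return entries
}

// CheckBridgePortIP flags /ip address and /ip dhcp-client entries bound to an
// interface that is also an enabled member port of a bridge.
func CheckBridgePortIP(d Device) []string {
	ports := map[string]bool{}
	for _, e := range d.Entries {
		if e.Section == "/interface bridge port" && e.Args["disabled"] != "yes" {
			ports[e.Args["interface"]] = true
		}
	}
	var out []string
	for _, e := range d.Entries {
		if (e.Section == "/ip address" || e.Section == "/ip dhcp-client") && ports[e.Args["interface"]] {
			out = append(out, fmt.Sprintf("%s: %s on %s, which is a bridge port", d.Name, e.Section, e.Args["interface"]))
		}
	}
	return out
}

// CheckDuplicateMACs flags any admin-mac or mac-address value that a later device
// configures although an earlier device already has it: the fingerprint of a
// backup restored onto a second box. Repeats within one device are not reported.
func CheckDuplicateMACs(devs []Device) []string {
	first := map[string]string{} // MAC -> first device that configures it
	var out []string
	for _, d := range devs {
		for _, e := range d.Entries {
			for _, key := range []string{"admin-mac", "mac-address"} {
				mac := strings.ToUpper(e.Args[key])
				if mac == "" {
					continue
				}
				if prev, ok := first[mac]; !ok {
					first[mac] = d.Name
				} else if prev != d.Name {
					out = append(out, fmt.Sprintf("%s: MAC %s is also configured on %s", d.Name, mac, prev))
				}
			}
		}
	}
	return out
}

// Abbreviated exports constructed from the ones posted earlier in this thread.
const (
	serverExport = `/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=ether1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1`
	client1Export = `/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf name=bridge`
	client2Export = `/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf name=bridge`
)

// LintThread runs both checks over the three exports and returns the findings.
func LintThread() []string {
	devs := []Device{{"server", ParseExport(serverExport)}, {"client1", ParseExport(client1Export)}, {"client2", ParseExport(client2Export)}}
	out := CheckDuplicateMACs(devs)
	for _, d := range devs {
		out = append(out, CheckBridgePortIP(d)...)
	}
	return out
}
```

Calling LintThread() on these excerpts yields three findings: the cloned bridge admin-mac on client 2, and the /ip address and /ip dhcp-client entries the server has on its bridge ports ether2 and ether1. Feeding it the full /export of each device (with hide-sensitive, as the signature above recommends) works the same way, since only the interface, admin-mac and mac-address keys are consulted.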
 
peinamuertos
just joined
Topic Author
Posts: 7
Joined: Fri May 10, 2019 12:10 am

Re: Two EOIP tunnels and traffic problem

Sat May 11, 2019 1:15 pm

Well... sorry. I told you... newbie. Changed config and new MAC = all working under L2TP with IPsec.

Thanks a lot to everyone!!!
 
jmvictoria
just joined
Posts: 1
Joined: Tue May 12, 2020 4:55 pm

Re: Two EOIP tunnels and traffic problem

Tue May 12, 2020 5:23 pm

Hi @peinamuertos,

Sorry for this off-topic question, but I see two ARP entries in your previous message list with prefix "AA:AA:AA:1B" that I have been looking for for a while without success... If you know, could you tell me what they are?
They are currently appearing in my home LAN traffic analysis with a lot of bandwidth use and it's frustrating and annoying. I think they must be internal PoE traffic splitters or so on... but I can't find any information regarding it on the Internet...

Many thanks and sorry for the interruption...

10 D AA:AA:AA:1B:45:C7 ether1 bridge 0s
11 D AA:AA:AA:1B:46:C7 ether1 bridge 0s


Best regards!

JM

[admin@MikroTik] > /interface bridge host print
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
# MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE
0 D 00:26:86:00:00:00 ether1 bridge 6s
1 DL 02:1E:1F:F9:7F:53 eoip-tunnel2 bridge
2 D 02:38:92:53:EE:25 eoip-tunnel2 bridge 1s
3 DL 02:42:62:50:21:C8 eoip-tunnel1 bridge
4 D 2C:CC:44:34:B2:C9 ether1 bridge 6s
5 D 34:57:60:DB:35:A3 ether1 bridge 0s
6 D 3C:5C:C4:07:5A:43 ether1 bridge 6s
7 D 68:63:59:95:FF:DB ether1 bridge 27s
8 D 68:9A:87:54:56:90 ether1 bridge 6s
9 D 90:EF:68:3C:A9:67 eoip-tunnel2 bridge 3s
10 D AA:AA:AA:1B:45:C7 ether1 bridge 0s
11 D AA:AA:AA:1B:46:C7 ether1 bridge 0s
12 D BC:60:A7:DC:37:35 ether1 bridge 6s
13 D C4:95:00:AC:D5:BF ether1 bridge 6s
14 D CC:2D:E0:64:96:9F eoip-tunnel2 bridge 24s
15 DL CC:2D:E0:64:D3:88 ether1 bridge
16 DL CC:2D:E0:64:D3:89 bridge bridge

Again, thanks for your support
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Tue Mar 30, 2021 9:07 am

The problem is not the EoIP tunnels themselves - they are just victims of the PPTP problem with NAT. So until you set up a VPN which a) does not use TCP as transport and b) does not have problems with two clients behind the same public IP, the EoIP won't work at both sites simultaneously. And requirements a) and b) narrow the list to just two types of VPN out of those available on Mikrotik: L2TP without IPsec (so no encryption at all) and IKEv2.
Hi Sindy, I have been studying your posts regarding L2TP/IPsec not allowing 2 or more users from the same public IP to have internet access, but I see you have written here that L2TP without encryption is able to have more than one device have internet access. Can you help me achieve this? I stopped my non-encrypted tunnels because when I used IPsec on my phone it would sever the connection and/or stop the internet... But would it work if I use IKEv2 on my mobile and kept L2TP without encryption running at the same time? Can I have more than one non-encrypted L2TP tunnel working behind the same public IP and achieve NAT correctly out of the box?

Security is not an issue speed is however.

Thanks in advance, I will meanwhile try to test.
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Tue Mar 30, 2021 10:29 am

Yes, multiple bare L2TP clients can connect from behind the same NAT. And bare L2TP connections do not interfere with IKEv2 in any way.

The issue L2TP/IPsec has with NAT is caused by the fact that its standard requires use of transport mode of IPsec SA. If you don't use the dynamically generated IPsec configuration and manually set up your own one using tunnel mode of IPsec SA, you can use multiple IPsec-encrypted L2TP tunnels passing through the same NAT. But such setup is only possible with routers, not with phones; with PCs, there might be a way but I've never tested it, as it is much simpler to use IKEv2 on a PC than to set up this non-standard configuration.
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Thu Apr 01, 2021 12:55 pm

Yes, multiple bare L2TP clients can connect from behind the same NAT. And bare L2TP connections do not interfere with IKEv2 in any way.

The issue L2TP/IPsec has with NAT is caused by the fact that its standard requires use of transport mode of IPsec SA. If you don't use the dynamically generated IPsec configuration and manually set up your own one using tunnel mode of IPsec SA, you can use multiple IPsec-encrypted L2TP tunnels passing through the same NAT. But such setup is only possible with routers, not with phones; with PCs, there might be a way but I've never tested it, as it is much simpler to use IKEv2 on a PC than to set up this non-standard configuration.
Thank you Sindy, I will test this possible solution; at the moment I have not been successful with more than one bare L2TP tunnel using the same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?

Just at the stage of configuring IKEv2 for laptop and phone users, I have managed to connect but just trying to push all traffic through the tunnel.
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Thu Apr 01, 2021 1:14 pm

at the moment I have not been successful with more than one bare L2TP tunnel using the same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?
I don't know about any. But there were some issues with L2TP in one of the recent RouterOS versions, check the release announcement topics and the changelog for 6.47(.x) and 6.48(.x).
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Thu Apr 01, 2021 2:31 pm

at the moment I have not been successful with more than one bare L2TP tunnel using the same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?
I don't know about any. But there were some issues with L2TP in one of the recent RouterOS versions, check the release announcement topics and the changelog for 6.47(.x) and 6.48(.x).
Thanks I found this

*) l2tp - fixed multiple tunnel establishment from the same remote IP address (introduced in v6.47);

But I should be ok I am on the latest version RouterOS v6.48.1 (stable)

I will share my results once I test correctly.
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 11:41 am

at the moment I have not been successful with more than one bare L2TP tunnel using the same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?
I don't know about any. But there were some issues with L2TP in one of the recent RouterOS versions, check the release announcement topics and the changelog for 6.47(.x) and 6.48(.x).
Just to confirm, I am able to establish more than one bare L2TP tunnel from the same WAN IP, thanks for your help. But Sindy, I need to ask for your help once again, as I am not sure why Mikrotik have not been willing to support me even though I was under the impression my new licence comes with help setting up...

I have followed this guide: https://mum.mikrotik.com//presentations ... 797375.pdf
I am trying to start a IKEv2 tunnel through RADIUS.
https://ibb.co/TYxF9T2
https://ibb.co/nksTC3K
https://ibb.co/fQF70Gt
However, I can't establish the tunnel to the Mikrotik server. I have also included the screenshots of the logs; any idea what I could be doing wrong?

Thank you in advance.
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 12:50 pm

I don't think Mikrotik support has enough manpower to provide individual configuration assistance even to first time users, that's a job for consultants or maybe distributors.

Here on the forum, please, don't refer to presentations or, even worse, videos. The time used to watch these can be used more efficiently. Instead, describe the actual goal and, where applicable, the environment, and provide the complete export of the current configuration which fails, minus sensitive data (see my automatic signature below regarding how to remove sensitive information without destroying the relationship between configuration objects).

For configurations and logs, do not use screenshots. The information density in screenshots is too low.

On the responder, run
/system logging add topics=ipsec,!packet
/system logging add topics=radius
/log print follow-only where topics~"ipsec|radius" file=ipsec-start-responder


If the initiator is a Mikrotik, do the same, except for radius.

Then make a connection attempt and once it fails, stop the /log print, download the file(s), and if you can't find the issue yourself in them, post them here, each between [code] and [/code] tags, or as text attachments to the post.
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 2:39 pm

Hi Sindy, I really appreciate this.

I couldn't spot anything that would help me solve the issue. but here are the log files and tried to follow your instructions the best I could.

Thanks again.

Ras
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 2:45 pm

It has to be /export hide-sensitive file=any-name-you-prefer. The result of /system backup save cannot be read.

And the log seems to be cut short, is it really all?
 
rass121
just joined
Posts: 9
Joined: Mon Mar 15, 2021 11:02 am

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 2:51 pm

It has to be /export hide-sensitive file=any-name-you-prefer. The result of /system backup save cannot be read.

And the log seems to be cut short, is it really all?
Hi Sindy, is this better?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two EOIP tunnels and traffic problem

Fri Apr 02, 2021 3:44 pm

If the log is complete, it means the client did not respond to the last PDU (split into two packets), either because it didn't like it or because it did not receive it at all.

Misconfigurations I've spotted:
  • the presentation you refer to uses username&password authentication of the clients, but the eap-methods field did not fit to the slide showing the responder (server) configuration; it has to be set to eap-mschapv2 or maybe to eap-peap or eap-ttls. If no value is specified, it defaults to eap-tls, which means that the responder requests a certificate from the client (see the log: ipsec adding payload: CERTREQ)
  • the certificate item on the identity row must refer to an own certificate of the responder (server); in your case, you've placed there a list of CA and Client. None of these names sounds like a name of a server certificate to me.
The embedded VPN client of current Windows 10 has certain requirements to an IPsec server certificate in order that it would accept it:
  • it must be signed by a certification authority the client can track down to a trusted root CA (installed in the Trusted Root CAs folder of client's certificate store)
  • its Subject Alternative Name must contain the IP address to which the client is connecting, or an FQDN (DNS name) which the client can resolve to that IP address
  • its key-usage field must contain tls-server and maybe also ipsec-tunnel and/or ipsec-endsystem. Better use all three when creating the certificate. (These field and item names are ones used by Mikrotik; in fact, there are two distinct fields for key usages in the certificate, and the names of the individual items also vary depending on the operating system's conventions).
If it still doesn't work after you fix all that, provide a new export & log, and also sniff at the Windows machine using Wireshark while connecting.

BTW, you should have created a separate topic. We've got very far from the original theme of this one.
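The three certificate requirements listed in the post above can be verified offline with Go's standard crypto/x509 package. The following is an added example; it is not code from this thread, from MikroTik or from Windows. It issues a throwaway CA and a responder certificate carrying an IP Subject Alternative Name and the tls-server, ipsec-tunnel and ipsec-endsystem usages, then checks the chain against a trust store, the SAN against the address the client dials, and the extended key usages. A second certificate is built without the SAN and the IPsec usages, under a CA the client does not trust, to show what each failing requirement reports. The addresses and names (198.51.100.5, vpn.example.net, example-vpn-ca) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RequiredEKUs are the usages named in the post for the responder certificate;
// Mikrotik calls them tls-server, ipsec-tunnel and ipsec-endsystem.
var RequiredEKUs = []x509.ExtKeyUsage{
	x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageIPSECTunnel, x509.ExtKeyUsageIPSECEndSystem,
}

// signCert issues tmpl signed by parent (self-signed when parent == tmpl).
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a throwaway CA and a responder certificate signed by it.
// sanIP/sanDNS go into the Subject Alternative Name, ekus into extendedKeyUsage.
func BuildChain(sanIP, sanDNS string, ekus []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-vpn-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn.example.net"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}
	if sanIP != "" {
		leafTmpl.IPAddresses = []net.IP{net.ParseIP(sanIP)}
	}
	if sanDNS != "" {
		leafTmpl.DNSNames = []string{sanDNS}
	}
	leaf, err = signCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return
}

// CheckServerCert applies the post's three requirements and returns the problems
// found; an empty result means the certificate satisfies all of them.
func CheckServerCert(leaf *x509.Certificate, trusted *x509.CertPool, dial string) []string {
	var problems []string
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		problems = append(problems, "chain: "+err.Error())
	}
	if err := leaf.VerifyHostname(dial); err != nil { // matches IPAddresses or DNSNames
		problems = append(problems, "san: "+err.Error())
	}
	for _, want := range RequiredEKUs {
		found := false
		for _, have := range leaf.ExtKeyUsage {
			found = found || have == want
		}
		if !found {
			problems = append(problems, fmt.Sprintf("eku: missing usage %d", want))
		}
	}
	return problems
}

// Evaluate checks a correctly issued certificate and a defective one (no SAN,
// only tls-server, issued by a CA absent from the trust store).
func Evaluate() (good, bad []string, err error) {
	const dial = "198.51.100.5" // constructed responder address
	ca, leaf, err := BuildChain(dial, "vpn.example.net", RequiredEKUs)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	good = CheckServerCert(leaf, pool, dial)
	_, badLeaf, err := BuildChain("", "", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return
	}
	bad = CheckServerCert(badLeaf, x509.NewCertPool(), dial)
	return
}

func main() {
	good, bad, err := Evaluate()
	fmt.Println("correct certificate:", good, err)
	fmt.Println("defective certificate:", bad)
}
```

The correct certificate produces no problems; the defective one reports four (untrusted chain, no SAN match for the dialled IP, and the two missing IPsec usages). Go's verifier stands in for the Windows trust store here: the checks mirror the list in the post, not Windows internals, so a certificate that passes them still has to be issued by a CA present in the client's Trusted Root CAs folder.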
