urbanmiles
just joined
Topic Author
Posts: 8
Joined: Thu Dec 08, 2016 6:28 am

CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Fri Jun 07, 2019 1:18 pm

Hi guys!

Newbie here in VPN configuration.
I would like to implement the network diagram I attached here using EOIP over L2TP with IPSEC.

Everything is connected, but I can only ping the following...
1. FROM REMOTE SITE (STATIC PUBLIC IP)
-- I can ping the Office LAN network devices

2. FROM THE OFFICE SITE (DYNAMIC PUBLIC IP - I used IP Cloud here)
-- I can only ping the bridge IP of the Remote Site, which is 192.168.88.2
-- I CANNOT ping the devices inside the LAN of the Remote Site

What seems to be wrong or missing in my configuration?
TIA!

SERVER SIDE CONFIG
# jun/07/2019 17:53:44 by RouterOS 6.44.3

# model = RB750Gr3

/interface bridge
add admin-mac=//restricted// auto-mac=no name=bridge1 protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps

/interface eoip
add allow-fast-path=no ipsec-secret=eoip123 local-address=172.16.0.1 \
    mac-address=//restricted// name=eoip-tunnel1 remote-address=172.16.0.2 \
    tunnel-id=10

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge1 name=defconf

/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=eoip-tunnel1

/ip neighbor discovery-settings
set discover-interface-list=discover

/interface l2tp-server server
set enabled=yes ipsec-secret=passipsec use-ipsec=required

/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter
add action=accept chain=input dst-port=500,4500,1701 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none

/ppp secret
add local-address=172.16.0.1 name=user1 password=leandro profile=\
    default-encryption remote-address=172.16.0.2 service=l2tp

/system clock
set time-zone-name=Asia/Manila

/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no

/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

CLIENT SIDE CONFIGURATION
# jun/07/2019 17:59:36 by RouterOS 6.44.3
# software id = V75V-51GG
#
# model = RB750Gr3

/interface bridge
add admin-mac=//RESTRICTED// auto-mac=no name=bridge
/interface l2tp-client
add connect-to=1.1.1.1 disabled=no ipsec-secret=\
    passipsec name=l2tp-out1 password=leandro use-ipsec=yes user=user1
/interface eoip
add allow-fast-path=no ipsec-secret=eoip123 local-address=172.16.0.2 \
    mac-address=//RESTRICTED// name=eoip-tunnel1 remote-address=172.16.0.1 \
    tunnel-id=10

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=eoip-tunnel1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.88.2/24 interface=bridge network=192.168.88.0

/ip cloud
set ddns-enabled=yes

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN


/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Manila
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by urbanmiles on Sat Jun 08, 2019 2:55 am, edited 1 time in total.
 
tdw
Member Candidate
Posts: 118
Joined: Sat May 05, 2018 11:55 am

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 12:53 am

The configurations are missing some important configuration details, so you may have misunderstood what local-address and remote-address do - they are the address the EoIP packets originate from and are sent to, typically the WAN IP of the two Mikrotiks. In the diagram you also have clients 192.168.88.x addresses, but the bridge and LAN addresses are 192.168.0.x

EoIP over L2TP over IPsec is unnecessary if both WAN addresses are fixed as you can use EoIP over IPsec directly.
 
urbanmiles
just joined
Topic Author
Posts: 8
Joined: Thu Dec 08, 2016 6:28 am

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 3:13 am

Hi TDW,

Thanks for the response.

Please disregard the 192.168.0.2/24 for the bridge IP; in the actual script I posted it is really 192.168.88.2/24. I just cannot revise the image, I am offsite right now.

For the public IPs, the main office site uses a static IP and the remote site uses a dynamic one, so I used IP Cloud at the remote site. I added this info to my original post.

For the EOIP, I used the same Local and remote addresses that I used for the Secrets in the L2TP interface, that is:

AT MAIN OFFICE:
— Local IP for secret used in L2TP interface: 172.16.0.1
— Remote IP for secret used in L2TP interface: 172.16.0.2
— Local IP used in EOIP interface: 172.16.0.1
— Remote IP used in EOIP interface: 172.16.0.2

AT REMOTE OFFICE:
— Local IP for secret used in L2TP interface: 172.16.0.2
— Remote IP for secret used in L2TP interface: 172.16.0.1
— Local IP used in EOIP interface: 172.16.0.2
— Remote IP used in EOIP interface: 172.16.0.1

I followed some reference material that implements EOIP over L2TP/IPSEC for this; I will post it here also.

From the Remote Office LAN, I can already ping the Main Office router and the devices inside its LAN.

From the Main Office LAN, I can only ping the Remote Office router but not the devices inside its LAN.

I was thinking that maybe I am missing a routing config that will let my ping from the Main Office reach the LAN devices of the Remote Office.

Or a firewall policy is blocking the ping — but I tried disabling all my firewall policies except for the ones related to VPN, and still no luck.
 
mistry7
Forum Guru
Posts: 1218
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 5:15 am

This config is more than worse....

Why L2TP if you are using EoIP instead? (You can do IPsec with EoIP directly.)
And for dyn. IPs there are other ways, like DynDNS and scripts.
But EoIP over the Internet will end in MTU problems.

Why don't you use L2TP for bridging?

https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)
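The L2TP bridge-mode alternative that the linked manual page covers and that sindy describes later in this thread, written out as an added example; these are not commands from any of the posters. It assumes the names from the two configs posted above (bridge1 and /ppp secret user1 at the main office; bridge and l2tp-out1 at the remote office; both sides using the default-encryption PPP profile) and replaces the EoIP bridge port with the L2TP session itself via the bridge attribute of the PPP profile (BCP), so the existing L2TP/IPsec tunnel carries the Ethernet frames and the EoIP layer is no longer needed.

```routeros
# ===== Main office (L2TP server, bridge1) =====
# Take the EoIP interface out of the bridge and disable it; the L2TP session replaces it
/interface bridge port remove [find interface=eoip-tunnel1]
/interface eoip disable eoip-tunnel1
# The /ppp secret user1 refers to profile default-encryption: attach that session to bridge1
/ppp profile set default-encryption bridge=bridge1

# ===== Remote office (L2TP client, bridge) =====
/interface bridge port remove [find interface=eoip-tunnel1]
/interface eoip disable eoip-tunnel1
# The l2tp-client uses profile default-encryption as well: attach its session to the local bridge
/ppp profile set default-encryption bridge=bridge
/interface l2tp-client set l2tp-out1 profile=default-encryption

# ===== Verify on either side after the client reconnects =====
# The L2TP interface should now appear as a (dynamic) port of the bridge
/interface bridge port print
# Hosts on both LANs should be visible in one MAC table
/interface bridge host print
```

Because both LANs are still one 192.168.88.0/24 segment, the DHCP server on bridge1 at the main office will now hand out leases to remote hosts as well, which matches the posted setup (the remote router has no DHCP server). The MTU point mistry7 raises still applies: every Ethernet frame now travels inside L2TP inside IPsec, so check the L2TP server's max-mtu/max-mru and the bridge's L2 MTU if large frames are lost.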
 
urbanmiles
just joined
Topic Author
Posts: 8
Joined: Thu Dec 08, 2016 6:28 am

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 9:45 am

Yeah, and I am a newbie seeking some help. Clearly, your English is worse than my config. Thanks anyway. ✌🏽
 
mistry7
Forum Guru
Posts: 1218
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 3:06 pm

Yeah, and I am a newbie seeking some help. Clearly, your English is worse than my config. Thanks anyway. ✌🏽
This is more about a smartphone and a non-English auto-correction.
 
tdw
Member Candidate
Posts: 118
Joined: Sat May 05, 2018 11:55 am

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 3:33 pm

From the Remote Office LAN, I can already ping the Main Office router and the devices inside its LAN.

From the Main Office LAN, I can only ping the Remote Office router but not the devices inside its LAN.

I was thinking that maybe I am missing a routing config that will let my ping from the Main Office reach the LAN devices of the Remote Office.

Or a firewall policy is blocking the ping — but I tried disabling all my firewall policies except for the ones related to VPN, and still no luck.
If you can ping 192.168.88.2 from the main office, there shouldn't be anything stopping you pinging 192.168.88.104, etc. at the remote office; routing and IP firewalls do not play a part as it is layer 2 bridged traffic.

Are all of the MAC addresses on the bridges and EoIP tunnels unique?
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sat Jun 08, 2019 6:38 pm

My five cents - does /interface eoip print show the EoIP tunnel interfaces as running at both ends? Why I ask - if the L2TP tunnel is not yet active at the moment when the EoIP tunnel sends its first transport packet, the transport packet takes the default route via WAN and thus creates a src-nated connection in connection tracking. When the L2TP tunnel comes up later, the further transport packets are sent via the L2TP tunnel but still get src-nated by the connection tracking, so the remote end sees them as coming from a wrong address and ignores them.

So if the EoIP tunnels are not running, I guess the above is the reason, and you can check this using /ip firewall connection print detail where protocol~"gre" and srcnat. If it shows a connection, you'll see its reply-dst-address to be the one of your WAN.

Other than that, @mistry7 is right that you are wasting MTU on the task (let alone the expressive wording, I'm also not always as calm as now ;) ). As you use a Mikrotik device on both ends, and you don't use VLANs, you can use the L2TP connection itself for bridging, you don't need to use EoIP for the purpose. To do so, it is enough to set the bridge attribute of the /ppp profile referred to by interface l2tp-client at client side and by /ppp secret at server side to the name of a local bridge to connect the interface to. This way, the L2TP connection creates two tunnels in parallel, an L2 one between the bridges, and another L3 one as usual.

So unless you need to use VLANs on the L2 tunnel or have some other reason to use EoIP rather than L2TP's bridge mode, go that way. If you insist on EoIP, come back for advice how to deal with the startup order issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
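The check sindy describes, followed by one way to clear and then prevent the startup-order problem, as an added example; apart from the two print commands quoted from the post above, these are not sindy's or the thread's own commands. It assumes the main-office router's names from the posted config (eoip-tunnel1, ether1 as WAN, L2TP peer 172.16.0.2) and uses a blackhole route, a common RouterOS approach the thread itself does not give, so that a GRE transport packet sent while the L2TP session is down is discarded instead of being masqueraded out of the WAN and pinned to the wrong source address by connection tracking.

```routeros
# ===== Main office router; on the remote router swap the two 172.16.0.x addresses =====

# 1. Is the EoIP interface running (R flag) now that the L2TP session is up?
/interface eoip print where name=eoip-tunnel1
/interface l2tp-server print

# 2. Look for a GRE connection that was created while L2TP was still down and therefore
#    left via ether1 and was masqueraded: its reply-dst-address is the WAN address, not 172.16.0.1
/ip firewall connection print detail where protocol~"gre" and srcnat

# 3. Remove that stale entry so the next GRE packet is evaluated afresh and now follows the
#    connected route through the L2TP interface (conntrack decides NAT only on a flow's first packet)
/ip firewall connection remove [find where protocol~"gre" and srcnat]

# 4. Prevent a recurrence: a /32 blackhole for the tunnel peer is more specific than the default
#    route, so it wins while L2TP is down, but loses (distance 250) to the distance-0 connected
#    route the L2TP session installs for 172.16.0.2 as soon as the client connects
/ip route add dst-address=172.16.0.2/32 type=blackhole distance=250 \
    comment="EoIP transport: never send to the L2TP peer via WAN"

# 5. Re-check: no src-nated GRE connection should remain and the EoIP interface should be running
/ip firewall connection print where protocol~"gre"
/interface eoip print where name=eoip-tunnel1
```

The blackhole route is the piece that matters operationally: without it, every reboot or L2TP drop can recreate the masqueraded GRE entry, and the tunnel stays dead until the entry times out or is removed by hand. Step 4 is only needed if EoIP is kept; with L2TP bridge mode, as recommended above, there is no separate transport packet to misroute.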
 
urbanmiles
just joined
Topic Author
Posts: 8
Joined: Thu Dec 08, 2016 6:28 am

Re: CANNOT PING MAIN OFFICE LAN DEVICES USING EOIP OVER L2TP WITH IPSEC

Sun Jun 09, 2019 2:11 pm

Thanks a lot tdw and sindy! Will surely try the info you've provided... will update here with the results... 🙏🏽🙂
