It seems (I could be wrong) that the tunnel is running on the Mikrotik, but when the computer sends packets over the tunnel (I see the Tx on the interface have activity) there is nothing that comes back (the Rx is always 0).
This is my simple configuration:
Code: Select all
/interface l2tp-client
add connect-to=gupsters.ddns.net disabled=no ipsec-secret=XXX name=\
sfo_vpn password=XXX use-ipsec=yes user=XXX
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!local \
new-routing-mark=to_sfo_vpn passthrough=yes src-address=10.10.3.155
/ip route
add check-gateway=ping distance=1 gateway=sfo_vpn routing-mark=to_sfo_vpn
Code: Select all
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
# ignore other specialized NAT forwards
Code: Select all
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
2 X ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
4 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
7 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
8 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
9 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
10 ;;; For L2TP/IPSec
chain=input action=accept protocol=udp port=1701,500,4500
11 X ;;; For L2TP/IPSec
chain=input action=accept protocol=ipsec-esp
12 chain=input action=accept in-interface=all-ppp log=no log-prefix=""
13 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
Code: Select all
Local Address 192.168.10.2
Remote Address 10.255.255.0
