Community discussions

MUM Europe 2020
 
mike19
just joined
Topic Author
Posts: 5
Joined: Sat Jun 09, 2018 8:10 am

VPN and Route Problem

Wed Nov 27, 2019 10:30 am

I have an RB4011 (200.10) connected in VPN to other sites and to some remote users. Some VPNs are l2tp on MT and others are authenticated on an internal OpenVPN server (210.30).
The clients inside the LAN (200.X) can reach the locations connected in openvpn (there is a static route for each location 13.0 / 14.0 etc) while from the other VPNs(on MT) and from the RB4011(internal ping) I cannot reach the OpenVPN locations).
The l2tp VPNs are regularly accessed by the other l2tp VPNs
In the future all OpenVPN VPNs will be moved to L2TP and managed by RB4011

Image
# nov/27/2019 09:32:52 by RouterOS 6.45.7

/interface bridge
add admin-mac=74:4D:28:86:5E:0C auto-mac=no comment=defconf name=bridge-lan
add name=bridge-ovpn
add name=bridge-voip
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.200.120-192.168.200.190
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.201.50-192.168.201.80
add name=dhcp_pool3 ranges=192.168.210.50-192.168.210.80
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan name=defconf
add address-pool=dhcp_pool2 disabled=no interface=bridge-voip name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=bridge-ovpn name=dhcp2
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=sfp-sfpplus1
add bridge=bridge-lan interface=ether4
add bridge=bridge-ovpn interface=ether5
add bridge=bridge-voip interface=ether6
add bridge=bridge-voip interface=ether7
add bridge=bridge-voip interface=ether8
add bridge=bridge-voip interface=ether9
add bridge=bridge-voip interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes ipsec-secret=Mn7HfXml use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-voip list=LAN
add interface=bridge-ovpn list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.200.10/24 comment="BRIDGE LAN" interface=ether2 network=\
    192.168.200.0
add address=192.168.117.1/24 comment="WAN PRIVATE" interface=ether1 network=\
    192.168.117.0
add address=XXX.XXX.XXX.XX/24 comment="WAN PUBLIC SNAT" interface=ether1 \
    network=XXX.XXX.XXX.0
add address=192.168.201.10/24 comment="BRIDGE VOIP" interface=bridge-voip \
    network=192.168.201.0
add address=192.168.210.10/24 comment="BRIDGE OVPN" interface=bridge-ovpn \
    network=192.168.210.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.200.0/24 comment=defconf gateway=192.168.200.10 netmask=\
    24
add address=192.168.201.0/24 gateway=192.168.201.10
add address=192.168.210.0/24 gateway=192.168.210.10
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.200.10 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address=192.168.200.0/24
add action=accept chain=input comment="allow OPENVPN" dst-port=1195 protocol=\
    udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN to-addresses=109.205.109.62
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="OpenVPN Server" dst-port=1195 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.210.30 to-ports=\
    1195
/ip route
add distance=1 gateway=192.168.117.254
add distance=1 dst-address=192.168.13.0/24 gateway=192.168.210.30
add distance=1 dst-address=192.168.14.0/24 gateway=192.168.210.30
add distance=1 dst-address=192.168.15.0/24 gateway=192.168.210.30
add distance=1 dst-address=192.168.16.0/24 gateway=192.168.210.30
add distance=1 dst-address=192.168.17.0/24 gateway=192.168.210.30
add distance=1 dst-address=192.168.19.0/24 gateway=192.168.210.30
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add comment=CONFIGURATION name=BBBBBB password=BBBBBB profile=\
    default-encryption service=l2tp
add comment=USER name=AAAAAA password=NEVw4HeN profile=default-encryption \
    service=l2tp
add comment=SITE name=CCCC password=CCCC profile=\
    default-encryption routes=192.168.20.0/24 service=l2tp
add comment=SITE name=DDDDD password=DDDDD profile=\
    default-encryption routes=192.168.21.0/24 service=l2tp
/system ntp client
set enabled=yes primary-ntp=31.14.133.122 secondary-ntp=85.199.214.99
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by mike19 on Wed Nov 27, 2019 10:19 pm, edited 4 times in total.
 
Zacharias
Forum Guru
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VPN and Route Problem

Wed Nov 27, 2019 7:27 pm

Am confused...
A diagram always help...
 
mike19
just joined
Topic Author
Posts: 5
Joined: Sat Jun 09, 2018 8:10 am

Re: VPN and Route Problem

Wed Nov 27, 2019 10:46 pm

added Diagram
 
Zacharias
Forum Guru
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VPN and Route Problem

Wed Nov 27, 2019 11:52 pm

You do not have access, because for example, at the remote-site, when you want to access the 13.0/24 network, that router does not know how to get there. So you should add routes for that network with gateway the vpn connection with the 4011...
from the RB4011(internal ping) I cannot reach the OpenVPN locations).
Seems like a routing problem as well
 
mike19
just joined
Topic Author
Posts: 5
Joined: Sat Jun 09, 2018 8:10 am

Re: VPN and Route Problem

Thu Nov 28, 2019 9:56 am

What I don't understand is that when I connect in VPN (l2tp) with Windows and I make tun tracert towards for example 13.1 I see that the traffic arrives at 210.30 but does not answer, the same thing from the internal ping of the RB4011 (200.10) from internal client (200.X) all work fine
 
sindy
Forum Guru
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN and Route Problem

Sat Nov 30, 2019 6:04 pm

Does the OpenVPN's kernel routing table have 192.168.210.10 as a gateway for the subnets from which the 4011 assigns addresses to its L2TP clients? If you ping from the 4011 itself, the source address of the packets is 192.168.210.10 which is in the OpenVPN server's connected subnet so the backward route is there automatically; if you e.g. send the whole 192.168.0.0/16 to the OpenVPN TAP in the OpenVPN server's kernel routing table, there is no wonder that the server doesn't send the responses towards the addresses of L2TP clients to the 4011.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mike19
just joined
Topic Author
Posts: 5
Joined: Sat Jun 09, 2018 8:10 am

Re: VPN and Route Problem

Mon Dec 02, 2019 6:17 pm

Solved. The problem was in the OpenVPN server configuration file where 89.0 was not specified
 
Zacharias
Forum Guru
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VPN and Route Problem

Mon Dec 02, 2019 7:07 pm

Solved. The problem was in the OpenVPN server configuration file where 89.0 was not specified
Whois 89.0 ?
 
mike19
just joined
Topic Author
Posts: 5
Joined: Sat Jun 09, 2018 8:10 am

Re: VPN and Route Problem

Mon Dec 09, 2019 10:13 am

/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
89.0 is the subnet for the VPN L2TP(MT)

Who is online

Users browsing this forum: Google [Bot], MSN [Bot] and 82 guests