vader7071

L2TP/IPSec VPN - Remote device connects, cannot access internet

Wed Mar 25, 2020 7:45 pm

I have followed quite a few tutorials and read up on how to create an L2TP/IPSec VPN connection to my router. Currently, I am using an RB951 routerboard.

Desired Result:
I am trying to connect my Samsung Note 8 to my home network for VPN access so my home firewall rules will be in effect at all times on my device.

Current status:
My Note 8 will connect to my home network. I can see the connection inside WinBox. As long as I am not connected to the VPN, the Note 8 can access the internet. However, when I connect to the VPN, I cannot access the internet.

I am at a loss as to what the cause may be. I have exported my configuration and pasted it below. I may have included too much information, but I want to ensure that any questions can be answered.

Thank you in advance for your help.
# mar/25/2020 11:49:20 by RouterOS 6.46.2
#
# model = 951G-2HnD
# Reviewer notes below are '#' comment lines only; every configuration line is left as exported.

/interface bridge
# proxy-arp on the bridge makes the router answer ARP for addresses it can route; presumably this is
# how the VPN pool (192.168.16.x) is meant to be reachable from the LAN side — confirm it is intended.
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge1

/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN

/interface l2tp-server
# Static L2TP interface pre-bound to a single user (name masked in the export).
add name=L2TP/IPSec_VPN user=********

/ip ipsec policy group
set [ find default=yes ] name=L2TP/IPSec_VPN

/ip ipsec profile
# IKE (phase 1) settings. 3des is a legacy cipher; keep it only if a client cannot negotiate AES.
add enc-algorithm=aes-256,aes-128,3des name=L2TP/IPSec_VPN

/ip ipsec proposal
# Phase 2 proposal (the default one, with a comment set). 3des appears here as well — see note above.
set [ find default=yes ] comment="2020-03-25 L2TP/IPSEC VPN" enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=1h

/ip pool
add name=dhcp_pool1 ranges=192.168.15.100-192.168.15.150
# VPN clients get 192.168.16.151-175, a different subnet from the LAN pool. 192.168.16.0/24 is also
# assigned on bridge1 below and is in the 'internal' address list used by the masquerade rule.
add comment="2020-03-25 VPN Pool" name=VPN ranges=192.168.16.151-192.168.16.175

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=dhcp1

/ip ipsec mode-config
# mode-config assigns addresses to IKE clients; the L2TP server assigns addresses through the ppp
# profile instead, so this entry is presumably unused by the L2TP/IPsec setup — confirm it is still needed.
add address-pool=VPN name=VPN system-dns=no

/ppp profile
# local-address=192.168.15.255 is the broadcast address of 192.168.15.0/24 (bridge1 holds 192.168.15.1/24
# below); the default profile on the next line uses .254. A broadcast address as the tunnel's local end
# is a likely reason the client cannot route through the tunnel — use a host address such as .254 or
# 192.168.16.1. dns-server=8.8.8.8 is pushed to VPN clients; LAN clients get the 208.67.x resolvers from
# the DHCP network entry. use-upnp=yes lets VPN clients request port mappings — confirm that is intended.
add change-tcp-mss=yes comment="2020-03-25 L2TP/IPSec VPN Access" dns-server=8.8.8.8 local-address=192.168.15.255 name=L2TP-Profile remote-address=VPN use-encryption=yes use-upnp=yes
# *FFFFFFFE is presumably the built-in 'default' profile; it is given the same pool and DNS server.
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.15.254 remote-address=VPN

/interface bridge port
add bridge=bridge1 hw=no interface=ether3-LAN
add bridge=bridge1 hw=no interface=ether4-LAN
add bridge=bridge1 hw=no interface=ether1-LAN
add bridge=bridge1 hw=no interface=ether5-LAN
add bridge=bridge1 interface=wlan1

/interface bridge settings
# Bridged (LAN-to-LAN) traffic is passed through /ip firewall as well, so the forward rules below
# also see frames between bridge ports.
set use-ip-firewall=yes

/ip neighbor discovery-settings
set discover-interface-list=discover

/interface detect-internet
set detect-interface-list=all

/interface l2tp-server server
# use-ipsec=yes with a pre-shared secret: IPsec is required for every L2TP connection. The 1460 MRU/MTU
# together with change-tcp-mss=yes in the profile are the usual MTU work-around for L2TP/IPsec.
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes ipsec-secret=******** keepalive-timeout=disabled max-mru=1460 max-mtu=1460 use-ipsec=yes

/interface list member
add interface=ether4-LAN list=discover
add interface=ether3-LAN list=discover
add interface=ether2-WAN list=discover
add interface=ether1-LAN list=discover
add interface=bridge1 list=discover
add interface=ether5-LAN list=discover
# The LAN/WAN memberships below are inverted: ether4-LAN is in list WAN and ether2-WAN is in list LAN.
# No filter rule in this export matches on these lists, so this is harmless today, but any future rule
# written as in-interface-list=WAN will apply to the wrong port.
add interface=ether4-LAN list=WAN
add interface=ether3-LAN list=LAN
add interface=ether2-WAN list=LAN
add interface=ether1-LAN list=LAN
add interface=ether5-LAN list=LAN
add interface=wlan1 list=LAN

/interface pptp-server server
# PPTP is still enabled and accepts pap/chap/mschap1, which are weak authentication methods, and
# default-profile=VPN-IN does not appear anywhere in this export. If L2TP/IPsec replaces PPTP, disable
# this server together with the TCP/1723 input rule below.
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN-IN enabled=yes max-mru=1460 max-mtu=1460

/interface sstp-server server
set default-profile=default-encryption

/ip address
# 192.168.15.1/24 is assigned twice: on ether3-LAN (a bridge port) and on bridge1. Addresses belong on
# the bridge, not on its member ports; the ether3-LAN entry looks like a leftover.
add address=192.168.15.1/24 interface=ether3-LAN network=192.168.15.0
add address=192.168.15.1/24 interface=bridge1 network=192.168.15.0
# Router address in the same /24 as the VPN pool.
add address=192.168.16.1/24 interface=bridge1 network=192.168.16.0

/ip dhcp-client
# use-peer-dns=no: the router keeps the static resolvers from /ip dns rather than the ISP's.
add disabled=no interface=ether2-WAN use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.15.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.15.1 netmask=24

/ip dns
# 6.6.6.6 is not a known public resolver and is probably a typo — verify. allow-remote-requests=yes makes
# the router answer DNS on every interface; with no drop rule in chain=input (see filter below) it is an
# open resolver toward the WAN side. Restrict UDP/TCP 53 on input to LAN and VPN sources.
set allow-remote-requests=yes servers=8.8.8.8,6.6.6.6

/ip dns static
add address=192.168.15.1 name=router.lan

/ip firewall address-list
# 'internal' covers both the LAN and the VPN subnet and drives the masquerade rule.
add address=192.168.15.0/24 list=internal
add address=192.168.16.0/24 list=internal
# 'private' (192.168.10/24, 192.168.100/24) is the management allow-list. Neither subnet is configured
# on this router, so presumably they are remote networks; SSH from the LAN or from VPN clients is not
# matched by the 'private' rules below.
add address=192.168.10.0/24 list=private
add address=192.168.100.0/24 list=private
# Defined but not referenced by any rule in this export.
add address=192.168.16.0/24 comment="2020-03-25 L2TP/IPSec VPN" list=L2TP/IPSec_VPN

/ip firewall filter
# Rule order matters: the first matching rule wins.
# The first rule keeps 'ipsec'-marked connections (set in mangle below) out of fasttrack, but the second
# rule fasttracks every established/related connection with no mark condition, which cancels that
# exclusion — as the rule comments themselves imply, fasttracked packets are not processed by IPsec
# policies. Whether this is what breaks the L2TP client cannot be told from the export alone, but the
# second rule should also carry connection-mark=!ipsec, or be removed.
add action=fasttrack-connection chain=forward comment="L2TP/IPSEC VPN Fasttrack non IPSEC" connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fasttrack Accept" connection-state=established,related
add action=accept chain=forward comment="Fasttrack Bypass" connection-state=established,related
# 'inbound' is not a built-in chain (input, forward and output are) and no rule in this export jumps to
# it, so every chain=inbound rule — drop invalid, the ftp/ssh blacklists, the icmp drop, the 'private'
# accept — never evaluates. The only chain=input rule is the PPTP accept and there is no final drop, so
# router services (WinBox, SSH, DNS) are reachable from the WAN side. Rename these rules to chain=input,
# add accepts for the L2TP/IPsec ports (UDP 500, 4500, 1701 and ESP) and end the chain with a drop.
add action=accept chain=inbound comment="Accept established connections" connection-state=established
add action=accept chain=input comment="2020-03-25 PPTP VPN" dst-port=1723 protocol=tcp
add action=drop chain=inbound comment="Drop invalid" connection-state=invalid
add action=drop chain=inbound comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# FTP brute-force tarpit pair (accept a rate-limited "530 Login incorrect", blacklist the rest for 3h).
# The same two rules appear again further down; the second copies are redundant.
add action=accept chain=output comment="LoginIncorrect Tarpitting" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=accept chain=inbound comment="SSH for secure shell" dst-port=22 protocol=tcp src-address-list=private
# Nothing in this export populates icmp-attack, ssh_blacklist, smtp-bypass or spam-block; only
# ftp_blacklist has an add-to rule, so the rules that match on the other lists never fire.
add action=drop chain=forward comment="drop excessive icmp traffic for 12 hours" protocol=icmp src-address-list=icmp-attack
add action=drop chain=inbound comment="Drop excess icmp" protocol=icmp
add action=reject chain=inbound reject-with=icmp-admin-prohibited src-address-list=ssh_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# Duplicate of the "SSH for secure shell" rule above.
add action=accept chain=inbound comment="allow private addresses for ssh" dst-port=22 protocol=tcp src-address-list=private
add action=accept chain=forward comment="allow smtp-bypass list to create multiple sessions" dst-port=25 protocol=tcp src-address-list=smtp-bypass
add action=drop chain=forward comment="drop smtp traffic marked as spam" dst-port=25 protocol=tcp src-address-list=spam-block
add action=accept chain=inbound comment="Internal traffic can do what it wants." src-address-list=private
add action=accept chain=output comment="Allow everything out"

/ip firewall mangle
# Marks connections that carry an IPsec policy so the first forward rule can skip fasttrack for them;
# only effective if the second fasttrack rule above honours the mark as well.
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack - L2TP IPSEC" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack - L2TP IPSEC" ipsec-policy=in,ipsec new-connection-mark=ipsec

/ip firewall nat
# Source NAT for 'internal' (LAN + VPN pool) toward everything except 'private', so VPN clients are
# covered and a missing NAT is unlikely to be the cause. Note there is no out-interface match and
# 192.168.16.0/24 is not in 'private', so LAN<->VPN traffic between the two internal subnets is
# masqueraded too; dst-address-list=!internal or out-interface=ether2-WAN would avoid that.
add action=masquerade chain=srcnat dst-address-list=!private src-address-list=internal

/ip ipsec identity
# can't add identity to dynamic peer
# The l2tp-in-server peer and this identity are presumably created by the L2TP server itself from
# ipsec-secret (the export comment above notes they cannot be re-added by hand).
add generate-policy=port-override peer=l2tp-in-server remote-id=ignore secret=**********

/ip ipsec policy
# Edits policy 0, presumably the default template from which per-client policies are generated with
# port-override above. Check that this did not turn the template into a catch-all tunnel policy.
set 0 comment="2020-03-25 L2TP/IPSec VPN" dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip route
# The static default route is disabled; the DHCP client on ether2-WAN is assumed to install one — confirm
# with /ip route print that an active 0.0.0.0/0 exists, otherwise neither LAN nor VPN reaches the internet.
add disabled=yes distance=1 gateway=ether2-WAN
# Static route for the LAN prefix via the WAN port. The connected route on bridge1 (distance 0) wins, so
# this is inert, but it looks like a mistake and should be removed.
add distance=1 dst-address=192.168.15.0/24 gateway=ether2-WAN

/ppp secret
# Single L2TP user bound to L2TP-Profile (credentials masked in the export).
add comment="2020-03-25 Chris VPN Profile" name=****** password=****** profile=L2TP-Profile service=l2tp
--
And now I shall close on the subject by quoting Ronald Reagan - who, shortly after taking a bullet, was heard to quip "Ow! Ow! Ow!"
