I have a question regarding VPN solutions offered by Mikrotik.
I am currently working with a small company that needs a simple VPN solution (working on Android and Win10). (If it's somehow important: the mobiles are from Samsung, models S10 and S20.) All users are Road Warriors.
The office has a public IP address, and currently I have implemented L2TP VPN with IPsec for them, but we have some issues with that. For a few days now, I have had many tickets from different people that the VPN is inaccessible: it just doesn't connect any user. At the same time, I have been trying to connect both from a PC and a mobile, and neither of them connected.
I have enabled full logging of IPsec and L2TP at the moment, with export to a NAS, so hopefully if it happens again, I will have plenty of logs from that situation. For now, I can't access the site, so our solution is a reboot. After a reboot everything gets back to normal.
Our setup: MikroTik hAP ac^2, with some firewall rules, running 6.47.7, with all packages and firmware updated.
Would really love any hint regarding a solution.
The important parts of my current config, obfuscated, are below.
/ip pool
add name=VPN ranges=172.16.yy.yy-172.16.yy.yy
/ppp profile
add change-tcp-mss=yes comment="VPN MT" dns-server=172.16.xx.xx local-address=VPN name="VPN MT" remote-address=VPN use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 default-profile="VPN MT" enabled=yes use-ipsec=required
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Accept allowed to router" src-address-list=allowed_to_router
add action=add-src-to-address-list address-list=VPN address-list-timeout=20s chain=input comment="port 500 for VPN - list" dst-port=500 protocol=udp
add action=accept chain=input comment="port 500 for VPN" dst-port=500 protocol=udp
add action=add-src-to-address-list address-list=Step2_VPN address-list-timeout=30s chain=input comment="port 4500 for VPN" dst-port=4500 protocol=udp src-address-list=VPN
add action=accept chain=input comment="port 4500 for VPN" dst-port=4500 protocol=udp src-address-list=VPN
add action=add-src-to-address-list address-list=VPN_5min address-list-timeout=5m chain=input comment="port 1701 for VPN" dst-port=1701 protocol=udp src-address-list=Step2_VPN
add action=accept chain=input comment="port 1701 for VPN" dst-port=1701 protocol=udp src-address-list=Step2_VPN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log-prefix=drop_!lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop all the rest" log-prefix=drop
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip route
add comment="route for vpn server" distance=1 dst-address=172.16.x.x/x gateway=172.16.x.x
/ppp secret
add local-address=172.16.x.x1 name=user1 profile="VPN MT" service=l2tp
add local-address=172.16.x.x2 name=user2 profile="VPN MT" service=l2tp
add local-address=172.16.x.x3 name=user1mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x4 name=user2mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x5 name=user3 profile="VPN MT" service=l2tp
add local-address=172.16.x.x6 name=user3mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x7 name=user4 profile="VPN MT" service=l2tp
Right now I am thinking about what the best solution would be. I have 3 ideas and don't know which to stick with:
Solution 1. This board: I have some problem in my config that I don't see, and some good people here will show me what I am doing wrong / what should be changed.
Solution 2. Add some scripting in /ppp profile to restart /interface l2tp-server each time a user disconnects (in /ppp profile on-down).
Solution 3. Switch to some other VPN solution that I haven't tried yet.
Any help will be much appreciated.
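To make the timing behaviour of the chained address lists in the posted input rules concrete, here is an added simulation (not from the original post and not RouterOS code) that models the UDP 500 -> 4500 -> 1701 rule chain with the listed timeouts (20s, 30s, 5m) against a constructed packet sequence. It assumes only the first packet of each flow is evaluated (established/related packets are accepted by the earlier defconf rule), that re-matching a list rule refreshes an existing entry's timeout, and uses constructed client addresses from the 198.51.100.0/24 documentation range.

```python
from dataclasses import dataclass, field

# address-list-timeout values copied from the posted /ip firewall filter rules
TIMEOUTS = {"VPN": 20, "Step2_VPN": 30, "VPN_5min": 300}


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {src-address: expiry time (s)}."""
    entries: dict = field(default_factory=lambda: {n: {} for n in TIMEOUTS})

    def add(self, name, src, now):
        # Assumption of the model: a repeated match refreshes the timeout.
        self.entries[name][src] = now + TIMEOUTS[name]

    def has(self, name, src, now):
        exp = self.entries[name].get(src)
        return exp is not None and now < exp


def input_chain(lists, src, dport, now):
    """Verdict of the posted input-chain rules for a NEW UDP packet.

    Established/related flows and the allowed_to_router list are not
    modelled; every other new packet reaches 'Drop all the rest'.
    """
    if dport == 500:                                   # IKE: always accepted, src -> VPN (20s)
        lists.add("VPN", src, now)
        return "accept"
    if dport == 4500 and lists.has("VPN", src, now):   # NAT-T only if src still in VPN
        lists.add("Step2_VPN", src, now)               # src -> Step2_VPN (30s)
        return "accept"
    if dport == 1701 and lists.has("Step2_VPN", src, now):  # L2TP only if src in Step2_VPN
        lists.add("VPN_5min", src, now)
        return "accept"
    return "drop"


def run(packets):
    """packets: list of (time_s, src, dport); returns list of (time_s, src, dport, verdict)."""
    lists = AddressLists()
    return [(t, s, p, input_chain(lists, s, p, t)) for t, s, p in packets]


# Constructed sequences: one client negotiates quickly, one stalls between IKE and NAT-T.
CLIENT_FAST = [(0, "198.51.100.10", 500), (2, "198.51.100.10", 4500), (5, "198.51.100.10", 1701)]
CLIENT_SLOW = [(0, "198.51.100.20", 500), (25, "198.51.100.20", 4500), (28, "198.51.100.20", 1701)]

if __name__ == "__main__":
    for row in run(CLIENT_FAST) + run(CLIENT_SLOW):
        print(row)
```

The slow client's 4500 packet arrives after its 20-second VPN entry has expired, so under these rules it and the following 1701 packet are dropped, which is the kind of sequence worth comparing against the exported IPsec/L2TP logs.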