I don't know if this post is duplicated and apologies for this. I have created my LT2P/IPSEC site to site VPN but I am having some problem. I have attached the topology.
Both mikrotik router are behind the NAT (ISP modem). Both ISP modem cannot be moved in bridge. The VPN is up and stable. I have created the route pointing the L2TP gateway, the mangle on the L2TP client to mark the traffic and route to the correct gateway. from both pc I am able to ping the LAN gateway, but not able to ping each other. from the client side I traced google and I see the traffic is correctly going thru the tunnel, but if I open a webpage I can't navigate.
here below the config exported:
Client
Code: Select all
[admin@client] > export hide-sensitive terse
# apr/25/2021 06:22:54 by RouterOS 6.48.2
# software id = ZEM8-8FIV
#
# model = 951G-2HnD
/interface bridge add name=local
/interface ethernet set [ find default-name=ether1 ] name=LAN_eth1
/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] name=toNetGear5
/interface l2tp-client add allow=pap,chap connect-to=1.1.1.1 disabled=no keepalive-timeout=disabled name=toServer use-ipsec=yes use-peer-dns=yes user=username
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-128
/ip pool add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port add bridge=local interface=LAN_eth1
/interface bridge port add bridge=local interface=ether3
/ip address add address=192.168.0.2/24 interface=toNetGear5 network=192.168.0.0
/ip address add address=192.168.99.1/24 interface=local network=192.168.99.0
/ip dhcp-server network add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns set servers=8.8.8.8
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 new-routing-mark=toVPN passthrough=no src-address=192.168.99.2-192.168.99.254
/ip firewall nat add action=masquerade chain=srcnat out-interface=toServer
/ip firewall nat add action=masquerade chain=srcnat out-interface=toNetGear5
/ip route add check-gateway=ping distance=1 gateway=172.16.200.1 routing-mark=toVPN
/ip route add check-gateway=ping distance=1 gateway=192.168.0.1
/ip route add distance=1 dst-address=192.168.1.0/28 gateway=172.16.200.1
/ip route add distance=1 dst-address=192.168.88.0/24 gateway=172.16.200.1 scope=10
Server
[admin@server] > export hide-sensitive terse
# apr/25/2021 06:27:38 by RouterOS 6.48.2
# software id = C6WF-88AR
#
# model = RB750Gr3
/interface bridge add name=local
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-128
/ip pool add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port add bridge=local interface=ether2
/interface l2tp-server server set authentication=pap,chap enabled=yes keepalive-timeout=disabled use-ipsec=yes
/ip address add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip address add address=192.168.1.8/28 interface=ether1 network=192.168.1.0
/ip dhcp-server network add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns set servers=8.8.8.8
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ip route add distance=1 gateway=192.168.1.1
/ip route add distance=1 dst-address=192.168.0.0/24 gateway=172.16.200.2
/ip route add distance=1 dst-address=192.168.99.0/24 gateway=172.16.200.2
/ppp secret add local-address=172.16.200.1 name=username remote-address=172.16.200.2 service=l2tp