unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

L2TP IPSEC site to site behind NAT  [SOLVED]

Sun Apr 25, 2021 7:58 am

Hello all,
I don't know if this post is a duplicate; apologies if so. I have created my L2TP/IPsec site-to-site VPN but I am having some problems. I have attached the topology.

Both MikroTik routers are behind NAT (ISP modem). Neither ISP modem can be put in bridge mode. The VPN is up and stable. I have created the route pointing at the L2TP gateway, and the mangle rule on the L2TP client to mark the traffic and route it to the correct gateway. From both PCs I am able to ping the LAN gateway, but they are not able to ping each other. From the client side I traced Google and I see the traffic is correctly going through the tunnel, but if I open a web page I can't navigate.

Here is the exported config:

Client
[admin@client] > export hide-sensitive terse
# apr/25/2021 06:22:54 by RouterOS 6.48.2
# software id = ZEM8-8FIV
#
# model = 951G-2HnD
/interface bridge add name=local
/interface ethernet set [ find default-name=ether1 ] name=LAN_eth1
/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] name=toNetGear5
/interface l2tp-client add allow=pap,chap connect-to=1.1.1.1 disabled=no keepalive-timeout=disabled name=toServer use-ipsec=yes use-peer-dns=yes user=username
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-128
/ip pool add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port add bridge=local interface=LAN_eth1
/interface bridge port add bridge=local interface=ether3
/ip address add address=192.168.0.2/24 interface=toNetGear5 network=192.168.0.0
/ip address add address=192.168.99.1/24 interface=local network=192.168.99.0
/ip dhcp-server network add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns set servers=8.8.8.8
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 new-routing-mark=toVPN passthrough=no src-address=192.168.99.2-192.168.99.254
/ip firewall nat add action=masquerade chain=srcnat out-interface=toServer
/ip firewall nat add action=masquerade chain=srcnat out-interface=toNetGear5
/ip route add check-gateway=ping distance=1 gateway=172.16.200.1 routing-mark=toVPN
/ip route add check-gateway=ping distance=1 gateway=192.168.0.1
/ip route add distance=1 dst-address=192.168.1.0/28 gateway=172.16.200.1
/ip route add distance=1 dst-address=192.168.88.0/24 gateway=172.16.200.1 scope=10

Server
[admin@server] > export hide-sensitive terse
# apr/25/2021 06:27:38 by RouterOS 6.48.2
# software id = C6WF-88AR
#
# model = RB750Gr3

/interface bridge add name=local
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-128
/ip pool add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port add bridge=local interface=ether2
/interface l2tp-server server set authentication=pap,chap enabled=yes keepalive-timeout=disabled use-ipsec=yes
/ip address add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip address add address=192.168.1.8/28 interface=ether1 network=192.168.1.0
/ip dhcp-server network add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns set servers=8.8.8.8
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ip route add distance=1 gateway=192.168.1.1
/ip route add distance=1 dst-address=192.168.0.0/24 gateway=172.16.200.2
/ip route add distance=1 dst-address=192.168.99.0/24 gateway=172.16.200.2
/ppp secret add local-address=172.16.200.1 name=username remote-address=172.16.200.2 service=l2tp
Thank you for your help
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Tue Apr 27, 2021 3:41 am

Any ideas?
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: L2TP IPSEC site to site behind NAT

Tue Apr 27, 2021 4:13 am

In IP -> IPsec, is the traverse-nat option enabled in IPsec settings?
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Tue Apr 27, 2021 6:40 am

> In IP -> IPsec, is the traverse-nat option enabled in IPsec settings?

I think it isn't present in this RouterOS version, 6.48.2.
[admin@client] /system routerboard> print
       routerboard: yes
             model: 951G-2HnD
     serial-number: 557E04F3583F
     firmware-type: ar9344
  factory-firmware: 3.19
  current-firmware: 6.48.2
  upgrade-firmware: 6.48.2
  
[admin@server] /system routerboard> print
       routerboard: yes
        board-name: hEX
             model: RB750Gr3
          revision: r4
     serial-number: CC210D814309
     firmware-type: mt7621L
  factory-firmware: 6.47.4
  current-firmware: 6.48.2
  upgrade-firmware: 6.48.2

 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: L2TP IPSEC site to site behind NAT

Tue Apr 27, 2021 12:19 pm

To be able to connect to an L2TP IPSec server behind NAT, you need to open:

To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T) open UDP 5500.
To allow L2TP traffic, open UDP 1701.

Are all of these open?
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Tue Apr 27, 2021 2:55 pm

> To be able to connect to an L2TP IPSec server behind NAT, you need to open:
>
> To allow Internet Key Exchange (IKE), open UDP 500.
> To allow IPSec Network Address Translation (NAT-T) open UDP 5500.
> To allow L2TP traffic, open UDP 1701.
>
> Are all this open?

Yes, the IPsec L2TP tunnel is up and stable. From a host on 192.168.88.0/24 I am able to ping the gateway of the host on 192.168.99.0/24 and vice versa.

1) First problem: I cannot ping host to host. Traceroute from a host stops at the tunnel IP (I tested from both sides).

2) Second problem: I want to reach the internet from the hosts on 192.168.99.0/24 through the tunnel, so the public IP should be 1.1.1.1. I cannot open any internet pages, but if I try to ping 8.8.8.8 it responds, and if I trace it I see that the traffic is correctly going through the tunnel.

I am currently thinking of some asymmetric routing, but I spent the last three days on it and I cannot figure out what is going on. 😩😩😩

All ports are open on both ISP modems (1710 50 51 4500), plus I added the MikroTik IP to the ISP DMZ 😅

Thanks
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: L2TP IPSEC site to site behind NAT

Fri Apr 30, 2021 8:46 pm

Hi,

I think the problem is in:
/ip route add check-gateway=ping distance=1 gateway=172.16.200.1 routing-mark=toVPN
/ip route add check-gateway=ping distance=1 gateway=192.168.0.1
/ip route add distance=1 dst-address=192.168.1.0/28 gateway=172.16.200.1
/ip route add distance=1 dst-address=192.168.88.0/24 gateway=172.16.200.1 scope=10

I experienced in the past that routes are not used if the gateway is an IP address of a VPN endpoint. Maybe try to use the tunnel interface instead.

Maybe try to update configuration like this:
/ip route add check-gateway=ping distance=1 gateway=toServer routing-mark=toVPN
/ip route add check-gateway=ping distance=1 gateway=192.168.0.1
/ip route add distance=1 dst-address=192.168.1.0/28 gateway=toServer
/ip route add distance=1 dst-address=192.168.88.0/24 gateway=toServer scope=10


Configure the server MikroTik the same way.
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Fri Apr 30, 2021 10:55 pm

Hi,

> I think the problem is in:
> /ip route add check-gateway=ping distance=1 gateway=172.16.200.1 routing-mark=toVPN
> /ip route add check-gateway=ping distance=1 gateway=192.168.0.1
> /ip route add distance=1 dst-address=192.168.1.0/28 gateway=172.16.200.1
> /ip route add distance=1 dst-address=192.168.88.0/24 gateway=172.16.200.1 scope=10
>
> I experienced in the past that routes are not used, if the gateway is an ip-address of a VPN-Endpoint. Maybe try to use tunnel interface instead.
>
> Maybe try to update configuration like this:
> /ip route add check-gateway=ping distance=1 gateway=toServer routing-mark=toVPN
> /ip route add check-gateway=ping distance=1 gateway=192.168.0.1
> /ip route add distance=1 dst-address=192.168.1.0/28 gateway=toServer
> /ip route add distance=1 dst-address=192.168.88.0/24 gateway=toServer scope=10
>
> Configure the Server Mikrotik the same way.

Thank you DeJoe, I will try as you suggested. The reason I used the IP as next-hop instead of the tunnel interface is that if the VPN flaps for some reason, the router will flush the route from its routing table. But for sure I will try it and I will let you know.

Many thanks
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Fri May 07, 2021 9:33 am

Let's post some other information.

I tried to use the tunnel interface as next-hop (as DeJoe suggested); however, it is the same.

The L2TP server seems to be fine. I tested with a spare Windows laptop connected via LTE and I was able to establish the VPN, and the traffic was passing through the tunnel. I received the public IP address of the server on my Windows laptop. All fine. This test did not involve the MikroTik client router.

But again, everything connected to the MikroTik client can't navigate even if the L2TP tunnel is up. If I trace Google or another website from the MikroTik client sourcing from the subnet 192.168.99.0/24, I see the traffic going correctly through the tunnel, meaning the mangle rule is also working.

Any ideas?
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: L2TP IPSEC site to site behind NAT

Fri May 07, 2021 6:10 pm

Can you ping 192.168.99.1 from 192.168.88.1 ?
Can you ping 192.168.88.1 from a client in 192.168.99.0/24 ?
Can you ping 192.168.99.1 from a client in 192.168.88.0/24 ?
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Sat May 08, 2021 10:47 am

> Can you ping 192.168.99.1 from 192.168.88.1 ?
> Can you ping 192.168.88.1 from a client in 192.168.99.0/24 ?
> Can you ping 192.168.99.1 from a client in 192.168.88.0/24 ?

Yes DeJoe. From a host on the subnet 192.168.88.0/24 I can ping the gateway 192.168.99.1 and vice versa, but I cannot ping host to host.
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Tue May 11, 2021 12:03 am

So guys, after several days and attempts on this I finally found the problem. Nothing is wrong in the configuration of either MikroTik. The problem is with the ISP of the MikroTik client. The ISP is using WiMAX technology. The ISP modem in the picture with the IP 192.168.0.1 is connected to the ISP antenna, so basically the MikroTik is behind 2 NATs (ISP modem and ISP antenna). What did I do to discover that the problem is with the ISP? I turned on the WiFi hotspot on my phone and bound the MikroTik client to it, so basically I used my phone as the gateway. The L2TP/IPsec tunnel was established successfully and I was able to navigate, and the traffic was going through the tunnel as per design. So I suspect some problem with the returning traffic or asymmetric traffic.
Thanks all
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP IPSEC site to site behind NAT

Tue May 11, 2021 12:37 am

In my experience, to make double NAT (and other obscure NAT situations) work you need to relax the checking of port numbers in IPsec.
Assuming that you have made the L2TP server with default IPsec settings, note down what entries it has created under IP->IPsec for that, then remove the IPsec from the L2TP server and re-create these entries manually.
However, on the Identities tab, in this entry select "port override" instead of the "port strict" that was there when the entry is auto-created.
That usually solves it.
Make sure your firewall accepts UDP port 1701 incoming traffic (on the MikroTik) only with IPsec policy in:ipsec (on the Advanced tab).
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Tue May 11, 2021 6:14 pm

> In my experience, to make double-NAT (and other obscure NAT situations) working you need to relax the checking of port numbers in IPsec.
> Assuming that you have made the L2TP server with default IPsec settings, note down what entries it has created under IP->IPsec for that, then remove the IPsec from the L2TP server and re-create these entries manually.
> However, on the Identities tab, in this entry select "port override" instead of the "port strict" that was there when the entry is auto-created.
> That usually solves it.
> Make sure your firewall accepts UDP port 1701 incoming traffic (on the MikroTik) only with IPsec policy in:ipsec (on the Advanced tab).

Well pe1chl, the IPsec was established and the UDP ports were open. No issues with the server, only on the client side. Traffic was passing through the tunnel and I was able to ping and trace Google from the hosts behind the L2TP client, but I wasn't able to navigate with any browser. So definitely no issues with the ports.
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: L2TP IPSEC site to site behind NAT

Fri May 14, 2021 5:42 pm

> Well pe1chl, the IPsec was established and the UDPs ports were opens. No issues with the server, only in the client side. So traffic was passing through the tunnel but I was able to ping and trace Google from the hosts behind the L2TP client but I wasn't able to navigate with all browsers. So definitely no issues with the ports.

If the tunnel is up and working, the ports are OK and double NAT has nothing to do with it. If pinging router to router works but the clients are not reachable from site to site, the problem is most likely related to a routing problem or firewall.

If you can, you could post your complete config. Hide the sensitive values, please. Maybe we find the issue.

Greetings.
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Mon May 17, 2021 7:40 pm

> Well pe1chl, the IPsec was established and the UDPs ports were opens. No issues with the server, only in the client side. So traffic was passing through the tunnel but I was able to ping and trace Google from the hosts behind the L2TP client but I wasn't able to navigate with all browsers. So definitely no issues with the ports.
> If the tunnel is up and working, the ports are ok and double NAT has nothing to do with it. If pinging route to router works but the clients are not reachable from site to site, the problem is most likely related to a routing problem or firewall.
>
> If you can, you could post your complete config. Hide the sensitive values, please. Maybe we find the issue.
>
> Greetings.

Hey DeJoe, thanks for your reply. The config is already in the post above. When I say NAT, I am not speaking only about the ports but about the ability to translate the private IP address to a public one, so I think the problem could be in the provider network. When I do a normal traceroute to Google I see the first hop is my gateway 192.168.0.1, the second hop is the private IP of my ISP antenna, and the third hop is my public IP address.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: L2TP IPSEC site to site behind NAT

Mon May 17, 2021 7:46 pm

If you see two private IPs in the traceroute, you normally have two NATs.
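Jotne's rule of thumb, as an added script that is not part of this thread: it parses traceroute output and counts the non-public hops before the first public hop, which is the number of NAT layers in front of the host. It goes slightly beyond the private ranges Jotne mentions by also treating RFC 6598 carrier-grade NAT space (100.64.0.0/10), common on wireless ISPs, as a NAT layer. The sample traceroute below is constructed to mirror the thread, not real captured output.

```python
import ipaddress
import re

# Ranges never routed on the public Internet. A hop inside one of them, seen
# before the first public hop, is a router that must be translating addresses.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
)]
HOP_NUM_RE = re.compile(r"^\s*(\d+)\s")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(text):
    """Return [(hop_number, ip_or_None)] from traceroute, tracert or
    RouterOS /tool traceroute output; '* * *' hops get ip None."""
    hops = []
    for line in text.splitlines():
        m = HOP_NUM_RE.match(line)
        if not m:
            continue  # header lines such as "traceroute to ..."
        ip = IPV4_RE.search(line, m.end())
        hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def is_non_public(ip):
    return any(ipaddress.ip_address(ip) in net for net in NON_PUBLIC_NETS)


def nat_layers(hops):
    """Count leading non-public hops: each is a NAT layer in front of the
    host. Timed-out hops are skipped since they give no evidence."""
    layers = 0
    for _, ip in hops:
        if ip is None:
            continue
        if not is_non_public(ip):
            break
        layers += 1
    return layers


# Constructed sample mirroring the thread: home gateway, then the ISP antenna
# on a private address, then the first public hop (TEST-NET-3 documentation IP).
SAMPLE_TRACE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.412 ms
 2  10.255.0.1 (10.255.0.1)  11.908 ms
 3  203.0.113.77 (203.0.113.77)  18.301 ms
 4  * * *
"""
```

Running `nat_layers(parse_hops(SAMPLE_TRACE))` on the constructed sample reports 2, matching the double NAT described in the thread.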
 
unam83
just joined
Topic Author
Posts: 18
Joined: Sun Apr 25, 2021 6:51 am

Re: L2TP IPSEC site to site behind NAT

Mon May 17, 2021 10:30 pm

> If you see two private ip in the traceroute, you normally have two nat.

Correct ... that's what I said :D
