TikYAN
just joined
Topic Author
Posts: 8
Joined: Tue Feb 09, 2021 3:12 pm

L2TP with IPsec - Traffic pass only if initial Traffic from remote Site

Thu Jul 29, 2021 6:07 pm

Hi tik'users.

On a remote site we have an RB4011 running v6.48.3. This router has no static public IP, but some remote workers need access to this network.
In our datacenter we use a CHR as a VM (same version), which is the dial-in destination for the remote workers; the remote site is connected to it via L2TP and IPsec.

The dial-in from the remote RB4011 (initiator) to the CHR in the datacenter (responder) works perfectly!
And the OpenVPN server on the CHR for the remote workers too!

If the router on the remote site was restarted or disconnected, the L2TP tunnel and IPsec SAs come up and running, but no traffic can pass until I ping some destinations from the remote site to the datacenter. Is this a known issue, and is there a workaround?

The problem is that on the remote site there is no "active" traffic/connections to the datacenter network, so I had to manually log in to a device and ping some random IPs in the datacenter. Then traffic is passed in both directions.

Thanks for any kind of hints.
If it's necessary, I could share the configs...

YAN
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP with IPsec - Traffic pass only if initial Traffic from remote Site

Sat Jul 31, 2021 3:25 pm

> Thanks for any kind of hints.
> If it's necessary, i could share the configs...

At "any kind of hint" level: look closely at the firewall rules at the 4011.

The thing is that the default firewall rules of older RouterOS versions say (very simplified) "drop anything that comes from WAN, except if it is a response", whereas those of newer RouterOS versions say "drop anything that does not come from LAN, except if it is a response".

When you upgrade RouterOS, the existing configuration is kept, unless you explicitly ask for it to be replaced by a default one. So the actual firewall rules depend on the history of the device, not on the currently running RouterOS version.

So with contemporary default firewall rules in place, unless you've created dedicated rules for the traffic coming in via the L2TP interface, or unless you've added that interface to the interface list named LAN, your firewall is dropping the incoming requests from the L2TP interface because it's "not LAN". If you don't use the default firewall rules but your own ones, no one can suggest anything more detailed unless you follow the hint in my automatic signature just below.

Just disabling all firewall rules is a very bad idea even for a short time - the filth from the network is incredibly fast to squat in.
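The two fixes hinted at above (adding the tunnel interface to the LAN interface list, or dedicated filter rules for it), shown as an added RouterOS CLI illustration that is not from the thread. The interface name l2tp-out1, the datacenter subnet 10.20.0.0/16 and the rule positions are assumed placeholders for the RB4011 side.

```routeros
# Added illustration, not from the thread. Assumes the RB4011's L2TP client
# interface is named l2tp-out1 and the datacenter uses 10.20.0.0/16
# (both placeholders; adjust to the real configuration).

# 1. Inspect what is actually in place (the ruleset follows the device's
#    history, not the running version) and whether the "not from LAN"
#    drop rules count packets while the tunnel is idle.
/ip firewall filter print stats where action=drop
/interface list member print where list=LAN
# A rule like "chain=forward action=drop in-interface-list=!LAN" (or the
# input-chain equivalent) matches new connections arriving on l2tp-out1,
# because that interface is in no list; only replies to connections the
# remote site opened first pass via the established,related accept rule.

# 2a. Fix, option one: treat the site-to-site tunnel as LAN, so every
#     existing LAN accept rule covers it. Simple, but it trusts the whole
#     datacenter side as much as the local LAN.
/interface list member add list=LAN interface=l2tp-out1 \
    comment="site-to-site tunnel to datacenter"

# 2b. Fix, option two: keep the tunnel out of LAN and accept only the new
#     sessions the remote workers need. place-before=0 puts each rule
#     ahead of the generic drops; move it further down if you prefer.
/ip firewall filter add chain=forward action=accept place-before=0 \
    in-interface=l2tp-out1 src-address=10.20.0.0/16 \
    connection-state=new comment="tunnel: new sessions from datacenter"
/ip firewall filter add chain=input action=accept place-before=0 \
    in-interface=l2tp-out1 protocol=icmp \
    comment="tunnel: allow ping to this router"

# 3. Verify from the datacenter side while the remote site is idle: the
#    accept rules should count packets and the drop counters stay flat.
/ip firewall filter print stats where comment~"tunnel"
```

Temporarily adding log=yes to the relevant drop rule shows in /log exactly which packets were being discarded before the change, which is more informative than disabling the filter.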
 
TikYAN
just joined
Topic Author
Posts: 8
Joined: Tue Feb 09, 2021 3:12 pm

Re: L2TP with IPsec - Traffic pass only if initial Traffic from remote Site

Fri Aug 06, 2021 5:36 pm

Hi Sindy,

thank you for your reply.
I will double-check the firewall rules! I set up the Wiki firewall recommendations... so it could be possible that all "WAN" traffic will be dropped, except responses.

I'll keep you updated.

Best Regards,
YAN
