Hi
v6.6 on CCR and 1100AHx2
From PC Host 192.168.0.166
When L2TP is up, web browsing, ping and trace are OK via the tunnel out of the CCR.
From PC Host 192.168.0.166
When IPSec is up with L2TP, ping and trace are fine out via the CCR, but web browsing hangs and does not work.
I have an L2TP/IPSec VPN from the office to the data centre.
Currently it's:
Office - external IP 81.138.69.10
1100AHx2 - NAT 192.168.0.0/24 1 host PC 192.168.0.166
Data Centre - external IP 46.17.219.249
CCR Router
192.168.0.0/24 [office] ext 81.138.69.10 ---------L2TP IPSec Over Broadband---------- 46.17.219.249 CCR ---Upstreams
host 192.168.0.166
L2TP comes up and I can ping and trace from the office router to and out of the CCR to the web.
I can also ping and trace from the 192.168.0.166 host to the CCR and out to the web, and when I do "what is my IP" I get the IP I was allocated from the CCR, so all good. Allocation is 46.17.223.254.
When I bring IPSec up I can ping and trace from the 192.168.0.166 host PC, but the web page hangs and I can't surf the web.
So I'm ignoring L2TP as I think that's correct (but may be wrong).
What have I missed on IPSec? Or have I missed NAT rules for hosts?
Routes on office router:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 46.17.223.1 0 ----- route sent by L2TP so when it's up goes via CCR
1 S 0.0.0.0/0 81.138.69.14 1 ---- default broadband route not used when L2TP is up
2 A S 46.17.219.249/32 81.138.69.14 1 -------- /32 static route for broadband to ext int on CCR
3 ADC 46.17.223.1/32 46.17.223.254 l2tp-out1 0 ---------- IP from CCR for L2TP
4 ADC 81.138.69.8/29 81.138.69.10 ether1 0 router interface
5 ADC 192.168.0.0/24 192.168.0.166 ether1 0 int for NAT hosts internal
Office Router
address=46.17.219.249/32 passive=no port=500 auth-method=pre-shared-key
secret="REMOVED" generate-policy=port-override exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
remote peers
0 local-address=81.138.69.10 remote-address=46.17.219.249 state=established
side=responder established=2m11s
policy
0 src-address=192.168.0.166/32 src-port=any dst-address=46.17.219.249/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=81.138.69.10
sa-dst-address=46.17.219.249 proposal=default priority=0
1 D src-address=46.17.219.249/32 src-port=any dst-address=81.138.69.10/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=46.17.219.249
sa-dst-address=81.138.69.10 priority=2
installed-sa
0 E spi=0x6A5E485 src-address=46.17.219.249 dst-address=81.138.69.10
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="REMOVED"
enc-key="REMOVED"
addtime=nov/29/2013 21:07:43 expires-in=28m51s add-lifetime=24m/30m
current-bytes=3883
1 E spi=0xF4D8455 src-address=81.138.69.10 dst-address=46.17.219.249
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="REMOVED"
enc-key="REMOVED"
addtime=nov/29/2013 21:07:43 expires-in=28m51s add-lifetime=24m/30m
current-bytes=4195
proposal
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=none
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade
1 chain=dstnat action=accept
[admin@cloudcore2] /ip ipsec remote-peers> print
0 local-address=46.17.219.249 remote-address=81.138.69.10 state=established
side=responder established=37m39s
I can ping and trace with IPSec up but get no web browsing. Ping and trace go out over L2TP and IPSec out of the CCR to Google:
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 4 ms 3 ms 1 ms 192.168.0.166
2 23 ms 20 ms 21 ms 46.17.223.1 ********* CCR IP *************
3 21 ms 25 ms 24 ms vl433-nodemax-vrrp-b.jump.net.uk [194.153.169.154]
4 * * * Request timed out.
5 26 ms 23 ms 22 ms ae-52-52.csw2.London1.Level3.net [4.69.139.120]
6 35 ms 22 ms 24 ms ae-231-3607.edge4.London1.Level3.net [4.69.166.25]
7 43 ms 21 ms 26 ms 209.85.244.246
8 24 ms 21 ms 22 ms 209.85.255.76
9 51 ms 26 ms 51 ms 209.85.253.196
10 33 ms 28 ms 29 ms 66.249.95.173
11 28 ms 36 ms 33 ms 209.85.251.231
12 * * * Request timed out.
13 28 ms 30 ms * google-public-dns-a.google.com [8.8.8.8]
14 30 ms 31 ms 28 ms google-public-dns-a.google.com [8.8.8.8]
CCR Router
L2TP
route sent is 0.0.0.0/0 46.17.223.1 0
policy
[admin@cloudcore2] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=46.17.219.249/32 src-port=any dst-address=81.138.69.10
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=46.17.219.249
sa-dst-address=81.138.69.10 proposal=default priority=0
peer
0 address=81.138.69.10/32 passive=no port=500 auth-method=pre-shared-key
secret="REMOVED" generate-policy=port-override exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
installed sa
[admin@cloudcore2] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x6A5E485 src-address=46.17.219.249 dst-address=81.138.69.10
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="REMOVED"
enc-key="REMOVED"
addtime=nov/29/2013 21:07:42 expires-in=16m11s add-lifetime=24m/30m
current-bytes=64003
1 E spi=0xF4D8455 src-address=81.138.69.10 dst-address=46.17.219.249
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="REMOVED"
enc-key="REMOVED"
addtime=nov/29/2013 21:07:42 expires-in=16m11s add-lifetime=24m/30m
current-bytes=20877
I am unable to web browse from the 192.168.0.166 PC. What have I done wrong? My guess is it's policy, but it may be NAT rules.
I am confused....
Thanks
Tony
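As an added example (not from the original post), a small Python script that parses the office router's `/ip ipsec policy print` dump above and reports which policies' selectors cover a given flow; it assumes a policy with src-address A and dst-address B selects A->B traffic and the B->A replies, and treats a bare host address as /32.

```python
"""Added example, not from the original post: parse a RouterOS
`/ip ipsec policy print` dump and report which policies select a flow.
Assumption: a policy with src=A dst=B selects A->B traffic and the B->A
replies (the two SPD selectors IPsec derives from one policy)."""
import ipaddress
import re

# Constructed from the office router's policy dump in the post above.
OFFICE_POLICIES = """\
0 src-address=192.168.0.166/32 src-port=any dst-address=46.17.219.249/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=81.138.69.10
sa-dst-address=46.17.219.249 proposal=default priority=0
1 D src-address=46.17.219.249/32 src-port=any dst-address=81.138.69.10/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=46.17.219.249
sa-dst-address=81.138.69.10 priority=2
"""

ENTRY_RE = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)(.*)$")  # "1 D key=val ..."

def parse_print(text):
    """Group continuation lines under the numbered entry that starts them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "flags": m.group(2).split()})
            line = m.group(3)
        for key, val in re.findall(r"(\S+?)=(\S+)", line):
            entries[-1][key] = val
    return entries

def _covers(policy, a, b):
    """True if a falls in src-address and b in dst-address (a bare host
    address as printed by RouterOS is treated as /32)."""
    src = ipaddress.ip_network(policy["src-address"], strict=False)
    dst = ipaddress.ip_network(policy["dst-address"], strict=False)
    return ipaddress.ip_address(a) in src and ipaddress.ip_address(b) in dst

def selecting_policies(text, src_ip, dst_ip, proto="tcp"):
    """IDs (print index) of policies whose selectors cover the flow."""
    hits = []
    for p in parse_print(text):
        if p.get("protocol", "all") not in ("all", proto):
            continue
        if _covers(p, src_ip, dst_ip) or _covers(p, dst_ip, src_ip):
            hits.append(p["id"])
    return hits

if __name__ == "__main__":
    for flow in [("192.168.0.166", "8.8.8.8"), ("192.168.0.166", "46.17.219.249"),
                 ("81.138.69.10", "46.17.219.249")]:
        print(flow, "->", selecting_policies(OFFICE_POLICIES, *flow))
```

Running it shows the host's own web flow to 8.8.8.8 is covered by no policy on the office side; only the host to 46.17.219.249 flow (policy 0) and the public-IP pair carrying L2TP (dynamic policy 1) are selected.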