L2TP Site2Site Tunnel with IPSec and default Route through Tunnel

Mon Jul 13, 2015 4:25 pm

Hey Guys,

I'm freaking out with our new CCR1009 setup. I've been trying to set up the following for about 8 hrs. now...

Central Office Site:
IP Spaces: 192.168.xx.0/21, 10.xx.xx.xx - none of the networks is overlapping
Network Gateway: 192.168.xx.251
CCR1009 LAN Address (for Example): 192.168.xx.215 (Same as Gateway)
CCR1009 WAN Address (for example):
L2TP Tunnel IP:

Branch Office Site:
IP Spaces: 192.168.y.0/24, 192.168.yyy.0/24 (not Overlapping with Central Office Subnets)
Network Gateway and CCR1009 LAN Address: 192.168.y.251
CCR1009 WAN Address: dynamic
L2TP Tunnel IP:

IPSec rules exist from every local subnet to the other site (e.g. from 192.168.y.0/24 to 192.168.xx.0/21). The proposal settings are also right (checked many times).

The Internet access (for the Branch Office clients) should only be available through the Central Office site's Internet access (so through the tunnel). The Internet traffic doesn't need to be encrypted with IPSec.

Now my problem: every host on the LOCAL network is reachable from the Branch Office clients, but there is no way to access the Internet. Any traceroute ends on the Central Office CCR1009.

My Routing Table on the Central Office Site:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address= gateway=192.168.xx.251 gateway-status=192.168.xx.251 reachable via  ether1-LAN distance=1 scope=30 target-scope=10 

 2 A S  dst-address=192.168.y.0/24 reachable via  CGN_HES1 distance=1 scope=30 target-scope=10 

 6 A S  dst-address= gateway= gateway-status= reachable via  ether7-WAN distance=1 scope=30 target-scope=10 

 7 ADC  dst-address= pref-src= gateway=ether7-WAN gateway-status=ether7-WAN reachable distance=0 scope=10 

 8 ADC gateway=CGN_HES1 gateway-status=CGN_HES1 reachable distance=0 scope=10 

Do you have ANY idea why that shouldn't work? On the Branch Office router I've checked the option to add a default route on the L2TP client screen, so that all traffic should go through the tunnel.

If you need more input please tell - the IP addresses are X'ed out for security reasons (sorry).
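One way to check the return path, as an added troubleshooting model that is not part of the original post: the script below simulates longest-prefix-match forwarding over a constructed topology (branch client, branch CCR, central CCR, central LAN gateway, upstream) and traces a packet in both directions. All addresses and node names are placeholders chosen for the model, since the post redacts the real ones. A traceroute that stops at the hub router is consistent with the reply path failing behind it, for example when the central LAN gateway has no route for the branch subnet back to the CCR and hands replies to its default upstream instead; the model shows how such a gap looks and how a return route closes it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology for the model. A node's table is a list of
# (prefix, next_hop_node); the packet is handed to next_hop_node when the
# prefix is the longest match. Addresses are placeholders, not the poster's.
Route = Tuple[str, str]
Tables = Dict[str, List[Route]]

# Which node "owns" a destination address (delivery ends the trace there).
HOSTS = {
    "192.168.5.10": "branch_client",   # assumed branch LAN client
    "203.0.113.10": "internet_host",   # TEST-NET-3, stands in for any site
}


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the next-hop node or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(tables: Tables, start: str, dst: str, max_hops: int = 10):
    """Follow a packet hop by hop. Returns (delivered, [nodes visited])."""
    node, path = start, [start]
    for _ in range(max_hops):
        if HOSTS.get(dst) == node:
            return True, path
        nxt = lookup(tables.get(node, []), dst)
        if nxt is None:
            return False, path          # no route: the packet dies here
        node = nxt
        path.append(node)
    return False, path                  # routing loop or too many hops


def base_tables() -> Tables:
    """Routing as the post describes it (modelled, with placeholder prefixes)."""
    return {
        "branch_client": [("0.0.0.0/0", "branch_ccr")],
        # Branch CCR: add-default-route on the L2TP client -> everything via tunnel.
        "branch_ccr": [("192.168.5.0/24", "branch_client"),
                       ("0.0.0.0/0", "central_ccr")],
        # Central CCR: static route to the branch via the tunnel, default via LAN gateway.
        "central_ccr": [("192.168.5.0/24", "branch_ccr"),
                        ("0.0.0.0/0", "lan_gw")],
        # Central LAN gateway (NAT edge): knows only a default towards the upstream.
        "lan_gw": [("0.0.0.0/0", "internet_host")],
        # Upstream: no route back into private address space.
        "internet_host": [],
    }


def with_return_route(tables: Tables) -> Tables:
    """Fix candidate: teach the LAN gateway that the branch subnet lives behind the CCR."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed["lan_gw"].append(("192.168.5.0/24", "central_ccr"))
    return fixed


def check_site(tables: Tables):
    """Forward path client->Internet and reply path from the NAT edge back to the client."""
    return {
        "forward": trace(tables, "branch_client", "203.0.113.10"),
        # Replies from the Internet arrive at the NAT edge, which then has to
        # route them back to the branch client.
        "return": trace(tables, "lan_gw", "192.168.5.10"),
    }


if __name__ == "__main__":
    for label, tables in (("as posted", base_tables()),
                          ("with return route", with_return_route(base_tables()))):
        res = check_site(tables)
        print(f"[{label}] forward: {res['forward']}")
        print(f"[{label}] return:  {res['return']}")
```

In the "as posted" model the forward path is delivered, but the reply from the LAN gateway follows its default route upstream and is dropped, which matches clients seeing no Internet while the tunnel itself works. Adding the return route on the gateway (or, equivalently, source-NATing branch traffic to the central CCR's own LAN address so the gateway replies to the CCR directly) completes the reply path in the model.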