tecnofaber

VPN L2TP+IPsec with Load Balancing

Mon Nov 08, 2021 1:14 pm

Hi everyone, I have a RB4011iGS+ with FW 6.49.

My problem is with creating a VPN for remote clients using the L2TP+IPsec protocol:

I have 2 ISPs with public static IP addresses, configured for load balancing with port forwarding, and that works perfectly. Now I need to connect to my network with the VPN, but after I configured the VPN, when I connect I see in the log: "no suitable proposal found".

This is my complete configuration of RB:
# nov/08/2021 12:04:24 by RouterOS 6.49
# software id = 141D-UNJZ
#
# model = RB4011iGS+
# serial number = 
# review: export as posted. Interface names, PPPoE users, public addresses
# and secrets were anonymized before posting (XX, ----, 128.xxxxx), so some
# references further down (PPPoE_Eolo_XX, to_PPPoE_XX) cannot be matched to
# their definitions from this text alone.
/interface bridge
add name=Main_Bridge
/interface ethernet
# review: the real port names are still visible later in the export
# (Ether1_Eolo_Giada, Ether2_Eolo_Fabrizio, Ether3_LAN_Fatidico,
# Ether4_LAN_Pipoli, Ether7_PiHole). proxy-arp is set on the member ports;
# for VPN clients that receive addresses inside 10.10.10.0/24 (see
# /ppp profile and /ppp secret) the setting that matters is arp=proxy-arp on
# Main_Bridge itself, which is not in this export -- confirm.
set [ find default-name=ether1 ] name=XX
set [ find default-name=ether2 ] name=XX
set [ find default-name=ether3 ] arp=proxy-arp name=XX
set [ find default-name=ether4 ] arp=proxy-arp name=XX
set [ find default-name=ether5 ] arp=local-proxy-arp name=XX
set [ find default-name=ether6 ] arp=proxy-arp name=XX
# review: ether7 is disabled here but Ether7_PiHole is still a bridge port
# below; presumably the Pi-hole is on a different port now -- confirm.
set [ find default-name=ether7 ] disabled=yes name=XX
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
# review: both uplinks add their own default route (add-default-route=yes)
# and the explicit Wan1/Wan2 default routes under /ip route also use
# distance=1, so which uplink the router's own unmarked traffic leaves by
# is not pinned down in this export.
add add-default-route=yes disabled=no interface=Ether2_Eolo_Fabrizio name=PPPoE_Eolo_XX user=----------
add add-default-route=yes disabled=no interface=Ether1_Eolo_Giada name=PPPoE_Eolo_XXGiada user=-------------------
/interface vlan
add interface=Main_Bridge name=Vlan_ospiti vlan-id=10
add interface=Main_Bridge name=vlan_IoT vlan-id=20
# review: vlan-id=1 on the bridge; its address is set further down
# (see the /ip address note on 192.168.1.0/24).
add interface=Main_Bridge name=vlan_emulazione_suore vlan-id=1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# review: only WAN receives members (see /interface list member); IOT, NOI
# and OSPITI stay empty, so in-bridge-port-list=IOT in the filter rules and
# allowed-interface-list=NOI for mac-winbox match no interface at all.
add name=WAN
add name=IOT
add name=NOI
add name=OSPITI
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
# review: placeholder server (interface=XX name=XX) left over next to the
# three real servers defined further down.
add disabled=no interface=XX name=XX
/ip ipsec peer
# review: the "This entry is unreachable" line looks like an annotation
# emitted by the export rather than a hand-written comment. The peer is a
# passive responder with no address, i.e. the shape used for L2TP/IPsec;
# whether use-ipsec=required on the L2TP server also creates its own
# dynamic peer next to this static one is not visible here -- check
# /ip ipsec peer print, since two responder peers can conflict.
# This entry is unreachable
add name=l2tpserver passive=yes
/ip ipsec profile
# review: phase 1 (IKE). Only sha256 is offered; many L2TP/IPsec clients
# propose sha1 for phase 1, so if the phase-2 proposal below is fixed and
# the log then reports a phase-1 failure, adding sha1 here is the next
# thing to check. dh-group is not exported, so it is at its default. DPD
# is disabled, so a vanished client is only noticed at SA expiry.
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-256,3des hash-algorithm=sha256
/ip ipsec proposal
# review: phase 2 (ESP). The log wording "no suitable proposal found"
# most likely points at this set rather than at the profile above: the
# router offers only 3des, so any client whose ESP offer does not include
# 3DES-CBC is rejected. A responder set that current L2TP/IPsec clients
# match is enc-algorithms=aes-256-cbc,aes-128-cbc with auth-algorithms=sha1
# (auth-algorithms and pfs-group are not exported, so they are at their
# defaults; if the client does not do PFS, pfs-group=none is also needed
# -- confirm against the client's settings). 3DES is 64-bit-block legacy
# crypto; keep it only while an old client still needs it.
set [ find default=yes ] enc-algorithms=3des lifetime=8h
/ip pool
add name=Pool_Privato ranges=10.10.10.100-10.10.10.200
add name=Pool_vlan_ospiti ranges=10.20.20.2-10.20.20.30
add name=Pool_vlan_IoT ranges=10.30.30.2-10.30.30.14
# review: not referenced by any dhcp-server below (note the spelling
# "suoore" against the interface name "vlan_emulazione_suore").
add name=Pool_vlan_suoore ranges=192.168.1.2-192.168.1.10
/ip dhcp-server
add address-pool=Pool_Privato disabled=no interface=Main_Bridge lease-time=7h name=dhcp_main
add address-pool=Pool_vlan_IoT disabled=no interface=vlan_IoT lease-time=10h name=vlan_IoT
add address-pool=Pool_vlan_ospiti disabled=no interface=Vlan_ospiti name=Vlan_ospiti
/ppp profile
# review: VPN endpoints live inside the LAN subnet (local 10.10.10.47 here,
# remote 10.10.10.46 in /ppp secret); both sit outside the DHCP range
# .100-.200, so they do not collide with leases.
add dns-server=1.1.1.1 local-address=10.10.10.47 name=ipsec_vpn
/queue tree
add name=queue1 parent=Ether4_LAN_Pipoli
/queue interface
set Ether3_LAN_Fatidico queue=ethernet-default
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=Main_Bridge interface=Ether2XX
add bridge=Main_Bridge interface=Ether4XX
add bridge=Main_Bridge interface=Ether5XX
add bridge=Main_Bridge interface=Ether6XX
# review: see the ether7 note under /interface ethernet (port disabled).
add bridge=Main_Bridge interface=Ether7_PiHole
add bridge=Main_Bridge interface=ether8
add bridge=Main_Bridge interface=ether9
add bridge=Main_Bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# review: mschap1 is accepted next to mschap2; it is the weaker of the two
# and current clients negotiate mschap2, so authentication=mschap2 is the
# safer setting unless a specific client needs mschap1. use-ipsec=required
# needs an ipsec-secret, which is not in the posted lines -- presumably
# stripped for the post; confirm it is set and matches the clients.
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes use-ipsec=required
/interface list member
add interface=PPPoE_ list=WAN
add interface=PPPoE_o list=WAN
/ip address
add address=10.10.10.1/24 interface=Main_Bridge network=10.10.10.0
add address=10.20.20.1/27 interface=Vlan_ospiti network=10.20.20.0
add address=10.30.30.1/28 interface=vlan_IoT network=10.30.30.0
# review: 192.168.1.0/24 is the network address, not a host address. The
# other interfaces use .1 and Pool_vlan_suoore starts at .2, so
# 192.168.1.1/24 is almost certainly what was meant.
add address=192.168.1.0/24 interface=vlan_emulazione_suore network=192.168.1.0
/ip dhcp-server lease
add address=10.30.30.13 client-id=1:60:23:a4:7d:fa:11 mac-address=60:23:A4:7D:FA:11 server=vlan_IoT
add address=10.10.10.108 client-id=1:64:f2:fb:1f:78:c9 mac-address=64:F2:FB:1F:78:C9 server=dhcp_main
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=10.20.20.0/27 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.20.1 netmask=27 ntp-server=193.204.114.232
add address=10.30.30.0/28 dns-server=1.1.1.1,208.67.220.220 gateway=10.30.30.1 netmask=28 ntp-server=193.204.114.232
/ip dns
set servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,8.8.8.8,8.8.4.4
# review: `list=` is an /ip firewall address-list attribute, not an
# /ip address one; the section header was most likely lost in the paste.
/ip address
add address=128.xxxxx list="eolo giada"
add address=128.xxxxx list="eolo fabrizio"
/ip firewall filter
# review: order matters in chain=input. The catch-all WAN input drop
# (in-interface-list=WAN) further down is disabled, so the router's input
# side is currently protected only by what /ip service turns off; enabled
# where it sits now, it would drop IPsec/L2TP before the accept rules that
# follow it. The usual shape is: accept established/related, accept
# ipsec-esp and udp 500/4500/1701 from WAN, then drop the rest of WAN input.
add action=drop chain=input comment="Drop DNS brute force Giada" dst-port=53 in-interface=PPPoE_Eolo_Giada protocol=udp
add action=drop chain=input comment="Drop DNS brute force Giada" dst-port=53 in-interface=PPPoE_Eolo_Giada protocol=tcp
add action=drop chain=input comment="Drop DNS brute force Fabrizio" dst-port=53 in-interface=PPPoE_Eolo_Fabrizio protocol=udp
add action=drop chain=input comment="Drop DNS brute force Fabrizio" dst-port=53 in-interface=PPPoE_Eolo_Fabrizio protocol=tcp
# review: content matching on port 443 only sees what is sent in the
# clear (e.g. a plain-text SNI); encrypted payload will not match.
add action=drop chain=forward comment="Blocco TikTok" content=tiktok dst-port=80,443 protocol=tcp
add action=drop chain=forward comment="Blocco TikTok" dst-address-list="Tik Tok" src-address-list="Tik Tok"
add action=drop chain=forward comment="Blocco TOR" dst-address-list=TOR dst-port=80,443 protocol=tcp src-address-list=TOR src-port=80,443
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.20.20.0/27 src-address=10.10.10.0/24
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.30.30.0/28 src-address=10.10.10.0/24
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.30.30.0/28 src-address=10.20.20.0/27
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.20.20.0/27 src-address=10.30.30.0/28
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.10.10.0/24 src-address=10.30.30.0/28
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.10.10.0/24 src-address=10.20.20.0/27
# review: disabled -- see the note at the top of this section.
add action=drop chain=input disabled=yes in-interface-list=WAN
# review: IOT has no members, so these two rules never match; both also
# require src-port and dst-port to be 17489 at the same time.
add action=drop chain=input dst-address=10.20.20.1 dst-port=17489 in-bridge-port-list=IOT log=yes protocol=tcp src-address=10.20.20.0/27 src-port=17489
add action=drop chain=forward dst-address=10.20.20.1 dst-port=17489 in-bridge-port-list=IOT protocol=tcp src-port=17489
# review: in-interface=Ether1_Eolo_Giada names the physical port, but the
# VPN packets arrive on the PPPoE interface running over it, so these two
# rules are not expected to match. The generic accepts that follow cover
# the same traffic anyway; the last ipsec-esp accept duplicates the one
# two lines above it, and `port=` matches source or destination port.
add action=accept chain=input in-interface=Ether1_Eolo_Giada log=yes protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=Ether1_Eolo_Giada log=yes protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
/ip firewall mangle
# review: PCC. These two connection marks are set only for connections
# entering from Main_Bridge (LAN-originated); the two output-chain
# mark-routing rules at the end of this section key on those same marks
# (anonymized here, presumably PPPoE_Wan1_Giada / PPPoE_Wan2_Fabrizio).
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Main_Bridge new-connection-mark=PPPoE_Wan1_XX passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Main_Bridge new-connection-mark=PPPoE_Wan2_XX passthrough=yes per-connection-classifier=\
    both-addresses:2/1
# review: inbound WAN connections are marked port_forward_wan1/wan2 in
# chain=forward only. Two consequences: (1) no mark-routing rule in this
# export references port_forward_wan1/wan2, so the marks never steer
# replies; (2) traffic terminated on the router itself -- which is what
# L2TP/IPsec is -- does not traverse chain=forward, so it gets no mark and
# the router's IKE/ESP replies follow the main table instead of the uplink
# they arrived on. Marking new connections in chain=prerouting
# (in-interface=<WAN>, connection-mark=no-mark) and keying the output
# mark-routing rules on those marks is the usual way to pin replies to the
# right uplink.
add action=mark-connection chain=forward connection-state=new in-interface=PPPoE_Eolo_XX new-connection-mark=port_forward_wan1 passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=PPPoE_Eolo_XX new-connection-mark=port_forward_wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=PPPoE_Wan2_Fabrizio in-interface=Main_Bridge new-routing-mark=to_PPPoE_XX passthrough=no
add action=mark-routing chain=prerouting connection-mark=PPPoE_Wan1_Giada in-interface=Main_Bridge new-routing-mark=to_PPPoE_XX passthrough=no
add action=accept chain=prerouting in-interface=PPPoE_Eolo_XX
add action=accept chain=prerouting in-interface=PPPoE_Eolo_XX
# review: these only see connections marked above, i.e. LAN-originated
# ones. src-address-list="" appears to be an empty matcher left over from
# editing -- presumably a no-op, but worth removing.
add action=mark-routing chain=output connection-mark=PPPoE_Wan1_Giada new-routing-mark=to_PPPoE_XX passthrough=yes src-address-list=""
add action=mark-routing chain=output connection-mark=PPPoE_Wan2_Fabrizio new-routing-mark=to_PPPoE_XX passthrough=yes src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE_Eolo_XX
add action=masquerade chain=srcnat out-interface=PPPoE_Eolo_XX
# review: no src-address, so every connection towards 10.10.10.0/24 that
# passes srcnat -- including VPN clients reaching the LAN -- is masqueraded
# to the bridge address, and each one is logged; LAN hosts then see the
# router rather than the VPN client as the peer. If this is meant as a
# hairpin-NAT helper, src-address=10.10.10.0/24 keeps VPN client addresses
# visible to the LAN.
add action=masquerade chain=srcnat dst-address=10.10.10.0/24 log=yes

/ip ipsec identity
# review: generate-policy=port-override creates the per-client policies
# dynamically, as needed for L2TP. auth-method and secret are not in the
# posted lines (pre-shared-key is the default) -- confirm the secret
# matches the one configured on the clients.
add generate-policy=port-override peer=l2tpserver
/ip ipsec policy
# review: the default template policy widened to 0.0.0.0/0 both ways.
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
# review: every gateway and routing-mark reads PPPoE_Eolo_XX / to_PPPoE_XX
# after anonymization, so the mark-to-uplink pairing cannot be checked
# here. Each mark has two routes at distance=1 ("PCC WanN" and "WanN");
# only the "PCC Wan2" route has check-gateway=ping, so a dead uplink on the
# other side is not detected and its marked connections are not failed
# over.
add comment="PCC Wan1" distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan1 distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add check-gateway=ping comment="PCC Wan2" distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan2 distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan1 distance=1 gateway=PPPoE_Eolo_XX
add comment=Wan2 distance=1 gateway=PPPoE_Eolo_XX

/ip service
# review: the one management service left enabled is winbox on a custom
# port; with the WAN input drop disabled it is reachable from both uplinks,
# so an `address=` restriction on it (LAN and VPN ranges) is the cheapest
# hardening. A non-default port is not a substitute for that.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=XX
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set show-dummy-rule=no
/ppp secret
# review: the password is not in the posted lines. remote-address
# 10.10.10.46 is inside the LAN subnet; see the /ppp profile note.
add name=assomev profile=ipsec_vpn remote-address=10.10.10.46 service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Pipolis
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server mac-winbox
# review: NOI has no members, so MAC-Winbox is effectively disabled on
# every interface. Fine from a hardening standpoint, but probably not what
# the list was meant to express.
set allowed-interface-list=NOI
I tried to connect to the VPN with a Windows 10 client; I set the VPN security settings to allow all protocols.

Where is the problem?

Thank you
