I've set up a lab environment that connects two RB2011s in IPsec tunnel mode VPN. The two routers get their "WANs" from behind our office router as DHCP clients and it works flawlessly.
After this I wanted to try it out in a PPPoE environment (this would be the deployment scenario), so I made a PPPoE server out of a third Mikrotik router as a PPPoE concentrator, still behind our office LAN. Two interfaces on the PPPoE server are configured to give out IPs from two different pools (or at least two different remote IPs) to simulate two different PPPoE ISPs. Also the PPPoE server uses masquerading to our office router. The internet works flawlessly from my laptop and the RB2011s PPPoE clients, but I'm having issues with IPsec peers only reaching "message 1 sent" states on both sides. The peers on the two sides are continuously resending phase 1 packets until their negotiation timeout. The funny thing is the two routers can ping each other's local and remote PPPoE IPs, and when they send a phase 1 packet there's a reply, but from their PPPoE remote address (not the local).
So on one side there's 'local <=> remote sending', but reply comes back originating from the remote IP 192.168.0.76 (which is the PPPoE remote IP/gateway):
ipsec ipsec: sent phase1 packet 10.10.30.250[500]<=>10.10.10.250[500] 693c21d6f07ac1f8:0000000000000000
ipsec,debug ipsec: ===== received 460 bytes from 192.168.0.76[500] to 10.10.30.250[500]
IPSec then simply tells me that (obviously) it doesn't know a peer at 192.168.0.76, because it's waiting for reply from 10.10.10.250:
ipsec ipsec: no IKEv1 peer config for 192.168.0.76
The same happens on the other router, but src-dst is of course in reverse. Now I might be doing this simulation setup the wrong way.
Does anybody have an idea how I could set up a more lifelike PPPoE concentrator scenario where I can simulate at least two PPPoE based ISPs?
Would IKE and IPsec even work with PPPoE at all? Could it be that just the Identity needs some fine tuning so Identity Protection can do its job when using PPPoE as WAN?
Cheers and a Happy New Year,
Chris
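An added diagnostic, not part of Chris's post or of RouterOS: it pairs each "sent phase1" log line with the following "received" line for the same local address and flags replies whose source is not the configured peer, which is exactly the symptom above (the reply to 10.10.30.250 arrives from 192.168.0.76 instead of 10.10.10.250, pointing at address rewriting by the masquerading concentrator). The sample log is constructed from the lines quoted in the post; the regexes and the `Mismatch` type are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of the RouterOS ipsec log lines quoted in the post.
SAMPLE_LOG = """\
ipsec ipsec: sent phase1 packet 10.10.30.250[500]<=>10.10.10.250[500] 693c21d6f07ac1f8:0000000000000000
ipsec,debug ipsec: ===== received 460 bytes from 192.168.0.76[500] to 10.10.30.250[500]
ipsec ipsec: no IKEv1 peer config for 192.168.0.76
"""

# Assumed line shapes, matching the log format shown in the post.
SENT_RE = re.compile(r"sent phase1 packet ([^\s\[]+)\[(\d+)\]<=>([^\s\[]+)\[(\d+)\]")
RECV_RE = re.compile(r"received \d+ bytes from ([^\s\[]+)\[(\d+)\] to ([^\s\[]+)\[(\d+)\]")


@dataclass
class Mismatch:
    local: str           # our address the reply was delivered to
    expected_peer: str   # peer we sent the phase 1 packet to
    actual_source: str   # source address the reply actually came from


def find_ike_source_mismatches(log_text: str) -> list[Mismatch]:
    """Flag IKE phase 1 replies whose source differs from the peer we sent to.

    A mismatch means a device on the path rewrites the IKE source address
    (here: the masquerading PPPoE concentrator), so the responder's peer
    lookup fails with 'no IKEv1 peer config for <address>'.
    """
    pending: dict[str, str] = {}   # local address -> peer we last sent to
    found: list[Mismatch] = []
    for line in log_text.splitlines():
        m = SENT_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(3)
            continue
        m = RECV_RE.search(line)
        if m:
            src, local = m.group(1), m.group(3)
            peer = pending.pop(local, None)
            if peer is not None and src != peer:
                found.append(Mismatch(local=local, expected_peer=peer, actual_source=src))
    return found


if __name__ == "__main__":
    for mm in find_ike_source_mismatches(SAMPLE_LOG):
        print(f"reply to {mm.local} came from {mm.actual_source}, expected {mm.expected_peer}: "
              "an address-rewriting hop sits between the peers")
```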