 
Babujnik
newbie
Topic Author
Posts: 32
Joined: Fri May 05, 2017 2:15 pm

EoIP + L2TP + IPSEC MTU issue

Sat Sep 24, 2022 6:04 pm

Hi everyone,

I'm having some issues with (probably) MTU settings in the site-to-site connection and the L2TP connection to one site.

Here's the config:

SiteA:
/interface bridge
add admin-mac=9E:B9:9C:3F:B0:E7 auto-mac=no name=br_100_mgmt
add admin-mac=08:55:31:0D:C8:F5 auto-mac=no name=br_200_home
add admin-mac=D4:CA:6D:CC:78:8D auto-mac=no name=br_500_guests
/interface ethernet
set [ find default-name=ether1 ] comment=wan
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] comment=vanaheim
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=helheim
set [ find default-name=sfp1 ] disabled=yes mac-address=08:55:31:0D:C8:F4
/interface eoip
add allow-fast-path=no clamp-tcp-mss=no local-address=SiteA_IP mac-address=02:C2:F8:F6:60:B4 name=eoip-bifrost remote-address=SiteB_IP tunnel-id=0
/interface vlan
add interface=ether3 name=guests_500_e3 vlan-id=500
add interface=ether5 name=guests_500_e5 vlan-id=500
add interface=ether3 name=home_200_e3 vlan-id=200
add interface=ether5 name=home_200_e5 vlan-id=200
add interface=ether3 name=mgmt_100_e3 vlan-id=100
add interface=ether5 name=mgmt_100_e5 vlan-id=100
add interface=eoip-bifrost name=mgmt_100_eoip vlan-id=100
/interface list
add name=internal
add name=external
add comment="nilfheim wifi" name=nilfheim-wifi
add comment="helheim wifi" name=helheim-wifi
add comment="2GHz networks" name=home-2g
add comment="5GHz networks" name=home-5g
add name=jotunheim-wifi
add name=home-wifi
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether3 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether4 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether5 trusted=yes
add bridge=br_200_home disabled=yes interface=ether2
add bridge=br_500_guests interface=guests_500_e3
add bridge=br_500_guests interface=guests_500_e5
add bridge=br_100_mgmt interface=mgmt_100_e3
add bridge=br_100_mgmt interface=mgmt_100_e5
add bridge=br_200_home interface=home_200_e3
add bridge=br_200_home interface=home_200_e5
add bridge=br_100_mgmt interface=mgmt_100_eoip
/interface detect-internet
set detect-interface-list=external internet-interface-list=external lan-interface-list=internal wan-interface-list=external
/interface l2tp-server server
set authentication=mschap2 max-mru=1300 max-mtu=1300 mrru=1504 use-ipsec=yes
/interface list member
add interface=sfp1 list=external
add interface=br_200_home list=internal
add interface=br_500_guests list=internal
add interface=lte1 list=external
add interface=ether1 list=external
add interface=br_100_mgmt list=internal
add interface=eoip-bifrost list=internal
add interface=mgmt_100_eoip list=internal
SiteB:
/interface bridge
add admin-mac=02:D7:9A:B1:0E:44 auto-mac=no name=br_mgmt
add mtu=1416 name=br_vpn
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full disable-running-check=no loop-protect=on name=ether-wan
/interface l2tp-client
add connect-to=77.237.23.33 name=l2tp-home profile=bidged use-ipsec=yes user=bifrost
/interface eoip
add allow-fast-path=no clamp-tcp-mss=no local-address=SiteB_IP mac-address=02:33:90:D4:AD:8A name=eoip-valhalla remote-address=SiteA_ip tunnel-id=0
/interface vlan
add interface=eoip-valhalla mtu=1416 name=mgmt_100_eoip vlan-id=100
/interface list
add name=internal
add name=external
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_mgmt interface=mgmt_100_eoip
/interface bridge vlan
add bridge=br_mgmt tagged=mgmt_100_eoip untagged=br_mgmt vlan-ids=100
/interface detect-internet
set detect-interface-list=external internet-interface-list=external lan-interface-list=internal wan-interface-list=external
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1300 max-mtu=1300 mrru=1504 use-ipsec=yes
/interface list member
add interface=ether-wan list=external
add interface=veth-home list=internal
add interface=veth-guests list=internal
add interface=veth-pihole list=internal
add interface=eoip-valhalla list=internal
add interface=br_mgmt list=internal
add interface=mgmt_100_eoip list=internal
When I set up an L2TP+IPsec connection to SiteA, I cannot get access via SSH to SiteB. I see in "firewall>connections" that SSH has "syn sent" / "syn received", but the connection dies.
On the other hand, when I run L2TP to SiteB, there is no issue with SSH/Winbox to devices on SiteA.

What's more, if I add more L2TP connections to SiteA (RBs from dynamic IPs, road warriors), I cannot access them from L2TP from SiteA.
Setting road warriors to connect to SiteB and connecting myself to SiteB via L2TP works like a charm.

Any tip/idea what could go wrong? I've tried with TCP MSS on and off, but no luck :/
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EoIP + L2TP + IPSEC MTU issue

Sat Sep 24, 2022 8:47 pm

The configuration exports only show what you assume to be relevant - I can see no traces of firewall rules, but as you bothered to obfuscate the public IPs, I assume you do care about security, so you do have some firewall rules in place. Since the /ppp secret table is missing completely, nor is there any /ip pool, I assume a lot more is missing in the exports. So without a crystal ball no one can find the real causes of your issues.

The TCP MSS manipulating rules are normally only necessary to work around blocking of ICMP traffic, which prevents PMTUD from working properly.

Is the EoIP tunnel indeed a plaintext one, or have you also removed the IPsec configuration before posting the exports? Since you only interconnect two VLANs, you may use BCP over L2TP rather than EoIP, so you would have no MTU issues on the inter-site link even if the path between the sites has problems with fragmented packets.
 
Babujnik
newbie
Topic Author
Posts: 32
Joined: Fri May 05, 2017 2:15 pm

Re: EoIP + L2TP + IPSEC MTU issue

Sun Sep 25, 2022 11:03 am

Hi Sindy,

You're perfectly right, I should have thought about exporting more info. I guess I've spent too much time thinking about why there is an issue with the connection.. my apologies :)

Below is the export from SiteA:
/ip ipsec policy group
add name=road_warriors
/ip ipsec profile
add name=road_warriors
/ip ipsec peer
add exchange-mode=ike2 name=road_warriors passive=yes profile=road_warriors send-initial-contact=no
/ip ipsec proposal
add name=road_warriors
/ip pool
add name=guest_dhcp_pool ranges=192.168.100.1-192.168.100.20
add name=home_dhcp_pool ranges=192.168.0.100-192.168.0.110
add name=mgmt_dhcp_pool ranges=10.10.10.1-10.10.10.20
add name=vpn_pool ranges=192.168.101.1-192.168.101.10
/ip dhcp-server
add address-pool=home_dhcp_pool interface=br_200_home lease-time=30m name=dhcp_home_server
add address-pool=guest_dhcp_pool interface=br_500_guests name=dhcp_guest_server
add address-pool=mgmt_dhcp_pool interface=br_100_mgmt name=dhcp_mgmt_server
/ip address
add address=192.168.0.252/24 interface=br_200_home network=192.168.0.0
add address=192.168.100.252/24 interface=br_500_guests network=192.168.100.0
add address=10.10.10.252/24 interface=br_100_mgmt network=10.10.10.0
add address=192.168.101.252/24 interface=br_vpn network=192.168.101.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=256 max-concurrent-tcp-sessions=40 servers=45.90.28.247,45.90.30.247
/ip firewall address-list
add address=192.168.0.4 list=lte
add address=192.168.0.3 list=lte
add address=192.168.0.1 list=lte
add address=192.168.0.2 list=lte
add address=192.168.0.7 list=lte
add address=192.168.0.58 list=lte
add address=192.168.0.8 list=lte
add address=192.168.0.57 list=lte
add address=192.168.0.202 list=lte
add address=135.125.232.100 list=secure
add address=10.10.10.0/24 list=private
add address=192.168.0.0/24 list=private
add address=192.168.101.0/24 list=private
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=accept chain=forward comment="cust: qnap download" connection-state=established,related dst-address=192.168.0.100
add action=accept chain=forward comment="cust: qnap upload" connection-state=established,related src-address=192.168.0.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="cust: accept from trusted devices" in-interface=ether1 protocol=tcp src-address-list=secure src-port=22,8291
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="defconf: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="defconf: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="defconf: allow IPsec NAT" dst-port=4500 log=yes log-prefix=pass-ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="cust: drop access for guests to main network" dst-address-list=private in-interface=br_500_guests
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="cust: masquerade for main link" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="cust: masquerade for backup link" ipsec-policy=out,none out-interface=lte1 src-address-list=lte
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-strict match-by=certificate mode-config=road_warriors peer=road_warriors policy-template-group=\
    road_warriors remote-certificate=client_ipsec_beowulf remote-id=ignore
add auth-method=digital-signature certificate=SERVER_ipsec comment=hekate generate-policy=port-strict match-by=certificate mode-config=road_warriors peer=road_warriors policy-template-group=\
    road_warriors remote-certificate=client_ipsec_hekate remote-id=ignore
/ip ipsec mode-config
add address-pool=*4 name=road_warriors
/ip ipsec policy
add group=road_warriors proposal=road_warriors template=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=40
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=77.237.23.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0
/ip smb
set interfaces=br_200_home
/ip ssh
set always-allow-password-login=yes forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=br_200_home type=internal
/ppp profile
set *0 change-tcp-mss=default
add bridge=br_100_mgmt bridge-learning=yes interface-list=LAN name=bridged
add bridge-learning=yes interface-list=LAN local-address=192.168.101.21 name=clients remote-address=vpn_pool
set *FFFFFFFE change-tcp-mss=default
/ppp secret
add name=fenrir profile=bridged service=l2tp
add name=bifrost profile=bridged service=l2tp
add name=guest profile=bridged service=l2tp
add name=beowulf profile=clients service=l2tp
/interface bridge
add admin-mac=9E:B9:9C:3F:B0:E7 auto-mac=no name=br_100_mgmt
add admin-mac=08:55:31:0D:C8:F5 auto-mac=no name=br_200_home
add admin-mac=D4:CA:6D:CC:78:8D auto-mac=no name=br_500_guests
add admin-mac=72:A1:ED:3D:8F:EC auto-mac=no name=br_vpn
/interface ethernet
set [ find default-name=ether1 ] comment=wan
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] comment=vanaheim
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=helheim
set [ find default-name=sfp1 ] disabled=yes mac-address=08:55:31:0D:C8:F4
/interface eoip
add allow-fast-path=no clamp-tcp-mss=no local-address=77.237.23.33 mac-address=02:C2:F8:F6:60:B4 name=eoip-bifrost remote-address=135.125.232.100 tunnel-id=0
/interface vlan
add interface=ether3 name=guests_500_e3 vlan-id=500
add interface=ether5 name=guests_500_e5 vlan-id=500
add interface=ether3 name=home_200_e3 vlan-id=200
add interface=ether5 name=home_200_e5 vlan-id=200
add interface=ether3 name=mgmt_100_e3 vlan-id=100
add interface=ether5 name=mgmt_100_e5 vlan-id=100
add interface=eoip-bifrost name=mgmt_100_eoip vlan-id=100
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether3 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether4 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether5 trusted=yes
add bridge=br_200_home disabled=yes interface=ether2
add bridge=br_500_guests interface=guests_500_e3
add bridge=br_500_guests interface=guests_500_e5
add bridge=br_100_mgmt interface=mgmt_100_e3
add bridge=br_100_mgmt interface=mgmt_100_e5
add bridge=br_200_home interface=home_200_e3
add bridge=br_200_home interface=home_200_e5
add bridge=br_100_mgmt interface=mgmt_100_eoip
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=sfp1 list=WAN
add interface=br_200_home list=LAN
add interface=br_500_guests list=LAN
add interface=lte1 list=WAN
add interface=ether1 list=WAN
add interface=br_100_mgmt list=LAN
add interface=eoip-bifrost list=LAN
add interface=mgmt_100_eoip list=LAN
add interface=br_vpn list=LAN
SiteB:
/ip ipsec policy group
add name=road_warriors
/ip ipsec profile
add enc-algorithm=aes-128 name=road_warriors
/ip ipsec peer
add exchange-mode=ike2 name=road_warriors passive=yes profile=road_warriors send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc name=road_warriors
/ip pool
add name=vpn_pool ranges=192.168.101.1-192.168.101.10
/ip ipsec mode-config
add address-pool=vpn_pool name=road_warriors
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=yes
/ip dhcp-client
add !dhcp-options interface=ether-wan use-peer-dns=no
add add-default-route=no interface=br_mgmt
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=77.237.23.33 list=secure
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=100
/ip settings
set max-neighbor-entries=8192
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept from known devices" in-interface=ether-wan protocol=tcp src-address-list=secure src-port=22,8291
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="cust: allow L2TP VPN" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log=yes log-prefix=pass-ipsec protocol=udp
add action=accept chain=input comment="cust: allow from VPN" src-address=192.168.101.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="typical masquarade" out-interface=ether-wan
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf@bifrost.dev generate-policy=port-strict match-by=certificate mode-config=road_warriors peer=road_warriors \
    policy-template-group=road_warriors remote-certificate=client_ipsec_beowulf remote-id=ignore
/ip ipsec policy
add group=road_warriors proposal=road_warriors template=yes
/ip service
set telnet disabled=yes
set www address=77.237.23.33/32,192.168.0.0/24,172.16.0.0/24 disabled=yes
set www-ssl certificate=SERVER_www_bifrost
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ppp profile
set *0 change-tcp-mss=default
add bridge=br_mgmt bridge-learning=yes interface-list=LAN name=bidged
set *FFFFFFFE change-tcp-mss=default interface-list=LAN
/interface bridge
add admin-mac=02:D7:9A:B1:0E:44 auto-mac=no name=br_mgmt
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full disable-running-check=no loop-protect=on name=ether-wan
/interface eoip
add allow-fast-path=no clamp-tcp-mss=no local-address=135.125.232.100 mac-address=02:33:90:D4:AD:8A name=eoip-valhalla remote-address=77.237.23.33 tunnel-id=0
/interface veth
add address=192.168.100.180/24 gateway=192.168.100.252 name=veth-guests
add address=192.168.0.180/24 gateway=192.168.0.252 name=veth-home
add address=192.168.100.191/24 gateway=192.168.100.252 name=veth-pihole
/interface vlan
add interface=eoip-valhalla mtu=1416 name=mgmt_100_eoip vlan-id=100
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_mgmt interface=mgmt_100_eoip
/interface bridge vlan
add bridge=br_mgmt tagged=mgmt_100_eoip untagged=br_mgmt vlan-ids=100
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether-wan list=WAN
add interface=veth-home list=LAN
add interface=veth-guests list=LAN
add interface=veth-pihole list=LAN
add interface=eoip-valhalla list=LAN
add interface=br_mgmt list=LAN
add interface=mgmt_100_eoip list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate="Bifrost CA"
The EoIP connection between the sites is using IPsec; hide-sensitive is just cutting off this part. Currently I'm running only one VLAN via EoIP, but I would like to add more there, hence the choice of EoIP.

Edit: the site-to-site connection works fine. But if I log in via L2TP from e.g. a phone (client Beowulf), there is no chance for me to SSH to SiteB.
 
Babujnik
newbie
Topic Author
Posts: 32
Joined: Fri May 05, 2017 2:15 pm

Re: EoIP + L2TP + IPSEC MTU issue

Mon Sep 26, 2022 5:38 pm

I've temporarily switched to L2TP+BCP, but still no luck:
/tool/sniffer/quick interface=mgmt  ip-protocol=tcp port=ssh ip-address=192.168.101.9
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS           DST-ADDRESS           PROTOCOL  SIZE  CPU
mgmt       12.799    1  <-   9E:B9:9C:3F:B0:E7  2A:B1:9E:AF:BE:5C  192.168.101.9:62538   10.10.10.10:22 (ssh)  ip:tcp      78    0
mgmt       12.799    2  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       13.808    3  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       15.888    4  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       19.968    5  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       28.448    6  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       45.088    7  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       87.127    8  <-   9E:B9:9C:3F:B0:E7  2A:B1:9E:AF:BE:5C  192.168.101.9:62538   10.10.10.10:22 (ssh)  ip:tcp      54    0
10.10.10.10 is SiteB, 192.168.101.9 is the RoadWarrior client (LTE cell phone).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EoIP + L2TP + IPSEC MTU issue

Tue Sep 27, 2022 10:48 pm

I don't get it. You've left all public addresses in the configuration exports, but you have removed your own private addresses... You haven't even written at which of the routers the sniff you've posted has been taken, and there is no interface named mgmt (as seen in the sniff) in either of the two configurations.

The sniff indicates that the SSH client's SYN gets through (as the SSH server responds with SYN,ACK); the client never confirms reception of the SYN,ACK by its own ACK, but as it doesn't re-send the SYN, it suggests that it did receive the SYN,ACK. So that's definitely not an MTU issue, as the TCP session hasn't even reached the stage where large packets would be sent. No idea whether it is an issue of L3 HW forwarding, as you haven't stated what device models we're talking about...
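As an added illustration of the reasoning in the post above (this is example code, not from the thread or from MikroTik), here is a small Python analyser that parses the /tool/sniffer/quick rows posted earlier, groups them per TCP flow, and derives the same verdict from timing and direction alone: the server keeps retransmitting its SYN,ACK with a growing backoff while the client neither re-sends its SYN nor completes the handshake, so the failure happens before any large packet exists. The 100-byte "handshake-sized frame" threshold and the 1.5x backoff factor are assumptions of this example.

```python
"""Handshake-stage analysis of a RouterOS /tool/sniffer/quick TCP capture."""
import re
from collections import defaultdict

# The eight data rows of the sniff posted in the thread, re-typed here so the
# block runs stand-alone (the sniffer's column header line is omitted).
SNIFF = """\
mgmt       12.799    1  <-   9E:B9:9C:3F:B0:E7  2A:B1:9E:AF:BE:5C  192.168.101.9:62538   10.10.10.10:22 (ssh)  ip:tcp      78    0
mgmt       12.799    2  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       13.808    3  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       15.888    4  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       19.968    5  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       28.448    6  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       45.088    7  ->   2A:B1:9E:AF:BE:5C  9E:B9:9C:3F:B0:E7  10.10.10.10:22 (ssh)  192.168.101.9:62538   ip:tcp      74    0
mgmt       87.127    8  <-   9E:B9:9C:3F:B0:E7  2A:B1:9E:AF:BE:5C  192.168.101.9:62538   10.10.10.10:22 (ssh)  ip:tcp      54    0
"""

# One sniffer row: INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC DST PROTOCOL SIZE CPU.
# The "(ssh)" service annotation may follow either address, so both are optional.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\d+\.\d+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    r"(?P<smac>[0-9A-Fa-f:]{17})\s+(?P<dmac>[0-9A-Fa-f:]{17})\s+"
    r"(?P<src>[\d.]+:\d+)(?:\s+\(\w+\))?\s+(?P<dst>[\d.]+:\d+)(?:\s+\(\w+\))?\s+"
    r"(?P<proto>\S+)\s+(?P<size>\d+)\s+(?P<cpu>\d+)$"
)

# Assumption: frames above this size carry payload; a bare handshake segment
# (Ethernet + IP + TCP with options) stays well under it.
HANDSHAKE_MAX = 100


def parse_sniff(text):
    """Return one dict per parsable row, with time/size/num converted to numbers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({**d, "time": float(d["time"]), "size": int(d["size"]),
                         "num": int(d["num"])})
    return rows


def group_flows(rows):
    """Group rows by the unordered pair of endpoints (one TCP flow per key)."""
    flows = defaultdict(list)
    for r in rows:
        flows[frozenset((r["src"], r["dst"]))].append(r)
    return flows


def looks_like_backoff(times, factor=1.5):
    """True when every gap between consecutive timestamps grows by `factor`,
    the signature of a retransmission timer rather than of new data."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and all(g2 >= g1 * factor for g1, g2 in zip(gaps, gaps[1:]))


def analyse_flow(pkts):
    """Decide, from direction/size/timing only, whether the flow died in the
    handshake (not an MTU problem) or after data started to flow."""
    pkts = sorted(pkts, key=lambda p: p["num"])
    client, server = pkts[0]["src"], pkts[0]["dst"]  # first packet is the SYN
    from_client = [p for p in pkts if p["src"] == client]
    from_server = [p for p in pkts if p["src"] == server]
    # A client re-sending its SYN would show up as later frames of the SYN's size.
    syn_resent = any(p["size"] == from_client[0]["size"] for p in from_client[1:])
    result = {
        "client": client, "server": server,
        "client_packets": len(from_client), "server_replies": len(from_server),
        "largest_frame": max(p["size"] for p in pkts), "syn_resent": syn_resent,
    }
    if result["largest_frame"] > HANDSHAKE_MAX:
        result["verdict"] = "data flowed; a stall on large frames would point at MTU/PMTUD"
    elif not from_server:
        result["verdict"] = "no reply from server: SYN dropped, or reply routed elsewhere"
    elif looks_like_backoff([p["time"] for p in from_server]):
        why = ("client did not re-send its SYN, so it likely received the SYN,ACK; "
               if not syn_resent else "client also re-sent its SYN; ")
        result["verdict"] = ("server retransmits SYN,ACK with backoff and the client's "
                             "ACK is never seen: " + why +
                             "handshake never completes, so MTU is not the cause")
    else:
        result["verdict"] = "handshake-sized packets only, no retransmission pattern"
    return result


def analyse(text):
    """Analyse every TCP flow found in a pasted sniffer dump."""
    return [analyse_flow(p) for p in group_flows(parse_sniff(text)).values()]


if __name__ == "__main__":
    for r in analyse(SNIFF):
        print(r["client"], "->", r["server"], ":", r["verdict"])
```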
 
Babujnik
newbie
Topic Author
Posts: 32
Joined: Fri May 05, 2017 2:15 pm

Re: EoIP + L2TP + IPSEC MTU issue

Thu Sep 29, 2022 5:33 pm

Hi Sindy,

I haven't stripped any internal network addresses O_o.

Anyway, just to have all the information in one spot:

Site_A (valhalla):
# sep/29/2022 16:16:49 by RouterOS 7.5
# software id = CKQB-FCBE
#
# model = RB760iGS
# serial number = A36A0D0B008A
add client-to-client-forwarding=yes local-forwarding=yes name=guests vlan-id=500 vlan-mode=use-tag
/interface bridge
add admin-mac=9E:B9:9C:3F:B0:E7 auto-mac=no name=br_100_mgmt
add admin-mac=08:55:31:0D:C8:F5 auto-mac=no name=br_200_home
add admin-mac=D4:CA:6D:CC:78:8D auto-mac=no name=br_500_guests
/interface ethernet
set [ find default-name=ether1 ] comment=wan
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] comment=vanaheim
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment=helheim
set [ find default-name=sfp1 ] disabled=yes mac-address=08:55:31:0D:C8:F4
/interface eoip
add allow-fast-path=no local-address=77.237.23.33 mac-address=02:C2:F8:F6:60:B4 name=eoip-bifrost remote-address=135.125.232.100 tunnel-id=0
/interface vlan
add interface=eoip-bifrost name=guest_500_eoip vlan-id=500
add interface=ether3 name=guests_500_e3 vlan-id=500
add interface=ether5 name=guests_500_e5 vlan-id=500
add interface=ether3 name=home_200_e3 vlan-id=200
add interface=ether5 name=home_200_e5 vlan-id=200
add interface=eoip-bifrost name=home_200_eoip vlan-id=200
add interface=ether3 name=mgmt_100_e3 vlan-id=100
add interface=ether5 name=mgmt_100_e5 vlan-id=100
add interface=eoip-bifrost name=mgmt_100_eoip vlan-id=100
/disk
set sd1 disabled=no
set sd1-part1 disabled=no name=sdcard
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=172.168.0.232 name=bifrost
/ip ipsec policy group
add name=road_warriors
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=road_warriors
/ip ipsec peer
add exchange-mode=ike2 name=road_warriors passive=yes profile=road_warriors
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=road_warriors
/ip pool
add name=guest_dhcp_pool ranges=192.168.100.1-192.168.100.20
add name=home_dhcp_pool ranges=192.168.0.100-192.168.0.110
add name=mgmt_dhcp_pool ranges=10.10.10.1-10.10.10.20
add name=vpn_pool ranges=172.168.0.1-172.168.0.100
/ip dhcp-server
add address-pool=home_dhcp_pool interface=br_200_home lease-time=30m name=dhcp_home_server
add address-pool=guest_dhcp_pool interface=br_500_guests name=dhcp_guest_server
add address-pool=mgmt_dhcp_pool interface=br_100_mgmt name=dhcp_mgmt_server
/ip ipsec mode-config
add address-pool=vpn_pool name=road_warriors
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
set 1 name=serial0
/ppp profile
set *0 change-tcp-mss=default
add bridge=br_100_mgmt bridge-learning=yes change-tcp-mss=yes interface-list=LAN name=bridged
add bridge-learning=yes change-tcp-mss=yes interface-list=LAN local-address=192.168.101.10 name=clients remote-address=192.168.101.9 use-ipv6=default
set *FFFFFFFE change-tcp-mss=default
/queue simple
add limit-at=30M/400M max-limit=30M/400M name=qnap-queue target=192.168.0.100/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2 out-filter-chain=private redistribute="" router-id=10.10.10.252 routing-table=main
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] encryption-protocol=AES
/system logging action
set 3 remote=192.168.0.200 src-address=192.168.0.252 syslog-facility=auth
/user group
add name=Users policy=local,telnet,ftp,read,write,test,winbox,password,sensitive,!ssh,!reboot,!policy,!web,!sniff,!api,!romon,!dude,!rest-api
/interface bridge port
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether3 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether4 trusted=yes
add bridge=br_200_home disabled=yes ingress-filtering=no interface=ether5 trusted=yes
add bridge=br_200_home disabled=yes interface=ether2
add bridge=br_500_guests interface=guests_500_e3
add bridge=br_500_guests interface=guests_500_e5
add bridge=br_100_mgmt interface=mgmt_100_e3
add bridge=br_100_mgmt interface=mgmt_100_e5
add bridge=br_200_home interface=home_200_e3
add bridge=br_200_home interface=home_200_e5
add bridge=br_200_home interface=home_200_eoip
add bridge=br_500_guests interface=guest_500_eoip
add bridge=br_100_mgmt interface=mgmt_100_eoip
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=clients enabled=yes max-mru=1300 max-mtu=1300 mrru=1504 use-ipsec=yes
/interface list member
add interface=sfp1 list=WAN
add interface=br_200_home list=LAN
add interface=br_500_guests list=LAN
add interface=lte1 list=WAN
add interface=ether1 list=WAN
add interface=br_100_mgmt list=LAN
add interface=eoip-bifrost list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.0.252/24 interface=br_200_home network=192.168.0.0
add address=192.168.100.252/24 interface=br_500_guests network=192.168.100.0
add address=10.10.10.252/24 interface=br_100_mgmt network=10.10.10.0
add address=192.168.101.1/30 disabled=yes interface=gre-bifrost network=192.168.101.0
add address=192.168.101.5/30 disabled=yes interface=gre-guest network=192.168.101.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no
add default-route-distance=2 interface=lte1 use-peer-dns=no
/ip dhcp-server
add address-pool=vpn_pool disabled=yes interface=*CA name=vpn_dhcp
/ip dhcp-server alert
add disabled=no interface=br_200_home
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.252
add address=192.168.0.0/24 caps-manager=192.168.0.252 comment=main dns-server=192.168.0.252 gateway=192.168.0.252 netmask=24 ntp-server=192.168.0.252
add address=192.168.0.4/32 comment=work dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.252 netmask=24
add address=192.168.100.0/24 comment=guests dns-server=94.140.14.49,94.140.14.59 gateway=192.168.100.252 netmask=24
add address=192.168.101.0/24 gateway=192.168.101.252
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=256 max-concurrent-tcp-sessions=40 servers=45.90.28.247,45.90.30.247
/ip dns static
add address=10.10.10.232 name=bifrost
add address=192.168.0.100 name=nas
add address=192.168.0.111 name=midgard
add address=10.10.10.123 name=muspelheim
add address=192.168.0.200 name=alfheim
add address=192.168.0.202 name=heimdall
add address=10.10.10.222 name=nilfheim
add address=10.10.10.234 name=helheim
add address=10.10.10.242 name=vanaheim
add address=10.10.10.252 name=valhalla
add address=172.168.1.252 name=fenrir
/ip firewall address-list
add address=192.168.0.4 list=lte
add address=192.168.0.3 list=lte
add address=192.168.0.1 list=lte
add address=192.168.0.2 list=lte
add address=192.168.0.7 list=lte
add address=192.168.0.58 list=lte
add address=192.168.0.8 list=lte
add address=192.168.0.57 list=lte
add address=192.168.0.202 list=lte
add address=135.125.232.100 list=secure
add address=10.10.10.0/24 list=private
add address=192.168.0.0/24 list=private
add address=192.168.101.0/24 disabled=yes list=private
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=accept chain=forward comment="cust: qnap download" connection-state=established,related dst-address=192.168.0.100
add action=accept chain=forward comment="cust: qnap upload" connection-state=established,related src-address=192.168.0.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="cust: allow VPN" src-address=172.168.0.0/24
add action=accept chain=input comment="cust: accept from trusted devices" dst-port=22,8291 in-interface=ether1 protocol=tcp src-address-list=secure
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="defconf: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="defconf: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="defconf: allow IPsec NAT" dst-port=4500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="cust: drop access for guests to main network" dst-address-list=private in-interface=br_500_guests
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="cust: masquerade for main link" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="cust: masquerade for backup link" ipsec-policy=out,none out-interface=lte1 src-address-list=lte
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-strict match-by=certificate mode-config=road_warriors peer=road_warriors policy-template-group=\
    road_warriors remote-certificate=client_ipsec_beowulf remote-id=ignore
add auth-method=digital-signature certificate=SERVER_ipsec comment=hekate generate-policy=port-strict match-by=certificate mode-config=road_warriors peer=road_warriors policy-template-group=\
    road_warriors remote-certificate=client_ipsec_hekate remote-id=ignore
add generate-policy=port-override mode-config=bifrost peer=road_warriors policy-template-group=road_warriors
/ip ipsec policy
add group=road_warriors proposal=road_warriors template=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=40
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=77.237.23.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl address=0.0.0.0/0
/ip smb
set interfaces=br_200_home
/ip ssh
set always-allow-password-login=yes forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=br_200_home type=internal
/ppp secret
add name=fenrir profile=bridged service=l2tp
add name=bifrost profile=bridged service=l2tp
add name=guest profile=bridged service=l2tp
add name=beowulf profile=clients service=l2tp
/radius incoming
set accept=yes
/routing ospf interface-template
add area=backbone-v2 disabled=no networks=10.10.10.0/24
add area=backbone-v2 disabled=no networks=192.168.0.0/24
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=valhalla
/system logging
add action=remote topics=warning
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add disabled=yes topics=debug,l2tp,ppp
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes
/system ntp client servers
add address=195.46.37.22
add address=91.212.242.20
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no ping-timeout=3m watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp.gmail.com from=system@valhalla port=587 tls=starttls user=system.notyfikator
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.0.0/24 interface=ether1
add allow-address=192.168.0.0/24 interface=br_200_home
add allow-address=192.168.0.0/24 interface=br_100_mgmt
add allow-address=192.168.0.0/24 interface=br_500_guests
/tool graphing queue
add allow-address=192.168.0.0/24 simple-queue=qnap-queue
/tool graphing resource
add allow-address=192.168.0.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Site_B (bifrost, CHR):
# sep/29/2022 16:22:53 by RouterOS 7.5
# software id = 
#
/interface bridge
add admin-mac=02:D7:9A:B1:0E:44 auto-mac=no ingress-filtering=no name=br_vlans pvid=100 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full disable-running-check=no loop-protect=on name=ether-wan
/interface eoip
add allow-fast-path=no local-address=135.125.232.100 mac-address=02:33:90:D4:AD:8A mtu=1416 name=eoip-valhalla remote-address=77.237.23.33 tunnel-id=0
/interface veth
add address=192.168.100.180/24 gateway=192.168.100.252 name=veth-guests
add address=192.168.0.180/24 gateway=192.168.0.252 name=veth-home
add address=192.168.100.191/24 gateway=192.168.100.252 name=veth-pihole
/container mounts
add dst=/opt/adguardhome/work/data name=adguardhome_data src=/container/adguardhome
add dst=/opt/adguardhome/conf/ name=adguardhome_conf src=/container/adguardhome
add dst=/opt/adguardhome/work/ name=adguardhome_work src=/container/adguardhome
add dst=/etc/pihole name=etc_pihole src=/disk1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/disk1/etc-dnsmasq.d
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=road_warriors responder=no
/ip ipsec policy group
add name=road_warriors
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=road_warriors
/ip ipsec peer
add address=77.237.23.33/32 disabled=yes exchange-mode=ike2 name=road_warrior profile=road_warriors
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=road_warriors
/ip pool
add name=vpn_pool ranges=172.168.0.1-172.168.0.20
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 change-tcp-mss=default
set *FFFFFFFE change-tcp-mss=default interface-list=LAN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2 redistribute="" router-id=10.10.10.232
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] encryption-protocol=AES
/system logging action
set 3 bsd-syslog=yes remote=192.168.0.200 src-address=172.16.0.252 syslog-facility=auth
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/certificate settings
set crl-download=yes crl-use=yes
/container
add interface=veth-guests mounts=adguardhome_data,adguardhome_conf,adguardhome_work root-dir=container/adguardhome workdir=/opt/adguardhome/work
add envlist=pihole_envs interface=veth-pihole mounts=etc_pihole,dnsmasq_pihole root-dir=disk1/pihole
add interface=veth-home
/container config
set registry-url=https://registry-1.docker.io
/container envs
add key=TZ name=pihole_envs value=Europe/Warsaw
add key=WEBPASSWORD name=pihole_envs value=mysecurepassword
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=br_vlans interface=veth-guests pvid=500
add bridge=br_vlans interface=veth-pihole pvid=500
add bridge=br_vlans interface=veth-home pvid=200
add bridge=br_vlans interface=eoip-valhalla
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=100
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=br_vlans tagged=eoip-valhalla untagged=br_vlans vlan-ids=100
add bridge=br_vlans tagged=eoip-valhalla untagged=veth-home vlan-ids=200
add bridge=br_vlans tagged=eoip-valhalla untagged=veth-guests,veth-pihole vlan-ids=500
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1300 max-mtu=1300 mrru=1504 use-ipsec=yes
/interface list member
add interface=ether-wan list=WAN
add interface=eoip-valhalla list=LAN
add interface=br_vlans list=LAN
add interface=gre-valhalla list=LAN
add interface=veth-guests list=LAN
add interface=veth-home list=LAN
add interface=veth-pihole list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate="Bifrost CA"
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=yes
/ip dhcp-client
add !dhcp-options interface=ether-wan use-peer-dns=no
add add-default-route=no interface=br_vlans
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.242 name=vanaheim
add address=192.168.0.232 name=jotunheim
add address=192.168.0.222 name=nilfheim
add address=192.168.0.234 name=helheim
add address=192.168.0.212 name=yggdrasil
add address=192.168.0.252 name=valhalla
/ip firewall address-list
add address=77.237.23.33 list=secure
add address=192.168.0.0/24 list=private
add address=10.10.10.0/24 list=private
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=accept chain=input comment="defconf: accept from known devices" dst-port=22,8291 in-interface=ether-wan protocol=tcp src-address-list=secure src-port=""
add action=accept chain=forward comment="cust: allow from VPN" src-address=172.168.0.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="cust: allow L2TP VPN" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log=yes log-prefix=pass-ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="typical masquerade" out-interface=ether-wan
/ip ipsec identity
add disabled=yes generate-policy=port-strict mode-config=road_warriors peer=road_warrior policy-template-group=road_warriors
/ip ipsec policy
add group=road_warriors proposal=road_warriors template=yes
/ip route
add disabled=no distance=1 dst-address=192.168.101.0/24 gateway=10.10.10.252%br_vlans pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set www address=77.237.23.33/32,192.168.0.0/24,172.16.0.0/24 disabled=yes
set www-ssl certificate=SERVER_www_bifrost
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ppp secret
add disabled=yes name=guest profile=bidged service=l2tp
add name=beowulf profile=clients service=l2tp
/routing ospf interface-template
add area=backbone-v2 disabled=no networks=10.10.10.0/24
add area=backbone-v2 disabled=no networks=192.168.101.0/24
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=bifrost
/system logging
add action=remote topics=account
add action=remote topics=critical
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=error
add disabled=yes topics=l2tp,debug,ppp
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.86.14.67
add address=91.212.242.20
While trying to SSH from the L2TP road warrior (interface l2tp-beowulf-1) to site_b (10.10.10.232) I get a timeout.

The sniff shows the connections below:

site_A:
/tool/sniffer/quick port=ssh ip-address=192.168.101.9
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE         TIME    NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS            DST-ADDRESS            PROTOCOL  SIZE  CPU
mgmt_100_eoip     18.093   34  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    1
eoip-bifrost      18.093   35  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44   100  192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      78    1
eoip-bifrost      25.816   36  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    3
mgmt_100_eoip     25.816   37  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
br_100_mgmt       25.816   38  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
<l2tp-beowulf-1>  34.207   39  <-                                               192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      60    1
br_100_mgmt       34.207   40  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    1
mgmt_100_eoip     34.207   41  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    1
eoip-bifrost      34.207   42  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44   100  192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      78    1
eoip-bifrost      34.233   43  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    3
mgmt_100_eoip     34.233   44  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
br_100_mgmt       34.233   45  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
<l2tp-beowulf-1>  34.234   46  ->                                               10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      60    3
eoip-bifrost      50.775   47  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    3
mgmt_100_eoip     50.775   48  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
br_100_mgmt       50.775   49  <-   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    3
<l2tp-beowulf-1>  66.732   50  <-                                               192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      60    1
br_100_mgmt       66.732   51  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    1
mgmt_100_eoip     66.732   52  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    1
eoip-bifrost      66.732   53  ->   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44   100  192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      78    1
site_B:
br_vlans       12.365    2  <-   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    0
br_vlans       12.365    3  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  12.365    4  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
br_vlans       13.443    5  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  13.443    6  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
br_vlans       15.523    7  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  15.523    8  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
br_vlans       19.603    9  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  19.603   10  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
br_vlans       28.243   11  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  28.243   12  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
eoip-valhalla  36.661   13  <-   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44   100  192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      78    0
br_vlans       36.661   14  <-   9E:B9:9C:3F:B0:E7  02:D7:9A:B1:0E:44        192.168.101.9:60756    10.10.10.232:22 (ssh)  ip:tcp      74    0
br_vlans       36.661   15  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  36.661   16  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
br_vlans       53.203   17  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7        10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      74    0
eoip-valhalla  53.203   18  ->   02:D7:9A:B1:0E:44  9E:B9:9C:3F:B0:E7   100  10.10.10.232:22 (ssh)  192.168.101.9:60756    ip:tcp      78    0
So it seems that communication is passing from Site_A to Site_B, but then at some point it is being dropped? Rejected?
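Separate from the MTU question, one thing in the Site_B export above is worth checking in its own right: its first input-chain rule accepts connection-state `established,related,new,untracked`, whereas the Site_A version of the same "defconf" rule has no `new`. The script below is an added example (editor's code, not part of the thread) that parses `/ip firewall filter` export lines and flags an input-chain accept rule that matches `new` without any source, interface, port or protocol restriction; for new connections, every later input-chain drop such as "drop all not coming from LAN" is then never reached. The two sample inputs are a subset of the input-chain lines copied from the Site_A and Site_B exports above; the parser is deliberately small and understands only `add key=value ...` lines.

```python
"""Audit the input chain of a RouterOS '/ip firewall filter' export.

Added example (editor's code, not from the thread). It parses export
lines of the form 'add key=value ...' and flags an input-chain accept
rule whose connection-state includes 'new' and that carries no source,
interface, port or protocol restriction: for new connections every later
input-chain drop, such as "drop all not coming from LAN", never runs.
"""
import re
import shlex

# Keys that narrow an accept rule to a particular source, service or path.
RESTRICTING_KEYS = {
    "src-address", "src-address-list", "in-interface", "in-interface-list",
    "dst-address", "dst-address-list", "dst-port", "protocol", "ipsec-policy",
}

# Input-chain rules copied from the Site_A export in the post above.
SITE_A_INPUT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="cust: accept from trusted devices" dst-port=22,8291 in-interface=ether1 protocol=tcp src-address-list=secure
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# Input-chain rules copied from the Site_B export in the post above.
SITE_B_INPUT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=accept chain=input comment="defconf: accept from known devices" dst-port=22,8291 in-interface=ether-wan protocol=tcp src-address-list=secure src-port=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="cust: allow L2TP VPN" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""


def parse_export(text):
    """Return one dict per 'add ...' line, in export (evaluation) order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue  # section header, comment or 'set' line
        rule = {}
        for tok in shlex.split(line[4:]):
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def matches_new(rule):
    """True if the rule can match a packet that opens a new connection."""
    states = rule.get("connection-state")
    return states is None or "new" in states.split(",")


def audit_input_chain(text):
    """Return (index, comment, shadowed drop comments) per unrestricted accept of 'new'."""
    rules = parse_export(text)
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        if "new" not in rule.get("connection-state", "").split(","):
            continue
        if RESTRICTING_KEYS & set(rule):
            continue  # accepting 'new' for one service or source is intended
        shadowed = [r.get("comment", "") for r in rules[i + 1:]
                    if r.get("chain") == "input" and r.get("action") == "drop"
                    and matches_new(r)]
        findings.append((i, rule.get("comment", ""), shadowed))
    return findings


def drop_new_state(line):
    """Rewrite one export line so its connection-state no longer lists 'new'."""
    def repl(m):
        states = [s for s in m.group(1).split(",") if s != "new"]
        return "connection-state=" + ",".join(states)
    return re.sub(r"connection-state=([\w,]+)", repl, line)


if __name__ == "__main__":
    for name, text in (("Site_A", SITE_A_INPUT), ("Site_B", SITE_B_INPUT)):
        for idx, comment, shadowed in audit_input_chain(text):
            print(f"{name}: rule {idx} ({comment!r}) accepts new connections from anywhere")
            print(f"  input drops it shadows: {shadowed}")
            bad = [l for l in text.splitlines() if l.startswith("add")][idx]
            print("  corrected: " + drop_new_state(bad))
```

Run against the two samples it reports nothing for Site_A and one finding for Site_B, together with the corrected line (the same rule without `new`). The script only reads an export pasted into a string; it does not talk to the router.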
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EoIP + L2TP + IPSEC MTU issue

Thu Sep 29, 2022 7:48 pm

> I haven't stripped any internal network addresses O_o.
OK, it did not come to my mind that the router at Site B might get its LAN side address from an external DHCP server.

> So it seems that communication is passing from Site_A to Site_B, but then at some point it is being dropped? Rejected?
What I can see is that at Site_A the SYN packet arrives from the L2TP client and some response to it arrives from Site_B back to Site_A and gets sent to the L2TP client. So I am surprised that the SSH client at the L2TP client says "timeout": if the response was a RST packet, the SSH client should report an error immediately; if it was a SYN,ACK, the client should respond with ACK. Neither of these happens.

So sniff to file and use Wireshark to see what is actually coming back from 10.10.10.232.
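The reply above asks for the capture to be saved and inspected. As an added example (editor's code, not part of the thread), the script below does the same check without Wireshark: it builds a small pcap in memory from constructed frames that mimic the sniffed flow (addresses, ports, MACs and VLAN 100 are the ones in the sniff output above; the packet contents are constructed), then parses Ethernet / 802.1Q / IPv4 / TCP with `struct` only, prints one row per frame in the sniffer's own shape (size, VLAN, src, dst, flags) and classifies the server's answer to the SYN as SYN-ACK, RST or none.

```python
"""Read back a capture and report what answered the TCP SYN.

Added example (editor's code, not from the thread). Builds a constructed
pcap mimicking the sniffed flow 192.168.101.9:60756 -> 10.10.10.232:22,
then parses Ethernet / 802.1Q / IPv4 / TCP and classifies the reply.
"""
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = "192.168.101.9:60756", "10.10.10.232:22"
CLIENT_MAC = bytes.fromhex("9EB99C3FB0E7")   # MACs as seen in the sniff above
SERVER_MAC = bytes.fromhex("02D79AB10E44")
# 20 bytes of options as a typical Linux SYN carries: MSS, SACK-OK, timestamps, NOP, wscale.
SYN_OPTS = bytes.fromhex("020405b4 0402 080a 00000001 00000000 01 030307")


def ip_checksum(hdr):
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src, dst, flags, vlan=None, opts=b""):
    """Ethernet[/802.1Q]/IPv4/TCP frame; src/dst are 'ip:port'. TCP checksum left at 0."""
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    tcp = struct.pack("!HHIIHHHH", int(sport), int(dport), 1, 0,
                      ((20 + len(opts)) // 4) << 12 | flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = dst_mac + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)   # TCI: priority 0, CFI 0, VID
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp


def write_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield the frames of a classic pcap in either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen


def parse_frame(frame):
    """Size, VLAN, src, dst and TCP flags for an IPv4/TCP frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pos, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pos = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or frame[pos + 9] != 6:
        return None
    ihl = (frame[pos] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[pos + 12:pos + 16]))
    dst_ip = ".".join(map(str, frame[pos + 16:pos + 20]))
    tcp = frame[pos + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
    return {"size": len(frame), "vlan": vlan,
            "src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}", "flags": flags}


def flag_names(flags):
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)]
    return ",".join(n for n, bit in names if flags & bit) or "none"


def summarize(pcap_bytes):
    """One (size, vlan, src, dst, flags) row per TCP frame, like the sniffer's table."""
    rows = []
    for frame in read_pcap(pcap_bytes):
        p = parse_frame(frame)
        if p:
            rows.append((p["size"], p["vlan"], p["src"], p["dst"], flag_names(p["flags"])))
    return rows


def classify_reply(pcap_bytes, client=CLIENT, server=SERVER):
    """What the server sent back to the client's first SYN: 'SYN-ACK', 'RST' or 'none'."""
    saw_syn = False
    for frame in read_pcap(pcap_bytes):
        p = parse_frame(frame)
        if p is None:
            continue
        if p["src"] == client and p["dst"] == server and p["flags"] & (SYN | ACK) == SYN:
            saw_syn = True
        elif saw_syn and p["src"] == server and p["dst"] == client:
            if p["flags"] & RST:
                return "RST"
            if p["flags"] & (SYN | ACK) == SYN | ACK:
                return "SYN-ACK"
    return "none"


def sample_capture(reply_flags):
    """Constructed capture: the VLAN-tagged SYN plus the server's reply (SYN|ACK or RST)."""
    syn = build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, SYN, vlan=100, opts=SYN_OPTS)
    opts = SYN_OPTS if reply_flags & SYN else b""
    reply = build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, reply_flags, vlan=100, opts=opts)
    return write_pcap([syn, reply])


if __name__ == "__main__":
    for flags in (SYN | ACK, RST):
        cap = sample_capture(flags)
        for row in summarize(cap):
            print(row)
        print("reply to SYN:", classify_reply(cap))
```

To use it on a real capture, replace `sample_capture(...)` with the bytes of the file saved by the sniffer and keep `classify_reply` as is. Two things worth noting against the sniff output above: a bare SYN with the usual 20 bytes of TCP options is 74 bytes on Ethernet and 78 bytes once the 802.1Q tag is added, which is exactly the 74/78 pattern in the sniffer's SIZE column, so the packets in play at this stage are nowhere near any MTU; and the script, like the sniffer, only shows that a reply left Site_B and reached Site_A, so the flags of that reply (SYN,ACK versus RST) are the thing to look at, as the reply above says.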
