dtv2
just joined
Topic Author
Posts: 3
Joined: Thu Dec 08, 2022 1:19 am

Configure l2tp vpn

Thu Dec 08, 2022 12:05 pm

Hello, I'm new to MikroTik. I'm trying to set up an L2TP VPN client; the VPN is connected but my PC is not inside my VPN. Can anyone help me with what I'm missing?
Here is my config:
[admin@MikroTik] > export compact 
# dec/08/2022 09:59:34 by RouterOS 6.49.7
# software id = VU60-AJH4
#
# model = RB941-2nD
# serial number = XXXXXXXXXXXXX
/interface bridge
add admin-mac=48:8F:5A:DC:E1:35 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-DCE139 wireless-protocol=802.11
/interface l2tp-client
add connect-to=167.99.134.34 disabled=no keepalive-timeout=disabled name=l2tp-out1 password=XXXXX use-peer-dns=yes user=vpnkeep.com-XXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=208.67.222.222 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=l2tpvpn passthrough=yes src-address=192.168.89.2-192.168.89.255
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=l2tp-out1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=l2tpvpn
/ppp secret
add name=XXX
/system clock
set time-zone-name=Europe/Lisbon
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
VPN Rx never gets any incoming packets, it is only transmitting Tx packets. Any help with this will be appreciated.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Configure l2tp vpn

Sat Dec 10, 2022 9:36 pm

I'm not sure I understand the description well. Please confirm whether I get it right:
  • the VPN client on your PC connects to the hAP lite, which acts as a VPN server, and gets an address from the 192.168.89.x range
  • the hAP lite itself connects as a client to some remote L2TP server
  • you expect the PC to talk to some servers accessible via that remote L2TP server but it cannot do so
If so, it seems to me like an issue with the remote server, or an issue with overlapping IP subnets - what address does the remote L2TP server assign to the hAP, and what address does the DHCP client on ether1 get? Your configuration seems fine to me, all the critical bits are there - the additional routing table, the mangle rule assigning a routing-mark, the src-nat rule making the connections seem to come from the hAP lite itself, no filter rule blocking the forwarding from your VPN client to your L2TP server. So depending on what kind of L2TP server it is, there may be a TTL check in play, causing packets with a "wrong" TTL to be dropped - what happens if you ping the remote destination via the tunnel from the hAP mini itself (/ping x.x.x.x routing-table=l2tpvpn)?
 
dtv2
just joined
Topic Author
Posts: 3
Joined: Thu Dec 08, 2022 1:19 am

Re: Configure l2tp vpn

Sun Dec 11, 2022 12:08 pm

Thanks for your answer.
No, the VPN client is configured on the router, and I want all my devices connected to this router to pass through it.
Yes, the hAP lite itself connects as a client to some remote L2TP server.
When L2TP is connected I get:
Local Address 192.168.89.1
Remote Address 172.18.0.1
My PC is 192.168.88.254.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Configure l2tp vpn

Sun Dec 11, 2022 12:42 pm

When l2tp connected i got:
Local Address 192.168.89.1
Ah, now I can see where the mistake is. Instead of creating a custom /ppp profile item for each use, you've modified the default-encryption one and configured local-address=192.168.89.1 in it. So the L2TP client, which also uses this profile unless told otherwise, tells the server it wants to use this address during the IPCP negotiation, and the server accepts it but there is no routing towards 192.168.89.1 at the server side. So add a copy of the default-encryption profile under some other name, unset the local-address and remote-address in the default-encryption profile, and tell the servers (l2tp,pptp,sstp) to use the newly created profile. Or vice versa, unset the local-address and remote-address in the newly created profile, and tell the /interface l2tp-client to use it. As a result, you'll get an address from the server's pool to which the server can route traffic.

Also, the nat rule action=masquerade chain=srcnat out-interface=l2tp-out1 is sufficient and it shadows the action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24 one, so you can remove the latter.

Other than that, the MPPE used as PPP's embedded encryption is quite weak from today's perspective. For SSTP (which uses TLS with AES) and IPsec-encrypted L2TP, there is no point in using MPPE in addition to the outer encryption, so you can use /ppp profile items with use-encryption=no for them. PPTP is plain insecure so I'd highly recommend to just disable the server. And I would also highly recommend to use IPsec-encrypted L2TP towards the server if the server supports it and if its purpose is not just to provide a public IP to your hAP lite. If no encryption is required on this path, you can take the other extreme and save CPU by using a profile with use-encryption=no.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Configure l2tp vpn

Sun Dec 11, 2022 12:54 pm

... also, your action=mark-routing rule matches on the range for VPN clients; if you also want LAN clients to be routed via the L2TP server tunnel, you have to add another such rule matching on src-address=192.168.88.2-192.168.88.255 or use an address-list.
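The changes sindy describes across the two replies above (splitting the PPP profile so the client no longer proposes 192.168.89.1 to the remote server, dropping the shadowed NAT rule, disabling PPTP, and marking LAN clients as well as local VPN clients), written out against the export in the first post. This is an added example, not code from the original posts or from MikroTik; the profile names vpn-servers and l2tp-client-out and the address-list name via-vpn are assumptions chosen here, and the client profile keeps MPPE only because the export shows the outgoing client without IPsec.

```routeros
# Added example for RouterOS 6.49 (the version in the export above).
# Names vpn-servers, l2tp-client-out and via-vpn are assumptions.

# 1. Separate PPP profiles. The profile used by the outgoing client must carry
#    no local-address/remote-address, otherwise the client proposes 192.168.89.1
#    during IPCP and the remote server has no route back to it.
/ppp profile
set default-encryption !local-address !remote-address
add name=vpn-servers local-address=192.168.89.1 remote-address=vpn use-encryption=no \
    comment="incoming L2TP/IPsec and SSTP: outer encryption, MPPE not needed"
add name=l2tp-client-out use-encryption=required \
    comment="outgoing client: no addresses set, takes what the server assigns"
# Assumption: if the remote server offers L2TP/IPsec, enable use-ipsec on the
# client below and switch this profile to use-encryption=no as sindy suggests.

# 2. Point each server and the client at its own profile; PPTP is disabled.
/interface l2tp-server server
set enabled=yes use-ipsec=yes default-profile=vpn-servers
/interface sstp-server server
set enabled=yes default-profile=vpn-servers
/interface pptp-server server
set enabled=no
/interface l2tp-client
set [ find name=l2tp-out1 ] profile=l2tp-client-out

# 3. NAT: the out-interface=l2tp-out1 masquerade already covers tunnel traffic,
#    so the src-address=192.168.89.0/24 rule is redundant and is removed.
/ip firewall nat
remove [ find comment="masq. vpn traffic" ]

# 4. Policy routing: one mangle rule fed by an address-list covers both the
#    LAN (192.168.88.0/24) and the local VPN clients (192.168.89.0/24).
/ip firewall address-list
add list=via-vpn address=192.168.88.0/24 comment="LAN clients behind the bridge"
add list=via-vpn address=192.168.89.0/24 comment="clients of the local VPN servers"
/ip firewall mangle
remove [ find new-routing-mark=l2tpvpn ]
add chain=prerouting action=mark-routing new-routing-mark=l2tpvpn passthrough=yes \
    src-address-list=via-vpn comment="route LAN and local VPN clients via l2tp-out1"

# 5. Checks once the client reconnects: the local address must now come from
#    the remote server's pool, and a marked ping must get replies (Rx > 0).
/interface l2tp-client monitor l2tp-out1 once
/ip address print where interface=l2tp-out1
/ip route print where routing-mark=l2tpvpn
/ping 172.18.0.1 routing-table=l2tpvpn count=3
```

The `/ip firewall nat` and `/ip firewall mangle` rules are removed by match rather than by number so the commands do not depend on rule order; verify with `print` before pasting if the comments in the running config differ from the export.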
 
dtv2
just joined
Topic Author
Posts: 3
Joined: Thu Dec 08, 2022 1:19 am

Re: Configure l2tp vpn

Sun Dec 11, 2022 2:24 pm

@sindy
can you email me at dtv2@sapo.pt