 
HondaFireblade
just joined
Topic Author
Posts: 5
Joined: Mon Jan 10, 2022 11:47 am

Vpn Error

Tue Mar 14, 2023 3:10 pm

Good morning
I have a problem with VPNs.
My LAN has several VLANs: VLAN 40 is used for a VPN tunnel to a remote office, and VLAN 70 is the PC LAN.
While that tunnel is active, it is not possible to establish a VPN connection from VLAN 70.

The error is: "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."

How can I solve this problem?

This is my config:

# mar/14/2023 13:55:57 by RouterOS 7.8
# software id = KY0P-YIRJ
#
# model = RB5009UG+S+
# serial number = EC190F3992F3
#
# Reviewer annotations: the "#" lines below were added to this export and are ignored
# by /import. Public addresses, the PPPoE user and the WireGuard public keys were
# redacted by the author (xxxxxx / yyyyyyy). Every observation is limited to what this
# export shows; RouterOS export omits settings left at their defaults and hides
# secrets, so "not shown" only means "default or sensitive".
/interface bridge
# One VLAN-aware bridge (vlan-filtering=yes); access ports get a pvid under
# /interface bridge port and the VLAN table is in /interface bridge vlan.
add comment=Bridge igmp-snooping=yes multicast-querier=yes name=LAN-Bridge \
protocol-mode=none vlan-filtering=yes
/interface ethernet
# Jumbo frames (mtu 9796) on every port. WAN-OUT (ether1) carries the PPPoE VLAN,
# the SFP+ port is the tagged trunk to the device named RT326, and ether2 is the
# disabled former trunk to the same device.
set [ find default-name=ether4 ] advertise=1000M-full comment="Porta 4" \
disabled=yes l2mtu=9796 mtu=9796 name=LA-NAS3-1
set [ find default-name=ether5 ] advertise=1000M-full comment="Porta 5" \
l2mtu=9796 mtu=9796 name=LA-NAS3-2
set [ find default-name=ether6 ] advertise=1000M-full comment="Porta 6" \
l2mtu=9796 mtu=9796 name=LA-NAS3-3
set [ find default-name=ether3 ] advertise=1000M-full comment="Porta 3" \
l2mtu=9796 mtu=9796 name=LINK-ASUS-RT-WIFI
set [ find default-name=ether8 ] advertise=1000M-full comment="Porta 8" \
l2mtu=9796 mtu=9796 name=MGMT_PORT
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full comment=SFP+ \
l2mtu=9796 mtu=9796 name=TRUNK_RT5009-RT326 sfp-shutdown-temperature=70C
set [ find default-name=ether7 ] advertise=100M-full comment="Porta 7" l2mtu=\
9796 mtu=9796 name=TV
set [ find default-name=ether1 ] advertise=1000M-full comment="Porta 1" \
l2mtu=9796 mtu=9796 name=WAN-OUT
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" comment=\
"Porta 2 - Link con RT326 - Trunk" disabled=yes l2mtu=9796 mtu=9796 name=\
old_TRUNK_RT5009-RT326
/interface wireguard
# Listens on UDP 13231 only. The WireGuard input rule further down also opens
# 13232, which is the second peer's endpoint-port (the remote side), not a local
# listen port.
add comment="WireGuard Interface VPN" listen-port=13231 mtu=9796 name=\
WIREGUARD1
/interface vlan
# L3 VLAN interfaces on the bridge. VLAN-TIM sits on WAN-OUT and carries the PPPoE
# session; its vlan-id is redacted.
add comment="Vlan99 Gestione" interface=LAN-Bridge mtu=9792 name=MGMT_VLAN \
vlan-id=99
add comment="Vlan60 Nas e Tv" interface=LAN-Bridge mtu=9792 name=NAS-TV_VLAN \
vlan-id=60
add comment="Vlan70 Pc" interface=LAN-Bridge mtu=9792 name=PC_VLAN vlan-id=70
add comment="Vlan40 Bck from SS" interface=LAN-Bridge mtu=9792 name=SS_VLAN \
vlan-id=40
add interface=WAN-OUT mtu=9792 name=VLAN-TIM vlan-id=xxx
add comment="Vlan90 Voip" interface=LAN-Bridge mtu=9792 name=VOIP_VLAN \
vlan-id=90
add comment="Vlan80 WiFi" interface=LAN-Bridge mtu=9792 name=WIFI_VLAN \
vlan-id=80
/interface pppoe-client
# WAN-TIM is the routed internet interface: it holds the default route and is the
# only member of interface list WAN. Note for the firewall rules below: internet
# traffic enters and leaves on WAN-TIM, not on WAN-OUT.
add add-default-route=yes disabled=no interface=VLAN-TIM name=WAN-TIM user=\
xxxxxx
/interface list
# Only WAN and VLAN are referenced by firewall rules in this export. BASE,
# InternalInterfaces and ExternalInterfaces are not referenced anywhere, and the
# latter two have only disabled members (see /interface list member).
add name=WAN
add name=BASE
add name=VLAN
add comment="Trusted network interfaces (internal, clients vpn, etc)." name=\
InternalInterfaces
add comment="Untrusted network interfaces (internet, external etc)." name=\
ExternalInterfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# The default profile still offers 3des. The L2TP server (use-ipsec=required,
# below) names no profile, so it presumably negotiates with this default profile
# and the default proposal - confirm. "Profile SS" pins AES-256 / SHA-256 /
# modp2048 for the IKEv2 site-to-site peer.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
"Profile SS"
/ip ipsec peer
# IKEv2 peer for the remote office (address redacted). local-address is pinned to
# one public IP; if the PPPoE address is dynamic this has to be revisited.
add address=xxxxxx/32 exchange-mode=ike2 local-address=yyyyyyy \
name=Peer-SS profile="Profile SS"
/ip ipsec proposal
# The default proposal keeps sha1 and 3des, presumably for client compatibility.
# Proposal-SS sets lifetime=0s - confirm that a zero lifetime is intended here and
# that the remote peer accepts it.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,aes-128-ctr,3des \
pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=\
Proposal-SS pfs-group=modp2048
/ip pool
# VPN-IPSEC ends at 172.16.101.255, the broadcast address of that /24, and is only
# referenced by the L2TP_VPN profile, which nothing uses. PC_POOL (.2-.254) is
# handed out by PC_DHCP and overlaps the static L2TP remote-address 192.168.70.100
# set in /ppp secret, so a DHCP lease and the VPN client can collide.
add name=PC_POOL ranges=192.168.70.2-192.168.70.254
add name=NAS-TV_POOL ranges=192.168.60.2-192.168.60.254
add name=MGMT_POOL ranges=192.168.0.10-192.168.0.20
add name=WIFI_POOL ranges=192.168.80.2-192.168.80.254
add name=OVPN ranges=172.16.100.2-172.16.100.254
add name=VPN-IPSEC ranges=172.16.101.2-172.16.101.255
add name=VOIP_POOL ranges=192.168.90.2-192.168.90.254
add name=SS_POOL ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
# One DHCP server per LAN VLAN. The VPN pools are assigned by PPP, not by DHCP.
add address-pool=PC_POOL interface=PC_VLAN lease-time=1d name=PC_DHCP
add address-pool=NAS-TV_POOL interface=NAS-TV_VLAN lease-time=1d name=\
NAS-TV_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=1d name=MGMT_DHCP
add address-pool=WIFI_POOL interface=WIFI_VLAN lease-time=1d name=WIFI_DHCP
add address-pool=VOIP_POOL interface=VOIP_VLAN lease-time=1d name=VOIP_DHCP
add address-pool=SS_POOL interface=SS_VLAN lease-time=1d name=SS_DHCP
/ppp profile
# ipsec_vpn is the L2TP server's default profile: clients land in the VLAN 70
# subnet (local-address=192.168.70.1) but on a PPP interface, and receive 8.8.8.8
# as DNS instead of the 192.168.0.1 given to the LAN networks. VLAN 70 hosts will
# likely only reach such a client if PC_VLAN does proxy-arp, which this export does
# not show - verify. L2TP_VPN is referenced neither by the server nor by a secret.
add dns-server=172.16.100.1 local-address=OVPN name=OPEN_VPN remote-address=\
OVPN use-compression=no use-encryption=required
add change-tcp-mss=yes local-address=VPN-IPSEC name=L2TP_VPN remote-address=\
VPN-IPSEC use-ipv6=no
add dns-server=8.8.8.8 local-address=192.168.70.1 name=ipsec_vpn use-ipv6=no
/queue tree
# Queue tree: RTP and SIP packet marks (set in /ip firewall mangle) get priority
# 1/2 in both directions; everything else shares the remaining bandwidth.
add max-limit=1500M name=Download parent=LAN-Bridge priority=1 queue=default
add limit-at=10M max-limit=10M name=Download_pri_1 packet-mark=RTP_PACKET \
parent=Download priority=1 queue=default
add limit-at=4M max-limit=4M name=Download_pri_2 packet-mark=SIP_PACKET \
parent=Download priority=2 queue=default
add max-limit=1200M name=Download_pri_8 packet-mark=no-mark parent=Download \
queue=default
add max-limit=120M name=Upload parent=WAN-OUT queue=default
add limit-at=5M max-limit=5M name=Upload_pri_1 packet-mark=RTP_PACKET parent=\
Upload priority=1 queue=default
add limit-at=5M max-limit=5M name=Upload_pri_2 packet-mark=SIP_PACKET parent=\
Upload priority=2 queue=default
add max-limit=110M name=Upload_pri_8 packet-mark=no-mark parent=Upload queue=\
default
/interface bridge port
# Access ports only admit untagged frames. MGMT_PORT (pvid 99) is the exception:
# it has no frame-types limit, so unlike the other access ports it also accepts
# tagged frames - consider frame-types=admit-only-untagged-and-priority-tagged
# there as well. The two trunks admit tagged frames only.
add bridge=LAN-Bridge comment=eth2 disabled=yes fast-leave=yes frame-types=\
admit-only-vlan-tagged interface=old_TRUNK_RT5009-RT326
add bridge=LAN-Bridge comment=eth3 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LINK-ASUS-RT-WIFI pvid=\
80
add bridge=LAN-Bridge comment=eth6 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-3 pvid=40
add bridge=LAN-Bridge comment=eth4 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-1 pvid=99
add bridge=LAN-Bridge comment=eth5 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-2 pvid=40
add bridge=LAN-Bridge comment=eth7 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=TV pvid=60
add bridge=LAN-Bridge comment=eth8 fast-leave=yes interface=MGMT_PORT pvid=99
add bridge=LAN-Bridge comment=sfp+ fast-leave=yes frame-types=\
admit-only-vlan-tagged interface=TRUNK_RT5009-RT326
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface, including WAN-OUT and WAN-TIM;
# limiting it to the VLAN list stops advertising the router toward the ISP side.
set discover-interface-list=all
/ip settings
# SYN cookies on.
set tcp-syncookies=yes
/ipv6 settings
# IPv6 fully disabled; the firewall below is IPv4 only.
set disable-ipv6=yes
/interface bridge vlan
# Static VLAN table: each VLAN is tagged on the bridge itself (for the L3 VLAN
# interfaces) and on the SFP+ trunk. MGMT_PORT (pvid 99) is missing from the
# VLAN 99 untagged list; its pvid presumably adds a dynamic entry - confirm with
# "/interface bridge vlan print".
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=TV \
vlan-ids=60
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=70
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=LA-NAS3-1 \
vlan-ids=99
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=\
LINK-ASUS-RT-WIFI vlan-ids=80
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=90
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=\
LA-NAS3-2,LA-NAS3-3 vlan-ids=40
/interface l2tp-server server
# IPsec is mandatory for L2TP clients. enabled=yes does not appear in this export,
# so the server looks disabled unless that is the default on this version -
# confirm. The IPsec secret is presumably hidden by export.
set allow-fast-path=yes default-profile=ipsec_vpn use-ipsec=required
/interface list member
# "interface=*14" is a dangling reference to an interface that no longer exists.
# The InternalInterfaces/ExternalInterfaces memberships are all disabled and no
# rule uses those lists.
add interface=WAN-TIM list=WAN
add interface=MGMT_VLAN list=BASE
add interface=MGMT_VLAN list=VLAN
add interface=PC_VLAN list=VLAN
add interface=NAS-TV_VLAN list=VLAN
add interface=WIFI_VLAN list=VLAN
add interface=VOIP_VLAN list=VLAN
add interface=WIREGUARD1 list=VLAN
add interface=SS_VLAN list=VLAN
add disabled=yes interface=MGMT_VLAN list=InternalInterfaces
add disabled=yes interface=PC_VLAN list=InternalInterfaces
add disabled=yes interface=NAS-TV_VLAN list=InternalInterfaces
add disabled=yes interface=*14 list=InternalInterfaces
add disabled=yes interface=VOIP_VLAN list=InternalInterfaces
add disabled=yes interface=WIFI_VLAN list=InternalInterfaces
add disabled=yes interface=WIREGUARD1 list=InternalInterfaces
add disabled=yes interface=WAN-TIM list=ExternalInterfaces
/interface ovpn-server server
# "certificate=*3" is a dangling certificate reference. enabled=yes is not present,
# so the OpenVPN server appears to be off; if it is ever enabled, auth=sha1 is the
# weak point and the certificate must be fixed first.
set auth=sha1 certificate=*3 cipher=aes256-cbc
/interface wireguard peers
# Two road-warrior peers with /32 allowed-address (keys redacted). No
# endpoint-address is set, so this router does not initiate; endpoint-port is the
# remote side's port and is where the 13232 in the input rule comes from.
add allowed-address=10.10.10.2/32 endpoint-port=13231 interface=WIREGUARD1 \
public-key="xxxxxxxxxxxxxxxx"
add allowed-address=10.10.10.3/32 endpoint-port=13232 interface=WIREGUARD1 \
public-key="xxxxxxxxxxxxxxxxxxxx"
/ip address
# All L3 addresses sit on the VLAN and WireGuard interfaces; LAN-Bridge itself has
# none (relevant for the in-interface=LAN-Bridge filter rules below).
add address=192.168.0.1/24 interface=MGMT_VLAN network=192.168.0.0
add address=192.168.70.1/24 interface=PC_VLAN network=192.168.70.0
add address=192.168.80.1/24 interface=WIFI_VLAN network=192.168.80.0
add address=192.168.60.1/24 interface=NAS-TV_VLAN network=192.168.60.0
add address=192.168.90.1/24 interface=VOIP_VLAN network=192.168.90.0
add address=10.10.10.1/24 interface=WIREGUARD1 network=10.10.10.0
add address=192.168.40.1/24 interface=SS_VLAN network=192.168.40.0
/ip cloud
# MikroTik DDNS publishes the current public IP under a cloud hostname.
set ddns-enabled=yes
/ip dhcp-server lease
# Static leases (MAC-bound) on the WiFi and PC VLANs.
add address=192.168.80.254 client-id=1:3c:7c:3f:db:77:b0 mac-address=\
3C:7C:3F:DB:77:B0 server=WIFI_DHCP
add address=192.168.70.253 client-id=1:0:1b:21:c2:8:ea mac-address=\
00:1B:21:C2:08:EA server=PC_DHCP
add address=192.168.70.252 client-id=1:0:1b:21:c2:4:66 mac-address=\
00:1B:21:C2:04:66 server=PC_DHCP
add address=192.168.80.241 client-id=1:38:b4:d3:d3:15:90 mac-address=\
38:B4:D3:D3:15:90 server=WIFI_DHCP
add address=192.168.80.239 mac-address=DC:4F:22:DF:D1:5B server=WIFI_DHCP
add address=192.168.80.231 mac-address=DC:4F:22:2A:1C:DC server=WIFI_DHCP
add address=192.168.80.234 mac-address=80:91:33:9A:B2:E6 server=WIFI_DHCP
add address=192.168.80.228 client-id=1:b8:27:eb:8:2e:3d mac-address=\
B8:27:EB:08:2E:3D server=WIFI_DHCP
/ip dhcp-server network
# The 172.16.100.0/24 entry has no DHCP server behind it (that pool is assigned by
# PPP). All LAN networks point DNS at the router's management address 192.168.0.1,
# which every VLAN can reach through the "Allow VLAN" input rule.
add address=172.16.100.0/24 comment=vpn dns-server=8.8.8.8 gateway=\
172.16.100.1 netmask=24
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.40.0/24 dns-server=192.168.0.1 gateway=192.168.40.1
add address=192.168.60.0/24 dns-server=192.168.0.1 gateway=192.168.60.1
add address=192.168.70.0/24 dns-server=192.168.0.1 gateway=192.168.70.1
add address=192.168.80.0/24 dns-server=192.168.0.1 gateway=192.168.80.1
add address=192.168.90.0/24 dns-server=192.168.0.1 gateway=192.168.90.1
/ip dns
# The router resolves for any source the input chain accepts; the final input drop
# keeps this off the WAN, since no rule accepts DNS from interface list WAN.
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# not_in_internet: bogon/reserved ranges used by the forward drops.
# Sottoreti_Ammesse ("allowed subnets") lacks 192.168.40.0/24 and 192.168.90.0/24,
# which only matters if the LAN_!LAN rule below ever matches. allowed_to_router has
# no practical effect while "Allow VLAN" accepts every VLAN on input.
# whitelisted-admin is referenced by a filter rule but has no entries here.
# AL-VLANxx and Vlan80_Negate are not referenced by any rule in this export.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=192.168.0.1-192.168.0.254 list=allowed_to_router
add address=192.168.0.0/24 list=Sottoreti_Ammesse
add address=192.168.60.0/24 list=Sottoreti_Ammesse
add address=192.168.70.0/24 list=Sottoreti_Ammesse
add address=192.168.80.0/24 list=Sottoreti_Ammesse
add address=172.16.101.0/24 disabled=yes list=Sottoreti_Ammesse
add address=10.10.10.0/24 list=allowed_to_router
add address=192.168.60.0/24 list=AL-VLAN60
add address=192.168.70.0/24 list=AL-VLAN70
add address=192.168.90.0/24 list=AL-VLAN90
add address=192.168.0.0/24 list=AL-VLAN99
add address=192.168.0.0/24 list=Vlan80_Negate
add address=192.168.60.0/24 list=Vlan80_Negate
add address=192.168.70.0/24 list=Vlan80_Negate
add address=192.168.90.0/24 list=Vlan80_Negate
add address=192.168.80.0/24 list=AL-VLAN80
add address=192.168.40.0/24 list=AL-VLAN40
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
# Order: established/related, IPsec-bound forward accept, drop invalid, management
# sources, VPN services, every VLAN, drop the rest. Points to note:
#  - whitelisted-admin has no entries in this export, so that rule never matches
#    unless the list is filled dynamically.
#  - UDP 500/4500/1701 and ESP are accepted from any interface. The 1701 rule could
#    additionally match ipsec-policy=in,ipsec so that plaintext L2TP never reaches
#    the server. log=yes on these rules logs every IKE/L2TP packet.
#  - GRE is accepted on input (from WAN) and on forward (from anywhere) although no
#    PPTP or GRE tunnel is configured in this export - likely a leftover worth
#    removing.
#  - "Allow VLAN" accepts all input from every VLAN and from WireGuard, so every
#    VLAN (WiFi and VoIP included) reaches winbox/ssh/www/snmp; allowed_to_router
#    does not restrict that.
add action=accept chain=input comment="Default Configuration" \
connection-state=established,related
# Sits before fasttrack, presumably so IPsec-bound traffic is never fasttracked;
# the comment says it belongs in position 3.
add action=accept chain=forward comment=\
"IpSec policy out,ipsec (da portare in posizione 3)" ipsec-policy=\
out,ipsec
add action=drop chain=input comment="Chain: Input. Rule #1 \"Drop Invalid Pack\
et\": drop packets connection state: invalid." connection-state=invalid \
log-prefix=DROP_
add action=accept chain=input log-prefix=ALLOW_ src-address-list=\
allowed_to_router
add action=accept chain=input comment="Allow whitelisted-admin" \
in-interface-list=WAN log-prefix=ALLOW_WL_ src-address-list=\
whitelisted-admin
add action=accept chain=input log-prefix=IPSEC_ protocol=ipsec-esp
add action=accept chain=input dst-port=4500 log=yes log-prefix=L2tp_ \
protocol=udp
add action=accept chain=input dst-port=500 log=yes log-prefix=L2tp_ protocol=\
udp
add action=accept chain=input dst-port=1701 log=yes log-prefix=L2tp_ \
protocol=udp
add action=accept chain=input in-interface-list=WAN log=yes log-prefix=GRE_ \
protocol=gre
add action=accept chain=input comment=WireGuard dst-port=13231,13232 \
log-prefix=WireGuard_ protocol=udp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" disabled=\
yes in-interface=MGMT_VLAN
add action=drop chain=input comment="Pacchetti scartati" log-prefix=\
drop_input
# ---- forward chain (traffic through the router) ----
#  - There is no terminal drop: RouterOS accepts what falls off the end of the
#    chain, so inter-VLAN traffic and anything arriving over WireGuard is allowed
#    despite the "VLAN Internet Access only" comment. A final
#    "add action=drop chain=forward" after the intended accepts would make the
#    listed accepts the actual policy.
#  - in-interface=LAN-Bridge / in-interface=WAN-OUT: routed traffic enters on the
#    VLAN interfaces and on WAN-TIM (PPPoE), not on the bridge or on ether1, so the
#    bogon, anti-spoof and !dstnat drops below very likely never match; the
#    interface lists VLAN and WAN would. Check the rule counters to confirm.
#  - "untracked" in the Established rule is what admits the notrack'ed
#    192.168.40.0/24 <-> 192.168.25.0/24 traffic from /ip firewall raw.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward protocol=gre
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=LAN-Bridge log-prefix=!public_from_LAN \
out-interface=!LAN-Bridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN-OUT log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
log-prefix=Jump_ protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=WAN-OUT \
log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=LAN-Bridge \
log-prefix=LAN_!LAN src-address-list=!Sottoreti_Ammesse
# ---- icmp chain: allow the usual types, drop everything else ----
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
# QoS marking for the queue tree: SIP toward 192.168.90.200 and RTP on UDP
# 10000-10050. The DSCP rule uses out-interface=WAN-OUT, but routed egress is
# WAN-TIM (see the forward-chain note), so it may never match - check its counter.
add action=mark-connection chain=forward dst-address=192.168.90.200 dst-port=\
4569,5060,5160 new-connection-mark=SIP_CONNECTION passthrough=yes \
protocol=udp
add action=mark-packet chain=forward connection-mark=SIP_CONNECTION \
new-packet-mark=SIP_PACKET passthrough=yes
add action=mark-connection chain=forward new-connection-mark=RTP_CONNECTION \
passthrough=yes port=10000-10050 protocol=udp
add action=mark-packet chain=forward connection-mark=RTP_CONNECTION \
new-packet-mark=RTP_PACKET passthrough=yes
add action=change-dscp chain=postrouting dst-address=192.168.90.200 new-dscp=\
46 out-interface=WAN-OUT packet-mark=RTP_PACKET passthrough=yes
/ip firewall nat
# The two srcnat accepts keep the site-to-site subnets out of masquerade; they are
# redundant while the raw notrack rules below bypass conntrack for the same pairs,
# but harmless. Masquerade toward the WAN list and toward WireGuard peers.
add action=accept chain=srcnat dst-address=192.168.25.0/24 src-address=\
192.168.40.0/24
add action=accept chain=srcnat dst-address=192.168.40.0/24 src-address=\
192.168.25.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WIREGUARD1
/ip firewall raw
# Connection tracking is bypassed for the IPsec site-to-site pair; such traffic
# shows up as "untracked" in the forward chain.
add action=notrack chain=prerouting dst-address=192.168.25.0/24 src-address=\
192.168.40.0/24
add action=notrack chain=prerouting dst-address=192.168.40.0/24 src-address=\
192.168.25.0/24
/ip firewall service-port
# SIP and RTSP conntrack helpers (ALG) are on; the SIP helper is a frequent cause
# of VoIP NAT trouble, so keep it in mind if 192.168.90.200 misbehaves.
set sip ports=5060,5061,4569
set rtsp disabled=no
/ip ipsec identity
# Identity for Peer-SS; auth method and secret are not in the export (defaults or
# hidden).
add peer=Peer-SS
/ip ipsec policy
# The default (template) policy is disabled. If the L2TP/IPsec dynamic peer relies
# on that template to generate per-client policies, phase 2 for road-warrior
# clients would fail - worth checking against the RouterOS IPsec documentation.
# The second entry is the tunnel-mode policy for 192.168.40.0/24 <-> 192.168.25.0/24.
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.25.0/24 peer=Peer-SS proposal=Proposal-SS \
src-address=192.168.40.0/24 tunnel=yes
/ip service
# telnet and api-ssl off; www stays plain HTTP on 8081. ftp, api and www-ssl are
# not listed, so they are at their defaults - confirm the unused ones are disabled.
# All of these are reachable from every VLAN via "Allow VLAN".
set telnet disabled=yes
set www port=8081
set ssh port=22
set winbox port=8291
set api-ssl disabled=yes
/ppp secret
# Passwords are hidden by export. Laptop gets the fixed address 192.168.70.100,
# which lies inside PC_POOL (see /ip pool).
add name=VpnUser profile=OPEN_VPN service=ovpn
add name=Laptop profile=ipsec_vpn remote-address=192.168.70.100 service=l2tp
/snmp
# SNMP is on and no /snmp community section appears, so community settings are at
# their defaults - confirm it is read-only and limited to the management subnet.
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system clock manual
set time-zone=+01:00
/system identity
set name="MikroTik RT5009"
/system leds settings
set all-leds-off=immediate
/system ntp client
# NTP client against INRIM and the Italian pool; the router also serves NTP
# (multicast) to the LAN.
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=ntp1.inrim.it
add address=ntp2.inrim.it
add address=time.inrim.it
add address=0.it.pool.ntp.org
/system package update
# The development channel pulls pre-release builds; stable or long-term is the
# usual choice for a router carrying VPNs.
set channel=development
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
# RoMON is enabled and no /tool romon port restrictions appear, so it is likely
# active on all ports; confirm a RoMON secret is set (secrets are not exported).
set enabled=yes
/user settings
set minimum-password-length=10
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vpn Error

Tue Mar 14, 2023 5:05 pm

Try putting your config in code blocks to shorten it: highlight the text and click the code-block button (the black square with white square brackets, on the same toolbar row as Bold, Underline, etc.).
 
HondaFireblade
just joined
Topic Author
Posts: 5
Joined: Mon Jan 10, 2022 11:47 am

Re: Vpn Error

Tue Mar 14, 2023 6:37 pm

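# mar/14/2023 13:55:57 by RouterOS 7.8
# software id = KY0P-YIRJ
#
# model = RB5009UG+S+
# serial number =xxxxxxxxxxx
#
# Reviewer annotations: the "#" lines below were added to this trimmed export and
# are ignored by /import. Addresses and secrets are redacted by the author.
# Fix applied to the listing: in the original paste the "set [ find default=yes ]"
# and "add dh-group=..." commands of /ip ipsec profile had been merged onto one line
# (compare the author's full export earlier in the thread); they are two commands
# and are restored as two lines, as /import requires.
/ip ipsec profile
# The default profile still offers 3des. The L2TP server (use-ipsec=required,
# below) names no profile, so it presumably negotiates with this default profile
# and the default proposal - confirm. "Profile SS" pins AES-256 / SHA-256 /
# modp2048 for the IKEv2 site-to-site peer.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="Profile SS"
/ip ipsec peer
# IKEv2 peer for the remote office (address redacted). local-address is pinned to
# one public IP; if the PPPoE address is dynamic this has to be revisited.
add address=xxxxxx/32 exchange-mode=ike2 local-address=yyyyyyy name=Peer-SS profile="Profile SS"
/ip ipsec proposal
# The default proposal keeps sha1 and 3des, presumably for client compatibility.
# Proposal-SS sets lifetime=0s - confirm that a zero lifetime is intended and that
# the remote peer accepts it.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,aes-128-ctr,3des pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=Proposal-SS pfs-group=modp2048
/interface l2tp-server server
# IPsec is mandatory for L2TP clients. enabled=yes does not appear in this export,
# so the server looks disabled unless that is the default on this version -
# confirm. The IPsec secret is presumably hidden by export.
set allow-fast-path=yes default-profile=ipsec_vpn use-ipsec=required
/ip address
# All L3 addresses sit on the VLAN and WireGuard interfaces; LAN-Bridge itself has
# none (relevant for the in-interface=LAN-Bridge filter rules below).
add address=192.168.0.1/24 interface=MGMT_VLAN network=192.168.0.0
add address=192.168.70.1/24 interface=PC_VLAN network=192.168.70.0
add address=192.168.80.1/24 interface=WIFI_VLAN network=192.168.80.0
add address=192.168.60.1/24 interface=NAS-TV_VLAN network=192.168.60.0
add address=192.168.90.1/24 interface=VOIP_VLAN network=192.168.90.0
add address=10.10.10.1/24 interface=WIREGUARD1 network=10.10.10.0
add address=192.168.40.1/24 interface=SS_VLAN network=192.168.40.0
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
#  - whitelisted-admin is not populated in this export, so that rule never matches
#    unless the list is filled dynamically.
#  - UDP 500/4500/1701 and ESP are accepted from any interface. The 1701 rule could
#    additionally match ipsec-policy=in,ipsec so that plaintext L2TP never reaches
#    the server. log=yes on these rules logs every IKE/L2TP packet.
#  - GRE is accepted on input (from WAN) and on forward (from anywhere) although no
#    PPTP or GRE tunnel appears in this export - likely a leftover worth removing.
#  - "Allow VLAN" accepts all input from every VLAN, so every VLAN reaches the
#    management services; allowed_to_router does not restrict that.
add action=accept chain=input comment="Default Configuration" connection-state=established,related
# Sits before fasttrack, presumably so IPsec-bound traffic is never fasttracked;
# the comment says it belongs in position 3.
add action=accept chain=forward comment="IpSec policy out,ipsec (da portare in posizione 3)" ipsec-policy=out,ipsec
add action=drop chain=input comment="Chain: Input. Rule #1 \"Drop Invalid Packet\": drop packets connection state: invalid." connection-state=invalid
add action=accept chain=input log-prefix=ALLOW_ src-address-list=allowed_to_router
add action=accept chain=input comment="Allow whitelisted-admin" in-interface-list=WAN log-prefix=ALLOW_WL_ src-address-list=whitelisted-admin
add action=accept chain=input log-prefix=IPSEC_ protocol=ipsec-esp
add action=accept chain=input dst-port=4500 log=yes log-prefix=L2tp_ protocol=udp
add action=accept chain=input dst-port=500 log=yes log-prefix=L2tp_ protocol=udp
add action=accept chain=input dst-port=1701 log=yes log-prefix=L2tp_ protocol=udp
add action=accept chain=input in-interface-list=WAN log=yes log-prefix=GRE_ protocol=gre
add action=accept chain=input comment=WireGuard dst-port=13231,13232 log-prefix=WireGuard_ protocol=udp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="Pacchetti scartati" log-prefix=drop_input
# ---- forward chain (traffic through the router) ----
#  - There is no terminal drop: RouterOS accepts what falls off the end of the
#    chain, so inter-VLAN traffic is allowed despite the "VLAN Internet Access
#    only" comment. A final "add action=drop chain=forward" after the intended
#    accepts would make the listed accepts the actual policy.
#  - in-interface=LAN-Bridge / in-interface=WAN-OUT: routed traffic enters on the
#    VLAN interfaces and on the PPPoE interface, not on the bridge or on ether1, so
#    the bogon, anti-spoof and !dstnat drops below very likely never match; the
#    interface lists VLAN and WAN would. Check the rule counters to confirm.
#  - "untracked" in the Established rule is what admits the notrack'ed
#    192.168.40.0/24 <-> 192.168.25.0/24 traffic from /ip firewall raw.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward protocol=gre
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=LAN-Bridge log-prefix=!public_from_LAN out-interface=!LAN-Bridge
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=WAN-OUT log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp log-prefix=Jump_ protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN-OUT log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=LAN-Bridge log-prefix=LAN_!LAN src-address-list=!Sottoreti_Ammesse
# ---- icmp chain: allow the usual types, drop everything else ----
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
# QoS marking: SIP toward 192.168.90.200 and RTP on UDP 10000-10050. The DSCP rule
# uses out-interface=WAN-OUT, but routed egress is the PPPoE interface (see the
# forward-chain note), so it may never match - check its counter.
add action=mark-connection chain=forward dst-address=192.168.90.200 dst-port=4569,5060,5160 new-connection-mark=SIP_CONNECTION passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=SIP_CONNECTION new-packet-mark=SIP_PACKET passthrough=yes
add action=mark-connection chain=forward new-connection-mark=RTP_CONNECTION passthrough=yes port=10000-10050 protocol=udp
add action=mark-packet chain=forward connection-mark=RTP_CONNECTION new-packet-mark=RTP_PACKET passthrough=yes
add action=change-dscp chain=postrouting dst-address=192.168.90.200 new-dscp=46 out-interface=WAN-OUT packet-mark=RTP_PACKET passthrough=yes
/ip firewall nat
# The srcnat accept keeps the site-to-site subnet out of masquerade; it is
# redundant while the raw notrack rules bypass conntrack for the same pair, but
# harmless. Masquerade toward the WAN list and toward WireGuard peers.
add action=accept chain=srcnat dst-address=192.168.25.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WIREGUARD1
/ip firewall raw
# Connection tracking is bypassed for the IPsec site-to-site pair; such traffic
# shows up as "untracked" in the forward chain.
add action=notrack chain=prerouting dst-address=192.168.25.0/24 src-address=192.168.40.0/24
add action=notrack chain=prerouting dst-address=192.168.40.0/24 src-address=192.168.25.0/24
/ip ipsec identity
# Identity for Peer-SS; auth method and secret are not in the export.
add peer=Peer-SS
/ip ipsec policy
# Tunnel-mode policy for 192.168.40.0/24 <-> 192.168.25.0/24. The default
# (template) policy is not shown in this trimmed listing; in the author's full
# export it is disabled, which matters if the L2TP/IPsec dynamic peer relies on it
# to generate per-client policies.
add dst-address=192.168.25.0/24 peer=Peer-SS proposal=Proposal-SS src-address=192.168.40.0/24 tunnel=yes
/ppp secret
# Passwords are hidden by export. Laptop gets the fixed address 192.168.70.100 in
# the VLAN 70 subnet; in the full export that address lies inside the PC_POOL
# range handed out by DHCP.
add name=VpnUser profile=OPEN_VPN service=ovpn
add name=Laptop profile=ipsec_vpn remote-address=192.168.70.100 service=l2tp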
 
HondaFireblade
just joined
Topic Author
Posts: 5
Joined: Mon Jan 10, 2022 11:47 am

Re: Vpn Error

Wed Mar 15, 2023 5:29 pm

Can anyone help me?
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Vpn Error

Fri Mar 17, 2023 9:51 am

Are you able to make the L2TP VPN connection when the tunnel is not active?
