paul4

VPN L2TP behind SXT LTE router

Thu Apr 13, 2023 5:52 pm

Hi all,

I have an SXT LTE router working as a modem, with DHCP, and it passes all traffic to my RB4011 main router. I have set up an L2TP VPN but it doesn't work. Could you guys have a look at the config below?
SXT is 192.168.188.1
RB4011 is 172.16.0.1

I have a static WAN.

SXT-LTE
# apr/13/2023 16:46:32 by RouterOS 7.8
# software id = DDJX-IWRC
#
# model = LHGGM
# serial number = HDJ08Q60JD8
# NOTE(review): this SXT masquerades everything leaving lte1 (see /ip firewall nat
# below), so the RB4011 sits behind NAT even though the LTE address is static.
# Inbound VPN packets must therefore be dst-nat'ed to the RB4011; accepting them
# in the SXT's own input chain does nothing for the VPN.
/ip address
add address=192.168.188.1/24 interface=LAN network=192.168.188.0
/ip dhcp-client
add comment=defconf disabled=yes interface=LAN
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=1.1.1.1 gateway=192.168.188.1
/ip firewall address-list
# NOTE(review): the RB4011 masquerades its LAN out ether1-LTE, so hosts in
# 172.16.0.2-90 presumably reach this router with the RB4011's 192.168.188.x
# address as source and this list may never match -- verify with
# /ip firewall connection print.
add address=172.16.0.2-172.16.0.90 list=allowed_to_router
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=5246,5247 protocol=udp
# The input chain only sees packets addressed to the SXT itself. VPN packets
# destined for the RB4011 go through dstnat and then the forward chain, so the
# three "vpn"/"VPN" accepts below do not help the tunnel; log=yes on them will
# only show traffic aimed at the SXT.
add action=accept chain=input comment=vpn dst-port=1701,500,4500 \
in-interface=lte1 log=yes protocol=udp
# Redundant: udp/500 from lte1 is already accepted by the rule above.
add action=accept chain=input comment=vpn dst-port=500 in-interface=lte1 log=\
yes protocol=udp
add action=accept chain=input comment=VPN in-interface=lte1 protocol=\
ipsec-esp
add action=accept chain=input comment=VPN in-interface=lte1 protocol=ipsec-ah
add action=accept chain=input comment="default config" connection-state=\
established,related
add action=accept chain=input src-address-list=allowed_to_router
# NOTE(review): this drop is disabled, so invalid/untracked packets are not
# filtered on input; re-enable once the VPN problem has been isolated.
add action=drop chain=input connection-state=invalid,untracked disabled=yes
# Only tcp/80 from lte1 is dropped and no catch-all drop is visible in this
# export -- if the export is complete, other services on the SXT remain reachable
# from the LTE side; check the full input chain.
add action=drop chain=input dst-port=80 in-interface=lte1 protocol=tcp
/ip firewall nat
# NOTE(review): only udp/500 (IKE) is forwarded, and to 192.168.188.254; the
# export does not show whether that is the RB4011's address on this LAN (the
# RB4011 is described as 172.16.0.1 on its own side). Behind NAT the peer also
# needs udp/4500 (NAT-T, which carries the ESP payload) and udp/1701 (L2TP)
# forwarded to the same host. A dst-port rule cannot match raw ESP/AH (IP
# protocols 50/51) since they have no ports; with NAT-T that is not needed.
add action=dst-nat chain=dstnat dst-port=500 log=yes protocol=udp \
to-addresses=192.168.188.254 to-ports=500
# This masquerade is what places the RB4011 behind NAT.
add action=masquerade chain=srcnat out-interface=lte1
/ip firewall service-port
# Connection-tracking helpers for irc/rtsp are enabled; unrelated to L2TP, and
# helpers widen the attack surface, so disable them if nothing uses them.
set irc disabled=no
set rtsp disabled=no
/ip ipsec policy
# The SXT's own default IPsec policy is disabled, which is consistent with IPsec
# terminating on the RB4011 rather than here.
set 0 disabled=yes

and my main router:

/ip ipsec profile
# Phase 1 (IKE) settings used by the L2TP/IPsec peer. modp1024 (DH group 2) is
# a weak group, presumably kept for older clients; ecp256 is offered first.
# DPD is disabled, so dead peers are only cleaned up by other timeouts.
set [ find default=yes ] dh-group=ecp256,modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-128
/ip ipsec proposal
# NOTE(review): auth-algorithms="" leaves the phase 2 proposal with no integrity
# algorithm, and aes-128-cbc is not an AEAD cipher, so clients will likely fail
# to agree a child SA. Restore an integrity algorithm, e.g.
# auth-algorithms=sha256 (sha1 only if an old client requires it).
# lifetime=0s is not the default; confirm it is intended on this version.
set [ find default=yes ] auth-algorithms="" enc-algorithms=aes-128-cbc \
lifetime=0s pfs-group=none
/ppp profile
# Profile for L2TP clients: server-side address 10.1.1.1, client addresses from
# the VPN_L2TP pool (pool definition not shown), encryption required.
# session-timeout=8m ends every session after 8 minutes, which is very short
# for a VPN -- confirm that is intended.
add change-tcp-mss=yes dns-server=1.1.1.1 local-address=10.1.1.1 name=\
vpn_l2tp remote-address=VPN_L2TP session-timeout=8m use-encryption=yes \
use-ipv6=no
/interface l2tp-server server
# mschap1 is accepted alongside mschap2; mschap1 is obsolete and should be
# removed unless a specific client needs it. IPsec is mandatory (use-ipsec=yes);
# the IPsec secret is not part of this export.
set authentication=mschap1,mschap2 default-profile=vpn_l2tp enabled=yes \
one-session-per-host=yes use-ipsec=yes
/ip address
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=5246,5247 protocol=udp
# NOTE(review): only udp/500 is accepted on input. Because this router is
# behind the SXT's masquerade, clients will use NAT-T on udp/4500, and L2TP
# itself runs on udp/1701; neither has an accept rule here. If a drop rule
# follows later in the chain (not shown), the tunnel cannot complete.
# Suggested replacement:
# add action=accept chain=input comment=vpn dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=vpn dst-port=500 log=yes protocol=udp
# Raw AH/ESP accepts; behind NAT the ESP traffic arrives inside udp/4500 instead.
add action=accept chain=input in-interface=ether1-LTE protocol=ipsec-ah
add action=accept chain=input in-interface=ether1-LTE protocol=ipsec-esp
add action=accept chain=input comment="respond to icmp" protocol=icmp
/ip firewall nat
# VPN clients are masqueraded toward every destination, including the LAN, so
# LAN-side hosts and logs presumably see the router's address rather than the
# 10.1.1.x client address.
add action=masquerade chain=srcnat comment="NAT L2TP" src-address=10.1.1.0/24
# Exempts LAN -> VPN-client traffic from the WAN masquerade below.
add action=accept chain=srcnat dst-address=10.1.1.0/24 src-address=\
172.16.0.0/24
add action=masquerade chain=srcnat out-interface=ether1-LTE
/ip route
# NOTE(review): this points the whole VPN pool subnet at the WAN interface.
# Connected clients get more specific routes on their dynamic L2TP interfaces,
# but traffic for any other 10.1.1.x address (including disconnected clients)
# is sent toward the LTE side. The route looks unnecessary; consider removing it.
add disabled=no dst-address=10.1.1.0/24 gateway=ether1-LTE routing-table=main \
suppress-hw-offload=no
/ppp secret
# Per-user L2TP accounts; passwords are omitted from the export. local-address
# here overrides the profile's 10.1.1.1 for the router's side of each tunnel --
# if the intent was a fixed client address, remote-address= is the field.
add local-address=10.1.1.21 name=xxxx profile=vpn_l2tp service=l2tp
add local-address=10.1.1.20 name=yyyy profile=vpn_l2tp service=l2tp
