Community discussions

 
csalcedo
newbie
Topic Author
Posts: 42
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

L2TP/IPSEC tunnel from windows split tunnel issue

Thu Jun 14, 2018 6:15 pm

Hi Guys,
I have created a l2tp/ipsec tunnel from a windows 10 client (using native windows client).
It works fine except that what I would like is that only the trafic destined for the remote networks pases over the tunnel.
At his point all trafic is routed to the remote MT.
Can someone point out where my problem is please... Thanks

here is my config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=proposal1
/ip pool
add name=default-dhcp ranges=192.168.88.105-192.168.88.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=Default
/interface l2tp-server server
set enabled=yes ipsec-secret=X.X.X use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=X.X.X.186/29 interface=ether1 network=X.X.X.184
/ip firewall filter
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment= "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=X.X.X.185
/ppp secret
add local-address=192.168.188.1 name=YYYYY password=X.X.X remote-address=192.168.188.46 service=l2tp
add local-address=192.168.188.1 name=XXXXX password=X.X.X remote-address=192.168.188.47 service=l2tp
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP/IPSEC tunnel from windows split tunnel issue  [SOLVED]

Thu Jun 14, 2018 8:42 pm

It's client-side configuration. It's buried in properties of VPN connection, in IPv4 settings, where you have to uncheck "use remote gateway" (or something like that, I don't have English Windows). Then there's another option for class-based route, which can add route to private subnet based on address the client gets from server (/24 for 192.168.x.x, /8 for 10.x.x.x, ...). If you need route also to another subnet, Windows 10 support this:
Add-VpnConnectionRoute -ConnectionName "<connection name>" -DestinationPrefix <remote subnet>/<mask> -PassThru
I didn't personally test it with all types of VPN, only IKEv2, but it should probably work.
 
csalcedo
newbie
Topic Author
Posts: 42
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

Re: L2TP/IPSEC tunnel from windows split tunnel issue

Thu Jun 14, 2018 10:20 pm

Thanks Sob
Worked like a charm .

Go to network connection
properties of the vpn connection
Select ipv4 properties
Advanced
unselect "Use default gateway on remote network"

If you configured your l2tp addresses in the same range as the remote network you are golden.
If it different then you need to add some persistent routes in windows (route add -P x.x.x.x mask x.x.x.x x.x.x.x)
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP/IPSEC tunnel from windows split tunnel issue

Fri Jun 15, 2018 12:35 am

The Add-VpnConnectionRoute command I posted should work instead of persistent route, and it should be better, because it's tied only to this specific VPN connection.
 
csalcedo
newbie
Topic Author
Posts: 42
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

Re: L2TP/IPSEC tunnel from windows split tunnel issue

Fri Jun 15, 2018 12:51 am

Yes you are correct...
Just another way to do it but you are right its better with your method

Who is online

Users browsing this forum: Markut, mkx and 44 guests