My problem is with creating a VPN for remote clients using L2TP+IPsec:
I have 2 ISPs with public static IP addresses configured for load balancing with port forwarding, and that works perfectly. Now I need to connect to my network through the VPN, but when I try to connect with the VPN I configured, the log shows: "no suitable proposal found".
This is the complete configuration of my RB:
# nov/08/2021 12:04:24 by RouterOS 6.49
# software id = 141D-UNJZ
#
# model = RB4011iGS+
# serial number =
# Export of a dual-WAN (PPPoE) router with PCC load balancing and an L2TP/IPsec remote-access server.
# Interface names and secrets are anonymised ("XX", "----"), so references between sections cannot all be checked.
/interface bridge
add name=Main_Bridge
/interface ethernet
set [ find default-name=ether1 ] name=XX
set [ find default-name=ether2 ] name=XX
# NOTE(review): proxy-arp / local-proxy-arp is set on ethernet ports that are bridge members
# (see /interface bridge port). For bridged ports the ARP behaviour that matters is the one on
# Main_Bridge itself, which is left at its default here; L2TP clients that receive addresses from
# 10.10.10.0/24 (see /ppp profile and /ppp secret) presumably need proxy-arp on Main_Bridge — confirm.
set [ find default-name=ether3 ] arp=proxy-arp name=XX
set [ find default-name=ether4 ] arp=proxy-arp name=XX
set [ find default-name=ether5 ] arp=local-proxy-arp name=XX
set [ find default-name=ether6 ] arp=proxy-arp name=XX
set [ find default-name=ether7 ] disabled=yes name=XX
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Two PPPoE uplinks, each installing its own default route (add-default-route=yes).
/interface pppoe-client
add add-default-route=yes disabled=no interface=Ether2_Eolo_Fabrizio name=PPPoE_Eolo_XX user=----------
add add-default-route=yes disabled=no interface=Ether1_Eolo_Giada name=PPPoE_Eolo_XXGiada user=-------------------
# VLAN sub-interfaces on the bridge: guests (10), IoT (20) and a vlan-id=1 interface.
/interface vlan
add interface=Main_Bridge name=Vlan_ospiti vlan-id=10
add interface=Main_Bridge name=vlan_IoT vlan-id=20
add interface=Main_Bridge name=vlan_emulazione_suore vlan-id=1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# NOTE(review): only WAN receives members further down (/interface list member). IOT, NOI and
# OSPITI have no members in this export, so the firewall rules matching in-bridge-port-list=IOT
# and the mac-winbox allowed-interface-list=NOI are effectively empty — confirm against the live box.
/interface list
add name=WAN
add name=IOT
add name=NOI
add name=OSPITI
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=XX name=XX
# NOTE(review): the export itself flags this static peer as unreachable. With use-ipsec=required on
# the L2TP server below, RouterOS presumably provides its own dynamic peer/identity for L2TP clients,
# which would make this peer and the identity that references it redundant; the dynamic peer still
# negotiates with the default profile and default proposal set in the next two sections — confirm
# with the ipsec peer/identity listing on the router.
/ip ipsec peer
# This entry is unreachable
add name=l2tpserver passive=yes
# Phase 1 (IKE): AES-256 or 3DES for encryption, SHA-256 only for hashing, dead-peer detection off.
# NOTE(review): "no suitable proposal found" means the client and this router share no algorithm
# set. Compare the algorithms the client offers (they appear in the ipsec log) with these; a client
# that only offers sha1 at this stage cannot connect. 3des is a deprecated 64-bit-block cipher and
# should be removed once no client depends on it.
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-256,3des hash-algorithm=sha256
# Phase 2 (ESP): 3DES only, 8h lifetime.
# NOTE(review): most likely source of the mismatch — many current clients no longer offer 3des for
# ESP. Consider enc-algorithms=aes-256-cbc,aes-128-cbc with auth-algorithms=sha256,sha1 (dropping
# 3des); for L2TP/IPsec the proposal's pfs-group is normally none — verify against the client.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=8h
/ip pool
add name=Pool_Privato ranges=10.10.10.100-10.10.10.200
add name=Pool_vlan_ospiti ranges=10.20.20.2-10.20.20.30
add name=Pool_vlan_IoT ranges=10.30.30.2-10.30.30.14
add name=Pool_vlan_suoore ranges=192.168.1.2-192.168.1.10
/ip dhcp-server
add address-pool=Pool_Privato disabled=no interface=Main_Bridge lease-time=7h name=dhcp_main
add address-pool=Pool_vlan_IoT disabled=no interface=vlan_IoT lease-time=10h name=vlan_IoT
add address-pool=Pool_vlan_ospiti disabled=no interface=Vlan_ospiti name=Vlan_ospiti
# Profile handed to L2TP clients: router side 10.10.10.47 (inside the Main_Bridge LAN), DNS 1.1.1.1.
/ppp profile
add dns-server=1.1.1.1 local-address=10.10.10.47 name=ipsec_vpn
/queue tree
add name=queue1 parent=Ether4_LAN_Pipoli
/queue interface
set Ether3_LAN_Fatidico queue=ethernet-default
# Policy list of the built-in "full" group.
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=Main_Bridge interface=Ether2XX
add bridge=Main_Bridge interface=Ether4XX
add bridge=Main_Bridge interface=Ether5XX
add bridge=Main_Bridge interface=Ether6XX
add bridge=Main_Bridge interface=Ether7_PiHole
add bridge=Main_Bridge interface=ether8
add bridge=Main_Bridge interface=ether9
add bridge=Main_Bridge interface=ether10
# Neighbor discovery (MNDP/CDP/LLDP) is enabled on every non-dynamic interface.
# NOTE(review): this presumably includes the two PPPoE WAN interfaces; limiting it to a LAN list
# (e.g. discover-interface-list=NOI once that list has members) stops the router from advertising
# itself upstream — confirm.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# L2TP server with mandatory IPsec; accepts mschap1 and mschap2.
# NOTE(review): mschap1 is weak — prefer authentication=mschap2 only. The IPsec pre-shared key
# (ipsec-secret) is not visible in this export, probably hidden; confirm it is set and matches the client.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes use-ipsec=required
# Only the WAN list is populated (both PPPoE uplinks).
/interface list member
add interface=PPPoE_ list=WAN
add interface=PPPoE_o list=WAN
# NOTE(review): 192.168.1.0/24 uses the network address itself as the interface address (host part 0);
# the pool for that VLAN starts at 192.168.1.2 and no DHCP server or gateway for it appears in this
# export — likely intended 192.168.1.1/24.
/ip address
add address=10.10.10.1/24 interface=Main_Bridge network=10.10.10.0
add address=10.20.20.1/27 interface=Vlan_ospiti network=10.20.20.0
add address=10.30.30.1/28 interface=vlan_IoT network=10.30.30.0
add address=192.168.1.0/24 interface=vlan_emulazione_suore network=192.168.1.0
/ip dhcp-server lease
add address=10.30.30.13 client-id=1:60:23:a4:7d:fa:11 mac-address=60:23:A4:7D:FA:11 server=vlan_IoT
add address=10.10.10.108 client-id=1:64:f2:fb:1f:78:c9 mac-address=64:F2:FB:1F:78:C9 server=dhcp_main
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=10.20.20.0/27 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.20.1 netmask=27 ntp-server=193.204.114.232
add address=10.30.30.0/28 dns-server=1.1.1.1,208.67.220.220 gateway=10.30.30.1 netmask=28 ntp-server=193.204.114.232
/ip dns
set servers=1.1.1.1,208.67.222.222,1.0.0.1,208.67.220.220,8.8.8.8,8.8.4.4
/ip address
add address=128.xxxxx list="eolo giada"
add address=128.xxxxx list="eolo fabrizio"
# Filter rules, evaluated top to bottom.
# NOTE(review): there is no connection-state=established,related accept and no invalid drop, and the
# only catch-all drop of WAN traffic to the router (in-interface-list=WAN) is disabled=yes, so every
# router service not explicitly blocked here is reachable from both uplinks (only DNS on 53 is dropped;
# winbox on its custom port is not). When that drop is re-enabled, the ipsec-esp / udp 500,1701,4500
# accept rules must be moved above it, otherwise they never match. udp/1701 can additionally be
# restricted with ipsec-policy=in,ipsec so only IPsec-protected L2TP reaches the server. The two
# plain "accept ipsec-esp" rules are duplicates.
/ip firewall filter
add action=drop chain=input comment="Drop DNS brute force Giada" dst-port=53 in-interface=PPPoE_Eolo_Giada protocol=udp
add action=drop chain=input comment="Drop DNS brute force Giada" dst-port=53 in-interface=PPPoE_Eolo_Giada protocol=tcp
add action=drop chain=input comment="Drop DNS brute force Fabrizio" dst-port=53 in-interface=PPPoE_Eolo_Fabrizio protocol=udp
add action=drop chain=input comment="Drop DNS brute force Fabrizio" dst-port=53 in-interface=PPPoE_Eolo_Fabrizio protocol=tcp
add action=drop chain=forward comment="Blocco TikTok" content=tiktok dst-port=80,443 protocol=tcp
add action=drop chain=forward comment="Blocco TikTok" dst-address-list="Tik Tok" src-address-list="Tik Tok"
add action=drop chain=forward comment="Blocco TOR" dst-address-list=TOR dst-port=80,443 protocol=tcp src-address-list=TOR src-port=80,443
# Inter-VLAN isolation between 10.10.10.0/24, 10.20.20.0/27 and 10.30.30.0/28 (all six directions).
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.20.20.0/27 src-address=10.10.10.0/24
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.30.30.0/28 src-address=10.10.10.0/24
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.30.30.0/28 src-address=10.20.20.0/27
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.20.20.0/27 src-address=10.30.30.0/28
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.10.10.0/24 src-address=10.30.30.0/28
add action=drop chain=forward comment="Blocco tra 2 vlan" dst-address=10.10.10.0/24 src-address=10.20.20.0/27
# Disabled: the WAN-to-router drop (see note above).
add action=drop chain=input disabled=yes in-interface-list=WAN
# These two match in-bridge-port-list=IOT, which has no members in this export.
add action=drop chain=input dst-address=10.20.20.1 dst-port=17489 in-bridge-port-list=IOT log=yes protocol=tcp src-address=10.20.20.0/27 src-port=17489
add action=drop chain=forward dst-address=10.20.20.1 dst-port=17489 in-bridge-port-list=IOT protocol=tcp src-port=17489
add action=accept chain=input in-interface=Ether1_Eolo_Giada log=yes protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=Ether1_Eolo_Giada log=yes protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# PCC load balancing keyed on in-interface=Main_Bridge.
# NOTE(review): traffic arriving on the VLAN sub-interfaces (Vlan_ospiti, vlan_IoT) presumably does
# not match in-interface=Main_Bridge and therefore is not marked here — confirm. The two output-chain
# rules carry src-address-list="" (empty), which looks unintended.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Main_Bridge new-connection-mark=PPPoE_Wan1_XX passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Main_Bridge new-connection-mark=PPPoE_Wan2_XX passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-connection chain=forward connection-state=new in-interface=PPPoE_Eolo_XX new-connection-mark=port_forward_wan1 passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=PPPoE_Eolo_XX new-connection-mark=port_forward_wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=PPPoE_Wan2_Fabrizio in-interface=Main_Bridge new-routing-mark=to_PPPoE_XX passthrough=no
add action=mark-routing chain=prerouting connection-mark=PPPoE_Wan1_Giada in-interface=Main_Bridge new-routing-mark=to_PPPoE_XX passthrough=no
add action=accept chain=prerouting in-interface=PPPoE_Eolo_XX
add action=accept chain=prerouting in-interface=PPPoE_Eolo_XX
add action=mark-routing chain=output connection-mark=PPPoE_Wan1_Giada new-routing-mark=to_PPPoE_XX passthrough=yes src-address-list=""
add action=mark-routing chain=output connection-mark=PPPoE_Wan2_Fabrizio new-routing-mark=to_PPPoE_XX passthrough=yes src-address-list=""
# Source NAT on both uplinks, plus a third rule that masquerades everything destined for
# 10.10.10.0/24 regardless of out-interface (hairpin NAT), logging every match.
# NOTE(review): the third rule also rewrites the source of VPN-client and port-forwarded traffic to
# the router's own address, so LAN-side logs lose the real origin; scope it to the hairpin case
# (e.g. add src-address=10.10.10.0/24) — confirm what it was meant to cover.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE_Eolo_XX
add action=masquerade chain=srcnat out-interface=PPPoE_Eolo_XX
add action=masquerade chain=srcnat dst-address=10.10.10.0/24 log=yes
# Identity for the static (unreachable) peer above; no secret is shown — possibly hidden by the export.
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver
# Default (template) policy widened to any-to-any; per-client policies come from generate-policy=port-override.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Marked routes for PCC plus two unmarked default routes; gateways are anonymised.
/ip route
add comment="PCC Wan1" distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan1 distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add check-gateway=ping comment="PCC Wan2" distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan2 distance=1 gateway=PPPoE_Eolo_XX routing-mark=to_PPPoE_XX
add comment=Wan1 distance=1 gateway=PPPoE_Eolo_XX
add comment=Wan2 distance=1 gateway=PPPoE_Eolo_XX
# Management surface: telnet/ftp/www/ssh/api/api-ssl disabled, winbox moved to a non-default port.
# NOTE(review): a non-default port is not access control; pair it with an address= restriction on
# the winbox service and with the WAN input drop (currently disabled in /ip firewall filter).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=XX
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set show-dummy-rule=no
# Single L2TP account; the password is not visible in this export.
/ppp secret
add name=assomev profile=ipsec_vpn remote-address=10.10.10.46 service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Pipolis
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
/tool bandwidth-server
set authenticate=no enabled=no
# MAC-winbox limited to the NOI list, which has no members in this export (see /interface list member).
/tool mac-server mac-winbox
set allowed-interface-list=NOI
Where is the problem?
Thank you