dmemmer
just joined
Topic Author
Posts: 3
Joined: Thu Nov 17, 2022 10:58 pm

L2TP VPN Config Issue

Fri Nov 25, 2022 5:12 pm

I am trying to set up an L2TP w/ IPsec VPN server on my hAPac router, to allow a couple of remote Windows 10 machines to connect to my LAN and access shared network drives. The Windows 10 PCs are able to connect to the VPN fine, and ping the gateway IP of 192.168.88.1, but are unable to ping or access any other network devices. I have verified that firewall rules are not the issue by briefly disabling them, and observed no change. I have tried RouterOS 6.48.6, 6.49.7, and 7.6.

Here are the relevant lines from my config:

/ppp profile
add bridge=bridge local-address=192.168.88.1 name=vpn_Test remote-address=\
default-dhcp

/ip cloud
set ddns-enabled=yes

/interface l2tp-server server
set default-profile=vpn_Test enabled=yes ipsec-secret=0102030405 use-ipsec=\
yes

/ip firewall filter
add action=accept chain=input comment=VPN dst-port=1701,500,4500 protocol=udp

/ppp secret
add name=test password=0102030405 profile=vpn_Test service=l2tp

Is there something I am missing?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: L2TP VPN Config Issue

Sat Nov 26, 2022 1:08 am

 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP VPN Config Issue

Sat Nov 26, 2022 2:31 am

Is there something I am missing?
Yeah, all the other relevant lines. ;) But quick guess, missing proxy ARP on LAN interface, maybe?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: L2TP VPN Config Issue

Sat Nov 26, 2022 6:23 am

I would use WireGuard...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN Config Issue

Sat Nov 26, 2022 9:54 am

While @Sob's analysis & advice is the most useful one (if you knew that setting arp=proxy-arp on the LAN interface was necessary, you would have included that in the "relevant part" of the configuration to post, wouldn't you?), there is another catch with L2TP/IPsec - to allow multiple Windows or Android clients to connect from behind the same public IP address, you need a complicated workaround.

On the other hand, if you don't insist on keeping the default settings on the Windows side or on keeping the LAN subnet, you can make it work without the arp=proxy-arp setting - by default, Windows adds a route via the tunnel to a destination subnet that matches the traditional (A, B, C) class of the address assigned by the server. If it is 192.168.x.y, the route will be to 192.168.x.0/24, so if the LAN subnet is 192.168.x.0/24 too, you need the arp=proxy-arp because from the point of view of the hosts in the LAN, 192.168.x.y is in the same subnet so they try to send data to it directly rather than via gateway. But if you reduce the LAN subnet to 192.168.x.0/25 and give the L2TP clients addresses from 192.168.x.128/25, the LAN hosts will look for a gateway when sending to 192.168.x.128/25, but Windows will still add a route to the whole 192.168.x.0/24.

If a /25 subnet is too small for your LAN, you can use 172.x.y.z (16<=x<=31). In this case, Windows will add a route to the whole 172.x.0.0/12, so you can have many more addresses in the LAN (even organized into multiple subnets) and still not use arp=proxy-arp.

And if you use non-default settings, you can link a list of routes to the Windows miniport using PowerShell, rather than let it add the single class-based route. Windows also supports getting a route list via a DHCPINFORM message and Option 249, but RouterOS only supports this method for IKEv2, not for L2TP/IPsec.
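
The subnet reasoning in the post above can be checked mechanically before touching the router. The following is an added example, not part of the post or of anyone's configuration in this thread: the function names are hypothetical, the pool ranges are constructed sample values, and the class-based route is computed with the standard classful prefix lengths (A=/8, B=/16, C=/24).

```python
import ipaddress

def classful_network(addr):
    """Class-based network (A=/8, B=/16, C=/24) containing an assigned address."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is not a class A, B or C address")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def check_plan(lan, pool_first, pool_last):
    """Evaluate a LAN subnet together with the address range handed to VPN clients."""
    lan_net = ipaddress.ip_network(lan)
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)))
    # LAN hosts ARP directly for any address inside their own subnet, so a pool
    # that overlaps the LAN only works if the router answers ARP on its behalf.
    proxy_arp_needed = any(b.overlaps(lan_net) for b in blocks)
    # A client reaches the LAN through the class-based route only if the LAN lies
    # inside the classful network of the address that client was assigned.
    route_covers_lan = all(
        b.subnet_of(classful_network(b.network_address))
        and lan_net.subnet_of(classful_network(b.network_address))
        for b in blocks)
    return {"proxy_arp_needed": proxy_arp_needed,
            "windows_route_covers_lan": route_covers_lan}

# Constructed plans; the pool ranges are assumptions, not values from the thread.
PLANS = {
    "pool inside LAN /24": ("192.168.88.0/24", "192.168.88.10", "192.168.88.254"),
    "LAN /25, pool in upper /25": ("192.168.88.0/25", "192.168.88.130", "192.168.88.254"),
    "pool in another /24": ("192.168.88.0/24", "192.168.89.10", "192.168.89.254"),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(f"{name}: {check_plan(*plan)}")
```

The third plan shows the opposite failure: the pool no longer needs proxy ARP, but the class-based route on the client no longer covers the LAN, so an explicit route would be required.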
 
dmemmer
just joined
Topic Author
Posts: 3
Joined: Thu Nov 17, 2022 10:58 pm

Re: L2TP VPN Config Issue

Sun Nov 27, 2022 1:30 am

Thanks for the replies.

I didn't include the rest of the config, as it is all default configuration (save for WiFi security profiles). Didn't seem relevant.

I will try what sindy has suggested, and reply if I am still having issues.
 
fakeusername2022
newbie
Posts: 38
Joined: Sun Aug 14, 2022 4:36 pm

Re: L2TP VPN Config Issue

Sun Nov 27, 2022 2:14 am

Find proxy-arp in this wiki topic https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP and read the section and lines above it:
 
dmemmer
just joined
Topic Author
Posts: 3
Joined: Thu Nov 17, 2022 10:58 pm

Re: L2TP VPN Config Issue

Tue Nov 29, 2022 6:02 pm

The proxy-arp setting on my LAN bridge was the setting I was missing. After making that one change, things are working as expected.

Thanks all.
