LaKing
newbie
Topic Author
Posts: 30
Joined: Fri Oct 05, 2018 5:56 am

VPN network troubleshooting ideas needed

Thu Mar 09, 2023 6:38 pm

Hello Forum, ..

I have an MT CC router that serves other Mikrotik routers for a site-to-site Layer 2 VPN connection with L2TP and IPsec.
The server is ROS 7.4.1.

I recently added a new client that has ROS 7.7 / 7.8.

The setup process is scripted, which means a .rsc file is generated and, once uploaded to the client router, is run in its terminal.
The client script runs successfully, and all settings seem to appear correctly. Both the server and the clients seem to indicate that the connection is fine:
- the server has the client in its active peers
- the client has the server in its active peers
Both logs say that the connection is established, there is uptime ...

So the L2TP/IPsec connection seems to be fine.

The host serves each client with a network 10.10.X.x,
where X is a unique number. On that virtual LAN address range the host router has x = 1 and the client router has x = 2.

Now there are 7 clients connected; they all work fine, ROS 7.1 .. 7.4.
But the recently added client - despite the active connection - cannot ping the server, and the server cannot ping the client.

I checked all relevant settings up and down and they are all identical with the working clients, the only difference is the number X and the naming.
Firewall rules are also identical, and they are mostly like the default rules. There are no special NAT rules, and simple firewall rules can be disabled - doesn't change anything.
Routes seem to be fine, I don't see anything that would prevent the expected traffic flow.
Traceroute cannot reach the remote host. Pinging, even with the interface specified gives 100% packet loss for the VPN.

I'm out of ideas.

I cannot find any configuration issues; they seem to align with the working clients.
I can only suspect something in the firmware or the hardware, but have no tools to pinpoint the problem.

Does anyone have any ideas?
 
LaKing
newbie
Topic Author
Posts: 30
Joined: Fri Oct 05, 2018 5:56 am

Re: VPN network troubleshooting ideas needed

Thu Mar 09, 2023 9:33 pm

I did a test to answer the question of whether this is a server- or client-related issue.
I tried two devices:
- hAP ac lite with ROS 7.8
- RB2011iL-RM ROS 7.6

Both reset to the default configuration.
I loaded the same configuration file on both devices and added a user with a password, reproducing the same software configuration.

hAP ac lite - not pinging the server despite active peer
RB2011iL - pinging the server through the active peer
 
LaKing
newbie
Topic Author
Posts: 30
Joined: Fri Oct 05, 2018 5:56 am

Re: VPN network troubleshooting ideas needed

Thu Mar 09, 2023 9:51 pm

I upgraded the RB2011iL-RM to ROS 7.8 - and the VPN is now broken on it as well.

So I think there was a change from ROS 7.6 to 7.7 that breaks the configuration.
 
LaKing
newbie
Topic Author
Posts: 30
Joined: Fri Oct 05, 2018 5:56 am

Re: VPN network troubleshooting ideas needed

Thu Mar 09, 2023 10:40 pm

An example configuration:
#vpn-host
/interface bridge add name=hangmaffia_vpn_nemdebar_bridge arp=enabled comment="SITE-TO_SITE Layer2 VPN"
/ppp profile add name=hangmaffia_vpn_nemdebar bridge=hangmaffia_vpn_nemdebar_bridge comment="SITE-TO-SITE Layer2 VPN"
/ppp secret add name=@nemdebar password=password profile=hangmaffia_vpn_nemdebar comment="nemdebar (10.10.52.x)"
/interface vlan add interface=fx_connector_bridge name=vlan-@nemdebar vlan-id=52
/interface bridge port add bridge=hangmaffia_vpn_nemdebar_bridge interface=vlan-@nemdebar
/ip address add address=10.10.52.1/24 comment=@nemdebar interface=hangmaffia_vpn_nemdebar_bridge network=10.10.52.0
/ip pool add name=pool@nemdebar ranges=10.10.52.10-10.10.52.100
/ip dhcp-server add address-pool=pool@nemdebar disabled=no interface=hangmaffia_vpn_nemdebar_bridge name=@nemdebar
/ip dhcp-server network add address=10.10.52.0/24 comment=hangmaffia_vpn_nemdebar gateway=10.10.52.1
The matching client:
#vpn-client
/interface bridge add name=hangmaffia_vpn arp=proxy-arp
/interface bridge port remove [find interface="ether2"]
/interface bridge port remove [find interface="ether3"]
/interface bridge port add bridge=hangmaffia_vpn interface=ether2
/interface bridge port add bridge=hangmaffia_vpn interface=ether3
/ppp profile add name=hangmaffia_vpn bridge=hangmaffia_vpn comment="SITE-TO-SITE Layer2 VPN"
/interface l2tp-client add connect-to=my.public.ip disabled=no ipsec-secret=ipsec-password keepalive-timeout=disabled mrru=1600 name=l2tp-hangmaffia password=password profile=hangmaffia_vpn use-ipsec=yes user=@nemdebar
/ip address add address=10.10.52.2/24 comment=local-bridge-address interface=hangmaffia_vpn network=10.10.52.0
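The first post says the host/client pair is generated from a script per site number X, and that the new client's config is "identical with the working clients" apart from X and the naming. The following is an added example, not LaKing's generator and not MikroTik code: it renders a host/client .rsc pair from templates modelled on the snippets above, parses RouterOS command lines into path plus key=value parameters, checks the invariants the thread states (host .1 and client .2 on 10.10.X.0/24, vlan-id equal to X, PPP secret matching the client's L2TP user, IPsec enabled, profile bound to an existing bridge), and diffs a working site against a new one after normalising X and the site name, so that any remaining difference is something other than "the number X and the naming". The org name, server address and passwords are assumptions; the template strips the thread's ether3 lines and DHCP lines for brevity.

```python
import re
import shlex
from typing import Dict, List, Tuple

Command = Tuple[str, Dict[str, str]]  # ("/ip address add", {"address": "10.10.52.1/24", ...})

# Templates modelled on the thread's snippets; org, server and passwords are assumptions.
HOST_TEMPLATE = """\
#vpn-host
/interface bridge add name={org}_vpn_{site}_bridge arp=enabled comment="SITE-TO-SITE Layer2 VPN"
/ppp profile add name={org}_vpn_{site} bridge={org}_vpn_{site}_bridge comment="SITE-TO-SITE Layer2 VPN"
/ppp secret add name=@{site} password={ppp_pw} profile={org}_vpn_{site} comment="{site} (10.10.{x}.x)"
/interface vlan add interface=fx_connector_bridge name=vlan-@{site} vlan-id={x}
/interface bridge port add bridge={org}_vpn_{site}_bridge interface=vlan-@{site}
/ip address add address=10.10.{x}.1/24 comment=@{site} interface={org}_vpn_{site}_bridge network=10.10.{x}.0
"""
CLIENT_TEMPLATE = """\
#vpn-client
/interface bridge add name={org}_vpn arp=proxy-arp
/interface bridge port remove [find interface="ether2"]
/interface bridge port add bridge={org}_vpn interface=ether2
/ppp profile add name={org}_vpn bridge={org}_vpn comment="SITE-TO-SITE Layer2 VPN"
/interface l2tp-client add connect-to={server} disabled=no ipsec-secret={ipsec_pw} keepalive-timeout=disabled mrru=1600 name=l2tp-{org} password={ppp_pw} profile={org}_vpn use-ipsec=yes user=@{site}
/ip address add address=10.10.{x}.2/24 comment=local-bridge-address interface={org}_vpn network=10.10.{x}.0
"""


def render_site(site: str, x: int, **kw) -> Tuple[str, str]:
    """Return (host_rsc, client_rsc) for one site number X."""
    return HOST_TEMPLATE.format(site=site, x=x, **kw), CLIENT_TEMPLATE.format(site=site, x=x, **kw)


def parse_rsc(text: str) -> List[Command]:
    """Split each RouterOS command line into its path and its key=value parameters."""
    cmds: List[Command] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        params: Dict[str, str] = {}
        m = re.search(r"\[(.*)\]", line)  # keep a [find ...] filter as one raw value
        if m:
            params["_filter"] = m.group(1)
            line = line[: m.start()]
        path: List[str] = []
        for tok in shlex.split(line):  # shlex drops the quotes around comment="..."
            if "=" in tok and path:
                k, v = tok.split("=", 1)
                params[k] = v
            else:
                path.append(tok)
        cmds.append((" ".join(path), params))
    return cmds


def first(cmds: List[Command], path: str) -> Dict[str, str]:
    return next(p for c, p in cmds if c == path)


def check_pair(host: List[Command], client: List[Command], x: int) -> List[str]:
    """Invariants from the thread: host .1 and client .2 on 10.10.X.0/24, vlan-id == X,
    PPP secret == client L2TP user/password, IPsec on, profile bound to a real bridge."""
    problems: List[str] = []
    h_addr, c_addr = first(host, "/ip address add"), first(client, "/ip address add")
    if h_addr["address"] != f"10.10.{x}.1/24":
        problems.append(f"host address {h_addr['address']} is not 10.10.{x}.1/24")
    if c_addr["address"] != f"10.10.{x}.2/24":
        problems.append(f"client address {c_addr['address']} is not 10.10.{x}.2/24")
    if h_addr["network"] != c_addr["network"]:
        problems.append("host and client disagree on the network address")
    if first(host, "/interface vlan add")["vlan-id"] != str(x):
        problems.append("host vlan-id does not equal X")
    secret, l2tp = first(host, "/ppp secret add"), first(client, "/interface l2tp-client add")
    if secret["name"] != l2tp["user"] or secret["password"] != l2tp["password"]:
        problems.append("PPP secret on host does not match the client's L2TP user/password")
    if l2tp.get("use-ipsec") != "yes":
        problems.append("client L2TP is not using IPsec")
    bridges = {p["name"] for c, p in host if c == "/interface bridge add"}
    if first(host, "/ppp profile add").get("bridge") not in bridges:
        problems.append("host PPP profile is not attached to an existing bridge")
    return problems


def normalise(cmds: List[Command], site: str, x: int) -> List[Command]:
    """Replace the site name and the number X so two sites become comparable."""
    out: List[Command] = []
    for path, params in cmds:
        np: Dict[str, str] = {}
        for k, v in params.items():
            v = "X" if v == str(x) else v.replace(f"10.10.{x}.", "10.10.X.")
            np[k] = v.replace(site, "SITE")
        out.append((path, np))
    return out


def diff_sites(a: List[Command], site_a: str, x_a: int,
               b: List[Command], site_b: str, x_b: int) -> List[str]:
    """Report every difference between two sites other than X and the site name."""
    na, nb = normalise(a, site_a, x_a), normalise(b, site_b, x_b)
    diffs: List[str] = []
    if len(na) != len(nb):
        diffs.append(f"command count differs: {len(na)} vs {len(nb)}")
    for (pa, qa), (pb, qb) in zip(na, nb):
        if pa != pb:
            diffs.append(f"command differs: {pa!r} vs {pb!r}")
            continue
        for k in sorted(set(qa) | set(qb)):
            if qa.get(k) != qb.get(k):
                diffs.append(f"{pa}: {k}={qa.get(k)!r} vs {qb.get(k)!r}")
    return diffs


if __name__ == "__main__":
    common = dict(org="hangmaffia", server="my.public.ip", ppp_pw="password", ipsec_pw="ipsec-password")
    h, c = render_site("nemdebar", 52, **common)
    print(check_pair(parse_rsc(h), parse_rsc(c), 52) or "site 52: invariants hold")
    h2, c2 = render_site("newsite", 61, **common)
    print(diff_sites(parse_rsc(h), "nemdebar", 52, parse_rsc(h2), "newsite", 61) or "host configs match")
```

If `check_pair` and `diff_sites` both come back empty for the working and the failing site, the configuration really is identical apart from X and naming, which is the point at which the thread's suspicion of a RouterOS version change (the same config working on 7.6 and failing after the upgrade to 7.8) becomes the remaining explanation to pursue, for instance with `/tool sniffer` or `/interface bridge host print` on the bridged interface on both sides.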
