OK, so I have set up a S2S IPsec VPN over L2TP. I have a central site and have two branches.
Central site can access everything on the remote branch sites.
Remote branch sites can reach and access central site.
Remote branches can not "talk" to each other.
I am using static routes and all routes are inputed in every router:
What am I missing?
Thank you all in advance.
Re: S2S problem
An exported config would be a good start:
export file=anynameyouwish
export file=anynameyouwish
Re: S2S problem
emunt please stop, this is not a guessing game. we provide advice based on facts/evidence.
Cat is bang on, we need to see the config to ascertain potential problem area(s).
A config is integrated and thus needs to be seen from the 'whole' perspective.
Cat is bang on, we need to see the config to ascertain potential problem area(s).
A config is integrated and thus needs to be seen from the 'whole' perspective.
Re: S2S problem
Hi, sorry for not getting back to you.
export from central router:
export from REMOTE-1
export from REMOTE-2
export from REMOTE-3
I know there is a lot, but if someone would help me out I would really appreciate it 
export from central router:
Code: Select all
# model = CCR2004-16G-2S+
/interface bridge
add dhcp-snooping=yes name=LAN-bridge port-cost-mode=short
add name=dockers port-cost-mode=short
/interface l2tp-server
add name=REMOTE-3_L2TP
add name=REMOTE-1_L2TP
add name=REMOTE-2_L2TP
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
/ip pool
add name=dhcp_pool1-LAN ranges=192.168.1.20-192.168.1.98
add name=VPN-L2TP-POOL ranges=10.100.100.10-10.100.100.100
/ppp profile
add dns-server=192.168.1.2 local-address=10.100.100.1 name=VPN-L2TP remote-address=VPN-L2TP-POOL use-encryption=required use-ipv6=no
/interface bridge port
add bridge=LAN-bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether8 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether9 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether10 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether11 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether12 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether13 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether14 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether15 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=ether16 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=LAN-bridge interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip address
add address=192.168.1.2/24 interface=LAN-bridge network=192.168.1.0
add address=192.168.2.2/24 disabled=yes interface=sfp-sfpplus1 network=192.168.2.0
/ip dhcp-server network
add address=10.0.100.0/24 dns-server=192.168.1.2 gateway=10.0.100.1
add address=10.0.200.0/24 dns-server=1.1.1.1 gateway=10.0.200.1
add address=10.10.10.0/24 dns-server=1.1.1.1 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.2 ntp-server=192.168.1.2
add address=192.168.101.0/24 dns-server=1.1.1.1 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes query-server-timeout=5s query-total-timeout=15s servers=192.168.1.2
set allow-remote-requests=yes query-server-timeout=5s query-total-timeout=15s servers=1.1.1.1
/ip firewall address-list
add address=192.168.1.0/24 comment="LAN+WIFI mreza" list=DNS_Accept
add address=192.168.10.0/24 comment=VIKSA_LAN list=DNS_Accept
add address=192.168.11.0/24 comment=VIKSA_LTE list=DNS_Accept
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=1.1.1.1 comment="Add DNS Server to this List" list=DNS_Accept
add address=192.168.10.0/24 list=Dozvoljeni_subneti
add address=192.168.11.0/24 list=Dozvoljeni_subneti
add address=192.168.1.0/24 list=Dozvoljeni_subneti
add address=192.168.101.0/24 list=Dozvoljeni_subneti
add address=acme-v02.api.letsencrypt.org list=LETSENCRYPT
add address=acme-staging-v02.api.letsencrypt.org comment=acme-v02.api.letsencrypt.org list=LETSENCRYPT
add address=letsencrypt.org comment=acme-v02.api.letsencrypt.org list=LETSENCRYPT
add address=192.168.0.0/24 list=Dozvoljeni_subneti
/ip firewall filter
add action=accept chain=forward dst-address=172.17.0.0/24 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=172.17.0.0/24
add action=drop chain=input comment="Invalid connection drop" connection-state=invalid
add action=drop chain=forward comment="Invalid connection drop" connection-state=invalid
add action=accept chain=forward in-interface=REMOTE-3_L2TP src-address=192.168.10.0/24
add action=accept chain=input in-interface=REMOTE-3_L2TP src-address=192.168.10.0/24
add action=accept chain=forward in-interface=REMOTE-2_L2TP src-address=172.16.16.0/24
add action=accept chain=input in-interface=REMOTE-2_L2TP src-address=172.16.16.0/24
add action=accept chain=forward in-interface=REMOTE-1_L2TP src-address=192.168.0.100
add action=accept chain=input in-interface=REMOTE-1_L2TP src-address=192.168.0.100
add action=accept chain=forward in-interface=REMOTE-1_L2TP src-address=192.168.0.11
add action=accept chain=input in-interface=REMOTE-1_L2TP src-address=192.168.0.11
add action=drop chain=forward in-interface=REMOTE-1_L2TP src-address=192.168.0.0/24
add action=drop chain=input in-interface=REMOTE-1_L2TP src-address=192.168.0.0/24
add action=accept chain=input comment="L2TP/IPsec ALLOW" dst-port=500,1701,4500 in-interface=LAN-bridge protocol=udp
add action=accept chain=input comment="ALLOW PING LAN" in-interface=LAN-bridge protocol=icmp
add action=accept chain=input comment="ALLOW NTP IN LAN" dst-port=123 in-interface=LAN-bridge protocol=udp
add action=accept chain=input comment="Established connection allow" connection-state=established,related,untracked
add action=accept chain=forward comment="Established connection allow" connection-state=established
add action=accept chain=input comment="Related connection allow" connection-state=related
add action=drop chain=input
/ip firewall mangle
add action=mark-connection chain=forward comment=SIP connection-state=new dst-port=5060 new-connection-mark=SIP-connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="3CX tunnel" connection-state=new dst-port=5090 new-connection-mark=3CX-tunnel-connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=RTP connection-state=new dst-port=9000-10999 new-connection-mark=RTP-connection passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=SIP connection-mark=SIP-connection new-packet-mark=SIP passthrough=yes
add action=mark-packet chain=forward comment="3CX tunnel" connection-mark=3CX-tunnel-connection log-prefix="3CX-tunnel: " new-packet-mark=3CX-tunnel passthrough=yes
add action=mark-packet chain=forward comment=RTP connection-mark=RTP-connection new-packet-mark=RTP passthrough=yes
add action=change-dscp chain=postrouting comment="DSCP za RTP" log-prefix="change DSCP: " new-dscp=46 packet-mark=RTP passthrough=yes
add action=change-dscp chain=postrouting comment="DSCP za SIP" log-prefix="change DSCP: " new-dscp=46 packet-mark=SIP passthrough=yes
add action=change-dscp chain=postrouting comment="DSCP za 3CX tunnel" log-prefix="change DSCP: " new-dscp=46 packet-mark=3CX-tunnel passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for L2TP/IPsec" out-interface=LAN-bridge src-address=10.100.100.10-10.100.100.100
add action=masquerade chain=srcnat comment=INTERNET out-interface=LAN-bridge src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=REMOTE-2 dst-address=192.168.10.2-192.168.10.254 out-interface=REMOTE-3_L2TP src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=REMOTE-2 dst-address=192.168.11.0/24 out-interface=REMOTE-3_L2TP src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="HAIRPIN NAT GENERAL LAN" dst-address=192.168.1.0/24 out-interface=LAN-bridge src-address=192.168.1.0/24
/ip route
add disabled=no dst-address=172.16.16.0/24 gateway=REMOTE-2_L2TP
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=REMOTE-1_L2TP pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=REMOTE-3_L2TP routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.11.0/24 gateway=REMOTE-3_L2TP routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10Code: Select all
# model = RB2011UiAS-2HnD
/interface bridge
add arp=proxy-arp fast-forward=no name=BRIDGE_LAN_+_WIFI port-cost-mode=short
/interface l2tp-client
add allow=mschap2 connect-to=xxxxxxxxxxxxxxxxx disabled=no max-mru=1400 max-mtu=1400 name=S2S-L2TP use-ipsec=yes user=REMOTE-1_L2TP
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
/ppp profile
add dns-server=192.168.0.11 local-address=10.100.100.1 name=VPN-L2TP-POOL remote-address=VPN-L2TP-POOL use-encryption=required
/interface bridge port
add bridge=BRIDGE_LAN_+_WIFI ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI hw=no ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_LAN_+_WIFI ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=VPN-L2TP-POOL enabled=yes use-ipsec=yes
/ip address
add address=192.168.0.11/24 interface=BRIDGE_LAN_+_WIFI network=192.168.0.0
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.100.100.0/24 dns-server=192.168.0.11 gateway=10.100.100.1 ntp-server=192.168.0.11
add address=192.168.0.0/24 dns-server=192.168.0.11 gateway=192.168.0.11 ntp-server=192.168.0.11
/ip dns
set query-server-timeout=5s query-total-timeout=15s servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.100.100.0/24 list=DNS_Accept
add address=192.168.0.0/23 list=DNS_Accept
add address=1.1.1.1 comment="Add DNS Server to this List" list=DNS_Accept
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
/ip firewall filter
add action=drop chain=forward comment="INVALID DROP" connection-state=invalid
add action=drop chain=input comment="INVALID DROP" connection-state=invalid
add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=all-ppp src-address=10.100.100.10-10.100.100.30
add action=accept chain=forward dst-address=10.100.100.10-10.100.100.30 out-interface=all-ppp src-address=192.168.0.0/24
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward in-interface=S2S-L2TP
add action=accept chain=forward out-interface=S2S-L2TP
add action=accept chain=input in-interface=S2S-L2TP
add action=accept chain=forward out-interface=S2S-L2TP
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=10.0.0.0/8
add action=drop chain=input dst-address=192.168.0.0/24 src-address=10.0.0.0/8
add action=drop chain=forward src-address=172.16.0.0/12
add action=drop chain=input src-address=172.16.0.0/12
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=!192.168.0.0/24 src-address=10.10.10.0/24
add action=accept chain=input dst-port=53 in-interface=BRIDGE_LAN_+_WIFI protocol=udp
add action=accept chain=input dst-port=53 in-interface=all-ppp protocol=udp
add action=drop chain=input dst-port=53 protocol=udp
add action=accept chain=input in-interface=BRIDGE_LAN_+_WIFI protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input protocol=udp src-port=15252
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=established
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.100.100.10-10.100.100.100
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=S2S-L2TP
add disabled=no dst-address=10.100.100.0/24 gateway=S2S-L2TP
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.254 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.10.0/24 gateway=S2S-L2TP routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.16.16.0/24 gateway=S2S-L2TP routing-table=main suppress-hw-offload=noexport from REMOTE-2
Code: Select all
# model = RB951Ui-2nD
/interface bridge
add fast-forward=no name=LAN+WIFI port-cost-mode=short
/interface l2tp-client
add allow=mschap2 connect-to=xxxxxxxxxxxxxxxxx disabled=no name=L2TP-interface use-ipsec=yes user=REMOTE-2_L2TP
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1492 name=T-COM user=xxxxxxxxxxxxxxxxxx
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
/ip pool
add name="LAN+WIFI POOL" ranges=172.16.16.20-172.16.16.254
/ip dhcp-server
add address-pool="LAN+WIFI POOL" authoritative=after-2sec-delay interface=LAN+WIFI lease-time=10h name=DHCP
/interface bridge port
add bridge=LAN+WIFI ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=LAN+WIFI ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN+WIFI ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN+WIFI ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=LAN+WIFI ingress-filtering=no interface=WIFI-IVAMONT internal-path-cost=10 path-cost=10
/ip address
add address=172.16.16.1/24 interface=LAN+WIFI network=172.16.16.0
/ip dhcp-server network
add address=172.16.16.0/24 dns-server=172.16.16.1,8.8.8.8,208.67.222.222 gateway=172.16.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=1.1.1.1 comment="Add DNS Server to this List" list=DNS_Accept
/ip firewall filter
add action=drop chain=forward comment="Invalid connection drop" connection-state=invalid
add action=drop chain=input comment="Invalid connection drop" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface=T-COM protocol=udp
add action=drop chain=input dst-port=53 in-interface=T-COM protocol=tcp
add action=accept chain=input comment="ALLOW DNS from LAN" dst-port=53 in-interface=LAN+WIFI protocol=udp
add action=accept chain=input in-interface=L2TP-interface
add action=accept chain=forward in-interface=L2TP-interface
add chain=input in-interface=T-COM protocol=udp src-port=15252
add chain=input comment="Established connection allow" connection-state=established
add chain=input comment="Related connection allow" connection-state=related
add action=drop chain=input comment="Drop sve"
/ip firewall nat
add action=masquerade chain=srcnat comment=MASKARADA out-interface=T-COM
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=L2TP-interface
add disabled=no dst-address=10.100.100.0/24 gateway=L2TP-interface
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.1.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Code: Select all
# model = RB3011UiAS
/interface bridge
add name=LAN_BRIDGE port-cost-mode=short
/interface l2tp-client
add allow=mschap2 connect-to=xxxxxxxxxxx disabled=no max-mru=1400 max-mtu=1400 name=L2TP-interface use-ipsec=yes user=REMOTE-3_L2TP
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
/ip pool
add name=dhcp_pool0 ranges=192.168.10.11-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN_BRIDGE lease-time=10m name=dhcp1
/interface bridge port
add bridge=LAN_BRIDGE interface=ether2 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether5 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether6 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether7 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether8 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether9 internal-path-cost=10 path-cost=10
add bridge=LAN_BRIDGE interface=ether10 internal-path-cost=10 path-cost=10
/interface l2tp-server server
set use-ipsec=yes
/ip address
add address=192.168.10.1/24 interface=LAN_BRIDGE network=192.168.10.0
add address=192.168.11.2/24 interface=ether1 network=192.168.11.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=192.168.10.0/24 list=allowed_subnets
add address=192.168.1.0/24 list=allowed_subnets
add address=192.168.101.0/24 list=allowed_subnets
/ip firewall filter
add action=drop chain=forward comment="Invalid connection drop" connection-state=invalid
add action=drop chain=input comment="Invalid connection drop" connection-state=invalid
add action=accept chain=input comment=ALLOW-input_LAN-bridge in-interface=LAN_BRIDGE
add action=accept chain=forward comment="ALLOW ALL FROM L2TP" in-interface=L2TP-interface src-address=192.168.1.0/24
add action=accept chain=input comment="ALLOW ALL FROM L2TP" in-interface=L2TP-interface src-address=192.168.1.0/24
add chain=input comment="Established connection allow" connection-state=established
add chain=input comment="Related connection allow" connection-state=related
add action=drop chain=input comment="Drop sve"
/ip firewall mangle
add action=change-ttl chain=postrouting disabled=yes new-ttl=set:66 out-interface=ether1 passthrough=yes protocol=!icmp
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether7 src-address=192.168.10.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.10 src-address=192.168.10.11-192.168.10.254
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.11.0/24
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=L2TP-interface routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.101.1/24 gateway=L2TP-interface routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.17.0.0/24 gateway=L2TP-interface routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.16.16.0/24 gateway=192.168.1.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=L2TP-interface pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10