vomus
just joined
Topic Author
Posts: 15
Joined: Tue Jan 21, 2014 3:32 pm

HELP with L2TP/IPsec

Fri Jan 24, 2014 9:19 pm

Hi!
I am trying to configure an L2TP/IPsec connection between my Mikrotik and an Android phone. Reading
http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP on the wiki seemed like a rather straightforward setup which I followed.

Everything went fine and I even connected to my router. However, I could not reach any IP address on my internal LAN except the router itself (10.161.0.1). I attach the routing table of what appeared after the client connected.

Can anyone help, please?
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: HELP with L2TP/IPsec

Sat Jan 25, 2014 12:31 am

What is the version of your RouterOS?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: HELP with L2TP/IPsec

Sat Jan 25, 2014 1:39 am

Post your exports

Sent from my SCH-I545 using Tapatalk
 
vomus
just joined
Topic Author
Posts: 15
Joined: Tue Jan 21, 2014 3:32 pm

Re: HELP with L2TP/IPsec

Sat Jan 25, 2014 7:15 am

> Post your exports
> Sent from my SCH-I545 using Tapatalk

The version is 6.7 and firewall exports are below:
# jan/25/2014 09:13:24 by RouterOS 6.7
# software id = R9KJ-T416
#
/ip firewall filter
add chain=input comment="Allow Established connections" connection-state=established
add chain=forward connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow connections from inside LAN" in-interface=!Rostelecom-PPPoE src-address=10.161.0.0/16
add action=log chain=input comment="Log VPN activity" dst-port=1701,500,4500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input comment="Open L2TP/IPsec connections" connection-state=new dst-port=1701 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input in-interface=Rostelecom-PPPoE protocol=ipsec-ah
add chain=input in-interface=Rostelecom-PPPoE protocol=ipsec-esp
add action=drop chain=input comment="Block repetitive SSH tries for 5 days" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=5d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Allow only 10 incorrect FTP logons per minute" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="Drop the rest"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=Rostelecom-PPPoE src-address=10.161.0.0/16
 
rjscomms
Member Candidate
Posts: 132
Joined: Fri Jan 28, 2011 12:22 pm

Re: HELP with L2TP/IPsec

Sun Jan 26, 2014 12:36 am

Hello,

just a quick thought, do you have proxy-arp enabled on the interface facing your internal network?

Have a look at the wiki page for PPTP and it describes it there. I believe it is still applicable in your case.
 
vomus
just joined
Topic Author
Posts: 15
Joined: Tue Jan 21, 2014 3:32 pm

Re: HELP with L2TP/IPsec

Sun Jan 26, 2014 12:22 pm

> Hello,
> just a quick thought, do you have proxy-arp enabled on the interface facing your internal network?
>
> Have a look at the wiki page for PPTP and it describes it there. I believe it is still applicable in your case.

Hi! It worked! Thanks. How come no one has corrected an IPsec wiki page... :(
 
rjscomms
Member Candidate
Posts: 132
Joined: Fri Jan 28, 2011 12:22 pm

Re: HELP with L2TP/IPsec

Mon Jan 27, 2014 1:17 am

Glad it worked for you.

I think they have not updated the wiki page for l2tp/ipsec because the proxy-arp feature is not directly related to l2tp/ipsec as such.
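
Added example, not part of the thread and not MikroTik code: a small check that reads a RouterOS export and reports LAN interfaces that need `arp=proxy-arp` because a VPN address pool lies inside their subnet, which is the situation the fix above implies. The sample export, the interface name `ether2-lan` and the pool `l2tp-pool` are constructed assumptions; only the 10.161.0.0/16 LAN comes from the posted configuration.

```python
import ipaddress
import re

# Constructed sample in RouterOS 6 export style (names and pool are assumptions).
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether2 ] name=ether2-lan
/ip address
add address=10.161.0.1/16 interface=ether2-lan
/ip pool
add name=l2tp-pool ranges=10.161.200.10-10.161.200.50
"""

def parse_export(text):
    """Group 'add'/'set' entries by menu path, each as a dict of key=value pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith(("add ", "set ")):
            entry = dict(re.findall(r"([\w-]+)=(\S+)", line))
            sections.setdefault(current, []).append(entry)
    return sections

def missing_proxy_arp(text):
    """Return (interface, pool) pairs where the pool sits inside the interface's
    subnet but the interface does not answer ARP on behalf of pool addresses."""
    cfg = parse_export(text)
    arp_mode = {}
    for menu, entries in cfg.items():
        if menu.startswith("/interface"):
            for e in entries:
                name = e.get("name") or e.get("default-name")
                if name:
                    arp_mode[name] = e.get("arp", "enabled")  # default ARP mode
    findings = []
    for addr in cfg.get("/ip address", []):
        net = ipaddress.ip_interface(addr["address"]).network
        for pool in cfg.get("/ip pool", []):
            first = ipaddress.ip_address(pool["ranges"].split(",")[0].split("-")[0])
            # LAN hosts ARP for an on-subnet VPN client; only proxy-arp answers them.
            if first in net and arp_mode.get(addr["interface"], "enabled") != "proxy-arp":
                findings.append((addr["interface"], pool["name"]))
    return findings
```

A pool outside every interface subnet produces no finding, because LAN hosts then reach the VPN clients through their gateway instead of ARP.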
