cschirra
just joined
Topic Author
Posts: 3
Joined: Tue Apr 29, 2014 9:22 pm

VPN L2TP/IPsec connection works in LAN but not WAN

Mon May 05, 2014 11:52 am

Hello,

I am pretty new to MikroTik and hope that someone can help me with my topic, thanks in advance.

I would like to set up a VPN server on my RB2011 with L2TP/IPsec. When I try to connect from within my LAN with my iPhone, everything works as expected. When I try to access the VPN server over the Internet I can just see some messages in the MikroTik log, but cannot get a connection.
Messages from the log:
....
tunnel 35 received no replies, disconnecting
tunnel 35 entering state: dead


My Setup:
I have a FritzBox DSL router for my Internet connection. My MikroTik is connected to a LAN port on the FritzBox. In the FritzBox I configured the IP address of the RB2011 as exposed host. In that way I can reach it via the public IP address that is assigned to my FritzBox. For test reasons I have no firewall rules set up on the MikroTik.

FritzBox IP address: 192.168.0.1
MikroTik IP address: 192.168.0.2, GW and DNS point to the FritzBox.

/ip ipsec proposal
add enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h name="L2TP Proposal" pfs-group=none

/ip pool
add name="OpenVPN Pool" ranges=10.0.0.2-10.0.0.10
add name="L2TP Pool" ranges=10.1.0.2-10.1.0.10

/port
set 0 name=serial0

/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.1.0.1 name="L2TP Profile" remote-address=\
"L2TP Pool"

/interface l2tp-server server
set authentication=mschap2 default-profile="L2TP Profile" enabled=yes

/interface ovpn-server server
set certificate=cert_2 enabled=yes

/interface pptp-server server
set enabled=yes

/ip address
add address=192.168.0.2/24 interface=ether2 network=192.168.0.0

/ip dns
set servers=192.168.0.1

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24

/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override nat-traversal=yes secret

/ip route
add distance=1 gateway=192.168.0.1

/ip upnp
set allow-disable-external-interface=no

/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10

/ppp secret
add name=ppp1 password=1
add name=ppp2 password=2 profile="L2TP Profile" service=l2tp

/system clock
set time-zone-name=Europe/Berlin

/system lcd
set contrast=0 enabled=no port=parallel type=24x4

/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s

/system ntp client
set enabled=yes primary-ntp=178.16.23.50 secondary-ntp=78.47.253.206
[admin@MikroTik] >
 
cdsJerry
just joined
Posts: 16
Joined: Wed May 28, 2014 12:26 am

Re: VPN L2TP/IPsec connection works in LAN but not WAN

Thu May 29, 2014 6:51 pm

Did you get this solved? I'm new to MikroTik and struggling to get an OpenVPN connection built. You got further than I have but I'm wondering if you ever got it solved, and if so, what was wrong?
 
cschirra
just joined
Topic Author
Posts: 3
Joined: Tue Apr 29, 2014 9:22 pm

Re: VPN L2TP/IPsec connection works in LAN but not WAN

Thu May 29, 2014 7:58 pm

I gave up and sold the MikroTik stuff. Too much time to invest to get things working.
 
cdsJerry
just joined
Posts: 16
Joined: Wed May 28, 2014 12:26 am

Re: VPN L2TP/IPsec connection works in LAN but not WAN

Thu May 29, 2014 9:19 pm

> I gave up and sold the MikroTik stuff. Too much time to invest to get things working.
I know what you mean. I've invested three days now in trying to get OpenVPN to work on one of their RB2011UiAS-2HnD-IN units. I could have done this in a min. or two with my old router. I still have zero success with this one. It -may- be the all powerful unit, but it -is- not easy to use. pfSense is so much easier. I should have gone that route I'm thinking.
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: VPN L2TP/IPsec connection works in LAN but not WAN

Fri May 30, 2014 9:44 pm

My guess is that the OP had firewall filter rules similar to:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
This would have allowed all traffic in on any interface other than ether1-gateway. I think that's pretty much the default.

The OP could have added some rules between the connection-state=related and the drop rule:
/ip firewall filter
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
Of course, the OP didn't show his ip firewall filter export, so this is all guesswork.
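The point of lambert's reply is rule order: the accept rules for UDP 500, ESP, UDP 4500 and UDP 1701 only help if they sit above the catch-all drop on the WAN interface. The script below is an added example (not from this thread or from MikroTik) that parses a `/ip firewall filter` export and walks the input chain the way RouterOS does (first match wins, implicit accept at the end) for the four L2TP/IPsec packet types arriving on the WAN interface. Both exports it checks are constructed for the example; the interface name `ether1-gateway` is the one used in lambert's reply.

```python
"""Check a RouterOS '/ip firewall filter' export for the L2TP/IPsec
rule-ordering problem: are IKE (UDP 500), NAT-T (UDP 4500), L2TP
(UDP 1701) and ESP accepted on the WAN interface before the catch-all
drop?  Added example; the exports below are constructed, not real devices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule order as suggested in the thread: service accepts sit between the
# connection-state rules and the final drop on the WAN interface.
GOOD_EXPORT = """\
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
"""

# Same rules, but the accepts were appended after the drop (a common mistake).
BAD_EXPORT = """\
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
"""


@dataclass
class Rule:
    chain: str
    action: str = "accept"          # RouterOS default when action= is omitted
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None
    comment: str = ""


@dataclass
class Packet:
    protocol: str
    dst_port: Optional[int]
    in_interface: str
    connection_state: str = "new"   # a fresh VPN attempt is always 'new'


# key=value or key="quoted value" pairs on an 'add ...' line
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_filter_export(text: str) -> List[Rule]:
    """Return the 'add' rules under '/ip firewall filter', in export order."""
    rules: List[Rule] = []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):                 # a new export section
            in_section = line == "/ip firewall filter"
            continue
        if not in_section or not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in _KV.findall(line[4:])}
        rules.append(Rule(
            chain=kv.get("chain", ""),
            action=kv.get("action", "accept"),
            protocol=kv.get("protocol"),
            dst_port=int(kv["dst-port"]) if "dst-port" in kv else None,
            in_interface=kv.get("in-interface"),
            connection_state=kv.get("connection-state"),
            comment=kv.get("comment", ""),
        ))
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_interface and rule.in_interface != pkt.in_interface:
        return False
    if rule.connection_state and rule.connection_state != pkt.connection_state:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, chain: str = "input") -> str:
    """First matching rule wins; an input chain with no match accepts."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.action
    return "accept"


def check_l2tp_ipsec_reachable(export_text: str,
                               wan_interface: str = "ether1-gateway") -> Dict[str, str]:
    """Verdict for each L2TP/IPsec packet type arriving new on the WAN port."""
    rules = parse_filter_export(export_text)
    probes = {
        "IKE (UDP 500)": Packet("udp", 500, wan_interface),
        "ESP": Packet("ipsec-esp", None, wan_interface),
        "NAT-T (UDP 4500)": Packet("udp", 4500, wan_interface),
        "L2TP (UDP 1701)": Packet("udp", 1701, wan_interface),
    }
    return {name: verdict(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for label, export in (("good order", GOOD_EXPORT), ("bad order", BAD_EXPORT)):
        print(label, check_l2tp_ipsec_reachable(export))
```

Run it against your own `/ip firewall filter export` output instead of the constructed strings; any service that comes back `drop` will produce exactly the "received no replies" behaviour the OP saw, because the peer's IKE or L2TP packets never reach the daemon. The model deliberately ignores matchers it does not know (src-address, connection-mark and so on), so treat an `accept` as "not blocked by the rules modelled here" rather than a guarantee.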