 
bkra1976
just joined
Topic Author
Posts: 14
Joined: Wed Mar 16, 2016 12:04 pm

VPN IPSEC

Thu May 04, 2017 5:53 pm

Hello

I have the following problems:

The VPN connection is established; I can ping from side 1 to side 2, but I can't ping from side 2 to side 1.
I must first ping from side 1 to side 2, then it works.
The next problem is that on each side packets are missing.

Any idea?
Thanks
 
tholderbaum
newbie
Posts: 38
Joined: Thu Jan 23, 2014 3:34 am
Location: Tampa, Florida
Contact:

Re: VPN IPSEC

Thu May 04, 2017 7:21 pm

This code is my standard VPN setup: It is a bit different than yours. Try it out, and see how it works for you.

Comment: This proposal works for most devices.
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TPVPN_Proposal pfs-group=\
none


Comment: Setup VPN Pool
/ip pool
add name=Default_VPN_Pool ranges=172.16.254.2-172.16.254.254

Comment: This sets up your L2TP Profile and pool
/ppp profile
add change-tcp-mss=yes dns-server=***Set your Local DNS Server here*** local-address=\
172.16.254.1 name=VPN-L2TP/IPSEC remote-address=Default_VPN_Pool

Comment: Sets up L2TP and IPsec
/interface l2tp-server server
set default-profile=VPN-L2TP/IPSEC enabled=yes ipsec-secret=\
***INSERT KEY Here*** use-ipsec=yes

Comment: This defines DHCP information for your VPN subnet.
/ip dhcp-server network
add address=172.16.254.0/24 dns-server=**Internal DNS** \
gateway=172.16.254.1 netmask=24

Comment: This creates a list of the internal subnets for your network. Essentially, your VPN subnet is a separate network. This means that there is no need for NAT because all traffic is routed. This also allows us to write rules to cover multiple subnets in the filter list.
/ip firewall address-list
add address=**YourInternalSubnet** list=Internal_Subnets
add address=172.16.254.0/24 list=Internal_Subnets


Comment: Add Filter Rules
/ip firewall filter
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=ipsec-esp
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=ipsec-ah
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=gre
add chain=input comment="Permit IPSec" dst-port=\
1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward comment=\
"Allow Traffic from Internal Subnets <--> Internal Subnets" dst-address-list=\
Internal_Subnets src-address-list=Internal_Subnets
add action=accept chain=forward comment=\
"Allow Internal Subnets to Internet" out-interface=ether1 src-address-list=\
Internal_Subnets

Comment: Add users
/ppp secret
add name=test password=test1234 profile=VPN-L2TP/IPSEC service=l2tp
 
bkra1976
just joined
Topic Author
Posts: 14
Joined: Wed Mar 16, 2016 12:04 pm

Re: VPN IPSEC

Fri May 05, 2017 7:43 am

Thanks, but I need a site-to-site config
 
tholderbaum
newbie
Posts: 38
Joined: Thu Jan 23, 2014 3:34 am
Location: Tampa, Florida
Contact:

Re: VPN IPSEC

Fri May 05, 2017 6:55 pm

I can help you with that. I just need to understand if it is a tunnel between two Mikrotiks or between a mikrotik and something else.
 
bkra1976
just joined
Topic Author
Posts: 14
Joined: Wed Mar 16, 2016 12:04 pm

Re: VPN IPSEC

Mon May 08, 2017 8:01 am

Hello

Yes, it should be a tunnel between 2 RB 3011

Thanks
 
bkra1976
just joined
Topic Author
Posts: 14
Joined: Wed Mar 16, 2016 12:04 pm

Re: VPN IPSEC

Mon May 08, 2017 2:50 pm

Thanks, I will try this
 
sascha79
just joined
Posts: 1
Joined: Sat May 13, 2017 2:32 am

Re: VPN IPSEC

Sat May 13, 2017 2:34 am

Hello. I had the same problem with two RB3011. In my case a fw rule on both RB was missing.
Allow Protocol 50 Input.

Sent from my HUAWEI NXT-L29 using Tapatalk
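Added example (not from any poster in this thread): a minimal site-to-site IPsec configuration for one of the two RB3011s, written in the RouterOS 6.x syntax of the period (peer address and pre-shared key on the same /ip ipsec peer entry; newer releases split these into /ip ipsec identity). It pulls together the three things the thread touches on: the input rules that admit IKE/NAT-T and ESP (IP protocol 50, the rule sascha79 found missing), a srcnat bypass so masqueraded LAN traffic is not rewritten before it can match the policy, and the policy itself, which must exist as a mirror image on both routers or only the initiating side can bring the tunnel up. The WAN addresses 203.0.113.1/203.0.113.2, the LANs 192.168.1.0/24 and 192.168.2.0/24, the interface name ether1 and the key are placeholders to replace.

```routeros
# --- Site A (WAN 203.0.113.1 on ether1, LAN 192.168.1.0/24) ---
# Site B is the mirror image: swap the two WAN addresses and the two LAN prefixes.
# All addresses and the PSK are constructed placeholders.

# Phase 2 proposal: AES-256 with SHA-256 and PFS. Leave out 3DES/SHA-1 unless
# the far end genuinely cannot do better.
/ip ipsec proposal
add name=site2site auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# Phase 1 peer (RouterOS 6.x: address and secret on the peer entry).
/ip ipsec peer
add address=203.0.113.2/32 exchange-mode=main secret="REPLACE_WITH_STRONG_PSK" \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    send-initial-contact=yes

# Policy: LAN-A <-> LAN-B in tunnel mode. Both sides need the mirrored policy;
# if one side lacks it, the tunnel only comes up when the other side sends first.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt level=require proposal=site2site

# NAT bypass: the usual masquerade rule would rewrite LAN-A -> LAN-B packets so
# they never match the policy. This accept rule must sit above the masquerade
# rule; place-before=0 puts it first (omit place-before if the srcnat chain is
# still empty).
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 comment="Bypass NAT for IPsec site-to-site" \
    place-before=0

# Input rules the tunnel needs on the WAN interface: IKE (udp/500), NAT-T
# (udp/4500) and ESP (IP protocol 50). These must be above any drop rule in
# the input chain. Restricting to the peer's source address keeps the exposure
# small; drop src-address= if the peer has a dynamic address.
/ip firewall filter
add chain=input action=accept in-interface=ether1 protocol=udp \
    dst-port=500,4500 src-address=203.0.113.2 comment="IKE / NAT-T from peer"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    src-address=203.0.113.2 comment="ESP (protocol 50) from peer"

# Verification once both sites are configured:
#   /ip ipsec remote-peers print     (phase 1 established with 203.0.113.2?)
#   /ip ipsec installed-sa print     (one SA per direction present?)
#   /ip firewall filter print stats  (are the two input rules counting packets?)
```

If `installed-sa print` shows SAs in only one direction, or the ESP input rule's counters stay at zero while the IKE rule counts, the far side is missing the mirrored policy or the protocol-50 accept rule, which reproduces the one-way ping symptom described at the top of the thread.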
