
L2TP working like magic...

Posted: Thu Sep 17, 2015 12:28 pm
by gradash
Help, I don't know what to do. If I connect to L2TP from the intranet, all is OK; even if I connect from my phone's 3G, all is OK.
But that's all: every other external user gets that error. I don't understand — my 3G internet is also external, but it works! How?...
Capture.JPG
# RouterOS export of a dual-WAN (ether1 "Lattelecom", ether2 "Telenet") gateway
# that terminates L2TP/IPsec for road-warrior clients. Public addresses and
# secrets were masked by the poster ("**.**.**.**", "*****").
# Lines marked NOTE(review) are hardening observations added on review; they
# are not part of the original export.
# LAN bridge; proxy-arp is presumably there so L2TP clients, whose pool lies
# inside the LANWAN subnet (see /ip pool and /ip address), are reachable from
# LAN hosts — confirm with the author.
/interface bridge
add arp=proxy-arp name=LANWAN
# Port roles are documented only via comments; ether3 and ether4 are bridged
# into LANWAN further down, ether1/ether2 are the ISP uplinks.
/interface ethernet
set [ find default-name=ether1 ] comment=Lattelecom
set [ find default-name=ether2 ] comment=Telenet
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=WAN
# Outbound PPTP tunnel ("pptp-de"); it is the gateway of the VPN_DEVICES
# policy route below. NOTE(review): PPTP (MS-CHAPv2/MPPE) is widely
# considered broken; treat this tunnel as unauthenticated-grade transport.
/interface pptp-client
add connect-to=**.**.**.** mrru=1600 name=pptp-de password=\
    ********** user=**********
/ip neighbor discovery
set ether1 comment=Lattelecom
set ether2 comment=Telenet
set ether3 comment=LAN
set ether4 comment=WAN
# Both pools sit inside 192.168.30.0/23 (the LANWAN address below); the L2TP
# pool is a 10-address slice just below the DHCP range.
/ip pool
add name=dhcp ranges=192.168.30.50-192.168.30.250
add name=l2tp-pool ranges=192.168.30.40-192.168.30.49
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LANWAN lease-time=1d name=DHCP
# L2TP profile: clients get an address from l2tp-pool, the router's LAN
# address as gateway/DNS, and TCP MSS clamping for the tunnel.
/ppp profile
add change-tcp-mss=yes dns-server=192.168.30.1 local-address=192.168.30.1 \
    name=L2TP remote-address=l2tp-pool
# NOTE(review): community "nemo" accepts queries from any source
# (addresses=0.0.0.0/0). The input chain below accepts all UDP with no
# interface restriction and has no terminal drop, so SNMP is presumably
# reachable from both WAN uplinks — restrict addresses= to the management
# subnet (and prefer SNMPv3 if the monitoring side supports it).
/snmp community
add addresses=0.0.0.0/0 name=nemo
/interface bridge port
add bridge=LANWAN interface=ether3
add bridge=LANWAN interface=ether4
# L2TP server: MS-CHAPv2 only (pap/chap not listed here), IPsec pre-shared
# key set; the matching IPsec peer is defined under /ip ipsec peer below.
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP enabled=yes ipsec-secret=\
    *****
# ISP addresses (masked) on ether1/ether2; LAN is a /23 on the bridge.
/ip address
add address=**.**.**.**/29 interface=ether1 network=**.**.**.**
add address=**.**.**.**/30 interface=ether2 network=**.**.**.**
add address=192.168.30.1/23 interface=LANWAN network=192.168.30.0
# MikroTik cloud DDNS enabled.
/ip cloud
set ddns-enabled=yes
# DHCP clients get the router, an internal resolver (192.168.30.35), two
# masked servers and 8.8.8.8 as DNS.
/ip dhcp-server network
add address=192.168.30.0/23 dns-server=\
    192.168.30.35,**.**.**.**,**.**.**.**,8.8.8.8 domain=**.**.**.** \
    gateway=192.168.30.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source the firewall lets in. With the unrestricted "Allow UDP" input rule
# below, only the "DNS Flood" list rules stand between the WAN and an open
# resolver — verify queries from ether1/ether2 are actually refused.
/ip dns
set allow-remote-requests=yes servers=**.**.**.**,**.**.**.**.10,8.8.8.8
# LocalNet aggregates the local LAN and the remote-office prefixes that the
# static routes below reach via 192.168.30.31. VPN_DEVICES holds the two
# hosts the (currently disabled) VPN_DEVICES policy-routing rule targets.
/ip firewall address-list
add address=192.168.4.0/22 list=LocalNet
add address=192.168.30.0/23 list=LocalNet
add address=**.**.**.**/24 list=LocalNet
add address=192.168.0.0/23 list=LocalNet
add address=**.**.**.**/24 list=LocalNet
add address=192.168.30.177 list=VPN_DEVICES
add address=192.168.30.121 list=VPN_DEVICES
# Filter chains. NOTE(review): neither the input nor the forward chain ends
# with a drop rule, so anything not matched below is accepted by RouterOS's
# default policy; add a terminal "add action=drop chain=input" (and the
# forward equivalent) after the allow rules.
/ip firewall filter
# DNS "flood" protection: any UDP/53 query arriving on a WAN interface puts
# the source on the "DNS Flood" list for 1h, and listed sources are dropped by
# the two rules after. Whether a source's first query is also dropped depends
# on list timing — confirm on the box.
add action=add-src-to-address-list address-list="DNS Flood" \
    address-list-timeout=1h chain=input comment="Anti DNS Flood" dst-port=53 \
    in-interface=ether1 protocol=udp
add action=add-src-to-address-list address-list="DNS Flood" \
    address-list-timeout=1h chain=input dst-port=53 in-interface=ether2 \
    protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp \
    src-address-list="DNS Flood"
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp \
    src-address-list="DNS Flood"
# Site-to-site traffic between LocalNet prefixes is accepted (no action= means
# accept).
add chain=forward comment="Allow all subnets" dst-address-list=LocalNet \
    src-address-list=LocalNet
add chain=input comment="Allow ping" protocol=icmp
add chain=forward protocol=icmp
add chain=input comment="Allow estabilished" connection-state=established
add chain=forward connection-state=established
add chain=input comment="Allow related" connection-state=related
add chain=forward connection-state=related
# NOTE(review): "Allow UDP" accepts every UDP port on every interface into the
# router. It makes the explicit 1701/4500/500 rules below redundant and also
# exposes SNMP (udp/161), DNS and any other UDP service to the uplinks.
# Prefer accepting only the needed ports, optionally with in-interface=.
add chain=input comment="Allow UDP" protocol=udp
add chain=forward protocol=udp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# L2TP control port. NOTE(review): matching ipsec-policy=in,ipsec on this
# rule accepts L2TP only after IPsec decapsulation, so clients cannot
# negotiate an unencrypted L2TP session.
add chain=input dst-port=1701 protocol=udp
# IKE NAT-T, IKE, and the ESP/AH protocols for the IPsec side of L2TP/IPsec.
add chain=input dst-port=4500 protocol=udp
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
# Dual-WAN reply routing: connections that reach the router's own address on
# ether1/ether2 from non-local sources get a connection mark, and the router's
# replies (output chain) are then given a matching routing mark. No /ip route
# in this export carries the "LTC <- output", "TLN <- output" or LOCALPR
# marks, so marked packets presumably fall back to the main table — confirm
# whether those routes were omitted or masked.
/ip firewall mangle
add action=mark-connection chain=input dst-address=**.**.**.** \
    in-interface=ether1 new-connection-mark="LTC -> Input" src-address-list=\
    !LocalNet
add action=mark-connection chain=input dst-address=**.**.**.** \
    in-interface=ether2 new-connection-mark="TLN -> Input" src-address-list=\
    !LocalNet
add action=mark-routing chain=output connection-mark="LTC -> Input" \
    new-routing-mark="LTC <- output"
add action=mark-routing chain=output connection-mark="TLN -> Input" \
    new-routing-mark="TLN <- output"
# Disabled: would send Internet-bound traffic from the VPN_DEVICES hosts via
# the pptp-de route below.
add action=mark-routing chain=prerouting disabled=yes dst-address-list=\
    !LocalNet new-routing-mark=VPN_DEVICES passthrough=no src-address-list=\
    VPN_DEVICES
add action=mark-routing chain=prerouting dst-address-list=!LocalNet \
    new-routing-mark=LOCALPR passthrough=no src-address=192.168.30.0/23
# Source NAT out of each uplink and out of the PPTP tunnel.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquerade out traffic Lattelecom" out-interface=ether1
add action=masquerade chain=srcnat comment="Masquerade out traffic Telenet" \
    out-interface=ether2
# pptp-de not ready
add action=masquerade chain=srcnat out-interface=pptp-de
# NOTE(review): as exported this netmap rule has no dst-port and no
# dst-address, so it appears to rewrite every TCP packet arriving on any
# ethernet interface towards 192.168.30.121:80 — including TCP aimed at the
# router's own services. Confirm whether a dst-port=80 (and a dst-address or
# in-interface limited to the uplinks) was lost in masking.
add action=netmap chain=dstnat comment=\
    "NAT to web server at ***** PC" in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.30.121 to-ports=80
# Unneeded NAT helpers (ALGs) turned off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
# IPsec peer for the L2TP clients (main-l2tp exchange, single PSK, policies
# generated per client port). NOTE(review): 3DES is a legacy cipher; prefer
# aes-256 (with a stronger hash/DH group) where the client base allows it.
/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override \
    secret=**.**.**.**
# Routes: default via ISP1 (distance 1) with ISP2 as ping-checked failover
# (distance 2), a policy route for the VPN_DEVICES mark via pptp-de, and the
# remote-office prefixes via an internal gateway 192.168.30.31.
/ip route
add distance=3 gateway=pptp-de routing-mark=VPN_DEVICES
add check-gateway=ping comment="ISP1 Gateway" distance=1 gateway=\
    **.**.**.**
add check-gateway=ping comment="ISP2 Gateway" distance=2 gateway=\
    **.**.**.**
add comment="AMS DC" distance=1 dst-address=**.**.**.**/23 gateway=\
    192.168.30.31
add comment="AMS VPN" distance=1 dst-address=**.**.**.**/24 gateway=\
    192.168.30.31
add comment="SPB OFFICE" distance=1 dst-address=192.168.0.0/23 gateway=\
    192.168.30.31
add comment="MSK OFFICE" distance=1 dst-address=192.168.4.0/22 gateway=\
    192.168.30.31
# Management services: telnet/ftp/ssh off, HTTPS on. NOTE(review): www,
# winbox and api are not listed, so they keep their defaults (enabled), and
# without a terminal drop in the input chain they are reachable from the
# uplinks unless each service's address= is restricted.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
# NOTE(review): UPnP with both uplinks marked external lets any LAN host open
# inbound port mappings through the WAN without administrator involvement;
# disable it unless a specific application needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LANWAN type=internal
add interface=ether1 type=external
add interface=ether2 type=external
# Single L2TP account; local-address repeats the value already set in the
# L2TP profile.
/ppp secret
add local-address=192.168.30.1 name=***** password=***** profile=L2TP \
    service=l2tp
# SNMP agent on, traps sent with the "nemo" community (see NOTE above).
/snmp
set enabled=yes trap-community=nemo trap-version=2
/system clock
set time-zone-name=Europe/Riga
# Local logging for tunnel/firewall topics; dns logs go to a remote target.
/system logging
add topics=pptp
add action=remote topics=dns
add topics=firewall
add topics=interface
add topics=event
add topics=ppp
add topics=pppoe
# Board clocks and protected-routerboot (bootloader write protection) left
# disabled.
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR protected-routerboot=\
    disabled


Re: L2TP working like magic...

Posted: Tue Sep 22, 2015 8:41 am
by descartes
hi,

most likely your remote users have a firewall between them and their device (PC or otherwise); check that firewall and see if there is anything like "allow IPSEC passthrough", and also allow all IPsec-related ports — UDP 500 and 4500 — as well as the L2TP port UDP 1701 to be forwarded through the firewall.

Re: L2TP working like magic...

Posted: Thu Sep 24, 2015 11:15 am
by gradash
hi,

most likely your remote users have a firewall between them and their device (PC or otherwise); check that firewall and see if there is anything like "allow IPSEC passthrough", and also allow all IPsec-related ports — UDP 500 and 4500 — as well as the L2TP port UDP 1701 to be forwarded through the firewall.

I just upgraded 6.27 -> 6.33rc11 and everything started working :) Same config.

Re: L2TP working like magic...

Posted: Thu Sep 24, 2015 5:07 pm
by descartes
Hi,

Good to hear that your issue is resolved.

We had exactly the same IPSEC error message on the server; as it turns out, we had disallowed incoming UDP port 1701 (L2TP) on the client firewall. When we opened the port, the connection worked.

regards,