I have a problem with working L2TP/IPSec connection between MikroTik routers.
Portmap(Port forwarding) do not work properly when I connect from ROUTER-1 to TCP port of ROUTER-2.
Example: XNMP(Jabber) client from 192.168.6.2 behind NAT of ROUTER-1 is connecting to external(WAN)IP 1.1.1.1 of ROUTER-2 to port 5222 which forwarded by ROUTER-2 to internal IP address 192.168.5.14:5222. In this case it seems that couple of packages is received but connection is not established properly.
Portmapping works fine if IPSec policy is disabled. RDP works fine in any cases.
I've attached a scheme, I hope it helps to understand.
Where should I look to debug?
Thank you!
Here is some config on server side:Code: Select all
# aug/31/2016 15:07:55 by RouterOS 6.36
# software id = TCL9-KDSJ
#
/interface l2tp-server
add comment=HOME name=vpn-home user=vpn-home
add comment=TAE-BC name=vpn-tae user=vpn-tae-bc
/ip pool
add name=vpn-client-pool ranges=192.168.63.0/25
/ppp profile
add change-tcp-mss=yes name=l2tp-branch-profile
/ppp secret
add local-address=10.10.10.1 name=vpn-tae-bc password=L2TPforTAE profile=\
l2tp-branch-profile remote-address=10.10.10.2 service=l2tp
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-cilent-profile enabled=yes
/ip address
add address=1.1.1.1/28 comment=ISP1-SiNet interface=eth1-isp1 \
network=1.1.1.0
add address=192.168.5.1/24 comment=Local-Users interface=ether5-LAN network=\
192.168.5.0
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid log-prefix=""
add action=accept chain=input comment="Permit ICMP" log-prefix="" protocol=\
icmp
add action=reject chain=forward comment="Block Social Network" \
dst-address-list=socialnetList log-prefix=SOCIAL- protocol=tcp \
reject-with=tcp-reset src-address-list=!socialnet-allow
add action=accept chain=input comment=\
"Permit established, related connections" connection-state=\
established,related log-prefix=""
add action=accept chain=input comment="Permit L2TP-IPSec" log-prefix="" port=\
1701,500,4500 protocol=udp src-address-list=!L2TP/IPSec-deny
add action=accept chain=input comment="Permit L2TP-IPSec" log-prefix="" \
protocol=ipsec-esp src-address-list=!L2TP/IPSec-deny
add action=accept chain=input comment="Permit OSPF" in-interface=all-ppp \
log-prefix="" protocol=ospf
add action=drop chain=input comment="Drop other connection" connection-state=\
new in-interface=!ether5-LAN log-prefix=""
add action=drop chain=forward comment="Block Torrent" log-prefix="" p2p=\
all-p2p src-address-list=!torrent-allow
add action=drop chain=forward comment="Block Torrent" content="info_hash=" \
dst-port=2710,80 in-interface=ether5-LAN log-prefix="" protocol=tcp \
src-address-list=!torrent-allow
add action=drop chain=forward comment="Block Torrent" content=d1:ad2:id20: \
dst-port=1025-65535 in-interface=ether5-LAN log-prefix="" packet-size=\
95-190 protocol=udp src-address-list=!torrent-allow
/ip firewall nat
add action=dst-nat chain=dstnat comment=XNMP dst-address=1.1.1.1 \
dst-port=5222 log=yes log-prefix=JABBER- protocol=tcp to-addresses=\
192.168.5.14 to-ports=5222
add action=masquerade chain=srcnat comment=NAT-Users log-prefix="" \
src-address=192.168.5.0/24 src-address-list=!noNAT
/ip ipsec policy
add comment=TAE-BC dst-address=3.3.3.3/32 sa-dst-address=\
3.3.3.3 sa-src-address=1.1.1.1 src-address=\
1.1.1.1/32
/ip ipsec peer
add address=3.3.3.3/32 comment=TAE-BC enc-algorithm=aes-256 \
exchange-mode=main-l2tp generate-policy=port-override nat-traversal=no \
secret=IPSecSharedforTAEBC
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
Code: Select all
# aug/31/2016 16:11:50 by RouterOS 6.36
# software id = EPLZ-IKNU
#
/interface l2tp-client
add allow=mschap2 connect-to=1.1.1.1 disabled=no mrru=1600 name=\
VPN-Main-Office password=L2TPforTAE user=vpn-tae-bc
/ip address
add address=192.168.6.1/24 comment=LAN interface=ether5 network=192.168.6.0
add address=3.3.3.3/17 interface=eth1-isp1 network=3.3.3.0
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid log-prefix=""
add action=accept chain=input comment="Permit ICMP" log-prefix="" protocol=\
icmp
add action=reject chain=forward comment="Block Social Network" disabled=yes \
dst-address-list=socialnetList log-prefix=SOCIAL- protocol=tcp \
reject-with=tcp-reset src-address-list=!socialnet-allow
add action=accept chain=input comment=\
"Permit established, related connections" connection-state=\
established,related log-prefix=""
add action=accept chain=input comment="Permit Management" dst-port=8291 \
log-prefix="" protocol=tcp
add action=accept chain=input comment="Permit OSPF" in-interface=all-ppp \
log-prefix="" protocol=ospf
add action=drop chain=input comment="Drop other connection" connection-state=\
new in-interface=!ether5 log-prefix=""
add action=drop chain=forward comment="Block Torrent" log-prefix="" p2p=\
all-p2p src-address-list=!torrent-allow
add action=drop chain=forward comment="Block Torrent" content=d1:ad2:id20: \
dst-port=1025-65535 in-interface=ether5 log-prefix="" packet-size=95-190 \
protocol=udp src-address-list=!torrent-allow
add action=drop chain=forward comment="Block Torrent" content="info_hash=" \
dst-port=2710,80 in-interface=ether5 log-prefix="" protocol=tcp \
src-address-list=!torrent-allow
/ip firewall nat
add action=netmap chain=dstnat comment=DVR dst-address=3.3.3.3 \
dst-port=34567 log=yes log-prefix="DVR - " protocol=tcp to-addresses=\
192.168.6.30 to-ports=34567
add action=masquerade chain=srcnat comment=NAT.old log-prefix="" \
out-interface=eth1-isp1 src-address=192.168.6.0/24 src-address-list=\
!noNAT
/ip ipsec policy
add dst-address=1.1.1.1/32 sa-dst-address=1.1.1.1 \
sa-src-address=3.3.3.3 src-address=3.3.3.3/32
/ip ipsec peer
add address=1.1.1.1/32 enc-algorithm=aes-256 nat-traversal=no \
passive=yes secret=IPSecSharedforTAEBC send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
Looks like connection is established, but anyway it don't work.: Client side looks like: Connection established - connection error every 35 seconds