Multiple Dynamic IP clients can't connect to RB IPSEC Server
Posted: Tue Jun 05, 2012 3:41 am
Hi,
I have the IPSEC VPN server set up as per the wiki with two dynamic Routerboard clients (clients with dynamic IPs) connecting back to the router. If either one connects by itself, things are fine. If I enable both Peer profiles (both having their address set to 0.0.0.0/0), only one of them successfully connects. If I set the dynamically assigned IP address of the problem peer in the server Peer Profile in IPSEC (replacing the 0.0.0.0/0), both peers connect fine. Oddly enough, it's always the same peer that has the problem, no matter which connects first.
Having a quick read of the RFCs (a real quick read!), it would seem that the source IP address somehow makes up part of the authentication (or encryption?) packets. Since the client that is having problems is a PPPoE client (from their ISP's perspective), while the other client is a cable modem customer (straight dynamic/DHCP client), I suspect the problem is that the dynamic IP received over PPPoE is not making it into the client's IPSEC session properly.
I've posted another issue related to OpenVPN and PPPoE here:
http://forum.mikrotik.com/viewtopic.php?f=2&t=62251
Although the problems are dissimilar, the symptomatic clients are both PPPoE, and I'm starting to wonder if there are not some nasty bugs related to PPPoE clients and VPNs in general in ROS that need some squashing! Anyone else seeing this behaviour?
Thanks,
-Rob
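The post asks whether the source IP address is part of the IKE authentication. In IKEv1 main mode with pre-shared keys (RFC 2409) it is not an input to the authentication hash; it matters because the responder has to choose the pre-shared key from the initiator's address before it can decrypt the message that carries the initiator's identity. The model below is an added example, not RouterOS code and not the poster's configuration: it implements the RFC 2409 SKEYID and HASH_I derivations with constructed cookies, nonces and DH values, and uses an assumed peer-selection rule (most specific address match, first entry on ties) to show what happens when two catch-all 0.0.0.0/0 entries carry different keys versus when one peer is pinned to its address.

```python
"""Model of IKEv1 main-mode pre-shared-key authentication (RFC 2409, sections 4, 5 and 5.4).

Added, hypothetical example: it is not RouterOS code, and the peer-selection rule
below is an assumption for the model, not RouterOS's matching logic. It shows why
a main-mode responder must pick the pre-shared key from the initiator's source
address before it can decrypt the identity payload, and what follows when two
catch-all peer entries carry different keys.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated PRF: HMAC-SHA1 when SHA is the agreed hash (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4: with pre-shared keys, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, g_xi: bytes, g_xr: bytes, cky_i: bytes, cky_r: bytes,
           sa_i_b: bytes, id_ii_b: bytes) -> bytes:
    """RFC 2409 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).

    The packet source address is not an input; an address only appears here if
    the initiator chooses an ID_IPV4_ADDR identity for IDii.
    """
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i_b + id_ii_b)


@dataclass(frozen=True)
class PeerEntry:
    """One responder peer entry: an address range and the PSK for peers in it."""
    address: str
    psk: bytes


@dataclass(frozen=True)
class Initiator:
    src_ip: str
    psk: bytes
    id_ii_b: bytes  # identity payload body; the responder can only read it after decryption


def select_peer(entries, src_ip):
    """Most specific matching entry wins; among equal prefixes the first listed
    entry wins. This is the assumed rule for the model, not a RouterOS statement."""
    ip = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for entry in entries:
        net = ipaddress.ip_network(entry.address, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


# Constructed, fixed exchange material so the run is deterministic. In a real
# exchange the cookies and nonces are random and g^xi / g^xr are DH public values.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
NI_B = bytes.fromhex("a1" * 16)
NR_B = bytes.fromhex("b2" * 16)
G_XI = bytes.fromhex("c3" * 32)
G_XR = bytes.fromhex("d4" * 32)
SA_I_B = bytes.fromhex("e5" * 12)


def responder_accepts(entries, init: Initiator) -> bool:
    """True if the responder's recomputed HASH_I matches the one the initiator sent.

    Main-mode message 5 carries IDii and HASH_I encrypted under SKEYID_e, which is
    derived from SKEYID and hence from the PSK. The responder therefore has to
    have chosen a PSK already, and the only selector available at that point is
    the packet's source address. With the wrong PSK the real message 5 decrypts
    to garbage; in this model the same failure shows up as a HASH_I mismatch.
    """
    entry = select_peer(entries, init.src_ip)
    if entry is None:
        return False
    # Initiator side: derived from the key the initiator was configured with.
    sent = hash_i(skeyid_psk(init.psk, NI_B, NR_B), G_XI, G_XR, CKY_I, CKY_R,
                  SA_I_B, init.id_ii_b)
    # Responder side: derived from the key of the entry matched by address.
    expected = hash_i(skeyid_psk(entry.psk, NI_B, NR_B), G_XI, G_XR, CKY_I, CKY_R,
                      SA_I_B, init.id_ii_b)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    cable = Initiator("203.0.113.10", b"cable-secret", b"cable.example")
    pppoe = Initiator("198.51.100.7", b"pppoe-secret", b"pppoe.example")
    two_catchall = [PeerEntry("0.0.0.0/0", b"cable-secret"),
                    PeerEntry("0.0.0.0/0", b"pppoe-secret")]
    pinned = [PeerEntry("0.0.0.0/0", b"cable-secret"),
              PeerEntry("198.51.100.7/32", b"pppoe-secret")]
    for label, entries in (("two catch-all entries", two_catchall),
                           ("second peer pinned to its address", pinned)):
        print(label, "| cable:", responder_accepts(entries, cable),
              "| pppoe:", responder_accepts(entries, pppoe))
```

With two catch-all entries the model always serves the same entry's key, so whichever initiator was configured with the other key fails every time regardless of connection order; pinning one peer to its address lets both succeed. The standard ways to serve several dynamic peers with distinct credentials are a single catch-all entry whose key all of them share, aggressive mode (where IDii is sent in the clear in the first message, so the key can be selected by identity), or certificate authentication.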