
HELP with L2TP/IPsec

Posted: Fri Jan 24, 2014 9:19 pm
by vomus
Hi!
I am trying to configure an L2TP/IPsec connection between my Mikrotik and an Android phone. Reading
http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP on the wiki seemed like a rather straightforward setup which I followed.

Everything went fine and I even connected to my router. However, I could not reach any IP address on my internal LAN except the router itself (10.161.0.1). I attach the routing table as it appeared after the client connected.

Can anyone help, please?

Re: HELP with L2TP/IPsec

Posted: Sat Jan 25, 2014 12:31 am
by lambert
What is the version of your RouterOS?

Re: HELP with L2TP/IPsec

Posted: Sat Jan 25, 2014 1:39 am
by efaden
Post your exports

Sent from my SCH-I545 using Tapatalk

Re: HELP with L2TP/IPsec

Posted: Sat Jan 25, 2014 7:15 am
by vomus
Post your exports
Sent from my SCH-I545 using Tapatalk
The version is 6.7 and the firewall export is below:
# jan/25/2014 09:13:24 by RouterOS 6.7
# software id = R9KJ-T416
#
/ip firewall filter
add chain=input comment="Allow Established connections" connection-state=established
add chain=forward connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow connections from inside LAN" in-interface=!Rostelecom-PPPoE src-address=10.161.0.0/16
add action=log chain=input comment="Log VPN activity" dst-port=1701,500,4500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input comment="Open L2TP/IPsec connections" connection-state=new dst-port=1701 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=Rostelecom-PPPoE protocol=udp
add chain=input in-interface=Rostelecom-PPPoE protocol=ipsec-ah
add chain=input in-interface=Rostelecom-PPPoE protocol=ipsec-esp
add action=drop chain=input comment="Block repetitive SSH tries for 5 days" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=5d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Allow only 10 incorrect FTP logons per minute" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="Drop the rest"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=Rostelecom-PPPoE src-address=10.161.0.0/16

Re: HELP with L2TP/IPsec

Posted: Sun Jan 26, 2014 12:36 am
by rjscomms
Hello,

just a quick thought, do you have proxy-arp enabled on the interface facing your internal network?

Have a look at the wiki page for PPTP and it describes it there. I believe it is still applicable in your case.
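
The proxy-arp fix described above, written out as an added RouterOS example (not from this thread or the wiki page). The 10.161.0.0/16 LAN, the router address 10.161.0.1 and the WAN interface Rostelecom-PPPoE come from the export in this thread; the LAN bridge name `bridge-local`, the pool name and its address range are assumptions.

```routeros
# Added example, not from the thread. bridge-local, l2tp-pool and the pool
# range are assumptions; adjust them to the real LAN interface and a free
# slice of 10.161.0.0/16.

# Hand VPN clients addresses inside the LAN subnet so that, from the point of
# view of LAN hosts, the client looks like an on-link neighbour.
/ip pool
add name=l2tp-pool ranges=10.161.255.10-10.161.255.50
/ppp profile
set default-encryption local-address=10.161.0.1 remote-address=l2tp-pool

# LAN hosts ARP for 10.161.255.x on the LAN segment. Nothing on that segment
# owns those addresses, so the router must answer on the client's behalf;
# without this, replies to the VPN client never leave the LAN.
/interface bridge
set bridge-local arp=proxy-arp
# For a plain ethernet LAN port instead of a bridge:
# /interface ethernet set ether2 arp=proxy-arp

# Verify after a client connects: its address should show up as a /32 route
# over the dynamic L2TP interface, and the bridge should report proxy-arp.
/ip route print where dst-address~"10.161.255."
/interface bridge print where arp=proxy-arp

# Hardening note (assumes the ipsec-policy firewall matcher is available on the
# running version): the export accepts UDP 1701 from the WAN unconditionally.
# Since L2TP is meant to arrive inside ESP, require that with ipsec-policy
# instead of leaving plain L2TP open to the internet.
/ip firewall filter
add chain=input comment="L2TP only inside IPsec" connection-state=new \
    dst-port=1701 in-interface=Rostelecom-PPPoE protocol=udp ipsec-policy=in,ipsec
```

The pool range must not collide with addresses already handed out on the LAN by DHCP, otherwise the proxy-arp answers will fight with real hosts.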

Re: HELP with L2TP/IPsec

Posted: Sun Jan 26, 2014 12:22 pm
by vomus
Hello,
just a quick thought, do you have proxy-arp enabled on the interface facing your internal network?

Have a look at the wiki page for PPTP and it describes it there. I believe it is still applicable in your case.
Hi! It worked! Thanks. How come no one has corrected the IPsec wiki page... :(

Re: HELP with L2TP/IPsec

Posted: Mon Jan 27, 2014 1:17 am
by rjscomms
Glad it worked for you.

I think they have not updated the wiki page for l2tp/ipsec because the proxy-arp feature is not directly related to l2tp/ipsec as such.