I have an interesting scenario I'm curious if I can work through. My ISP
(cable company) provides me with a /28 of IP addresses. I have them
assigned to an x86 Mikrotik router (router1) that does firewalling, VPN,
connection tracking, etc. for our company network. It's on an older
version of ROS (6.7).

One of those IPs is set aside (not assigned to an interface on router1)
for a lab network I have in my office for testing things. This device is
an RB750 (router2). It connects to router1 via PPPoE on a private VLAN
to obtain that IP address and assign it to the "WAN" interface. For the
most part, this seems to have allowed me to avoid any double or triple
NAT scenarios and I've been able to utilize it for simple VPNs (PPTP)
and a 6to4 tunnel to HE. This one is running the latest version of ROS.

I've been experimenting with L2TP over IPsec and have had moderate
success (especially with the ease with which you can enable IPsec on
tunnels now). Everything works as expected when connections are
initiated INSIDE router1's realm (i.e. not over the internet). I can
establish my L2TP tunnel and the IPsec policies are created as expected.
I have found, however, that this connection does not work when coming
from the internet. Digging through the log, I can see "tunnel xx
received no replies, disconnecting" on the L2TP side of things and not
seeing anything obvious (to me anyway) within IPsec. I have "accept"
rules in both firewall/filter and firewall/mangle to try to avoid
anything being filtered. I have also been able to successfully establish
an L2TP/IPsec VPN connection to router1 over the internet.

Not sure what's causing the problem here, but I'm curious if connection
tracking on router1 might be the issue? I thought with the PPPoE
connection assigning one of my public IPs it may avoid the issue, but
maybe not? I can see the connections being tracked in router1.

Assuming everything I wrote made ANY sense whatsoever, anyone have ideas
as to what I could try?
--
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
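An added worked example (editor's addition, not part of Rory's post or of any reply): the RouterOS commands that make router1 pass a complete L2TP/IPsec exchange through to router2, and the commands on both routers that show whether the packets arrive and whether IKE actually completes. Because router2's /28 address is obtained over PPPoE from router1, every packet for that tunnel is routed through router1's forward chain and is connection-tracked like any other forwarded flow; the example only checks that transit path and does not claim to be the cause of the "received no replies" message. Assumed values: 203.0.113.5 is the address router2 gets over PPPoE (a documentation range), ether1-wan is router1's cable-facing interface, and the IPsec command names are those of RouterOS 6.x.

```routeros
# Editor's example, not from the original post. Assumed names and addresses:
#   203.0.113.5  = the /28 address router2 obtains over PPPoE (documentation range)
#   ether1-wan   = router1's cable-facing interface
# Packets for an L2TP/IPsec tunnel that terminates on router2 are forwarded by
# router1, so they pass router1's forward chain and appear in its conntrack table.

# --- router1: accept the whole L2TP/IPsec exchange destined for router2 ---
# These rules are appended at the end of the chain; move them above any
# drop rule in the forward chain (e.g. with place-before=) or they never match.
/ip firewall filter
add chain=forward dst-address=203.0.113.5 protocol=udp dst-port=500 action=accept comment="IKE/ISAKMP to lab router"
add chain=forward dst-address=203.0.113.5 protocol=udp dst-port=4500 action=accept comment="IPsec NAT-T (UDP-encapsulated ESP), used when the client is behind NAT"
add chain=forward dst-address=203.0.113.5 protocol=ipsec-esp action=accept comment="raw ESP, used when no NAT is in the path"
add chain=forward dst-address=203.0.113.5 protocol=udp dst-port=1701 action=accept comment="L2TP; only visible in the clear if IPsec is not required"
add chain=forward connection-state=established,related action=accept comment="return traffic for tracked connections"

# --- router1: see what really arrives for router2 and what conntrack holds ---
/tool sniffer quick interface=ether1-wan ip-address=203.0.113.5
/ip firewall connection print where dst-address~"203.0.113.5"
/ip firewall filter print stats where chain=forward

# --- router2: confirm IKE completed and SAs were installed before blaming L2TP ---
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ppp active print
```

If the sniffer on router1 shows UDP/500 and UDP/4500 arriving but router2's `remote-peers` list stays empty, the packets are lost between router1's WAN side and the PPPoE interface; if `installed-sa` fills up but `/ppp active` never shows the L2TP session, the IPsec leg is fine and the problem is in the L2TP exchange inside it.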