Community discussions

MikroTik App
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 3:42 am

Hi! I would kindly ask for some help in order to force my MTik L2TP/IPsec client to use specific (lte2) interface in dual wan configuration (lte1 & lte2).
I want that my mtik l2tp/ipsec client when connects to my mtik l2tp/ipsec server uses lte2 gateway (192.168.51.1)

My config that does not work for l2tp/ipsec but for example works (slightly changed) for pptp client is:
Code:Select all
/ip firewall address-list add address=my.server.ddns.address list=adressddns /ip firewall mangle add action=mark-routing chain=output dst-address-list=adressddns new-routing-mark=markforl2tp passthrough=no /ip route add distance=1 gateway=192.168.8.1 (lte1) add distance=1 gateway=192.168.51.1 routing-mark=markforl2tp (lte2)
我可以see that ipsec peer is always established through lte1 gateway (192.168.8.1). Only solution is to disable default gateway lte1 and then the l2tp/ipsec client successfully establish connection through lte2 gateway.
How can I force ipsec client to use lte2 interface instead lte1?
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 1:08 pm

Аdd route rule this IP ipsec client address to look in markforl2tp routing table !
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 3:18 pm

Tnx very much @JohnTRIVOLTA !
Can you please be more specific? My apologies but I am not expert and although I understand in general what you are meaning, I am not sure what exactly should I do. After searching the forum yesterday, I tried to do something in that sense, but obviously wrong as I did not succeed. Can you please suggest some general command?
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 3:39 pm

Just add this rule : replace X.X.X.X with ipsec client ip address
/ip r rule add src-address=X.X.X.X table=markforl2tp action=lookup
/ip fi nat add chain=srcnat src-address=X.X.X.X action=masquerade out-interface=lte2 place-before=0
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 4:18 pm

Tnx!
In the meanwhile I have tried with
Code:Select all
/ip route rule add action=lookup interface=l2tp-client table=markforl2tp
but with NO sucess. EDIT: It is obvious that this doesn't work because l2tp is established after the ipsec so this doesn't make sense.

I will try yours now and report. Can you please say what ip shoud I put under "src-address=X.X.X.X" ?
Private ip of the lte2 interface, private ip that the l2tp client will get from the server when connection is established (I don't think so) ? Sorry for dumb question!

EDIT: I am seeing what you said but I am not sure what ip is the one, so that's the reason I am asking. Apologies once more
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

2021年7月27日星期二5:03点

Ipsec is between public addresses ! If the client receives a dynamic ip address /some l2tp client private ip/ you put the whole network plus the interface as you added in the rule !
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 5:50 pm

Uh, yes.
My MTik is RB951G with two LTE usb dongles that assign private IPs (dhcp) to the Mtiks lte interfaces. So mtik lte1 interface has private IP 192.168.8.100 and lte2 has 192.168.51.238.
Corresponding routes:
Code:Select all
/ip route add comment="LTE2 for l2tp ipsec client" distance=1 gateway=192.168.51.1 routing-mark=markforl2tp add comment="LTE1" distance=1 gateway=192.168.8.1 add comment="LTE2" distance=2 gateway=192.168.51.1
are defined and everything works baside the thing that I want to force mtik l2tp/ipsec client to go exclusively through lte2 interface. When the l2tp client is enabled, the ipsec always goes through lte1 interface so ipsec active peer has local ip 192.168.51.238 and remote ip is the public ip of the server. In that situation l2tp can not be established over lte2 as ipsec is established over lte1 so it hangs. If I completly disable gateway 192.168.8.1 over lte1 interface, leaving only lte2 gateway enabled everything works perfectly.
EDIT: Similarly, if I completely disable gateway 192.168.51.1 over lte2 interface again everything works.

What should I do to accomplish what you said that "the whole network plus the interface is in the rule" ?
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 6:18 pm

The traffic comes out through the lte 1 interface because it looks in the main routing table .
.....
Snat rule ?
/ip fi nat add chain=srcnat src-address=X.X.X.X24 action=masquerade out-interface=lte2
Yes, the route rule must be :
/ip route rule add action=lookup interface=l2tp-client table=markforl2tp src-address=X.X.X.X/24
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 6:44 pm

Src nat I already have.
When I add the rule
Code:Select all
/ip route rule add action=lookup interface=l2tp-client table=markforl2tp src-address=192.168.51.0/24
it still establishes ipsec connection over lte1 interface.
It is like ipsec is not part of the l2tp-client interface. Ipsec establishes over lte1 and the l2tp tunnel can not establishe over lte2. Something is missing that could force ipsec to go through lte2 interface.
What else could I try?

EDIT: How the router decides from what ip the ipsec connection is going to be initiated?
Can I maybe try with ip 0.0.0.0/0 ? : seems crazy
Code:Select all
/ip route rule add action=lookup interface=l2tp-client table=markforl2tp src-address=0.0.0.0/0
Or maybe 192.168.0.0/16 ?
What would that be?
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 7:55 pm

Now I understand exactly what you want. I thought you want the l2tp client as it is connected through lte1, the traffic to the public space to go through lte2 and the rules are for such a setup !
If you want to use lte2 as a server, then you have to mark the incoming traffic with the same mark, to allow the corresponding input ports if they are not.
/ip fi m add chain=prerouting in-interface=lte2 action=mark-routing routing-mark=markforl2tp
add these rules too:
/ip fi nat add chain=srcnat src-address=X.X.X.X24 action=masquerade out-interface=lte2
/ip route rule add action=lookup interface=l2tp-client table=markforl2tp src-address=X.X.X.X/24

X.X.X.X/24 this is local, private l2tp network not private WAN LTE addresses!
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 8:28 pm

Hi!
Maybe I am not clear. I will try to be as simple as possble. I have remote mtik l2tp/ipsec server with public ip (that public ip is dynamic so I am using ddns on it) and I want to connect to it from my RB951G (rb951g is l2tp/ipsec client) that has two WANs - usb lte modems (lte1 and lte2). I "simpy" want that l2tp/ipsec connection from client to remote server is going through lte2 interface while all other regular traffic (wlan clients, ether clients...) goes through lte1 interface. That is it.
I do not want to use lte2 as server. Server is already configured. I want that mtik rb951 client connects to server using lte2 as interface
Top
用户头像
JohnTRIVOLTA
Member
Member
Posts: 305
加入: Sun Dec 25, 2016 2:05 pm
Location:BG/Sofia

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Tue Jul 27, 2021 9:41 pm

Hi!
Maybe I am not clear. I will try to be as simple as possble. I have remote mtik l2tp/ipsec server with public ip (that public ip is dynamic so I am using ddns on it) and I want to connect to it from my RB951G (rb951g is l2tp/ipsec client) that has two WANs - usb lte modems (lte1 and lte2). I "simpy" want that l2tp/ipsec connection from client to remote server is going through lte2 interface while all other regular traffic (wlan clients, ether clients...) goes through lte1 interface. That is it.
I do not want to use lte2 as server. Server is already configured. I want that mtik rb951 client connects to server using lte2 as interface
Oh, now i understand :) Hmm, the router use main routing table. Set lte1 last resort route with distance=2 to activate lte2 last resort route. Make another routing table for other local networks to use lte1 !
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Wed Jul 28, 2021 1:14 am

Oh, now i understand :)
:-) tnx for your help and time!
Hmm, the router use main routing table.
So, it seams that ipsec can not get routing mark and then be policy routed.? Is this the expected behaviour or a bug, or...? It seams strange such a behavior.
Set lte1 last resort route with distance=2 to activate lte2 last resort route. Make another routing table for other local networks to use lte1 !
How to do that? Should I mangle mark-routing all other traffic with some other routing mark? Is that going to be an overkill for the router?
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system

Wed Jul 28, 2021 2:02 am

I have found some kind of workaround.
If I add a dedicated route with dst-address= IP of the l2tp/ipsec server (in my case it is a dynamic public IP address) than everything works and also there is no more need to mangle anything with mark-routing. Example:
Code:Select all
/ip route add comment="route through LTE2 for l2tp ipsec client towards server" distance=1 dst-address=IP_of_the_server/32 gateway=192.168.51.1
但是,总有一些但是…问题是:-)that since the server has dynamic public ip it changes every 24h so I need to modify this route once a day entering new IP for "dst-address=" parameter. Can I get some help how to make a script that will modify this route once the ip of the server changes.
Top
用户头像
webor
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
加入: Sat Dec 20, 2008 2:33 am
Location:Croatia, Europe

Re: L2TP/IPsec client routing through specific interface in dual WAN system[SOLVED]

Wed Jul 28, 2021 11:57 am

How the router decides from what ip the ipsec connection is going to be initiated?
在回答自己的问题,I have found the missing setting that resolved the unwanted behaviour and now the l2tp/ipsec client always uses lte2 to connect to server. The thing that was necessary in addition to my initial configuration presented in the first post was to explicitly specify the src-address parameter in the interface l2tp-client. It was necessary to add private ip address of the lte2 interface as src-address of the l2tp-client.
Code:Select all
/interface l2tp-client add connect-to=my.server.ddns.address ipsec-secret=mysecret name=l2tp-client src-address=192.168.51.238 password=mypassword profile=myprofile use-ipsec=yes user=myusername

Thank you @JohnTRIVOLTA for spending your time and sharing your knowledge in solving this puzzle. It was a pleasure
Top

Who is online

Users browsing this forum:andrek,atejani,Bing [Bot],CrashOverride1,karlisi,LearningLinux,Minions70,perrycharltonand 37 guests

Baidu
map