On 01/23/2014 11:33 PM, Scott Lambert wrote:
> On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
>> Not sure if this applies to your configuration, but I recently ran into
>> the same symptom in two similar cases. The short version is, regardless
>> of what the config and logs say, the IPSec packets will have a source IP
>> of the pref-src value for the route matching the IPSec endpoint. Example...
>>
>> /ip addr add address=1.2.3.4/24 interface=wan
>> /ip addr add address=2.2.2.2/32 interface=wan
>> /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254
>>
>> The pref-src for the default route will be 1.2.3.4, unless otherwise
>> specified.
>>
>> If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA,
>> the SA will come up and everything will look fine, but the
>> L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially
>> if you're doing NAT-T, the router in front of the remote endpoint will
>> just drop the UDP packets because the connection tracking won't know
>> where they came from.
>>
>> I'm fudging some of the details because I'm a bit swamped and
>> pulling this from memory, but the underlying point is the same. If the
>> remote endpoint connects to 2.2.2.2, it won't work, and if you connect
>> to 1.2.3.4, it does.
>
> We have a winner!!! Have to use the IP speaking OSPF or BGP in the
> direction of the client. That makes things interesting with 8 paths
> into the router at the centrally located office. In the future, I will try
> to remember "MikroTik IPsec VPN concentrators must be single-homed to be
> useful."
>
> Thank you!

Glad that made sense and helped. I wonder sometimes. ;-)

-Kristian
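The following is an added illustration, not code from the thread or from MikroTik: a small Python model of the source-address selection Kristian describes, so the mismatch can be checked before a tunnel is built rather than diagnosed from dropped NAT-T packets. It reuses the addresses and routes from the quoted example and a constructed peer address (203.0.113.10). The rule it implements is a simplified assumption about RouterOS behaviour taken from the thread: if a route carries pref-src, that address is used; otherwise the first configured address whose subnet contains the gateway is used. The second route set shows the corrective setting, pref-src=2.2.2.2 on the route the peer is reached through, which is the parameter the thread names; the function and class names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Address:
    """One "/ip address add address=... interface=..." entry."""
    address: ipaddress.IPv4Interface
    interface: str


@dataclass
class Route:
    """One "/ip route add dst-address=... gateway=... [pref-src=...]" entry."""
    dst: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    pref_src: Optional[ipaddress.IPv4Address] = None


def best_route(routes: List[Route], peer: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the route that carries traffic to the IPsec peer."""
    candidates = [r for r in routes if peer in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.dst.prefixlen)


def effective_pref_src(route: Route, addresses: List[Address]) -> ipaddress.IPv4Address:
    """Source address stamped on locally generated packets using this route.

    Assumption (simplified model of what the thread describes): an explicit
    pref-src wins; otherwise the first address whose subnet contains the
    gateway is chosen, which is why 1.2.3.4 (added first, /24) is picked
    over 2.2.2.2/32 in the quoted configuration.
    """
    if route.pref_src is not None:
        return route.pref_src
    for a in addresses:
        if route.gateway in a.address.network:
            return a.address.ip
    raise ValueError(f"gateway {route.gateway} is not on any configured subnet")


def local_source_for_peer(routes: List[Route], addresses: List[Address], peer: str) -> str:
    """Address the remote peer will see as the source of ESP / UDP 4500 packets."""
    route = best_route(routes, ipaddress.IPv4Address(peer))
    if route is None:
        raise ValueError(f"no route to peer {peer}")
    return str(effective_pref_src(route, addresses))


def sa_source_consistent(routes: List[Route], addresses: List[Address],
                         peer: str, sa_local_address: str) -> bool:
    """True when outbound packets will come from the address the peer built its SA to.

    A False result is the failure mode in the thread: the SA looks up, but the
    remote side's NAT / connection tracking drops packets from the unexpected source.
    """
    return local_source_for_peer(routes, addresses, peer) == sa_local_address


# Constructed configuration, copied from the quoted example.
WAN_ADDRESSES = [
    Address(ipaddress.IPv4Interface("1.2.3.4/24"), "wan"),
    Address(ipaddress.IPv4Interface("2.2.2.2/32"), "wan"),
]
GW = ipaddress.IPv4Address("1.2.3.254")

# As posted: default route without pref-src.
BROKEN_ROUTES = [Route(ipaddress.IPv4Network("0.0.0.0/0"), GW)]

# Corrected: the route matching the peer carries pref-src=2.2.2.2.
FIXED_ROUTES = [Route(ipaddress.IPv4Network("0.0.0.0/0"), GW, ipaddress.IPv4Address("2.2.2.2"))]

# Alternative: leave the default route alone and add a more specific route
# for the peer with pref-src set; longest-prefix match picks it.
PEER = "203.0.113.10"  # constructed remote endpoint address
PEER_SPECIFIC_ROUTES = BROKEN_ROUTES + [
    Route(ipaddress.IPv4Network(PEER + "/32"), GW, ipaddress.IPv4Address("2.2.2.2")),
]

if __name__ == "__main__":
    for name, routes in [("as posted", BROKEN_ROUTES), ("pref-src on default", FIXED_ROUTES),
                         ("pref-src on /32 to peer", PEER_SPECIFIC_ROUTES)]:
        src = local_source_for_peer(routes, WAN_ADDRESSES, PEER)
        ok = sa_source_consistent(routes, WAN_ADDRESSES, PEER, "2.2.2.2")
        print(f"{name:24s} packets to {PEER} leave from {src}  SA to 2.2.2.2 consistent: {ok}")
```

Running the block prints one line per route set; the "as posted" configuration reports 1.2.3.4 as the source and an inconsistent SA, the other two report 2.2.2.2. The check is worth running for every path on a multi-homed concentrator, since each route that can match a peer has its own pref-src.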
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS