How to add static route through L2TP/IPSec into a Mikrotik subnet?

kraze
2020/05/25 02:55:56

Hello. Current situation:
 
Fortigate FG60E (192.168.0.1) is a Windows-like L2TP/IPSec VPN server (interface name is "localVPN") to which all remote clients connect, as well as providing access to local physical clients.
VPN address for FG60E is 192.168.100.130
Currently Mikrotik hEX (192.168.10.1) is connected to it remotely through VPN and has a 192.168.100.131 address. On Mikrotik I've added a static route which leads into 192.168.0.0/24 through 192.168.100.130 and it works well, all local hardware to Fortigate is available to everything remote behind Mikrotik through its 192.168.0.0 range.
 
However, I also want remote hardware behind Mikrotik (on a 192.168.10.0 network) to be accessible by local computers in the main 192.168.0.0 network.
 
However when adding a static route on Fortigate it isn't possible to just set it as "192.168.10.0/255.255.255.0" through "192.168.100.131" because FortiOS says there's no such gateway available - and the only other option is to set "192.168.10.0/255.255.255.0" route through the above-mentioned "localVPN" interface - however it doesn't seem to work.
 
Is there any other way to do it?
#1


    oliverthom707
    2020/08/11 00:53:08
     I also want remote hardware behind Mikrotik (on a 192.168.10.0 network) being accessible by local computers in the main 192.168.0.0 network
    #2
    evince
    2020/10/28 04:42:16
    Hello, same problem for me, is there any solution please?
     
    Thank you in advance,
    #3
    sw2090
    2020/10/28 05:08:34
    Just use the VPN interface as gateway interface and don't enter any gateway IP address.
    Then this route will make all traffic that goes to the subnet behind Mikrotik go through your VPN.
    Then the Mikrotik will have to take care of further routing AND reverse path.
    Also don't forget about the necessary policies to allow the traffic to flow :)
    #4
    evince
    2020/10/28 05:23:58
    Hello sw2090,
     
    Thank you for your response. I need to add an IP instead of gateway interface as I have many L2TP tunnels.
     
    So for me 10.30.15.0/24 should be routed through 10.10.10.2 and 192.168.199.0/24 should be routed through 10.10.10.3. Policies have been created dynamically.
     
    Thank you for your help
    #5
    sw2090
    2020/10/28 05:32:52
    I don't currently use L2TP but I have various IPSec tunnels and I just use the tunnel interface for routing and do not enter any gateway IP. Works fine here.
     
    Usually every single IPSec is treated as an interface on a FGT. I think it may be the same for L2TP.
    #6
    evince
    2020/10/28 05:37:02
    Unfortunately Fortigate creates a unique interface for the L2TP server, so I need to choose the correct gateway address. I'll open a ticket on the Fortinet portal.
     
    Thank you for your help :)
    #7
    sw2090
    2020/10/28 05:43:12
    Hm, didn't know that. I only had one L2TP on my FGT ever.
    Or is it just like IPSec dial-in tunnels? Those also have one tunnel interface into which you dial in.
    There is an interface for the concurrent connections only at runtime.
    In this case I'd run into the same problem.
     
    #8
    emnoc
    2020/10/28 07:03:45
    I highly doubt you can do what you're trying. L2TP over IPsec is for a "user dialup", why don't you just use a pure IPsec tunnel and set an interface address and define static routes?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #9
    evince
    2020/10/28 07:16:26
    Hello emnoc. I already have an IPsec tunnel, but the Internet line is currently down. So I'm trying to establish another tunnel through a 4G modem, and with this solution I cannot establish an IPsec tunnel :(
    #10
    emnoc
    2020/10/28 09:01:52
    And why? The 4G is blocking traffic? You could also maybe use the Fortigate as a dialup client if the far end is supporting dialup service.
     
    e.g. (FGT to FGT, but the concept would be the same regardless of whether the dialup server was a Juniper, strongSwan, ASA, etc.)
     
    http://socpuppet.blogspot.com/2019/10/fortigate-dialup-vpn-ipsec-from-2nd.html
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #11