The L2TP/IPsec VPN server is a Mikrotik router with the following firewall configuration:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; VPN L2TP port 500
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=500
2 ;;; VPN L2TP port 1701
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=1701
3 ;;; VPN L2TP port 4500
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=4500
4 ;;; VPN L2TP IPSec
chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1
5 ;;; VPN L2TP AH
chain=input action=accept protocol=ipsec-ah in-interface=pppoe-out1
6 ;;; Allow all from VPN
chain=input action=accept src-address-type=local
7 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
8 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""
9 ;;; Drop SSH requests from outside
chain=input action=drop protocol=tcp in-interface=pppoe-out1
dst-port=22 log=no log-prefix=""
10 ;;; Drop Winbox connection from outside
chain=input action=drop protocol=tcp in-interface=pppoe-out1
dst-port=8291 log=no log-prefix=""
11 ;;; Drop UDP DNS requests from outside
chain=input action=drop protocol=udp in-interface=pppoe-out1
dst-port=53 log=no log-prefix=""
12 ;;; Drop TCP DNS requests from outside
chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
13 ;;; Allow ping from outside
chain=input action=accept protocol=icmp dst-address=103.12.163.90
log=no log-prefix=""
14 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
15 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
16 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
17 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
18 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=pppoe-out1 log=no
log-prefix=""
1 ;;; HTTPS remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=900
protocol=tcp in-interface=pppoe-out1 dst-port=900 log=no log-prefix=""
2 ;;; HTTP remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
protocol=tcp in-interface=pppoe-out1 dst-port=443 log=no log-prefix=""
3 ;;; HTTP remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix=""
4 ;;; Plex server remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=32400
protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no
log-prefix=""
5 ;;; HTTPS hairpin NAT
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix=""
6 ;;; HTTP hairpin NAT
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""
7 ;;; HTTPS hairpin NAT
chain=srcnat action=masquerade to-addresses=10.0.0.2 protocol=tcp
src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface=bridge
dst-port=443 log=no log-prefix=""
8 ;;; HTTP hairpin NAT
chain=srcnat action=masquerade to-addresses=10.0.0.2 to-ports=80
protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.2
out-interface=bridge dst-port=80 log=no log-prefix=""
Now the strange thing is that iOS clients can connect to this VPN and reach both the local network and the internet, while Windows clients can only reach the local network and not the internet (I don't know whether this is the case on other platforms, since I can't test them at the moment). I have ruled out DNS and routing problems, because these Windows clients can ping global IP addresses and domain names, and can tracert as well. Am I missing something? I have used the same configuration on many Mikrotik routers; what the routers with the problem have in common is that the WAN connection is PPPoE:
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah
/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes
/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
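One check worth running on a dump like the one above: every WAN-side accept names pppoe-out1, while the defconf "drop all from WAN" rules (input rule 14, forward rule 18) still name ether1, so packets arriving on pppoe-out1 that no explicit rule matches never reach an interface-wide drop. The script below is an added example, not part of the original post; it parses the `/ip firewall filter print` layout and reports, per chain, interfaces that accept rules reference but no drop rule matching only `in-interface` covers. The embedded sample is a constructed subset of the rules above, and the notion of "interface-wide drop" (a drop with no protocol, port or address matcher) is this example's own assumption.

```python
# Parse a RouterOS '/ip firewall filter print' dump and flag interfaces that
# accept rules name but no interface-wide drop rule in the same chain covers.
import re

# Constructed sample in the layout of the dump above: the WAN accept names
# pppoe-out1, the defconf "drop all from WAN" rule still names ether1.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; VPN L2TP port 500
      chain=input action=accept protocol=udp in-interface=pppoe-out1
      dst-port=500
 1 ;;; Drop SSH requests from outside
      chain=input action=drop protocol=tcp in-interface=pppoe-out1
      dst-port=22 log=no log-prefix=""
 2 ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix=""
"""

HEAD = re.compile(r"^\s*(\d+)(?:\s+([XID]+))?\s*(.*)$")  # "12 D ;;; text" / "0 k=v"
KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')
# Matchers that make a drop rule narrower than "everything on this interface".
NARROWING = {"protocol", "dst-port", "src-port", "src-address", "dst-address"}

def parse_rules(dump):
    """One dict per rule: index, flags, comment, plus its key=value matchers."""
    rules = []
    for line in dump.splitlines():
        m = HEAD.match(line)
        if m:                                   # new rule header
            idx, flags, rest = m.groups()
            rules.append({"index": int(idx), "flags": flags or "", "comment": ""})
            if rest.startswith(";;;"):          # comment header; matchers follow
                rules[-1]["comment"], rest = rest[3:].strip(), ""
        else:                                   # wrapped continuation, or the legend
            rest = line if rules else ""
        if rules:
            rules[-1].update((k, v.strip('"')) for k, v in KV.findall(rest))
    return rules

def uncovered_interfaces(rules):
    """Per chain: interfaces named by accept rules but by no interface-only drop."""
    report = {}
    for chain in sorted({r["chain"] for r in rules if "chain" in r}):
        active = [r for r in rules if r.get("chain") == chain and "D" not in r["flags"]]
        accepted = {r["in-interface"] for r in active
                    if r.get("action") == "accept" and "in-interface" in r}
        dropped = {r["in-interface"] for r in active if r.get("action") == "drop"
                   and "in-interface" in r and r.keys().isdisjoint(NARROWING)}
        if accepted - dropped:
            report[chain] = accepted - dropped
    return report
```

Run against the full dump above, the same check lists pppoe-out1 for the input chain, because rule 14 only covers ether1.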