L2TP+IPSec Client behind NAT

Greetings.

I’d like to get your help.
RouterOS: 6.41 (tried on 6.40.4 before).

We have a central office where we have a Huawei edge router, which has an L2TP+IPSec server on it.
We also have branch offices, which have MikroTik routers as edge devices. Some branches have public addresses; some are connected behind the ISP's NAT and have "gray", private IP addresses.

We have successfully configured an L2TP+IPSec connection between the CO and a public BO, but now we are facing a problem connecting the other branch offices.
L2TP client without IPSec works fine behind the NAT, but as we turn on IPSec it stops working.

Related configuration with working L2TP+IPSec and public BO:

/interface l2tp-client
add allow=chap,mschap1,mschap2 comment=ERT1 connect-to=XXX.XXX.XXX.XXX \
    disabled=no ipsec-secret=KEY keepalive-timeout=disabled \
    max-mru=1500 max-mtu=1500 name=L2TP password=L2TP profile=L2TP_ppp \
    use-ipsec=yes user=l2tp_user
/ip ipsec proposal
# as posted: the default proposal still offers md5, 3des and des
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des
/ppp profile
add name=L2TP_ppp use-compression=no use-encryption=yes use-mpls=no
set *FFFFFFFE use-encryption=default

On the problematic BO routers:
If we copy the dynamically created IPSec peer and uncheck the “Use IPSec” button in the L2TP-Client interface, then we start receiving error “No address provided”.
If we change the “Exchange Mode” to IKE2, then we stop getting any messages related to IPSec in the log (but L2TP w/o IPsec works).

Is it possible to resolve? What could be the problem?

Thanks.

L2TP/IPsec is limited to only one peer behind NAT. It is suggested to use IKEv2 for such occasions.

Is there any configuration guide, how to configure IKE2?

We’ve tried copying the dynamic IPSec peer as static, and changing “Exchange mode” to IKE2 like this
/ip ipsec peer
add address=XXX.XXX.XXX.XXX/32 enc-algorithm=aes-256,aes-192,aes-128,3des \
    exchange-mode=ike2 generate-policy=port-strict secret=KEY

And turning off IPSec in the L2TP-client interface options.

After this the L2TP tunnel sets up without IPSec: no installed-SA and no log messages.


Thanks!

You need a policy too, to match the L2TP traffic. But note that L2TP over IKE2 will not work with Windows, iOS or other vendor clients.

Thanks for the note, but no application clients will be present, only MikroTik-s.

Any example of such policy? We’ve added a policy (copied from dynamic):

/ip ipsec policy export
add dst-address=XXX.XXX.XXX.XXX/32 dst-port=1701 protocol=udp src-address=\
    192.168.1.220/32 src-port=1701
/ip ipsec policy print
 1 A  src-address=192.168.1.220/32 src-port=1701 dst-address=XXX.XXX.XXX.XXX/32
      dst-port=1701 protocol=udp action=encrypt level=require
      ipsec-protocols=esp tunnel=no proposal=default ph2-count=1

Where XXX.XXX.XXX.XXX is public address of CO edge

Depending on these lines, how should they look like?
Is the ip ipsec peer entry correct?

Thanks!

add dst-address=XXX.XXX.XXX.XXX/32 dst-port=1701 protocol=udp src-address=\
    192.168.1.220/32 src-port=1701 tunnel=yes \
    sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=192.168.1.220

I still don't exactly understand why. The IPsec peer dynamically generated by the l2tp-server configuration with use-ipsec=required has NAT traversal support set to "yes", and the L2TP is tunnelled over ESP, which itself is tunnelled over UDP, so there is no port-less protocol to be handled by the client-side NAT device; and if two clients are behind the same public address, one of them should get one pair of ports (500', 4500') on the public address and the other one should get another pair (500", 4500"). So where does the "single client per public IP" limitation come from, given that the user identification and authentication takes place inside L2TP?

+1

IPsec ESP is port-less. You still need to somehow know which client uses which port to match it with correct spi.

So after “unpacking” ESP from UDP, the remote UDP port is not used along with the IP address to distinguish between the clients? And while NAT-T extension to IKEv1 does not address this, IKEv2 does?

That is correct. It is not a matter of IKEv1 or IKEv2. It is the ESP Transport mode (which is used by L2TP) that is not working well with NAT.

Hello
Is there any solution to this problem? I have several clients that use laptops and connect from the same network, and with L2TP/IPsec they cannot connect. At the moment I have solved it with PPTP. I have tried to implement IKEv2, but I am struggling to get it operational :(

Yes, there is, but it can cause a headache.

Other than that, what exactly does

mean? Could you say the same using other words?

Because IKEv2 does work with Windows embedded VPN client, and it doesn’t suffer from the “auto-disconnect after 8 hours” problem, and chances are good that in a few RouterOS releases you’ll be finally able to push a route list to the client.

Hi,
To allow multiple L2TP connections from one IP, try changing the Caller ID Type option from "ipaddress" to "number" in PPP > L2TP Server.

That doesn’t help. The problem is not to identify the client but to deliver the L2TP transport packet to the right one when the server sees both as if they had the same IP address and both use the same UDP port (or don’t use a port in the traffic selector at all depending on client implementation). See a detailed explanation here.
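As an added illustration of the point made in this reply and in the earlier one about port-less ESP (this is example code written for this page, not code from the thread or from RouterOS), here is a small Python model of a server-side SAD/SPD with two L2TP clients behind one NAT. Inbound lookup is keyed by SPI, so decryption works for both clients in either mode; the outbound policy lookup is keyed by the traffic selector, which in transport mode is identical for both clients because the NAT rewrote the only IP header the server sees. All addresses, SPIs and NAT ports are constructed, and the optional `port_in_selector` switch models the "no port in the selector" variant mentioned above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical addresses used only for this model
SERVER = "203.0.113.1"     # central-office L2TP/IPsec server (public)
NAT = "198.51.100.7"       # the branch ISP NAT's public address
C1 = "192.168.1.220"       # first client behind the NAT
C2 = "192.168.1.221"       # second client behind the same NAT
L2TP_PORT = 1701


@dataclass(frozen=True)
class Selector:
    """IPsec traffic selector: addresses, protocol and optional ports."""
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]

    def matches(self, src, dst, proto, sport, dport):
        return ((self.src, self.dst, self.proto) == (src, dst, proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


@dataclass
class SA:
    name: str
    spi: int
    nat_port: int       # client's UDP 4500 port after NAT (unique per client,
                        # used for encapsulation, but not consulted by the SPD)
    selector: Selector  # what a decrypted packet on this SA must look like


def server_side_selector(client_ip, mode, port_in_selector=True):
    """Selector the server ends up with for one client's L2TP traffic.

    transport: the only IP header is the outer one, which the NAT rewrote,
               so every client behind that NAT looks like NAT -> SERVER.
    tunnel:    the inner IP header still carries the client's own address.
    """
    src = NAT if mode == "transport" else client_ip
    port = L2TP_PORT if port_in_selector else None
    return Selector(src, SERVER, "udp", port, port)


class IpsecServer:
    def __init__(self, mode, port_in_selector=True):
        self.mode = mode
        self.port_in_selector = port_in_selector
        self.sad = {}   # inbound SAD: (dst_ip, spi) -> SA
        self.spd = []   # outbound SPD: ordered list of (Selector, SA)

    def add_client(self, name, client_ip, spi, nat_port):
        sel = server_side_selector(client_ip, self.mode, self.port_in_selector)
        sa = SA(name, spi, nat_port, sel)
        self.sad[(SERVER, spi)] = sa
        # The outbound policy is the inbound selector mirrored.
        mirrored = Selector(sel.dst, sel.src, sel.proto, sel.dport, sel.sport)
        self.spd.append((mirrored, sa))
        return sa

    def inbound_sa(self, spi):
        """Inbound lookup keyed by (dst, SPI): unaffected by NAT."""
        return self.sad.get((SERVER, spi))

    def outbound_sa(self, src, dst, proto, sport, dport):
        """First-match SPD lookup, the way an outbound packet picks its SA."""
        for sel, sa in self.spd:
            if sel.matches(src, dst, proto, sport, dport):
                return sa
        return None

    def reply_sa(self, client_ip):
        """SA chosen for the server's L2TP reply to a given client."""
        # In transport mode the L2TP stack only ever saw the NAT address.
        dst = NAT if self.mode == "transport" else client_ip
        return self.outbound_sa(SERVER, dst, "udp", L2TP_PORT, L2TP_PORT)


def demo(mode, port_in_selector=True):
    """Bring up two clients behind the same NAT and report what the server sees."""
    srv = IpsecServer(mode, port_in_selector)
    sa1 = srv.add_client("client-1", C1, spi=0x1001, nat_port=61001)
    sa2 = srv.add_client("client-2", C2, spi=0x2002, nat_port=61002)
    return {
        "selectors_collide": sa1.selector == sa2.selector,
        "inbound_c2_ok": srv.inbound_sa(0x2002) is sa2,
        "reply_to_c2_uses": srv.reply_sa(C2).name,
    }


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, demo(mode))
```

In transport mode the second client's reply is sent over the first client's SA because both outbound policies match the same selector; in tunnel mode the inner addresses keep the policies distinct, which is what the `tunnel=yes` policy with `sa-src-address`/`sa-dst-address` suggested above relies on.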