
Q: VPN L2TP/IPSec

Posted: Wed Mar 07, 2012 10:32 am
by Krusty
Hello,

I need a little help with L2TP/IPSec VPN. Here is what is going on...

I have a working VPN on ROS, which is on a public IP, and two clients on the same LAN at a remote location.
One client is able to connect and the second isn't. Is it possible to resolve this in some way?

Thank you for your reply.

Re: Q: VPN L2TP/IPSec

Posted: Thu Mar 08, 2012 4:14 pm
by Krusty
Nobody? :/

Re: Q: VPN L2TP/IPSec

Posted: Mon Mar 12, 2012 4:55 pm
by Krusty
Somebody must know something about this :)

Re: Q: VPN L2TP/IPSec

Posted: Mon Mar 12, 2012 6:06 pm
by samsung172
You need to explain a bit more. Maybe with your config.

Re: Q: VPN L2TP/IPSec

Posted: Tue Mar 13, 2012 10:39 am
by Krusty
> You need to explain a bit more. Maybe with your config.
Thank you for your reaction. I will try to explain my problem more...

I'm trying to use L2TP/IPSec VPN. For now I have a router with a public IP and a working VPN server, configured according to several manuals to work with Windows... but the problem is this.

When a client tries to connect to the VPN server, everything works fine: the VPN is established and the network is reachable. But if there is another client on the same remote network and he tries to connect to the VPN server, the connection fails, because there is already an established connection and a remote peer for the first client with the same IP. Even if the first client disconnects and the second tries to connect, he fails (because of the remote peer on the router with the same IP).

Is it possible to resolve this in some way?

Here is the config I use:
Firewall rules:
196   ;;; L2TP/IPSec VPN na router
     chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=500 
197   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=500 
198   chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=1701 
199   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=1701 
200   chain=input action=accept protocol=udp in-interface=eth01.WAN 
     dst-port=4500 
201   chain=output action=accept protocol=udp out-interface=eth01.WAN 
     src-port=4500 
IPSec rules:
;;; L2TP VPN
     address=0.0.0.0/0 port=500 auth-method=pre-shared-key 
     secret="supersecretpassword" generate-policy=yes 
     exchange-mode=main send-initial-contact=no nat-traversal=yes 
     my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 
IPSec proposal:
 name="L2TP/IPSec VPN" auth-algorithms=sha1 enc-algorithms=3des 
      lifetime=1d pfs-group=modp1024 

Re: Q: VPN L2TP/IPSec

Posted: Thu Mar 22, 2012 3:08 pm
by Krusty
Still nobody?

Re: Q: VPN L2TP/IPSec

Posted: Sat Mar 24, 2012 9:32 pm
by xpkiller
I think you have one l2tp server (?) and one secret config (?). If you have a lot of users you need a separate secret and l2tp server for each user.
(but this is an idea; I haven't done l2tp, only openvpn and ipsec tunnel)

Re: Q: VPN L2TP/IPSec

Posted: Mon Mar 26, 2012 9:36 am
by Krusty
> I think you have one l2tp server (?) and one secret config (?). If you have a lot of users you need a separate secret and l2tp server for each user.
> (but this is an idea; I haven't done l2tp, only openvpn and ipsec tunnel)
Yes, there is a possibility to turn on only one server, and users are dynamic.
No, every user has his own secret.

I think there will be some problem with IPSec, not L2TP.

Re: Q: VPN L2TP/IPSec

Posted: Mon Apr 02, 2012 4:59 pm
by Krusty
Nobody? :)

Re: Q: VPN L2TP/IPSec

Posted: Thu Apr 05, 2012 4:22 pm
by Krusty
Come on, guys.

Re: Q: VPN L2TP/IPSec

Posted: Thu Apr 05, 2012 11:56 pm
by xpkiller
>> I think you have one l2tp server (?) and one secret config (?). If you have a lot of users you need a separate secret and l2tp server for each user.
>> (but this is an idea; I haven't done l2tp, only openvpn and ipsec tunnel)
> Yes, there is a possibility to turn on only one server, and users are dynamic.
> No, every user has his own secret.
>
> I think there will be some problem with IPSec, not L2TP.
OK, I will try your config, but I have an openvpn config too in our routers and it is the same.
In the secret there are the IPs of the user: local and remote.
If you have secrets separately for users then you need to add a local and remote IP pair, and you have to use a /30 (255.255.255.252) mask!! (e.g. ...0 is net, ...1 is local, ...2 is remote, ...3 is broadcast)
And you can use the ...5 ...6 pair, but you cannot use the ...11 ...12 pair... and so on.
(You didn't copy/paste your secret config here.)

Re: Q: VPN L2TP/IPSec

Posted: Fri Apr 06, 2012 12:02 am
by xpkiller
What is your ROS version??

Re: Q: VPN L2TP/IPSec

Posted: Fri Apr 06, 2012 12:26 am
by xpkiller
"nat-traversal=yes "
Why?

and where is this?
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN;
(ip protocol 50 for ESP)

Re: Q: VPN L2TP/IPSec

Posted: Fri Apr 06, 2012 9:16 am
by Krusty
> OK, I will try your config, but I have an openvpn config too in our routers and it is the same.
> In the secret there are the IPs of the user: local and remote.
> If you have secrets separately for users then you need to add a local and remote IP pair, and you have to use a /30 (255.255.255.252) mask!! (e.g. ...0 is net, ...1 is local, ...2 is remote, ...3 is broadcast)
> And you can use the ...5 ...6 pair, but you cannot use the ...11 ...12 pair... and so on.
> (You didn't copy/paste your secret config here.)
Thank you.
Users have IPs from the DHCP server; only the local address is manually entered (on the router side).

This is the ppp profile config:
0 * name="default" local-address=192.168.1.1 remote-address=LAN use-mpls=default use-compression=yes use-vj-compression=yes use-encryption=required only-one=no change-tcp-mss=yes rate-limit=10m/10m dns-server=192.168.1.10 wins-server=192.168.1.10
and the ppp secrets are on this profile.
> What is your ROS version??
v5.14 on RB1100AHx2
> "nat-traversal=yes "
> Why?
>
> and where is this?
> add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN;
> (ip protocol 50 for ESP)
NAT traversal:
because almost every user is connecting from behind some NATed network.

ipsec-esp:
I had this rule in the firewall, but it wasn't used in any way (there was no packet flow), so I deleted it and it works without it.
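
The empty ESP counter Krusty describes is what a NAT-traversal deployment looks like from the firewall: once IKE detects a NAT between the peers, both IKE and ESP move to udp/4500 and ESP is carried inside UDP (RFC 3948), so a protocol=ipsec-esp rule only ever matches clients that have their own public address. The Python below is an added example, not the posters' or MikroTik's code: it classifies udp/4500 payloads by the RFC 3948 non-ESP marker and keepalive byte, and counts what each of the thread's firewall rules would see for a constructed capture of one NATed client ("client-A") and one client with a public address ("client-B").

```python
"""
What a RouterOS firewall sees from L2TP/IPsec clients with and without NAT.
Added example; the "capture" below is constructed, the classification follows
RFC 3948 (UDP encapsulation of ESP) and RFC 3947 (NAT-T for IKE).
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: precedes an IKE header on udp/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte NAT-keepalive


def classify_nat_t_payload(payload: bytes) -> str:
    """Return 'ike', 'esp', 'keepalive' or 'invalid' for a udp/4500 payload.
    An ESP SPI of zero is reserved, so four leading zero bytes can only be the
    non-ESP marker that precedes IKE; anything else starts with a real SPI."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:  # ESP header is SPI (4 bytes) + sequence number (4 bytes)
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def parse_esp_header(payload: bytes):
    """Return (spi, sequence) from a raw or UDP-encapsulated ESP packet."""
    return struct.unpack("!II", payload[:8])


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed ESP packet: header followed by an opaque body."""
    return struct.pack("!II", spi, seq) + body


def ike_over_4500() -> bytes:
    """Constructed NAT-T IKE packet: non-ESP marker, then a blank 28-byte ISAKMP header."""
    return NON_ESP_MARKER + bytes(28)


# Constructed capture: (source, ip protocol, udp dst port or None, payload).
# client-A is behind a NAT, client-B has its own public address.
CAPTURE = [
    ("client-A", 17, 500, bytes(28)),                   # IKE main mode starts on udp/500
    ("client-A", 17, 500, bytes(28)),
    ("client-A", 17, 4500, ike_over_4500()),             # NAT detected: IKE moves to 4500
    ("client-A", 17, 4500, ike_over_4500()),
    ("client-A", 17, 4500, esp_packet(0x0A0B0C0D, 1)),   # ESP inside UDP, never protocol 50
    ("client-A", 17, 4500, esp_packet(0x0A0B0C0D, 2)),
    ("client-A", 17, 4500, esp_packet(0x0A0B0C0D, 3)),
    ("client-A", 17, 4500, NAT_KEEPALIVE),
    ("client-B", 17, 500, bytes(28)),
    ("client-B", 17, 500, bytes(28)),
    ("client-B", 17, 500, bytes(28)),
    ("client-B", 50, None, esp_packet(0x01020304, 1)),   # raw ESP, IP protocol 50
    ("client-B", 50, None, esp_packet(0x01020304, 2)),
]


def firewall_view(capture):
    """Count packets per firewall match the thread's accept rules would see."""
    counts = {"udp/500": 0, "udp/4500 ike": 0, "udp/4500 esp": 0,
              "udp/4500 keepalive": 0, "ipsec-esp": 0, "other": 0}
    names = {"ike": "udp/4500 ike", "esp": "udp/4500 esp", "keepalive": "udp/4500 keepalive"}
    for _src, proto, dport, payload in capture:
        if proto == 50:
            counts["ipsec-esp"] += 1
        elif proto == 17 and dport == 500:
            counts["udp/500"] += 1
        elif proto == 17 and dport == 4500:
            counts[names.get(classify_nat_t_payload(payload), "other")] += 1
        else:
            counts["other"] += 1
    return counts


def esp_rule_hits(capture, source: str) -> int:
    """Packets from one client that a protocol=ipsec-esp rule would match."""
    return sum(1 for src, proto, _port, _body in capture if src == source and proto == 50)


if __name__ == "__main__":
    print(firewall_view(CAPTURE))
    for client in ("client-A", "client-B"):
        print(client, "raw ESP packets seen by the ipsec-esp rule:", esp_rule_hits(CAPTURE, client))
```

The NATed client produces zero hits on the ESP rule, which is exactly the "no packet flow" Krusty observed, while the rule is still needed for any client that is not behind NAT; dropping it does not break NATed users but silently breaks the others.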

Re: Q: VPN L2TP/IPSec

Posted: Fri Apr 06, 2012 8:03 pm
by xpkiller
OK, you are right!
You need NAT-T for NATed users.
But I don't understand all of your config, because I tested today with my 1100AH (ROS 5.14) and I needed this:

mod: I tested with Win7, WinXP and an Android phone; they are working well.

1. (you need a separate l2tp-server per user, with the user name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes \
max-mru=1460 max-mtu=1460 mrru=disabled

2. (you need a separate secret per user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test \
password=gizi123 profile=profile1 routes="" service=l2tp

3.
/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default \
remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no \
use-mpls=default use-vj-compression=yes

4. ipsec peer
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
send-initial-contact=no

5. (because if you use a generated ipsec policy then it will use the default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024

6. ip pool for IP assignments (not the DHCP server you wrote about)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100

7. firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
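
xpkiller's list covers the three UDP ports an L2TP/IPsec server must accept (500, 4500, 1701) plus raw ESP, and a peer and proposal built on 3DES, SHA1 and modp1024. The Python below is an added example, not the posters' or MikroTik's code: it parses RouterOS export syntax (joining backslash continuations and skipping `[ find ... ]` selectors), reports which of those input-chain accept rules are missing, and flags ciphers and DH groups a practitioner would no longer accept. Both exports it checks are constructed: the first mirrors xpkiller's peer, proposal and filter rules with the pre-shared key replaced by a placeholder, the second mirrors Krusty's three UDP rules, which have no ESP rule.

```python
"""
Lint a RouterOS export for the firewall and IPsec settings an L2TP/IPsec
server needs. Added example, not the forum posters' or MikroTik's code.
"""
import shlex

# Input-chain accept rules the thread converges on: (protocol, dst-port).
REQUIRED_INPUT_RULES = {
    ("udp", "500"): "IKE on udp/500",
    ("udp", "4500"): "NAT-T (IKE and UDP-encapsulated ESP) on udp/4500",
    ("udp", "1701"): "L2TP on udp/1701",
    ("ipsec-esp", None): "raw ESP (protocol 50) for clients not behind NAT",
}

# Common defaults in 2012 that a practitioner would flag today.
WEAK_SETTINGS = {
    "enc-algorithm": {"des", "3des"}, "enc-algorithms": {"des", "3des"},
    "dh-group": {"modp768", "modp1024"}, "pfs-group": {"modp768", "modp1024"},
    "hash-algorithm": {"md5"}, "auth-algorithms": {"md5"},
}

# Constructed export mirroring xpkiller's peer, proposal and filter rules
# (pre-shared key replaced by a placeholder).
EXPORT_FULL = r"""
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=PSK-PLACEHOLDER \
send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
"""

# Constructed export mirroring Krusty's filter rules: the three UDP ports are
# accepted, but nothing accepts ESP itself.
EXPORT_NO_ESP = r"""
/ip firewall filter
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=500
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=1701
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=4500
"""


def parse_export(text):
    """Return [(menu, {key: value})] for each add/set command in an export.
    A trailing backslash continues the command on the next line and RouterOS
    joins the pieces directly, so 'lifetime=' followed by '1d' is 'lifetime=1d'.
    Tokens inside [ ... ] are selectors, not settings, and are skipped."""
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        fields, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
        entries.append((menu, fields))
    return entries


def missing_input_rules(entries):
    """Describe each required input-chain accept rule the export lacks."""
    present = set()
    for menu, f in entries:
        if menu != "/ip firewall filter" or f.get("disabled") == "yes":
            continue
        if f.get("chain") == "input" and f.get("action") == "accept":
            present.add((f.get("protocol"), f.get("dst-port")))
    return [why for key, why in REQUIRED_INPUT_RULES.items() if key not in present]


def weak_crypto(entries):
    """List IPsec peer/proposal settings that select a weak cipher or DH group."""
    findings = []
    for menu, f in entries:
        if not (menu or "").startswith("/ip ipsec"):
            continue
        for key, weak in WEAK_SETTINGS.items():
            chosen = set(f.get(key, "").split(",")) & weak
            if chosen:
                findings.append(f"{menu}: {key}={f[key]} includes {','.join(sorted(chosen))}")
    return findings


def lint(text):
    entries = parse_export(text)
    return {"missing_rules": missing_input_rules(entries), "weak_crypto": weak_crypto(entries)}


if __name__ == "__main__":
    for name, export in (("full", EXPORT_FULL), ("no-esp", EXPORT_NO_ESP)):
        print(name, lint(export))
```

Run against a real `/export` the same way; the parser only understands the `add`/`set` lines and menu paths that exports emit, and the weak-algorithm sets are a starting point to extend, not a complete policy.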

Re: Q: VPN L2TP/IPSec

Posted: Sat Apr 07, 2012 9:13 pm
by harvey
> OK, you are right!
> You need NAT-T for NATed users.
> But I don't understand all of your config, because I tested today with my 1100AH (ROS 5.14) and I needed this:
>
> mod: I tested with Win7, WinXP and an Android phone; they are working well.
>
> 1. (you need a separate l2tp-server per user, with the user name)
> /interface l2tp-server
> add disabled=no name=l2tp-in1 user=l2tp-test
> /interface l2tp-server server
> set authentication=mschap2 default-profile=profile1 enabled=yes \
> max-mru=1460 max-mtu=1460 mrru=disabled
>
> 2. (you need a separate secret per user)
> /ppp secret
> add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test \
> password=gizi123 profile=profile1 routes="" service=l2tp
>
> 3.
> /ppp profile
> add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default \
> remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no \
> use-mpls=default use-vj-compression=yes
>
> 4. ipsec peer
> /ip ipsec peer
> add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
> disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
> exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
> 1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
> send-initial-contact=no
>
> 5. (because if you use a generated ipsec policy then it will use the default proposal)
> /ip ipsec proposal
> set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
> 3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024
>
> 6. ip pool for IP assignments (not the DHCP server you wrote about)
> /ip pool
> add name=l2tp-pool ranges=192.168.99.2-192.168.99.100
>
> 7. firewall rules
> /ip firewall filter
> add action=accept chain=input disabled=no protocol=ipsec-esp
> add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
> add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
> add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
> add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
Thank you so very much. This worked perfectly for me!!! Been wanting to get L2TP working instead of PPTP. Now I can disable PPTP connections.

Re: Q: VPN L2TP/IPSec

Posted: Sun Apr 08, 2012 1:19 am
by harvey
Further question, following your instructions worked well. However.....

If I create a new 'secret' for a new user and they try to connect simultaneously, they can, but one user will lose network access.

I have also created a new l2tp server interface and mapped the new user to it and the same thing still happens.

Specifics:

User A connects to VPN. User A pings device on remote network. Device ping responds OK.
User B connects to VPN. User A can no longer ping that device but User B can.
User A will no longer have access to any device on remote network until they disconnect and reconnect.

Any advice?

Re: Q: VPN L2TP/IPSec

Posted: Sun Apr 08, 2012 12:18 pm
by xpkiller
Please check the assigned IPs for userA and userB.
Do you use a pool for local and remote IP assignments?
Solutions:
1. You assign from a pool, but you need to set it for local and remote too!! (You cannot give a fixed IP for local and a dynamic one for remote, because of the /30 mask.)
2. You give a fixed IP for local and remote too (you have to calculate the IP addresses exactly for the /30 mask!)

And how did you test it? From the same public IP? Because ipsec cannot generate a policy rule if you come from the same public IP.
(I tested it)
E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.
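
xpkiller's two replies on addressing (the ...0/...1/...2/...3 layout earlier in the thread, and solution 2 here) come down to one check: a fixed local/remote pair must be the two host addresses of a single /30. The Python below is an added example, not the posters' or MikroTik's code; it turns that rule into a validator and a pool allocator, and goes beyond the thread's ...5/...6 and ...11/...12 cases by testing any pair and by carving a whole pool into /30s. The address pairs and the pool it runs on are constructed.

```python
"""
Check PPP local/remote address pairs against the /30 rule described in the
thread, and allocate such pairs from a pool. Added example, not the posters'
or MikroTik's code; the address pairs and pool below are constructed.
"""
import ipaddress


def pair_error(local: str, remote: str) -> str:
    """Return '' when local and remote are the two host addresses of one /30,
    otherwise a sentence saying why the pair is unusable under a /30 mask."""
    loc, rem = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)
    block = ipaddress.ip_network(f"{loc}/30", strict=False)  # the /30 around local
    hosts = list(block.hosts())  # a /30 has exactly two hosts: network+1, network+2
    if loc not in hosts:
        return f"{loc} is the network or broadcast address of {block}"
    if rem not in block:
        return f"{rem} lies outside {block}, the /30 that contains {loc}"
    if rem not in hosts:
        return f"{rem} is the network or broadcast address of {block}"
    if loc == rem:
        return "local and remote address are identical"
    return ""


def check_pairs(pairs):
    """Map each (local, remote) pair to '' (valid) or the reason it is not."""
    return {pair: pair_error(*pair) for pair in pairs}


def allocate_pairs(pool: str):
    """Yield (local, remote) pairs, one /30 per client, from a pool network."""
    for block in ipaddress.ip_network(pool).subnets(new_prefix=30):
        loc, rem = block.hosts()
        yield str(loc), str(rem)


# Constructed pairs: the cases named in the thread plus two more failure modes.
SAMPLE_PAIRS = [
    ("192.168.99.1", "192.168.99.2"),    # ...1 local, ...2 remote: valid
    ("192.168.99.5", "192.168.99.6"),    # next /30 (4-7): valid
    ("192.168.99.11", "192.168.99.12"),  # straddles 8-11 and 12-15: invalid
    ("192.168.99.4", "192.168.99.5"),    # ...4 is a network address: invalid
    ("192.168.99.1", "192.168.99.10"),   # remote sits in another /30: invalid
]

if __name__ == "__main__":
    for pair, err in check_pairs(SAMPLE_PAIRS).items():
        print(pair, "OK" if not err else err)
    print(list(allocate_pairs("192.168.99.0/28")))
```

Feeding the output of `allocate_pairs` into per-user `/ppp secret` entries as `local-address` and `remote-address` is the manual form of solution 2; the validator is what to run over an existing secret list before blaming IPsec for a connectivity problem.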

Re: Q: VPN L2TP/IPSec

Posted: Sun Apr 08, 2012 8:19 pm
by harvey
> Please check the assigned IPs for userA and userB.
> Do you use a pool for local and remote IP assignments?
> Solutions:
> 1. You assign from a pool, but you need to set it for local and remote too!! (You cannot give a fixed IP for local and a dynamic one for remote, because of the /30 mask.)
> 2. You give a fixed IP for local and remote too (you have to calculate the IP addresses exactly for the /30 mask!)
>
> And how did you test it? From the same public IP? Because ipsec cannot generate a policy rule if you come from the same public IP.
> (I tested it)
> E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.
Thanks for your reply.

The only difference was that under the ipsec peer setup I used exchange-mode=main instead of exchange-mode=main-l2tp, as the version on my MikroTik was 5.6 and did not support main-l2tp. I upgraded to 5.14 and changed it to use main-l2tp, and it appears to be working OK now.

Thanks for your help.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 9:22 am
by Krusty
Hi,

Thank you for your exhaustive explanation :) However, I have the problem you described above:
> And how did you test it? From the same public IP? Because ipsec cannot generate a policy rule if you come from the same public IP.
> (I tested it)
> E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.
This is what I need to solve. I have plenty of users on one remote LAN (with 1 public IP) and only the first one is able to connect; the others are screwed :)
> 1. (you need a separate l2tp-server per user, with the user name)
> /interface l2tp-server
> add disabled=no name=l2tp-in1 user=l2tp-test
> /interface l2tp-server server
> set authentication=mschap2 default-profile=profile1 enabled=yes \
> max-mru=1460 max-mtu=1460 mrru=disabled
I don't think I need to create an interface for every user when they are created dynamically by default.
> 2. (you need a separate secret per user)
> /ppp secret
> add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test \
> password=gizi123 profile=profile1 routes="" service=l2tp
Yes, I have this; every user has its own secret.
> /ppp profile
> add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default \
> remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no \
> use-mpls=default use-vj-compression=yes
I have configured a profile for VPN.
> /ip ipsec peer
> add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
> disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
> exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=\
> 1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec \
> send-initial-contact=no
I have changed from main to main-l2tp and will see what happens.
> 5. (because if you use a generated ipsec policy then it will use the default proposal)
> /ip ipsec proposal
> set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
> 3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024
I came to this :)
> 6. ip pool for IP assignments (not the DHCP server you wrote about)
> /ip pool
> add name=l2tp-pool ranges=192.168.99.2-192.168.99.100
Why can't a VPN user get an IP from the same server as a locally connected user? I see no difference.
> 7. firewall rules
> /ip firewall filter
> add action=accept chain=input disabled=no protocol=ipsec-esp
> add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
> add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
> add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
> add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
As I said before, I had a rule for protocol=ipsec-esp, but there wasn't any packet flow, so I deleted it. I will add it again and see what happens.


By the way, thank you for your time.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 12:53 pm
by xpkiller
>> And how did you test it? From the same public IP? Because ipsec cannot generate a policy rule if you come from the same public IP.
>> (I tested it)
>> E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.
> This is what I need to solve. I have plenty of users on one remote LAN (with 1 public IP) and only the first one is able to connect; the others are screwed :)
I think this is your problem. You have to try from other IPs and not from the same one.
>> 1. (you need a separate l2tp-server per user, with the user name)
>> /interface l2tp-server
>> add disabled=no name=l2tp-in1 user=l2tp-test
>> /interface l2tp-server server
>> set authentication=mschap2 default-profile=profile1 enabled=yes \
>> max-mru=1460 max-mtu=1460 mrru=disabled
> I don't think I need to create an interface for every user when they are created dynamically by default.
Yes, maybe you are right, but I think that because you have to give a user name in the l2tp-server, you therefore need an l2tp-server for each user separately.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 1:41 pm
by harvey
I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user.

This is a problem for me, as you can't always guarantee where remote workers will be; there are times they may both be in the same place needing to connect back to the office. It works fine from separate public IPs.

This has never been an issue with L2TP on other routers I have used.

There must be a solution.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 2:48 pm
by Krusty
> I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user.
>
> This is a problem for me, as you can't always guarantee where remote workers will be; there are times they may both be in the same place needing to connect back to the office. It works fine from separate public IPs.
>
> This has never been an issue with L2TP on other routers I have used.
>
> There must be a solution.
Precisely, you hit it; this is all I've been talking about all the time.

I have about 60 VPN users and they are often on the same remote LAN and need to connect to the office, but they can't...

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 4:35 pm
by xpkiller

> I have about 60 VPN users and they are often on the same remote LAN and need to connect to the office, but they can't...
OK, but this is not a problem of the MikroTik!
This is a property of ipsec.
A solution: use openvpn.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 4:46 pm
by harvey
OK, thanks, but OpenVPN isn't an option for me as there is no iPad/iPhone client.

PPTP is the only other option.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 4:54 pm
by Krusty
> OK, but this is not a problem of the MikroTik!
> This is a property of ipsec.
> A solution: use openvpn.
So there is no solution for this behavior? I didn't find any clean, easy-to-use OpenVPN client; I have gourmet users :)
> OK, thanks, but OpenVPN isn't an option for me as there is no iPad/iPhone client.
>
> PPTP is the only other option.
PPTP is nice and clean, but not as safe as I would expect.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 10, 2012 4:58 pm
by harvey
I agree about PPTP; that's why I have avoided it so far.

Re: Q: VPN L2TP/IPSec

Posted: Tue Apr 24, 2012 11:58 pm
by xpkiller
Don't use iPad/iPhone.. use Linux/Android.. ;)

So you can choose a simple client for openvpn: http://openvpn.net/index.php/open-source.html It is working well.
(and Linux knows openvpn basically)

Re: Q: VPN L2TP/IPSec

Posted: Mon May 07, 2012 12:11 am
by _saik0
Someone should rename this topic to a more meaningful name.

Anyhow, same problem here with L2TP/IPSec and multiple clients behind one public IP. Is there really no solution or workaround?

OpenVPN w/ mikrotik isn't a solution since UDP support is missing; PPTP on the other hand isn't secure.

Re: Q: VPN L2TP/IPSec

Posted: Thu May 10, 2012 12:51 am
by xpkiller
> Someone should rename this topic to a more meaningful name.
>
> Anyhow, same problem here with L2TP/IPSec and multiple clients behind one public IP. Is there really no solution or workaround?
>
> OpenVPN w/ mikrotik isn't a solution since UDP support is missing; PPTP on the other hand isn't secure.
Why can't you use openvpn w/ tcp?
The OpenVPN client (for Win... and Linux) supports it.

Re: Q: VPN L2TP/IPSec

Posted: Thu Aug 28, 2014 7:50 am
by tasc45
I am having a similar issue. I have a VoIP phone connecting remotely to a PBX server behind a MikroTik router (it connects via open ports on the firewall). The phone operates fine until I VPN to the remote network using my computer, which is on the same LAN as the phone. The minute I VPN, the phone connection no longer works.

Once I disconnect from the VPN and reboot, the phone registers again without any problems.

My conclusion is that because of the policy created, any traffic originating from that remote network connecting to the VPN with the same IP forces priority to the VPN connection and ignores any other connections for the same IP address. How do I tell the router to allow firewall connections and VPN connections from the same remote IP address at the same time?