Thank you for the reaction. I will try to explain my problem more...
[quote]You need to explain a bit more. Maybe with your config.[/quote]
;;; L2TP/IPSec VPN on router
chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=500
chain=output action=accept protocol=udp out-interface=eth01.WAN src-port=500
chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=1701
chain=output action=accept protocol=udp out-interface=eth01.WAN src-port=1701
chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=4500
chain=output action=accept protocol=udp out-interface=eth01.WAN src-port=4500
;;; L2TP VPN
address=0.0.0.0/0 port=500 auth-method=pre-shared-key
secret="supersecretpassword" generate-policy=yes
exchange-mode=main send-initial-contact=no nat-traversal=yes
my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
name="L2TP/IPSec VPN" auth-algorithms=sha1 enc-algorithms=3des
lifetime=1d pfs-group=modp1024
Yes, there is a possibility to turn on only one server, and the users are dynamic.
[quote]I think you have one L2TP server (?) and one secret config (?). If you have a lot of users, you need a separate secret and L2TP server for each user.
(But this is an idea; I haven't done L2TP, only OpenVPN and IPsec tunnels.)[/quote]
Ok, I will try your config, but I have an OpenVPN config too in our routers and it is the same.
[quote]Yes, there is a possibility to turn on only one server, and the users are dynamic.[/quote]
No, every user has his own secret.
I think there will be some problem with IPsec, not L2TP.
Thank you.
[quote]Ok, I will try your config, but I have an OpenVPN config too in our routers and it is the same.[/quote]
In the secret there are the user's IPs: local and remote.
If you have secrets separately for users, then you need to add a local and remote IP pair, and you have to use a /30 (255.255.255.252) mask!! (e.g. ...0 is the net, ...1 is local, ...2 is remote, ...3 is broadcast)
And you can use ...5/...6, but you cannot use the ...11/...12 pair... and so on.
(You didn't copy/paste your secret config here.)
And the PPP secrets are on this profile:
name="default" local-address=192.168.1.1 remote-address=LAN use-mpls=default use-compression=yes use-vj-compression=yes use-encryption=required only-one=no change-tcp-mss=yes rate-limit=10m/10m dns-server=192.168.1.10 wins-server=192.168.1.10
v5.14 on RB1100AHx2
[quote]What is your ROS version??[/quote]
NAT traversal
[quote]nat-traversal=yes[/quote]
Why?
And where is this?
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN
(IP protocol 50 for ESP)
Thank you so very much. This worked perfectly for me!!! Been wanting to get L2TP working instead of PPTP. Now I can disable PPTP connections.
Ok, you are right!
Need NAT-T for NATed users.
But I don't understand all of your config, because I tested today with my 1100AH (ROS 5.14) and I needed this:
mod: I tested with win7, winXP and an Android phone; they are working well.
1. (you need a separate l2tp-server per user, with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
2. (you need a separate secret per user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test password=gizi123 profile=profile1 routes="" service=l2tp
3. (PPP profile)
/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no use-mpls=default use-vj-compression=yes
4. IPsec peer
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec send-initial-contact=no
5. (because if you use a generated IPsec policy, then it will use the default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024
6. IP pool for IP assignments (not the DHCP server that you wrote)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100
7. Firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24
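The difference between the first firewall rule set in this thread (UDP 500/1701/4500 only) and the one in the post above is the accept for ESP, IP protocol 50. The following checker is an added example, not code from the thread or from MikroTik: it parses a RouterOS `/ip firewall filter` export and reports which of the four input-chain accepts an L2TP/IPsec server needs are absent. The two exports embedded in it are constructed from the rules posted in this thread.

```python
"""Report missing input-chain accepts for an L2TP/IPsec server in a RouterOS
'/ip firewall filter' export.  Added example; not part of the thread."""
import shlex

# (protocol, dst-port) that must be accepted in chain=input; None = no port match.
REQUIRED = (
    ("ipsec-esp", None),   # ESP, IP protocol 50 (clients that are not behind NAT)
    ("udp", "500"),        # IKE
    ("udp", "4500"),       # IKE and ESP encapsulated in UDP when NAT-T is in use
    ("udp", "1701"),       # L2TP, carried inside the IPsec transport SA
)


def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict; other lines are ignored."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex keeps comment="a b" as one token
            if "=" in token:
                key, value = token.split("=", 1)
                rule[key] = value
        rules.append(rule)
    return rules


def ports_of(rule):
    """dst-port may be a single port or a comma-separated list such as 500,4500."""
    return set(rule.get("dst-port", "").split(","))


def missing_accepts(export):
    """Return the REQUIRED entries that no enabled input/accept rule covers."""
    rules = parse_rules(export)
    missing = []
    for proto, port in REQUIRED:
        covered = any(
            r.get("chain") == "input"
            and r.get("action") == "accept"
            and r.get("disabled", "no") != "yes"
            and r.get("protocol") == proto
            and (port is None or port in ports_of(r))
            for r in rules
        )
        if not covered:
            missing.append(proto if port is None else f"{proto}/{port}")
    return missing


# Constructed sample: the first rule set posted in the thread. It accepts the
# UDP ports but not ESP, so a client that is not behind NAT (no UDP 4500
# encapsulation) never gets its ESP packets through the input chain.
WITHOUT_ESP = """
/ip firewall filter
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=500
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=1701
add chain=input action=accept protocol=udp in-interface=eth01.WAN dst-port=4500
"""

# Constructed sample: the same set plus the ESP accept and forward rule from the post.
WITH_ESP = WITHOUT_ESP + """
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN
add action=accept chain=forward comment="l2tp test" connection-state=new src-address=192.168.99.0/24
"""

if __name__ == "__main__":
    print("without ESP rule, missing:", missing_accepts(WITHOUT_ESP))
    print("with ESP rule, missing:", missing_accepts(WITH_ESP))
```

Feed it the text of `/ip firewall filter export`. The checker only looks for the presence of enabled accept rules; it does not evaluate rule order, so a `drop` placed above these accepts (a common layout with a final drop-all in `input`) would still have to be checked by hand, and `dst-port` ranges written as `500-4500` are not expanded.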
Thanks for your reply.
Please check the assigned IPs for userA and userB.
Do you use a pool for local and remote IP assignments?
Solutions:
1. You assign from a pool, but you need to set it for local and remote too!! (You cannot give a fixed IP for local and a dynamic one for remote, because of the /30 mask.)
2. You give a fixed IP for local and remote too (you have to calculate the IP addresses exactly for the /30 mask!).
And how could you test it? From the same public IP? Because IPsec cannot generate the policy rule if you come from the same public IP.
(I tested it.)
E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.
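Two replies in this thread state the same rule for per-user secrets: the local and remote addresses must be the two host addresses of one /30, so ...1/...2 and ...5/...6 are usable pairs while ...11/...12 is not. The script below is an added example (not code from the thread or from MikroTik) that checks a pair against that rule and lists every valid pair a `/ip pool` range can hold; the range `192.168.99.2-192.168.99.100` is the one posted above, and the user names are made up.

```python
"""Validate and allocate local/remote PPP address pairs under the /30 rule
stated in the thread.  Added example; not part of the thread."""
import ipaddress


def slash30_pair_ok(local, remote):
    """True when local and remote are the two usable hosts of the same /30."""
    l = ipaddress.IPv4Address(local)
    r = ipaddress.IPv4Address(remote)
    if l == r:
        return False
    net = ipaddress.IPv4Network(f"{l}/30", strict=False)  # the /30 containing local
    hosts = set(net.hosts())  # for a /30 this is {.1, .2}; network and broadcast excluded
    return l in hosts and r in hosts


def parse_pool(ranges):
    """'a.b.c.d-a.b.c.e' (the RouterOS /ip pool ranges= syntax) -> (first, last)."""
    first, last = ranges.split("-")
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def slash30_pairs(ranges):
    """Every (local, remote) pair whose /30 lies completely inside the pool range."""
    first, last = parse_pool(ranges)
    pairs = []
    addr = ipaddress.IPv4Network(f"{first}/30", strict=False).network_address
    while addr <= last:
        local, remote = list(ipaddress.IPv4Network(f"{addr}/30").hosts())
        if first <= local and remote <= last:
            pairs.append((str(local), str(remote)))
        addr += 4  # next /30 block
    return pairs


def assign_pairs(users, ranges):
    """Give each user its own fixed /30 pair from the pool; raises if the pool is too small."""
    pairs = slash30_pairs(ranges)
    if len(users) > len(pairs):
        raise ValueError(f"pool holds {len(pairs)} /30 pairs, {len(users)} users requested")
    return dict(zip(users, pairs))


if __name__ == "__main__":
    # Constructed input: the pool from the post and two hypothetical user names.
    pool = "192.168.99.2-192.168.99.100"
    for user, (local, remote) in assign_pairs(["userA", "userB"], pool).items():
        print(f"/ppp secret add name={user} local-address={local} remote-address={remote} service=l2tp")
```

Note that the pool as posted starts at .2, so its first block (.0/30, hosts .1/.2) is only half inside the range and is skipped; the first usable pair is .5/.6. Handing both local and remote out of the same pool, as the posted profile does, gives the PPP server no way to keep them inside one /30, which is why the reply asks for fixed pairs.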
This is what I need to solve. I've got plenty of users on one remote LAN (with 1 public IP) and only the first one is able to connect; the others are screwed.
[quote]And how could you test it? From the same public IP? Because IPsec cannot generate the policy rule if you come from the same public IP.
(I tested it.)
E.g. if your users are behind the same firewall, and it has one public IP and is NATing your users, then they will be shown with the same public IP.[/quote]
I don't think I need to create an interface for every user when they are created dynamically by default.
[quote]1. (you need a separate l2tp-server per user, with user-name)
/interface l2tp-server
add disabled=no name=l2tp-in1 user=l2tp-test
/interface l2tp-server server
set authentication=mschap2 default-profile=profile1 enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled[/quote]
Yes, I have this; every user has its own secret.
[quote]2. (you need a separate secret per user)
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=l2tp-test password=gizi123 profile=profile1 routes="" service=l2tp[/quote]
I have configured a profile for VPN.
[quote]/ppp profile
add change-tcp-mss=default local-address=l2tp-pool name=profile1 only-one=default remote-address=l2tp-pool use-compression=yes use-encryption=yes use-ipv6=no use-mpls=default use-vj-compression=yes[/quote]
I have changed from main to main-l2tp and will see what happens.
[quote]/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=giziipsec send-initial-contact=no[/quote]
I came to this.
[quote]5. (because if you use a generated IPsec policy, then it will use the default proposal)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=30m name=default pfs-group=modp1024[/quote]
Why can't a VPN user get an IP from the same server as a locally connected user? I see no difference.
[quote]6. IP pool for IP assignments (not the DHCP server that you wrote)
/ip pool
add name=l2tp-pool ranges=192.168.99.2-192.168.99.100[/quote]
[quote]7. Firewall rules
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input connection-state=new disabled=no dst-port=500 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="l2tp test" connection-state=new disabled=no src-address=192.168.99.0/24[/quote]
I think this is your problem. You have to try from other IPs and not from the same one.
[quote]This is what I need to solve. I've got plenty of users on one remote LAN (with 1 public IP) and only the first one is able to connect; the others are screwed.[/quote]
Yes, maybe you are right, but I think that because you have to give a user name in l2tp-server, you therefore need an l2tp-server for each user separately.
[quote]I don't think I need to create an interface for every user when they are created dynamically by default.[/quote]
Precisely, you hit it; this is all I have been talking about all the time.
[quote]I am the same: I can't have two connections from the same public IP address even if I create an L2TP server for each user.
This is a problem for me, as you can't always guarantee where remote workers will be; there are times they may both be in the same place needing to connect back to the office. It works fine from separate public IPs.
This has never been an issue with L2TP on other routers I have used.
There must be a solution.[/quote]
Ok, but this is not a problem of the MikroTik!
I had about 60 VPN users, and they are often on the same remote LAN and need to connect to the office, but they can't...
So is there no solution to this behavior? I didn't find any clean, easy-to-use OpenVPN client; I have gourmet users.
[quote]Ok, but this is not a problem of the MikroTik!
This is a property of IPsec.
A solution: use OpenVPN.[/quote]
PPTP is nice and clean, but not as safe as I would expect.
Ok, thanks, but OpenVPN isn't an option for me as there is no iPad / iPhone client.
PPTP is the only other option.
Why can't you use OpenVPN w/ TCP?
Someone should rename this topic to a more meaningful name.
Anyhow, same problem here with L2TP/IPsec and multiple clients behind one public IP. Is there really no solution or workaround?
OpenVPN w/ MikroTik isn't a solution since UDP support is missing; PPTP, on the other hand, isn't secure.