Apparently the answer is yes, but I’m highly skeptical, since everything I’ve tried doesn’t work. I’m a bit hesitant to post a config because I’ve tried lots of different variations I’ve read about and nothing has worked. At present I’m getting
“[IP] failed to pre-process ph2 packet”
“[IP] peer sent packet for dead phase2”
“[IP] peer sent packet for dead phase2”
over and over
Can someone post a working config of both a server and a client so that I can copy/paste it in and verify it actually works?
I removed all my existing IPsec/L2TP config and put that in; it doesn’t work. Same messages as above.
I’m running the latest version of RouterOS on both.
Note that the peers are automatically generated, and it always has NAT traversal on. I’m doing this on 2 internet-facing routers, so they don’t need NAT traversal. Does it matter if it’s left on?
Seems to be a bug in WinBox.
I’m not exactly sure what steps would replicate the issue, but I noticed WinBox did not reflect what was shown in the terminal. I would untick IPsec in WinBox, but it would remain in effect. I noticed this after just trying to fall back to L2TP alone and it still didn’t work.
Whatever the original reason was, I went through the config and manually removed everything in the terminal, then re-added it through WinBox, and now it is working. But it’s only working between MikroTiks. Windows clients can’t seem to authenticate. Are there any differences with Windows 10?
MikroTik is a great piece of hardware, but IMHO running L2TP/IPsec on it is not the best idea. Believe me, I’ve tried.
You should be aware that L2TP/IPsec in MikroTik has a major limitation: only one tunnel via NAT is possible.
Nowadays, if you want a secure VPN connection, you should use certificates to authenticate and/or encrypt the traffic.
If speed is less important than security, use SSTP (yes, it’s a TCP tunnel).
MikroTik’s implementation (incompatible with others) allows using certs on both sides of the tunnel.
If speed is the most important thing, consider using a pure L2TP tunnel (UDP).
I have it working both from a Win 7/8/10 client and by EoIP tunnel between 2 MikroTiks.
I don’t use certs, just passwords.
How would I know if my tunnel is not secure?
I log into the router and add my temporary WAN IP to the input firewall rules when I’m on the road so no one can scan my router and see my L2TP server; at least I don’t think they can see it.
I have multiple IPsec/L2TP sessions to other MikroTiks (I’m using the tunnels for management purposes).
Though… I have PPTP also enabled for quick and dirty Windows access (couldn’t be assed with certificates until I know the direction we’re going with it).
Doesn’t seem to work, though it did work perfectly fine. Is it not possible with L2TP/IPsec going at the same time?
Several of us on the team here have been fighting with this. We need a method for admins to be able to connect into MikroTiks from the road and while telecommuting, and now OS X only supports L2TP/IPsec.
The config linked to above has clear errors in it and must not have been actually tested. We’ve tried building our own config, but it is not coming easily.
I’ll reiterate the original question: does this actually work? If so, what is the correct config on the MikroTik to support OS X clients?
Well, there is an issue with the MikroTik software when you use the simple configuration with an L2TP server and an automatically generated IPsec peer. It sets the peer definition to “port-strict”, and this fails when the server is accessed via 2 layers of NAT, as often happens for mobile users these days. The UDP port number gets translated, the peer definition then forbids this traffic, and the Phase 2 negotiation fails.
This can be fixed by setting up the L2TP server without IPsec and defining the IPsec peer manually with the setting “port-override”. It then works, but you cannot use the same server from different clients behind the same NAT. This could bite you when you have a group of mobile users all at the same provider.
The peer is defined similarly to this:
/ip ipsec peer
add enc-algorithm=aes-128 generate-policy=port-override local-address=1.2.3.4 passive=yes secret=yoursecret
(of course enter your own local address and secret info)
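A fuller version of that approach, as an added example that is not the poster’s own config and has not been taken from the original page: the L2TP server is enabled with use-ipsec=no, the IPsec peer is created by hand with generate-policy=port-override as described above, and the input firewall only admits L2TP (UDP/1701) when it arrives inside an IPsec policy, so a bare L2TP connection that skipped IPsec is dropped. It assumes the RouterOS 6.x peer syntax used in the post (before 6.43, when the peer was split into peer, identity and profile), and the address 1.2.3.4, the 10.99.0.0/24 pool, the user name and the secrets are placeholders to replace.

```routeros
# Added example (not from the original post). Assumes RouterOS 6.x peer syntax
# (pre-6.43). 1.2.3.4, 10.99.0.0/24, user names and secrets are placeholders.

# Phase 2 proposal used by the dynamically generated policies.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# Manually defined peer. port-override (instead of the port-strict that the
# L2TP server generates) lets the dynamic policy follow a translated UDP port,
# which is what mobile clients behind two layers of NAT produce. The caveat
# from the post still applies: two clients behind the same NAT will collide.
/ip ipsec peer
add address=0.0.0.0/0 local-address=1.2.3.4 passive=yes exchange-mode=main \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 nat-traversal=yes \
    generate-policy=port-override send-initial-contact=no secret=yoursecret

# Address pool and PPP profile for the L2TP clients.
/ip pool
add name=l2tp-pool ranges=10.99.0.10-10.99.0.50
/ppp profile
add name=l2tp-vpn local-address=10.99.0.1 remote-address=l2tp-pool use-encryption=yes

# One PPP user; MS-CHAPv2 is what the Windows and OS X built-in clients use.
/ppp secret
add name=admin1 password=UserPasswordHere profile=l2tp-vpn service=l2tp

# L2TP server WITHOUT the auto-generated IPsec peer (use-ipsec=no); IPsec is
# provided by the manual peer above.
/interface l2tp-server server
set enabled=yes use-ipsec=no default-profile=l2tp-vpn authentication=mschap2

# Firewall: accept IKE and NAT-T on the WAN, but accept L2TP only when the
# packet was decrypted by an IPsec policy (ipsec-policy=in,ipsec). Plain
# UDP/1701 from the internet is therefore dropped by the following rule.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
add chain=input protocol=udp dst-port=1701 action=drop comment="bare L2TP not allowed"
```

After loading it, `/ip ipsec installed-sa print` and `/ip ipsec policy print` should show a dynamic policy per connected client; if the log still reports “peer sent packet for dead phase2”, check that no leftover auto-generated peer (the one with port-strict) is still present in `/ip ipsec peer print`.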