iPhone L2TP Issues

I am working on a complex config on another router; for simplicity I have set up a new router with the most basic config for an L2TP server.

I can connect to the VPN using my Mac and iPhone and can get traffic through to most websites (MacBook works fine). However, when I try and load Google and some other sites from the iPhone, they do not load. I’m pretty sure this is an MTU issue and I have tried changing the values as well as adding some mangle rules, but still cannot get Google.com to load, only on the iPhone. (Tested with Safari/Chrome.) (Other things act strange as well, like the Apple AppStore won’t load (‘no connection’ error).)

Scenario:
iPhone over Cellular 5G > Mikrotik L2TP = Google Does not work / AppStore does not load / other sites like Netflix work.
MacBook > Tethered to iPhone (over 5G) > L2TP Established via MacBook to Mikrotik Router = Google Works, no issues

Working from the internal LAN, Google works for the iPhone and there are no issues, so it’s something related to when L2TP is added into the mix. Tried dropping the MTU to 1280 on the L2TP but this did not help and did not break anything, so I reverted to the default.

I am assuming that the MacBook is better handling the MTU vs the iPhone, any suggestions?

This is the whole config:

/interface ethernet
set [ find default-name=ether5 ] name=SWITCH
set [ find default-name=ether1 ] name=WAN

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc

/ppp profile
set *0 dns-server=1.1.1.1 local-address=192.168.6.1 remote-address=192.168.6.10

/interface l2tp-server server
set enabled=yes ipsec-secret=secretkey123456 max-mru=1450 max-mtu=1450 use-ipsec=yes

/ip address
add address=192.168.6.1/24 interface=SWITCH network=192.168.6.0

/ip dhcp-client
add interface=WAN

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.6.0/24

/ip ipsec policy
add group=*3 proposal=*1 template=yes

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ppp secret
add name=username password=password

Despite this being an issue for months across 2 different sites, performing the troubleshooting in my original post and replicating the issue on a router with a basic config, this issue suddenly resolved itself.

Could you share your config? I have exactly the same problem and ran exactly the same process, but I can’t figure it out.

I encountered a similar issue to the OP. After connecting the L2TP VPN to my MikroTik device using my iPhone, all the Google websites are not accessible while some other websites/internal websites can be accessed.

I have done some packet capture using the packet sniffer. It seems that those inaccessible websites all support the QUIC protocol (UDP 443). I can see that the iPhone can successfully communicate with the Google server [UDP port 443] bidirectionally. However, I also notice that the iPhone will also send a TCP 443 request to the Google server and then suddenly reset the connection (illustrated below).

iPhone → SYN → Google Server [TCP 443]
iPhone ← SYN, ACK ← Google Server [TCP 443]
iPhone → RST → Google Server [TCP 443]

I don’t know very much about the QUIC protocol, but the behavior is very weird.

When I add the following firewall rule to block all QUIC traffic, the issue is resolved.

/ip/firewall/filter/add chain=forward action=drop protocol=udp in-interface=<l2tp-interface> dst-port=443
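As an added example (not from this thread or from MikroTik), here is a small Python check that scans a packet trace for the pattern described above: a bidirectional QUIC exchange on UDP/443 with a server, followed by a TCP/443 handshake to the same server that the client itself resets. It lets you confirm the no-fallback symptom from a sniffer export before reaching for the drop rule. The trace lines are constructed tcpdump-style samples; the client address is the L2TP remote-address from the config above and the server addresses are documentation ranges.

```python
# Flag clients that finish a QUIC (UDP/443) exchange with a server but then
# reset their own TCP/443 handshake to it: the no-fallback pattern above.
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not a real capture). 192.168.6.10 is the
# L2TP client; 203.0.113.10 stands in for a QUIC-capable server and
# 198.51.100.20 for a plain-TCP server that behaves normally.
SAMPLE_TRACE = """\
12:00:01.000 IP 192.168.6.10.51000 > 203.0.113.10.443: UDP, length 1200
12:00:01.020 IP 203.0.113.10.443 > 192.168.6.10.51000: UDP, length 1200
12:00:01.100 IP 192.168.6.10.52000 > 203.0.113.10.443: Flags [S], seq 1
12:00:01.120 IP 203.0.113.10.443 > 192.168.6.10.52000: Flags [S.], seq 5, ack 2
12:00:01.121 IP 192.168.6.10.52000 > 203.0.113.10.443: Flags [R], seq 2
12:00:02.000 IP 192.168.6.10.53000 > 198.51.100.20.443: Flags [S], seq 1
12:00:02.020 IP 198.51.100.20.443 > 192.168.6.10.53000: Flags [S.], seq 9, ack 2
12:00:02.021 IP 192.168.6.10.53000 > 198.51.100.20.443: Flags [.], ack 10
"""

LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (UDP|Flags \[([^\]]+)\])")

def find_quic_fallback_failures(trace, client_net="192.168.6."):
    quic = defaultdict(set)   # (client, server) -> {"c2s", "s2c"} seen on UDP/443
    tcp = defaultdict(list)   # (client, server, client_port) -> [(direction, flags)]
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, proto, flags = m.groups()
        if src.startswith(client_net) and dport == "443":      # client -> server
            key, direction, cport = (src, dst), "c2s", sport
        elif dst.startswith(client_net) and sport == "443":    # server -> client
            key, direction, cport = (dst, src), "s2c", dport
        else:
            continue
        if proto == "UDP":
            quic[key].add(direction)
        else:
            tcp[key + (cport,)].append((direction, flags))
    failures = []
    for (client, server, cport), seq in tcp.items():
        # SYN, SYN/ACK, then a client-sent RST, while QUIC already worked both ways
        if (seq[:3] == [("c2s", "S"), ("s2c", "S."), ("c2s", "R")]
                and quic.get((client, server)) == {"c2s", "s2c"}):
            failures.append((client, server, int(cport)))
    return failures
```

Run it over a real export (after adapting the line pattern to your sniffer's format) and any hit shows a client/server pair where the QUIC-to-TCP fallback never completed.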

Thank you! This helped me as well!

Had exactly the same issue with QUIC/RST for L2TP/IPsec iPhone clients. The issue is not MikroTik-only; had it with other vendors as well. Finally managed to dump traffic, find the RST/QUIC issues and found this thread by

iphone cellular vpn “quic” reset

Huge thanks for the hint. I wonder why the QUIC to HTTPS fallback does not work with a VPN, but it’s probably a question for Apple. Also, there are ICMP destination unreachable (port unreachable) messages in the same UDP stream with the faulty QUIC setup, where the destination is the Google/etc. server and the port is 443.