I am trying to configure an L2TP/IPsec server on MT. It is intended for road warriors with Windows 7 connecting to the office LAN from various places with unknown and dynamic IP addresses and from behind NAT.
The sample configuration looks like this:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=30s dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=*********** send-initial-contact=yes
I have two routers on which this config works fine, always, without exception so far.
On other routers, always or most of the time (!?) the policy gets generated with client’s LOCAL address, while SA and Remote Peers have client’s PUBLIC address - hence, the connection does not happen.
I can't figure out why this happens. I can tell (after hours of experimenting) that it does not depend on the RouterOS version used (5.14, 5.20, 5.24), the routers, or the clients. I did find some threads describing the same problem a year ago, but no solution has been posted.
Does anyone have the same problem, and did anyone find a solution?
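The symptom in the post (dynamic policy built with the client's private, behind-NAT address while the SA itself carries the client's public address) is easy to spot mechanically. The following is an added example, not code from the poster or from MikroTik: it takes the text of a `/ip ipsec policy print detail` run, pulls out each policy's `dst-address` and `sa-dst-address`, and flags any policy whose traffic selector is an RFC 1918 address that differs from the SA endpoint. The two sample policy lines are constructed for the example and only modelled on the key=value style of RouterOS `print` output; the field names and the exact layout are an assumption, so adjust the parser if your router prints them differently.

```python
import ipaddress
import re

# Constructed sample of `/ip ipsec policy print detail` output (not captured from
# a real router). Policy 0 shows the problem from the post: the traffic selector
# (dst-address) is the client's LAN address, but the SA was built to its public
# address. Policy 1 is a healthy dynamic policy for a client with a public address.
POLICY_PRINT = """\
 0  DA src-address=203.0.113.10/32 src-port=1701 dst-address=192.168.1.23/32 dst-port=any protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no sa-src-address=203.0.113.10 sa-dst-address=198.51.100.77 proposal=default
 1  DA src-address=203.0.113.10/32 src-port=1701 dst-address=198.51.100.78/32 dst-port=any protocol=udp action=encrypt level=unique ipsec-protocols=esp tunnel=no sa-src-address=203.0.113.10 sa-dst-address=198.51.100.78 proposal=default
"""

# RFC 1918 ranges checked explicitly rather than via ipaddress.is_private, which
# also treats the documentation ranges used in the sample above as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\S+?)=(\S+)")


def is_rfc1918(addr):
    """True if addr (an IPv4Address) lies in one of the RFC 1918 ranges."""
    return any(addr in net for net in RFC1918)


def parse_policies(text):
    """Turn each printed policy line into a dict of its key=value fields."""
    policies = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "dst-address" in fields and "sa-dst-address" in fields:
            policies.append(fields)
    return policies


def check_policy(policy):
    """Classify one policy: 'ok', 'nat-mismatch' or a generic 'mismatch'.

    'nat-mismatch' is the case described in the post: the selector is a
    private address (the client's LAN side) while the SA endpoint is the
    public address seen after NAT traversal.
    """
    dst = ipaddress.ip_network(policy["dst-address"], strict=False)
    sa_dst = ipaddress.ip_address(policy["sa-dst-address"])
    if dst.prefixlen == 32 and dst.network_address == sa_dst:
        return "ok"
    if is_rfc1918(dst.network_address) and not is_rfc1918(sa_dst):
        return "nat-mismatch"
    return "mismatch"


def find_bad_policies(text):
    """Return (dst-address, sa-dst-address, verdict) for every non-ok policy."""
    results = []
    for policy in parse_policies(text):
        verdict = check_policy(policy)
        if verdict != "ok":
            results.append((policy["dst-address"], policy["sa-dst-address"], verdict))
    return results


if __name__ == "__main__":
    for dst, sa_dst, verdict in find_bad_policies(POLICY_PRINT):
        print(f"policy to {dst} but SA to {sa_dst}: {verdict}")
```

Run it against real output by pasting the router's `print detail` text in place of the constructed sample; a `nat-mismatch` line for a client that is known to sit behind NAT reproduces the situation the post describes, and a clean run on the routers where the setup works gives a quick way to compare the two.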