IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Hi,
is it possible to configure an IPSec/L2TP VPN when the Mikrotik router is behind NAT but is reachable by FQDN (all protocols and ports)?
I tried adding the hostname to the my-id-user-fqdn field in the IPsec peer configuration, but it still doesn't work.

# PPP profile handed to L2TP clients: addresses come from the vpn_pool_pokus pool
/ppp profile
add change-tcp-mss=yes dns-server=192.168.101.1 local-address=192.168.101.1 name=VPN_server_profile \
remote-address=vpn_pool_pokus

# One L2TP user
/ppp secret
add name=ppp_secret password=ppp_pass profile=VPN_server_profile service=l2tp

# Road-warrior IPsec peer (main-mode for L2TP, PSK, NAT-T enabled, FQDN as local ID)
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 my-id-user-fqdn=myrouter.mydomain.cz \
nat-traversal=yes secret=VPN_secret

# Input chain: allow ICMP, established/related, ESP, GRE (for PPTP), IKE/NAT-T/L2TP, drop the rest from WAN
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input protocol=ipsec-esp
add chain=input protocol=gre
add chain=input comment="L2TP VPN" dst-port=500,4500,1701 protocol=udp
add action=drop chain=input in-interface=wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan

Thanks for advice,
Jan
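As an added example (not part of the post above, and not the poster's configuration): a variant of the input rules in which UDP 1701 is accepted only when the packet was decapsulated from an IPsec SA, using the firewall's ipsec-policy matcher, so unencrypted L2TP arriving on the WAN is dropped. The interface name wan is taken from the post; everything else is assumed.

```routeros
# Added example, not the original poster's config. Assumes the WAN interface is
# named "wan" as in the post. These rules belong above the final
# "add action=drop chain=input in-interface=wan" rule.
/ip firewall filter
# IKE (500) and NAT-T UDP encapsulation (4500) must be reachable from anywhere
add chain=input comment="IKE / NAT-T" protocol=udp dst-port=500,4500 in-interface=wan
# ESP for peers that are not behind NAT (NAT-T peers arrive on UDP 4500 instead)
add chain=input comment="ESP" protocol=ipsec-esp in-interface=wan
# L2TP: accept only packets that came out of an inbound IPsec policy
add chain=input comment="L2TP inside IPsec" protocol=udp dst-port=1701 ipsec-policy=in,ipsec
# Anything else on 1701 from the WAN is plain, unencrypted L2TP; drop it explicitly
add action=drop chain=input comment="plain L2TP from WAN" protocol=udp dst-port=1701 in-interface=wan
```

The ipsec-policy=in,ipsec matcher is what separates L2TP that was carried inside ESP from L2TP sent in the clear; without it, the single dst-port=500,4500,1701 rule in the post accepts both.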

Do you mean L2TP/IPSec AC being behind NAT, or the L2TP/IPSec client being behind NAT?

The L2TP/IPSec AC is behind NAT. The client is not an issue (I'm running the same config at other sites where the Mikrotik is the gateway with a public IP, and it works fine regardless of whether the client is behind NAT).
I need to make a VPN to a Mikrotik gateway which has a private IP; all traffic to it is routed based on its FQDN. So it's reachable from the internet, but only by FQDN, not by IP.

I also tried to set up a PPTP VPN to it and it works, so it's kind of strange to me why L2TP/IPSec does not…

Pure PPTP will work, that is not a problem.

IPSec will NOT work when the AC is behind NAT. As soon as you involve IPSec, the initiator can be behind NAT, but the responder (the AC) has to have a public IP.

What is the solution when the AC is behind NAT and has a private IP?
I'm having the same problem; the IPSEC VPN server is behind the Mikrotik RB450G.

The AC cannot be behind NAT. Only the client can be behind NAT.

Tomaskir, please see what I wrote in the other topic: http://forum.mikrotik.com/t/ipsec-l2tp-issue/68761/1

Thanks

I understand that this is a limitation of Mikrotik devices, no?

Because Windows Server is perfectly capable of working with L2TP clients even when both (server and client) are behind NAT.

It's a limitation of IPSec.

For pure L2TP, the AC can be behind NAT, no problem. Not for L2TP/IPSec though.

Mmm, then how does Windows Server manage to work?

I'd suppose that Microsoft is doing some trick to make it work. But I can assure you that I connect to several Windows 2003 Servers which are behind NAT (and I'm also behind a NAT).

I just have to tweak the registry a little bit:

http://support.microsoft.com/kb/926179

A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

Regards.

Oh yeah, with other vendors it can work; Cisco's IPSec works with the AC being behind NAT as well.
They don't include the IP header src and dst addresses and a few more things in the IPSec checksum calculations, and therefore the packet doesn't become invalid when processed by the IPSec process.

With Mikrotik though, I don't know of any way to make it work.

It works. I tested this with a Win7 client. IPSEC is on a NAT-ed Synology NAS. On the Mikrotik, forward UDP ports 500, 1701 and 4500 to the IPSEC VPN server.

On the Windows client this also needs to be configured:

http://support.microsoft.com/kb/926179

Set it to 2.

I just spent a few hours trying to figure this out. Hope this helps anyone who lands here searching for a fix.
Cheers.

As mentioned before, other vendors' IPSec ACs can be behind NAT (it doesn't matter whether the NAT is a Mikrotik or not).

The point discussed in this topic was that a Mikrotik IPSec AC cannot be behind NAT (no matter what the NAT vendor is).

I have two Mikrotik devices, an x86 and an RB1100AHX2, that currently use an IPSEC tunnel-mode connection, both behind Cisco firewalls and using NAT at both ends.

So it can be done with Mikrotik ROS 6.3 in tunnel mode.

I’m still working on solving the transport mode option.

The policy sa-src-address should be the local outbound address before NAT, and the sa-dst-address should be the remote firewall address that will be NATed.
NAT traversal is set.

/ip ipsec policy
add src-address=10.32.47.0/24 src-port=any dst-address=172.20.201.120/29 \
dst-port=any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.210.50 \
sa-dst-address=(remote-firewall) proposal=default priority=0

The outward-facing address (the NAT destination) is 192.168.210.50.

As I read here, it could be done, but I am trying and the negotiation for IPSec starts but cannot be established. My scheme:

Private LAN (192.168.0.1/24) -----> RB951G v6.7 (LAN side 192.168.0.220, WAN side 192.168.1.220) -----> ADSL router (LAN side 192.168.1.1, public side 213.56.122.xxx)

The ADSL router's default DMZ is 192.168.1.220.

I call 213.56.122.xxx from a road-warrior PC using PPTP mschapv2 and VPN works fine.

I try and try using L2TP with the IPSec server on the MikroTik, and I must have something wrong or it is not possible; it fails on IPSec negotiation.

It creates:

A dynamic policy in IPsec:

src-address="Remote IP Public Address" src-port=any dst-address=213.56.122.xxx
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address="Remote IP Public Address"
sa-dst-address=213.56.122.xxx proposal=default priority=2

Remote Peers:

Local Address: 192.168.1.220
Remote Address: "Remote IP Public Address"
Side: Responder
Established: in time…

Installed SA:

Src Address: "Remote IP Public Address"
Dst Address: 192.168.1.220

Can you tell me if it will work with the provided scheme?

Thanks in advance.

Hello,

I just want to know if it's still not possible to have both sides behind a NAT when you use L2TP/IPSEC with Mikrotik, or whether there is now a possibility to create such a VPN connection.

I have seen that there have been some changes to it lately (e.g. the IPSEC checkbox on the L2TP server).

Best Regards.

Quite an old discussion, but I had the same problem: there is no way to make the MT L2TP/IPSEC AC work behind a NAT, because the policy is created using public IP addresses, while the SAs are installed using the MT AC's WAN IP (which is a private one anyway, behind a NAT).

If you manually create a policy with the MT WAN IP as source and the remote client's public IP as destination (but it changes frequently, so this is useless), L2TP/IPSEC works like a charm!!!

Cisco does it , Microsoft does it, other brands do it,

I don't know why Mikrotik cannot implement a way to create a dynamic policy with the routerboard WAN interface IP as source for incoming L2TP/IPSEC requests (or 0.0.0.0/0).
Is it impossible, or just not requested by enough people to be implemented?

Any answer from MT staff, please?

thank you very much.


P.S. It seems to me that the same issue is present when securing a GRE tunnel between MT devices with both ends behind a NAT and one of the two with a dynamic ISP IP address:
Again, when a policy is created dynamically by the MT device behind NAT, it uses the wrong parameters and thus fails.

With both ISP addresses static there are no problems, as the policies are created manually the right way.

Can you confirm this?
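The manual transport-mode policy described in the post above, written out as an added example (not the poster's own configuration). The two addresses are placeholders: 192.168.1.220 stands for the router's own private WAN address (the address inside the NAT, as in the RB951G scheme earlier in the thread) and 203.0.113.10 for the road-warrior's current public address. The policy shape (protocol=all, tunnel=no, ESP, level=require) mirrors the dynamic policy shown earlier in the thread; only the two endpoints are swapped to the values the post says make it work.

```routeros
# Added example, not from the thread. Manual transport-mode IPsec policy for one
# L2TP/IPsec road warrior when the MikroTik responder sits behind NAT.
# Placeholders (assumptions):
#   192.168.1.220 = this router's private WAN address (what the SA is actually installed with)
#   203.0.113.10  = the client's current public address (must be updated when it changes)
/ip ipsec policy add \
    src-address=192.168.1.220/32 src-port=any \
    dst-address=203.0.113.10/32 dst-port=any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=192.168.1.220 sa-dst-address=203.0.113.10 \
    proposal=default comment="manual L2TP/IPsec policy, responder behind NAT"
```

The assumption behind this is that the matching peer entry no longer generates its own policy (generate-policy=no instead of the port-override used in the first post), otherwise the dynamic policy built from the public addresses would still be created at negotiation time alongside this one. As the post notes, a road-warrior's public address changes, so this only helps for a client with a fixed address or until the next change.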

Also interested in this, as my Mikrotik is behind NAT! I have no other choice, as I am required to do PPPoE by my ISP and this consumes too many resources on the Mikrotik. In order to achieve the maximum line speeds (this is a symmetric 300 Mbps connection), I need to put the ISP router in between to do PPPoE and take this load off the Mikrotik server… Therefore, the Mikrotik ends up behind NAT.

It would be a bit ridiculous if we could achieve this by redirecting the L2TP/IPSec ports on the Mikrotik to a Linux or Windows server in the LAN, behind NAT, but couldn't do it directly on the Mikrotik.

Is it an xDSL connection?
I have no experience with that, but I don't think the PPPoE client inside the MT machine takes so many resources once the PPPoE connection is established…
In one of my installations I have to do it this way: configure a Cisco router as a straight DSL modem (ATM and Ethernet bridged together) and leave the routerboard to do the PPPoE job, in order to get the REAL public IP address right on the Mikrotik WAN interface.

Other ISPs here supply their own DSL router with telephone lines built in as VoIP in their devices, so you lose this feature if the router is replaced; all I can do then is a transparent NAT without any L2TP possibility if the public IP is dynamic :frowning:

Finally it works on 6.38, thanks.