Hey Forum
I worked on this issue for hours and finally found the solution, and I want to share it.
I have three client machines here in my home LAN behind a NAT router.
Then we have a CCR1016-12G router (RouterOS v7.1) in the office which terminates these road warrior clients with L2TP/IPsec and WireGuard:
The WireGuard clients can ping destinations in the corporate network until the L2TP client connects as well.
The L2TP client works just fine, but none of the WireGuard clients can get any packets through once the L2TP client is connected.
Solution / Root cause:
I changed the IPSEC Identity > Generate Policy from “port override” to “port strict”.
The manual: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Allow this peer to establish SA for non-existing policies.
Such policies are created dynamically for the lifetime of SA.
Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time.
- no - do not generate policies;
- port-override - generate policies and force policy to use any port (old behavior);
- port-strict - use ports from peer's proposal, which should match peer's policy.
Can someone explain the difference and use case for each option?
I remember that we set this for a reason, probably because Windows clients?
I found this: https://itimagination.com/mikrotik-l2tp-ipsec-dedicated-vpn-appliance-setup/
As a note, there is an optional setting in the L2TP VPN protocol, that using a Strict Port setting, allows clients to select a different UDP port once a connection is established, rather than being hard-coded to UDP 1701. In practice, it works on Macs/Linux, and does not work on Windows clients. I've had 5x OSX devices connect from the same source IP without issue. I've had 1x Windows, and 5x OSX devices connect without issue. The moment you have a second Windows L2TP client attempt to connect, the previous connection will be kicked.
What’s the fix if you’ve got a lot of Windows clients sharing the same Source IP? — use different source IPs (cell-phone hotspot), or configure an IKEv2 VPN Server, rather than a L2TP VPN Server. I am currently writing a detailed IKEv2 Mikrotik VPN guide at the moment.
@mrz writes: http://forum.mikrotik.com/t/l2tp-ipsec-client-behind-nat/115845/1
You need policy too to match L2TP traffic. But note that L2TP over IKE2 will not work with Windows, iOS or other vendor clients.
Does this mean if I want to access 172.17.10.0/22 from my L2TP Clients I have to build dedicated IPSEC Policy?
Many thanks and best regards, Flo.
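As an added example (not part of Flo's post or the linked guides), here is the RouterOS v7 CLI form of the two identity settings the post compares, with a verification step. The peer name "l2tp-rw" and the secret "REPLACE-ME" are placeholders, and it assumes the L2TP server and the IPsec peer/identity are configured manually rather than created dynamically by the L2TP server.

```routeros
# Added example, not from the original post. Placeholders: peer "l2tp-rw", secret "REPLACE-ME".
# Responder peer for road warriors whose source address is unknown (behind NAT).
/ip ipsec peer add name=l2tp-rw passive=yes exchange-mode=main

# Setting the post moved away from: the dynamically generated policy is forced to any port
# (per the manual quote above). A UDP-any-port policy for the NAT address would also match
# the WireGuard clients' UDP packets arriving from that same address, which is consistent
# with the symptom of WireGuard going dead once the L2TP client is up.
# /ip ipsec identity add peer=l2tp-rw auth-method=pre-shared-key secret="REPLACE-ME" \
#     generate-policy=port-override

# Setting the post switched to: ports are taken from the peer's proposal (UDP/1701 for L2TP),
# so the dynamic policy covers only the L2TP traffic.
/ip ipsec identity add peer=l2tp-rw auth-method=pre-shared-key secret="REPLACE-ME" \
    generate-policy=port-strict

# Verification after an L2TP client connects: inspect the dynamic policies and their ports.
# Under port-override the policy shows any port; under port-strict it shows the proposed ports.
/ip ipsec policy print detail where dynamic
/ip ipsec active-peers print
```

The dynamic policy listing is the quickest check: if a policy for the road warrior's public address shows UDP with no port restriction while WireGuard from the same address is failing, the identity is still on port-override.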