L2TP Client not connecting

rmuhammadali · October 26, 2023, 11:09am

Dear Members,
Please help me create the L2TP VPN with mikrotik and windows server.

L2TP Client is configured on Mikrotik,
Windows Server 2012 is configured as Routing & Remote Access Service

The VPN disconnected with log below

15:57:35 l2tp,ppp,info l2tp-WIN-VPN: initializing…
15:57:35 l2tp,ppp,info l2tp-WIN-VPN: connecting…
15:57:38 ipsec,info initiate new phase 1 (Identity Protection): 10.10.7.1[500]<=>10.10.7.2[500]
15:57:38 ipsec,info ISAKMP-SA established 10.10.7.1[500]-10.10.7.2[500] spi:a90aa846852f85e9:45719b3f1dba969e
15:58:02 l2tp,ppp,info l2tp-WIN-VPN: terminating… - session closed
15:58:02 l2tp,ppp,info l2tp-WIN-VPN: disconnected
15:58:03 ipsec,info ISAKMP-SA deleted 10.10.7.1[500]-10.10.7.2[500] spi:a90aa846852f85e9:45719b3f1dba969e rekey:1

Please suggest what is wrong.

Regards
RMAK

erlinden · October 26, 2023, 11:13am

Using Windows Server 2012 is wrong in itself…but I guest that is not the question.
How is the client configured?
And how is the server configured?

/export file=anynameyoulike

Make sure to remove serial and any other private information.

rmuhammadali · October 26, 2023, 11:20am

Export file.

oct/26/2023 16:13:54 by RouterOS 6.49.10

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-MGMT
set [ find default-name=ether7 ] name=ether7-RRAS
/interface l2tp-client
add connect-to=10.10.7.2 disabled=no ipsec-secret=1234567890 name=l2tp-WIN-VPN password=password use-ipsec=yes user=rmak
/interface pptp-client
add connect-to=10.10.7.2 name=pptp-WIN-VPN password=password user=rmak
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether2-MGMT list=LAN
/ip address
add address=10.1.1.1/30 interface=ether2-MGMT network=10.1.1.0
add address=172.16.16.22/24 interface=ether1-WAN network=172.16.16.0
add address=10.10.7.1/30 interface=ether7-RRAS network=10.10.7.0
/ip dhcp-client
add interface=ether1-WAN
/ip dns
set allow-remote-requests=yes servers=4.2.2.2,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="L2TP 7.2 Access Granted Primary" dst-port=500,4500,50 log=yes protocol=udp to-addresses=10.10.7.2
add action=dst-nat chain=dstnat comment="L2TP 7.2 Access Granted Primary" dst-port=1701 log=yes protocol=tcp to-addresses=10.10.7.2
add action=dst-nat chain=dstnat comment="PPTP 7.2 Access Granted Primary" dst-port=1723 log=yes protocol=tcp to-addresses=10.10.7.2
/ip route
add distance=1 gateway=172.16.16.1
/system identity
set name=MikroTik_Gateway

johnson73 · October 26, 2023, 1:52pm

Do you not have a firewall section for mikrotik at all?

If you want to connect to the windows server located behind the mikrotik, then we create an L2tp ipsec connection.
Good practice is use “default rules” which we supplement with a rule for 500.4500,1701 ports. We do not write this roll in the NAT section, but in “Input chain”. This is incoming traffic from outside.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

How to configure L2tp ipsec itself? As an example- https://www.youtube.com/watch?v=WW2i5SVcPw4

rmuhammadali · October 27, 2023, 4:03am

Hi,
Mikrotik is working for outside client request with both L2TP and PPTP. The issue is when we need to connect Mikrotik L2TP Client with Windows RRAS, its givin error.

15:57:35 l2tp,ppp,info l2tp-WIN-VPN: initializing…
15:57:35 l2tp,ppp,info l2tp-WIN-VPN: connecting…
15:57:38 ipsec,info initiate new phase 1 (Identity Protection): 10.10.7.1[500]<=>10.10.7.2[500]
15:57:38 ipsec,info ISAKMP-SA established 10.10.7.1[500]-10.10.7.2[500] spi:a90aa846852f85e9:45719b3f1dba969e
15:58:02 l2tp,ppp,info l2tp-WIN-VPN: terminating… - session closed
15:58:02 l2tp,ppp,info l2tp-WIN-VPN: disconnected
15:58:03 ipsec,info ISAKMP-SA deleted 10.10.7.1[500]-10.10.7.2[500] spi:a90aa846852f85e9:45719b3f1dba969e rekey:1

On the other side PPTP is working good but required method is L2TP.

Ca6ko · October 27, 2023, 6:59am

Apparently, you already have one L2TP tunnel to the RRAS server via Mikrotik, and Windows won’t give you a second tunnel. Search on the topic 2 L2TP via NAT