L2TP IPSec behind Internet

Hey guys,

Sorry for my English,

I'm on 6.44.6 and behind a Livebox with the DMZ pointing to my WAN.

I have been trying for a few days to set up a VPN for roaming connections, L2TP over IPsec.
No problem establishing the connection when I am in my LAN, and the same if I connect from the subnet of the box (regardless of the type of box and the ISP) to the MikroTik WAN.
The problem is when I try from another Internet connection, from a client (in this case Windows 10) pointing to the public IP address.

I checked the DMZ of the Livebox, it works.

I have read that behind a NAT, IPsec does not traverse well with MikroTik (NAT traversal problem?), because with PPTP it works without any problem, logically.

The firewall has been disabled for the test, the src-nat masquerade has been configured …
I enabled the more detailed logging for the ipsec and l2tp topics, but it is difficult to interpret.

I am on an RB4011 but I also tested this configuration on other models with the same result.

I do not understand what could be the problem?



Pub IP <=> BOX 192.168.250.254/24 (Dmz to 250.214) <=> WAN MT 192.168.250.214/24 <=> LAN MT 192.168.15.254/24
VPN zone: 10.0.0.0/24

Nat rules:

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NAT L2TP Ipsec" src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment="FTP_Web Server" dst-port=21 in-interface-list=WAN protocol=tcp src-port="" to-addresses=192.168.250.214 to-ports=21
add action=dst-nat chain=dstnat dst-port=20 in-interface-list=WAN protocol=tcp src-port="" to-addresses=192.168.250.214 to-ports=20
add action=dst-nat chain=dstnat comment=HTTPS_ServeurWeb dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.250.214 to-ports=443

Firewall rules:
All disabled

PPP rules (IPSec required):

/ppp profile
add dns-server=8.8.8.8 local-address=10.10.10.1 name=VPN-L2TP remote-address=VPN-L2TP use-encryption=yes
/ppp secret
add name=steve password=ilovemum profile=VPN-L2TP

IPSec rules (with a pre-shared key on the peer):

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128,3des,des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des,des pfs-group=none

Read this, it works very well:
http://forum.mikrotik.com/t/l2tp-vpn-can-not-connect-on-windows-10/131292/1

Another solution is to modify the Windows client registry:
http://woshub.com/l2tp-ipsec-vpn-server-behind/
Original MS article about this solution (also works on the latest Windows versions):
https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows
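As an added example (not part of the reply above or of the linked articles), here is the client-side registry change those articles describe, written as a PowerShell check-and-set so the current state is visible before anything is changed. The key path and value name come from the Microsoft article linked above; the value meanings (0, 1, 2) are from the same article. It must be run in an elevated shell, and the IPsec policy agent only picks the change up after a reboot.

```powershell
# Added example, not from the thread: inspect and apply the Windows client-side
# setting described in Microsoft KB 926179 for L2TP/IPsec with NAT-T.
# Requires an elevated PowerShell session; takes effect after a reboot.

$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName      = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of the DWORD (per the linked article):
#   0 = default, Windows will not connect to a server behind a NAT-T device
#   1 = the server is behind a NAT device
#   2 = both the client and the server are behind NAT devices
#       (the OP's case: router behind a Livebox DMZ, client on another NAT)

function Get-L2tpNatTraversalSetting {
    # Absent value means Windows is using the default behaviour (0).
    $item = Get-ItemProperty -Path $PolicyAgentKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-L2tpNatTraversalSetting {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $PolicyAgentKey)) {
        New-Item -Path $PolicyAgentKey -Force | Out-Null
    }
    # -Force overwrites an existing value; the type is REG_DWORD as the article requires.
    New-ItemProperty -Path $PolicyAgentKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-L2tpNatTraversalSetting
Write-Host "Current $ValueName = $current"

if ($current -ne 2) {
    Set-L2tpNatTraversalSetting -Value 2
    Write-Host "Set $ValueName to 2. Reboot the client before testing the L2TP/IPsec connection again."
} else {
    Write-Host "Already set to 2; nothing changed."
}
```

Nothing on the RouterOS side changes with this: the setting only affects how the Windows client handles UDP-encapsulated ESP when it detects NAT on its own side, which is why it is a per-client fix and does not address several clients sharing one NAT.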

Thanks,

but not really very well…

it's just for one client connection :frowning:
For multiple sessions, it gets more complicated.

I finally made the choice for IPsec PSK + XAuth with the Shrew Soft VPN client.

The first solution is unusable only for clients that are all behind one NAT.