Hello!
I have the following fully working:
L2TP/IPSec PSK with NAT-T (client behind the NAT)
L2TP/IPSec RSA without NAT-T (public IP used)
However, when I tried to use L2TP/IPSec RSA with the client behind the NAT, I got an error on the client side (789 on Win10) and an error on the MikroTik side:
ISAKMP-SA established
the packet is retransmitted by [client IP]
And then:
phase1 negotiation failed due to time up
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=FirmVPN-SRV comment=VPN-Clients-RSA dh-group=modp1024 \
enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes
So the question to MikroTik Support:
- Does RouterOS support L2TP/IPSec RSA with NAT-T technology? If it does, where should I look for debug?