L2TP IPSec VPN not working from W10 (other Windows connects OK)

Good day!
RB2011UiAS ROS 6.46.4

I've set up a VPN connection to my corporate gateway RB2011 with L2Tp and IPSec
My client is W10 PC and when I connect VPN nothing happens (Connecting...) after entering credentials.

Strange thing is that another client with Windows PC connects successfully


L2TP config:
/ppp profile
add bridge=bridge-local change-tcp-mss=yes dns-server=, local-address= name=l2tp remote-address=vpn.it.adm use-compression=yes use-encryption=yes
add bridge=bridge-local change-tcp-mss=yes dns-server=, local-address= name="l2tp-2 (sub)" remote-address=vpn.it.sub use-compression=yes use-encryption=yes
/ppp secret
add name=user123 password=1234567 profile=l2tp service=l2tp
add name=user456 password=1234567 profile="l2tp-2 (sub)" service=l2tp



IPSec config: (AA.AAA.AAA.AA - gateway Internet IP address)
/ip ipsec mode-config
add address-pool=vpn.it.adm name=cfg1
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
add dh-group=modp1024 name=profile_2 nat-traversal=no
/ip ipsec peer
add address=AA.AAA.AAA.AA/32 name=peer3 profile=profile_2

This entry is unreachable

add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=3des name=proposal1 pfs-group=none
/ip ipsec identity

address ID must be used in main mode or use my-id=auto!

add generate-policy=port-override mode-config=cfg1 my-id=user-fqdn peer=peer1 remote-id=ignore secret=123

Suggestion to use stronger pre-shared key or different authentication method

add peer=peer3 secret=test
add auth-method=pre-shared-key-xauth password=123 username=user1
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 proposal=proposal1 src-address=0.0.0.0/0
add dst-address=XXX.XXX.XXX.0/24 peer=peer3 sa-dst-address=AA.AAA.AAA.AA sa-src-address=0.0.0.0 src-address=XXX.XXX.XXX.0/24 tunnel=yes



Log: (AA.AAA.AAA.A - my "real" Internet IP address, BBB.BBB.BBB.BB - client IP address)

16:00:57 ipsec,info respond new phase 1 (Identity Protection): AA.AAA.AAA.A[500]<=>BBB.BBB.BBB.BB[27097]
16:00:58 ipsec,info ISAKMP-SA established AA.AAA.AAA.A[4500]-BBB.BBB.BBB.BB[46871] spi:07e02ea806179125:b1fbf4fae1bac4fc
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:00:59 l2tp,debug,packet (M) Message-Type=SCCRQ
16:00:59 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:00:59 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:00:59 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:00:59 l2tp,debug,packet Firmware-Revision=0xa00
16:00:59 l2tp,debug,packet (M) Host-Name="nb01.tstp.int"
16:00:59 l2tp,debug,packet Vendor-Name="Microsoft"
16:00:59 l2tp,debug,packet (M) Assigned-Tunnel-ID=19
16:00:59 l2tp,debug,packet (M) Receive-Window-Size=8
16:00:59 l2tp,info first L2TP UDP packet received from BBB.BBB.BBB.BB
16:00:59 l2tp,debug tunnel 7 entering state: wait-ctl-conn
16:00:59 l2tp,debug,packet sent control message to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=0, ns=0, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=SCCRP
16:00:59 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:00:59 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:00:59 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:00:59 l2tp,debug,packet Firmware-Revision=0x1
16:00:59 l2tp,debug,packet (M) Host-Name="gw1"
16:00:59 l2tp,debug,packet Vendor-Name="MikroTik"
16:00:59 l2tp,debug,packet (M) Assigned-Tunnel-ID=7
16:00:59 l2tp,debug,packet (M) Receive-Window-Size=4
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=7, session-id=0, ns=1, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=SCCCN
16:00:59 l2tp,debug tunnel 7 entering state: estabilished
16:00:59 l2tp,debug,packet sent control message (ack) to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=0, ns=1, nr=2
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=7, session-id=0, ns=2, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=ICRQ
16:00:59 l2tp,debug,packet (M) Assigned-Session-ID=1
16:00:59 l2tp,debug,packet (M) Call-Serial-Number=0
16:00:59 l2tp,debug,packet (M) Bearer-Type=0x2
16:00:59 l2tp,debug,packet 1(vendor-id=311)=0x59:45:ac:39:17:0e:4f:48:a7:37:ad:09:b3:31:fc:a8
16:00:59 l2tp,debug session 1 entering state: wait-connect
16:00:59 l2tp,debug,packet sent control message to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=1, ns=1, nr=3
16:00:59 l2tp,debug,packet (M) Message-Type=ICRP
16:00:59 l2tp,debug,packet (M) Assigned-Session-ID=1
16:01:00 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:01:00 l2tp,debug,packet tunnel-id=7, session-id=1, ns=3, nr=2
16:01:00 l2tp,debug,packet (M) Message-Type=ICCN
16:01:00 l2tp,debug,packet (M) Tx-Connect-Speed-BPS=72200000
16:01:00 l2tp,debug,packet (M) Framing-Type=0x1
16:01:00 l2tp,debug,packet Proxy-Authen-Type=4
16:01:00 l2tp,debug session 1 entering state: established
16:01:00 l2tp,debug,packet sent control message (ack) to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:01:00 l2tp,debug,packet tunnel-id=19, session-id=0, ns=2, nr=4
16:01:00 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP lowerup
16:01:00 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP open
16:01:01 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:01 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x1
16:01:01 l2tp,ppp,debug,packet <mru 1372>
16:01:01 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:01 l2tp,ppp,debug,packet
16:01:02 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:02 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x2
16:01:02 l2tp,ppp,debug,packet <mru 1372>
16:01:02 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:02 l2tp,ppp,debug,packet
16:01:03 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:03 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x3
16:01:03 l2tp,ppp,debug,packet <mru 1372>
16:01:03 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:03 l2tp,ppp,debug,packet
16:01:05 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:05 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x4
16:01:05 l2tp,ppp,debug,packet <mru 1372>
16:01:05 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:05 l2tp,ppp,debug,packet
16:01:09 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:09 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x5
16:01:09 l2tp,ppp,debug,packet <mru 1372>
16:01:09 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:09 l2tp,ppp,debug,packet
16:01:14 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:14 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x6
16:01:14 l2tp,ppp,debug,packet <mru 1372>
16:01:14 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:14 l2tp,ppp,debug,packet

A few days before I had the same issue (Windows 10 build 1909). Nothing was changed on the router side. Restarting the router had no effect. I connected using my second PC with an older build of Win10 with success. The next day everything was fine using any of my PCs…
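The log above shows the usual shape of this failure: IKE phase 1 completes (on port 4500, so NAT-T is in play), the L2TP tunnel and session reach "established", and then the router's PPP LCP ConfReq is retransmitted (id=0x1 … 0x6) without ever being answered. The following triage script is an added example, not code from the thread or from MikroTik: it reads RouterOS log lines in the format shown above and reports at which stage the handshake stalled. The sample logs are constructed (condensed from the thread's log); the "rcvd LCP ConfAck" line in the healthy sample is an assumed format for the client's reply and is not taken from the thread.

```python
import re

# Constructed sample, condensed from the debug log shown in the thread:
# IPsec comes up, the L2TP tunnel and session come up, then the router's
# PPP LCP ConfReq frames are retransmitted and never answered.
STALLED_LOG = """\
16:00:57 ipsec,info respond new phase 1 (Identity Protection): AA.AAA.AAA.A[500]<=>BBB.BBB.BBB.BB[27097]
16:00:58 ipsec,info ISAKMP-SA established AA.AAA.AAA.A[4500]-BBB.BBB.BBB.BB[46871] spi:07e02ea806179125:b1fbf4fae1bac4fc
16:00:59 l2tp,info first L2TP UDP packet received from BBB.BBB.BBB.BB
16:00:59 l2tp,debug tunnel 7 entering state: estabilished
16:01:00 l2tp,debug session 1 entering state: established
16:01:00 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP lowerup
16:01:01 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x1
16:01:02 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x2
16:01:03 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x3
"""

# Constructed "healthy" counterpart: same start, but the client answers the
# first ConfReq. The reply line format is an assumption, not from the thread.
HEALTHY_LOG = "\n".join(STALLED_LOG.splitlines()[:7] + [
    "16:01:01 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: rcvd LCP ConfAck id=0x1",
    "16:01:01 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP opened",
]) + "\n"

RE_PHASE1 = re.compile(r"ipsec,info respond new phase 1")
RE_ISAKMP = re.compile(r"ISAKMP-SA established [^\s\[]+\[(\d+)\]-[^\s\[]+\[(\d+)\]")
# RouterOS logs the tunnel state as "estabilished"; match the common prefix.
RE_TUNNEL = re.compile(r"l2tp,debug tunnel \d+ entering state: estab")
RE_SESSION = re.compile(r"l2tp,debug session \d+ entering state: established")
RE_LCP_SENT = re.compile(r"sent LCP ConfReq id=0x[0-9a-f]+")
RE_LCP_RCVD = re.compile(r"rcvd LCP Conf(?:Req|Ack|Nak|Rej)")


def triage(log_text):
    """Summarise how far an L2TP/IPsec client got and where the handshake stalled."""
    s = {"phase1": False, "isakmp_sa": False, "nat_t": False,
         "l2tp_tunnel": False, "l2tp_session": False,
         "lcp_confreq_sent": 0, "lcp_replies_rcvd": 0}
    for line in log_text.splitlines():
        if RE_PHASE1.search(line):
            s["phase1"] = True
        m = RE_ISAKMP.search(line)
        if m:
            s["isakmp_sa"] = True
            # An SA on UDP/4500 means NAT-Traversal (UDP encapsulation) is in
            # use, i.e. at least one side is behind NAT.
            s["nat_t"] = "4500" in m.groups()
        if RE_TUNNEL.search(line):
            s["l2tp_tunnel"] = True
        if RE_SESSION.search(line):
            s["l2tp_session"] = True
        if RE_LCP_SENT.search(line):
            s["lcp_confreq_sent"] += 1
        if RE_LCP_RCVD.search(line):
            s["lcp_replies_rcvd"] += 1
    s["stage"] = _stage(s)
    return s


def _stage(s):
    """Map the collected facts to the first stage that did not complete."""
    if not s["isakmp_sa"]:
        return "ipsec-phase1-failed" if s["phase1"] else "no-ipsec-attempt"
    if not s["l2tp_tunnel"]:
        return "l2tp-control-not-established"
    if not s["l2tp_session"]:
        return "l2tp-session-not-established"
    if s["lcp_replies_rcvd"] == 0:
        # Three or more unanswered retransmits is treated as a stall.
        return "ppp-lcp-unanswered" if s["lcp_confreq_sent"] >= 3 else "ppp-negotiating"
    return "ppp-up"


ADVICE = {
    "no-ipsec-attempt": "No IKE phase 1 in the log: the client's IKE packets (UDP/500, UDP/4500) "
                        "are not reaching the router.",
    "ipsec-phase1-failed": "IKE phase 1 never completed: check the pre-shared key, my-id/remote-id "
                           "and the profile/proposal on both sides.",
    "l2tp-control-not-established": "IPsec is up but no L2TP control connection formed: check that "
                                    "UDP/1701 is reachable inside the IPsec policy and the L2TP server is enabled.",
    "l2tp-session-not-established": "L2TP tunnel is up but the call (session) was not accepted: "
                                    "check the L2TP server settings on the router.",
    "ppp-lcp-unanswered": "IPsec, the L2TP tunnel and the session are all up, but the client never "
                          "answers PPP LCP: frames inside the tunnel do not reach the client or its "
                          "replies are dropped. Compare the client's UDP source port and NAT-T state "
                          "with a client that works, and check firewall rules for UDP/4500, UDP/1701 and ESP.",
    "ppp-negotiating": "PPP LCP still negotiating; collect more log before concluding.",
    "ppp-up": "PPP LCP negotiated; the link layer is fine, look at authentication/IPCP next.",
}


def diagnose(log_text):
    """Return (stage, advice) for a RouterOS l2tp/ipsec debug log."""
    stage = triage(log_text)["stage"]
    return stage, ADVICE[stage]


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        stage, advice = diagnose(log)
        print(f"{name}: {stage}\n  {advice}")
```

Run it against `/log print` output (or a log file) with the `l2tp`, `ppp`, `ipsec` and `packet` topics enabled, as in the thread; the stage names are a triage aid, and the advice strings are only the general checks, not a diagnosis of any particular client.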

There can possibly be two scenarios. One is a registry change if any of the devices are behind NAT.

The other is that you need to connect using Start -> Settings -> VPN -> the VPN you want to connect to, and click on Connect there.

Yes I agree it is this. Common Windows 10 problem. Usually after connecting once this long-winded way, you can connect again via the network connections popup in the corner.

Hi,

I'm having a similar problem. Some W10 machines do not connect; other OSes do, like macOS or MikroTik.

After some testing, if I disable IPSEC in mikrotik, it works with user/pass.

Using IPSEC, the behavior is that the W10 tries to connect, the SA is established but no first packet is received. In the SA, the W10 tries to connect from 1701 and that's the reason the connection does not finish and no packet is received. Other OSes use a different source port, for example the Mac uses 52948, and it works. I do not know why W10 is not changing the origin port to a different one, as W10 is the client and not the server.

Any ideas how to solve this?

thanks.
http://ibb.co/hLfdTGD
https://ibb.co/6tNTq5C

I am having the same problem - any solution for that?
I have 2 different MikroTik routers, on both there are L2TP servers with IPSec configured. I can connect to both with an iPhone. However, only to one can I connect with my Windows 10 client. There was a problem before with Windows 10 (after some update), and I couldn't connect with Windows to any of them, but Microsoft fixed it; now I can connect to only one of them. What may be the issue?

No ideas?

After a recent update on windows 10, IPsec connections would fail… This was later patched…
So make sure your operating system has all the recent updates…
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-21h2#2773msgdesc

I am aware of that. I have all Windows updates. What is funny, I have another L2TP/IPSec server on another MikroTik and it didn't work for some time. But after recent updates it works again. However, on the server I am talking about it is still the same.