it was pretty easy to setup an L2TP/IPSec VPN server with ros (v.6.34 and .35). In contradiction to all the tutorials I’ve found, this doesn’t work if the client is behind a NAT gateway.
The VPN related configuration is
/ip pool
add name=vpn-pool ranges=192.168.200.100-192.168.200.149
/ppp profile
set *0 dhcpv6-pd-pool=none local-address=192.168.200.254 remote-address=\
vpn-pool
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=\
x use-ipsec=yes
/ppp secret
add name=x password=x service=l2tp
At the client side, I get the following log:
racoon[34818]: accepted connection on vpn control socket.
racoon[34818]: Connecting.
racoon[34818]: IPSec Phase 1 started (Initiated by me).
racoon[34818]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
racoon[34818]: >>>>> phase change status = Phase 1 started by us
racoon[34818]: >>>>> phase change status = Phase 1 started by peer
racoon[34818]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
racoon[34818]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
racoon[34818]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
racoon[34818]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
racoon[34818]: IKEv1 Phase 1 AUTH: success. (Initiator, Main-Mode Message 6).
racoon[34818]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
racoon[34818]: IKEv1 Phase 1 Initiator: success. (Initiator, Main-Mode).
racoon[34818]: IPSec Phase 1 established (Initiated by me).
racoon[34818]: IKE Packet: receive success. (Information message).
racoon[34818]: IPSec Phase 2 started (Initiated by me).
racoon[34818]: >>>>> phase change status = Phase 2 started
racoon[34818]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
racoon[34818]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
racoon[34818]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
racoon[34818]: IKEv1 Phase 2 Initiator: success. (Initiator, Quick-Mode).
racoon[34818]: IPSec Phase 2 established (Initiated by me).
racoon[34818]: >>>>> phase change status = Phase 2 established
Then, after about 20 seconds, it times out:
racoon[34818]: IPSec disconnecting from server x.x.x.x
racoon[34818]: IKE Packet: transmit success. (Information message).
racoon[34818]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
racoon[34818]: IKE Packet: transmit success. (Information message).
racoon[34818]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
racoon[34818]: glob found no matches for path "/var/run/racoon/*.conf"
racoon[34818]: pfkey DELETE failed: No such file or directory
There are packets flowing through the firewall on udp/500 and udp/4500. Entirely disabling the firewall doesn’t help.
If the client connects to the server without being NAT’ed, everything is fine.
I have no experience with the server side on MikroTik but I use the client side to a Cisco router as a server and
it works without problem.
I see you have only a simple setup that assumes default IPsec parameters.
Check if the resulting configuration for IPsec has NAT-T set, and if not do a manual config.
I did not change any IPSec related configuration, as this seems to be dynamically generated by the L2TP server.
Searching for NAT-T only reveals one setting in
I have replaced our Cisco router with a MikroTik and I encountered the same issue…
It is a bug. The automatically generated config specifies “port strict” as the rule for generate policy.
This means the IPsec policy will be generated with explicit portnumbers. 1701 for the local port, and
usually also 1701 for the remote port.
However, this is done incorrectly. It puts the port number of the NAT-T layer in the policy instead of the
port number of the L2TP session. So you see local port 1701 and remote port some different number.
However, when looking in a packet trace it is clear that the remote port for the L2TP traffic is 1701.
I could work around it by removing the “Use IPsec” in the L2TP server and creating an IPsec Peer
definition manually, with address ::/0 port 500 auth pre-shared-key, the secret, but with the setting
Generate Policy set to “port override”.
Hi, I have run into this same issue trying to connect my iMac to my L2tp/ipsec vpn. It won’t connect with Generate Policy set to ‘Port Strict’ But will connect when I set it to ‘Port Override’.
I’m pretty new to all this stuff so was wondering if there was any disadvantage or security issue with setting Generate Policy to ‘Port Override’?
you can connect only a single L2TP VPN from a single public IP (could hit you when you are on 4G internet and have several users at the same provider that uses NAT)
when you make UDP traffic from the same public IP to the same router, it goes over the same IPsec VPN. this may be confusing or it may fail to work.
In the “normal use case” of having a single client that only uses the VPN and does not go to other hosts that are on the same IP (forwarded ports on the same router) it works fine.