L2TP+IPsec VPN with drops

rbuserdl · September 8, 2020, 2:30pm

Hello team,

I have the following issue:
There is one place with 2 WAN connections, I had previously a PPTP VPN in a Windows Server which was removed, then I created a L2TP+IPsec in the border router (RB1100Dx4)
Since the users stopped connecting to PPTP Server and started to connect to L2TP+IPsec VPN on the border router, some users tell me that they are having issues with the VPN, I could talk and make test with 2 of them and I realiced that the issue is not the same, but it is happening with WAN1 as with WAN2
One user has the following issue: She connects from her house to the VPN and uses RDP to a Windows client on the RB VPN Server side (Private IP, of course), the most of the times she report that RDP fall but the VPN connection is still up, so she connects to RDP again and can continue.
Another user has the following issue: She connects from her house to the VPN and uses different services, but the VPN goes down and she needs to connect again to VPN
Both users reports that the issue happen when the VPN is not being used (No traffic), although the first user, while she has the RDP active, her VPN is being used (of course)
Both users uses WiFi to connect from their houses and I could not convince them to connect with cable
Other users have not issues
I am not sure about how the “Keepalive timeout” works, I changed it from 30 to 60 seconds with no differences.
Here are the settings:

/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=172.16.0.1 name=L2TP remote-address=dhcp_l2tp
/ppp secret
add disabled=yes name=user password=Passw0rd1! profile=L2TP service=l2tp
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP enabled=yes ipsec-secret=S3cr3t01 keepalive-timeout=60 max-mru=1460 max-mtu=1460 use-ipsec=required

All users have “split tunnel” enabled from the client side

Any idea?
Any one can explain to me how “Keepalive timeout” works? Since the manual page says not too much
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Regards,
Damián

mstehle · September 9, 2020, 8:12am

It is not really a remedy for your problem. But I have had it with some users and was able to assign it mainly to their internet connection.
It was mainly DS-Light connections that were affected by the problem.
I assume that you have a Windows client.
I also activated the SSTP VPN in the router and switched the affected users to SSTP.
Since then I have rest.

rbuserdl · September 9, 2020, 8:09pm

Any idea?

rbuserdl · September 10, 2020, 12:36pm

Thank you, I will test it with SSTP

NTheZone · September 10, 2020, 11:38pm

Windows 10 will disconnect a VPN link after about 7.5 hours – https://community.ui.com/questions/VPN-disconnects-after-around-78-Hours-VPN-L2TP-IPSec-running-on-a-Edgerouter-Infinity/4fb4f526-31cf-48e1-b948-02798cfaceec To prevent a disconnect, I run a continual ping to the router in a command prompt window, e.g. “ping - t 192.168.88.1” That seems to work. Otherwise you can use task manager to reconnect to the VPN every 7 hours, or so, or whenever a dropped connection is detected.

I have zero problems with Microsoft RDP over split-tunnel VPN (L2TP+IPSec). And it works much better than TeamViewer or Google Remote Desktop.

rbuserdl · September 14, 2020, 12:28pm

Thanks for your answers,

The issue is not every 7 hours, the issue happen in random time, a couple of minutes (usually less then half hour)
I configured a SSTP VPN and it seems to be working fine
Anyone knows why SSTP is more stable than L2TP+IPsec? Is there any workaround in the mikrotik side?

Regards,
Damián

NTheZone · December 23, 2020, 5:04am

Something happened either in recent updates of Windows 10, or RouterOS, but I can no longer connect through to my remote Mikrotik router VPN from several wireless networks.