L2TP/IPsec with firewall rule

When L2TP/IPsec is enabled, RouterOS generates a peer. I then added the following firewall rules, but I cannot connect to the VPN.
Please advise which rule is missing.

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 D address=::/0 local-address=:: passive=yes port=500
auth-method=pre-shared-key secret="test1234"
generate-policy=port-strict policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des
dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; defconf: accept established,related
chain=input action=accept
connection-state=established,related log=no log-prefix=""

2 ;;; Allow IPSec Policy Matcher
chain=input action=accept in-interface=ether1 log=yes
log-prefix="" ipsec-policy=in,ipsec

3 ;;; Allow L2TP/IPSec
chain=input action=accept protocol=udp
dst-port=1701,500,4500 log=no log-prefix=""

4 ;;; Allow IPSec
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

What is your WAN interface / IP? Please do not type out the full public IP; use x.x.x.(last octet).

What do the logs show?

The logs are going to be the best bet to find the problem. I don’t see anything “wrong” off-hand. Most likely you have a different setting somewhere between the client and the router.

With that said, I would configure your L2TP accept chain as an inbound on a specific interface - your WAN. I also like to see the ports separated into their own accept statements.

My WAN interface is ether1 and my client is an iPhone.

The only log message with L2TP is the one below:
first L2TP UDP packet received from xxx.xxx.xxx.xxx

Try configuring yours more like mine: (ether5 is my WAN interface)

 7    ;;; Permit L2TP VPN
      chain=input action=accept protocol=udp in-interface=ether5 dst-port=500 log=no log-prefix="" 

 8    chain=input action=accept protocol=udp in-interface=ether5 dst-port=4500 log=no log-prefix="" 

 9    chain=input action=accept protocol=udp in-interface=ether5 dst-port=1701 log=no log-prefix="" 

10    chain=input action=accept protocol=ipsec-esp in-interface=ether5 log=no log-prefix=""

http://l2tp.patokatech.com/

Screen prints of my L2TP setup; Win 7, 8 and Droid phone all work.
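A small checker for the kind of review the reply above does by hand, added here as an example and not code from the thread or from MikroTik: it parses a `/ip firewall filter print` listing (the one posted at the top of the thread is embedded as the sample, retyped with straight quotes), confirms that input-chain accept rules exist for UDP 500, 4500 and 1701 and for ESP, and flags any of those rules that is not pinned to the WAN interface. It goes slightly beyond the thread in one respect: an L2TP/IPsec accept rule that sits after a drop or reject in the same chain is reported as possibly unreachable. The function names, the sample text and the WAN interface name `ether1` are this example's own assumptions.

```python
"""Audit a RouterOS "/ip firewall filter print" listing for the input-chain
rules that L2TP/IPsec needs (UDP 500, 4500, 1701 and ESP) and for two
common mistakes: accept rules not pinned to the WAN interface, and accept
rules placed after a drop/reject in the same chain."""
import re
import shlex
from typing import Dict, List

# Constructed sample: the listing posted at the top of the thread, retyped
# with straight quotes so that shlex can split it.
SAMPLE_FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
      chain=forward

 1   ;;; defconf: accept established,related
      chain=input action=accept
      connection-state=established,related log=no log-prefix=""

 2   ;;; Allow IPSec Policy Matcher
      chain=input action=accept in-interface=ether1 log=yes
      log-prefix="" ipsec-policy=in,ipsec

 3   ;;; Allow L2TP/IPSec
      chain=input action=accept protocol=udp
      dst-port=1701,500,4500 log=no log-prefix=""

 4   ;;; Allow IPSec
      chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
"""

Rule = Dict[str, str]
# A rule header line: number, then optional flags / ";;; comment" / key=value.
HEADER_RE = re.compile(r"^(\d+)(?:\s+(.*))?$")
L2TP_UDP_PORTS = {"500", "4500", "1701"}


def parse_filter_print(text: str) -> List[Rule]:
    """Turn the multi-line 'print' listing into one dict per rule."""
    rules: List[Rule] = []
    current: Rule = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"id": header.group(1), "flags": "", "comment": ""}
            rules.append(current)
            line = header.group(2) or ""
        if not current:
            continue  # text before the first numbered entry
        if ";;;" in line:
            line, _, comment = line.partition(";;;")
            current["comment"] = comment.strip()
        for tok in shlex.split(line):  # handles log-prefix="" and secret="..."
            if "=" in tok:
                key, _, value = tok.partition("=")
                current[key] = value
            elif len(tok) == 1 and tok.isupper():
                current["flags"] += tok  # X / I / D flag letters
    return rules


def audit_l2tp_ipsec(rules: List[Rule], wan_iface: str) -> List[str]:
    """Return human-readable findings; an empty list means the L2TP/IPsec accept
    rules exist, are reachable, and are pinned to the WAN interface."""
    findings: List[str] = []
    udp_open: set = set()
    esp_open = False
    drop_seen = None  # id of the first drop/reject rule in chain=input
    for r in rules:
        if r.get("chain") != "input" or "X" in r["flags"]:
            continue
        if r.get("action") in ("drop", "reject"):
            drop_seen = drop_seen or r["id"]
            continue
        if r.get("action") != "accept":
            continue
        if r.get("protocol") == "udp":
            hit = set(r.get("dst-port", "").split(",")) & L2TP_UDP_PORTS
            if not hit:
                continue
            what = "UDP " + ",".join(sorted(hit, key=int))
            udp_open |= hit
        elif r.get("protocol") == "ipsec-esp":
            what = "ESP"
            esp_open = True
        else:
            continue
        if r.get("in-interface") != wan_iface:
            findings.append(f"rule {r['id']}: {what} accepted on every interface; "
                            f"add in-interface={wan_iface}")
        if drop_seen is not None:
            findings.append(f"rule {r['id']}: {what} accept sits after drop rule "
                            f"{drop_seen} and may never match")
    for port in sorted(L2TP_UDP_PORTS - udp_open, key=int):
        findings.append(f"missing: no input accept for UDP dst-port={port}")
    if not esp_open:
        findings.append("missing: no input accept for protocol=ipsec-esp")
    return findings


if __name__ == "__main__":
    for msg in audit_l2tp_ipsec(parse_filter_print(SAMPLE_FILTER_PRINT), "ether1") or ["ok"]:
        print(msg)
```

Run against the listing from the first post it reports nothing missing, only that rules 3 and 4 are not restricted to ether1, which is the same change the reply above recommends. Paste your own `filter print` output into `SAMPLE_FILTER_PRINT` and set the WAN name to check a different router.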

Can you share this link again? This link needs permission.

Try it now, I moved to a new hosting site and forgot to change indexing permissions.