L2TP server... what could be happening?

Hi Everybody,

I’ve set up an L2TP server on a Mikrotik/Routerboard RB750 (PPPoE ADSL connection). Everything seems to be OK, I’m using a pre-shared key. I’ve configured the Firewall/Filter Rules to allow UDP 500,1701,4500 and protocol 50.

I can connect to it with the two Win7 machines in my home office (different ADSL connection)… but not with my WinXP laptop which is on the same network as the Win7 machines.

The WinXP machines stay in the “Connecting to xxxxx…” phase and eventually time out with an error message: “Error 792: The L2TP connection attempt failed because security negotiation timed out.”

I can see the connection attempt appearing in WinBox IP/IPSEC/Remote Peers…

I thought it might have been something in the laptop that was causing the trouble… but if I use my Huawei 3G USB “modem” to connect my laptop to the internet, it works fine and I can connect to the L2TP server and access the internal network via the L2TP connection.

Both WinXP machines at my work (NAT’d ADSL) also cannot connect to the Mikrotik L2TP server, but a Win7 computer belonging to a customer works fine using the same network and ADSL/router connection.

Does WinXP need some “changes” to be made that Win7 does not? What is stopping the WinXP machines behind a NAT router from connecting?


Any ideas?

Michael.

Edit: It appears that if my WinXP laptop is on the LAN side of the Mikrotik RB750 and I “aim” the L2TP connection at the internal IP address, it connects to the L2TP server OK.

Search MS knowledge base for Q240262 and Q818043.
WinXP needs some registry modification.

HTH,

Thank you for the reply. I think I have seen one of these KB articles before.

Q818043 (I think) does not apply to me, as according to the article this update has already been applied with SP3.

Q240262 seems to be for Windows 2000. Does this KB article still apply to WinXP?

I do agree that it does seem to be a NAT-T issue… it seems to have been discussed here too :-

http://forum.mikrotik.com/t/nat-t-ipsec-issues-still-exist/42797/1

OK… I looked a little more into the thread I posted just above and found this post :-

I changed this setting in my RB750… and it works!

:smiley:

You didn’t post your config, so my assumption was that ‘exchange-mode=main l2tp’.
The WinXP L2TP/IPSec client requires this mode and the registry modification described in
the mentioned MS KB articles. Good to know that it works for you :slight_smile:

Regards,

In the Mikrotik online manual “chapters” referring to L2TP, I found no reference to the “exchange-mode…” setting in IPSEC/peers…

http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

This is the section of user manual I was working with when setting up my L2TP server… in the IPSec configuration the “exchange mode…” setting is not mentioned at all.

http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP

Maybe the manual could be updated to include this?

You are right, the online manual is sometimes inaccurate.
Some new features are only mentioned in the changelog:
http://www.mikrotik.com/download/CHANGELOG_5
‘Main L2TP’ mode for example.
Anyway, RouterOS is still my favourite :slight_smile:

Regards,
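To put the two fixes discussed in this thread (the ‘main l2tp’ exchange mode on the router, and the registry change on the XP client) into concrete form, here is an added example; it is not taken from the original posts or from the Mikrotik documentation. It assumes RouterOS v5/v6 CLI option names, a placeholder pre-shared key, and that clients may come from any address.

```routeros
# Added example, not from the thread or the Mikrotik wiki.
# IPsec peer for Windows L2TP/IPsec road-warrior clients.
# Option names follow the RouterOS v5/v6 CLI; adapt them to your version.
# The secret is a placeholder; use a long random pre-shared key.

/ip ipsec peer
# Before: plain main mode. Win7 clients negotiate fine, but the WinXP
# client behind NAT times out in phase 1 (Error 792 on the client side).
#add address=0.0.0.0/0 auth-method=pre-shared-key secret="PLACEHOLDER-PSK" \
#    exchange-mode=main generate-policy=port-override nat-traversal=yes

# After: main-l2tp exchange mode, which is what the XP client expects.
add address=0.0.0.0/0 auth-method=pre-shared-key secret="PLACEHOLDER-PSK" \
    exchange-mode=main-l2tp generate-policy=port-override nat-traversal=yes

# The same input traffic the original post already opens:
# IKE (500), L2TP (1701), NAT-T (4500) and ESP (protocol 50).
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 action=accept
add chain=input protocol=ipsec-esp action=accept
```

On the WinXP client, the registry change the KB articles refer to is the DWORD value AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\IPSec, set to 2 when both client and server sit behind NAT (1 when only the server does), followed by a reboot.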

Oh yes… please don’t misunderstand.

I really like Mikrotik… very powerful.

Mikrotik and Routerboard!

:smiley:

Documentation updated.
Second article was user created so anyone can edit it.

Thanks!

Regards,