L2TP through IPSEC problem

Hello!

I have configured my MikroTik router as an L2TP-over-IPsec server, and everything works great. The problem is that my customer, who sits behind his own MikroTik router, cannot connect to my L2TP server, although he can connect via 3G. How can I resolve this?

Is your client using the L2TP client on his PC or his Mikrotik as the client?

I can use my Windows 8 PC, behind a MikroTik, to connect to a VPN on a remote MikroTik, as long as the local router does not block ports 500, 1701 or 4500.

The customer is using his Apple computer as the L2TP client. I also tried my own computer and phone. When using LTE, everything works perfectly; when connecting from the customer's location, behind the MikroTik NAT, it is impossible to connect to the L2TP server.

So, I tried to find the problem. It looks like the problem is on the server side, because I can connect to another MikroTik router via L2TP w/ IPSec, but cannot connect to my home router from the same place. But it is possible to connect to home router, if disconnected from the work network and connected to 4G.

Here is the router configuration; I hope it helps to find the problem:

# oct/05/2016 07:07:45 by RouterOS 6.37
# software id = G330-U5IZ
#
# Review notes are added below as comments only; no setting was changed.
# The secrets in this export (ipsec-secret, CAPsMAN passphrase, PPP password)
# look like redacted placeholders; if the real values were ever posted, treat
# them as compromised and rotate them.
# NOTE(review): from this export alone it cannot be determined whether the
# reported failure (client behind another NAT) is on this server or on the
# client's router; the log=yes firewall rules below will show whether the
# client's UDP 500/4500 packets reach this router at all.
/interface bridge
# arp=proxy-arp on the LAN bridge. The VPN pool (192.168.89.0/24, see
# /ppp profile) is a separate subnet and VPN traffic is masqueraded below,
# so proxy-arp does not appear to be needed for the VPN — confirm before removing.
add admin-mac=E4:8D:8C:53:CF:69 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
# ether2-ether5 form one switch group; ether1 is the WAN port (see /ip dhcp-client).
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
# These are the static settings of the local radios. Both interfaces are handed
# to CAPsMAN (see /interface wireless cap), which applies configuration cfg1
# with SSID dz_10; the MikroTik-53CF6x SSIDs here are only the fallback values.
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(20dBm), SSID: dz_10, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-53CF6F \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(20dBm), SSID: dz_10, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-53CF6E wireless-protocol=802.11
/ip neighbor discovery
# Neighbor discovery (MNDP/CDP/LLDP) is switched off on the WAN port, so the
# router does not announce itself to the upstream network.
set ether1 discover=no
set bridge comment=defconf
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1
/caps-man security
# WPA2-PSK with AES-CCM (no TKIP); the passphrase here is a placeholder.
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 \
    passphrase=passphrase
/caps-man configuration
add country=latvia datapath=datapath1 mode=ap name=cfg1 rx-chains=0,1,2 \
    security=security1 ssid=dz_10 tx-chains=0,1,2
/ip ipsec proposal
# Ciphers offered for the IPsec SA. 3des is a weak cipher and is only needed by
# very old clients; remove it once no client depends on it. The proposal's
# authentication algorithm and PFS group are not in this export (defaults) —
# presumably unchanged, verify with /ip ipsec proposal print.
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
# dhcp: LAN clients; vpn: addresses handed to L2TP clients.
add name=dhcp ranges=192.168.3.10-192.168.3.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=3d name=defconf
/ppp profile
# *FFFFFFFE is presumably the built-in default-encryption profile that the vpn
# secret below references — confirm with /ppp profile print. The router is
# 192.168.89.1 on every tunnel; clients get addresses from the vpn pool.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/caps-man manager
# This router is its own CAPsMAN controller (caps-man-addresses=192.168.3.1 below).
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip settings
# SYN cookies for the router's own TCP services (SYN-flood resistance).
set tcp-syncookies=yes
/interface l2tp-server server
# L2TP server with mandatory IPsec (use-ipsec=yes) and only MS-CHAPv2 offered
# for PPP authentication (no PAP/CHAP/MS-CHAPv1). The single ipsec-secret is a
# pre-shared key shared by every client: one leaked or lost client device
# exposes the key for all, so rotate it when a device is lost. Access control
# for this service is the input chain in /ip firewall filter below.
set allow-fast-path=yes authentication=mschap2 enabled=yes ipsec-secret=\
    secret use-ipsec=yes
/interface sstp-server server
# Only the profile is set; the export does not show enabled=yes, so SSTP is
# presumably not enabled — confirm.
set default-profile=default-encryption
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=192.168.3.1 enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.3.1/24 comment=defconf interface=ether2-master network=\
    192.168.3.0
/ip cloud
# Registers the router's WAN address with MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# WAN address via DHCP on ether1; DNS and NTP from the ISP are ignored in favour
# of the servers configured below.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf gateway=192.168.3.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that can
# reach it: the LAN, VPN clients, and the internet — the last only being blocked
# by the "drop all from WAN" input rule below. Keep that rule in place.
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.3.1 name=router
/ip firewall filter
# Input chain, evaluated top to bottom for traffic to the router itself.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# VPN service ports, accepted on every interface (no in-interface match):
# UDP 500 (IKE), UDP 4500 (NAT-T, used by clients behind another NAT) and
# UDP 1701 (L2TP). UDP 1701 is accepted here whether or not the packet arrived
# inside IPsec; to require encryption, move 1701 to its own rule with the
# matcher ipsec-policy=in,ipsec and keep 500/4500 in a plain rule (IKE itself
# is not IPsec-protected). log=yes logs every matching packet — useful while
# troubleshooting the NAT client, noisy in normal operation.
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 \
    log=yes protocol=udp
# ESP for clients that are not behind NAT (NAT-T clients arrive on UDP 4500).
add action=accept chain=input log=yes protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# Only traffic entering on ether1 is dropped here. Anything arriving from the
# LAN bridge or from an established L2TP tunnel reaches every router service
# (DNS, WinBox, SSH, ...); add a rule for in-interface=all-ppp if VPN clients
# should not have management access.
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
# Forward chain: default-config shape (fasttrack, established/related,
# drop invalid, drop unsolicited from WAN unless dst-nat'ed).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
# No out-interface on this rule, so VPN clients appear to be masqueraded towards
# the LAN as well as the internet; LAN-side hosts and logs then see 192.168.3.1
# instead of the real client address. Add out-interface=ether1 if only internet
# access for VPN clients is intended.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
# Only ftp, api and api-ssl are explicitly disabled. telnet, www, ssh and winbox
# are absent from the export (exports omit default values), so they are
# presumably enabled at their defaults — confirm with /ip service print and
# restrict them with the address= option to the LAN/VPN ranges.
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP is enabled with ether1 as the external interface: any LAN host may ask the
# router to open inbound WAN ports, which are then dynamic dst-nat entries that
# the "drop all from WAN not DSTNATed" rule above lets through. Disable unless
# a LAN application genuinely needs it.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
# Single VPN account; password is a placeholder in this export.
add name=vpn password=password profile=default-encryption
/system clock
set time-zone-name=Europe/Riga
/system ntp client
set enabled=yes server-dns-names=\
    lv.pool.ntp.org,europe.pool.ntp.org,pool.ntp.org
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled silent-boot=yes
/system watchdog
# watch-address=8.8.8.8: the watchdog presumably reboots the router when this
# address stops answering pings, so an upstream outage would trigger a reboot —
# confirm that this behaviour is intended.
set automatic-supout=no watch-address=8.8.8.8
/tool mac-server
# MAC-telnet and MAC-WinBox are limited to the LAN bridge; the default
# any-interface entries are disabled.
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

I seem to recall having this problem, I think I had to allow 500, 1701 and 4500 in my forward rules.