L2TP through IPSEC RDP, WWW

Hello,

I have successfully configured IPsec between two sites, Mikrotik1 and Mikrotik2; I can ping from PC1 to PC2 and others. I can use RDP and get a response from www.

The problem starts when I configure L2TP on Mikrotik1. When I connect from PC-L2TP, everything is OK with the LAN on Mikrotik1. When I ping PC2 or Laptop2 I get a response.
When I try to connect via RDP I get the prompt to fill in login and password, but it gets stuck on “securing the connection”. Also, when I try to open www, I get “connection timed out”.

I tried changing the MTU on Mikrotik1 to 1172 (this is the last good value for which I got a response):

ping 172.222.22.185 -f -l 1172 -t

Pinging 172.222.22.185 with 1172 bytes of data:
Reply from 172.222.22.185: bytes=1172 time=55ms TTL=126
Reply from 172.222.22.185: bytes=1172 time=40ms TTL=126

Also I tried adding on Mikrotik1:
/ip firewall mangle add action=change-mss chain=forward dst-address=172.222.22.185 log=yes new-mss=1172 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1172 passthrough=yes protocol=tcp tcp-flags=syn

And still nothing. I cannot connect via RDP. Please help.

If you don’t mind the large payload packets getting split into two transport ones, use MLPPP on the L2TP link. At both the L2TP server and client, set max-mtu=1100 max-mru=1100 mrru=1504 (change the settings at the server first, as the change at the client will cause the connection to re-establish while the change at the server will not).

If you do mind it, bear in mind that the size of the ping in Windows specifies the size of the payload, so 1172 bytes of “ping size” actually means 1200 bytes of MTU (20 bytes of IP header and 8 bytes of ICMP header), whereas what your rule changes is not the MTU but the MSS, i.e. the TCP payload, so you have to set the new-mss to just 1160 bytes (20 bytes of IP header and 20 bytes of TCP header). Also, add a match condition tcp-mss=1161-20000 to the mangle rule, to avoid accidentally raising the MSS instead of lowering it.
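The header arithmetic in the reply above, worked through as an added example (not code from either poster): the script parses Windows `ping -f -l <size>` output for several payload sizes (the sample output is constructed here, reusing the poster's 1172-byte reply lines and assuming the standard "Packet needs to be fragmented but DF set." message for larger sizes), finds the largest payload that still got a reply, converts it to the path MTU by adding the IP and ICMP headers, derives the MSS by subtracting the IP and TCP headers, and prints a RouterOS change-mss rule in the same shape as the poster's but with the `tcp-mss=<mss+1>-20000` match the reply recommends. The destination address is the one from the original post.

```python
"""Path-MTU / MSS-clamp arithmetic for the L2TP-over-IPsec RDP problem.

Added example, not from the forum thread: parses Windows `ping -f -l <size>`
output for a set of payload sizes (sample output constructed here), finds the
largest payload that still gets a reply, and turns it into the MTU and the
MSS value a RouterOS change-mss mangle rule should use.
"""
import re

IP_HEADER = 20     # bytes, IPv4 without options
ICMP_HEADER = 8    # bytes, ICMP echo request/reply header
TCP_HEADER = 20    # bytes, TCP without options

# Constructed sample: what `ping -f -l N` prints on Windows for three sizes.
# 1172 is the last size that got replies in the original post; 1173 and 1200
# are assumed to fail with the standard "needs to be fragmented" message.
SAMPLE_PING_OUTPUT = {
    1172: "Pinging 172.222.22.185 with 1172 bytes of data:\n"
          "Reply from 172.222.22.185: bytes=1172 time=55ms TTL=126\n"
          "Reply from 172.222.22.185: bytes=1172 time=40ms TTL=126\n",
    1173: "Pinging 172.222.22.185 with 1173 bytes of data:\n"
          "Packet needs to be fragmented but DF set.\n"
          "Packet needs to be fragmented but DF set.\n",
    1200: "Pinging 172.222.22.185 with 1200 bytes of data:\n"
          "Packet needs to be fragmented but DF set.\n",
}

REPLY_RE = re.compile(r"^Reply from \S+: bytes=(\d+) ")


def ping_got_reply(output: str) -> bool:
    """True if at least one 'Reply from ...' line is present in the ping output."""
    return any(REPLY_RE.match(line) for line in output.splitlines())


def largest_unfragmented_payload(results: dict) -> int:
    """Largest ICMP payload size (bytes) whose DF ping received a reply."""
    ok = [size for size, out in results.items() if ping_got_reply(out)]
    if not ok:
        raise ValueError("no ping size got a reply")
    return max(ok)


def mtu_from_ping_payload(payload: int) -> int:
    """Windows `-l` gives the ICMP payload; add IP and ICMP headers for the path MTU."""
    return payload + IP_HEADER + ICMP_HEADER


def mss_from_mtu(mtu: int) -> int:
    """MSS is the TCP payload: strip IP and TCP headers from the MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def mangle_rule(mss: int, dst: str) -> str:
    """RouterOS change-mss rule in the poster's shape that only ever lowers the MSS.

    The tcp-mss match range starts at mss+1 so SYNs that already advertise a
    smaller MSS are left alone, as the reply suggests.
    """
    return (f"/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn "
            f"dst-address={dst} tcp-mss={mss + 1}-20000 "
            f"action=change-mss new-mss={mss} passthrough=yes")


if __name__ == "__main__":
    payload = largest_unfragmented_payload(SAMPLE_PING_OUTPUT)
    mtu = mtu_from_ping_payload(payload)
    mss = mss_from_mtu(mtu)
    print(f"largest DF payload with reply: {payload} -> MTU {mtu} -> MSS {mss}")
    print(mangle_rule(mss, "172.222.22.185"))
```

Run against the constructed sample it reports payload 1172, MTU 1200, MSS 1160 and prints a rule with `tcp-mss=1161-20000 ... new-mss=1160`; with real `ping -f -l` runs you would fill the dictionary with the actual output for each size you tried.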