I'm facing a problem with MikroTik L2TP/IPsec VPN. I have a two-interface Ubuntu 14.04 server whose WAN interface eth0 has a public IP 103.88.x.x, and whose LAN interface eth1 has private IP 192.168.0.1/24 and connects to an RB750r2 with IP 192.168.0.2/24. Now I want to configure an L2TP/IPsec server on the RB750r2.
So, I added iptables NAT rules for the RB750 on Ubuntu:
# DNAT belongs in PREROUTING (where -i is valid); the port needs --dport
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination 192.168.0.2
# MASQUERADE belongs in POSTROUTING (where -o is valid)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Then my remote Windows 8 client, which is behind NAT, uses the Windows L2TP/IPsec client to connect to 103.88.x.x and gets error 809. I used Wireshark to analyse the packets and found that IPsec phase I and phase II
are normal, but it times out after the Win8 client sends an ISAKMP Informational. I guess the problem is the Ubuntu configuration; can anybody tell me what I should do? Thanks!
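An added example, not posted by anyone in this thread: a small POSIX sh script that emits the NAT rule set a practitioner would load on the Ubuntu box to forward IKE (UDP 500) and NAT-T (UDP 4500) to an inside host, and a linter that flags the chain/option mix-ups that make such rules silently do nothing (DNAT in POSTROUTING, MASQUERADE in PREROUTING, -i/-o in the wrong chain, a bare port number after -p udp). The interface name eth0 and the inside address 192.168.0.2 are taken from the post; the sample rule set labelled POSTED_RULES is a constructed copy of the lines in the question, and the lint patterns are my own, not iptables' own validation.

```shell
#!/bin/sh
# Added example (not from the thread). Generate a correct NAT forwarding
# rule set for an L2TP/IPsec server on an inside host, and lint rule
# lines for common chain/option mistakes.

# Print the rules to load. Arguments: WAN interface, inside host address.
# Only UDP 500 and 4500 are forwarded: with NAT-T, L2TP (UDP 1701)
# travels inside the ESP-in-UDP tunnel, so it needs no rule of its own.
l2tp_forward_rules() {
    wan=$1
    inside=$2
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $wan -p udp --dport 500 -j DNAT --to-destination $inside" \
      "iptables -t nat -A PREROUTING -i $wan -p udp --dport 4500 -j DNAT --to-destination $inside" \
      "iptables -A FORWARD -i $wan -d $inside -p udp -m multiport --dports 500,4500 -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# Check one iptables command line. Prints the reason and returns 1 on a
# known mistake, returns 0 otherwise. Patterns are hypothetical heuristics.
lint_nat_rule() {
    rule=$1
    case "$rule" in
        *POSTROUTING*"-j DNAT"*)
            echo "DNAT is only valid in PREROUTING/OUTPUT: $rule"; return 1 ;;
        *PREROUTING*"-j MASQUERADE"*)
            echo "MASQUERADE is only valid in POSTROUTING: $rule"; return 1 ;;
        *POSTROUTING*" -i "*)
            echo "-i (input interface) is not valid in POSTROUTING: $rule"; return 1 ;;
        *PREROUTING*" -o "*)
            echo "-o (output interface) is not valid in PREROUTING: $rule"; return 1 ;;
    esac
    # "-p udp 500" is not a port match; the port must follow --dport/--sport.
    case "$rule" in
        *"-p udp "[0-9]*)
            echo "bare port after -p udp; use --dport: $rule"; return 1 ;;
    esac
    return 0
}

# Lint every non-empty line on stdin; return the number of problems found.
lint_rule_set() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        lint_nat_rule "$line" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample: the rules exactly as they appear in the question.
POSTED_RULES='iptables -t nat -A POSTROUTING -i eth0 -p udp 500 -j DNAT --to 192.168.0.2
iptables -t nat -A POSTROUTING -i eth0 -p udp 4500 -j DNAT --to 192.168.0.2
iptables -t nat -A POSTROUTING -i eth0 -p udp 1701 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -o eth0 -j MASQUERADE'

echo "== rules as posted =="
printf '%s\n' "$POSTED_RULES" | lint_rule_set
echo "problems found: $?"

echo "== corrected rules =="
l2tp_forward_rules eth0 192.168.0.2
l2tp_forward_rules eth0 192.168.0.2 | lint_rule_set && echo "no problems found"
```

The rules only take effect if the kernel forwards between eth0 and eth1 (net.ipv4.ip_forward=1), and they do not address the inner IPsec problem the replies below describe: the responder still sees the MikroTik's private address while the client negotiates against the public one, so the policy match on the MikroTik side has to be handled separately.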
Don’t try that! L2TP/IPsec server behind NAT is asking for problems.
When you want to persist, I would not use the “automatic” config of IPsec in the MikroTik as it makes a “port strict” rule.
Look at the IPsec rules that have been auto-created, remove the IPsec secret from your L2TP server and add similar
rules yourself to IPsec so you can experiment. Especially with the IPsec Peer definition, try options like
generate-policy=port-override
MikroTik L2TP/IPsec server behind NAT (MikroTik WAN interface without a public IP address) doesn't work or, at least, nobody has suggested to me how to make it work.
There is a mismatch in public/private address when the dynamic IPsec policy is created.
It works if a static IPsec policy is created, but this requires the L2TP client address to ALWAYS be the same.