In my company, I have an RB1100AHx4 router on which I have set up l2tp/ipsec clients for the routers of the companies I manage which are also from Mikrotik.
After updating to v7.18 I noticed that some web pages on the servers I access via VPN are no longer loading correctly, especially those using older software. I have tried all versions from 7.18 to 7.19.1 on my router and they behave the same. The only solution I found was to lower the mtu in the l2tp clients from 1450, which is the default, to 1400 and it seems to work.
I submitted this issue to Mikrotik as ticket SUP-188725 on May 22, which has not yet been taken over by the support team.
I tested version 7.17 and it has the same problem. Only downgrading to version 7.16.2 solved the problem.
I sent the information to support and am waiting for a response.
Have you also updated system-> routerboard? I’ve sometimes just forgotten this step. I use ipsec vpn in several offices and I have no problems with version 7.19.1. Is it possible to view the config?
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys, etc. )
I manage the networks of several clients, so over 100 devices, and it occurred to me to update the firmware as well.
By the way, it would be very useful if we could also see the firmware version in the winbox interface at Neighbors.
Some pages load seemingly without problems but I noticed that others load partially or certain subpages do not work. Especially the web pages of servers with older software versions.
But I also had problems with the administration page of truenas, the latest version.
I used to have problems with some RDP sessions to Windows 2012 server but I did not associate them with the l2tp/ipsec connection. Now that I think about it, it is possible that it was also the cause.
I am interested in the operation of the l2tp/ipsec vpn service. All the companies I manage use this service to connect remotely. It all started during the covid pandemic.
The advantages are: good security, hardware acceleration, direct support in the Windows operating system. Also, the credentials are saved encrypted, making it difficult to clone them. The Wireguard client contains the settings in the clear; they can be easily copied by anyone. As far as I know, it is the same in the case of OVPN.
OVPN has had unfortunate implementations in older RouterOS versions and I have not used it. It would also be quite complicated to change the settings on all clients now.
I have a site to site WG setup between my router and a client’s router and it seems to be working normally.
I suspect the problem is with l2tp, so I don’t see what is the point of testing other VPN protocols.
We upgraded our routers back in 2022 and we had this problem, and the Mikrotik support team could not figure it out and said that it was our Microsoft Windows computers. But we were also having the problem with our Android tablets, and we could not SSH or use Winbox to get to the remote site going through the VPN. It took a Microsoft network engineer to tell them that they were wrong, and the problem was with the VPN router. The IP packets that were being sent out of the VPN were too big. So we had to lower the MTU to 1404 to get it to work right. And with this new version we now have to lower it even further, to 1400. And the worst part of all this was that the support person who was working on the support case never responded, so I had to email their sales team to get a response on my case; it took over 7 months. And they never responded to my last questions. So the MTU has to be set at 1404 to work right. So how come the old router MTU is set to 1460 and works, but the new one has to be set lower? And why is the default MTU set to 1450 if that does not work? They just closed the case and never answered.
If you are using a tunnel, you must calculate, or measure by testing, the correct MTU for the tunnel. Furthermore, you must take care of TCP MSS adjustment for TCP to work correctly, as TCP doesn’t care about Path MTU.
For example, if you have a correct ISP and you get a 1500-byte MTU for your uplink, then your L2TP tunnel that goes through the uplink has a 1460-byte MTU. If you are using IPsec to encrypt the L2TP tunnel, it adds more overhead.
For example, my ISP provides me a 1492-byte MTU for the uplink, so my raw L2TP tunnel MTU is 1452 bytes. I use IPsec ESP, which adds 78 bytes of overhead (may vary depending on transform sets), so I must set the L2TP interface MTU to 1374 bytes. Furthermore, I must set the TCP MSS adjustment for IPv4 to 1334 bytes and for IPv6 to 1314 bytes. These steps are mandatory for correct traffic handling inside the tunnel.
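The arithmetic in the post above, worked through as an added example; this is Python written for this thread, not code from the forum posters or from MikroTik. It assumes the poster's overhead figures (40 bytes for the L2TP encapsulation, so 1500 becomes 1460 and 1492 becomes 1452, and 78 bytes for IPsec ESP) and the standard 40-byte IPv4+TCP and 60-byte IPv6+TCP header sizes used for the MSS clamp. The `plan` helper also reports how far a configured interface MTU (such as the 1450 default or the 1400 discussed in the thread) sits from the computed safe value, which is the check a practitioner wants before blaming the software version.

```python
"""Added example: MTU and TCP MSS arithmetic for an L2TP-over-IPsec tunnel.

Overhead figures are assumptions taken from the forum post this follows:
the real ESP overhead depends on the transform set (cipher, integrity
algorithm, IV size, padding), so treat these as a starting point and
confirm with a do-not-fragment ping test on the live tunnel.
"""

L2TP_OVERHEAD = 40       # outer IPv4 + UDP + L2TP + PPP headers (poster: 1500 -> 1460)
ESP_OVERHEAD = 78        # poster's figure for ESP; varies with transform set
IPV4_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header
IPV6_TCP_HEADERS = 60    # 40-byte IPv6 header + 20-byte TCP header


def tunnel_mtu(uplink_mtu: int, ipsec: bool = True,
               esp_overhead: int = ESP_OVERHEAD) -> int:
    """Largest inner packet that fits the uplink after L2TP (and ESP) wrapping."""
    mtu = uplink_mtu - L2TP_OVERHEAD
    if ipsec:
        mtu -= esp_overhead
    return mtu


def mss_values(inner_mtu: int) -> tuple[int, int]:
    """TCP MSS clamp values (IPv4, IPv6) for a given inner-interface MTU."""
    return inner_mtu - IPV4_TCP_HEADERS, inner_mtu - IPV6_TCP_HEADERS


def plan(uplink_mtu: int, configured_mtu: int,
         esp_overhead: int = ESP_OVERHEAD) -> dict:
    """Return the safe L2TP MTU, MSS clamps, and the margin of a configured
    interface MTU against that safe value (negative margin = oversized
    packets that will be fragmented or silently dropped on the path)."""
    safe = tunnel_mtu(uplink_mtu, esp_overhead=esp_overhead)
    mss4, mss6 = mss_values(safe)
    return {
        "safe_mtu": safe,
        "mss_ipv4": mss4,
        "mss_ipv6": mss6,
        "margin": safe - configured_mtu,
        "fits": configured_mtu <= safe,
    }


if __name__ == "__main__":
    # Constructed scenarios: the poster's 1492-byte uplink, and a 1500-byte
    # uplink with the RouterOS default (1450) and the thread's 1400 workaround.
    for uplink, configured in ((1492, 1374), (1500, 1450), (1500, 1400)):
        result = plan(uplink, configured)
        status = "ok" if result["fits"] else f"{-result['margin']} bytes too large"
        print(f"uplink {uplink}, l2tp mtu {configured}: safe {result['safe_mtu']}, "
              f"mss v4/v6 {result['mss_ipv4']}/{result['mss_ipv6']}, {status}")
```

The margin is computed with the poster's 78-byte ESP figure; a tunnel using a different transform set will land on a different safe value, which is why the post above pairs the calculation with measuring by testing.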
We have found excellent results using MRU 1500 and MTU 1400 (so we have space for overhead and encryption).
In the profile be sure that the tickbox about “change MSS” is enabled.