Site2Site IPSec over L2TP - MTU-Size Problem?

Hi Experts,

I have a very complicated setup, but I documented it in the attached PDF.

  • Starting point: Two Mikrotik-RB750Gr3 Routers, both in a private (NAT)-Network.
  • Goal: Establish Site-2-Site Connection between them.
  • Idea:
    • L2TP Connection to establish Link to MikroTik-Router in private Network (Port-Forwarding: UDP 1701)
    • IPSec-Tunnel in L2TP-Connection to get better encryption

Everything works fine: when the tunnel is established, pings go through the tunnel, but e.g. browsing the file server (PC1) is not possible.
I think it is an MTU problem:

  • from Client (Mikrotik#2) to Server (Mikrotik#1) is 1450 but
  • from Server (Mikrotik#1) to Client (Mikrotik#2) is 1390

Where can/must I set the MTU to 1390?
Or is there another option to configure a site-2-site VPN?

I would be very thankful for the correct advice on how to solve my problem.
VPN-Problem.png
VPN-Problem.pdf (103 KB)

Additional Info:
After establishing the L2TP tunnel (without IPSec) the MTU is:

  • from Client (Mikrotik#2) to Server (Mikrotik#1) is 1450 and
  • from Server (Mikrotik#1) to Client (Mikrotik#2) is 1450

At the moment I activate the IPSec policies, the MTU from server to client goes down to 1390.
Where have the 60 Bits gone (is it one IP header)?

Just speaking to myself:

Meanwhile I think I found my error and the correct solution:

Problem Solver-Step 1:
I solved the problem by setting the MTU for the L2TP tunnel manually to 1350.

/interface l2tp-client
add allow=mschap2 connect-to=dyn.myname.com disabled=no max-mru=1350 max-mtu=1350 name=L2TP-1 password=Pass-1 profile=L2TP-plain user=User-1

From this point on it was possible to set up the IPSec tunnel without errors.

But I don't think that this should be the right solution, so I investigated further, getting to the

Final Problem Solver-Step:
I got the information to set change-tcp-mss=yes from https://justit.eu/mikrotik-l2tpipsec-vpn/
When I set change-tcp-mss=no and delete the MTU settings from Step 1, it is still OK.

/ppp profile
add name=L2TP-plain use-encryption=no

Conclusion
My Error was setting change-tcp-mss=yes in the L2TP-Profile