2 static ips wan1 wan2
wan1 pppoe dial to modem (bridge)
wan2 modem dials and ip given to wan2 port lets say 192.168.20.10 and modem is 192.168.20.1(gw), dmz done in modem to the 20.10 ip and ipsec and vpn ports also forwarded to 20.10(mikrotikwan2)
vpn server made in mikrotik
dial to wan1 ip from outside works very well
wan2 dial shows connected in mikrotik ph1 and ph2 established and windows drops connection never a success in connection
any ideas?
Your post is not clear…
Please make a diagram with how things are set up and how you want things to work.
Are you getting RFC1918 IPs from your ISP? Or are they public IPs you just changing?
The WAN2 modem and DMZ configuration throws up a red flag… What is happening and why? You are actually doing “DMZ” port-forwarding on the modem to your Mikrotik router? And wanting to use it for VPN? This is asking for trouble. Most gateways’ DMZ only forward TCP and UDP traffic, ignoring (dropping) all the other protocols.
When you say “dial” are you referring to PPPoE? What access technology? Are WAN1 and WAN2 actually different ISPs? Or the different IPs from the same ISP? If the same ISP, why do you want to do it this way??
Are WAN1 and WAN2 actually different ISPs?
Yes, Different ISP’s (both have public , static ip. Can ping them from outside.
mikrotiks firewall mangle is configured fully to
preroute → new connection mark
preroute → new connection mark → new routing mark
output → new connection mark → new routing mark
above is for both the isp ports and works well with every thing
ok so wan1 has a fiber epon , thats on bridge mode hence it is configured as pppoe in mikrotik and has a static ip from isp, in this vpn connects from outside
wan2 has a modem that is not in bridge. this is also epon but already dialed pppoe in the modem itself. so themode has dmz and vpn port forwarding which is enabled.
both of them are public static ips.
for example i have a sql database , on wan2 modem i port forward that port to the mikrotik and mikrotik throws it at the server and i can connect to the database.
i have been trying to get the isp to give the username and password of the modem on wan2 so that i can put it on bridge mode and use wan2 as pppoe but the wan2 isp has bad support
You are actually doing “DMZ” port-forwarding on the modem to your Mikrotik router?
yes plus there is an option in modem to allow vpn connection through to which ip address, here i have given ip address of the wan2 port of mikrotik and when i connect from outside i can see in mikrotik ph1 and ph2 completed and established but then it disconnects in a matter of 4 or 5 seconds everytime
But with wan1 which is pppoe it works well.
i suspect the modem is holding something.
This is a symptom of TCP and UDP being forwarded, but not the other protocols… 47 (GRE) and 50 (ESP) as examples.. TCP is protocol 6, ICMP is protocol 1, UDP is protocol 17..
There are many, many protocols and most times, DMZ only means TCP and UDP, there are simply no options in the gateways for the other protocols.
My first thought anyways..
Depending on your configuration, any NAT can/will break the VPN because the packets are changed as they are NAT’d.
Personally, I wouldn’t hesitate to try and hack the modem/gateway to get the credentials, but I would never suggest someone else do that.. lol
hahah i tire the html hack see the password as text but its encrypted or some isps lock the macaddress of the dialing modem so that any other modem on th line with correct username and password would not dial
Certificate sometimes, username and password, usually. MAC address, not really
Having static IPs.. Is it still a residential account? Or a business account.. It would be normal for a business to use their own router..
Otherwise, one of those scenarios is most likely your issue. Check the manuals on NAT-T, otherwise, you need to bypass that gateway.
Whereas IPsec as such doesn’t care where the NAT takes place, the Windows embedded client does - with default settings, it breaks connection if the NAT detector indicates that the actual address of the responder (the private one of your Mikrotik) doesn’t match the one configured at the Windows side (the public IP of the modem).
There are two ways to handle this - either to change registry settings on every single Windows client you use, or to put up the public IP also on the Mikrotik an “un-dst-nat” the incoming IPSec connections back to that IP address, see http://forum.mikrotik.com/t/l2tp-vpn-can-not-connect-on-windows-10/131292/6
The drawback of the latter option is that it doesn’t work if the Windows initiator is on a public IP address unless the DMZ on the modem can forward also ESP traffic.
(either to change registry settings on every single Windows client you use)
i know this but avoiding it
(or to put up the public IP also on the Mikrotik an “un-dst-nat” the incoming IPSec connections back to that IP address, see viewtopic.php?p=738129#p738129)
can try this
But does that fix it?
ok so tried with this
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/l2tp-ipsec-vpn-client-connection-issue
setting it to 2 works
with this registry hack i can connect to the vpn of the router
but this one did not work
"
/ip firewall nat
print chain=dstnat where !dynamic
add chain=dstnat place-before=0 action=dst-nat protocol=udp dst-port=500,4500 in-interface=your-wan-interface
to-addresses=the.public.ip.mentioned.above
"
I’d have to see the complete configuration to say why. The dst-nat rule alone seems fine to me.
well the connection by miktoik does get established but what is not being forwarded by modem → mikrotik for windows to see it right?
Sorry, I did not understand your description of the situation. You’ve stated that it works end-to-end with the Windows registry change, hence the IPsec settings, L2TP settings, and port-forwarding on the modem must all be correct. The dst-address of the L2TP transport packets is inherited from the IPsec transport packets carrying them during decapsulation, so no dst-nat rule should be necessary for UDP port 1701.
So something in the other settings must be wrong. See my automatic signature for a mini-howto on how to obtain the configuration in a concise form and anonymize it properly before posting.
" so no dst-nat rule should be necessary for UDP port 1701. " without this, but with windows regstry hack i can connect to the vpn. but i want to avoid registry hack .
one way is bridging the modem and dial from mikrotik as my wan1 does, this is on wan 2 through modem of isp and for wan2 regity hack only works with win10.
ok another develpoment
win 10 pc 1 , with registry mod
win 10 pc2 , without registry mod
(pc1 pc2 using same internet and same lan)
try connecting pc2 to vpn on wan2 = no success
connect pc1 to wan2 vpn and it succeeds → now connect pc2 (which is without registry mod and it is a sucess)
Wait - are both PCs at the same site, i.e. from the perspective of the server, do they connect from the same public IP address?
Yes both pcs are at same site same public ipadress correct
That’s a separate can of worms then, you need a complicated workaround to make L2TP/IPsec work in this case.