Troubleshooting L2TP/IPSec, can't connect with some clients

I’m trying to set up a “road warrior” style VPN, so I can access devices I have at home on LAN (file share, remote desktop, etc.) when away from home without opening any of these up to the big scary Internet. After setting it up, and trying to test it, I am able to connect successfully using my iPhone 6s or Android 7.0 Tablet, or Windows 7 desktop (it has no WiFi, so I can’t tether it) over LAN. However, when I try to test using an outside connection, I have a perplexing result:

iPhone 6s over cellular – failure
Android 7.0 tablet connected via WiFi to iPhone 6s Personal Hotspot (over cellular) – successful
Crappy Chinese Windows 10 laptop – failure

I tried adding debug/ipsec/l2tp to my logging and see many messages (including signs of connection attempts and negotiation), but nothing that sticks out as an error or obvious path to fix. My best guess is this had something to do with encryption or authentication, but there are many encryption/authentication options in several places (IP/IPSec/Peers, PPP/L2TPServer/Authentication, PPP/Profiles/Default) so it’s too many for me to feel comfortable flipping and trying at random.

For my configuration, I have a new RB951G-2HnD running RouterOS 6.34.6 (bugfix). It is connected directly to the Internet so its WAN IP is a public IP. There are no other gateways/switches/etc. on the network. I did nothing for my initial setup that wasn’t in “Quick Set” (set up wireless, enabled upnp, changed the local IPs).

I then followed the instructions here to set up L2TP: http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup

I then moved the two firewall rules created at the end of the instructions above to 3/4, above the entry that says “drop all from WAN”.

My router ip is *.1, LAN DHCP range is *.100-199, PPP profile local address is *.200, and PPP profile remote address uses a pool from *.210-.244. All these settings seem to be working as intended when connecting to the VPN over the LAN.

My iOS configuration is type: L2TP with the correct username/password/shared secret. Like I said, it works for the Android tablet when tethered to the same connection.

If anyone could assist or point me in the right direction it would be much appreciated. I have read everything I can find on the Wiki or Google but haven’t found anything guiding me toward the solution.

I am totally open to using a completely different setup if it would be more appropriate. I originally set up a PPTP connection successfully using the easy wizard on the Quick Set page, but PPTP is being deprecated from iOS/macOS. I just want it to work with all major devices (Windows 7+/Android/iOS/macOS). Ideally out of the box, but I don’t have anything against using a separate app. My use case is pretty simple, so I really just need something simple without a kamikaze level of insecurity.

For anyone else that might be having a similar issue:

Without changing anything, it turned out I could connect to the VPN successfully via my iPhone through the WiFi at a friend’s house. For whatever reason, something didn’t work over the cellular connection. I’ve seen some people mention here and in various other forums that a cellular connection could have its own weird requirements, so this must have been the case. It’s above my understanding to figure out why, but if anyone has some guidance it is appreciated!

For anyone else in my boat, if you can connect to your VPN over LAN but not over cellular, go ahead and seek out another Internet connection if you don’t actually need cellular and are just using it for testing purposes.

I have experienced that L2TP/IPsec does not work properly over double NAT, at least not in some cases.
Your cellular connection may well be doing double NAT.
I fixed it by configuring the IPsec layer manually on the server, and setting generate-policy=port-override on the peer config.
So, you go to the L2TP server config and remove IPsec there, then you set up the peer manually:

/ip ipsec peer
add enc-algorithm=aes-128 generate-policy=port-override local-address=aaa.bbb.ccc.ddd passive=yes secret=sssssssssssssssssssssssssssssss

With this change, it works OK for me. It removes the strict port checking on the IPsec rule, which causes problems with double NAT. A side effect will be that you cannot connect two clients from the same public address (behind the NAT). This may be a problem in large-scale use where many users are connecting at the same time and may end up behind the same public address of a single cellular provider.
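As an added, worked-out version of the change described in the reply above (not the poster's own configuration, and not from the MikroTik wiki), here is a complete RouterOS 6.x setup: the L2TP server with its built-in IPsec switched off, the IPsec peer configured by hand with port-override policy generation, and the input-chain rules that the wiki instructions tell you to place above the "drop all from WAN" rule. The WAN interface name ether1-gateway, the 192.168.89.0/24 VPN range, the user name, the CHANGE-ME placeholders and the public address aaa.bbb.ccc.ddd are assumptions for the example.

```routeros
# Added example: manual IPsec peer for L2TP road-warrior clients behind (double) NAT.
# Assumed names/values: ether1-gateway (WAN interface), aaa.bbb.ccc.ddd (server public IP),
# 192.168.89.0/24 (VPN address range), CHANGE-ME-PSK / CHANGE-ME-USER-PW (placeholders).

# 1. L2TP server with its built-in IPsec disabled; IPsec is configured by hand in step 3.
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.99
/ppp profile
add name=vpn-l2tp local-address=192.168.89.1 remote-address=vpn-pool use-encryption=yes
/ppp secret
add name=alice password=CHANGE-ME-USER-PW service=l2tp profile=vpn-l2tp
/interface l2tp-server server
set enabled=yes use-ipsec=no default-profile=vpn-l2tp authentication=mschap2

# 2. Phase-2 proposal used by the dynamically generated policies.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# 3. Passive peer that accepts any client address. generate-policy=port-override installs
#    the transport-mode policy without the UDP/1701 port selector, so a client whose source
#    port was rewritten by one or two NATs still matches the policy.
#    Trade-off (as the reply says): only one client per public address at a time.
/ip ipsec peer
add address=0.0.0.0/0 local-address=aaa.bbb.ccc.ddd exchange-mode=main passive=yes \
    secret=CHANGE-ME-PSK generate-policy=port-override nat-traversal=yes \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    send-initial-contact=no

# 4. Input rules. IKE/NAT-T and ESP are accepted from the WAN, but L2TP (UDP/1701) is
#    accepted only when the packet was decrypted from IPsec; plain L2TP from the WAN is dropped.
#    After adding them, move them above the "drop all from WAN" rule, as in the thread.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1-gateway \
    comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP, only when it arrived inside IPsec"
add chain=input action=drop protocol=udp dst-port=1701 in-interface=ether1-gateway \
    comment="plain L2TP from WAN is never accepted"
```

To confirm a client negotiated correctly, check `/ip ipsec remote-peers print` for the established phase 1 and `/ip ipsec installed-sa print` for the two ESP SAs before looking at the L2TP and PPP logs; a client that appears in neither never got past IKE, which points at the pre-shared key or the proposal rather than at the PPP settings.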

What do you input for local-address? The public IP, or the private one you got from the IP pool setup?

The above example is for a server that has a public IP and clients that have private IP behind single or double NAT.
The aa.bb.cc.dd address is the public IP on the server.

You can set 0.0.0.0/0 in public ip

But I’ve tested it and also can’t ping anything besides my MikroTik LAN interface when connected over L2TP/IPsec:

konrad@MacBook-Pro [~/]$ ping 10.5.0.120
PING 10.5.0.120 (10.5.0.120): 56 data bytes
64 bytes from 10.5.0.120: icmp_seq=0 ttl=64 time=23.296 ms

--- 10.5.0.120 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 23.296/23.296/23.296/0.000 ms
konrad@MacBook-Pro [~/]$ ping 10.5.0.149
PING 10.5.0.149 (10.5.0.149): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

That is an entirely different issue!
You must make sure that routing is correct everywhere.
Put the VPN in a separate subnet, make sure forwarding rules in the router allow the traffic, and make sure the systems you want to reach know that the route to this network is via your router (this can be done as part of their default route, but that only works when the VPN subnet is outside of their local LAN subnet).

There are tricks to work around it but I would not advise that. Make a proper network plan.
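The routing advice in the reply above, worked through as an added RouterOS 6.x example (not the poster's configuration): VPN clients get their own subnet outside the LAN, the forward chain explicitly allows client-to-LAN traffic and the replies, and a source-address ping from the router tests the return route on a LAN host without needing a client connected. The LAN 192.168.88.0/24, the VPN range 192.168.89.0/24, the host 192.168.88.20 and the profile named default are assumptions for the example.

```routeros
# Added example: VPN clients in their own subnet, forward rules, and a return-route check.
# Assumed values: LAN 192.168.88.0/24, VPN range 192.168.89.0/24, LAN host 192.168.88.20.

# VPN pool outside the LAN subnet. A LAN host then has no choice but to send replies for
# 192.168.89.x to its router; if the pool overlapped the LAN, the host would ARP for the
# VPN client locally and the reply would never reach the router.
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.99
/ppp profile
set default local-address=192.168.89.1 remote-address=vpn-pool

# Forward rules, to be placed above any drop rule in the forward chain: VPN clients may
# reach the LAN, and the LAN may answer them; everything else from the VPN stays blocked
# by whatever drop rule follows.
/ip firewall filter
add chain=forward action=accept src-address=192.168.89.0/24 dst-address=192.168.88.0/24 \
    in-interface=all-ppp comment="VPN clients to LAN"
add chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.89.0/24 \
    out-interface=all-ppp connection-state=established,related comment="LAN replies to VPN"

# Return-route check. The router sends ICMP from the VPN gateway address, so the host's
# reply only arrives if the host routes 192.168.89.0/24 (or its default route) via this router.
/ping 192.168.88.20 src-address=192.168.89.1 count=3
```

If that ping times out while a plain `/ping 192.168.88.20` from the router succeeds, the host has no route back to the VPN subnet: either make the router its default gateway, or add a route for 192.168.89.0/24 via the router's LAN address on that host. That is the case the reply describes, and it is exactly what a client sees as "I can reach the router but nothing behind it".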

I’m quite sure I have made a good network plan. I wouldn’t be asking for help if I hadn’t done anything yet. I have been using tutorials and reading, and it still doesn’t work.

My routing is:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                            xx.xx.xx.1              1
 1 ADS  10.0.0.0/8                           10.5.0.1                1
 2 A S  ;;; [ Route to provider1 / part of network /9 ]
        10.0.0.0/9          10.5.0.120       ether2                  1
 3 ADC  10.5.0.0/22         10.5.0.120       ether2                  0
 4 A S  ;;; [ Route to provider2 ]
        10.128.0.0/9                         ether2                  1
 5 ADC  xx.xx.xx.xx/22      xx.xx.xx.xx      ether1                  0
 6 ADC  172.16.0.253/32     172.16.0.254                             0

My router is 10.5.0.120, with 172.16.0.254 for L2TP/IPsec. 10.128.0.0/9 is GCP infrastructure, and 10.0.0.0/9 is the infrastructure of the network the MikroTik is a part of.
On GCP I’ve set up routing to 10.0.0.0/9 and 172.16.0.0/24 through the GCP tunnel, which is established with the MikroTik through an IPsec S2S tunnel. I’ve also set firewall rules to allow traffic from 10.0.0.0/9 and 172.16.0.0/24. The same goes for the MikroTik:

firewall nat:

 0 ;;; [My Network] => [GCP Network]
   chain=srcnat action=accept src-address=10.0.0.0/9 dst-address=10.128.0.0/9 log=no log-prefix=""

 1 chain=srcnat action=accept src-address=172.16.0.0/24 dst-address=10.128.0.0/9 log=no log-prefix=""

Any server in 10.0.0.0/9, after adding a static route to 10.128.0.0/9 via 10.5.0.120, sees the GCP nodes in that network. And the same goes from GCP: it sees all servers behind the MikroTik in 10.0.0.0/9. But there is an issue with C2S to the MikroTik when a user is connecting.

A VPN user from 172.16.0.0/24 doesn’t see any host from the 10.128.0.0/9 network, and the same goes from GCP when trying to ping 172.16.0.254 (the MikroTik VPN server) or even a connected VPN user.