VPN L2TP/IPSEC DMZ Apple connects Windows doesn't

Hi All,

I have the following configuration (http://forum.mikrotik.com/t/bridge-mode-with-vpn/109862/1) behind a cable modem. It’s configured as DMZ. I can connect on the public IP to the WebFig, also I can connect to the VPN from my iPhone and Macbook. But I can’t connect from any Windows 10 computer…

What am I missing?

In the log I see the following

respond new phase 1 (Identity Protection) (followed by the correct IP addresses)
purging ISAKMP-SA (followed by the correct IP addresses)
ISAKMP-SA deleted (followed by the correct IP addresses)

First of all, make sure you are running the latest stable version of RouterOS. If it still does not work, enable IPsec debug logs, generate supout.rif file after a failed connection attempt from Windows and send it to support@mikrotik.com.

You can enable debug logs with this command:

/system logging add topics=ipsec

Generate supout file:

/system sup-output

Consider it done! Thanks for the quick reply.

update:

The IPSEC part is working for the Windows client, the L2TP fails.
When connecting from my Mac, it does show the expected activity in the log file. If the Windows client connects there is no L2TP activity shown in the log.


/interface bridge
add name=bridge1
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,3des name=L2TP-Proposal pfs-group=none
/ip pool
add name=poolVPN ranges=172.31.80.1-172.31.80.20
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=poolVPN name=\
    l2tp-profile remote-address=poolVPN
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes \
    ipsec-secret=PASSWORD use-ipsec=yes
/ip address
add address=192.168.5.100/24 interface=ether2 network=192.168.5.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1 src-address=\
    172.31.80.0/24
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,3des exchange-mode=main-l2tp \
    generate-policy=port-override secret=SHARED_SECRET
/ip ipsec policy
add proposal=L2TP-Proposal template=yes
/ip route
add distance=1 gateway=192.168.5.1
/ppp secret
add name=USERNAME password=PASSWORD profile=l2tp-profile service=l2tp

Ok, editing the Windows 10 registry worked:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  • New DWORD (32-bit) Value: AssumeUDPEncapsulationContextOnSendRule
  • Set the value to 2
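A scripted version of that registry change, added here as an example and not taken from the posts above or from MikroTik: it reads the current value, writes the DWORD only if it differs, and reminds you that the IPsec Policy Agent reads the setting at start-up. The key path and value name are the ones from the post above; the meaning of 0, 1 and 2 is from Microsoft's KB 926179 (0 = no NAT, 1 = server behind NAT, 2 = server and client both behind NAT, which is the DMZ-behind-cable-modem case in this thread). Function names are my own.

```powershell
# Added example: apply the PolicyAgent NAT-T registry fix from an elevated
# PowerShell session, showing the existing value before changing anything.
#Requires -RunAsAdministrator

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$desired   = 2   # both VPN client and server are behind NAT (value from the thread)

function Get-NatTRule {
    # Returns the current DWORD, or $null if the value has never been created
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-NatTRule {
    param([ValidateSet(0, 1, 2)][int]$Value)   # only the three values KB 926179 defines

    $current = Get-NatTRule
    if ($current -eq $Value) {
        Write-Host "$valueName is already $Value; nothing to do."
        return $false
    }
    # -Force overwrites an existing value, whatever its previous type
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "$valueName changed from '$current' to $Value."
    return $true
}

$before = Get-NatTRule
Write-Host "Current value: $(if ($null -eq $before) { '<not set>' } else { $before })"

if (Set-NatTRule -Value $desired) {
    # The Policy Agent only picks the value up on start; Microsoft's article
    # asks for a reboot, which is the reliable way to get it applied.
    Write-Host 'Reboot before retrying the L2TP/IPsec connection.'
}
```

Run it from an elevated PowerShell prompt on the Windows 10 client. Microsoft leaves this value unset (behaving as 0) by default, so it only needs to go on machines that actually have to reach an L2TP/IPsec server sitting behind NAT, like the router in this thread; leaving other clients at the default keeps the change scoped to where it is needed.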