VPN l2tp/ipsec terminated connection

Hi,
I have a problem with a VPN connection (L2TP/IPsec).
I establish a VPN connection and everything is fine. When I connect the second user, the first is disconnected, and after a while the second user

My hardware is:
RB951G-2HnD
RouterOS v.6.37.3
My configuration:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.254.1/24 192.168.254.0 bridge1
1 192.168.100.1/30 192.168.100.0 ether5
2 D 88.156.242.147/22 88.156.240.0 ether1

bridge1 (wifi,lan)
ether1 - WAN
ether5 - DMZ

[admin@MikroTik] > ip pool print

NAME RANGES

0 dhcp_pool1 192.168.254.2-192.168.254.254
1 POOL-VPN 10.10.10.2-10.10.10.100

[admin@MikroTik] > ppp profile print
Flags: * - default
0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
1 name="Profile-VPN" local-address=10.10.10.1 remote-address=POOL-VPN use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""
2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

[admin@MikroTik] > ppp secret print
Flags: X - disabled

NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS

0 user1 any pass1 Profile-VPN
1 user2 any pass2 Profile-VPN

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="password" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5


[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

[admin@MikroTik] > interface l2tp-server server print
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: disabled
max-sessions: unlimited
default-profile: Profile-VPN
use-ipsec: no
ipsec-secret:
allow-fast-path: no

use-ipsec: no

You specified L2TP/IPSec, so that should be enabled, and a secret set.

Are you sure the first client is actually connected? Do you see an IP assigned, and can you ping? Depending on client settings it may not connect if encryption isn't enabled.

That is not correct, you can set use-ipsec=no for the L2TP server and then manually set IPsec as he did,
and it will work OK. That way you can set certain parameters to other than default values.

But w.r.t the original question: are both those clients coming from the same public IP, e.g. behind the same NAT router?
That does not work. Only one user can be on the same address.

Yes, this is the same WAN address (NAT). Thanks.

Ok, that cannot be done with L2TP/IPsec.
It may be that you encounter this problem mainly during testing, or also in operational environment.
Depending on that, you need to find another solution. It is not going to work, it seems. Even the
new release candidate version that improves some of these aspects is not fixing it for L2TP.

So the option is buying a MikroTik for the location of the small office (3 people) and setting up the new hardware as client (small office) ↔ server (main company)?
Is there another solution?

I think the best solution for that small remote office would be the deployment of a dedicated router (a 750Gr3 or 3011 would surely perform fantastically) and run a tunnel of your choice between the main and the remote office.
Then enable routing between the two subnets and you're ready to go - and to expand the remote office if necessary.
-Chris

Oops, missed that, my fault.

Yes that is what I do as well, a 750Gr3 (hEX 3) is a fantastic router for this purpose and has a very low price.
I configure a L2TP or GRE over IPsec tunnel for only a /30 network and then setup BGP to route the subnets.
This works really well for such dynamic callers and is quite easy to configure:

/routing bgp peer
add name=(somename) nexthop-choice=force-self remote-address=(address_of_peer) remote-as=65530 route-reflect=yes ttl=1
/routing bgp network
add network=(address_of_local_network)/(netmask)
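A complete site-to-site configuration of the kind the two replies above recommend (a /30 point-to-point L2TP/IPsec tunnel between the main office and a hEX at the branch, with BGP exchanging the LAN routes) is sketched below. This is an added example, not config from the original posts, and it assumes addresses that are not on the page: 10.255.0.0/30 for the tunnel, 192.168.10.0/24 for the branch LAN, a hypothetical PPP user "branch", and placeholder passwords that must be replaced. The main-office LAN 192.168.254.0/24 and the WAN address 88.156.242.147 are taken from the printouts earlier in the thread. Both ends stay on RouterOS v6 syntax as used in the thread; the main-office side uses use-ipsec=yes rather than the manually defined peer from the first post, because one static branch router does not need non-default IKE parameters.

```routeros
# ===== Main office (L2TP/IPsec server, AS 65530) =====

# /30 profile: one fixed address per side, only one session for this secret.
/ppp profile
add name=site-to-site local-address=10.255.0.1 remote-address=10.255.0.2 \
    use-encryption=yes only-one=yes change-tcp-mss=yes

# Hypothetical site account; password is a placeholder to be replaced.
/ppp secret
add name=branch password="CHANGE-ME-PPP" service=l2tp profile=site-to-site

# L2TP server with the built-in IPsec binding and MS-CHAPv2 only.
# Placeholder pre-shared key; use a long random value in practice.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" \
    authentication=mschap2 default-profile=site-to-site

# Only admit IKE, NAT-T and ESP on the WAN input chain; everything else
# on the WAN side stays subject to the existing drop policy (assumed).
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T from branch"
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP from branch"

# iBGP over the tunnel: advertise the HQ LAN, reflect branch routes.
/routing bgp instance
set default as=65530 router-id=10.255.0.1
/routing bgp peer
add name=branch remote-address=10.255.0.2 remote-as=65530 \
    nexthop-choice=force-self route-reflect=yes ttl=1
/routing bgp network
add network=192.168.254.0/24


# ===== Branch office (hEX, L2TP/IPsec client, AS 65530) =====

# Dial the main-office WAN address printed earlier in the thread.
/interface l2tp-client
add name=l2tp-hq connect-to=88.156.242.147 user=branch \
    password="CHANGE-ME-PPP" use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" \
    allow=mschap2 disabled=no

# Same AS, peer with the far end of the /30; ttl=1 keeps the session
# from being accepted from anything that is not directly on the tunnel.
/routing bgp instance
set default as=65530 router-id=10.255.0.2
/routing bgp peer
add name=hq remote-address=10.255.0.1 remote-as=65530 \
    nexthop-choice=force-self ttl=1
/routing bgp network
add network=192.168.10.0/24
```

After both sides are up, `/routing bgp peer print status` should show the session established and `/ip route print where bgp` should list the far LAN on each router. Because the PPP secret is bound to a fixed /30 and `only-one=yes`, a second dial with the same credentials replaces the first rather than silently coexisting, which is the behaviour wanted for a site link but not for the per-user setup the thread started with.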

Thanks all
I tested the SSTP solution. It looks good.
All remote users from the small office use Windows OS.