Hello,
Can anyone help with this problem?
I use L2TP/IPsec VPN on my MikroTik, but now I have a problem.
I created the users under PPP > Secret.
I made 5 users for login,
and when I use them at my office I can't connect more than 1 user; every time I dial another user, the one that is already connected is disconnected.
This happens when I dial in one local network on the other office.
These are my settings:
L2tp Server:
/interface l2tp-server server> pr
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
PPP secret
/ppp secret> pr
Flags: X - disabled
NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 ao1 l2tp L2TP-Profile
1 ao2 l2tp L2TP-Profile
2 cideng1 l2tp L2TP-Profile
3 cideng2 l2tp L2TP-Profile
4 cideng3 l2tp L2TP-Profile
5 cideng4 l2tp L2TP-Profile
ppp profile
/ppp profile> pr
Flags: * - default
0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
use-compression=default use-vj-compression=default use-encryption=default
only-one=default change-tcp-mss=yes address-list=""
1 name="L2TP-Profile" local-address=Local-RT remote-address=RT-Cideng
remote-ipv6-prefix-pool=(unknown) use-ipv6=default use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list=""
dns-server=xxx.xxx.xxx.xxx
2 * name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes address-list=""
IPsec Peer
/ip ipsec peer> pr
Flags: X - disabled
0 address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxxxxxx"
generate-policy=port-override exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=1m
dpd-maximum-failures=3
Proposal
/ip ipsec proposal> pr
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc
lifetime=30m pfs-group=none
Can anyone help?
Thanks
Do not worry,
it is possible to establish only one connection at a time.
In a future version of RouterOS it will be possible to make more than one connection.
To establish more connections use a PPTP connection; it is already encrypted.
rextended:
Do not worry,
it is possible to establish only one connection at a time.
In a future version of RouterOS it will be possible to make more than one connection.
To establish more connections use a PPTP connection; it is already encrypted.
Dear rextended,
Thanks for taking the time to answer my question.
Now my L2TP/IPsec is up and running.
The problem is I can’t connect to the MikroTik VPN server with different usernames, even though I already set a different username for every PC that connects to the MikroTik VPN server.
Only one username can ever connect; if I try to connect with a different username and PC, the one that is already connected will disconnect.
Can anyone help me?
Thank you
What is the license level of your router?
http://wiki.mikrotik.com/wiki/Manual:License_levels#License_Levels
It needs to be level 3+ to make more than 1 PPTP link.
I have level 6 for my router.
I am using ainos mikrotik.
PPTP is running well, but L2TP/IPsec is not.
Thanks
huntah
March 30, 2014, 9:18am
6
As rextended said before, you can only connect ONE client behind the same static IP.
So if you have multiple users at a hotel which uses NAT (so all your users are behind NAT with the same IP), only 1 will work.
This is a limitation of the L2TP/IPsec implementation on MikroTik.
You can try OVPN or PPTP if you need more than one concurrent user behind the same NAT.
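One way to confirm from session logs the behaviour described in this reply, where a user is dropped as soon as another user connects from the same public address. This is an added example, not part of the thread; the log format, the addresses and the 10-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a simplified format (not copied from a real router):
# timestamp, user, event, public address the session came from.
SAMPLE_LOG = """\
2014-03-30 09:00:05 cideng1 logged in from 203.0.113.10
2014-03-30 09:02:40 ao1 logged in from 198.51.100.7
2014-03-30 09:05:12 cideng2 logged in from 203.0.113.10
2014-03-30 09:05:14 cideng1 logged out from 203.0.113.10
2014-03-30 09:30:00 ao1 logged out from 198.51.100.7
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) logged (in|out) from (\S+)$")


def parse(log):
    """Return (time, user, event, address) for each recognised line."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # unrecognised lines are skipped, not treated as errors
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_displacements(log, window=timedelta(seconds=10)):
    """Return (address, dropped_user, new_user) for every logout that has a
    login by a different user from the same address within `window`,
    whichever of the two events was logged first."""
    events = parse(log)
    logins = [e for e in events if e[2] == "in"]
    hits = []
    for ts, user, event, addr in events:
        if event != "out":
            continue
        for lts, luser, _, laddr in logins:
            if laddr == addr and luser != user and abs(ts - lts) <= window:
                hits.append((addr, user, luser))
    return hits


if __name__ == "__main__":
    for addr, old, new in find_displacements(SAMPLE_LOG):
        print(f"{addr}: {old} dropped when {new} connected")
```

A logout with no matching login from the same address, such as ao1's in the sample, is not reported, so ordinary disconnects do not show up as displacements.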
huntah:
As rextended said before, you can only connect ONE client behind the same static IP.
So if you have multiple users at a hotel which uses NAT (so all your users are behind NAT with the same IP), only 1 will work.
This is a limitation of the L2TP/IPsec implementation on MikroTik.
You can try OVPN or PPTP if you need more than one concurrent user behind the same NAT.
Hello huntah,
OK, I understand, thanks.
But a while ago I tried with 3 users and they could connect to the VPN server from my head office, which has an IP using NAT.
After 3 days I can’t connect to the VPN server anymore.
Does MikroTik have an expiry time for VPNs connected from the same IP using NAT?
Thanks
huntah
April 3, 2014, 1:42pm
8
If I understood you correctly, a while ago 3 different users could connect to the VPN server (L2TP), just not at the same time.
And now it is not working at all. I would try to reboot the VPN router and see if it helps.
If you haven't changed anything it should work.
Once on ROS 6.11 my L2TP/IPsec server stopped working and all I could do was reboot the router. Enabling/disabling the L2TP server, IPsec flush all, etc. did not help.
Maybe there is some bug in L2TP in ROS 6.11, but since then it has been working for me without problems. And I cannot reproduce the problem (nor do I want to, because it is our main GW), but if it happens again I will make a SUPOUT.RIF and send it to support@mikrotik.com.
huntah:
If I understood you correctly, a while ago 3 different users could connect to the VPN server (L2TP), just not at the same time.
And now it is not working at all. I would try to reboot the VPN router and see if it helps.
If you haven't changed anything it should work.
Once on ROS 6.11 my L2TP/IPsec server stopped working and all I could do was reboot the router. Enabling/disabling the L2TP server, IPsec flush all, etc. did not help.
Maybe there is some bug in L2TP in ROS 6.11, but since then it has been working for me without problems. And I cannot reproduce the problem (nor do I want to, because it is our main GW), but if it happens again I will make a SUPOUT.RIF and send it to support@mikrotik.com.
Hi huntah,
I tried to reboot, and I tried to reset the router and create the L2TP/IPsec VPN again, and it is not working for 5 users with one NAT internet connection to the server.
I don’t know why.