Windows VPN RAS behind Mikrotik

Hi all, I'm experiencing an issue when I want to manage client VPN connections with a Windows Server 2016 RAS with L2TP and IPsec. I configured the following forward passthrough rules pointing to the Windows Server:
For VPN
TCP 1723
GRE

For L2TP over IPSEC
UDP 1701,500,4500
IPSEC-ESP
IPSEC-AH

Client requests never arrived at the Windows Server. Could anyone help me?
Thanks in advance

  1. post your current configuration (see my automatic signature below for anonymisation hints)

  2. for L2TP over IPsec, it is enough to forward UDP 500 and 4500 and IPSEC-ESP. AH is not used and UDP 1701 is encapsulated inside the IPsec transport packets (bare ESP or ESP over UDP depending on the absence or presence of NAT at client side), so invisible to mid-path routers.

  3. once you get past the forwarding issue: the Windows embedded client by default doesn’t accept NAT at server side. You can change this in registry on every client, or you need to do some more complex setup (like two Mikrotiks in a chain) to resolve this at server side, allowing the RAS to run on the public IP as well.
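
The reduced forwarding set from point 2, written as RouterOS rules. This is an added example, not a configuration posted by anyone in the thread; the interface name `ether1-wan` and the RAS address `192.168.88.10` are assumptions to replace with your own values.

```routeros
# Added example. Assumed values: WAN interface "ether1-wan",
# Windows RAS server at 192.168.88.10.

/ip firewall nat
# IKE (UDP 500) and NAT-T / ESP-over-UDP (UDP 4500)
add chain=dstnat in-interface=ether1-wan protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="L2TP/IPsec: IKE and NAT-T to RAS"
# Bare ESP, used when there is no NAT on the client side
add chain=dstnat in-interface=ether1-wan protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="L2TP/IPsec: ESP to RAS"

/ip firewall filter
# Permit only the dst-nat'ed traffic towards the RAS; this rule must sit
# above any drop rule in the forward chain.
add chain=forward in-interface=ether1-wan connection-nat-state=dstnat \
    dst-address=192.168.88.10 action=accept \
    comment="allow forwarded L2TP/IPsec to RAS"

# Deliberately not forwarded:
#   UDP 1701  - L2TP travels inside the IPsec transport packets
#   ipsec-ah  - not used
#   TCP 1723 and GRE - PPTP only, not needed for L2TP over IPsec
```

The packet counters shown by `/ip firewall nat print stats` tell you whether client requests reach the dst-nat rules at all, which separates a forwarding problem from the server-side NAT issue in point 3.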