WireGuard or L2TP VPN not working...

Hello everyone, for many months now I have been trying to create a VPN connection from remote devices (laptop, mobile, etc.) outside my house, but I haven't found out why it's not working.

So far I can only connect remotely with my iPhone using L2TP, but my laptop cannot connect; it shows an error saying: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. From the logs I noticed that it shows the error: No suitable proposal found.

I tried WireGuard as well; it says that it connects, but there is no communication with my router …

My MikroTik has a public IP but it is behind NAT on my ISP router, on which I have port-forwarded ports 4500, 1701 and 500.

My configuration is below :



# Original poster's RouterOS export as pasted on the forum: long commands are
# wrapped onto a following line and quotes are rendered as typographic quotes
# (“ ”), so this text is not directly re-importable as-is.
interface bridge
add ingress-filtering=no name=bridge-Vlan-LAN pvid=10 vlan-filtering=yes
add name=bridge-Vlan-WLAN
add admin-mac=0000000 auto-mac=no comment=defconf mtu=1492 name=
bridgeLocal-LAN
/interface ethernet
# proxy-arp on the ISP-facing port; presumably meant for the 192.168.100.x
# L2TP addresses that are assigned on ether1-ISP further down — confirm it is
# intended.
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-ISP
set [ find default-name=ether3 ] name=ether3-Management
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=greece disabled=no
installation=indoor mode=ap-bridge ssid=“GAPO WLAN 2.4G” vlan-id=20
vlan-mode=use-tag
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=greece disabled=no
installation=indoor mode=ap-bridge ssid=“GAPO WLAN 5G” vlan-id=20
vlan-mode=use-tag wireless-protocol=802.11
/interface l2tp-server
# Static L2TP interface binding for user vpnlocal, currently disabled; the
# L2TP service itself is switched on in "/interface l2tp-server server" below.
add disabled=yes name=l2tp-in1 user=vpnlocal
/interface wireguard
# disabled=yes: no WireGuard handshake can complete while the interface is off.
add disabled=yes listen-port=9874 mtu=1420 name=wireguard-VPN_Local
/interface vlan
add disabled=yes interface=bridge-Vlan-LAN name=Vlan99 vlan-id=99
# The PPPoE client below rides on this VLAN, which is disabled here.
add disabled=yes interface=ether1-ISP mtu=1492 name=vlan1cosmote vlan-id=835
add interface=bridge-Vlan-LAN name=vlan10 vlan-id=10
add interface=bridge-Vlan-WLAN name=vlan20 vlan-id=20
add disabled=yes interface=ether1-ISP name=vlan838-ISPMANAGMENT vlan-id=838
/interface pppoe-client
add add-default-route=yes interface=vlan1cosmote name=pppoe-out1-Cosmote
user=000000
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still offered alongside wpa2-psk.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
# IKE (phase 1) profile. dh-group=modp1024 is a 1024-bit group, below current
# guidance; a client that does not offer it fails with "No suitable proposal
# found", the log message reported in the thread. NOTE(review): check which
# DH groups the Windows client proposes and add a matching one (e.g.
# modp2048) here.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256
hash-algorithm=sha256
/ip ipsec proposal
# Phase 2 proposal. Presumably a non-verbose export, so settings not listed
# here (pfs-group, lifetimes) are at their defaults — confirm with
# "/ip ipsec proposal print".
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=
aes-256-cbc,aes-128-cbc
/ip pool
# Pool "vpn" ends at .255, the broadcast address if this is a /24 — likely
# unintended. Nothing in this export references the pool (a /ppp profile using
# it would be in /ppp profile, which is not shown); the ppp secret below uses
# fixed addresses instead.
add name=vpn ranges=192.168.100.2-192.168.100.255
add name=dhcp_pool2 ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool5 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridgeLocal-LAN name=dhcp1
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp3
add address-pool=dhcp_pool5 interface=vlan10 name=dhcp2
/snmp community
# addresses=0.0.0.0/0 accepts SNMP queries from any source; nothing in the
# input chain below restricts it, so it is reachable from ether1-ISP as well.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridgeLocal-LAN comment=defconf interface=ether3-Management
add bridge=bridge-Vlan-LAN comment=defconf interface=ether4 pvid=10
add bridge=bridge-Vlan-LAN comment=defconf interface=ether5 pvid=10
add bridge=bridge-Vlan-WLAN interface=wlan2 pvid=20
add bridge=bridge-Vlan-WLAN interface=wlan1 pvid=20
add bridge=bridge-Vlan-LAN interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge-Vlan-LAN tagged=bridge-Vlan-LAN untagged=
ether2,ether4,ether5 vlan-ids=10
/interface l2tp-server server
# use-ipsec=yes offers IPsec but does not require it; use-ipsec=required
# together with an ipsec-secret makes the IPsec step mandatory for every
# L2TP client.
set default-profile=default use-ipsec=yes
/interface list member
add interface=ether1-ISP list=WAN
add interface=ether2 list=LAN
add interface=ether3-Management list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireguard peers
# Peer is disabled=yes (public key redacted in the paste); traffic from a
# peer that is not enabled is never accepted, regardless of the interface
# state.
add allowed-address=192.168.101.2/32 disabled=yes interface=
wireguard-VPN_Local public-key=
“000000=”
/interface wireless align
set active-mode=no audio-max=0 audio-min=0 frame-size=200 frames-per-second=1
/interface wireless cap
set bridge=bridgeLocal-LAN discovery-interfaces=bridgeLocal-LAN interfaces=
wlan1,wlan2
/ip address
add address=10.10.1.1/24 comment=Management-LAN interface=bridgeLocal-LAN
network=10.10.1.0
# No prefix length on this address, and it sits on the ISP-facing port rather
# than on a VPN interface; presumably meant as the L2TP server-side address —
# confirm, a /ppp profile local-address would normally carry it.
add address=192.168.100.1 comment=VPN interface=ether1-ISP network=
192.168.100.0
add address=10.10.20.1/24 comment=VLAN-WLAN interface=vlan20 network=
10.10.20.0
add address=10.10.10.1/24 comment=VLAN interface=vlan10 network=10.10.10.0
add address=192.168.101.1/24 interface=wireguard-VPN_Local network=
192.168.101.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# The next non-empty line is a RouterOS error message pasted into the forum
# post, not a configuration command.

DHCP client can not run on slave or passthrough interface!

# A DHCP client on ether1-ISP next to the PPPoE client (whose VLAN
# vlan1cosmote is disabled above) — presumably only one of the two is the
# real uplink; confirm which.
add comment=defconf interface=wlan1
add interface=ether1-ISP
/ip dhcp-server network
# dns-server=192.168.1.1 is not in any subnet configured on this router.
add address=10.10.1.0/24 dns-server=192.168.1.1 gateway=10.10.1.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
/ip firewall filter
# Input chain: the only active rules drop DNS arriving on ether1-ISP. The
# accept rules for UDP 4500/500/1701 are disabled, and there is neither an
# established/related accept nor a final drop, so every other router service
# is reachable from ether1-ISP. The disabled VPN accept rules also match on
# src-port=, which may not hold for clients behind NAT — dst-port alone is
# the usual match.
add action=accept chain=input disabled=yes dst-address=192.168.101.2
in-interface=wireguard-VPN_Local src-address=192.168.101.1
add action=drop chain=input dst-port=53 in-interface=ether1-ISP protocol=udp
add action=drop chain=input in-interface=ether1-ISP protocol=tcp src-port=53
add action=accept chain=input disabled=yes dst-port=4500 in-interface=
ether1-ISP protocol=udp src-port=4500
add action=accept chain=input disabled=yes dst-port=500 in-interface=
ether1-ISP protocol=udp src-port=500
add action=accept chain=input disabled=yes dst-port=1701 in-interface=
ether1-ISP protocol=udp src-port=1701
/ip firewall mangle
add action=passthrough chain=input disabled=yes protocol=tcp tcp-flags=syn
tcp-mss=1452-1452
/ip firewall nat
add action=masquerade chain=srcnat comment=“masq. vpn traffic” disabled=yes
out-interface=wireguard-VPN_Local src-address=192.168.101.0/24
# Unrestricted masquerade: no out-interface or src-address, so it rewrites the
# source of every flow leaving the router on any interface, including traffic
# towards VPN clients. Usually limited to out-interface-list=WAN.
add action=masquerade chain=srcnat
/ip firewall service-port
set ftp disabled=yes
/ip service
# telnet/ssh/api/api-ssl are off; the remaining services are not part of this
# export.
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=vpn
add disabled=yes name=00000
# No password appears for vpnlocal (hidden by the export or not set —
# confirm); addresses are fixed rather than taken from pool "vpn".
add local-address=192.168.100.3 name=vpnlocal remote-address=192.168.100.4
service=l2tp
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no


I need some help :stuck_out_tongue:

Fixes and wireguard
- one bridge, default pvid of 1 kept.

  • remove vlans from wifi
  • consistent vlan settings, pool, dhcp-server, dhcp-server network, ip address
  • ip dhcp client should be removed/disabled; the ISP settings are in the PPPoE settings.
  • remove cap, not needed for internal radios.
  • DNS server setting for the management network 10.10.1.0/24 doesn't fit: it is set to the non-existent 192.168.1.1??
  • masquerade rule for wireguard not required (router is server for handshake) and no need to masquerade outgoing traffic
    as all traffic is incoming from road warriors.
  • mangle rule removed.
  • firewall rules modified
  • something I don't understand about the management VLAN and vlan30 >>>>>???

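# Proposed rework from the thread reply: one VLAN-aware bridge (default pvid 1
# kept), all LAN-side services moved onto VLAN interfaces. Lines ending in ???
# are the replier's open questions about vlan30 and the management VLAN and
# are left for the operator to fill in. Forum paste: typographic quotes (“ ”)
# must be plain " before import. This rework does not touch the IPsec
# profile/proposal, so the L2TP "No suitable proposal found" issue is
# unaffected by it.
/interface bridge
add ingress-filtering=no name=bridge-Vlan vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=greece disabled=no
installation=indoor mode=ap-bridge ssid=“GAPO WLAN 2.4G”
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=greece disabled=no
installation=indoor mode=ap-bridge ssid=“GAPO WLAN 5G” wireless-protocol=802.11

/interface wireguard
# Interface enabled; the peer entry further down is still disabled=yes and
# must be enabled (with the client's real public key) before any handshake
# can succeed.
add disabled=no listen-port=9874 name=wireguard-VPN_Local

/interface vlan
add interface=bridge-Vlan name=vlan10 vlan-id=10
add interface=bridge-Vlan name=vlan20 vlan-id=20
# Referenced as vlan99 by the dhcp-server, interface-list and ip address
# sections below; interface names must match exactly.
add interface=bridge-Vlan name=vlan99 vlan-id=99
add interface=bridge-Vlan name=vlan30 vlan-id=30 comment=“formerly bridge subnet” ???
# Name must match the pppoe-client's interface= below.
add interface=ether1-ISP name=vlan1cosmote vlan-id=835

/interface pppoe-client
add add-default-route=yes interface=vlan1cosmote name=pppoe-out1-Cosmote

/ip pool
add name=dhcp_pool2 ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool5 ranges=10.10.10.2-10.10.10.254

/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan99 name=dhcp1
add address-pool=dhcp_pool3 interface=vlan30 name=dhcp5
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp3
add address-pool=dhcp_pool5 interface=vlan10 name=dhcp2

/interface bridge port
# Every access port: untagged/priority-tagged frames only, ingress filtering
# on, so a client cannot inject tagged frames to hop VLANs.
add bridge=bridge-Vlan interface=ether3-Management pvid=99 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=wlan2 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=wlan1 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface= ??? pvid=30 ???

/interface bridge vlan
# The bridge itself is tagged on every VLAN so the vlanNN interfaces above
# (which hang off the bridge) receive their traffic.
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=wlan1,wlan2 vlan-ids=20
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=ether3-Management vlan-ids=99
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=??? vlan-ids=30???

/interface list member
add interface=ether1-ISP list=WAN
# The PPPoE interface is the actual internet egress; it has to be in the WAN
# list for the forward rule "local to WAN internet" (out-interface-list=WAN)
# to match.
add interface=pppoe-out1-Cosmote list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan99 list=LAN
add interface=vlan30 list=LAN ???

/interface wireguard peers
# Still disabled=yes with a redacted key — see the note on the interface
# above.
add allowed-address=192.168.101.2/32 disabled=yes interface=
wireguard-VPN_Local public-key=
“000000=”

/ip address
add address=10.10.1.1/24 comment=Management-LAN interface=vlan99
network=10.10.1.0
add address=10.10.20.1/24 comment=VLAN-WLAN interface=vlan20 network=
10.10.20.0
add address=10.10.10.1/24 comment=VLAN interface=vlan10 network=10.10.10.0
add address=10.10.30.1/24 comment=??? interface=vlan30 network=10.10.30.0 ???
add address=192.168.101.1/24 interface=wireguard-VPN_Local network=
192.168.101.0

/ip dhcp-server network
# The router itself is handed out as DNS for the management subnet; that
# requires /ip dns allow-remote-requests=yes, which is not part of this
# snippet — confirm it is set.
add address=10.10.1.0/24 dns-server=10.10.1.1 gateway=10.10.1.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1

/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback
(for router uses only)” dst-address=127.0.0.1
# protocol=udp (the paste had "protocol-udp", which is not valid syntax).
# The WireGuard listener on 9874 is the only service exposed to the internet;
# everything else is behind the LAN-list rule and the final drop.
add action=accept chain=input dst-port=9874 protocol=udp comment=“wireguard connection”
add action=accept chain=input in-interface-list=LAN comment=“allow lan users to router services”
add action=drop chain=input comment=“Drop All Else”
# --- forward chain (traffic through the router) ---
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
add action=accept chain=forward comment=“local to WAN internet” in-interface-list=LAN out-interface-list=WAN
# Road-warrior clients may reach every LAN VLAN, including the management
# VLAN 99 — narrow out-interface-list if that is not wanted.
add action=accept chain=forward comment=“remote to lans” in-interface=wireguard-VPN_Local out-interface-list=LAN
add action=drop chain=forward comment="DROP All Else"

/ip firewall nat
# Masquerade only on the PPPoE uplink; VPN-bound traffic is not rewritten.
add action=masquerade chain=srcnat out-interface=pppoe-out1-Cosmote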

As for the L2TP, I'm willing to bet that the problem is with the encryption algorithms. That's why I would recommend you to read which algorithms your laptop supports on the following page:

https://help.mikrotik.com/docs/display/ROS/IPsec

and configure respectively the proposals and profiles from the IP/IPsec menu.

Laptop is running Windows (10)?

Check also this:
http://forum.mikrotik.com/t/windows-pcs-doesnt-connect-to-l2tp-ipsec-vpn/148477/1

I need the WLAN VLAN to reduce traffic generation. As for the filter rules, all are inactive; maybe PPPoE is the problem? I have deactivated it.

Running windows 11…!

That's what I was thinking, I will try it and come back!

I've made all these changes, but again nothing changed…

You could set use-ipsec=required in the L2TP server and add an IPsec secret if you haven't, so that the changes you've made can take effect; plus it's more secure this way.