benjaminb
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2016 5:34 am

VPN L2TP/IPSEC to Win 2012 R2 RRAS

Thu Nov 10, 2016 5:50 am

Hi Everyone,

I am here because I need your help! I am quite a beginner...
I have set up a routing and remote access role on a Windows Server 2012 R2.
I have then set lots of rules on our MikroTik firewall.
PPTP VPN is working properly but L2TP over IPsec not at all. I can see some inbound packets on the firewall but the Windows server does not receive anything.
In my case the router has 192.168.1.254 and the W2012R2 server has 192.168.1.3 as IP.
Here is a copy of the firewall / filter rules:
[screenshot: firewall filter rules]

And the NAT tab:
[screenshot: NAT rules]

What am I missing here?
Thank you in advance for your help,

Benjamin
 
benjaminb
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2016 5:34 am

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Mon Nov 14, 2016 5:00 am

Sorry to bump my topic, but does anyone know why L2TP over IPSEC is not working while PPTP is?
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Mon Nov 14, 2016 1:33 pm

I'm running L2TP on my RB750Gr3; I only needed the 3 UDP ports.
Have you tried the L2TP VPN server locally?
 
benjaminb
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2016 5:34 am

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Fri Nov 18, 2016 5:23 am

Hi Erlinden,

Thank you for replying.
I went on site and did a local test of the L2TP over IPsec VPN. It works properly: clients connect to it and can access network shares, etc.

What are your rules for your firewall?
The router is a 951G 2HnD, I recently updated it to 6.37.1.

Kind regards,

Benjamin
 
erlinden
Member Candidate
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Fri Nov 18, 2016 12:23 pm

I just had to open ports 500, 1701 and 4500 for UDP; you should add port forwards like those mentioned here:
https://www.nasa-security.net/mikrotik/ ... ith-ipsec/
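As an added example (not erlinden's rules, not the thread's own configuration and not taken from the linked page), here are RouterOS 6.x firewall and NAT rules that implement the three UDP port forwards to an RRAS server at 192.168.1.3, the address given in the first post. The WAN interface name ether1-gateway is an assumption; rename it to match the router.

```routeros
# Added example, not the thread's own configuration: RouterOS 6.x rules that
# forward L2TP/IPsec from the Internet to an RRAS server on the LAN.
# Assumptions: the WAN interface is ether1-gateway; the RRAS server is
# 192.168.1.3 (the address given in the first post).

/ip firewall nat
# IKE (ISAKMP) and IPsec NAT-T. Once the server sits behind NAT these two
# ports carry the whole L2TP/IPsec session.
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=500 action=dst-nat to-addresses=192.168.1.3 to-ports=500 comment="IKE -> RRAS"
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=4500 action=dst-nat to-addresses=192.168.1.3 to-ports=4500 comment="IPsec NAT-T -> RRAS"
# Plain L2TP. This rule only ever matches a client that sends L2TP without IPsec.
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=1701 action=dst-nat to-addresses=192.168.1.3 to-ports=1701 comment="L2TP -> RRAS"

/ip firewall filter
# dst-nat runs before filtering, so the forwarded packets are evaluated in the
# forward chain, not input. Keep this accept above any generic drop rule that
# ends the forward chain (use /ip firewall filter move if it lands below one).
add chain=forward in-interface=ether1-gateway dst-address=192.168.1.3 protocol=udp dst-port=500,4500,1701 action=accept comment="L2TP/IPsec to RRAS"
```

Because the server is behind NAT, the Windows client and server negotiate NAT-T, and from then on the L2TP packets travel inside the UDP-encapsulated ESP on port 4500. The router therefore only ever sees ports 500 and 4500 from the outside: the 500 and 4500 counters climb on every connection attempt while the 1701 rule stays at zero, which is the normal state of a working setup and not a sign of a missing rule. No separate rule for ESP (protocol 50) is needed for the same reason.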
 
benjaminb
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2016 5:34 am

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Mon Nov 21, 2016 3:13 am

I solved my connection issue with this Microsoft KB:
How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008 (https://support.microsoft.com/en-us/kb/926179)

So it was working all along, the firewall rules were right. One just has to add a registry key to allow L2TP VPN behind NAT:
AssumeUDPEncapsulationContextOnSendRule value 2

Thank you for your help :)
 
a.devecerski
just joined
Posts: 22
Joined: Tue Jan 24, 2006 11:23 pm

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Sat May 06, 2017 3:46 pm

Hi people

I'm trying to make more or less the same setup described above work, but without success so far.
The only difference is my RRAS server is a Windows 2003 machine.

Like with benjaminb's starting situation, PPTP over NAT is functional, no problem. I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry thing, then with the registry key added. Even tried varying the key value, 2 or 1. Nothing.

One odd thing I've noticed: the UDP:1701 counters, both firewall and NAT, are stuck at 0 (like in the initial post's screens).
The UDP:500/UDP:4500 counters are going up at connection attempts.

Any ideas, maybe?
 
Revelation
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Sat May 06, 2017 8:07 pm

> Hi people
>
> I'm trying to make more or less the same setup described above work, but without success so far.
> The only difference is my RRAS server is a Windows 2003 machine.
>
> Like with benjaminb's starting situation, PPTP over NAT is functional, no problem. I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry thing, then with the registry key added. Even tried varying the key value, 2 or 1. Nothing.
>
> One odd thing I've noticed: the UDP:1701 counters, both firewall and NAT, are stuck at 0 (like in the initial post's screens).
> The UDP:500/UDP:4500 counters are going up at connection attempts.
>
> Any ideas, maybe?

You need to double-check that you are running a protocol and security level supported by Win Server 2003.

Ultimately I would encourage you to not have a direct VPN in to your server. Ideally a user would VPN into your router and then access the server via the local IP. This allows you to more easily have multiple servers running on your network that outside users may access and it allows greater granularity of control for access. For example you can assign a user a specific VPN IP instead of just a random IP from a pool and you can grant them access via FW rules to specific IPs.
 
a.devecerski
just joined
Posts: 22
Joined: Tue Jan 24, 2006 11:23 pm

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Sun May 07, 2017 1:04 pm

> You need to double-check that you are running a protocol and security level supported by Win Server 2003.
>
> Ultimately I would encourage you to not have a direct VPN in to your server. Ideally a user would VPN into your router and then access the server via the local IP. This allows you to more easily have multiple servers running on your network that outside users may access and it allows greater granularity of control for access. For example you can assign a user a specific VPN IP instead of just a random IP from a pool and you can grant them access via FW rules to specific IPs.

Win Server 2003 supports PPTP and L2TP. SSTP and IKE2 are not supported.
MS-CHAP, MS-CHAPv2, PEAP and a few other authentication protocols are supported.
As far as I can see, this should work.

As for this suggestion, the whole idea behind an RRAS server backed by Windows Active Directory is easier administration. Everybody already has defined access/rights/privileges; they just need to clear VPN verification and that's it. I tried doing as Revelation suggested a couple of years ago, but it involved creating a parallel security organisation. Or maybe I'm not aware of the way to get ROS to use AD-created users/groups for authentication.

Regards
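Revelation's suggestion (terminate the VPN on the router and grant access per user) and a.devecerski's question about reusing AD accounts can both be shown in RouterOS 6.x configuration. The following is an added example, not configuration from either poster or from the thread. Assumed values: the LAN is 192.168.1.0/24 with the Windows server at 192.168.1.3 as in the thread; the VPN pool 10.99.0.0/24, the WAN interface name ether1-gateway, the user names and every password or secret are placeholders.

```routeros
# Added example, not the thread's configuration: L2TP/IPsec terminated on the
# router, a fixed VPN address per user, least-privilege forward rules, and an
# optional hand-off of PPP authentication to a Windows RADIUS server.
# Assumptions: LAN 192.168.1.0/24, Windows server 192.168.1.3, VPN subnet
# 10.99.0.0/24, WAN interface ether1-gateway; names and secrets are placeholders.

/ip pool add name=vpn-pool ranges=10.99.0.100-10.99.0.199
/ppp profile add name=vpn-profile local-address=10.99.0.1 remote-address=vpn-pool use-encryption=required dns-server=192.168.1.3 change-tcp-mss=yes
/interface l2tp-server server set enabled=yes default-profile=vpn-profile authentication=mschap2 use-ipsec=yes ipsec-secret="CHANGE-ME-PSK"

# One secret per user. A static remote-address makes each user's traffic
# identifiable to the firewall, which a random pool address would not.
/ppp secret add name=alice password="CHANGE-ME" service=l2tp profile=vpn-profile remote-address=10.99.0.11
/ppp secret add name=bob password="CHANGE-ME" service=l2tp profile=vpn-profile remote-address=10.99.0.12

/ip firewall filter
# The router itself now receives IKE and NAT-T from the Internet (input chain).
add chain=input in-interface=ether1-gateway protocol=udp dst-port=500,4500 action=accept comment="IPsec to router"
# L2TP is accepted only when it was decrypted from an IPsec SA; unencrypted
# L2TP from the Internet never reaches the L2TP server.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec only"
# Per-user least privilege: alice may reach SMB on the file server, bob only
# RDP. Assumes the usual accept for established,related connections sits above.
add chain=forward src-address=10.99.0.11 dst-address=192.168.1.3 protocol=tcp dst-port=445 action=accept comment="alice -> SMB"
add chain=forward src-address=10.99.0.12 dst-address=192.168.1.3 protocol=tcp dst-port=3389 action=accept comment="bob -> RDP"
# Everything else from the VPN subnet into the LAN is dropped.
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.1.0/24 action=drop comment="VPN default deny"

# Optional: authenticate PPP users against a RADIUS server instead of local
# /ppp secret entries. The address 192.168.1.3 and the shared secret are placeholders.
/radius add service=ppp address=192.168.1.3 secret="CHANGE-ME-RADIUS"
/ppp aaa set use-radius=yes
```

The ipsec-policy=in,ipsec matcher is what ties the L2TP acceptance to IPsec: a packet only matches if the router decrypted it from a security association. The last two lines hand PPP authentication to RADIUS; Windows NPS (IAS on Server 2003) can be that server, applying AD group membership in its network policies, and RouterOS takes the user's VPN address from the Framed-IP-Address attribute when the Access-Accept carries one, so the per-user firewall rules above keep working without maintaining a parallel user list on the router.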
 
a.devecerski
just joined
Posts: 22
Joined: Tue Jan 24, 2006 11:23 pm

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Mon May 08, 2017 2:45 pm

> ...I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry thing, then with the registry key added. Even tried varying the key value, 2 or 1. Nothing...

As pretty much always, careful (re)reading helps :shock:
MSKB mentioned earlier says "...you can enable communication by changing a registry value on the VPN client computer and the VPN server...."
All is well now.

Thanks
