
VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Thu Nov 10, 2016 5:50 am
by benjaminb
Hi Everyone,

I am here because I need your help! I am quite a beginner...
I have set up a routing and remote access role on a Windows Server 2012 R2.
I have then set lots of rules on our MikroTik firewall.
PPTP VPN is working properly but L2TP over IPsec is not at all. I can see some inbound packets on the firewall but the Windows server does not receive anything.
In my case the router has 192.168.1.254 and the W2012R2 server has 192.168.1.3 as its IP.
Here is a copy of the firewall / filter rules:
[screenshot of the firewall filter rules; image not preserved]

And the NAT tab:
[screenshot of the NAT rules; image not preserved]

What am I missing here?
Thank you in advance for your help,

Benjamin

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Mon Nov 14, 2016 5:00 am
by benjaminb
Sorry to bump my topic, but does anyone know why L2TP over IPSEC is not working while PPTP is?

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Mon Nov 14, 2016 1:33 pm
by erlinden
I'm running L2TP on my RB750Gr3, only needed the 3 UDP ports.
Have you tried the L2TP VPN server locally?

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Fri Nov 18, 2016 5:23 am
by benjaminb
Hi Erlinden,

Thank you for replying.
I went on site and did a local test of the L2TP over IPsec VPN. It works properly; clients connect to it and can access network shares, etc.

What are your rules for your firewall?
The router is a 951G-2HnD; I recently updated it to 6.37.1.

Kind regards,

Benjamin

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Fri Nov 18, 2016 12:23 pm
by erlinden
I just had to open ports 500, 1701 and 4500 for UDP; you should add port forwards like those mentioned here:
https://www.nasa-security.net/mikrotik/ ... ith-ipsec/
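As an added example (not erlinden's or anyone else's configuration from this thread), here is how the three UDP port forwards erlinden lists would look as RouterOS commands for the setup in the opening post, with the RRAS server at 192.168.1.3. The WAN interface name ether1-gateway is an assumption (the default on an RB951G-2HnD); the forward-chain accept is placed at the top so the default "drop from WAN" rules do not swallow the forwarded traffic.

```routeros
# Added example, not the thread's own rules. Assumes the WAN port is named
# ether1-gateway and the RRAS server is 192.168.1.3 (from the opening post).

/ip firewall nat
# IKE (phase 1) - always seen by the router
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.1.3 comment="L2TP/IPsec: IKE to RRAS"
# NAT-T - once a NAT is detected, IKE and the ESP payload both move here
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.1.3 comment="L2TP/IPsec: NAT-T to RRAS"
# L2TP - only visible on the wire when IPsec is NOT UDP-encapsulated
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=1701 \
    action=dst-nat to-addresses=192.168.1.3 comment="L2TP/IPsec: L2TP to RRAS"
# Plain ESP - only used when no NAT-T takes place (no NAT on the path)
add chain=dstnat in-interface=ether1-gateway protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.1.3 comment="L2TP/IPsec: ESP to RRAS"

/ip firewall filter
# Allow only the forwarded VPN traffic through to the RRAS host, nothing else.
# place-before=0 puts the rule ahead of the default drop rules in the forward chain.
add chain=forward in-interface=ether1-gateway protocol=udp \
    dst-address=192.168.1.3 dst-port=500,4500,1701 action=accept \
    comment="L2TP/IPsec: forwarded to RRAS" place-before=0
add chain=forward in-interface=ether1-gateway protocol=ipsec-esp \
    dst-address=192.168.1.3 action=accept \
    comment="L2TP/IPsec: ESP forwarded to RRAS" place-before=0
```

Two things to check after applying this: the NAT counters for UDP 500 and 4500 should increase on each connection attempt, and the UDP 1701 counters will normally stay at zero. That is expected rather than a fault: when NAT-T is negotiated, the L2TP packets travel inside the UDP-encapsulated ESP stream on port 4500, so the router never sees a bare 1701 packet from the outside. The 1701 and ESP rules only matter for clients that reach the server without any NAT on the path.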

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Mon Nov 21, 2016 3:13 am
by benjaminb
I solved my connection issue with this Microsoft KB:
How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008 (https://support.microsoft.com/en-us/kb/926179)

So it was working all along; the firewall rules were right. One just has to add a registry key to allow L2TP VPN behind NAT:
AssumeUDPEncapsulationContextOnSendRule value 2

Thank you for your help :)

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Sat May 06, 2017 3:46 pm
by a.devecerski
Hi people

I'm trying to make more or less the same setup described above work, but without success so far.
The only difference is my RRAS server is a Windows 2003 machine.

Like benjaminb's starting situation, PPTP over NAT is functional, no problem. I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry setting, then with the registry key added. I even tried varying the key value, 2 or 1. Nothing.

One odd thing I've noticed: the UDP:1701 counters, both firewall and NAT, are stuck at 0 (like in the initial post's screenshots).
The UDP:500/UDP:4500 counters go up at connection attempts.

Any ideas, maybe?

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Sat May 06, 2017 8:07 pm
by Revelation
> Hi people
>
> I'm trying to make more or less the same setup described above work, but without success so far.
> The only difference is my RRAS server is a Windows 2003 machine.
>
> Like benjaminb's starting situation, PPTP over NAT is functional, no problem. I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry setting, then with the registry key added. I even tried varying the key value, 2 or 1. Nothing.
>
> One odd thing I've noticed: the UDP:1701 counters, both firewall and NAT, are stuck at 0 (like in the initial post's screenshots).
> The UDP:500/UDP:4500 counters go up at connection attempts.
>
> Any ideas, maybe?

You need to double-check that you are running a protocol and security level supported by Win Server 2003.

Ultimately I would encourage you not to have a direct VPN into your server. Ideally a user would VPN into your router and then access the server via its local IP. This allows you to more easily have multiple servers running on your network that outside users may access, and it allows greater granularity of control for access. For example, you can assign a user a specific VPN IP instead of just a random IP from a pool, and you can grant them access via firewall rules to specific IPs.

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Sun May 07, 2017 1:04 pm
by a.devecerski
> You need to double-check that you are running a protocol and security level supported by Win Server 2003.
>
> Ultimately I would encourage you not to have a direct VPN into your server. Ideally a user would VPN into your router and then access the server via its local IP. This allows you to more easily have multiple servers running on your network that outside users may access, and it allows greater granularity of control for access. For example, you can assign a user a specific VPN IP instead of just a random IP from a pool, and you can grant them access via firewall rules to specific IPs.

Win Server 2003 supports PPTP and L2TP. SSTP and IKEv2 are not supported.
MS-CHAP, MS-CHAPv2, PEAP and a few other authentication protocols are supported.
As far as I can see, this should work.

As for this suggestion, the whole idea behind an RRAS server backed by Windows Active Directory is easier administration. Everybody already has defined access/rights/privileges; they just need to clear VPN verification and that's it. I tried doing as Revelation suggested a couple of years ago, but it involved creating a parallel security organisation. Or maybe I'm not aware of a way to get ROS to use AD-created users/groups for authentication.

Regards

Re: VPN L2TP/IPSEC to Win 2012 R2 RRAS

Posted: Mon May 08, 2017 2:45 pm
by a.devecerski
> ...I've added all of the mentioned firewall/NAT rules (including those for the IPsec protocols), then tried first without the registry setting, then with the registry key added. I even tried varying the key value, 2 or 1. Nothing...

As pretty much always, careful (re)reading helps.
The MSKB mentioned earlier says "...you can enable communication by changing a registry value on the VPN client computer and the VPN server...."
All is well now.

Thanks