mimicaty
just joined
Topic Author
Posts: 5
Joined: Sat Jul 16, 2016 12:52 pm

Mikrotik L2TP/IPSEC server nat behind Ubuntu

Sat Jul 16, 2016 1:07 pm

Friends:

I'm facing a problem with MikroTik L2TP/IPsec VPN. I have a two-interface Ubuntu 14.04 server whose WAN interface eth0 has a public IP 103.88.x.x and whose LAN interface eth1 has the private IP 192.168.0.1/24 and connects to an RB750r2 with IP 192.168.0.2/24. Now I want to configure an L2TP/IPsec server on the RB750r2.

So I add iptables NAT for the RB750 on Ubuntu:
# DNAT (port forwarding) goes in the nat table's PREROUTING chain, matched on the inbound interface
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination 192.168.0.2
# Source NAT for traffic leaving via eth0 goes in POSTROUTING, matched on the outbound interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Then my remote Windows 8 client, which is behind NAT, uses the Windows L2TP/IPsec client to connect to IP 103.88.x.x and gets error 809. I used Wireshark to analyze the packets and found that IPsec phase I and phase II are normal, but it times out after the Win8 client sends ISAKMP informational. I guess the problem is the Ubuntu configuration; can anybody tell me what I can do? Thanks!
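The Ubuntu side of the setup described above, as an added example (not the poster's rules): DNAT for the three UDP ports in PREROUTING, MASQUERADE in POSTROUTING, and matching FORWARD rules so the forwarded traffic and its replies pass a default-DROP FORWARD chain. Interface names and 192.168.0.2 come from the post; the DROP policy on FORWARD and the WAN_IF/LAN_IF/VPN_HOST/IPT variables are assumptions.

```shell
#!/bin/sh
# Ubuntu-side NAT for a MikroTik L2TP/IPsec server on the LAN (added example).
# Assumes the thread's layout: eth0 = WAN, eth1 = LAN, RB750 at 192.168.0.2.
# Run with "apply" to install; otherwise it only prints the rules (dry run).
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
VPN_HOST="${VPN_HOST:-192.168.0.2}"
IPT="${IPT:-iptables}"

# ISAKMP, NAT-T and L2TP. ESP (IP protocol 50) is not forwarded: a client
# behind NAT negotiates NAT-T, so ESP travels inside UDP 4500.
VPN_UDP_PORTS="500 4500 1701"

# One iptables argument list per line. DNAT lives in the nat table's
# PREROUTING chain (inbound interface), source NAT in POSTROUTING
# (outbound interface).
nat_rules() {
    for port in $VPN_UDP_PORTS; do
        echo "-t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -j DNAT --to-destination $VPN_HOST"
    done
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# With a default-DROP FORWARD chain, only the forwarded VPN ports and the
# router's reply traffic are let through. DNAT has already rewritten the
# destination when FORWARD is evaluated, so match on the LAN address.
forward_rules() {
    for port in $VPN_UDP_PORTS; do
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $VPN_HOST --dport $port -j ACCEPT"
    done
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $VPN_HOST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    { nat_rules; forward_rules; } | while read -r args; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $args
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    { nat_rules; forward_rules; } | sed "s/^/$IPT /"
fi
```

Setting IPT=echo before running with "apply" shows exactly which commands would be executed without touching the firewall.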
 
pe1chl
Forum Guru
Posts: 5930
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik L2TP/IPSEC server nat behind Ubuntu

Sat Jul 16, 2016 5:42 pm

Don't try that! L2TP/IPsec server behind NAT is asking for problems.
If you want to persist, I would not use the "automatic" config of IPsec in the MikroTik, as it makes a "port strict" rule. Look at the IPsec rules that have been auto-created, remove the IPsec secret from your L2TP server and add similar rules yourself to IPsec so you can experiment. Especially with the IPsec Peer definition, try options like generate-policy=port-override
 
ik3umt
Member Candidate
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: Mikrotik L2TP/IPSEC server nat behind Ubuntu

Sun Jul 17, 2016 3:12 am

Take a look at 

http://forum.mikrotik.com/viewtopic.php?f=2&t=72198
http://forum.mikrotik.com/viewtopic.php?f=2&t=105910

MikroTik L2TP/IPsec server behind NAT (MikroTik WAN interface without a public IP address) doesn't work or, at least, nobody has suggested to me how to make it work.
There is a mismatch in public/private address when the dynamic IPsec policy is created.
It works if a static IPsec policy is created, but this requires the L2TP client address to ALWAYS be the same.
 
 
mimicaty
just joined
Topic Author
Posts: 5
Joined: Sat Jul 16, 2016 12:52 pm

Re: Mikrotik L2TP/IPSEC server nat behind Ubuntu

Sun Jul 17, 2016 4:42 pm

Thank you, I have given up on this solution.
