MikroTik RB2011 with public IP and L2TP server enabled, using IPsec and PSK.
# feb/20/2018 12:56:31 by RouterOS 6.41.2
My clients are connecting from behind NAT to the public IP. On another setup, I use local /ppp secret users and they connect just fine from behind NAT. (Server still public IP).
The only solution I found to let Windows clients connect when using the RADIUS backend is to locate the registry subtree HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, create a new DWORD (32-bit) value in this subtree, and set AssumeUDPEncapsulationContextOnSendRule = 2.
But the macOS clients are still not connecting when using the RADIUS backend; I don't know of a similar solution on Mac to the registry hack.
I have set up RADIUS according to this guide: https://mum.mikrotik.com/presentations/ ... 423579.pdf
Questions:
- Why can I auth without problem with local users on the same L2TP server? How is the connection different with local users?
- Why do I have to change the registry on Windows clients? If the registry hack isn't turned on, the request never makes it to the RADIUS server. (see log)
- Both Windows and Mac clients can natively connect to the L2TP/IPsec server with PSK on MikroTik if /ppp secret local users are used.
/ppp export verbose hide-sensitive
/ppp profile
add address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
!insert-queue-before !interface-list local-address=192.168.1.2 name=l2tp-ipsec-profile on-down="" on-up="" only-one=default !outgoing-filter !parent-queue \
!queue-type !rate-limit remote-address=kontornett-pool !session-timeout use-compression=default use-encryption=yes use-mpls=default use-upnp=default \
!wins-server
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=yes
/interface l2tp-server export verbose hide-sensitive
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=l2tp-ipsec-profile enabled=yes keepalive-timeout=30 \
max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=yes
/radius export verbose hide-sensitive
/radius
add accounting-backup=no accounting-port=1813 address=192.168.1.7 authentication-port=1812 called-id="" disabled=no domain=domainuser.lan realm="" service=ppp \
timeout=300ms
/radius incoming
set accept=no port=3799
Log when a client without the registry hack connects; no log appears on the NPS server. MikroTik never appears to contact NPS.
12:34:09 ipsec,info respond new phase 1 (Identity Protection): 777.777.777.77[500]<=>555.555.555.555[500]
12:34:10 ipsec,info ISAKMP-SA established 777.777.777.77[4500]-555.555.555.555[4500] spi:8b9386975afda9da:02eb53c7978e4acd
12:34:11 l2tp,info first L2TP UDP packet received from 555.555.555.555
12:34:11 l2tp,ppp,error <555.555.555.555>: user client@domainuser authentication failed - radius timeout
12:34:11 ipsec,info purging ISAKMP-SA 777.777.777.77[4500]<=>555.555.555.555[4500] spi=8b9386975afda9da:02eb53c7978e4acd.
12:34:11 ipsec,info ISAKMP-SA deleted 777.777.777.77[4500]-555.555.555.555[4500] spi:8b9386975afda9da:02eb53c7978e4acd rekey:1
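An added triage helper, not part of the post or of RouterOS: it parses the ipsec/l2tp log lines quoted above (copied here as a constructed sample) and reports, per remote peer, whether the ISAKMP SA came up on UDP/4500 (NAT traversal negotiated) and at which stage the attempt stopped, so a "radius timeout" is told apart from an IPsec or PPP failure before looking at the NPS side. The function names and stage labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the RouterOS log lines quoted in the post above
# (the addresses are the poster's placeholders, not real hosts).
SAMPLE_LOG = """\
12:34:09 ipsec,info respond new phase 1 (Identity Protection): 777.777.777.77[500]<=>555.555.555.555[500]
12:34:10 ipsec,info ISAKMP-SA established 777.777.777.77[4500]-555.555.555.555[4500] spi:8b9386975afda9da:02eb53c7978e4acd
12:34:11 l2tp,info first L2TP UDP packet received from 555.555.555.555
12:34:11 l2tp,ppp,error <555.555.555.555>: user client@domainuser authentication failed - radius timeout
12:34:11 ipsec,info purging ISAKMP-SA 777.777.777.77[4500]<=>555.555.555.555[4500] spi=8b9386975afda9da:02eb53c7978e4acd.
12:34:11 ipsec,info ISAKMP-SA deleted 777.777.777.77[4500]-555.555.555.555[4500] spi:8b9386975afda9da:02eb53c7978e4acd rekey:1
"""

# One pattern per event type in the RouterOS ipsec/l2tp log format shown above.
PHASE1_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) ipsec,info respond new phase 1 \([^)]*\): "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<peer>[\d.]+)\[(?P<pport>\d+)\]"
)
SA_UP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) ipsec,info ISAKMP-SA established "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<peer>[\d.]+)\[(?P<pport>\d+)\]"
)
L2TP_START_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) l2tp,info first L2TP UDP packet received from (?P<peer>[\d.]+)"
)
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) l2tp,ppp,error <(?P<peer>[\d.]+)>: user (?P<user>\S+) "
    r"authentication failed - (?P<reason>.+)$"
)
SA_DOWN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) ipsec,info ISAKMP-SA deleted "
    r"(?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\]"
)


def new_record():
    """Empty per-peer state; field names are this example's own."""
    return {"phase1": None, "sa_established": None, "nat_t": False,
            "l2tp_started": None, "auth_user": None, "auth_failure": None,
            "sa_deleted": None}


def triage(log_text):
    """Group RouterOS ipsec/l2tp log lines by remote peer address."""
    peers = defaultdict(new_record)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := PHASE1_RE.match(line):
            peers[m["peer"]]["phase1"] = m["ts"]
        elif m := SA_UP_RE.match(line):
            rec = peers[m["peer"]]
            rec["sa_established"] = m["ts"]
            # Both ends on UDP/4500 means NAT-T (UDP encapsulation) was negotiated.
            rec["nat_t"] = m["lport"] == "4500" and m["pport"] == "4500"
        elif m := L2TP_START_RE.match(line):
            peers[m["peer"]]["l2tp_started"] = m["ts"]
        elif m := AUTH_FAIL_RE.match(line):
            rec = peers[m["peer"]]
            rec["auth_user"] = m["user"]
            rec["auth_failure"] = m["reason"]
        elif m := SA_DOWN_RE.match(line):
            peers[m["peer"]]["sa_deleted"] = m["ts"]
    return dict(peers)


def classify(rec):
    """Name the stage at which the connection attempt stopped."""
    if rec["sa_established"] is None:
        return "ipsec-phase1-failed"
    if rec["l2tp_started"] is None:
        return "ipsec-up-no-l2tp"      # SA up, but no L2TP packet reached the server
    if rec["auth_failure"] is None:
        return "authenticated"
    if rec["auth_failure"] == "radius timeout":
        return "radius-timeout"        # router gave up waiting for the RADIUS server
    return "ppp-auth-rejected"         # any other PPP/RADIUS reject reason


def report(log_text):
    """One summary line per peer, suitable for a quick look at a busy log."""
    out = []
    for peer, rec in sorted(triage(log_text).items()):
        out.append(f"{peer}: nat_t={rec['nat_t']} stage={classify(rec)} user={rec['auth_user']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the quoted log it prints one line for 555.555.555.555 with nat_t=True and stage=radius-timeout: the IPsec and L2TP stages completed, and the failure is the router not hearing back from RADIUS within its configured timeout (300ms in the /radius export above), which matches the post's observation that nothing arrives at NPS.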