dserarols
just joined
Topic Author
Posts: 5
Joined: Thu May 16, 2019 7:09 pm
Location: Spain

Mikrotik VPN server behind ISP router

Thu May 16, 2019 7:19 pm

Hi,

I am trying to configure a VPN server in a Mikrotik router behind an ISP router, that is, the public IP is not on my Mikrotik :-(

I've tried at first with an L2TP IPSec VPN without success. The same configuration works fine if the Mikrotik has the public IP, so I think the problem is in a wrong port forwarding; if I am not wrong, I need UDP 500 and UDP 4500.
I've tried the same with PPTP VPN but it did not work. Forwarded port was 1723 UDP.

I read somewhere that in L2TP IPSec I have to allow (pass-through) ESP protocol, and GRE if I am using PPTP. I can not find these options in my ISP router (HG8245H).

Any clue about this issue?

PS: Using my HG8245H as a simple ONT and a PPPoE client in my Mikrotik is not an option, because these devices must be "plug and play" in the customer premises so there is not IT staff there.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik VPN server behind ISP router

Fri May 17, 2019 5:44 pm

Do you use Windows client? There's a problem with L2TP/IPSec behind NAT. Search for "AssumeUDPEncapsulationContextOnSendRule".

Other option would be different VPN type, SSTP or OpenVPN need only one port and work fine with NAT.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik VPN server behind ISP router

Fri May 17, 2019 5:52 pm

It is a bit more complex than it seems.

First regarding PPTP which is a simpler case (but PPTP is anything but secure so better don't use it). There, TCP/1723 is used to authenticate the client and negotiate the connection, GRE is used as transport for the actual tunnel packets. GRE is a dinosaur protocol which doesn't have the notion of ports, so in a NAT environment, only one device on the private side of the NAT can talk to the same device on the public side of the NAT no matter how clever the NAT device would be. Some NAT devices cannot forward GRE at all, some will open a pinhole if the private side device sends a packet to the public side one but no public->private forwarding is configurable.

With L2TP, the behaviour changes depending on the overall situation. If there is no NAT at all, neither at "server" (responder) nor at "client" (initiator) side, IPsec indeed uses ESP as transport. Like GRE, ESP has no notion of ports, so the same type of limitations applies, except that the NAT device may support ESP forwarding but not GRE forwarding or vice versa. But an ESP packet is only sent when there is a payload packet which needs to be sent, so even if the NAT device supports ESP forwarding, the packet from client will not be let in until the server sends its own packet to the client.

If there is NAT at client or server side (or both), IPsec detects that and starts encapsulating ESP into UDP to allow NAT traversal. However, the embedded VPN client in Windows by default doesn't accept a situation where the NAT exists at server side, so although technically the IPsec would deal with it, the Windows client refuses to establish such connection. One possibility is to change this default behaviour in Windows' registry, but I have no idea whether the howto for Win7 which you can google out is applicable also for newer versions of Windows. Another possibility is to make the Mikrotik think it has the public IP on itself, but in that case ESP will be used if the client has a public address (i.e. no NAT on its end), so the ISP's box may not let it through.

And last, to have several L2TP/IPsec clients behind the same public IP at their end, you need to do some black magic at the server end.
 
dserarols
just joined
Topic Author
Posts: 5
Joined: Thu May 16, 2019 7:09 pm
Location: Spain

Re: Mikrotik VPN server behind ISP router

Wed May 22, 2019 11:47 am

Do you use Windows client? There's a problem with L2TP/IPSec behind NAT. Search for "AssumeUDPEncapsulationContextOnSendRule".

Other option would be different VPN type, SSTP or OpenVPN need only one port and work fine with NAT.
Yes, I use indeed a Windows client, but only for testing purposes. This L2TP/IPSec VPN should be formed by two Mikrotik. I will test it again without the Windows 7 Client.
 
dserarols
just joined
Topic Author
Posts: 5
Joined: Thu May 16, 2019 7:09 pm
Location: Spain

Re: Mikrotik VPN server behind ISP router

Wed May 22, 2019 11:58 am

It is a bit more complex than it seems.

First regarding PPTP which is a simpler case (but PPTP is anything but secure so better don't use it). There, TCP/1723 is used to authenticate the client and negotiate the connection, GRE is used as transport for the actual tunnel packets. GRE is a dinosaur protocol which doesn't have the notion of ports, so in a NAT environment, only one device on the private side of the NAT can talk to the same device on the public side of the NAT no matter how clever the NAT device would be. Some NAT devices cannot forward GRE at all, some will open a pinhole if the private side device sends a packet to the public side one but no public->private forwarding is configurable.

With L2TP, the behaviour changes depending on the overall situation. If there is no NAT at all, neither at "server" (responder) nor at "client" (initiator) side, IPsec indeed uses ESP as transport. Like GRE, ESP has no notion of ports, so the same type of limitations applies, except that the NAT device may support ESP forwarding but not GRE forwarding or vice versa. But an ESP packet is only sent when there is a payload packet which needs to be sent, so even if the NAT device supports ESP forwarding, the packet from client will not be let in until the server sends its own packet to the client.

If there is NAT at client or server side (or both), IPsec detects that and starts encapsulating ESP into UDP to allow NAT traversal. However, the embedded VPN client in Windows by default doesn't accept a situation where the NAT exists at server side, so although technically the IPsec would deal with it, the Windows client refuses to establish such connection. One possibility is to change this default behaviour in Windows' registry, but I have no idea whether the howto for Win7 which you can google out is applicable also for newer versions of Windows. Another possibility is to make the Mikrotik think it has the public IP on itself, but in that case ESP will be used if the client has a public address (i.e. no NAT on its end), so the ISP's box may not let it through.

And last, to have several L2TP/IPsec clients behind the same public IP at their end, you need to do some black magic at the server end.
Thank you very much.

My idea is to configure this VPN behind a router with just one server on one side and just one client on the other side. So I think the problem could be on my ISP router, which is not forwarding GRE or ESP protocols :-(
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik VPN server behind ISP router

Wed May 22, 2019 1:43 pm

If both the server and the client will be Mikrotiks, it should be enough to do port forwarding for UDP port 4500 from the public address to Mikrotik's address at responder side for IKEv2 (which I prefer myself), and UDP ports 500 and 4500 for IKE(v1); in the latter case don't forget to also set nat-traversal=yes in /ip ipsec profile. Do not set the public address on the Mikrotik itself.

This way the IPsec stack will notice the NAT and will encapsulate ESP into UDP, which costs some MTU but circumvents the blocked ESP.

IPsec doesn't notify the network about MTU reduction and silently fragments the packets, which adds unnecessary overhead. So it is better to find out what the actual payload maximum size is with the particular encryption and authentication algorithms used and set the TCP MSS accordingly using mangle rules. But you don't need to do this right from the start, first make the tunnel work.

And forget about PPTP of course, there is no way to make PPTP use UDP instead of GRE.
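
As an added example (not configuration posted in this thread), here is what sindy's advice looks like as RouterOS commands for the OP's two-Mikrotik L2TP/IPsec case: the responder 'Tik keeps its private WAN address, the ISP router forwards UDP 500 and 4500 to it, IKE(v1) runs with nat-traversal=yes so ESP is carried in UDP, and an MSS clamp limits the fragmentation that the UDP encapsulation otherwise causes. The interface name ether1, the tunnel addresses 10.99.0.1/10.99.0.2, the site name site-b, the public address 203.0.113.10 and the MSS value 1360 are all assumptions; the assumption that the dynamic IPsec peer created by L2TP uses the profile named default should be checked with /ip ipsec peer print.

```routeros
# --- Responder ('Tik behind the ISP router; UDP 500 + 4500 are forwarded to it) ---

# 1. IKE(v1) must wrap ESP in UDP because the ISP box does not pass ESP.
#    L2TP creates its IPsec peer dynamically; assumed here: that peer uses
#    the profile named "default" (verify with "/ip ipsec peer print").
/ip ipsec profile
set [ find default=yes ] nat-traversal=yes enc-algorithm=aes-256 \
    hash-algorithm=sha256 dh-group=modp2048

# 2. L2TP server with IPsec mandatory, so L2TP (UDP 1701) is never accepted
#    in the clear. Secrets below are placeholders.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    default-profile=default-encryption

/ppp secret
add name=site-b password="REPLACE-WITH-STRONG-PASSWORD" service=l2tp \
    local-address=10.99.0.1 remote-address=10.99.0.2

# 3. Input chain: only the forwarded IKE/NAT-T ports, and L2TP strictly
#    inside IPsec. These rules must sit above the usual drop-all input rule.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE + NAT-T (forwarded by the ISP router)"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only when it arrived through IPsec"
add chain=input protocol=udp dst-port=1701 action=drop \
    comment="plain-text L2TP is never allowed"

# 4. MSS clamp for the UDP-encapsulated tunnel (sindy's fragmentation point).
#    1360 is a placeholder: measure the real payload maximum first.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=all-ppp \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS towards the L2TP/IPsec tunnel"
add chain=forward protocol=tcp tcp-flags=syn in-interface=all-ppp \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS coming from the tunnel"

# --- Initiator ('Tik at the other site; no port forwarding needed there) ---
/ip ipsec profile
set [ find default=yes ] nat-traversal=yes enc-algorithm=aes-256 \
    hash-algorithm=sha256 dh-group=modp2048

# connect-to is the ISP router's public address (placeholder 203.0.113.10),
# not the responder's private WAN address.
/interface l2tp-client
add name=l2tp-to-site-a connect-to=203.0.113.10 user=site-b \
    password="REPLACE-WITH-STRONG-PASSWORD" use-ipsec=yes \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" add-default-route=no disabled=no
```

Once the tunnel is up, /ip ipsec active-peers print on either side shows the negotiated peer and /interface l2tp-server print (or /interface l2tp-client print) shows the PPP link; to find the MSS to clamp to, ping across the tunnel with /ping 10.99.0.2 do-not-fragment size=... and step the size down until the replies come back, then set new-mss to that size minus the 40 bytes of IPv4 and TCP headers.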

 
dserarols
just joined
Topic Author
Posts: 5
Joined: Thu May 16, 2019 7:09 pm
Location: Spain

Re: Mikrotik VPN server behind ISP router

Tue May 28, 2019 6:19 pm

Thank you very much. It worked!

If both the server and the client will be Mikrotiks, it should be enough to do port forwarding for UDP port 4500 from the public address to Mikrotik's address at responder side for IKEv2 (which I prefer myself), and UDP ports 500 and 4500 for IKE(v1); in the latter case don't forget to also set nat-traversal=yes in /ip ipsec profile. Do not set the public address on the Mikrotik itself.

This way the IPsec stack will notice the NAT and will encapsulate ESP into UDP, which costs some MTU but circumvents the blocked ESP.

IPsec doesn't notify the network about MTU reduction and silently fragments the packets, which adds unnecessary overhead. So it is better to find out what the actual payload maximum size is with the particular encryption and authentication algorithms used and set the TCP MSS accordingly using mangle rules. But you don't need to do this right from the start, first make the tunnel work.

And forget about PPTP of course, there is no way to make PPTP use UDP instead of GRE.

 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik VPN server behind ISP router

Tue Aug 11, 2020 6:48 pm

am having the very same challenge - have two Mikrotik Routers .... our internet connection on the server side is behind the ISP's CGN. Kindly assist - can't seem to understand "it should be enough to do port forwarding for UDP port 4500 from the public address to Mikrotik's address at responder side for IKEv2"
You do not have the same challenge. The OP deals with an ISP-provided router in their own premises, which has a public IP from the operator and on which they can configure port-forwarding or 1:1 inbound dst-nat (DMZ). Your case is different - the device in your premises gets a CGNAT IP from the ISP, there is no real public IP somewhere in the ISP's network which would be 1:1 dst-nat'ed to the CGNAT one (or at least it would be very unusual, there would be little advantage in doing it this complex as compared to assigning the public IP directly to the router in your premises). So you cannot set up any forwarding from a static public IP to your 'Tik on your own. Depending on ISP size, they may be open to forwarding a UDP port from one of their public IPs to your CGNAT IP, so this would be the first thing to try.

If they refuse to do that because they are large and such a setup doesn't fit into their service offering, and if the client 'Tik is also not on a public IP (or behind a router with a public IP on its WAN which you can manage yourself), there are two possibilities:
  • use some other device on a public IP, like a CHR in a datacenter, and let both the Mikrotiks act as initiators towards it. The drawback is that the traffic between the two initiators is available in plaintext on that device, so if your paranoia is advanced enough, you may prefer to set up these connections with null encryption and use them as a tunnel for an inner VPN connection which will be encrypted, so you'll end up with a tunnel in tunnel setup.
  • use the cloud DNS service of Mikrotik, or any other dns service which supports update by the public IP of the NAT, and configure both peers with passive=no and with address set to the domain name of the remote 'Tik; this way, both will initiate UDP connections from port 4500 to port 4500, and if you are lucky (which is not guaranteed, though!), both NATs will keep the source port unchanged, so each NAT will treat the initial packet from the remote 'Tik as a response to the initial packet from its local 'Tik.
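
The first of those two options, as an added RouterOS example (not configuration from this thread): a hub on a public IP, for instance a CHR, acting as IKEv2 responder, with both sites initiating towards it so neither site needs any inbound forwarding or cooperation from its ISP. The hub DNS name hub.example.net, the site LANs 10.10.0.0/24 and 10.20.0.0/24, the hub WAN port ether1 and the shared secret are assumptions. The inter-site traffic is decrypted and re-encrypted on the hub, which is exactly the plaintext exposure sindy describes.

```routeros
# ================= Hub (responder on a public IP, e.g. a CHR) =================
/ip ipsec profile
add name=ike2-spokes enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal
add name=ike2-spokes enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048

# Template policy: the hub only accepts traffic selectors inside 10.0.0.0/8
# from its initiators; anything else proposed by a spoke is refused.
/ip ipsec policy group
add name=spokes
/ip ipsec policy
add template=yes group=spokes src-address=10.0.0.0/8 dst-address=10.0.0.0/8 \
    proposal=ike2-spokes

# Passive peer with no address restriction: spokes come from CGNAT/NAT
# addresses that are unknown in advance and may change.
/ip ipsec peer
add name=spokes passive=yes exchange-mode=ike2 profile=ike2-spokes
/ip ipsec identity
add peer=spokes auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    generate-policy=port-strict policy-template-group=spokes

/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKEv2 + NAT-T from the spokes"
add chain=forward ipsec-policy=in,ipsec action=accept comment="site A <-> site B"
add chain=forward ipsec-policy=out,ipsec action=accept
# Inter-site traffic must not be masqueraded on the hub: keep this rule
# above any masquerade rule in srcnat.
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept

# ===== Site A (initiator, behind CGNAT); site B is the mirror image with =====
# ===== src-address=10.20.0.0/24 and dst-address=10.10.0.0/24            =====
/ip ipsec profile
add name=ike2-hub enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal
add name=ike2-hub enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048
# The peer address may be a DNS name, so the hub can move without
# reconfiguring every site.
/ip ipsec peer
add name=hub address=hub.example.net exchange-mode=ike2 profile=ike2-hub
/ip ipsec identity
add peer=hub auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec policy
add peer=hub tunnel=yes src-address=10.10.0.0/24 dst-address=10.20.0.0/24 \
    proposal=ike2-hub
# Same rule as on the hub: never source-NAT traffic that is going into the tunnel.
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept
```

On the hub, /ip ipsec policy print after both sites connect shows one dynamic policy per site generated from the template, and /ip ipsec active-peers print lists both spokes with their NAT'ed source addresses. Because a single pre-shared key is shared by every spoke, any site can impersonate any other towards the hub; for more than a couple of sites, certificate authentication (auth-method=digital-signature) is the stronger choice.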
 
oxigeno20
Member Candidate
Posts: 110
Joined: Tue May 23, 2006 5:29 pm
Location: Argentina

Re: Mikrotik VPN server behind ISP router

Tue Aug 11, 2020 9:41 pm

A few weeks ago I deployed a similar scenario, in my case the VPN server was on my router. And the forwarding of the VPN was made on the router before (the border router)

The problem with that is that all users will connect with the same origin address (the internal IP address of the border router). But to face it you could try to disable "One session per host" in the VPN server settings.

Remember that in the second router you need to have a masquerade rule for the VPN range addresses.

If you want to see the whole setup rules go ahead:
http://www.tech-nico.com/blog/port-forw ... -mikrotik/
 
venboi
just joined
Posts: 2
Joined: Fri Apr 30, 2021 9:24 am

Re: Mikrotik VPN server behind ISP router

Tue May 11, 2021 6:14 am

Hi,

I am trying to configure a VPN server in a Mikrotik router behind an ISP router, that is, the public IP is not on my Mikrotik :-(

I've tried at first with an L2TP IPSec VPN without success. The same configuration works fine if the Mikrotik has the public IP, so I think the problem is in a wrong port forwarding; if I am not wrong, I need UDP 500 and UDP 4500.
I've tried the same with PPTP VPN but it did not work. Forwarded port was 1723 UDP.

I read somewhere that in L2TP IPSec I have to allow (pass-through) ESP protocol, and GRE if I am using PPTP. I can not find these options in my ISP router (HG8245H).

Any clue about this issue?

PS: Using my HG8245H as a simple ONT and a PPPoE client in my Mikrotik is not an option, because these devices must be "plug and play" in the customer premises so there is not IT staff there.
Just ask your ISP to bridge your connection. And it can solve your problem.
 
dserarols
just joined
Topic Author
Posts: 5
Joined: Thu May 16, 2019 7:09 pm
Location: Spain

Re: Mikrotik VPN server behind ISP router

Tue May 11, 2021 11:46 am

Thanks, but the idea was deploying several Mikrotiks and installing them behind a DHCP router (and several ISPs). There was no local tech support and this deployment needed to be simple and standard.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik VPN server behind ISP router

Tue May 11, 2021 12:00 pm

As mentioned above, it is quite doable to make a VPN from a customer router that is behind all kinds of NAT, but it is not really easy to do the same thing with the "central server".
So either get a more professional connection for just that server (where you can have your external IP on the MikroTik router, i.e. no CGNAT and no ISP router), or get a VPS in a datacenter where you can deploy CHR and use it as the central router. Of course make sure you can have a public static IP on the VPS.
