calvinsteel
just joined
Topic Author
Posts: 2
Joined: Tue Mar 12, 2019 12:51 pm
Location: San Jose, CA, USA

L2TP VPN can not connect on Windows 10

Wed Jul 03, 2019 1:33 pm

I am a new VPN user and I have configured an L2TP server with a shared key on my laptop. I have tried numerous ways, like disabling the firewall, but it can't connect. Can anyone help me?
 
Fesiitis
just joined
Posts: 11
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: L2TP VPN can not connect on Windows 10

Wed Jul 03, 2019 5:12 pm

Does it get stuck on "Connecting to **IP address**"? If yes, then it's not a Mikrotik problem. I have the same issue with L2TP. On 1803 I had this issue if I had GeForce Experience installed on Windows 10. After upgrading to 1809, L2TP does not work even without GeForce Experience. Haven't tried with 1903.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Thu Jul 04, 2019 9:23 am

It is not clear from your post how your network is set up. I assume the L2TP server is behind a router with dst-nat to this server, and you are trying to connect from a Windows client. If so, a Windows registry modification is required on the client computer. Read this (although the article is about Windows Vista, it applies to newer Windows versions):
https://support.microsoft.com/en-us/hel ... in-windows
---
Karlis
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN can not connect on Windows 10

Thu Jul 04, 2019 1:32 pm

All in all, @CalvinSteel, please describe your overall setup at server and client side and what exactly the Windows client complains about, as it's all just guessing.

@karlisi, it is possible to run an L2TP/IPsec server on a Mikrotik behind a NATing device even without tweaking the Windows registry; the price to pay is that the clients then cannot have public IPs directly on themselves. Even that limitation can be circumvented, along with the other limitation of just one client behind each public IP, but the configuration becomes quite complex in that case.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Thu Jul 04, 2019 3:36 pm

it is possible to run an L2TP/IPsec server on a Mikrotik behind a NATing device even without tweaking the Windows registry, the price to pay is that the clients then cannot have public IPs directly on themselves.
How? We have many sites with Windows clients behind src-nat and an L2TP/IPsec server behind dst-nat, never able to connect without the registry patch.
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN can not connect on Windows 10

Thu Jul 04, 2019 4:49 pm

How? We have many sites with Windows clients behind src-nat and an L2TP/IPsec server behind dst-nat, never able to connect without the registry patch.
  1. (optional for clarity) add a bridge interface with no member ports
  2. attach the public IP of the NAT behind which the server Mikrotik lives to an interface on the Mikrotik as a /32 one (normally to the portless bridge one created above, but you can use any interface)
  3. /ip firewall nat
    print chain=dstnat where !dynamic
    add chain=dstnat place-before=0 action=dst-nat protocol=udp dst-port=500,4500 in-interface=your-wan-interface \
    to-addresses=the.public.ip.mentioned.above
  4. enjoy
With this "forth and back dst-nat" setup, the local address of the IPsec responder is the same as the source address from which the packets actually arrive at the initiator, so NAT-T concludes that there is no NAT at the server side. Therefore, if there is no NAT at the initiator side either, the peers conclude they can use ESP, which is an issue if you cannot configure forwarding of ESP to the Mikrotik at the NAT at the Mikrotik end.

If you need to be able to connect several L2TP/IPsec clients from behind the same client-side NAT, read this.
 
calvinsteel
just joined
Topic Author
Posts: 2
Joined: Tue Mar 12, 2019 12:51 pm
Location: San Jose, CA, USA

Re: L2TP VPN can not connect on Windows 10

Thu Jul 04, 2019 5:35 pm

It is not clear from your post how your network is set up. I assume the L2TP server is behind a router with dst-nat to this server, and you are trying to connect from a Windows client. If so, a Windows registry modification is required on the client computer. Read this (although the article is about Windows Vista, it applies to newer Windows versions):
https://support.microsoft.com/en-us/hel ... in-windows
Thank you! I hope it will help me to connect, but I have already read too many guides on L2TP, like
https://www.vpngate.net/en/howto_l2tp.aspx
https://www.expressvpn.com/what-is-vpn/protocols/l2tp
https://www.purevpn.com/what-is-vpn/protocols/l2tp

but still nothing. Now I will read the Microsoft support guide and hope to get a better solution.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 9:05 am

  1. (optional for clarity) add a bridge interface with no member ports
  2. attach the public IP of the NAT behind which the server Mikrotik lives to an interface on the Mikrotik as a /32 one (normally to the portless bridge one created above, but you can use any interface)
  3. /ip firewall nat
    print chain=dstnat where !dynamic
    add chain=dstnat place-before=0 action=dst-nat protocol=udp dst-port=500,4500 in-interface=your-wan-interface \
    to-addresses=the.public.ip.mentioned.above
  4. enjoy
With this "forth and back dst-nat" setup, the local address of the IPsec responder is the same as the source address from which the packets actually arrive at the initiator, so NAT-T concludes that there is no NAT at the server side. Therefore, if there is no NAT at the initiator side either, the peers conclude they can use ESP, which is an issue if you cannot configure forwarding of ESP to the Mikrotik at the NAT at the Mikrotik end.

OK, I need to test this. The main concern is about the same public IP on 2 separate interfaces, WAN and the L2TP fake bridge. Or am I missing something?
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 10:16 am

The main concern is about the same public IP on 2 separate interfaces, WAN and the L2TP fake bridge. Or am I missing something?
I'm not sure I understand your concern. The public /32 IP will exist on the Mikrotik only once, and you can choose whether you attach it to a dedicated interface (the port-less bridge), to the WAN, or to another interface. If your Mikrotik's WAN were connected to the internet directly, you wouldn't need this trick.

The kernel accepts packets for any local IP regardless of the interface they came in through, and the IPsec stack responds from the same address to which the initial request of the IKE session arrived. Connection tracking and the dst-nat rule ensure that the initial request which came in to the private IP of the WAN will be seen by the IPsec stack as coming to the public IP, and that the external NAT box will see the responses of the IPsec stack, sent from the public IP, as coming from the private IP of the Mikrotik's WAN. Only for connections initiated locally is the source address chosen depending on the out-interface chosen by routing or, if set, the pref-src of the route.

So if your NAT box between the Mikrotik and the internet supports ESP forwarding, you need to make sure that if the first ESP packet is eventually sent by the Mikrotik (I don't remember the L2TP initial exchange), it will be sent from the private IP attached to the WAN or src-nated to it, so that the external NAT box sees it coming from its LAN subnet. And you only need to care about this latter point if there is a chance that clients running on public IPs will connect.

As said earlier, if the external NAT box cannot forward ESP, the complex setup for multiple clients behind the same public IP forces a "client-side" NAT into the path and thus eliminates ESP from the scenario even if the client is actually running on a public IP.
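The mechanism behind the "forth and back dst-nat" trick (the procedure posted earlier in this thread and the explanation of why the IPsec stack answers from the public IP) is the NAT-D check of IKEv1 NAT traversal (RFC 3947): each peer sends a hash of the IP/port it believes it sends from, and the receiver compares that with a hash of the source IP/port the packet actually arrived from. The following Python model is an added example, not code from the thread, from RouterOS or from Windows; it assumes SHA-1 as the negotiated hash, and the cookies and all addresses (203.0.113.10, 192.168.88.2, 198.51.100.7, 192.0.2.44, 192.168.1.20) are constructed for the illustration. It shows the three cases discussed: plain dst-nat to a private IP (server seen as behind NAT), the public /32 trick with a public-IP client (no NAT detected anywhere, so plain ESP would be chosen), and the trick with a client behind its own NAT (UDP encapsulation is used anyway).

```python
"""Model of IKEv1 NAT-T detection (RFC 3947 NAT-D payloads).

Added illustration only: not RouterOS or Windows code. Cookies and
addresses below are constructed for the example.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed ISAKMP cookies; in a real exchange each peer picks its own.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is assumed as the negotiated hash. IP is 4 bytes and port 2 bytes,
    both in network byte order.
    """
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


@dataclass(frozen=True)
class Peer:
    name: str
    local_ip: str        # address the peer's IPsec stack believes it sends from
    local_port: int = 500


def sender_behind_nat(sender: Peer, seen_src_ip: str, seen_src_port: int) -> bool:
    """Receiver-side check.

    The sender puts HASH(its own IP/port) in a NAT-D payload; the receiver
    hashes the source IP/port the packet actually arrived from. A mismatch
    means something rewrote the address on the way, i.e. NAT at the sender.
    """
    claimed = nat_d_hash(CKY_I, CKY_R, sender.local_ip, sender.local_port)
    observed = nat_d_hash(CKY_I, CKY_R, seen_src_ip, seen_src_port)
    return claimed != observed


def negotiate(initiator: Peer, initiator_seen_as: Tuple[str, int],
              responder: Peer, responder_seen_as: Tuple[str, int]) -> Dict[str, bool]:
    """Run the NAT-D comparison in both directions and pick the ESP transport.

    RFC 3947 section 4: UDP encapsulation (port 4500) if NAT was detected on
    either side, plain ESP (IP protocol 50) otherwise.
    """
    init_natted = sender_behind_nat(initiator, *initiator_seen_as)
    resp_natted = sender_behind_nat(responder, *responder_seen_as)
    return {
        "initiator_behind_nat": init_natted,
        "responder_behind_nat": resp_natted,
        "udp_encapsulation": init_natted or resp_natted,
    }


# Constructed topology: inner Mikrotik on 192.168.88.2 behind a NAT box whose
# public address is 203.0.113.10; a Windows client directly on 198.51.100.7.
NAT_BOX_PUBLIC = "203.0.113.10"
INNER_PRIVATE = "192.168.88.2"
CLIENT_PUBLIC = "198.51.100.7"


def scenario_plain_dst_nat() -> Dict[str, bool]:
    """Server dst-nat'ed to its private IP: the responder hashes 192.168.88.2 but
    the client sees packets arriving from 203.0.113.10 -> 'server behind NAT'."""
    client = Peer("windows", CLIENT_PUBLIC)
    server = Peer("inner-mikrotik", INNER_PRIVATE)
    return negotiate(client, (CLIENT_PUBLIC, 500), server, (NAT_BOX_PUBLIC, 500))


def scenario_forth_and_back_dst_nat() -> Dict[str, bool]:
    """Public /32 attached to the inner Mikrotik and UDP 500/4500 dst-nat'ed to it:
    the responder now hashes 203.0.113.10, so the client sees no NAT at the server.
    With a public-IP client both sides look un-NATed and plain ESP is chosen."""
    client = Peer("windows", CLIENT_PUBLIC)
    server = Peer("inner-mikrotik", NAT_BOX_PUBLIC)
    return negotiate(client, (CLIENT_PUBLIC, 500), server, (NAT_BOX_PUBLIC, 500))


def scenario_forth_and_back_client_natted() -> Dict[str, bool]:
    """Same server trick, but the client sits behind its own NAT (seen as 192.0.2.44):
    NAT is detected on the client side only, so UDP encapsulation is used anyway."""
    client = Peer("windows", "192.168.1.20")
    server = Peer("inner-mikrotik", NAT_BOX_PUBLIC)
    return negotiate(client, ("192.0.2.44", 500), server, (NAT_BOX_PUBLIC, 500))


if __name__ == "__main__":
    for scenario in (scenario_plain_dst_nat, scenario_forth_and_back_dst_nat,
                     scenario_forth_and_back_client_natted):
        print(f"{scenario.__name__}: {scenario()}")
```

The first scenario is the one the Windows client refuses by default: the value the linked Microsoft article documents, AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, must be set to 1 (server behind NAT) or 2 (both sides behind NAT) before Windows will complete an L2TP/IPsec connection to a responder it has detected as NATed. The second scenario is what the public /32 plus dst-nat achieves, and it also shows the caveat from the post: with nothing NATed on either side the peers pick plain ESP, which the NAT box in front of the Mikrotik has to be able to forward. IKEv2 (RFC 7296) does the same check with SHA-1 over the IKE SPIs instead of the cookies, so the conclusions carry over.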
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 1:32 pm

Ah, I see, I should explain better. The L2TP server is running on another Mikrotik device behind a Mikrotik router.
Windows l2tp client -> remote LAN -> SOHO router -> Internet -> Mikrotik router with dst-nat -> LAN -> Mikrotik l2tp server
In this setup, the VPN can't connect without the Windows registry modification.
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 2:06 pm

All the setup I've described is relevant to the "inner Mikrotik" (the one running the L2TP/IPsec server farther away from the internet uplink) - the "outer Mikrotik" is considered a 3rd party NAT box here.

But as the 3rd party NAT box is actually a Mikrotik, it does support ESP forwarding through NAT, so you can use another dst-nat rule on the outer Mikrotik to forward not only UDP ports 500 and 4500 but also ESP from the WAN to the inner Mikrotik. Of course this means you cannot use IPsec on the outer Mikrotik (or, more precisely, you can with limitations and if you take very specific measures).

As for the "conflict" between the same public IP being up on both Mikrotiks, the inner one doesn't know that the same address is up on the outer one and vice versa, so there is no conflict. The outer Mikrotik dst-nats its own WAN public IP to the private WAN IP of the inner one, and the inner Mikrotik dst-nats it back to the same public IP, but in its local context the word "back" has no relevance.

I assume you have good reasons to take all this burden (registry tweaking or implementing my trick) rather than running the L2TP/IPsec directly on the outer Mikrotik.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 2:44 pm

I assume you have good reasons to take all this burden (registry tweaking or implementing my trick) rather than running the L2TP/IPsec directly on the outer Mikrotik.
I don't want to enable proxy-arp on the LAN interface to access devices on the internal network.
 
sindy
Forum Guru
Posts: 3806
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN can not connect on Windows 10

Fri Jul 05, 2019 3:13 pm

I don't want to enable proxy-arp on the LAN interface to access devices on the internal network.
Well, doing so is only necessary if you assign IP addresses from the LAN subnet to the PPP (L2TP and other) clients, as in that case the clients in the LAN subnet send ARP requests for the PPP clients' IPs rather than using the gateway. So if you use two adjacent subnets which can be covered by a common 1-bit-shorter mask (such as 192.168.0.0/24 and 192.168.1.0/24, which together fit into 192.168.0.0/23), you can use one of them for LAN clients and the other one for PPP clients so that you don't need proxy-arp, but you can still refer to both using common dst-address and src-address matchers in the firewall where you want to give the same treatment to both groups (but hey, we have /ip firewall address-list to group together non-adjacent subnets and ranges).

@calvinsteel, sorry for hijacking the topic, I hope we'll be able to help you with the original issue once you provide more information.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP VPN can not connect on Windows 10

Mon Jul 08, 2019 8:46 am

Thanks, I will test it.

And yes, this should go to a separate topic.
