menelaos
just joined
Topic Author
Posts: 2
Joined: Wed Dec 25, 2019 12:05 pm

creating l2tp server

Wed Dec 25, 2019 12:18 pm

I've been trying to create an L2TP over IPsec server for days and I'm stuck, not knowing what to do.
The log file is: https://pastebin.com/fnH3DWcv
Can you make something out of it?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: creating l2tp server

Sun Dec 29, 2019 8:05 pm

You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: creating l2tp server

Mon Dec 30, 2019 3:15 pm

Zacharias wrote:
You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
+1
 
menelaos
just joined
Topic Author
Posts: 2
Joined: Wed Dec 25, 2019 12:05 pm

Re: creating l2tp server

Thu Jan 02, 2020 10:41 am

Zacharias wrote:
You just pasted 1000 lines of log file? Who is going to read that?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...

# jan/02/2020 10:38:53 by RouterOS 6.45.7
# software id = X0SX-GX9H
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED08CC18B8
/interface l2tp-server
add name=l2tp-in1 user=arty
/interface l2tp-server server
set default-profile=profile1 enabled=yes use-ipsec=yes


This is the export of the l2tp server config
Thank you for taking the time to help me.
 
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Thu Jan 02, 2020 4:49 pm

Hi!

I've just finished setting up my L2TP/IPsec server on my RB3011 (6.46.1) and I have to say it was a pain... most tutorials are incomplete or obsolete with respect to the newest ROS versions. Not only that, the router froze a lot during IPsec parameter changes and needed a hard reboot. Now it's stable and working well. I wanted to do the config in WebFig and not CLI. I did so many changes to the config, most of them blind shots, so I may not remember everything, but here are the basic steps:

1) Create a pool of IPs from which the server will give IPs to the clients. I created the pool 192.168.1.2-192.168.1.10. The IP 192.168.1.1 I manually assigned to the router, but that is optional.
/ip pool
add name=Remote-users-pool ranges=192.168.1.2-192.168.1.10

2) Under the PPP menu you have to:
a) Create a PPP profile where you give the name, router IP (local address) and IPs for clients from the pool above
/ppp profile
add change-tcp-mss=yes local-address=192.168.1.1 name=L2TP-Profile remote-address=Remote-users-pool use-encryption=yes use-ipv6=no use-upnp=yes

b) Create at least 1 user that will be allowed to connect. This is under "Secrets".
/ppp secret
add name=remote profile=L2TP-Profile service=l2tp
Make a note of the user/password, you will need it on the client.

c) OPTIONAL - you can have increased security if you add a password specific for L2TP under "L2TP Secrets" -> make a note of it, you will need it on the client if you configure it.

d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore, set "Use IPsec" to yes and make a note of the IPsec secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes

e) OPTIONAL
Under PPP -> Interface you can add a new "L2TP server binding" where you choose a name and put in the user you created above. This step is optional because ROS will create the interface automatically, but if you create it yourself you can name it and use it in the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
NOTE: This is one of the things that really annoys me: this interface is named differently between CLI and WebFig. In WebFig it is under PPP -> Interface -> L2TP Server Binding, but in CLI it is under /interface l2tp-server. Yes, it can be configured directly under Interface, but in CLI there is no "binding" in the name.

3) IPSEC
Once you enable the L2TP/IPsec server above, some config gets auto-deployed under IP -> IPsec. Some people say it works directly, but for me it needed a lot of tweaking and it really took me 2 days to get it to work. Under IP -> IPsec you should have:
a) under Profiles a default profile, which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile

b) under Identities - something deployed automatically by ROS which points to an IPsec peer named "l2tp-in-server" - cannot be modified

c) under Peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified

d) under Groups - a default group which I renamed L2TP

e) under Proposals - you have the default, but I selected only the protocols I wanted (sha1 for Auth and all aes-xxx-cbc for Encr). PFS group2 (modp1024)

f) under Policies - a default policy which I modified to
- use template
- link to group L2TP
- link to the default proposal
- ipsec protocol - esp
- action encrypt

I really tried to create another set of items and not use the defaults, but it simply did not work, most errors being related to IPsec phase 2. But with the options above it works.

4) Put these security rules somewhere before your DROP rule.

/ip firewall filter
# for IPsec/L2TP establishment; my WAN is PPPoE, replace yours as needed
add action=accept chain=input comment="L2TP/IPSEC Server" in-interface=PPPoE protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=4500 in-interface=PPPoE protocol=udp
add action=accept chain=input dst-port=1701 in-interface=PPPoE protocol=udp

# for flows between your inside network (mine is 192.168.0.0/24, on bridge) and the L2TP interface (I put 192.168.1.0/24 for ease) - modify as needed
add action=accept chain=forward comment=L2TP dst-address=192.168.0.0/24 in-interface=L2TP-IF out-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 in-interface=bridge out-interface=L2TP-IF src-address=192.168.0.0/24

After this I could connect with my Android 9 terminal and access the local network. On the client you need:
- Router external IP
- L2TP user and pass
- L2TP password (optional, if you configure it on the server)
- IPsec preshared key

Hope this helps!
 
nickb333
just joined
Posts: 19
Joined: Sat Jul 25, 2015 1:45 pm
Location: UK

Re: creating l2tp server

Thu Jan 02, 2020 8:32 pm

I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
 
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Fri Jan 03, 2020 12:24 am

nickb333 wrote:
I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
Actually it's related to how ROS processes the packets. You do need the 1701 L2TP rule, and I do get hits on it whenever I use the L2TP/IPsec tunnel from my Android.
It's even in the MikroTik wiki.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
 
nickb333
just joined
Posts: 19
Joined: Sat Jul 25, 2015 1:45 pm
Location: UK

Re: creating l2tp server

Fri Jan 03, 2020 1:39 am

techlord wrote:
nickb333 wrote:
I have seen cases where the L2TP connections come up without IPSEC encryption so I would suggest adding a firewall rule to block this.
/ip firewall filter add action=reject chain=input comment="Reject L2TP with no IPSEC" dst-port=1701 \
    in-interface=PPPoE ipsec-policy=in,none protocol=udp reject-with=\
    icmp-admin-prohibited
As the L2TP connection is encapsulated in IPSEC you shouldn't need a rule on your external interface allowing connections to 1701/UDP.
Actually it's related to how ROS processes the packets. You do need the 1701 L2TP rule, and I do get hits on it whenever I use the L2TP/IPsec tunnel from my Android.
It's even in the MikroTik wiki.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
My bad, it appears the input chain also processes packets after they are decapsulated from IPsec. So for my application I've modified the accept 1701/udp rule so it only passes the packet if it arrives via IPsec.
add action=accept chain=input dst-port=1701 in-interface=ether2 ipsec-policy=\
    in,ipsec log=yes protocol=udp src-port=""
But I'll leave my original rule as any l2tp that arrives unencrypted gets an icmp-admin-prohibited reply. I've seen this happen in practice when using l2tp/ipsec from a Mikrotik client.

Thanks for an interesting discussion.
 
noythetop
just joined
Posts: 2
Joined: Sat Dec 28, 2019 12:50 pm

Re: creating l2tp server

Fri Jan 03, 2020 1:07 pm

techlord wrote:
[techlord's full post above, quoted in its entirety]
This was extremely helpful. Thanks for going out of your way to make such a long and detailed post.
 
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: creating l2tp server

Fri Jan 03, 2020 8:09 pm

Glad it helps. I actually think this forum needs a good [TUTORIAL] section with configuration examples for most features. The Wiki is a little... bland? There are countless threads with requests for help configuring stuff, and you have to read for hours and pick what you need...
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: creating l2tp server

Sun Jan 12, 2020 5:07 am

I asked about a forum just for VPNs way back; like you said, this info is scattered around. I've found some good videos and some that seem like they are an excuse to put someone's personal music playlist on.
 
gidgrey
just joined
Posts: 2
Joined: Wed Jan 08, 2020 10:20 pm

Re: creating l2tp server

Mon Jan 13, 2020 8:21 am

Here is a step by step video for L2TP vpn https://www.youtube.com/watch?v=v2K0qOb_SLU
 
tikcc
just joined
Posts: 4
Joined: Tue Dec 01, 2020 11:47 pm

Re: creating l2tp server

Sat Jul 31, 2021 12:43 am

Hi all, I have been playing a bit with the L2TP server on my home router and got the VPN tunnel working. The only thing that slightly bothers me is that I'm not getting any hits on this firewall rule when clients connect:
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Am I missing something? Is that rule even needed (and if so, in which situations)?

(if it makes any difference - the connecting clients have been iOS/macOS devices with their built-in VPN client)
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: creating l2tp server

Tue Aug 03, 2021 9:57 am

tikcc wrote:
Hi all, I have been playing a bit with the L2TP server on my home router and got the VPN tunnel working. The only thing that slightly bothers me is that I'm not getting any hits on this firewall rule when clients connect:
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Am I missing something? Is that rule even needed (and if so, in which situations)?

(if it makes any difference - the connecting clients have been iOS/macOS devices with their built-in VPN client)
Hello,

If you want to force IPsec then you need to set use-ipsec=required instead of use-ipsec=yes.

For example:
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=jnasegfASDFgvsadfrg54 use-ipsec=required
If you are using a Windows 10 client, then you need to change the adapter settings for the connection, then do this:

* On the VPN settings page, click Change adapter options.
* Click your VPN to select it.
* Click Change settings of this connection.
* The Properties for this VPN appear.
* Click the Security tab.
* From the Data encryption drop-down list, select Require encryption (disconnect if server declines).

If you want to secure your connection even further, you should change your default IPsec settings, something like this:
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment="For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
Please note these:

* the L2TP server uses the default IPsec profile/proposal. It may also be used by other services on your router, so be careful when changing the default settings.
* the L2TP client of Windows 10 is a bit silly/outdated and does not support the most secure algorithms. The settings given above are the most secure that work with Windows 10 (IMHO). You may find that they won't work with other clients.
* many other operating systems support much more secure algorithms
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: creating l2tp server

Tue Aug 03, 2021 10:26 am

techlord wrote:
d) Under PPP -> Interface -> L2TP Server -> Enable and select the profile you created above. Furthermore, set "Use IPsec" to yes and make a note of the IPsec secret you put there.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-Profile enabled=yes use-ipsec=yes
You can set allow-fast-path here; the cost is that you won't be able to apply special firewall rules to these packets. It is possible that your WAN connection is so slow that using fast path has no real benefit. Sometimes it is better not to use fast path.
techlord wrote:
e) OPTIONAL
Under PPP -> Interface you can add a new "L2TP server binding" where you choose a name and put in the user you created above. This step is optional because ROS will create the interface automatically, but if you create it yourself you can name it and use it in the firewall policies.
/interface l2tp-server
add name=L2TP-IF user=remote
This is something that I did not know. Nice! :-) If you want, you can also use fixed remote IP addresses instead of using a pool.
/ppp secret
add name=user1 password=password1 profile=ipsec_vpn_maybe_your_default remote-address=192.168.5.121 service=l2tp
It gives another way to construct per-user firewall rules (e.g. filter by fixed remote IP instead of interface name).
techlord wrote:
3) IPSEC
Once you enable the L2TP/IPsec server above, some config gets auto-deployed under IP -> IPsec. Some people say it works directly, but for me it needed a lot of tweaking and it really took me 2 days to get it to work. Under IP -> IPsec you should have:
a) under Profiles a default profile, which I modified to use some of the protocols I wanted
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=test-profile
The L2TP server in RouterOS can use the default IPsec configuration. It is "all or nothing": either you use the default IPsec settings and let the L2TP server generate policies for you, or alternatively you create your IPsec tunnel over L2TP manually. The former is easier to set up, but not so flexible. The latter is more flexible (for example, you can create different profiles/algorithms for different peers), but it is more difficult and time-consuming to set up.

If you decide to use the default IPsec profile and proposal, then you need to configure it in a way such that every L2TP client will be able to use it. There is a tradeoff: some clients cannot use the most secure algorithms supported by ROS. So before you configure your default IPsec proposal/profile, you need to know what kind of clients will be connecting and their supported algorithms. There is a list of supported algorithms here:

* https://wiki.mikrotik.com/wiki/Manual:I ... figuration
* https://wiki.mikrotik.com/wiki/Manual:I ... figuration
* https://wiki.mikrotik.com/wiki/Manual:I ... figuration
* https://wiki.mikrotik.com/wiki/Manual:I ... figuration
* https://wiki.mikrotik.com/wiki/Manual:I ... figuration

For example, Windows 10 does not support any hash algorithm except SHA1 in phase 2. That means that if you don't allow SHA1 for phase 2, Windows 10 clients won't be able to connect.
techlord wrote:
c) under Peers - an automatically deployed peer named "l2tp-in-server" which should be linked to the default profile (which I renamed test-profile) - cannot be modified
d) under Groups - a default group which I renamed L2TP
e) under Proposals - you have the default, but I selected only the protocols I wanted (sha1 for Auth and all aes-xxx-cbc for Encr). PFS group2 (modp1024)
Yes, the L2TP server is generating/using the default settings and you can't change that. If you really need to fine-tune IPsec settings, then you need to disable IPsec on the L2TP server and set up IPsec (policies, peers, identities, profile and proposal) manually.
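Pulling the thread's pieces together (techlord's steps 1-4, nickb333's ipsec-policy matcher and reject rule, and nagylzs's use-ipsec=required, modp2048/AES-256 defaults and fixed per-user address), here is an added, consolidated RouterOS script. It is not an export from any poster's router; the WAN interface name ether1, the LAN bridge name bridge, the CHANGE-ME secrets and the fixed address 192.168.1.121 are assumptions, and the LAN subnet 192.168.0.0/24 and pool 192.168.1.2-192.168.1.10 are taken from techlord's post.

```routeros
# Added example assembled from this thread; not an export from any poster's router.
# Assumed names: WAN interface "ether1", LAN bridge "bridge". Replace every CHANGE-ME.

# 1) address pool handed to VPN clients
/ip pool
add name=Remote-users-pool ranges=192.168.1.2-192.168.1.10

# 2) PPP profile: router end 192.168.1.1, clients from the pool, PPP encryption mandatory
/ppp profile
add name=L2TP-Profile local-address=192.168.1.1 remote-address=Remote-users-pool \
    change-tcp-mss=yes use-encryption=required use-ipv6=no

# users: "remote" gets an address from the pool; "user1" always gets 192.168.1.121
# (assumed value) so firewall rules can match this user by src-address
/ppp secret
add name=remote password=CHANGE-ME-remote-password profile=L2TP-Profile service=l2tp
add name=user1 password=CHANGE-ME-user1-password profile=L2TP-Profile service=l2tp \
    remote-address=192.168.1.121

# optional static binding so the interface has a stable name for firewall rules
/interface l2tp-server
add name=L2TP-IF user=remote

# 3) the L2TP server only uses the default IPsec profile/proposal, and these defaults
#    are shared with every other IPsec peer on the router that relies on them
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# L2TP server with IPsec mandatory rather than merely offered
/interface l2tp-server server
set enabled=yes default-profile=L2TP-Profile authentication=mschap2 \
    use-ipsec=required ipsec-secret=CHANGE-ME-preshared-key

# 4) input rules; place them above the chain's final drop rule
/ip firewall filter
add chain=input action=accept comment="IKE and NAT-T" in-interface=ether1 \
    protocol=udp dst-port=500,4500
add chain=input action=accept comment="ESP when the peer is not behind NAT" \
    in-interface=ether1 protocol=ipsec-esp
# L2TP is seen by the input chain again after IPsec decapsulation; accept it only then
add chain=input action=accept comment="L2TP arriving inside IPsec" \
    in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec
# anything on 1701 that did NOT come through IPsec is cleartext L2TP: reject it
add chain=input action=reject comment="Reject cleartext L2TP" in-interface=ether1 \
    protocol=udp dst-port=1701 ipsec-policy=in,none reject-with=icmp-admin-prohibited
# forward rules between the LAN and the VPN range, matched on addresses so that
# dynamically created per-user interfaces are covered as well as L2TP-IF
add chain=forward action=accept comment="VPN to LAN" \
    src-address=192.168.1.0/24 dst-address=192.168.0.0/24
add chain=forward action=accept comment="LAN to VPN" \
    src-address=192.168.0.0/24 dst-address=192.168.1.0/24
# per-user example: only user1 (fixed 192.168.1.121) may reach the LAN host 192.168.0.10
add chain=forward action=accept comment="user1 to admin host" \
    src-address=192.168.1.121 dst-address=192.168.0.10
```

Rule order matters: the accept rules must sit above the final drop, and the reject rule only ever matches L2TP that did not arrive inside IPsec, so on a healthy server its counter stays at zero while the ipsec-policy=in,ipsec rule counts every tunnel. With clients behind NAT, the ESP rule also stays at zero because their traffic arrives as UDP 4500 (NAT-T); it is still worth keeping for peers that are not NATed. The forward rules match on addresses rather than in-interface=L2TP-IF because only the user bound to L2TP-IF gets that interface name; other users get dynamically named interfaces.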
 
tikcc
just joined
Posts: 4
Joined: Tue Dec 01, 2020 11:47 pm

Re: creating l2tp server

Tue Aug 03, 2021 10:55 pm

nagylzs wrote:
[nagylzs's reply above, quoted in full]

Thanks for taking the time to reply, I think the settings I have are OK (but I have added them below just in case I'm overlooking something). As I wrote before, the connection itself works (can be seen also from the screenshot). Just that one firewall rule for protocol 50 (ipsec-esp) - or the need for it - confuses me. If it does not process any packets, why do we need it? (even with the protocol 50 (ipsec-esp) rule disabled, the VPN connection will still work)

IPsec policy details on an active client connection:
[attachment: Screen01.png]

l2tp server, IPSec, ppp configs (export without passwords)
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-profile enabled=yes \
    use-ipsec=required

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc pfs-group=modp2048

/ppp profile
add bridge=bridge.lan change-tcp-mss=yes dns-server=192.168.xxx.xxx \
    local-address=192.168.xxx.xxx name=L2TP-profile remote-address=pool.lan \
    use-encryption=required

/ppp secret
add name=mt-vpn-01 profile=L2TP-profile service=l2tp

and the relevant firewall rules in input chain:

/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=combo.wan \
    protocol=udp
add action=accept chain=input dst-port=1701 in-interface=combo.wan \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input in-interface=combo.wan protocol=ipsec-esp

 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: creating l2tp server

Wed Aug 04, 2021 6:00 pm

tikcc wrote:
Thanks for taking the time to reply, I think the settings I have are OK (but I have added them below just in case I'm overlooking something). As I wrote before, the connection itself works (can be seen also from the screenshot). Just that one firewall rule for protocol 50 (ipsec-esp) - or the need for it - confuses me. If it does not process any packets, why do we need it? (even with the protocol 50 (ipsec-esp) rule disabled, the VPN connection will still work)
Is your L2TP server or L2TP client behind NAT? When a peer is behind NAT, IPsec uses so-called "NAT Traversal". It changes the ESP packets so that they appear as normal UDP packets on port 4500. As a result, they can traverse NAT firewalls that would otherwise block ipsec-esp connections. (ESP packets have no concept of a "port", so it is not possible to do NAT on them.) If your "accept ipsec-esp" rule is not counting, then it might be because these packets arrive as UDP port 4500 packets, are then decapsulated into ESP, and then further decapsulated and decrypted.

You can find details about NAT traversal here: https://en.wikipedia.org/wiki/NAT_traversal.

You can check if your policies are using NAT-T this way: "/ip ipsec active-peers print" and look for the "N" flag.
 
tikcc
just joined
Posts: 4
Joined: Tue Dec 01, 2020 11:47 pm

Re: creating l2tp server

Wed Aug 04, 2021 10:09 pm

nagylzs wrote:
Is your L2TP server or L2TP client behind NAT? When a peer is behind NAT, IPsec uses so-called "NAT Traversal". It changes the ESP packets so that they appear as normal UDP packets on port 4500. As a result, they can traverse NAT firewalls that would otherwise block ipsec-esp connections. (ESP packets have no concept of a "port", so it is not possible to do NAT on them.) If your "accept ipsec-esp" rule is not counting, then it might be because these packets arrive as UDP port 4500 packets, are then decapsulated into ESP, and then further decapsulated and decrypted.

You can find details about NAT traversal here: https://en.wikipedia.org/wiki/NAT_traversal.

You can check if your policies are using NAT-T this way: "/ip ipsec active-peers print" and look for the "N" flag.

Well, you hit the nail right on the head with NAT - indeed, all the tests I made were from behind NAT (on the client side). I had also completely forgotten that the mobile operator NATs all connections on their end, so when I was trying directly from the phone via 4G I did not have a direct connection out, but was also NATed.

Mystery solved 8)
