webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

MTik L2TP/IPSec VPN server for Win clients behind NAT

Sat Dec 20, 2008 2:58 am

Hello to all! This is my first post here. Best regards to all of you. We recently bought MT (v 3.17 is up) and implemented it in our office LAN as a gateway for the LAN and as a VPN server for remote access to our office LAN.
I have to say that this product is great, especially comparing the price with what you get for it, but this is nothing new :D . Thank you for such a pro product at a great price.

Ok, now about my problem. I saw here on the forum that MikroTik as a VPN L2TP/IPsec server for Windows clients was not such a good and successful combination in the past, but I successfully set up MikroTik as an L2TP/IPsec server and everything works great when the Windows client has a public IP address, but I have a problem when the Windows client is behind a NAT router. Clients are using the built-in Windows XP SP2 client software.

I tried to configure the Win clients following Microsoft KB 818043 http://support.microsoft.com/kb/818043, entering value 2 in the client's registry.
On server side on MikroTik I enabled NAT Traversal option in IPsec configuration and in firewall filter I opened:
1.) protocol 50 ipsec-esp
2.) udp 500
3.) udp 1701
4.) udp 4500 port for NAT-T
but I have no success.

Can you please help me with suggestions and opinions on what more to do? It is really important to me. Tnx in advance!!
That is my signature
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sat Dec 20, 2008 5:34 pm

I don't think the problem is on your side. More likely the inability of a cr@ppy mom-and-pop router on the remote users' side to pass the IPSec protocol.

That's why most people use PPTP for remote connections from a single user to the Mikrotik router.

I may be wrong though.
Regards
Hilton
 
webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sun Dec 21, 2008 1:01 am

Hilton, thank you for your response!!
I need to use L2TP/IPsec because of the known security vulnerabilities of PPTP and the strong security policy in my company. So, you think that on the server side everything is OK with the configuration for NAT-T, and that the router on the client side is bad?
This lousy router with NAT configuration and that Win XP client are at my boss's home, and I need that VPN setup because my boss needs a VPN connection from home to the office LAN.
Hypothetically, would a small new MT router (which would replace that lousy existing router) installed at my boss's home solve the problem, and would NAT-T then work?
Are there any suggestions about how to test this existing router for IPsec capabilities in terms of compatibility with the MikroTik VPN server?
That is my signature
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sun Dec 21, 2008 4:05 pm

> Hypothetically, would a small new MT router (which would replace that lousy existing router) installed at my boss's home solve the problem, and would NAT-T then work?

If you install a Mikrotik router at the big guy's house, then you can create a LAN-to-LAN VPN which is permanently on, although this is most often set up without the IPSec part, just using MPPE 128 stateless encoding of the L2TP connection.

> Are there any suggestions about how to test this existing router for IPsec capabilities in terms of compatibility with the MikroTik VPN server?

Assuming it's an ADSL router, you could test this by changing it to bridge (modem) mode and then create a PPPoE connection directly from the WinXP computer. Then test the L2TP VPN connection to your Mikrotik router. This test effectively bypasses the router and you then have the ability to turn off the XP firewall for testing purposes.

Remember, IPSec cannot pass through NAT without some help so you are relying on the ability of the router to do this properly. I believe two Mikrotiks will do this but I haven't implemented this configuration yet.
Regards
Hilton
 
webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sun Dec 21, 2008 5:04 pm

Hilton, tnx a lot for your support and for sharing your knowledge!!

> If you install a Mikrotik router at the big guy's house, then you can create a LAN-to-LAN VPN which is permanently on, although this is most often set up without the IPSec part, just using MPPE 128 stateless encoding of the L2TP connection.

:-) "big guy's house" - you are right! Hm, a LAN-to-LAN VPN is interesting, but maybe too much for him, and the management of such a setup, because he is not an IT expert, so in that case some IT expert would need to go to his home too often; also I think that he does not want to have lots of IT infrastructure running 24/7 in his home.

> Assuming it's an ADSL router, you could test this by changing it to bridge (modem) mode and then create a PPPoE connection directly from the WinXP computer. Then test the L2TP VPN connection to your Mikrotik router. This test effectively bypasses the router and you then have the ability to turn off the XP firewall for testing purposes.

Yes, in his home he has an ADSL connection with a dynamic IP. The IP changes on every new PPPoE connection and lasts at most 24 hours without changing; it is reset every 24 hours by his ISP.
I have tested the L2TP/IPsec connection from his Win XP SP2 machine when this machine has a public IP address (using an HSDPA/UMTS mobile internet modem), and in that scenario the machine establishes the L2TP/IPsec VPN connection with the MT server in the office 100% successfully every time, which is great. The only problem is when this machine is behind his home ADSL router with NAT, and this is the standard situation which I need to solve. So, this ADSL router is probably the problem?!

> Remember, IPSec cannot pass through NAT without some help so you are relying on the ability of the router to do this properly. I believe two Mikrotiks will do this but I haven't implemented this configuration yet.

Yes, you are right! That is my problem. :( Are there any suggestions on how to test this lousy router for its IPSec capabilities?


General question: MikroTik NAT-Traversal IPSec capabilities are targeted at the scenario where the client is behind NAT, and not where the MT is behind NAT? Am I right?
That is my signature
 
jwcn
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sun Dec 21, 2008 7:01 pm

The router may have VPN Passthrough that needs to be disabled. I never had a problem using NAT with ipsec unless the passthrough wasn't enabled.
 
webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Sun Dec 21, 2008 8:26 pm

> The router may have VPN Passthrough that needs to be disabled. I never had a problem using NAT with ipsec unless the passthrough wasn't enabled.

Tnx for your suggestion!!

To be honest, I didn't understand correctly.
"VPN passthrough that needs to be disabled" - I understand that VPN passthrough needs to be disabled and then the thing will work!
"never had a problem ... unless the passthrough wasn't enabled" - I understand that if VPN passthrough was disabled (was not enabled) then there is a problem, so VPN passthrough needs to be enabled.

Please, clarify it to me!
Tnx!
That is my signature
 
jwcn
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Mon Dec 22, 2008 4:02 am

I mis-typed. VPN passthrough needs to be enabled. On the newer routers the option is there.
 
webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Mon Dec 29, 2008 8:29 pm

I have tested with the old ADSL router at my boss's place without success.
Today I tried with a new ADSL router, Zyxel P-660HW-D3, that supports the VPN passthrough option, but again I have no success.
I tried NAT port mapping in that ADSL router and opening ports in the router, but there is no success. I see in the connections list that the connection from the client to MT on port 500 is assured, but the connections on port 1701 and ipsec-esp (50) are unreplied. Can someone give me a hint about what I need to do?

Important remark:
In MT I have ipsec peer address 0.0.0.0/0 and generate policy set to yes, and I can see in Winbox in policies that policies are generated, but the src address is the 192.168.x.x LAN IP and not the public IP of the ADSL router. How's that?
That is my signature
 
webor
newbie
Topic Author
Posts: 38
Joined: Sat Dec 20, 2008 2:33 am
Location: Europe

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Tue Jan 13, 2009 6:06 pm

Ok. I see that there is no help about the configuration of that Zyxel router to work with MikroTik.
I am stuck and I need to solve that, so I am thinking about buying a small MT (e.g. RB 450) and putting it as a router in my boss's house behind that Zyxel, which will be the ADSL modem (bridge).
Possible configuration:
internet ---> Zyxel (ADSL modem - bridge mode) ---> MikroTik (router for LAN - default gateway, NAT) ---> home LAN of my boss

Can I get suggestions about how to configure VPN passthrough in such a scenario on that new MT router? I want him to be able to connect from his home PC (Win XP SP2), which is behind the MT router with NAT, to the remote MT VPN server using L2TP/IPsec. I want to test this on some old PC before purchasing a new RB.
That is my signature
 
richinuk
Member Candidate
Posts: 142
Joined: Tue Jan 22, 2008 9:30 pm

Re: MTik L2TP/IPSec VPN server for Win clients behind NAT

Mon Feb 09, 2009 8:23 pm

Hi Webor / All,

I don't have a solution to offer, but wanted to chip in that I am having an almost identical issue.

My setup is fairly typical... WinXP SP3 -> NAT/PAT DSL -> Internet -> MT Server (no natting - direct on the internet)

However, what I can see from my debugging is that it seems that L2TP at the MT side is not sending replies. IPSec completes phase 1 and phase 2, it appears (bi-directional IPSec SAs are established). Even the L2TP daemon on MT is reporting that it is receiving messages from the peer. It is further reporting that it is replying to those messages, but a packet capture shows no reply goes back out from MT towards the client.

Essentially, the sequence of exchanges between client and MT goes like this (according to my packet capture on MT):

UDP, client:500 -> MT:500
UDP, MT:500 -> client:500
... repeats a few times ...
... MT reports ISAKMP SA established ...
UDP, client:500 -> MT:500
UDP, MT:500 -> client:500
UDP, client:500 -> MT:500
... MT reports IPSec SA established ...

----- So at this stage, IPSec Phase 1 & 2 completed (it seems), now to do the L2TP in IPSec negotiation -----

ESP from client -> MT
... MT L2TP reports "rcvd control message from xx.xx.xx.xx:1701"
... MT L2TP reports "sent control message to xx.xx.xx.xx:1701"
* No packet transmitted according to MT capture
* No packet received according to WinXP capture
* Timeout of 1 second
ESP from client -> MT
... MT L2TP reports "rcvd control message from xx.xx.xx.xx:1701"
... MT L2TP reports "sent control message to xx.xx.xx.xx:1701"
* No packet transmitted according to MT capture
* No packet received according to WinXP capture
* Timeout of 2 seconds
ESP from client -> MT
... MT L2TP reports "rcvd control message from xx.xx.xx.xx:1701"
... MT L2TP reports "sent control message to xx.xx.xx.xx:1701"
* No packet transmitted according to MT capture
* No packet received according to WinXP capture
* Timeout of 4 seconds

and this continues with doubling timeouts between WinXP sending ESP packets (max 10 seconds). Eventually, the ISAKMP SAs expire.

For the record, there don't appear to be any routing issues etc. with MT. PPTP is working fine, etc. Firewall rules are set to permit any for the test.

So any thoughts on why L2TP says it's transmitting a response, but the packet capture on MT doesn't show anything?

Rich
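The capture sequence Rich posted above, and the firewall allow-list from webor's first post, can both be checked mechanically. The script below is an added example and is not code from this thread or from MikroTik: it parses a constructed packet log laid out like Rich's sequence (IKE on udp/500 in both directions, then raw ESP from the client with no reply and a doubling retransmit interval), reports whether the exchange ever moved to udp/4500 (which is what a negotiated NAT-T looks like) or stayed on raw ESP (IP protocol 50, which depends on the home router's passthrough), and lists any inbound flow towards the server that the allow-list does not cover. The addresses, timestamps and the verdict wording are assumptions made for the example; the allow-list mirrors the four rules in the first post.

```python
"""Added diagnostic for an L2TP/IPsec server whose clients sit behind NAT:
what does a capture show about NAT-T, and does the firewall allow-list
cover every flow that was seen?  All sample data here is constructed."""

import re

# Constructed capture in the shape of Rich's sequence: IKE on udp/500 in
# both directions, then raw ESP from the client, no answer, doubling gaps.
SAMPLE_CAPTURE = """\
0.000 UDP 203.0.113.10:500 -> 198.51.100.1:500
0.050 UDP 198.51.100.1:500 -> 203.0.113.10:500
0.100 UDP 203.0.113.10:500 -> 198.51.100.1:500
0.150 UDP 198.51.100.1:500 -> 203.0.113.10:500
0.200 UDP 203.0.113.10:500 -> 198.51.100.1:500
1.200 ESP 203.0.113.10 -> 198.51.100.1
2.200 ESP 203.0.113.10 -> 198.51.100.1
4.200 ESP 203.0.113.10 -> 198.51.100.1
8.200 ESP 203.0.113.10 -> 198.51.100.1
"""

# Allow-list in the shape of the first post: udp/500, udp/1701, udp/4500
# and ipsec-esp (protocol 50).  Port None means "no port" for ESP.
ALLOWED = {("udp", 500), ("udp", 1701), ("udp", 4500), ("esp", None)}

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>UDP|ESP)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?$"
)


def parse_capture(text):
    """Parse one packet per line into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = float(p["ts"])
        p["proto"] = p["proto"].lower()
        p["sport"] = int(p["sport"]) if p["sport"] else None
        p["dport"] = int(p["dport"]) if p["dport"] else None
        packets.append(p)
    return packets


def blocked_inbound(packets, server, allowed=ALLOWED):
    """Flows towards the server that the allow-list does not cover."""
    seen = {(p["proto"], p["dport"]) for p in packets if p["dst"] == server}
    return sorted(seen - allowed, key=lambda f: (f[0], f[1] or 0))


def diagnose(text, client, server):
    """Summarise what the capture shows for one client/server pair."""
    pkts = parse_capture(text)
    to_srv = [p for p in pkts if p["src"] == client and p["dst"] == server]
    to_cli = [p for p in pkts if p["src"] == server and p["dst"] == client]

    def n(flow, proto, port=None):
        return sum(1 for p in flow
                   if p["proto"] == proto and (port is None or p["dport"] == port))

    # A client that gets no answer retransmits with a doubling interval,
    # which is the 1 s / 2 s / 4 s pattern described in the thread.
    esp_ts = [p["ts"] for p in to_srv if p["proto"] == "esp"]
    gaps = [round(b - a, 3) for a, b in zip(esp_ts, esp_ts[1:])]
    backoff = len(gaps) >= 2 and all(abs(b - 2 * a) < 1e-6
                                     for a, b in zip(gaps, gaps[1:]))
    result = {
        "ike_udp500": (n(to_srv, "udp", 500), n(to_cli, "udp", 500)),
        "natt_udp4500": (n(to_srv, "udp", 4500), n(to_cli, "udp", 4500)),
        "raw_esp": (n(to_srv, "esp"), n(to_cli, "esp")),
        "client_backoff": backoff,
        "blocked_inbound": blocked_inbound(pkts, server),
    }
    sent4500, got4500 = result["natt_udp4500"]
    esp_in, esp_out = result["raw_esp"]
    if sent4500 and got4500:
        result["verdict"] = "nat-t negotiated: ESP carried in udp/4500"
    elif esp_in and not esp_out:
        result["verdict"] = ("nat-t not negotiated: client sends raw ESP "
                             "(protocol 50) and gets no reply")
    elif esp_in and esp_out:
        result["verdict"] = "raw ESP flowing both ways"
    else:
        result["verdict"] = "no IPsec data traffic after IKE"
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.1"),
                     indent=2))
```

Feed it a capture in the same one-packet-per-line shape from the server side: a healthy NAT-T session shows traffic on udp/4500 in both directions and no raw ESP at all, while the constructed sample reproduces the failure mode in the thread (IKE completes on udp/500, the client then sends raw ESP and backs off because nothing comes back).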
