adiazm
just joined
Topic Author
Posts: 13
Joined: Sat Aug 15, 2009 11:39 pm

RouterOS L2TP server with Windows XP/Vista client behind NAT

Sat Aug 15, 2009 11:57 pm

Hello everybody!

I've just finished configuring a MikroTik RouterOS L2TP server with RouterOS 3.28, using a public IP address on the ether1 interface and a LAN IP address on ether2.

Using this howto http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP I can connect to my LAN over the L2TP VPN, but it only works when my Windows XP client is connected to the internet through a public IP address; when I am behind a NAT device I cannot connect to my RouterOS VPN server.

I don't have any trouble if I try to connect to another L2TP server (3Com VPN server) behind the same NAT device.

Does anyone know how to resolve this?

Thanks for your help.

ADiazM
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Mon Aug 17, 2009 12:51 pm

I assume that you are using IPSec together with L2TP.
You can enable NAT-T. Check the IPSec configuration for the particular client; perhaps NATed traffic is entering the router, but the IPSec settings are configured for the original client addresses (not NATed).
 
adiazm
just joined
Topic Author
Posts: 13
Joined: Sat Aug 15, 2009 11:39 pm

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Mon Aug 17, 2009 5:44 pm

Dear Sergejs,

Thanks a lot for your answer. I very much appreciate your help.

As I said before, with another L2TP/IPSec server (3Com appliance) I don't have any trouble connecting to the VPN.

Is it possible that I need to adjust/enable something in the RouterOS configuration in order to get a successful connection?

Thanks again.
 
rpress
Frequent Visitor
Posts: 87
Joined: Thu May 07, 2009 5:13 am

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Mon Aug 17, 2009 8:28 pm

NAT-T is what you want. I tried in the past with 3.25 but I couldn't get mine working, though; it looks like there is some problem with the kernel routing packets incorrectly once NAT-T is enabled.

I posted about that problem a while ago in another thread. Let us know if you manage to get it working.
 
adiazm
just joined
Topic Author
Posts: 13
Joined: Sat Aug 15, 2009 11:39 pm

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Mon Aug 17, 2009 9:04 pm

I tried to enable NAT-T in the Windows XP client using this reference http://support.microsoft.com/kb/885407 but I cannot get connected yet. I changed the registry to AssumeUDPEncapsulationContextOnSendRule=2

But it doesn't work anyway. Then in my RouterOS device I changed my IPSec config from:
address=0.0.0.0/0:500 auth-method=pre-shared-key secret="123456789" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
to:
address=0.0.0.0/0:500 auth-method=pre-shared-key secret="123456789" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
But it still doesn't work.

Regards.
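
An added example, not part of the thread or of RouterOS: a model of the NAT-D check from RFC 3947 that nat-traversal=yes enables, showing how the responder notices that the client's real address differs from the one in the packet headers. It goes beyond the posts by modelling the detection step itself; the cookies and addresses are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
SERVER = ("198.51.100.1", 500)              # assumed public address of the L2TP/IPSec server
CLIENT_PRIVATE = ("192.168.1.10", 500)      # client behind the NAT device
NAT_PUBLIC = ("203.0.113.7", 1027)          # source address/port after NAT rewriting


def nat_d_hash(ip, port, cky_i=CKY_I, cky_r=CKY_R):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    # SHA-1 because the peer in the thread negotiates hash-algorithm=sha1.
    return hashlib.sha1(data).digest()


def client_nat_d(local, remote):
    """NAT-D payloads the client builds from the addresses it believes it uses."""
    return {"dst": nat_d_hash(*remote), "src": nat_d_hash(*local)}


def responder_check(payloads, seen_src, seen_dst):
    """Compare received NAT-D hashes with the addresses in the packet headers."""
    peer_behind_nat = payloads["src"] != nat_d_hash(*seen_src)
    self_behind_nat = payloads["dst"] != nat_d_hash(*seen_dst)
    return peer_behind_nat, self_behind_nat


def ike_port_after_detection(peer_behind_nat, self_behind_nat):
    """With a NAT on the path, IKE and UDP-encapsulated ESP move to UDP 4500."""
    return 4500 if (peer_behind_nat or self_behind_nat) else 500


def simulate(client_local, client_as_seen):
    """Run one exchange: client builds NAT-D, responder checks it."""
    payloads = client_nat_d(client_local, SERVER)
    flags = responder_check(payloads, client_as_seen, SERVER)
    return flags, ike_port_after_detection(*flags)


if __name__ == "__main__":
    print("client behind NAT:  ", simulate(CLIENT_PRIVATE, NAT_PUBLIC))
    print("client on public IP:", simulate(("203.0.113.7", 500), ("203.0.113.7", 500)))
```

When the check reports a NAT, every firewall between client and server has to pass UDP 4500 in addition to UDP 500, because ESP no longer travels as a bare IP protocol.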
