RouterOS L2TP server with Windows XP/Vista client behind NAT

Posted: Sat Aug 15, 2009 11:57 pm
by adiazm
Hello everybody!

I've just finished configuring a MikroTik RouterOS L2TP server with RouterOS 3.28, using a public IP address on the ether1 interface and a LAN IP address on ether2.

Using this howto http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP I can connect to my LAN over the L2TP VPN, but it only works when my Windows XP client is connected to the internet through a public IP address. When I am behind a NAT device I cannot connect to my RouterOS VPN server.

I don't have any trouble if I try to connect to another L2TP server (3com VPN Server) behind the same NAT device.

Does anyone know how to resolve this?

Thanks for your help.

ADiazM

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Posted: Mon Aug 17, 2009 12:51 pm
by sergejs
I assume that you are using IPSec together with L2TP.
You can enable NAT-T. Check the IPSec configuration for the particular client; perhaps NATed traffic is entering the router, but the IPSec settings are configured for the original client addresses (not NATed).

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Posted: Mon Aug 17, 2009 5:44 pm
by adiazm
Dear Sergejs,

Thanks a lot for your answer. I very much appreciate your help.

As I said before, with another L2TP/IPSec server (3Com appliance) I don't have any trouble connecting to the VPN.

Is it possible that I need to adjust/enable something in the RouterOS configuration in order to get a successful connection?

Thanks again.

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Posted: Mon Aug 17, 2009 8:28 pm
by rpress
NAT-T is what you want. I tried in the past with 3.25 but I couldn't get mine working, though; it looks like there is some problem with the kernel routing packets incorrectly once NAT-T is enabled.

I posted about that problem a while ago in another thread. Let us know if you manage to get it working.

Re: RouterOS L2TP server with Windows XP/Vista client behind NAT

Posted: Mon Aug 17, 2009 9:04 pm
by adiazm
I tried to enable NAT-T in the Windows XP client using this reference http://support.microsoft.com/kb/885407 but I still cannot connect. I changed the registry to AssumeUDPEncapsulationContextOnSendRule=2

But it doesn't work anyway. Then in my RouterOS device I changed my IPSec config from:
address=0.0.0.0/0:500 auth-method=pre-shared-key secret="123456789" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
to:
address=0.0.0.0/0:500 auth-method=pre-shared-key secret="123456789" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
But it still doesn't work.

Regards.
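
Added example, not part of any post in this thread: when NAT-T is enabled on both ends but the tunnel still fails, a capture on the router's public interface shows whether the exchange ever moves from UDP 500 to UDP 4500. The sketch below classifies UDP payloads using the RFC 3948 framing (four zero bytes before IKE on 4500, a single 0xFF keepalive, otherwise ESP). The function names and the sample packets are constructed for illustration.

```python
import struct

# IKEv1 exchange types (RFC 2408/2409)
EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}

def parse_ike(data):
    """Describe the fixed 28-byte ISAKMP header, or return None if it is not one."""
    if len(data) < 28:
        return None
    _, _, _, version, exch, _, _, length = struct.unpack("!8s8sBBBBII", data[:28])
    if version >> 4 not in (1, 2) or length < 28:
        return None
    return "IKEv%d %s" % (version >> 4, EXCHANGES.get(exch, "exchange-%d" % exch))

def classify(server_port, payload):
    """Classify one UDP payload by the VPN server's port (RFC 3948 framing on 4500)."""
    if server_port == 500:
        ike = parse_ike(payload)
        return ("ike-500: " + ike) if ike else "unknown"
    if server_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == b"\x00" * 4:  # non-ESP marker precedes IKE on 4500
            ike = parse_ike(payload[4:])
            return ("ike-4500: " + ike) if ike else "unknown"
        if len(payload) >= 8:  # non-zero SPI followed by a sequence number
            return "esp-in-udp spi=0x%08x" % struct.unpack("!I", payload[:4])[0]
    return "unknown"

def nat_t_engaged(packets):
    """True once any IKE or ESP traffic is seen on UDP 4500."""
    return any(classify(p, d).startswith(("ike-4500", "esp-in-udp")) for p, d in packets)

def make_ike(exch, version=0x10):
    """Build a constructed, payload-less ISAKMP header for the sample below."""
    return struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, 1, version, exch, 0, 0, 28)

# Constructed sample: (server-side UDP port, UDP payload)
SAMPLE = [
    (500, make_ike(2)),                                       # main mode starts on 500
    (4500, b"\x00" * 4 + make_ike(2)),                        # IKE floated to 4500
    (4500, b"\xff"),                                          # NAT keepalive
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16), # UDP-encapsulated ESP
]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
    print("NAT-T engaged:", nat_t_engaged(SAMPLE))
```

If only `ike-500` lines ever appear for a client known to be behind NAT, the peers did not agree on NAT-T during the exchange; if `ike-4500` appears but no `esp-in-udp` follows, the problem is after phase 1.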