L2TP server... what could be happening?

Posted: Thu Mar 29, 2012 11:33 pm
by michaelcarey
Hi Everybody,

I've set up an L2TP server on a Mikrotik/Routerboard RB750 (PPPoE ADSL connection). Everything seems to be OK, I'm using a pre-shared key. I've configured the Firewall/Filter Rules to allow UDP 500,1701,4500 and protocol 50.

I can connect to it with the two Win7 machines in my home office (different ADSL connection)... but not with my WinXP laptop which is on the same network as the Win7 machines.

The WinXP machines stay in the "Connecting to xxxxx..." phase and eventually time out with an error message: "Error 792: The L2TP connection attempt failed because security negotiation timed out."

I can see the connection attempt appearing in WinBox IP/IPSEC/Remote Peers...

I thought it might have been something in the laptop that was causing the trouble... but if I use my Huawei 3G USB "modem" to connect my laptop to the internet, it works fine and I can connect to the L2TP server and access the internal network via the L2TP connection.

Both WinXP machines at my work (NAT'd ADSL) also cannot connect to the Mikrotik L2TP server, but a Win7 computer belonging to a customer works fine using the same network and ADSL/router connection.

Does WinXP need some "changes" to be made that Win7 does not? What is stopping the WinXP machines behind a NAT router from connecting?


Any ideas?

Michael.

**edit** It appears that if my WinXP laptop is on the LAN side of the Mikrotik RB750 and I "aim" the L2TP connection at the internal IP address, it connects to the L2TP server OK.

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 1:08 am
by ditonet
Search MS knowledge base for Q240262 and Q818043.
WinXP needs some registry modification.

HTH,

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 2:12 am
by michaelcarey
Thank you for the reply. I think I have seen one of these KB articles before.

Q818043 (I think) does not apply to me, as according to the article this update has already been applied with SP3.

Q240262 seems to be for Windows 2000. Does this KB article still apply to WinXP?

I do agree that it does seem to be a NAT-T issue... it seems to have been discussed here too :-

http://forum.mikrotik.com/viewtopic.php?f=1&t=47207

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 2:33 am
by michaelcarey
OK... I looked a little more into the thread I posted just above and found this post :-

> Hi .. I had the same problem when using IPsec/L2TP and NAT-T
>
> I resolved this by changing the IPsec > Peer > Exchange Mode from "main" to "main l2tp"
>
> This revision allows the FQDN as the peer ID with preshared key authorization in main mode;
>
> Cheers,
> Luke

I changed this setting in my RB750... and it works!

:D
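For readers who want to see the fix from this thread in CLI form, here is an added RouterOS console example; it is not configuration posted by anyone in the thread. It assumes RouterOS v6 syntax for `/ip ipsec peer` (the `main-l2tp` value is what WinBox displays as "main l2tp"), reproduces the input rules the original poster described (UDP 500/1701/4500 and IP protocol 50, which RouterOS names `ipsec-esp`), and uses a placeholder pre-shared key that must be replaced.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 option names;
# check "/ip ipsec peer print" on the running version before pasting.

# 1. Allow the L2TP/IPsec control and data traffic to reach the router itself.
#    Keep these on the input chain only; nothing here opens forwarding.
/ip firewall filter
add chain=input protocol=udp dst-port=500 action=accept comment="IKE (ISAKMP)"
add chain=input protocol=udp dst-port=4500 action=accept comment="IKE NAT-T (UDP encapsulation)"
add chain=input protocol=udp dst-port=1701 action=accept comment="L2TP (tunnel runs inside IPsec)"
add chain=input protocol=ipsec-esp action=accept comment="ESP, IP protocol 50"

# 2. The setting that resolved the thread: main-l2tp instead of main.
#    address=0.0.0.0/0 accepts any client, so all road-warriors share one PSK.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    exchange-mode=main-l2tp generate-policy=port-override send-initial-contact=no \
    comment="L2TP/IPsec road-warrior peer (NAT-T clients included)"

# 3. Phase 2 proposal. 3DES is kept only because older Windows XP clients
#    offer it; remove it once no such clients remain.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none

# 4. Enable the L2TP server; PPP authentication happens after IPsec is up.
/interface l2tp-server server
set enabled=yes authentication=mschap2 default-profile=default
```

When checking whether this is working, the place to look is the same one the original poster used: `/ip ipsec remote-peers print` (WinBox IP/IPSEC/Remote Peers) shows whether phase 1 completed, and a client stuck at "security negotiation timed out" while it appears there with `exchange-mode=main` is the symptom this thread resolved. Because the wildcard peer shares one secret across every client, treat that PSK like a password: long, random, and rotated when a client device is lost.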

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 2:51 am
by ditonet
You didn't post your config, so my assumption was that 'exchange-mode=main l2tp'.
WinXP L2TP/IPSec client requires this mode and registry modification as described in
mentioned MS KB articles. Good to know that it works for you :)

Regards,

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 10:27 am
by michaelcarey
> You didn't post your config, so my assumption was that 'exchange-mode=main l2tp'.
> WinXP L2TP/IPSec client requires this mode and registry modification as described in
> mentioned MS KB articles. Good to know that it works for you :)
>
> Regards,

In the Mikrotik online manual "chapters" referring to L2TP, I found no reference to the "exchange-mode..." setting in IPSEC/peers...

http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

This is the section of user manual I was working with when setting up my L2TP server... in the IPSec configuration the "exchange mode..." setting is not mentioned at all.

http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP

Maybe the manual could be updated to include this?

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 10:48 am
by ditonet
You are right, the online manual is sometimes inaccurate.
Some new features are only mentioned in changelog:
http://www.mikrotik.com/download/CHANGELOG_5
'Main L2TP' mode for example.
Anyway, RouterOS is still my favourite :)

Regards,

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 11:50 am
by michaelcarey
Oh yes... please don't misunderstand.

I really like Mikrotik... very powerful.

Mikrotik and Routerboard!

:D

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 12:16 pm
by mrz
Documentation updated.
Second article was user created so anyone can edit it.

Re: L2TP server... what could be happening?

Posted: Fri Mar 30, 2012 12:45 pm
by ditonet
Thanks!

Regards,