This road warrior L2TP/IPsec is so, so FRUSTRATING, it seems that it could make one jump over the cliff. No matter how much improvements, it just seem to follow a golden rule: the more things change, the more they remain the same.

The problem I have is the L2TP server never gets to the authentication process...even when a dynamic policy gets generated. Everything works at home using a guess network to connect. However, when on the road, the L2TP server just won't authenticate. This failure was described in 2012 here: http://forum.mikrotik.com/viewtopic.php?t=67746 and again in 2014 here: https://www.mail-archive.com/mikrotik@m ... 08704.html

It's not the firewall as the L2TP server is sending and receiving control messages with the client...it NEVER authenticates and enter a dead zone. Is it a bug (read that in the pass)? Can any Guru or others provide a working solution? Is IPsec Policy really doesn't like an unknown IP address...if so, then how can a road warrior VPN work?

Can you please confirm that this is using mobile networks eg 3G/4G as i know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.

Can you please confirm that this is using mobile networks eg 3G/4G as i know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.

No, the client is using either iOS devices or Android devices over WIFI.

Yep same issue here cant get l2tp working with iOS however pptp works fine


Sent from my iPhone using Tapatalk

Since I can connect to my VPN from my guess network at home...connection from the coffee failed, to trouble shoot most would say check firewall. However, from the coffee shop, L2TP is sending and receiving control messages with the client...therefore that would imply going through the firewall, doesn't it! Also that would imply that IPsec established successfully as well. Here is my firewall (screen shoot below)...does it look acceptable and as recommended?

Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.

Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.

Thanks for responding and awaiting my follow MrZ. My log is very long (both L2TP and IPsec)...would take too much time to redact confidential info. Could I just send the supout file to Mikrotik support...I have been in communication with Maris B.

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.

Thanks Fallenwrx for responding. I am using RouterOS 6.29 and when one selects IPsec in the L2TP server, it auto generates an IPsec Peer with a policy to "port strict" that's unchangeable.

What ticket number?

if you open the dynamic peer and copy it - make the required change and then delete the original peer does that work for you?

I had/have similar issue, described here.
Only workaround I find is that you need to add always manually the outgoing policy. (which is very inconvenient in case of roadwarriors)
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated in case both client and server are behind NAT, then L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.

What ticket number?

[Ticket#2015061066000766] VPN Analysis and Recommendation

Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communication with the client...just not engaging and completing the authentication process...so, one could see how I am leaning towards the conclusion.

The way to resolve is to use advance configuration to forward that port to a secure port that's firewall friendly such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.

Per Mikrotik support, I disabled all drop rules and that doesn't resolve the L2TP authentication process thus making connection possible, despite IPsec successfully connects. Sent another supout file.

I had/have similar issue, described here.
Only workaround I find is that you need to add always manually the outgoing policy. (which is very inconvenient in case of roadwarriors)
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated in case both client and server are behind NAT, then L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.

I read that you got yours working...when you say "need to add always manually the outgoing policy" what exactly do you mean? Is it that before you go to the outside world you add the policy manually?

Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communication with the client...just not engaging and completing the authentication process...so, one could see how I am leaning towards the conclusion.

The way to resolve is to use advance configuration to forward that port to a secure port that's firewall friendly such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.

Thought to share the web document claiming what I stated above about the weakness of L2TP...the firewall issue. It might help others in their VPN decision making. Here's the link: https://www.bestvpn.com/blog/4147/pptp- ... -vs-ikev2/

I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.

I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.

Sorry that was a false alarm...problem still has not resolved.

Thanks to Mikrotik support for resolving my VPN issue. It turned out to be the dynamic generated peer where the problem resided. So, if I reboot the router, I would need to delete the dynamic generated peer for the manually created peer to take effect.

My hope is that Mikrotik gives one the option in the L2TP server to elect whether to issue a dynamic generated peer or manually create the peer in up coming RouterOS releases. One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.

One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.

Not exactly clear where you are trying to edit the key.
In /ip ipsec peers it will not be possible because peer is Dynamic.
But you can edit ipsec-secret in L2TP server settings.

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.

Actually, Fallenwrx, that's exactly what worked with passive unchecked...thanks for sharing. Maybe Mikrotik should allow the option to select generate IPsec-peer manually in the L2TP server in future RouterOS releases.