Giannisapost
just joined
Topic Author
Posts: 12
Joined: Sun Jun 11, 2023 9:54 pm

WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 5:26 pm

Hello everyone, for many months now I'm trying to create a VPN connection from remote devices (laptop, mobile etc.), outside my house, but I haven't found why it's not working.

Till now I can connect only with my iPhone remotely using L2TP, but my laptop cannot connect; it shows an error saying: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. From the logs I noticed that it shows the error: No suitable proposal found.

I tried with WireGuard as well; it says that it connects but without any communication to my router...

My MikroTik has a public IP but it's behind NAT from my ISP router, on which I have port forwarded ports 4500, 1701, 500.

My configuration is below:

/interface bridge
add ingress-filtering=no name=bridge-Vlan-LAN pvid=10 vlan-filtering=yes
add name=bridge-Vlan-WLAN
add admin-mac=0000000 auto-mac=no comment=defconf mtu=1492 name=\
bridgeLocal-LAN
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-ISP
set [ find default-name=ether3 ] name=ether3-Management
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=greece disabled=no \
installation=indoor mode=ap-bridge ssid="GAPO WLAN 2.4G" vlan-id=20 \
vlan-mode=use-tag
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=greece disabled=no \
installation=indoor mode=ap-bridge ssid="GAPO WLAN 5G" vlan-id=20 \
vlan-mode=use-tag wireless-protocol=802.11
/interface l2tp-server
add disabled=yes name=l2tp-in1 user=vpnlocal
/interface wireguard
add disabled=yes listen-port=9874 mtu=1420 name=wireguard-VPN_Local
/interface vlan
add disabled=yes interface=bridge-Vlan-LAN name=Vlan99 vlan-id=99
add disabled=yes interface=ether1-ISP mtu=1492 name=vlan1cosmote vlan-id=835
add interface=bridge-Vlan-LAN name=vlan10 vlan-id=10
add interface=bridge-Vlan-WLAN name=vlan20 vlan-id=20
add disabled=yes interface=ether1-ISP name=vlan838-ISPMANAGMENT vlan-id=838
/interface pppoe-client
add add-default-route=yes interface=vlan1cosmote name=pppoe-out1-Cosmote \
user=000000
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-128-cbc
/ip pool
add name=vpn ranges=192.168.100.2-192.168.100.255
add name=dhcp_pool2 ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool5 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridgeLocal-LAN name=dhcp1
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp3
add address-pool=dhcp_pool5 interface=vlan10 name=dhcp2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridgeLocal-LAN comment=defconf interface=ether3-Management
add bridge=bridge-Vlan-LAN comment=defconf interface=ether4 pvid=10
add bridge=bridge-Vlan-LAN comment=defconf interface=ether5 pvid=10
add bridge=bridge-Vlan-WLAN interface=wlan2 pvid=20
add bridge=bridge-Vlan-WLAN interface=wlan1 pvid=20
add bridge=bridge-Vlan-LAN interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge-Vlan-LAN tagged=bridge-Vlan-LAN untagged=\
ether2,ether4,ether5 vlan-ids=10
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface list member
add interface=ether1-ISP list=WAN
add interface=ether2 list=LAN
add interface=ether3-Management list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireguard peers
add allowed-address=192.168.101.2/32 disabled=yes interface=\
wireguard-VPN_Local public-key=\
"000000="
/interface wireless align
set active-mode=no audio-max=0 audio-min=0 frame-size=200 frames-per-second=1
/interface wireless cap
set bridge=bridgeLocal-LAN discovery-interfaces=bridgeLocal-LAN interfaces=\
wlan1,wlan2
/ip address
add address=10.10.1.1/24 comment=Management-LAN interface=bridgeLocal-LAN \
network=10.10.1.0
add address=192.168.100.1 comment=VPN interface=ether1-ISP network=\
192.168.100.0
add address=10.10.20.1/24 comment=VLAN-WLAN interface=vlan20 network=\
10.10.20.0
add address=10.10.10.1/24 comment=VLAN interface=vlan10 network=10.10.10.0
add address=192.168.101.1/24 interface=wireguard-VPN_Local network=\
192.168.101.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=wlan1
add interface=ether1-ISP
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=192.168.1.1 gateway=10.10.1.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=192.168.101.2 \
in-interface=wireguard-VPN_Local src-address=192.168.101.1
add action=drop chain=input dst-port=53 in-interface=ether1-ISP protocol=udp
add action=drop chain=input in-interface=ether1-ISP protocol=tcp src-port=53
add action=accept chain=input disabled=yes dst-port=4500 in-interface=\
ether1-ISP protocol=udp src-port=4500
add action=accept chain=input disabled=yes dst-port=500 in-interface=\
ether1-ISP protocol=udp src-port=500
add action=accept chain=input disabled=yes dst-port=1701 in-interface=\
ether1-ISP protocol=udp src-port=1701
/ip firewall mangle
add action=passthrough chain=input disabled=yes protocol=tcp tcp-flags=syn \
tcp-mss=1452-1452
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
out-interface=wireguard-VPN_Local src-address=192.168.101.0/24
add action=masquerade chain=srcnat
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=vpn
add disabled=yes name=00000
add local-address=192.168.100.3 name=vpnlocal remote-address=192.168.100.4 \
service=l2tp
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no


I need some help :P
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 6:35 pm

Fixes and WireGuard:
- one bridge, default pvid of 1 kept.
- remove vlans from wifi
- consistent vlan settings, pool, dhcp-server, dhcp-server network, ip address
- ip dhcp client should be removed/disabled, ISP settings are at pppoe settings.
- remove cap, not needed for internal radios.
- dns server setting for management network 10.10.1.0/24 doesn't fit, set to non-existent 192.168.1.1??
- masquerade rule for wireguard not required (router is server for handshake) and no need to masquerade outgoing traffic as all traffic is incoming from road warriors.
- mangle rule removed.
- firewall rules modified
- something I don't understand about management vlan and vlan30 >>>>>???????

/interface bridge
add ingress-filtering=no name=bridge-Vlan vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=greece disabled=no \
installation=indoor mode=ap-bridge ssid="GAPO WLAN 2.4G"
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=greece disabled=no \
installation=indoor mode=ap-bridge ssid="GAPO WLAN 5G" wireless-protocol=802.11


/interface wireguard
add disabled=no listen-port=9874 name=wireguard-VPN_Local

/interface vlan
add interface=bridge-Vlan name=vlan10 vlan-id=10
add interface=bridge-Vlan name=vlan20 vlan-id=20
add interface=bridge-Vlan name=vlan99 vlan-id=99
add interface=bridge-Vlan name=vlan30 vlan-id=30 comment="formerly bridge subnet" ?????
add interface=ether1-ISP name=vlan1cosmote vlan-id=835

/interface pppoe-client
add add-default-route=yes interface=vlan1cosmote name=pppoe-out1-Cosmote

/ip pool
add name=dhcp_pool2 ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool5 ranges=10.10.10.2-10.10.10.254

/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan99 name=dhcp1
add address-pool=dhcp_pool3 interface=vlan30 name=dhcp5
add address-pool=dhcp_pool4 interface=vlan20 name=dhcp3
add address-pool=dhcp_pool5 interface=vlan10 name=dhcp2

/interface bridge port
add bridge=bridge-Vlan interface=ether3-Management pvid=99 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=wlan2 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=wlan1 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge-Vlan interface= ?????? pvid=30 ???????

/interface bridge vlan
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=wlan1,wlan2 vlan-ids=20
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=ether3-Management vlan-ids=99
add bridge=bridge-Vlan tagged=bridge-Vlan untagged=????? vlan-ids=30?????

/interface list member
add interface=ether1-ISP list=WAN
add interface=pppoe-out1-Cosmote list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan99 list=LAN
add interface=vlan30 list=LAN ????

/interface wireguard peers
add allowed-address=192.168.101.2/32 disabled=yes interface=\
wireguard-VPN_Local public-key=\
"000000="

/ip address
add address=10.10.1.1/24 comment=Management-LAN interface=vlan99 \
network=10.10.1.0
add address=10.10.20.1/24 comment=VLAN-WLAN interface=vlan20 network=\
10.10.20.0
add address=10.10.10.1/24 comment=VLAN interface=vlan10 network=10.10.10.0
add address=10.10.30.1/24 comment=???? interface=vlan30 network=10.10.30.0 ?????
add address=192.168.101.1/24 interface=wireguard-VPN_Local network=\
192.168.101.0

/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 gateway=10.10.1.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback \
(for router uses only)" dst-address=127.0.0.1
add action=accept chain=input dst-port=9874 protocol=udp comment="wireguard connection"
add action=accept chain=input in-interface-list=LAN comment="allow lan users to router services"
add action=drop chain=input comment="Drop All Else"
# ---------------- forward chain ----------------
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
add action=accept chain=forward comment="local to WAN internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="remote to lans" in-interface=wireguard-VPN_Local out-interface-list=LAN
add action=drop chain=forward comment="DROP All Else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1-Cosmote
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 8:52 pm

As for the L2TP, I'm willing to bet that the problem is with the encryption algorithms. That's why I would recommend you to read which algorithms your laptop supports from the following page:

https://help.mikrotik.com/docs/display/ROS/IPsec

and configure respectively the proposals and profiles from the IP/IPsec menu.
 
jaclaz
Long time Member
Posts: 665
Joined: Tue Oct 03, 2023 4:21 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 9:13 pm

Laptop is running Windows (10)?

Check also this:
viewtopic.php?t=174518
 
Giannisapost
just joined
Topic Author
Posts: 12
Joined: Sun Jun 11, 2023 9:54 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 9:23 pm

I need the WLAN VLAN to reduce traffic generation. As for the filter rules, all are inactive; maybe PPPoE is the problem? I have deactivated it.
 
Giannisapost
just joined
Topic Author
Posts: 12
Joined: Sun Jun 11, 2023 9:54 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 9:24 pm

> Laptop is running Windows (10)?
>
> Check also this:
> viewtopic.php?t=174518

Running Windows 11...!
 
Giannisapost
just joined
Topic Author
Posts: 12
Joined: Sun Jun 11, 2023 9:54 pm

Re: WireGuard or L2TP VPN not working...

Sat Feb 03, 2024 9:25 pm

> As for the L2TP, I'm willing to bet that the problem is with the encryption algorithms. That's why I would recommend you to read which algorithms your laptop supports from the following page:
>
> https://help.mikrotik.com/docs/display/ROS/IPsec
>
> and configure respectively the proposals and profiles from the IP/IPsec menu.

That's what I was thinking, I will try it and come back!
 
Giannisapost
just joined
Topic Author
Posts: 12
Joined: Sun Jun 11, 2023 9:54 pm

Re: WireGuard or L2TP VPN not working...

Mon Feb 05, 2024 7:09 pm

I've made all these changes but again nothing changed....
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: WireGuard or L2TP VPN not working...

Tue Feb 06, 2024 9:05 pm

You could set use-ipsec=required in the L2TP server and add an IPsec secret if you haven't, so that the changes you've made can take effect; plus it's more secure this way.
