I'm tearing my hair out with a VPN issue. My VPN works with iOS/macOS devices perfectly - no problems connecting to anything on the internal network. But I can't get it working with a Windows 10 client. Any suggestions gratefully received!
The client seems to successfully connect. It can resolve DNS names on the internal network configured under /ip dns static on the router, and can ping them successfully too. But any attempt at a TCP connection receives no response. I've reproduced this on multiple clients on both mobile and fixed (single-NAT) internet connections.
Relevant sections of my config are:
Code:
/ip pool
add name=vpn ranges=10.10.10.2-10.10.10.255
/ppp profile
add dns-server=10.10.10.1 local-address=10.10.10.1 name=L2TP only-one=no \
remote-address=vpn
/interface l2tp-server server
set default-profile=L2TP enabled=yes ipsec-secret=\
SomethingSecure max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip firewall filter
...
add action=accept chain=input comment="Accept from VPN" log-prefix=acceptvpn \
src-address=10.10.10.0/24
add action=accept chain=input comment="Accept L2TP" connection-state=new \
dst-port=500,1701,4500 in-interface=pppoe-out1 log=yes log-prefix=\
"fw accept l2tp" protocol=udp
add action=accept chain=input comment="Accept ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Accept ipsec-ah" in-interface-list=WAN \
protocol=ipsec-ah
...
add action=accept chain=forward comment="Forward from VPN" log-prefix=\
forwardvpn src-address=10.10.10.0/24
...
/ip firewall nat
...
add action=masquerade chain=srcnat comment="masq. vpn traffic" log-prefix=\
vpnmasq src-address=10.10.10.0/24
...
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp secret
add name=vpn password=SomethingElseSecure profile=L2TP
Code:
22:32:28 ipsec,info respond new phase 1 (Identity Protection): 212.69.11.22[500]<=>92.40.33.44[11988]
22:32:28 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
22:32:28 ipsec received Vendor ID: RFC 3947
22:32:28 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
22:32:28 ipsec received Vendor ID: FRAGMENTATION
22:32:28 ipsec Fragmentation enabled
22:32:28 ipsec 92.40.33.44 Selected NAT-T version: RFC 3947
22:32:28 ipsec Adding xauth VID payload.
22:32:28 ipsec sent phase1 packet 212.69.11.22[500]<=>92.40.33.44[11988] 732a4f9cf65235f9:3b533cf648815df4
22:32:28 ipsec NAT detected: PEER
22:32:28 firewall,info fw accept l2tp input: in:pppoe-out1 out:(unknown 0), src-mac 20:e0:9c:df:1b:4e, proto UDP, 92.40.33.44:11988->212.69.11.22:500, len 436
22:32:28 ipsec Adding remote and local NAT-D payloads.
22:32:28 ipsec sent phase1 packet 212.69.11.22[500]<=>92.40.33.44[11988] 732a4f9cf65235f9:3b533cf648815df4
22:32:29 ipsec NAT-T: ports changed to: 92.40.33.44[40087]<=>212.69.11.22[4500]
22:32:29 ipsec KA list add: 212.69.11.22[4500]->92.40.33.44[40087]
22:32:29 ipsec,info ISAKMP-SA established 212.69.11.22[4500]-92.40.33.44[40087] spi:732a4f9cf65235f9:3b533cf648815df4
22:32:29 ipsec respond new phase 2 negotiation: 212.69.11.22[4500]<=>92.40.33.44[40087]
22:32:29 ipsec searching for policy for selector: 212.69.11.22:1701 ip-proto:17 <=> 92.40.33.44:1701 ip-proto:17
22:32:29 ipsec generating policy
22:32:29 ipsec Adjusting my encmode UDP-Transport->Transport
22:32:29 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
22:32:29 ipsec sent phase2 packet 212.69.11.22[4500]<=>92.40.33.44[40087] 732a4f9cf65235f9:3b533cf648815df4:00000000
22:32:29 ipsec IPsec-SA established: ESP/Transport 92.40.33.44[40087]->212.69.11.22[4500] spi=0x840ab0d
22:32:29 ipsec IPsec-SA established: ESP/Transport 212.69.11.22[4500]->92.40.33.44[40087] spi=0x389325e2
22:32:29 l2tp,info first L2TP UDP packet received from 92.40.33.44
22:32:29 l2tp,ppp,info,account vpn logged in, 10.10.10.249 from 92.40.33.44
22:32:29 l2tp,ppp,info <l2tp-vpn>: authenticated
22:32:29 l2tp,ppp,info <l2tp-vpn>: connected
Martin
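An added example, not part of Martin's post or of RouterOS itself: a small Python parser for RouterOS log lines of the kind quoted above. It walks the ipsec/l2tp/ppp log, records the milestones a working L2TP/IPsec session must pass (IKE phase 1, NAT-T detection, ISAKMP-SA, one IPsec SA per direction, first L2TP packet, PPP login, PPP connected) and reports which are missing, so a truncated or failing log can be compared against a known-good one like this. The sample log is a constructed copy of the lines in the post; the milestone list and field names are this example's own choices, not RouterOS terminology beyond the log text itself.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the RouterOS log lines quoted in the post above.
# A raw string keeps the literal "\n" that is part of the NAT-T vendor ID.
SAMPLE_LOG = r"""
22:32:28 ipsec,info respond new phase 1 (Identity Protection): 212.69.11.22[500]<=>92.40.33.44[11988]
22:32:28 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
22:32:28 ipsec received Vendor ID: RFC 3947
22:32:28 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
22:32:28 ipsec received Vendor ID: FRAGMENTATION
22:32:28 ipsec Fragmentation enabled
22:32:28 ipsec 92.40.33.44 Selected NAT-T version: RFC 3947
22:32:28 ipsec Adding xauth VID payload.
22:32:28 ipsec sent phase1 packet 212.69.11.22[500]<=>92.40.33.44[11988] 732a4f9cf65235f9:3b533cf648815df4
22:32:28 ipsec NAT detected: PEER
22:32:28 firewall,info fw accept l2tp input: in:pppoe-out1 out:(unknown 0), src-mac 20:e0:9c:df:1b:4e, proto UDP, 92.40.33.44:11988->212.69.11.22:500, len 436
22:32:28 ipsec Adding remote and local NAT-D payloads.
22:32:28 ipsec sent phase1 packet 212.69.11.22[500]<=>92.40.33.44[11988] 732a4f9cf65235f9:3b533cf648815df4
22:32:29 ipsec NAT-T: ports changed to: 92.40.33.44[40087]<=>212.69.11.22[4500]
22:32:29 ipsec KA list add: 212.69.11.22[4500]->92.40.33.44[40087]
22:32:29 ipsec,info ISAKMP-SA established 212.69.11.22[4500]-92.40.33.44[40087] spi:732a4f9cf65235f9:3b533cf648815df4
22:32:29 ipsec respond new phase 2 negotiation: 212.69.11.22[4500]<=>92.40.33.44[40087]
22:32:29 ipsec searching for policy for selector: 212.69.11.22:1701 ip-proto:17 <=> 92.40.33.44:1701 ip-proto:17
22:32:29 ipsec generating policy
22:32:29 ipsec Adjusting my encmode UDP-Transport->Transport
22:32:29 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
22:32:29 ipsec sent phase2 packet 212.69.11.22[4500]<=>92.40.33.44[40087] 732a4f9cf65235f9:3b533cf648815df4:00000000
22:32:29 ipsec IPsec-SA established: ESP/Transport 92.40.33.44[40087]->212.69.11.22[4500] spi=0x840ab0d
22:32:29 ipsec IPsec-SA established: ESP/Transport 212.69.11.22[4500]->92.40.33.44[40087] spi=0x389325e2
22:32:29 l2tp,info first L2TP UDP packet received from 92.40.33.44
22:32:29 l2tp,ppp,info,account vpn logged in, 10.10.10.249 from 92.40.33.44
22:32:29 l2tp,ppp,info <l2tp-vpn>: authenticated
22:32:29 l2tp,ppp,info <l2tp-vpn>: connected
"""

# "HH:MM:SS topic[,topic...] message"; a leading "[" (a common paste artifact) is tolerated.
LINE_RE = re.compile(r"^\[?(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into timestamp, topic list and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, topics, msg = m.groups()
    return {"time": ts, "topics": topics.split(","), "msg": msg}


def summarize(log_text: str) -> Dict[str, object]:
    """Collect the session milestones and the peer/tunnel details from a log excerpt."""
    s: Dict[str, object] = {
        "phase1_started": False, "nat_detected": None, "isakmp_sa": False,
        "ipsec_sa_count": 0, "ipsec_mode": None, "l2tp_first_packet": False,
        "user": None, "assigned_ip": None, "client_ip": None,
        "ppp_connected": False, "firewall_accepts": [],
    }
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = str(entry["msg"])
        if "respond new phase 1" in msg:
            s["phase1_started"] = True
        if m := re.search(r"NAT detected: (\S+)", msg):
            s["nat_detected"] = m.group(1)          # PEER: client is behind NAT, so NAT-T is used
        if "ISAKMP-SA established" in msg:
            s["isakmp_sa"] = True
        if m := re.search(r"IPsec-SA established: ESP/(\w+)", msg):
            s["ipsec_sa_count"] = int(s["ipsec_sa_count"]) + 1   # expect one SA per direction
            s["ipsec_mode"] = m.group(1)
        if "first L2TP UDP packet" in msg:
            s["l2tp_first_packet"] = True
        if m := re.search(r"^(\S+) logged in, (\S+) from (\S+)$", msg):
            s["user"], s["assigned_ip"], s["client_ip"] = m.groups()
        if re.search(r"<[^>]+>: connected$", msg):
            s["ppp_connected"] = True
        # Firewall log-prefix lines record which rule accepted the packet and its 5-tuple.
        if "firewall" in entry["topics"]:
            if m := re.search(r"proto (\w+), (\S+)->([^,]+)", msg):
                s["firewall_accepts"].append((m.group(1), m.group(2), m.group(3)))
    return s


def missing_steps(summary: Dict[str, object]) -> List[str]:
    """Return human-readable reasons the session did not reach a fully connected state."""
    required = [
        ("phase1_started", "IKE phase 1 never started (check UDP/500 reaching the router)"),
        ("isakmp_sa", "ISAKMP-SA not established (phase 1 failed, e.g. PSK or proposal mismatch)"),
        ("l2tp_first_packet", "no L2TP packet seen inside the tunnel"),
        ("user", "no PPP login recorded"),
        ("ppp_connected", "PPP never reached the connected state"),
    ]
    missing = [reason for key, reason in required if not summary[key]]
    if int(summary["ipsec_sa_count"]) < 2:
        missing.append("fewer than two IPsec SAs (need one per direction)")
    return missing


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"user={result['user']} assigned={result['assigned_ip']} from={result['client_ip']} "
          f"nat={result['nat_detected']} mode={result['ipsec_mode']}")
    print("missing:", missing_steps(result) or "none, tunnel fully established")
```

Because the sample log reports every milestone, the summary shows that the Windows client's IKE, IPsec and PPP layers all came up normally (NAT-T in transport mode, two ESP SAs, PPP address 10.10.10.249). That narrows the problem described in the post to what happens to traffic after the tunnel is up rather than to tunnel establishment itself, which is the kind of distinction this check is meant to make quickly.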