 
Callum
just joined
Topic Author
Posts: 3
Joined: Thu Jan 13, 2022 7:00 am

L2TP/IPSec server behind NAT issues.

Thu Jan 13, 2022 7:55 am

Hi Team,

I have a MikroTik RB750Gr3 behind a NAT router (Fortigate).
The Fortigate is forwarding UDP ports 500 and 4500 and ESP value 50 to the internal IP address of the RB750Gr3.

The connection works, sometimes.
My laptop can connect to the VPN on 1 internet connection and not on another.
Some of the clients can connect and others cannot.

I replicated the same setup on my home network and got the same results.

Someone suggested adjusting the MTU. So I had a play with that on both the RB750Gr3 and the PC but neither made any difference.
The same person also said to enable nat-traversal, but I cannot find it. It no longer seems to be in this section:
/ip ipsec peer
add generate-policy=yes hash-algorithm=sha1 nat-traversal=yes secret=test123456

What have I done wrong?
Please help.

Thanks,
Callum
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP/IPSec server behind NAT issues.

Thu Jan 13, 2022 6:43 pm

IPSec settings moved around a bit, nat-traversal is now in /ip ipsec profile.
 
Callum
just joined
Topic Author
Posts: 3
Joined: Thu Jan 13, 2022 7:00 am

Re: L2TP/IPSec server behind NAT issues.

Fri Jan 14, 2022 1:27 am

Thanks Sob, found it and it is enabled.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP/IPSec server behind NAT issues.

Fri Jan 14, 2022 1:32 am

Some clients, namely Windows, also don't like it when the server is behind NAT and have to be reconfigured to work with it:

https://docs.microsoft.com/en-us/troubl ... t-t-device
 
Callum
just joined
Topic Author
Posts: 3
Joined: Thu Jan 13, 2022 7:00 am

Re: L2TP/IPSec server behind NAT issues.

Fri Jan 14, 2022 7:49 am

Thanks Sob but unfortunately that made no difference.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec server behind NAT issues.

Fri Jan 14, 2022 9:34 am

Usually when the same client works in some network environments and doesn't in others, the difference is how fragmentation is handled on the network path between the client and the server. Where the second fragments of large packets are lost, and thus the large packets do not get through, the IPsec negotiation already fails. But I've seen this with IKEv2 and certificates; I'm not sure whether IKE(v1) with a pre-shared key can ever suffer from this.

Another thing I've seen was that bare IPsec with IKE(v1) did not pass through a Fortigate firewall at the client side because it was tampering with the encrypted payload.

So I'd recommend sniffing at the client PC with a capture filter matching the IP address of the server, and at the server with a capture filter matching the public IP address from behind which the client connects, and comparing the results to see whether all packets and fragments make it to their destinations.
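The comparison sindy describes, as an added example that is not from the thread or from MikroTik: per-packet records exported from the client-side and server-side captures (constructed sample data below, with assumed field names) are grouped by IP ID and checked for complete reassembly, so a large IKE message whose second fragment is dropped on the path shows up as "missing tail" on the server side.

```python
from collections import defaultdict

# Constructed sample records (not real capture data). Each dict is one IP
# packet or fragment: destination, protocol, IP ID, fragment offset in
# bytes, the More-Fragments flag and the payload length it carries.
# The source address is deliberately not recorded: the client PC sees its
# private address before NAT, the server sees the public one, so it would
# never match between the two captures. IP ID survives NAT and is the key.
CLIENT_CAPTURE = [  # taken on the client PC, filtered on the server address
    {"dst": "198.51.100.5", "proto": "UDP", "id": 0x1A2B,
     "offset": 0, "mf": False, "length": 264},     # small IKE message
    {"dst": "198.51.100.5", "proto": "UDP", "id": 0x1A2C,
     "offset": 0, "mf": True, "length": 1480},     # large IKE message, fragment 1
    {"dst": "198.51.100.5", "proto": "UDP", "id": 0x1A2C,
     "offset": 1480, "mf": False, "length": 320},  # fragment 2
]
SERVER_CAPTURE = [  # taken on the router, filtered on the client's public address
    {"dst": "198.51.100.5", "proto": "UDP", "id": 0x1A2B,
     "offset": 0, "mf": False, "length": 264},
    {"dst": "198.51.100.5", "proto": "UDP", "id": 0x1A2C,
     "offset": 0, "mf": True, "length": 1480},     # fragment 2 never arrives
]

def group_datagrams(records):
    """Group fragments by (dst, proto, IP ID); each key is one original datagram."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["proto"], r["id"])].append(r)
    return groups

def reassembly_status(frags):
    """'complete' if the fragments cover the datagram contiguously and end with MF=0."""
    frags = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in frags:
        if f["offset"] != expected:
            return "gap"                 # a middle fragment is absent
        expected = f["offset"] + f["length"]
    return "complete" if not frags[-1]["mf"] else "missing tail"

def compare_captures(client, server):
    """Datagrams that left the client complete but did not arrive complete."""
    client_groups, server_groups = group_datagrams(client), group_datagrams(server)
    problems = []
    for key, frags in client_groups.items():
        if reassembly_status(frags) != "complete":
            continue                     # already broken at the client, not a path problem
        arrived = server_groups.get(key)
        status = reassembly_status(arrived) if arrived else "missing"
        if status != "complete":
            problems.append({"id": key[2], "fragments_sent": len(frags), "server_status": status})
    return problems

if __name__ == "__main__":
    for p in compare_captures(CLIENT_CAPTURE, SERVER_CAPTURE):
        print(f"IP id 0x{p['id']:04x}: {p['fragments_sent']} fragments sent, server saw: {p['server_status']}")
```

Run the same comparison with the captures swapped to check the server-to-client direction, since fragments can be dropped either way.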
