fleg
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Nov 06, 2017 12:31 pm

Can't open connection to L2TP server via port forwarding

Tue Feb 22, 2022 3:31 pm

I have a client MT GW in my network (10.100.4.171) with an activated L2TP server. When I tried to connect from my network 10.100.0.0/16, the connection was made successfully.
But I'd like to connect via the main GW with a public static IP.
I forwarded UDP 500 and 4500.
3 ;;; VPN repack
chain=dstnat action=dst-nat to-addresses=10.100.4.171 to-ports=4500
protocol=udp dst-address=public_IP dst-port=4500 log=no
log-prefix=""

14 ;;; VPN repack
chain=dstnat action=dst-nat to-addresses=10.100.4.171 to-ports=500
protocol=udp dst-address=public_IP dst-port=500 log=no
log-prefix=""
I can see incoming packets on 10.100.4.171 but the connection failed.
4:22:20 ipsec,info respond new phase 1 (Identity Protection): 10.100.4.171[500]<=>85.237.234.6[3697]
14:22:21 ipsec,info ISAKMP-SA established 10.100.4.171[4500]-85.237.234.6[7045] spi:ff076a170ab61237:42c2af4843ec15df
14:22:57 ipsec,info purging ISAKMP-SA 10.100.4.171[4500]<=>85.237.234.6[7045] spi=ff076a170ab61237:42c2af4843ec15df.
14:22:57 ipsec,info ISAKMP-SA deleted 10.100.4.171[4500]-85.237.234.6[7045] spi:ff076a170ab61237:42c2af4843ec15df rekey:1
Is something wrong with GRE?

I have no idea where the problem could be because I have never forwarded L2TP before.
This is a routing case because GW(MT)-----router(MT)-----AP(MT)-----10.100.4.171(MT), but I have no drop rules in the firewalls along the routing trace.
Any ideas?
 
mixig
Member
Posts: 315
Joined: Thu Oct 27, 2011 2:19 pm

Re: Can't open connection to L2TP server via port forwarding

Sat Apr 09, 2022 4:40 pm

To allow L2TP with IPsec traffic, open UDP ports 500, 1701 and 4500.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Can't open connection to L2TP server via port forwarding

Mon Apr 11, 2022 2:35 pm

You also need to forward IPsec ESP (IP protocol 50) to the L2TP VPN server.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Can't open connection to L2TP server via port forwarding

Mon Apr 11, 2022 3:28 pm

No, when NAT traversal is involved the IPsec ESP traffic is encapsulated in UDP. The initial IKE handshake uses UDP port 500; if NAT is detected in the path, a switch to UDP port 4500 is made, and this port is also used for the encapsulated ESP. Once the IPsec connection is established, the L2TP UDP port 1701 traffic is tunneled within it.

If the client device is a Windows PC, the default IPsec settings do not work when connecting to a server behind NAT, see https://docs.microsoft.com/en-us/troubl ... t-t-device
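As an added diagnostic (not code from this thread or from MikroTik), a small Python parser for the ipsec,info log excerpt in the first post: per remote peer it records whether phase 1 completed, whether the responder moved to UDP 4500 (NAT-T detected, as described above), whether a phase 2 IPsec-SA was ever reported, and how many seconds the ISAKMP-SA lived before being purged. The sample lines are constructed from the thread's excerpt (first timestamp completed to 14:22:20); the "IPsec-SA established" phase 2 wording it looks for is an assumption, since no such line appears in the thread.

```python
import re
from datetime import datetime

# Constructed sample: the thread's ipsec,info excerpt, first timestamp completed to 14:22:20.
SAMPLE_LOG = """\
14:22:20 ipsec,info respond new phase 1 (Identity Protection): 10.100.4.171[500]<=>85.237.234.6[3697]
14:22:21 ipsec,info ISAKMP-SA established 10.100.4.171[4500]-85.237.234.6[7045] spi:ff076a170ab61237:42c2af4843ec15df
14:22:57 ipsec,info purging ISAKMP-SA 10.100.4.171[4500]<=>85.237.234.6[7045] spi=ff076a170ab61237:42c2af4843ec15df.
14:22:57 ipsec,info ISAKMP-SA deleted 10.100.4.171[4500]-85.237.234.6[7045] spi:ff076a170ab61237:42c2af4843ec15df rekey:1
"""

# "<time> ipsec,info <message> <local>[port]<=>|-<peer>[port] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}) ipsec,info (?P<msg>.*?)"
    r"(?P<local>\d+\.\d+\.\d+\.\d+)\[(?P<lport>\d+)\](?:<=>|-)"
    r"(?P<peer>\d+\.\d+\.\d+\.\d+)\[(?P<pport>\d+)\]")


def parse(log_text):
    """Yield (time, message, peer_ip, local_udp_port) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%H:%M:%S"),
                   m["msg"].strip().rstrip(":"), m["peer"], int(m["lport"]))


def analyze(log_text, max_life=60):
    """Summarise each remote peer's IKE exchange. 'suspect' flags the thread's symptom:
    phase 1 completed over NAT-T (UDP 4500), no phase 2 'IPsec-SA established' message
    (wording assumed; not shown in the thread), SA purged within max_life seconds."""
    peers = {}
    for ts, msg, peer, lport in parse(log_text):
        p = peers.setdefault(peer, {"phase1": False, "nat_t": False, "ipsec_sa": False,
                                    "established_at": None, "purged_after": None})
        if msg.startswith("respond new phase 1"):
            p["phase1"] = True
        if lport == 4500:                 # responder moved to the NAT-T port
            p["nat_t"] = True
        if msg.startswith("ISAKMP-SA established"):
            p["established_at"] = ts
        if msg.startswith("IPsec-SA established"):
            p["ipsec_sa"] = True
        if msg.startswith("purging ISAKMP-SA") and p["established_at"] is not None:
            p["purged_after"] = int((ts - p["established_at"]).total_seconds())
    for p in peers.values():
        p["suspect"] = (p["phase1"] and p["nat_t"] and not p["ipsec_sa"]
                        and p["purged_after"] is not None and p["purged_after"] < max_life)
    return peers
```

Run `analyze(SAMPLE_LOG)` against a longer export of the server's ipsec log; a peer that keeps showing `suspect` with `nat_t` set points at the NAT-T/phase 2 stage rather than at the initial UDP 500 forward.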
