grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

problems with l2tp/ipsec traffic

Tue May 27, 2025 2:52 pm

Hi,

In my company, I have an RB1100AHx4 router on which I have set up l2tp/ipsec clients for the routers of the companies I manage which are also from Mikrotik.
After updating to v7.18 I noticed that some web pages on the servers I access via VPN are no longer loading correctly, especially those using older software. I have tried all versions from 7.18 to 7.19.1 on my router and they behave the same. The only solution I found was to lower the mtu in the l2tp clients from 1450, which is the default, to 1400 and it seems to work.
I submitted this issue to Mikrotik as ticket SUP-188725 on May 22, which has not yet been taken over by the support team.

Thanks,
Geo
 
BlueTechnomage
newbie
Posts: 49
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: problems with l2tp/ipsec traffic

Tue May 27, 2025 6:47 pm

I am having the same issue. Let me know what they say.
 
grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: problems with l2tp/ipsec traffic

Thu May 29, 2025 10:55 am

It has not yet been read by the Mikrotik team.
 
grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: problems with l2tp/ipsec traffic

Tue Jun 03, 2025 8:03 am

I tested version 7.17 and it has the same problem. Only downgrading to version 7.16.2 solved the problem.
I sent the information to support and am waiting for a response.
 
johnson73
Member Candidate
Posts: 260
Joined: Wed Feb 05, 2020 10:07 am

Re: problems with l2tp/ipsec traffic

Tue Jun 03, 2025 9:28 am

Have you also updated system-> routerboard? I've sometimes just forgotten this step :) I use ipsec vpn in several offices and I have no problems with version 7.19.1. Is it possible to view the config?
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys, etc. )
 
grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: problems with l2tp/ipsec traffic

Tue Jun 03, 2025 10:47 am

I manage the networks of several clients, so over 100 devices, and it occurred to me to update the firmware as well. :D
By the way, it would be very useful if we could also see the firmware version in the winbox interface at Neighbors.
 
grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: problems with l2tp/ipsec traffic

Tue Jun 03, 2025 11:00 am

> Have you also updated system-> routerboard? I've sometimes just forgotten this step :) I use ipsec vpn in several offices and I have no problems with version 7.19.1. Is it possible to view the config?
Some pages load seemingly without problems but I noticed that others load partially or certain subpages do not work. Especially the web pages of servers with older software versions.
But I also had problems with the administration page of truenas, the latest version.
I used to have problems with some RDP sessions to Windows 2012 server but I did not associate them with the l2tp/ipsec connection. Now that I think about it, it is possible that it was also the cause.
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: problems with l2tp/ipsec traffic

Wed Jun 04, 2025 7:51 am

@grusu

Have you tried ovpn or WG maybe on v7.18?

Wondering if you will get the same experience.
 
grusu
Member Candidate
Topic Author
Posts: 168
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: problems with l2tp/ipsec traffic

Wed Jun 04, 2025 11:39 am

Hi nichky,

I am interested in the operation of the l2tp/ipsec vpn service. All the companies I manage use this service to connect remotely. It all started during the covid pandemic.
The advantages are: good security, hardware acceleration, direct support in the Windows operating system. Also, the credentials are saved encrypted, making it difficult to clone them. The Wireguard client contains the settings in the clear; they can be easily copied by anyone. As far as I know, it is the same in the case of OVPN.
OVPN has had unfortunate implementations in older RouterOS versions and I have not used it. It would also be quite complicated to change the settings on all clients now.
I have a site to site WG setup between my router and a client's router and it seems to be working normally.
I suspect the problem is with l2tp, so I don't see what the point is of testing other VPN protocols.

Thanks,
Geo
 
BlueTechnomage
newbie
Posts: 49
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: problems with l2tp/ipsec traffic

Fri Jun 06, 2025 6:33 pm

We upgraded our routers back in 2022 and we had this problem, and the Mikrotik support team could not figure it out and said that it was our Microsoft Windows computers. But we were also having the problem with our Android tablets, and we could not SSH or use Winbox to get to the remote site going through the VPN. It took a Microsoft network engineer to tell them that they were wrong, and the problem was with the VPN router. The IP packets that were being sent out of the VPN were too big. So we had to lower the MTU to 1404 to get it to work right. And with this new version we now have to lower it even more, to 1400. And the worst part of all this was that the support person who was working on the support case never responded, so I had to email their sales team to get a response on my case; it took over 7 months. And they never responded to my last questions. So the MTU has to be set at 1404 to work right. So how come the old router MTU is set to 1460 and works but the new one has to be set lower? And why is the default MTU set to 1450 if that does not work? They just closed the case and never answered.
 
oreggin
Member Candidate
Posts: 205
Joined: Fri Oct 16, 2009 9:21 pm

Re: problems with l2tp/ipsec traffic

Sun Jun 08, 2025 1:25 pm

If you are using a tunnel, you must calculate, or measure by testing, the correct MTU for the tunnel. Furthermore, you must take care of TCP MSS adjustment for TCP to work correctly, as TCP doesn't care about Path MTU.
For example, if you have a correct ISP and you get a 1500-byte MTU for your uplink, then your L2TP tunnel going through the uplink has a 1460-byte MTU. If you are using IPSec to encrypt the L2TP tunnel, it has additional overhead.
For example, my ISP provides me a 1492-byte MTU for the uplink, so my raw L2TP tunnel MTU is 1452 bytes. I use IPSec ESP, which adds 78 bytes of overhead (may vary depending on transform sets), so I must set the L2TP interface MTU to 1374 bytes. Furthermore, I must set TCP MSS adjust for IPv4 to 1334 bytes and for IPv6 to 1314 bytes. These steps are mandatory for correct traffic handling inside the tunnel.
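
The calculate-or-measure procedure from the post above, as an added example that is not part of the thread: it finds the uplink path MTU towards the VPN peer by binary search with don't-fragment pings, then applies the post's arithmetic. The 40-byte L2TP and 78-byte ESP overheads are the post's own figures; the function names, the 576..1500 search range and the use of Linux iputils `ping -M do` are assumptions.

```python
import subprocess
import sys

L2TP_OVERHEAD = 40  # post's figure: uplink 1492 -> raw L2TP MTU 1452
ESP_OVERHEAD = 78   # post's figure; varies with the IPsec transform set
IPV4_TCP_HDR = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
IPV6_TCP_HDR = 60   # 40-byte IPv6 header + 20-byte TCP header, no options


def tunnel_plan(uplink_mtu, esp_overhead=ESP_OVERHEAD):
    """L2TP interface MTU and TCP MSS clamp values for a given uplink MTU."""
    mtu = uplink_mtu - L2TP_OVERHEAD - esp_overhead
    return {"l2tp_mtu": mtu,
            "mss_v4": mtu - IPV4_TCP_HDR,
            "mss_v6": mtu - IPV6_TCP_HDR}


def ping_df(host, ip_size):
    """One IPv4 echo of total size ip_size with DF set (assumes iputils ping)."""
    payload = ip_size - 28  # minus 20-byte IPv4 header and 8-byte ICMP header
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def measure_path_mtu(probe, lo=576, hi=1500):
    """Largest packet size in [lo, hi] that probe(size) accepts, else None.

    Assumes probe is monotonic: every size up to the path MTU passes.
    """
    if not probe(lo):
        return None  # peer unreachable or ICMP filtered: nothing to measure
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    peer = sys.argv[1]  # public address of the VPN peer, given by the operator
    uplink = measure_path_mtu(lambda size: ping_df(peer, size))
    if uplink is None:
        sys.exit("no reply with DF set; cannot measure the path MTU")
    print("uplink path MTU:", uplink)
    print(tunnel_plan(uplink))
```

The probe targets the peer's public address rather than a host inside the tunnel, because the outer packets of an over-sized tunnel may be fragmented on the uplink and still be answered.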
 
Maggiore81
Trainer
Posts: 633
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: problems with l2tp/ipsec traffic

Sun Jun 08, 2025 1:34 pm

We use L2TPv2 (and v3) with IPSEC

We have found excellent results using MRU 1500 and MTU 1400 (so we have space for overhead and encryption)
In the profile be sure that the tickbox about "change MSS" is enabled.
 
antoniocerasuolo
Member Candidate
Posts: 221
Joined: Fri Dec 29, 2023 11:55 am

Re: problems with l2tp/ipsec traffic

Sun Jun 08, 2025 10:28 pm

Hi,

sorry to get in the middle but before I spend the $$..

I'm thinking of getting this RB1100AHx4 to sit between my ISP and my two firewalls.

I'm looking for price vs. quality. Do you recommend this device, as opposed to the RB4XXX or RB5XXX series routers?
 
borte6510
just joined
Posts: 10
Joined: Mon Sep 30, 2024 9:14 pm
Location: turkey

Re: problems with l2tp/ipsec traffic

Wed Jun 11, 2025 9:42 am

What changed after 7.16.2? I lowered the MTU. Still getting disconnected.