I have followed what others have suggested on this forum but nothing worked. I ended up downgrading to version 6.49. I ended up downgrading from 7.6 to 6.49.7 for exactly the same reason: I could not connect via L2TP/IPSEC to one of my servers after the upgrade. Why does Mikrotik screw something up wh...
I spent 4 hours on Friday finding an error in my L2TP/IpSec Setup in Mikrotik which stopped working out of the blue until I realised to reboot my cable modem after which the VPN was instantly working again.
The solution is as simple and embarrassing as it can get: I use a FRITZ!box as a cable modem and IPv6 was disabled on that box. For some reason I was able to connect via LTE for quite a while though. After enabling IPv6 on the FRITZ!box again I can instantly connect both from LTE via L2TP/IPSec and ...
Out of nowhere the VPN connection via L2TP/IPSec from WLAN is working again - I use the IPSec feature from L2TP server. Via LTE it does not and the difference is: When I connect from WLAN the iPhone has the IPv4 address of the Router and no IPv6 address. Via LTE it has an IPv6 address and an IPv4 ad...
What rules do I need in the firewall and are there any specific NAT rules I have to check? My RB4011 handles two other VPN connections without problems (I use the RB4011 as a client to connect to a Windows Server 2019) and there is a VPN connection using xauth and certificates to a LiSS 3000. My iPh...
That makes no difference. I tried the whole day to connect via L2TP/IPSec and Phase 2 does not get established. Then I set up IKEv2 using certificates following a MUM tutorial on YouTube. Both Phase 1 and Phase 2 get established but iOS still does not show connected. I have no clue what happened sin...
I have exactly the same issue it seems. An L2TP/IPSec Setup which did work for years now suddenly stopped working when I try to connect my iPhone (iOS 14.7.1) via LTE. The same setup does work when my iPhone is connected in another WLAN though. Via LTE it keeps saying the packet is retransmitted by <...
I got it running and it's ok for the weekend. Optimisation time next week. I can connect to my Windows RAS using MikroTik L2TP-Client. IP address pool on the RAS starts one IP lower than the local address of my MikroTik for the VPN which means I did add a permanent route to my LAN using the (non chan...
sindy, thx a lot for being patient. Meanwhile I managed to get a connection. I have disabled my manual settings from /ip ipsec policy, /ip ipsec peer and /ip ipsec identity. Then I set up an /interface l2tp-client and got a "NO-PROPOSAL-CHOSEN" when trying to establish phase 2. After some re...
I am half way through. The reason why I could not connect from my iPhone was due to the fact that my provider simply did not enable IPv6 on the server. I did so, removed RAS role and installed it with VPN and NAT, configured RAS and enabled NAT on the NIC for IPSec and address 127.0.0.1 and voila i...
Ok, I guess I found one reason for my problems: I have a tunnel setup to another site. The policy uses a separate IP address on the MikroTik and I have 2 src nat rules for my LAN network and L2TP Server network. The local address for the policy to the Windows RAS belongs to the LAN and there is no s...
P.S.: When I tried my iPhone to connect to the Windows RAS I used LTE so my router is not interfering with any DST-NAT rules and I didn’t get an answer as well. Especially as I enabled detailed logging on the RAS Server I don’t understand there is no output at all in its logs. And my provider of the...
I did already connect the Windows Server as a client to the Mikrotik L2TP Server. And I can see that the MikroTik is establishing phase 1 with the Windows Server from its logfile. So the IPs are correct. Where would I look for the ID (logfile Settings to ipsec and debug) and most importantly how wo...
I try to connect to a Windows Server 2019 RAS using L2TP/IPSec with a Pre-Shared Key. I can establish phase 1 and then the connection gets stuck with an INVALID-ID-INFORMATION error. The same Router (RB4011 Running 6.47.1) establishes a tunnel using IPSec with certificate to another site using a cer...
Little update with no real solution (yet): By coincidence I noticed that when I leave the In-Interface in 11 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=LAG1 connection-mark=WAN1_conn log=no log-prefix="" 12 chain=prerouting action=mark-routi...
Hmm, I already have routing marks in the output chain as well as in the prerouting chain (11-14 from above): 11 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=LAG1 connection-mark=WAN1_conn log=no log-prefix="" 12 chain=prerouting action=ma...
Btw.: As soon as I enter a route for the VPN client to the gateway 10.10.2.1 (ether5-gateway), it does work instantly. Obviously I cannot connect with the same client (IP) via WAN1 because of that route and the client has a dynamic IP. The point is, it is working with that route and it should work ...
Thanks for your answer. The incoming connection is marked with WAN2_conn, it is just that the answer back is going to WAN1 regardless. I have added your rules on the input chain but it does not make a difference. Furthermore I have observed that I had to activate rule 3 in: [admin@MikroTik RB3011] >...
I am lost. I configured PCC as per http://wiki.mikrotik.com/wiki/Manual:PCC and this is working fine. Incoming connections from either WAN interface are marked correctly. The router address is 10.10.2.253, WAN Uplinks are 10.10.1.1 (ether1-gateway) and 10.10.2.1 (ether5-gateway) and the VPN Server is...