IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

bitak · Sat Apr 27, 2013 7:11 am

Hi,
is it possible to configure IPSec/L2TP VPN, when the Mikrotik router is behind NAT, but it is reachable by FQDN (all protocols and ports)?
I tried to add the hostname to my-id-user-fqdn field in ipsec peer configuration, but it still doesn't work.

/ppp profile
add change-tcp-mss=yes dns-server=192.168.101.1 local-address=192.168.101.1 name=VPN_server_profile \
remote-address=vpn_pool_pokus

/ppp secret
add name=ppp_secret password=ppp_pass profile=VPN_server_profile service=l2tp

/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 my-id-user-fqdn=myrouter.mydomain.cz \
nat-traversal=yes secret=VPN_secret

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input protocol=ipsec-esp
add chain=input protocol=gre
add chain=input comment="L2TP VPN" dst-port=500,4500,1701 protocol=udp src-port=""
add action=drop chain=input in-interface=wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan

Thanks for advice,
Jan

tomaskir · Sat Apr 27, 2013 1:05 pm

Do you mean L2TP/IPSec AC being behind NAT, or the L2TP/IPSec client being behind NAT?

bitak · Sat Apr 27, 2013 1:39 pm

L2TP/IPSec AC is behind NAT. Client is not an issue (I'm running the same config on another sites where Mikrotik is the gateway with public IP and it works fine regardless of whether a client is behind NAT).
I need to make VPN to Mikrotik gateway, which has private IP, all traffic to it is routed based on its FQDN. So it's reachable from internet, but not by IP, but only by FQDN.

I also tried to setup PPTP VPN to it and it works, so it's kinda strange for me why L2TP/IPSec not...

tomaskir · Sat Apr 27, 2013 3:48 pm

Pure PPTP will work, that is not a problem.

IPSec will NOT work when the AC is behind NAT. As soon as you involve IPSec, the iniciator can be behind NAT, but the responder (the AC) has to have a public IP.

gazdi · Fri Aug 16, 2013 12:47 am

What is the solution when AC is behind NAT and has private IP ?
I'm having the same problem, the IPSEC VPN Server is behind the mikrotik RB450G.

tomaskir · Fri Aug 16, 2013 2:07 am

The AC can not be behind nat. Only the client can be behind NAT.

gazdi · Fri Aug 16, 2013 9:49 am

Tomaskir see please what I wrote in the the other topic http://forum.mikrotik.com/viewtopic.php?f=14&t=75764

Thanks

Leolo · Wed Aug 21, 2013 6:23 pm

The AC can not be behind nat. Only the client can be behind NAT.

I understand that this is a limitation of Mikrotik devices, no?

Because Windows Server is perfectly capable of working with L2TP clients even when both (server and client) are behind NAT.

tomaskir · Wed Aug 21, 2013 6:24 pm

Its a limitation of IPSec.

For pure L2TP, the AC can be behind NAT no problem. Not for L2TP/IPSec tho.

Leolo · Wed Aug 21, 2013 6:34 pm

Mmm, then how does Windows Server manage to work?

I'd suppose that Microsoft is doing some trick to make it work. But I can assure you that I connect to several Windows 2003 Servers which are behind NAT (and I'm also behind a NAT)

I just have to tweak the registry a little bit:

http://support.microsoft.com/kb/926179

A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

Regards.

tomaskir · Wed Aug 21, 2013 8:31 pm

Oh yeah, with other vendors it can work, Cisco's IPSec works with the AC being behind NAT as well.
They dont include the IP header src and dst addresses and a few more things into the IPSec checksum calculations, and therefore the packet doesnt go invalid when processes by the IPSec process.

With Mikrotik tho, I dont know of any way how to make it work.

mitzone · Sun Sep 15, 2013 9:51 am

it works. I tested this with a win7 client. IPSEC is on a NAT-ed synology NAS. On mikrotik, fw UPD port 500, 1701 and 4500 to the IPSEC vpn server.

on windows client this also needs to be configured :

http://support.microsoft.com/kb/926179

set it to 2.

I just spent a few hours trying to figure this out. Hope this helps anyone who lands here searching for a fix.
Cheers.

tomaskir · Mon Sep 16, 2013 4:11 am

As mentioned before, other vendors IPSec AC can be behind NAT (doesnt matter if NAT is a Mikrotik or not)

The point discussed in this topic was that a Mikrotik IPSec AC can not be behind NAT (no matter what the NAT vendor is)

K1w1user · Tue Sep 24, 2013 4:57 am

I have two Mikrotik devices, x86 and RB1100AHX2 that currently use IPSEC Tunnel mode both behind Cisco Firewalls and using nat at both ends.

So it can be done with mikrotik ROS 6.3 in tunnel mode.

I'm still working on solving the transport mode option.

The policy sa-src-address should be the local outbound address before nat, and the sa-dst-address should be the firewall address that will be natted.
Nat traversal is set.

src-address=10.32.47.0/24 src-port=any dst-address=172.20.201.120/29 \
dst-port=any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.210.50 \
sa-dst-address=(remote-firewall) proposal=default priority=0

the outward facing address (nat destination) is 192.168.210.50

Andoniiiiii · Mon Dec 23, 2013 6:43 pm

As I read here, it could be done, but I am trying and the negotiation for IPSec start but could not be stablished, my scheme:

Private LAN RB951G v6.7 ADSL ROUTER
192.168.0.1/24 -----> 192.168.0.220 192.168.1.220 192.168.1.1 213.56.122.xxx

The ADSL Router default DMZ is 192.168.1.220

I call 213.56.122.xxx from a road-warrior PC using PPTP mschapv2 and VPN works fine.

I try and try using L2TP with IPSec server on mkt and I must have something wrong or it is not posible, it fails on IPSec negotiaion.

It creates:

a Dinamic policy in IP SEC:

src-address="Remote IP Public Address" src-port=any dst-address=213.56.122.xxx\
dst-port=any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=NO sa-src-address=="Remote IP Public Address"\
sa-dst-address=213.56.122.xxx proposal=default priority=2

Remote Peers:

Local Address: 192.168.1.220
Remote Address:="Remote IP Public Address"
Side: Responder
Established: in time...

Installed SA:

Src Address: :="Remote IP Public Address"
Dst Address: 192.168.1.220
...

Can tell me if will work with provided scheme?

Thanks in advance.

Unic · Fri Nov 27, 2015 10:26 am

Hello,

i just want to know if its still not possible to have both sides behind a nat when you use L2TP/IPSEC with mikrotik, or is there now a possibility to create such a VPN-Connection.

I have seen that there are some changes on it lately (f.e. IPSEC Checkbox on L2TP Server)

Best Regards.

ik3umt · Thu May 12, 2016 11:24 am

Quite old discussion , but I had the same problem , no way to make MT L2TP/IPSEC AC behind a nat , because the policy is created using public ip addresses, while SA are installed using MT AC WAN IP (but it is a private one anyway behind a NAT)

If you manually create a policy with MT WAN IP as source and remote client public ip (but it changes frequently , so useless) L2TP/IPSEC works like a charm !!!

Cisco does it , Microsoft does it, other brands do it,

I don't know why Mikrotik cannot implement a way to create a dynamic policy with routerboard WAN interface IP as source for incoming L2TP/IPSEC (or 0.0.0.0/0) requests.
Is it impossible or not enough required by many to be implemented ??

Any answer from MT staff please ??

thank you very much.

P.S. It seems to me , the same issue is present when securing a GRE tunnel between MT devices both end behind a NAT -and- one of two with dynamic ISP ip address:
Again, when a policy is created dynamically by MT device behind NAT it uses wrong parameters thus fails.

With both static ISP address no problems as the policies are created manually the right way.

Can you confirm this ??

djace · Thu May 26, 2016 2:48 pm

Also interested in this, as my Mikrotik is behind NAT! I have no other choice as I am required to do PPPoE by my ISP and this consumes too many resources on the Mikrotik. In order to achieve the maximum line speeds (this is a symmetric 300mbps connection), I need to put in the ISP router in between to do PPPoE take this load off the Mikrotik server... Therefore, the Mikrotik ends up behind NAT.

It would be a bit ridiculous that we can achieve this by redirecting the L2TP/IPSec ports in the Mikrotik to a Linux or Windows server in the LAN, behind NAT, but we can't do this directly on the Mikrotik.

ik3umt · Thu Jun 02, 2016 8:14 pm

Is it an xDSL connection ?
I have no experience but I don't think PPPoE client inside MT machine takes so much resources once PPPoE connection is established.....
In one of my installations I have to do so, configure a cisco router as a straigth dsl modem (ATM and ethernet bridged together) and leave routerboard to do the PPPoE job in order to achieve the REAL public ip address right on the mikrotik WAN interface.

Other ISPs here furnish their own DSL router capable of telephone lines built-in as VoIP in their devices , so you loose this feature if router is replaced, all I can do is a transparent nat without any L2TP possibility if public IP is dynamic

kait · Thu Jan 12, 2017 8:47 pm

Finally it is works on 6.38, thanks.

vilts · Fri Jan 20, 2017 10:08 pm

Finally it is works on 6.38, thanks.

Care to shed some light to this? I'm running 6.38.1 and cannot get this to work. MT server is behind nat and client cannot connect to it.

I did try the examples above, but to no avail. Not sure what or where goes wrong...

gtb · Mon Jan 23, 2017 12:32 am

Hi there, same question: configuring L2TP over IPSec VPN server on RB750 sitting behind a DSL modem (that does NATting), getting error 789 when grying to connect with Microsoft VPN client

netflow · Tue Jan 24, 2017 12:16 am

Care to shed some light to this? I'm running 6.38.1 and cannot get this to work. MT server is behind nat and client cannot connect to it.

I did try the examples above, but to no avail. Not sure what or where goes wrong...

It does not require any special configuration, just ensure you are forwarding UDP ports 500 and 4500 from your NAT router to your MT server.

SPKA16 · Tue Jan 24, 2017 5:34 pm

I would also like to know a example config. It still doesnt seem to work in 6.38.1 to get L2TP-VPN working behind NAT on Mikrotik..

Tue Jan 24, 2017 5:36 pm

Single L2TP/Ipsec client will work behind nat and no specific configuration is needed. If you have multiple clients behind same public IP then you may get a problem.

vilts · Tue Jan 24, 2017 7:33 pm

Strange, doesn't work for me. Tried in AWS with CHR and at home with actual router. Same type of config works like a charm on externally connected MT, but when behind NAT, nothing. Connections are coming in, something happens and that's it, no connection.

I added config from Amazon CHR and logfile as well. Maybe you can take a look?

Firmware is 6.38.1.

Single L2TP/Ipsec client will work behind nat and no specific configuration is needed. If you have multiple clients behind same public IP then you may get a problem.

SPKA16 · Wed Jan 25, 2017 9:01 pm

I don't know what I did wrong before but it seems to be working now with the basic setup.

@vilts:
Config on the CHR doesn't show anything wrong, I pretty much have the same setup. Looks like the logs say it is established so maybe its your client?
Maybe you stil need to add https://support.microsoft.com/en-us/hel ... erver-2008

vilts · Thu Jan 26, 2017 6:22 pm

Thanks, that was it! I had to add that registry key with value 2 for windows 10. Now Win10 and iOS work. No luck with android, but that seems to be android issue already. 2 out of 3 is still a good result. At least RouterOS side is fine now.

@vilts:
Config on the CHR doesn't show anything wrong, I pretty much have the same setup. Looks like the logs say it is established so maybe its your client?
Maybe you stil need to add https://support.microsoft.com/en-us/hel ... erver-2008

darkprocess · Thu Jan 26, 2017 7:54 pm

Can you share the config i was expecting to do the same and i failed lot of time. Thanks

Envoyé de mon SM-A510F en utilisant Tapatalk

vilts · Thu Jan 26, 2017 9:29 pm

Can you share the config i was expecting to do the same and i failed lot of time. Thanks

Very basic config indeed, here's the relevant export from 6.38.1 firmware.

/ip pool
add name=ipsec-pool ranges=192.168.3.3-192.168.3.100
/ppp profile
add local-address=ipsec-pool name=ipsec-profile remote-address=ipsec-pool
/interface l2tp-server server
set authentication=mschap2 default-profile=ipsec-profile enabled=yes ipsec-secret=verisikret use-ipsec=yes
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec peer
add enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret=verisikret
/ppp secret
add name=juser password=passxxx profile=ipsec-profile

But you do need the registry change for newer windows machines. Worked out of the box for iOS and (most likely) wont work with 6.0.x androids due to their bug, as I've read.

pribeiro · Mon Jul 24, 2017 8:44 pm

Single L2TP/Ipsec client will work behind nat and no specific configuration is needed. If you have multiple clients behind same public IP then you may get a problem.

We here also have this problem after switching from old Cisco gear to some Mikrotik routers using L2TP/IPSEC.
In the contractors that share a NAT device only one person (PC) at a time can work in our systems doing remote maintenance of our systems.
Using PPTP (outdated/insecure) this problem doesn't happen.
We were able to reproduce the problem in our lab. when the second user connects to the VPN, the first one (sharing the remote address) looses his connection.

The current L2TP/IPSEC generation should by "NAT friendly"
Is there any solution for this problem/bug?

thanks.

Tue Jul 25, 2017 10:29 am

Solution is not to use L2TP/Ipsec. Instead there are better options. ike1+modeconf or ike2 road warrior setups.

xylograde · Tue Feb 09, 2021 2:15 pm

Solution is not to use L2TP/Ipsec. Instead there are better options. ike1+modeconf or ike2 road warrior setups.

I'm just trying to do that, creating a AC with a brand new RB4011 and RouterOS 6.48.1. Looks tunnel enstablishes, but no traffic is flowing into... see viewtopic.php?t=172425
Can you share a possible configuration for that condition?

Internet (89.12.133.11) <-----> ISP Router (192.168.0.254) <------> Mikrotik (192.168.0.253) <-----> LAN(s)

Thanks!

IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Who is online