I am trying to set up a VPN box (MikroTik) on the internet and have clients (a few simultaneous) connect from behind a NAT.
I tried setting up PPTP, L2TP/IPsec, and pure IPsec, but so far my results are sketchy:
PPTP works but is very unsafe (I would like my private info to remain private).
I can connect from the internet if I am directly connected to it, but not if behind a NAT.
Looking at the forum, there is a plethora of issues with L2TP and NAT.
To give you an idea:
(Android/Windows client) -> phone/router (NAT) -> internet -> RB router (WAN has a public, resolvable and reachable address) -> RADIUS server on LAN*
If I connect from the phone it's working, but if I try with the tablet just behind it (tethering) it's not working. Same goes for everything that has a NAT in between client and server.
*RADIUS is known to be working since it works with the phone.
Here is my current config:
# model = 2011UAS-2HnD
# dec/28/2017 22:43:11 by RouterOS 6.41
# address pool handed to road-warrior clients via mode-config
/ip pool add name=pool-vpn ranges=172.16.0.10-172.16.0.100
# mode-config: clients get an address from pool-vpn and only route 10.0.0.0/8 through the tunnel
/ip ipsec mode-config add address-pool=pool-vpn name=ikev2 split-include=10.0.0.0/8
/ip ipsec policy group add name=ikev2
# phase 2 proposals: the default one, plus a named one used by the ikev2 policy group
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=sha256 enc-algorithms="" lifetime=8h name=ikev2 pfs-group=none
# responder (passive) peer for any client address, PSK + XAuth, policies generated from the template group
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp1024 enc-algorithm=\
aes-256,aes-192,aes-128,3des generate-policy=port-strict hash-algorithm=sha256 mode-config=ikev2 \
passive=yes policy-template-group=ikev2 secret=[thats secret!]
# policy templates: LAN (10.0.0.0/8) and catch-all towards the client pool
/ip ipsec policy
add dst-address=172.16.0.0/24 group=ikev2 src-address=10.0.0.0/8 template=yes
add dst-address=172.16.0.0/24 group=ikev2 src-address=0.0.0.0/0 template=yes
# XAuth users are authenticated against the RADIUS server on the LAN
/ip ipsec user settings
set xauth-use-radius=yes
PS: I know this post may be redundant, sorry about that, but I have not seen any config that actually works when the client is behind NAT. Also note that I did not yet enable IKEv2 (since I have no certificate yet).
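Added example, not part of the original post: the RouterOS-side checks a practitioner would run when IPsec works from a directly connected client but fails from behind a NAT. With NAT traversal, a client behind a NAT moves the IKE exchange to UDP 4500 and carries ESP inside UDP 4500 instead of as plain protocol 50, so both UDP 500 and UDP 4500 must reach the router's input chain; plain ESP only arrives from clients that are not behind a NAT. The fragment assumes the 0.0.0.0/0 peer from the config above, a firewall that otherwise drops unsolicited input on the WAN, and RouterOS 6.41 syntax; the rule comments and the L2TP rule are assumptions for an L2TP/IPsec setup, not something the post shows.

```routeros
# Added example (not from the original post). Assumes the 0.0.0.0/0 peer
# defined above and a firewall that drops unsolicited input on the WAN.

# IKE (UDP 500) and NAT traversal (UDP 4500). A client behind NAT switches to
# UDP 4500 once NAT is detected, so both ports must be accepted.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
# Plain ESP is only seen from clients that are NOT behind a NAT; keep it for those.
add chain=input protocol=ipsec-esp action=accept comment="ESP"
# Only if L2TP/IPsec is also offered: L2TP (UDP 1701) must arrive inside the IPsec policy.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"

# NAT traversal is enabled by default on the peer in 6.41; make sure it was not turned off.
/ip ipsec peer set [ find address=0.0.0.0/0 ] nat-traversal=yes

# Log the IKE negotiation while the NATed client connects, then read it back.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# Confirm the SA was actually established with the NATed client. With NAT-T the
# remote side shows up on port 4500 and ESP traffic is counted by the UDP rule
# above rather than by the ipsec-esp rule.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip firewall filter print stats where chain=input
```

If the counter on the UDP 500/4500 rule stays at zero while the NATed client retries, the packets are not reaching the router at all (upstream NAT or carrier filtering); if it increments but the log shows the negotiation stalling after NAT detection, the problem is on the router side and the log lines name the failing exchange.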