L2TP/IPSec for Road Warrior

donisg · Sat Mar 15, 2014 5:06 pm

Has anyone successfully deployed L2TP/IPSec for Road Warrior?
After two weeks of testing I'm giving up

Situation:
1. Central point. Almost default config Mikrotik router (ROS v.:6.10) with NAT'ed LAN behind it.
2. Clients. Win7, iOS, Android behind NAT'ed Mikrotik. All L2TP users and devices are configured to have their own names/passw. There is no situation same username on separate devices.
3. Configuration was made based on this example: http://www.nasa-security.net/mikrotik/m ... ith-ipsec/
Problem:
Any ONE of clients can successfully connect to central point (access remote LAN resources, etc.)
Second client also successfully connects, but then first client stop working (no internet, no ping to remote LAN resources).
If second client disconnects, first client starts working.
Tried to look at l2tp/ipsec logs but with no luck.

efaden · Sat Mar 15, 2014 5:40 pm

Has anyone successfully deployed L2TP/IPSec for Road Warrior?
After two weeks of testing I'm giving up
Situation:
1. Central point. Almost default config Mikrotik router (ROS v.:6.10) with NAT'ed LAN behind it.
2. Clients. Win7, iOS, Android behind NAT'ed Mikrotik. All L2TP users and devices are configured to have their own names/passw. There is no situation same username on separate devices.
3. Configuration was made based on this example: http://www.nasa-security.net/mikrotik/m ... ith-ipsec/
Problem:
Any ONE of clients can successfully connect to central point (access remote LAN resources, etc.)
Second client also successfully connects, but then first client stop working (no internet, no ping to remote LAN resources).
If second client disconnects, first client starts working.
Tried to look at l2tp/ipsec logs but with no luck.

Post your export.

donisg · Sat Mar 15, 2014 11:04 pm

Post your export.

IPsec and PPP or L2TP?
Sorry, never done export before

efaden · Sat Mar 15, 2014 11:08 pm

Post your whole export, just remove your IP's and passwords.

Basically just type

ros code

/export

and then put the output into Syntax tags here.

Sent from my SCH-I545 using Tapatalk

donisg · Sun Mar 16, 2014 9:51 am

deleted

donisg · Sun Mar 16, 2014 9:52 am

ros code

/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridge1 protocol-mode=rstp
/interface ethernet
set 0 comment=WAN
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 comment="LAN Switch"
/interface wireless
set 0 band=2ghz-b/g/n l2mtu=2290 ssid=MikroTik
/ip neighbor discovery
set ether1 comment=WAN
set ether5 comment="LAN Switch"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=LAN_pool ranges=192.168.0.180-192.168.0.235
/ip dhcp-server
add address-pool=LAN_pool disabled=no interface=ether5 name=dhcp1
/ppp profile
add bridge=bridge1 change-tcp-mss=yes dns-server=8.8.8.8 local-address=\
    192.168.0.254 name=L2TP_IN_Profile only-one=no remote-address=LAN_pool \
    use-encryption=yes use-ipv6=no
/queue simple
add max-limit=128k/1M name=Zydrunas2_speed_limit target=192.168.0.3/32 time=\
    8h-19h,mon,tue,wed,thu,fri
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/certificate scep client
add server=0.0.0.0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_IN_Profile enabled=yes \
    max-mru=1460 max-mtu=1460
/ip address
add address=WAN_IP/24 interface=ether1 network=WAN_Network
add address=192.168.0.254/24 interface=ether5 network=192.168.0.0
add address=192.168.0.42/24 interface=bridge1 network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=212.59.0.1,212.59.1.1,8.8.8.8 gateway=\
    192.168.0.254
/ip dns
set servers=212.59.0.1,212.59.1.1
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new in-interface=ether1 protocol=ipsec-esp
add chain=input connection-state=new in-interface=ether1 protocol=ipsec-ah
add action=log chain=forward content=youtube.com disabled=yes log-prefix=\
    youtube.com src-address=192.168.0.0/24
add action=log chain=forward content=.mp3 log-prefix=mp3 src-address=\
    192.168.0.0/24
add action=drop chain=forward content=.mp3 src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec peer
add dpd-interval=disable-dpd dpd-maximum-failures=1 exchange-mode=main-l2tp \
    generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes \
    secret=SECRET
add
/ip route
add distance=1 gateway=WAN_GW
add disabled=yes distance=1 dst-address=WAN_IP/32 gateway=ether5 \
    pref-src=192.168.0.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=9587
set ssh disabled=yes
set api disabled=yes
/ppp secret
add name=testas password="PASSWORD" profile=L2TP_IN_Profile service=l2tp
add name=NAME password="PASSWORD" profile=\
    L2TP_IN_Profile service=l2tp
add name=NAME2 password="PASWORD" profile=L2TP_IN_Profile service=l2tp
/snmp
set contact=Name enabled=yes location=Ofisas trap-community=\
    public trap-target=192.168.0.64
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=Router
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/system leds
set 0 interface=wlan1
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=84.15.121.61 secondary-ntp=212.59.0.1
/system scheduler
/system script
/tool e-mail
/tool graphing interface
add interface=ether1
add interface=ether5
/tool graphing resource

JanezFord · Sun Mar 16, 2014 11:01 am

Are your clients behind the same gateway using nat-traversal or they connect from different IP?

JF

huntah · Sun Mar 16, 2014 1:05 pm

As far as I know there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection.

For example when two of out employies stay at the same hotel with public Wifi only one can work.
This is the limitation of Mikrotik implementation of L2TP/IPSEC VPN.

Cisco VPN client to Cisco ASA has no problem with multiple clients over same NATed internet connection.

I hope this will be fixed soon or if anyone knows how to make it work with multiple clients please DO tell!

donisg · Sun Mar 16, 2014 2:53 pm

Are your clients behind the same gateway using nat-traversal or they connect from different IP?

JF

Yes, clients are on the same network.

efaden · Sun Mar 16, 2014 2:55 pm

Are your clients behind the same gateway using nat-traversal or they connect from different IP?

JF
Yes, clients are on the same network.

Thats your problem then...

donisg · Sun Mar 16, 2014 3:01 pm

As far as I know there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection.

If this true, its is very bad.
PPTP - non secure, only one connection from same NATes network.
OpenVPN - no UDP support.
L2TP/IPsec - only one connection from same NATes network ???
SSTP - only Windows support (no iOS, Androis clients).

If L2TP/IPsec really can make only one connection, so it looks like Mikrotik has no solution for Road Warrior setup.

What other uses for RW vpn setups?

huntah · Sun Mar 16, 2014 8:00 pm

PPTP works with multiple clients behind same NAT..
If you have multiple static IPs on gateway (L2tp Server) you can make clients connect each to specific static IP.. Yes I know its a stupid work around but it works

Or you can use OpenVPN via TCP.. it also works for multiple Natted clients..

Since you need IOS and Droid I am not sure if SSTP will work (I havent tried that)..

donisg · Sun Mar 16, 2014 8:39 pm

PPTP works with multiple clients behind same NAT..

Works only in case if PPTP helper enabled (Mikrotik). In hotels you cannot configure routers. So in real world it is useless.

If you have multiple static IPs on gateway (L2tp Server) you can make clients connect each to specific static IP.. Yes I know its a stupid work around but it works

If it is 2-3 clients it maybe work around. But when you have 50+ it will not work.

Or you can use OpenVPN via TCP.. it also works for multiple Natted clients..

Did not tried yet. What is wrong with TCP why all wants UDP?

Since you need IOS and Droid I am not sure if SSTP will work (I haven't tried that)..

I tried to google, but could not find SSTP clients for iOS and Androids.

donisg · Sun Mar 16, 2014 8:41 pm

Can Mikrotik support confirm that there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection?

JanezFord · Sun Mar 16, 2014 8:52 pm

PPTP works with multiple clients behind same NAT..
If you have multiple static IPs on gateway (L2tp Server) you can make clients connect each to specific static IP.. Yes I know its a stupid work around but it works
Or you can use OpenVPN via TCP.. it also works for multiple Natted clients..

Since you need IOS and Droid I am not sure if SSTP will work (I havent tried that)..

If you want to use OpenVPN on android device you have to root it. It is not a procedure everyone is comfortable with and it can also cause waranty problems with some mobile operators.

Hopefully Mikrotik will fix this issue with roadwarrior ipsec some day ...

JF.

huntah · Sun Mar 16, 2014 9:11 pm

One more thing I just remembered Mikrotik have enabled IPSEC XAUTH support..
This is on my try list

See here:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

Also no mention of Droid or IOS support.. For Windows you have Shrew VPN Client..

ON PPTP VPN Passthrough I have good experience (in Europe). Most hotels I stayed at have PPTP contrack enabled (VPN Passthrough) on their Routers/Firewalls.

For OpenVPN udp is faster but tcp is more reliable. Most vendors prefer udp (no transmision control) and thus faster and more suitable for VoIP and Gaming. OpenVPN has its own transmision protocol. But I must say if you have enough bandwidth (upload) on VPN server it should also work with tcp and Mikrotik.

jaytcsd · Mon Mar 17, 2014 4:38 am

I can get it working if the ISP isn't port blocking, which in my travels is seen quite often, but as you noticed only one PC can connect at a time.

I tried SSTP but have not been successful, the step by step examples in the wiki are lacking.

Have you seen this?
http://tinc-vpn.org/

I just read about it at https://www.grc.com/sn/sn-445.htm

svetozar · Mon Mar 17, 2014 8:41 am

One more thing I just remembered Mikrotik have enabled IPSEC XAUTH support..
This is on my try list

See here:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

Also no mention of Droid or IOS support.. For Windows you have Shrew VPN Client..

ON PPTP VPN Passthrough I have good experience (in Europe). Most hotels I stayed at have PPTP contrack enabled (VPN Passthrough) on their Routers/Firewalls.

For OpenVPN udp is faster but tcp is more reliable. Most vendors prefer udp (no transmision control) and thus faster and more suitable for VoIP and Gaming. OpenVPN has its own transmision protocol. But I must say if you have enough bandwidth (upload) on VPN server it should also work with tcp and Mikrotik.

Is mikrotik supports ovpn udp?

marrold · Mon Mar 17, 2014 7:33 pm

I'm interested to see if you get this working.

donisg · Mon Mar 17, 2014 11:49 pm

I'm interested to see if you get this working.

Today received answer from Mikrotik support:
Currently we are working on a L2tp/ipsec to support more than one client behind nat.
....
Maybe month, maybe a little longer.

margusl · Mon Jun 16, 2014 3:36 pm

+1.
Any news?
Waiting this also!

margusl · Tue Jun 17, 2014 11:49 am

If you have multiple static IPs on gateway (L2tp Server) you can make clients connect each to specific static IP.. Yes I know its a stupid work around but it works
If it is 2-3 clients it maybe work around. But when you have 50+ it will not work.

How to do it correct/best way, if i have ~10 L2TP/IPSEC clients and 5 useable Publik IP-s?

margusl · Thu Aug 07, 2014 11:34 am

I'm interested to see if you get this working.
Today received answer from Mikrotik support:
Currently we are working on a L2tp/ipsec to support more than one client behind nat.
....
Maybe month, maybe a little longer.

Pushing this thread a little bit... Is there any news from MikroTik? i have looked changelog from latest releases but there aren't fixes for that issue. Can anyone direct me to do workaround to resolve this issue? I really appreciate that!

Best wishes!

donisg · Thu Aug 07, 2014 12:00 pm

Still no news.
I solved my RW case with softether.org.
Very powerful VPN server software. Spend 2 days for setting up, but works like a charm. Very flexible. Open Source.

margusl · Thu Aug 21, 2014 4:58 pm

Still no news.
I solved my RW case with softether.org.
Very powerful VPN server software. Spend 2 days for setting up, but works like a charm. Very flexible. Open Source.

i googled a bit but seems like same issue.
I ended up here: http://www.vpnusers.com/viewtopic.php?p ... 58536c8ff5
Look also: https://wiki.strongswan.org/issues/365

g18c · Thu Aug 28, 2014 1:06 pm

Same issue for me, did anyone have an update from Mikrotik?

cdt · Sat Aug 30, 2014 12:49 pm

Was not able to get the "road warrior" setup working at all in 5.x to 6.18, kept receiving "failed to pre-process ph2 packet." After 3-4 hours, wiping the unit configuration and moving to 6.19 started to work better. Still did not get it to work after another 5 hours. Gave up and re-installed my Sonicwall for now.

jaytcsd · Mon Sep 01, 2014 11:03 am

http://mikrotik.patokatech.com

this works for me from Win 7 and 8. these screen shots are from version 5.??, I have upgraded to
6.19 and it still works.

Generate policy is Port Override in 6.19, I have not updated my screen shots yet.

Only one user can log in at a time.

appleoddity · Wed Dec 31, 2014 4:00 am

Has anybody found a way around this limitation yet? Or, can confirm how to fix it?

I just installed v6.24 and I still can't connect more than one client at a time on the same NATted network.

I'm a new MikroTik user and have been extremely impressed with these little guys. I really didn't expect to hit this issue when setting up VPNs. This is a major limitation. I'm setting up an entirely cloud based infrastructure with domain controller, remote app server, and other things all in the cloud with end to end VPN connectivity for mobile clients. There are many users who will be connecting from the same networks as some others. Thought this MikroTik would work great. But, this is a real drag.

appleoddity · Wed Dec 31, 2014 6:15 am

Still no news.
I solved my RW case with softether.org.
Very powerful VPN server software. Spend 2 days for setting up, but works like a charm. Very flexible. Open Source.

Thank you so much for this suggestion. It is unfortunate that I had to, but I setup SoftEther VPN on a server behind my MikroTik router.

It took me about 20 minutes to install and configure due to the remarkably simple interface. All I had to do was forward UDP ports 500 and 4500 on the MikroTik's public IP to the SoftEther VPN server. Multiple windows clients are now connecting flawlessly on the same NATted network.

alexusss · Sat Apr 04, 2015 2:31 pm

Hi! Is there any news about this bug?
This is real critical issue with Mikrotik! I would like to buy a couple CCR routers.
But after this issue I think my opinion will change.

rbarnhart · Fri Sep 04, 2015 3:20 pm

Has anyone successfully deployed L2TP/IPSec for Road Warrior?
After two weeks of testing I'm giving up
Situation:
1. Central point. Almost default config Mikrotik router (ROS v.:6.10) with NAT'ed LAN behind it.
2. Clients. Win7, iOS, Android behind NAT'ed Mikrotik. All L2TP users and devices are configured to have their own names/passw. There is no situation same username on separate devices.
3. Configuration was made based on this example: http://www.nasa-security.net/mikrotik/m ... ith-ipsec/
Problem:
Any ONE of clients can successfully connect to central point (access remote LAN resources, etc.)
Second client also successfully connects, but then first client stop working (no internet, no ping to remote LAN resources).
If second client disconnects, first client starts working.
Tried to look at l2tp/ipsec logs but with no luck.

Has Mikrotik fixed this? I can only have one L2TP connection at a time if coming from the same natted lan.....

mrz · Wed Sep 09, 2015 7:01 pm

You can have as many L2TP connections as you like from the same NATed router. Limitation is only for ipsec or any combination of ipsec (ipsec/l2tp, ipsec/gre etc.)
Fix for this problem will be in ROS v7.

Janhouse · Thu Feb 18, 2016 2:25 pm

Any ideas when v7 might come out?

saintofinternet · Mon Oct 03, 2016 10:31 am

running a L2TP/IPSec on a Mikrotik router.

cannot connect more than 1 users from a remote NAT'ed network.

only one user connects. if another connects it causes the first one to disconnect.

using Ver. 6.37

craigreilly · Mon Oct 03, 2016 8:36 pm

yes - when do we expect v7 release to fix L2TP with IPsec issues?

saintofinternet · Tue Oct 04, 2016 4:06 am

normis can you suggest a workaround atleast please.... i need it very badly.

Unic · Tue Oct 04, 2016 3:40 pm

Hi,

as more as i use mikrotik, vpn is often the problem.

- No Ipsec behind two nated devices.
- L2TP/IPSEC no multiple Connection behind one external IP.
- no ikev2 Support.
- openvpn: no udp support (that not a problem for me, but openvpn is not implemented very well and you need some fallback switches on newer openvpn clients)
edit: - as far as i know: no IPSec support when both devices are behind NAT

There is a post somewhere where normis asks why all people asking for ros7, its the same OS/GUI! Four points from above are the reason

And another big problem: no performanceoverviews for VPN connections. In the "new" cloudworld vpn is one of the most important features.

saintofinternet · Tue Oct 04, 2016 3:58 pm

i think i am sure to loose a big... big... big... order where i was supposed to deploy Mikrotik for pure VPN purpose....

wondering what i should tell the client now??

malstro · Wed Oct 05, 2016 2:01 pm

.. hm this is really frustrating.

I am really excited about MikroTik and RouterOS (until now) ..

Unfortunately it's really sad, that there is no straight-forward solution to support a totally everyday scenario, to connect the most common devices via a roadwarrior setup (iPhones from within a Hotel Wi-Fi, Laptops from the Starbucks across the street, ... you get the idea)
Also the suggested workarounds aren't suitable for most scenarios:
- you simply can't expect Non-IT-guys to deploy their own AccessPoint which connects to the VPN at every location where they go ..
- you simply can't expect simple users to setup a OpenVPN including all certificates - which is especially impractical for mobile devices ..

Love to see ROS v7 here, which should provide a solution for this issue of a lot of MikroTik customers.

Jan89 · Wed Oct 05, 2016 3:35 pm

I do not have any problems with l2tp over IPsec between mikrotik and devices like windows 10, iphone, another mikrotik. Devices are behind NAT.

generate-policy=port-override

it is important to work with devices behind nat.
Below my configuration:

/interface l2tp-server server
set default-profile=default enabled=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=xxx
/ppp secret
add local-address=192.168.61.1 name=xxx password=xxx remote-address=192.168.61.11 remote-ipv6-prefix=::/64
/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah

saintofinternet · Wed Oct 05, 2016 3:47 pm

hello Jan89...

can you connect multiple devices behind one NAT'ed LAN via VPN to a L2TP/IPSec gateway on Mikrotik?

Jan89 · Wed Oct 05, 2016 3:59 pm

Damn it, with two devices behind the same NAT there is a problem :/
When I connect second device, vpn on the first first stopped working :/

saintofinternet · Wed Oct 05, 2016 5:54 pm

welcome to the party!!!

craigreilly · Wed Oct 05, 2016 6:00 pm

Hi Jan89 - welcome to our nightmare.

So we should all email John Tully and ask him when they are going to release v7. These forums show that this release is sorely needed and should be top of mind for them.
I'm about to jump ship and find a new partner.

Siona · Wed Oct 05, 2016 6:20 pm

You can use sstp. It works OK on doubled NAT. The only problem is bandwidth... It can hit 10-15 mbps.

malstro · Thu Oct 06, 2016 11:04 am

I'm kinda relieved and disappointed at the same time ..

SSTP isn't an option, since it isn't supported by the most common devices (maybe Windows, but not Mac or Smartphones like Android or iOS).
And YES: of course there is somewhat of a solution, like downloading a dedicated client app to support OpenVPN, SSTP, and so on ..

For practical reasons we need a simple and native Multi-Client-Same-NATed-encrypted-VPN solution!

arnaldo · Thu Oct 13, 2016 11:40 pm

Let me joint the party and share my toughts here.

With Apple dropping PPTP, this issue has become a more sensitive problem. Setting up an L2TP/IPSEC server for road warriors was not a major problem once I moved to 6.37.1. It works fine for Win7-10, Android, macOS (10.11 and 10.12) and iOS 10.

But as most know, more than one client behind the same NATed network will not work, nor will it work in case of double NAT

After struggling with this problem for a while found the obvious: IPSEC does not play well with NAT. It was never intended to be used behind NATed endpoints (actual hosts that will use the tunnel can be NATed without any problem). That's why I resigned to a scenario that offer both L2TP/IPSEC and OpenVPN.

One thing here caught my attention: "ROS 7 will remove the restriction for having more than one L2TP/IPSEC user behind the same NATed network".
My understanding is that the router on the client side (road warrior) side of the equation is the one that cannot distinguish the traffic, not the server side router. Therefore, nothing can be done on the server side to remedy the situation.

I may be wrong, but I think that what ROS 7 may add is to allow more than one NATed client when ROS is the remote side router. This will allow multiple users behind a Miktotik with ROS 7 to connect to the same L2TP/IPSEC server (ROS or not).

If I'm correct, this will not solve the dilemma such as when two employees from the same company are in the same hotel trying to reach the company's VPN server (or some similar scenario). Unless the hotel uses a Miktrotik router!

With more and more networks being moved behind NAT gateways, specially with mobile devices, the preferred VPN protocol need to be NAT friendly. There are a few scenarios where it can get really ugly:

a) Double NAT. This one is getting more and more common, like notebook tethered to a mobile device with a carrier that uses NAT.
b) Cheap router with simplistic (TCP/UPD only) NAT or with poor or limited IPSEC NAT.
c) Mobile modems for notebooks that are routers instead of an interface. These guys have really crappy NAT support

That said, I'm more interested in a nice (OpenVPN?) TCP/UDP based VPN. May waste some bandwidth, may be a bit more complex to setup. But way, it works even with the server behind a crappy router (I have one site where the Mikrotik is behind a crappy cable modem and OpenVPN server works there).

Unic · Fri Oct 14, 2016 9:51 pm

One thing here caught my attention: "ROS 7 will remove the restriction for having more than one L2TP/IPSEC user behind the same NATed network".
My understanding is that the router on the client side (road warrior) side of the equation is the one that cannot distinguish the traffic, not the server side router. Therefore, nothing can be done on the server side to remedy the situation.

No, this is a serverside bug and can be fixed by just changing the serverside.

I wonder if the hardwareencryptin (from RB750Gr3 f.e.) can boost OpenVPN encryption too. Than (at least for me) Openvpn would be an alternative as long as i wait for the fix.

The Problem here is simple. I cant sell this for a customer when i need to say: "Of course you can use a roadwarrior with mikrotik as with other Firewalls like fortigate. BUT you cant use it in Hotels f.e. where some of your employees have a meeting. So its a solution that just down work everytime" Bad enough that i need to discuss about missing ikev2 with remoteadmins.

wassimdaccache · Mon Nov 07, 2016 3:07 am

Have the same issue here. I was planning to use Mikrotik for a big deployment. Sadly, i wont be able to use it if they wont release ROS v7 this year.

Siona · Mon Nov 07, 2016 7:47 am

You can check change log of 6.38rc24. There are many ipsec improvements.

infused · Wed Nov 09, 2016 10:47 pm

Well crap.

Is this the same for tunneling l2tp back to a domain controller behind the router (nat). I've been having issues and now thinking this is it...

beamer · Sun Nov 27, 2016 2:22 am

Since Apple has dropped PPTP support altogether, I had to switch to L2TP/IPSec and also came across this nasty limit that only one session through the same NATing router is working.

With PPTP there was no "fix", but for L2TP there should be! Come on Mikrotik!!

One thing here caught my attention: "ROS 7 will remove the restriction for having more than one L2TP/IPSEC user behind the same NATed network".
My understanding is that the router on the client side (road warrior) side of the equation is the one that cannot distinguish the traffic, not the server side router. Therefore, nothing can be done on the server side to remedy the situation.

Microsoft had the same bug with Windows 2008 R2 server but repaired it:
https://support.microsoft.com/en-us/kb/2028625

So it seems it can be fixed on the L2TP server side!

Fred · Thu Dec 08, 2016 6:13 pm

Hi, any news?

hamster · Sun Dec 11, 2016 2:58 pm

I haven't tested out this personally yet, but it seems that a lot of work is being done on IPSec in the upcoming 6.38 release. We might not need to wait for ROSv7. Specifically, check out the changelog in 6.38rc29 release: "ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only)". This line also appears in some earlier RC's as mentioned by Siona.

This might just be what we've been waiting for guys!

margusl · Tue Dec 13, 2016 12:32 pm

Thank You Mikrotik! Very promising! I will try out asap...

Br.
Margus

kpan · Tue Jan 03, 2017 1:26 am

Unfortunatelly I have checked it on 6.38 final and is not working yet.
You cannot establish multiple l2tp/IPsec connection for the same IP to your l2tp/IPsec mikrotik server

mrz · Tue Jan 03, 2017 1:39 pm

l2tp/IPsec is not going to work if all clients initiating l2tp from the same port (unfortunately windows does that, macos and iphones might work since they are using random source port).
What works is if you have pure ipsec in tunnel mode with ikev1 and ikev2.

hamster · Tue Jan 03, 2017 1:49 pm

Thanks for clarification, mrz. A follow-up question: will it also work with L2TP over IPSec and multiple Windows clients in one of the future releases of ROS?

mrz · Tue Jan 03, 2017 1:58 pm

No it will not work. We will not focus on l2tp/ipsec since mostly all vendors are switching to ike2 and l2tp/ipsec becomes deprecated.

OKNET · Tue Jan 03, 2017 11:55 pm

Mrz,
Can you confirm that mikrotik L2TP/ipsec server can't work behind NAT (i.e.NATted by ISP DSL router) when clients (road warriors) have dynamic IP addresses ??

margusl · Wed Jan 04, 2017 12:06 am

Mrz,
Can you confirm that mikrotik L2TP/ipsec server can't work behind NAT (i.e.NATted by ISP DSL router) when clients (road warriors) have dynamic IP addresses ??

Dynamic IP is not a problem and It is not a question to ask here. Mikrotik L2TP/ipsec works very well clients with dynamics IP-s. Problem comes when two or more Windows clients tries to connect from same nated network with same dynamic or static ip.

OKNET · Wed Jan 04, 2017 1:25 am

Ok probably mislead the question because of topic title......
I've simply asked here because I never had a definitive answer on the issue of a MT L2TP/ipsec server running behind a nat (and eventually a solution)
It's an old problem asked for by many of us without a firm answer.

mrz · Wed Jan 04, 2017 12:36 pm

It works, but in some scenarios it might fail. v6.38 definitely have this problem fixed.

hamster · Wed Jan 04, 2017 2:17 pm

And of course, a prerequisite is that you have the ability to manage firewall on your ISP's router and configure port forwarding to your MikroTik...

OKNET · Wed Jan 04, 2017 3:02 pm

And of course, a prerequisite is that you have the ability to manage firewall on your ISP's router and configure port forwarding to your MikroTik...

All incoming internet traffic forwarded transparently to MikroTik WAN (that is a LAN for ISP router)
I've tried tens of configurations
The problem was in dynamically created ipsec policy, that didn't match the MT wan (that, in fact, has a private IP behind ISP router wan)

Just switched to 6.38 ...... bang ! ...... worked at first shot !!

At last....thank you MT staff.

dackhack · Mon Feb 13, 2017 10:47 pm

Hi,
I'm new to mikrotik ipsec/l2tp, and I'm a bit confused. One question:
Two or more clients in a hotel (same ip) trying to connect to a mikrotik router with public ip.
Will it work fine If they are mac computers (random ports)? Will not it work if they are windows (same port)?

hamster · Thu Feb 16, 2017 12:58 am

@dackhack It should work fine if the clients are Mac computers, yes. Or even if one client is Windows and all the others are Macs. The problem will arise when 2 or more clients are Windows computers, behind the same public IP. Perhaps there's a registry hack for Windows to randomise the ports, but I'm not aware of it.

dackhack · Tue Feb 28, 2017 11:01 pm

thank you for your reply @hamster. It does not work for me for mac clients in the same nat. I will continue to test configurations.

hamster · Wed Mar 01, 2017 12:22 am

I'm sorry to hear that. Unfortunately I'm in all Windows/Linux environment, so I have no way to test this out for you, I just gave you information based on information about Macs available on the internet. One thing worth noting here is that some network setups can screw with your clients, for example any "VPN helpers" on client's routers, or it could be even intentionally blocked, so I'd definitely make sure to test this config behind a router/NAT that I have control over.

ferasawadi · Thu Mar 09, 2017 9:06 pm

Hello .
I was woundring . Can u replace my existing hotspot server with L2TP ?
I have few clients who steal customers mac address and steal thier accounts .
I have about 400 active client on hotspot now .
I read alot and i have a small lap i have 10 active l2tp connections and they are work fine .
Can you please advice

plankanater · Wed Apr 12, 2017 6:15 pm

Has anyone figured out the best route to go for this?

Did you install a client on windows? Or did you install like an ASA to handle the vpn?

plankanater · Wed Apr 12, 2017 6:16 pm

Accidentally posted twice. Could not delete.

idlemind · Wed Apr 12, 2017 10:10 pm

Shame this issue is still such a problem. Windows has designed a work-around that is at least feasible. Setup your VPN and add special routes that are triggered only when the connection is active. No more batch file on the desktop ...

https://technet.microsoft.com/itpro/pow ... ctionroute

Windows 10 / Server 2016 only. MS hasn't been back-dating new commandlets like these into Windows 7 even running the latest version of PowerShell.

andybross · Mon Apr 24, 2017 9:08 pm

this helped me to make it work with multitple connections:

IP : IPSEC : PEERS : DEFAULT: advanced: generate policy: port strict

enggheisar · Mon May 08, 2017 9:00 pm

/ip pool
add name=IPSECVPN ranges=172.31.0.2-172.31.0.31
This is the Best and simple config for apple device
/ppp profile
add change-tcp-mss=yes local-address=172.31.0.1 name=ipsec remote-address=IPSECVPN use-encryption=yes

/ppp secret
add name=test password=test profile=ipsec

/interface l2tp-server server
set default-profile=ipsec enabled=yes ipsec-secret=1234567890 use-ipsec=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip ipsec peer
add address=0.0.0.0/0 dpd-interval=2s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=1234567890

If you have problem please send your router debug to me

craigreilly · Thu Oct 19, 2017 11:52 pm

Are you saying this setup should work for multiple road warriors behind the same NAT using a mix of Windows/Apple devices?
Currently we have ipSec disabled to accomodate our Mac users to overcome this issue on the Mikrotik.

idlemind · Fri Oct 20, 2017 6:13 am

A problem IPv6 was born to fix ...

coopertown · Wed Jan 31, 2018 2:52 am

Sorry All, but have to add my 5 cents into this post. We originally decided to test mikrotik as we intend to set up one of our location which uses lots of hardware the order totaling $10k... we were testing it for over a month but when we got to multiple VPN client, we realized that Mikrotik is not the solution given its OpenVPN and L2TP/IPSEC limitation. It is very unfortunate, as I believe its great hardware for price to quality, yet i cant stop wondering... Since this issue existed going back all the way to 2008 (oldest post i've seen on this issue) and given that its 2018, did Mikrotik management realize how much business they lost during that time frame and customers like us now for their hardware? Well... i hope they hurry up with that ROS 7 given that it seems people speak of it as 'mythical unicorn' after all the time they claim to come out with it... but for now, we have to say bye to mikrotik.... I'm very disappointed as i really like it despite its many shortcomings.

gargiulo5000 · Mon Feb 26, 2018 1:22 pm

Hi all,
is this problem related to the Mikrotik as a VPN Server or as a client?
Say for example i want my RouterBoard to act as a client that connects to a remote VPN service,
i want more than one device to use the tunnell simultaneously, not just one!

Thanks for the replies.

sindy · Mon Feb 26, 2018 3:11 pm

Hi all,
is this problem related to the Mikrotik as a VPN Server or as a client?
Say for example i want my RouterBoard to act as a client that connects to a remote VPN service,
i want more than one device to use the tunnell simultaneously, not just one!

Thanks for the replies.

Mikrotik as L2TP/IPsec client suffers from the same limitation like any other client in terms that it must be the only one connecting to a given server from behind the same public IP address. Rumour has it that some servers can overcome this limitation which Mikrotik attributes to the protocol specification.

But if you have a Mikrotik as the server too, you can avoid this limitation by using pure IPsec without L2TP. In this case, several "clients" can connect to the same "server" from behind the same public address (just double-checked that by setting up the second one).

mrz · Mon Feb 26, 2018 3:17 pm

Some clients can also overcome this problem, by randomizing source L2TP port.

sindy · Mon Feb 26, 2018 3:49 pm

Some clients can also overcome this problem, by randomizing source L2TP port.

Now wait a bit

A month ago there was a topic which dealt with that among other things, and Emils has explained that the information about the UDP port on client side NAT is lost at some stage of processing at server side, and from the ESP in transport mode the clients cannot be distinguished from each other. If it can be solved in such a simple way as randomizing the L2TP port at client side, why the client implementation in ROS doesn't have such option yet? That should be ways simpler than modification of the server side handling where you would have to let the remote UDP port bubble to the next processing stage somehow.

For @gargiulo5000, this is likely not an option as it is not available instantly, and my suggestion may not be an option too if the "VPN" is actually used for censorship bypass so the VPN server is not his own one.

mrz · Mon Feb 26, 2018 3:52 pm

It is in TODO list, however that will solve problem only if client is RouterOS. But such setups mostly are done where clients are laptops and mobile devices.

sindy · Mon Feb 26, 2018 4:12 pm

It is in TODO list, however that will solve problem only if client is RouterOS. But such setups mostly are done where clients are laptops and mobile devices.

Agreed that it won't help users using their RB as a VPN server but it would be beneficial for the "centralized bypass of censorwall" setups where I've seen numerous requirements to route part of traffic of LAN clients of the RB through a VPN in another country. And it is not a rule that the RBs used this way have public IPs.

idlemind · Mon Feb 26, 2018 4:25 pm

It is in TODO list, however that will solve problem only if client is RouterOS. But such setups mostly are done where clients are laptops and mobile devices.

How about IPv6 support in the L2TP/IPSec server implementation. This avoids the need for NAT traversal or source port randomization entirely. It's supported in Android and IOS as a client.

gargiulo5000 · Mon Feb 26, 2018 11:48 pm

Some clients can also overcome this problem, by randomizing source L2TP port.
Now wait a bit A month ago there was a topic which dealt with that among other things, and Emils has explained that the information about the UDP port on client side NAT is lost at some stage of processing at server side, and from the ESP in transport mode the clients cannot be distinguished from each other. If it can be solved in such a simple way as randomizing the L2TP port at client side, why the client implementation in ROS doesn't have such option yet? That should be ways simpler than modification of the server side handling where you would have to let the remote UDP port bubble to the next processing stage somehow.

For @gargiulo5000, this is likely not an option as it is not available instantly, and my suggestion may not be an option too if the "VPN" is actually used for censorship bypass so the VPN server is not his own one.

Nailed it,
the server is not mine, it is a third part service for me.
So it's pointless for me to buy a 750Gr3 with hardware IPsec acceleration.
Sweet.
And i suppose this acceleration does not work with OpenVPN.
Even sweeter.
What can i do goddamnit
What can i do

jaytcsd · Tue Feb 27, 2018 1:09 am

Can a mAP be used to tunnel to a Mikrotik using IPIP or EOIP with the mAP letting multiple users in?
I tried this about a year ago but never did get it to work. I think my stumbling point was trying to get the mAP into a motel wifi for the WAN side.

sindy · Tue Feb 27, 2018 10:33 am

Can a mAP be used to tunnel to a Mikrotik using IPIP or EOIP with the mAP letting multiple users in?
I tried this about a year ago but never did get it to work. I think my stumbling point was trying to get the mAP into a motel wifi for the WAN side.

Can you diagram what you want in a new topic as it seems to be only loosely related to the current topic? I am using a client μTik connected to a μTik AP and was using EoIP connection over that to connect two cAPs to a cAPsMAN running on the AP, and there was no trouble in that. I've migrated to VPLS since then but for no particular reason.

idlemind · Tue Feb 27, 2018 3:17 pm

Can a mAP be used to tunnel to a Mikrotik using IPIP or EOIP with the mAP letting multiple users in?
I tried this about a year ago but never did get it to work. I think my stumbling point was trying to get the mAP into a motel wifi for the WAN side.

I did it with cap lites, the little hockey puck looking things. I gave them to friends to use for stretching layer 2 for old games.

Use the L2TP client with or without IPSec on the cap lites. Use the new connection as the basis of the EoIP tunnel if you need a true shared broadcast domain. Allow fragmentation in PPP and EoIP if you need to simulate 1500 MTU to an old game.

In a lot of cases the L2TP with Proxy ARP would be sufficient but adding EoIP makes it Ethernet equivalent and that is the most comfortable place for old software.

Your question in particular, I'd use L2TP Client with IPSec if the mAP is using Internet as transport and has a dynamic IP. You can put EoIP under it if you need to stretch layer 2 for the wireless clients although that's typically not required. You can use BGP or OSPF with static neighbors on L2TP as an alternative to static routes or use normal broadcast (multicast) based discovery with an overlay EoIP or GRE tunnel if you don't want to set a default route back from client to server and inject routes via the PPP functionality on the server.

sindy · Sat Mar 31, 2018 12:41 am

Hi all,
is this problem related to the Mikrotik as a VPN Server or as a client?
Say for example i want my RouterBoard to act as a client that connects to a remote VPN service,
i want more than one device to use the tunnell simultaneously, not just one!

When digging into something else, I've realized and tested that with Mikrotik as an L2TP/IPsec client, there actually is a way that several these Mikrotik clients hidden behind the same public address could access a remote VPN server. @gargiulo5000 or anyone else, are you still interested?

rushlife · Mon Apr 02, 2018 8:47 pm

hi, anybody...
some fix ? any update ?

sindy · Tue Apr 03, 2018 11:39 pm

some fix ? any update ?

On which sub-topic? "Mikrotik as server for 3rd party clients" or "Mikrotik as a client"?

sindy · Thu Apr 05, 2018 11:57 pm

Whoever has not lost interest in this topic, check my solution described in this topic.

ros code

ros code

Who is online