marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Fri Oct 23, 2020 9:28 pm

I am trying to connect to a Windows Server 2019 RAS using L2TP/IPSec with a pre-shared key.

I can establish phase 1, and then the connection gets stuck with an INVALID-ID-INFORMATION error.

The same router (RB4011 running 6.47.1) establishes an IPSec tunnel to another site using a certificate without problems, and I also set up an L2TP/IPSec server on it which I use to connect to when I am away.

What puzzles me even more is that I cannot connect to the Windows Server with my iPhone either, and even though I have logging enabled on the RAS server there is no log entry.

I do have separate rules enabling UDP 500 and 4500 on the Windows Server.

Where could I start looking for a solution? This error seems to be really rare.
 
sindy
Forum Guru
Posts: 11359
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Fri Oct 23, 2020 10:50 pm

> even though I have logging enabled on the RAS Server there is no log entry.

This sounds almost as if you were connecting somewhere else for some reason (maybe a dst-nat rule on the path between the client and the server).

> I do have separate rules enabling UDP 500 and 4500 on the Windows Server.

Do these rules count, so that we could exclude the crazy idea above?

> Where could I start looking for a solution? This error seems to be really rare.

I'd say on some Microsoft support page/center, but maybe you could first try the reverse: set up an L2TP/IPsec server on some other Mikrotik, connect the Windows embedded VPN client configured for L2TP/IPsec and the Mikrotik client, both while running detailed logging at the Mikrotik L2TP/IPsec server side, to see what ID type the Windows client is sending, and set the same ID type when connecting, as a client, to the Windows Server?
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 12:29 am

I did already connect the Windows Server as a client to the Mikrotik L2TP Server.

And I can see from its log file that the MikroTik is establishing phase 1 with the Windows Server, so the IPs are correct.

Where would I look for the ID (logging settings set to ipsec and debug), and most importantly, how would I then set the ID on the MikroTik?
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 12:38 am

P.S.: When I tried to connect my iPhone to the Windows RAS I used LTE, so my router is not interfering with any DST-NAT rules, and I didn't get an answer either.

Especially since I enabled detailed logging on the RAS server, I don't understand why there is no output at all in its logs.

And my vServer provider confirmed they are not blocking any ports.

Just to be sure: in the policy I set my router's LAN IP as SRC and the IP pool of the Windows RAS as DST address, so that all destination IPs are routed through the tunnel.

The peer has the router's WAN address as local and the Windows RAS (WAN) IP as its destination, and this seems to work fine, as phase 1 gets established.
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 12:59 am

OK, I guess I found one reason for my problems:

I have a tunnel set up to another site. The policy uses a separate IP address on the MikroTik, and I have two src-nat rules for my LAN network and L2TP server network.

The local address for the policy to the Windows RAS belongs to the LAN, and there is no src-nat rule set up for it in my firewall.

So I guess I should add a new IP address on my router, which is then the local address of my policy for the RAS, and I have to set up a src-nat rule in the firewall with exactly this IP and the destination address list being the IP pool of the RAS (same as the destination address of the IPsec policy).

Because right now there is no src-nat rule in the firewall for the new VPN site (Windows RAS).
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 1:02 am

This could be a solution for my LAN yet it does not answer why I can’t connect from my iPhone via LTE...
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 2:29 am

The src-nat was necessary but (of course) not the reason for the mentioned problem.

I configured both sides from scratch, added a new PSK and still get INVALID-ID-INFORMATION at the end and no phase 2.
 
sindy
Forum Guru
Posts: 11359
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 4:06 pm

The fact that neither the Mikrotik nor the Apple can connect indicates an issue at Windows server end.

How have you configured the L2TP/IPsec client at Mikrotik side? Using use-ipsec=yes and setting ipsec-secret to the PSK value configured on the server on the /interface l2tp-client row, or have you configured the IPsec peer, identity, and policy manually?

If the former, there is nothing you could do at Mikrotik side. Both the Windows native VPN client and the Mikrotik (if the IPsec configuration is created automatically) send their IP address as their initiator ID in an L2TP/IPsec with PSK setup.

If you've set the IPsec configuration manually, set my-id=address:some.ip.add.ress and remote-id=ignore on the /ip ipsec identity row representing the server and try again.
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 10:01 pm

I am halfway through.

The reason why I could not connect from my iPhone was that my provider simply did not enable IPv6 on the server. I did so, removed the RAS role and installed it with VPN and NAT, configured RAS and enabled NAT on the NIC for IPSec and address 127.0.0.1, and voilà, I can connect from my iPhone.

Now I have to dig a bit deeper into MikroTik manuals and tutorials.

I basically copied the settings I use to connect to another VPN site, but that one uses a certificate. The tunnel is established automatically.

I want to use the same functionality for the MikroTik to connect to my Windows Server 2019 RAS, but using IPSec/L2TP and a PSK.

The big difference here is that I have to specify a username/password to authenticate via RAS. I don't have any certificates installed on the server yet, and I must not use PPTP (for the reasons we all know).

So I have to find a way for the MikroTik to serve as an L2TP client that automatically connects to my Windows Server, and I would prefer to configure all this from within IPSec on the MikroTik side.

If somebody could steer me in the right direction, I would be really grateful.
 
sindy
Forum Guru
Posts: 11359
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 11:30 pm

> If somebody could steer me in the right direction, i would be really grateful.

I've tried already, see my previous post. From what you wrote now instead of explicitly answering my question, I deduce that you've configured the IPsec settings for L2TP manually, rather than allowing RouterOS to create them for you automatically. If so, you need to set the identity row the way I've shown above. Or post the export of the current config for a check.
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sat Oct 24, 2020 11:44 pm

sindy, thanks a lot for being patient.

Meanwhile I managed to get a connection. I have disabled my manual settings from /ip ipsec policy, /ip ipsec peer and /ip ipsec identity.

Then I set up an /interface l2tp-client and got a "NO-PROPOSAL-CHOSEN" when trying to establish phase 2.

After some research I changed the /ip ipsec proposal PFS group from modp1024 to none, and the tunnel got established.

I can ping the remote end of the tunnel, i.e. the Windows RAS, from my MikroTik, but I cannot ping it from my PC; this is now just a routing issue, I guess.
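The working setup from this post, together with the automatic-vs-manual distinction sindy made earlier, as an added RouterOS configuration example (not the poster's own export). The RAS WAN IP, the router's WAN IP, the peer name, the credentials and the PSK are placeholders; the logging line is there so the initiator ID type and the phase 2 error are visible in the router's log.

```routeros
# Added example, not from the thread. Placeholders:
#   198.51.100.10 = Windows RAS WAN IP, 203.0.113.20 = router WAN IP,
#   ras-user / ras-pass = RAS credentials, ChangeMePSK = pre-shared key.

# 1) Log IPsec negotiation (without per-packet noise) so the ID type sent in
#    phase 1 and phase 2 errors such as INVALID-ID-INFORMATION or
#    NO-PROPOSAL-CHOSEN can be read with /log print.
/system logging
add topics=ipsec,!packet action=memory

# 2) Option A (what finally worked in the thread): let RouterOS create the
#    IPsec peer, identity and policy itself. With use-ipsec=yes the client
#    sends its own IP address as the initiator ID, which is what the Windows
#    RAS expects for an L2TP/IPsec PSK connection.
/interface l2tp-client
add name=l2tp-ras connect-to=198.51.100.10 user=ras-user password=ras-pass \
    use-ipsec=yes ipsec-secret=ChangeMePSK add-default-route=no disabled=no

# 3) The automatically created policy uses the default proposal. The RAS
#    answered NO-PROPOSAL-CHOSEN while pfs-group=modp1024 was set; phase 2
#    only came up after PFS was turned off in the default proposal.
/ip ipsec proposal
set [ find default=yes ] pfs-group=none

# 4) Option B (only if the peer/identity/policy are configured by hand and
#    Option A is NOT used; assumes a peer named ras-peer already exists):
#    send the address ID type and do not check the server's ID.
#/ip ipsec identity
#set [ find peer=ras-peer ] my-id=address:203.0.113.20 remote-id=ignore
```

Option A and Option B must not be active at the same time, because the manual peer and the dynamically created one would both target the same RAS address.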
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sun Oct 25, 2020 2:50 am

I got it running and it's ok for the weekend. Optimisation time next week.

I can connect to my Windows RAS using the MikroTik L2TP client. The IP address pool on the RAS starts one IP lower than the local address of my MikroTik for the VPN, which means I added a permanent route to my LAN using the (non-changing) IP of my MikroTik. To be precise:

The IP address on the MikroTik for the L2TP VPN to my RAS is not set.

The IP pool on the RAS is set to 192.168.218.251-192.168.218.252. This means my RAS is always 192.168.218.251 and my MikroTik is always using 192.168.218.252.

Then I ran
route -p ADD 192.168.0.0 MASK 255.255.255.0 192.168.218.252 METRIC 1
and I can reach my LAN from the Windows RAS.

I can ping in both directions. That's enough for the weekend. I am going to look into optimisation next week.
 
marcmerz
newbie
Topic Author
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

Sun Oct 25, 2020 5:58 pm

I wanted to add that one should check whether an IPv6 interface is set up on the RAS, because if not you won't get a connection.