L2TP / IPSEC client behind NAT

Posted: Mon Nov 27, 2017 3:21 pm
by felek
Hi!

I have 3 localizations that have MikroTik routers.
One in a data center with an L2TP/IPsec server and two offices with MikroTik and L2TP/IPsec clients. Everything was working until one day the ISP in one office decided to take away the public IP. After that, the VPN connection is enabled, ping is working, SSH is working, but HTTP is not.
I have no idea where to look for the problem. Connections to the same router from a computer in the same NATed network are working fine. NAT-T is enabled.

Re: L2TP / IPSEC client behind NAT

Posted: Mon Nov 27, 2017 5:45 pm
by pe1chl
You cannot have more than one L2TP connection with the same public IP.
So when your ISP has moved your two locations behind the same public IP (using NAT) you are out of luck.
Ask them to use a different IP for your two locations.

Re: L2TP / IPSEC client behind NAT

Posted: Mon Nov 27, 2017 6:13 pm
by felek
Ok. Thank you, but I have an internal NATed IP only in one localization. And when I connect with the L2TP client on the MikroTik (which is the gateway in that network), HTTP doesn't work (but ping and SSH are working).
When I disabled the VPN on the router and configured it on one computer, despite the NAT, everything was working.

Re: L2TP / IPSEC client behind NAT

Posted: Mon Nov 27, 2017 6:59 pm
by pe1chl
You may have a problem with double NAT in some cases.
When you are using the automatically generated IPsec configuration on the L2TP server, look at the dynamic IPsec peer that it has generated, then remove that IPsec secret at the L2TP server and manually create an IPsec peer with the same configuration as the automatic one, except generate-policy=port-override (instead of port-strict).
When that fixes it, please submit a bug report to MikroTik.
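The workaround described above, written out as an added RouterOS CLI example (not pe1chl's or MikroTik's own configuration). It assumes a RouterOS 6.x L2TP server whose IPsec peer was generated by the L2TP server settings; the PSK placeholder and the printed peer line are constructed, so copy the remaining parameters from your own dynamic peer.

```routeros
# Added example: replacing the auto-generated IPsec peer on the L2TP server
# with a static one that differs only in generate-policy.
# Assumed: RouterOS 6.x, pre-shared key placeholder "<ipsec-secret>".

# 1. Inspect the dynamic peer created by the L2TP server (flag D = dynamic)
#    and note every parameter it carries.
/ip ipsec peer print detail
# Constructed illustration of what such an entry looks like:
#  D address=0.0.0.0/0 port=500 auth-method=pre-shared-key
#    secret="<ipsec-secret>" exchange-mode=main-l2tp passive=yes
#    nat-traversal=yes send-initial-contact=no generate-policy=port-strict

# 2. Remove the secret from the L2TP server so it no longer generates
#    the dynamic peer.
/interface l2tp-server server set use-ipsec=no ipsec-secret=""

# 3. Recreate the peer statically with the same settings, changing only
#    generate-policy from port-strict to port-override.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret="<ipsec-secret>" exchange-mode=main-l2tp passive=yes \
    nat-traversal=yes send-initial-contact=no generate-policy=port-override

# 4. Keep the L2TP server enabled; clients still negotiate IPsec first.
/interface l2tp-server server set enabled=yes

# 5. After a client behind NAT reconnects, confirm a dynamic policy was
#    installed for it and that the SA shows NAT-T in use.
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the static peer with port-override restores HTTP over the tunnel while the port-strict peer does not, that is the evidence to attach to the bug report.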

Re: L2TP / IPSEC client behind NAT

Posted: Tue Nov 28, 2017 5:15 pm
by felek
Ok. Thank you for the suggestion that it could be a bug. I upgraded the software to the latest version and everything is ok :)