
IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Sat Apr 27, 2013 7:11 am
by bitak
Hi,
is it possible to configure IPSec/L2TP VPN, when the Mikrotik router is behind NAT, but it is reachable by FQDN (all protocols and ports)?
I tried to add the hostname to my-id-user-fqdn field in ipsec peer configuration, but it still doesn't work.
/ppp profile
add change-tcp-mss=yes dns-server=192.168.101.1 local-address=192.168.101.1 name=VPN_server_profile \
remote-address=vpn_pool_pokus

/ppp secret
add name=ppp_secret password=ppp_pass profile=VPN_server_profile service=l2tp

/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 my-id-user-fqdn=myrouter.mydomain.cz \
nat-traversal=yes secret=VPN_secret

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input protocol=ipsec-esp
add chain=input protocol=gre
add chain=input comment="L2TP VPN" dst-port=500,4500,1701 protocol=udp src-port=""
add action=drop chain=input in-interface=wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
Thanks for advice,
Jan

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Sat Apr 27, 2013 1:05 pm
by tomaskir
Do you mean L2TP/IPSec AC being behind NAT, or the L2TP/IPSec client being behind NAT?

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Sat Apr 27, 2013 1:39 pm
by bitak
L2TP/IPSec AC is behind NAT. Client is not an issue (I'm running the same config on other sites where Mikrotik is the gateway with a public IP and it works fine regardless of whether a client is behind NAT).
I need to make a VPN to a Mikrotik gateway which has a private IP; all traffic to it is routed based on its FQDN. So it's reachable from the internet, not by IP, but only by FQDN.

I also tried to set up a PPTP VPN to it and it works, so it's kinda strange for me why L2TP/IPSec doesn't...

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Sat Apr 27, 2013 3:48 pm
by tomaskir
Pure PPTP will work, that is not a problem.

IPSec will NOT work when the AC is behind NAT. As soon as you involve IPSec, the initiator can be behind NAT, but the responder (the AC) has to have a public IP.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Fri Aug 16, 2013 12:47 am
by gazdi
What is the solution when the AC is behind NAT and has a private IP?
I'm having the same problem, the IPSEC VPN Server is behind the mikrotik RB450G.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Fri Aug 16, 2013 2:07 am
by tomaskir
The AC cannot be behind NAT. Only the client can be behind NAT.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Fri Aug 16, 2013 9:49 am
by gazdi
Tomaskir, please see what I wrote in the other topic http://forum.mikrotik.com/viewtopic.php?f=14&t=75764

Thanks

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Wed Aug 21, 2013 6:23 pm
by Leolo
The AC cannot be behind NAT. Only the client can be behind NAT.
I understand that this is a limitation of Mikrotik devices, no?

Because Windows Server is perfectly capable of working with L2TP clients even when both (server and client) are behind NAT.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Wed Aug 21, 2013 6:24 pm
by tomaskir
It's a limitation of IPSec.

For pure L2TP, the AC can be behind NAT no problem. Not for L2TP/IPSec tho.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Wed Aug 21, 2013 6:34 pm
by Leolo
Mmm, then how does Windows Server manage to work?

I'd suppose that Microsoft is doing some trick to make it work. But I can assure you that I connect to several Windows 2003 Servers which are behind NAT (and I'm also behind a NAT).

I just have to tweak the registry a little bit:

http://support.microsoft.com/kb/926179
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
Regards.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Wed Aug 21, 2013 8:31 pm
by tomaskir
Oh yeah, with other vendors it can work; Cisco's IPSec works with the AC being behind NAT as well.
They don't include the IP header src and dst addresses and a few more things in the IPSec checksum calculations, and therefore the packet doesn't become invalid when processed by the IPSec process.

With Mikrotik, though, I don't know of any way to make it work.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Sun Sep 15, 2013 9:51 am
by mitzone
It works. I tested this with a Win7 client. IPSEC is on a NAT-ed Synology NAS. On Mikrotik, forward UDP ports 500, 1701 and 4500 to the IPSEC VPN server.

On the Windows client this also needs to be configured:

http://support.microsoft.com/kb/926179

Set it to 2.

I just spent a few hours trying to figure this out. Hope this helps anyone who lands here searching for a fix.
Cheers.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Mon Sep 16, 2013 4:11 am
by tomaskir
As mentioned before, other vendors' IPSec AC can be behind NAT (it doesn't matter if the NAT is a Mikrotik or not).

The point discussed in this topic was that a Mikrotik IPSec AC cannot be behind NAT (no matter what the NAT vendor is).

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Sep 24, 2013 4:57 am
by K1w1user
I have two Mikrotik devices, x86 and RB1100AHX2, that currently use an IPSEC tunnel-mode connection, both behind Cisco firewalls and using NAT at both ends.

So it can be done with Mikrotik ROS 6.3 in tunnel mode.

I'm still working on solving the transport mode option.

The policy sa-src-address should be the local outbound address before NAT, and the sa-dst-address should be the firewall address that will be NATted.
NAT traversal is set.

src-address=10.32.47.0/24 src-port=any dst-address=172.20.201.120/29 \
dst-port=any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.210.50 \
sa-dst-address=(remote-firewall) proposal=default priority=0

The outward-facing address (NAT destination) is 192.168.210.50.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Mon Dec 23, 2013 6:43 pm
by Andoniiiiii
As I read here, it could be done, but I am trying and the IPSec negotiation starts but cannot be established. My scheme:

Private LAN 192.168.0.1/24 -----> RB951G v6.7 (LAN 192.168.0.220 / WAN 192.168.1.220) -----> ADSL ROUTER (LAN 192.168.1.1 / public 213.56.122.xxx)

The ADSL Router default DMZ is 192.168.1.220

I call 213.56.122.xxx from a road-warrior PC using PPTP mschapv2 and VPN works fine.

I try and try using L2TP with the IPSec server on the MKT and I must have something wrong, or it is not possible; it fails on IPSec negotiation.

It creates:

a dynamic policy in IPSEC:

src-address="Remote IP Public Address" src-port=any dst-address=213.56.122.xxx \
dst-port=any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=no sa-src-address="Remote IP Public Address" \
sa-dst-address=213.56.122.xxx proposal=default priority=2

Remote Peers:

Local Address: 192.168.1.220
Remote Address: "Remote IP Public Address"
Side: Responder
Established: in time...

Installed SA:

Src Address: "Remote IP Public Address"
Dst Address: 192.168.1.220
...

Can you tell me if it will work with the provided scheme?

Thanks in advance.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Fri Nov 27, 2015 10:26 am
by Unic
Hello,

I just want to know if it's still not possible to have both sides behind a NAT when you use L2TP/IPSEC with Mikrotik, or is there now a possibility to create such a VPN connection?

I have seen that there are some changes on it lately (e.g. the IPSEC checkbox on the L2TP server).

Best Regards.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu May 12, 2016 11:24 am
by ik3umt
Quite an old discussion, but I had the same problem: no way to make an MT L2TP/IPSEC AC work behind a NAT, because the policy is created using public IP addresses, while SAs are installed using the MT AC WAN IP (which is a private one anyway, behind a NAT).

If you manually create a policy with the MT WAN IP as source and the remote client's public IP (but it changes frequently, so useless), L2TP/IPSEC works like a charm!!!

Cisco does it , Microsoft does it, other brands do it,

I don't know why Mikrotik cannot implement a way to create a dynamic policy with the routerboard WAN interface IP as source for incoming L2TP/IPSEC (or 0.0.0.0/0) requests.
Is it impossible, or not requested by enough people to be implemented??

Any answer from MT staff please ??

thank you very much.


P.S. It seems to me the same issue is present when securing a GRE tunnel between MT devices with both ends behind a NAT and one of the two with a dynamic ISP IP address:
again, when a policy is created dynamically by the MT device behind NAT, it uses wrong parameters and thus fails.

With both static ISP addresses there are no problems, as the policies are created manually the right way.

Can you confirm this ??

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu May 26, 2016 2:48 pm
by djace
Also interested in this, as my Mikrotik is behind NAT! I have no other choice, as I am required to do PPPoE by my ISP and this consumes too many resources on the Mikrotik. In order to achieve the maximum line speeds (this is a symmetric 300 Mbps connection), I need to put the ISP router in between to do PPPoE and take this load off the Mikrotik server... Therefore, the Mikrotik ends up behind NAT.

It would be a bit ridiculous that we can achieve this by redirecting the L2TP/IPSec ports in the Mikrotik to a Linux or Windows server in the LAN, behind NAT, but we can't do this directly on the Mikrotik.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu Jun 02, 2016 8:14 pm
by ik3umt
Is it an xDSL connection?
I have no experience, but I don't think the PPPoE client inside an MT machine takes so many resources once the PPPoE connection is established...
In one of my installations I have to do so: configure a Cisco router as a straight DSL modem (ATM and Ethernet bridged together) and leave the routerboard to do the PPPoE job in order to get the REAL public IP address right on the Mikrotik WAN interface.

Other ISPs here furnish their own DSL router with telephone lines built in as VoIP in their devices, so you lose this feature if the router is replaced; all I can do is a transparent NAT without any L2TP possibility if the public IP is dynamic :(

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu Jan 12, 2017 8:47 pm
by kait
Finally it works on 6.38, thanks.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Fri Jan 20, 2017 10:08 pm
by vilts
Finally it works on 6.38, thanks.
Care to shed some light on this? I'm running 6.38.1 and cannot get this to work. The MT server is behind NAT and the client cannot connect to it.

I did try the examples above, but to no avail. Not sure what or where goes wrong...

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Mon Jan 23, 2017 12:32 am
by gtb
Hi there, same question: configuring an L2TP over IPSec VPN server on an RB750 sitting behind a DSL modem (that does NATting), getting error 789 when trying to connect with the Microsoft VPN client.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Jan 24, 2017 12:16 am
by netflow
Care to shed some light on this? I'm running 6.38.1 and cannot get this to work. The MT server is behind NAT and the client cannot connect to it.

I did try the examples above, but to no avail. Not sure what or where goes wrong...
It does not require any special configuration, just ensure you are forwarding UDP ports 500 and 4500 from your NAT router to your MT server.
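As an added check (not from this thread, MikroTik, or the posters), a Python script that scans a RouterOS export for the pieces the thread says the responder side needs: input-chain accepts for UDP 500, 4500 and 1701 and for ESP, and nat-traversal=yes on the IPsec peer. The sample export is constructed from the peer and filter lines in the first post; the function names are my own.

```python
import re
import shlex

# UDP ports the thread says must reach the L2TP/IPsec responder: IKE, NAT-T, L2TP
REQUIRED_UDP_PORTS = {500, 4500, 1701}

# Constructed sample: peer and input-chain lines from the first post, in export form
SAMPLE_EXPORT = """\
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \\
nat-traversal=yes secret=VPN_secret
/ip firewall filter
add chain=input protocol=ipsec-esp
add chain=input comment="L2TP VPN" dst-port=500,4500,1701 protocol=udp src-port=""
add action=drop chain=input in-interface=wan
"""

def parse_export(text):
    """Return (section, {key: value}) for every add/set command; a trailing
    backslash continues the command on the next line, as in a RouterOS export."""
    rules, section = [], None
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.split()[:1] in (["add"], ["set"]):
            tokens = shlex.split(line)[1:]          # shlex keeps comment="..." whole
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def accepted_udp_ports(rules):
    """UDP destination ports accepted in the input chain. Rule order is not
    checked: an accept placed after the final drop rule would still be useless."""
    ports = set()
    for section, kv in rules:
        if (section == "/ip firewall filter" and kv.get("chain") == "input"
                and kv.get("action", "accept") == "accept" and kv.get("protocol") == "udp"):
            ports |= {int(p) for p in kv.get("dst-port", "").split(",") if p.isdigit()}
    return ports

def check_l2tp_ipsec(text):
    """Summarise what the export has and lacks for an L2TP/IPsec AC behind NAT."""
    rules = parse_export(text)
    peers = [kv for s, kv in rules if s == "/ip ipsec peer"]
    return {
        "missing_udp_ports": REQUIRED_UDP_PORTS - accepted_udp_ports(rules),
        "nat_traversal": any(kv.get("nat-traversal") == "yes" for kv in peers),
        "esp_accepted": any(s == "/ip firewall filter" and kv.get("protocol") == "ipsec-esp"
                            and kv.get("action", "accept") == "accept" for s, kv in rules),
    }
```

The script only inspects the Mikrotik's own export; the port forwards on the upstream NAT router that netflow refers to still have to be verified on that device.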

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Jan 24, 2017 5:34 pm
by SPKA16
I would also like to know an example config. It still doesn't seem to work in 6.38.1 to get L2TP-VPN working behind NAT on Mikrotik.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Jan 24, 2017 5:36 pm
by mrz
A single L2TP/IPsec client will work behind NAT and no specific configuration is needed. If you have multiple clients behind the same public IP then you may get a problem.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Jan 24, 2017 7:33 pm
by vilts
Strange, doesn't work for me. Tried in AWS with CHR and at home with an actual router. The same type of config works like a charm on an externally connected MT, but when behind NAT, nothing. Connections are coming in, something happens and that's it, no connection.

I added config from Amazon CHR and logfile as well. Maybe you can take a look?

Firmware is 6.38.1.
A single L2TP/IPsec client will work behind NAT and no specific configuration is needed. If you have multiple clients behind the same public IP then you may get a problem.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Wed Jan 25, 2017 9:01 pm
by SPKA16
I don't know what I did wrong before but it seems to be working now with the basic setup.

@vilts:
Config on the CHR doesn't show anything wrong, I pretty much have the same setup. Looks like the logs say it is established, so maybe it's your client?
Maybe you still need to add https://support.microsoft.com/en-us/hel ... erver-2008

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu Jan 26, 2017 6:22 pm
by vilts
Thanks, that was it! I had to add that registry key with value 2 for Windows 10. Now Win10 and iOS work. No luck with Android, but that seems to be an Android issue already. 2 out of 3 is still a good result. At least the RouterOS side is fine now.
@vilts:
Config on the CHR doesn't show anything wrong, I pretty much have the same setup. Looks like the logs say it is established, so maybe it's your client?
Maybe you still need to add https://support.microsoft.com/en-us/hel ... erver-2008

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu Jan 26, 2017 7:54 pm
by darkprocess
Can you share the config? I was expecting to do the same and I failed a lot of times. Thanks

Sent from my SM-A510F using Tapatalk

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Thu Jan 26, 2017 9:29 pm
by vilts
Can you share the config? I was expecting to do the same and I failed a lot of times. Thanks
Very basic config indeed, here's the relevant export from 6.38.1 firmware.
/ip pool
add name=ipsec-pool ranges=192.168.3.3-192.168.3.100
/ppp profile
add local-address=ipsec-pool name=ipsec-profile remote-address=ipsec-pool
/interface l2tp-server server
set authentication=mschap2 default-profile=ipsec-profile enabled=yes ipsec-secret=verisikret use-ipsec=yes
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec peer
add enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret=verisikret
/ppp secret
add name=juser password=passxxx profile=ipsec-profile
But you do need the registry change for newer Windows machines. Worked out of the box for iOS and (most likely) won't work with 6.0.x Androids due to their bug, as I've read.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Mon Jul 24, 2017 8:44 pm
by pribeiro
A single L2TP/IPsec client will work behind NAT and no specific configuration is needed. If you have multiple clients behind the same public IP then you may get a problem.
We here also have this problem after switching from old Cisco gear to some Mikrotik routers using L2TP/IPSEC.
At contractors that share a NAT device, only one person (PC) at a time can work in our systems doing remote maintenance.
Using PPTP (outdated/insecure) this problem doesn't happen.
We were able to reproduce the problem in our lab: when the second user connects to the VPN, the first one (sharing the remote address) loses his connection.

The current L2TP/IPSEC generation should be "NAT friendly".
Is there any solution for this problem/bug?

thanks.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Jul 25, 2017 10:29 am
by mrz
The solution is not to use L2TP/IPsec. Instead there are better options: ike1+modeconf or ike2 road warrior setups.

Re: IPSec/L2TP VPN on Mikrotik behind NAT but with FQDN

Posted: Tue Feb 09, 2021 2:15 pm
by xylograde
The solution is not to use L2TP/IPsec. Instead there are better options: ike1+modeconf or ike2 road warrior setups.
I'm just trying to do that, creating an AC with a brand new RB4011 and RouterOS 6.48.1. It looks like the tunnel establishes, but no traffic is flowing into it... see viewtopic.php?t=172425
Can you share a possible configuration for that condition?

Internet (89.12.133.11) <-----> ISP Router (192.168.0.254) <------> Mikrotik (192.168.0.253) <-----> LAN(s)

Thanks!