Hi,

It is quite possible (likely) that the router is messing with it. Unfortunately they are usually also servicing phones, so replacement is less easy.

You could put something (e.g. a Mikrotik) behind the router, and port forward to that temporarily, and see if 4500 and 500 traffic is actually getting through, e.g. with a packet sniffer, or maybe a pass-through firewall rule somewhere.

As "Service" mentioned, if the client is Windows and the server is behind a NAT (and you are using pre-shared key authentication), you need to make the registry changes. This is very specific: it only applies if the server has a port forward to it; it doesn't apply if only the client is behind a NAT. (It doesn't apply for non-Windows clients either.) During IPsec negotiation the client gets told what the server's actual IP address is, and if it doesn't match the external IP address it's sending to (and its PSK, etc.), it refuses to connect.

Good luck

Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Public <public@talk.mikrotik.com.au>
Date sent: Fri, 16 Oct 2020 18:45:57 +1100
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

On Fri, 2020-10-16 at 15:03 +1100, Roger Plant wrote:
You shouldn't port forward 1701; this traffic goes encrypted inside the IPsec on port 4500 (when NATted, as in this case).
I've now read up on this and it does seem that L2TP is carried inside IPsec. I wonder why so many how-tos say that port 1701 needs to be port forwarded?

Also, if it does not need to be port-forwarded, then port-forwarding it should have no effect on whether an L2TP/IPsec VPN can be established or not. Which means that the Telstra router is screwing with either IKE or NAT-T.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)               work +61 2 64957435
http://www.nullarbor.com.au                      mobile +61 428 957160

GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

----------------------------
Roger Plant
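Both Roger's advice to sniff for UDP 500 and 4500 behind the router and Karl's observation that port 1701 should never need forwarding come down to what is visible on the outside of the IPsec tunnel. The following is an added example written for this page, not code posted to the list. The addresses, SPIs and the packet trace in it are constructed; the only protocol facts it relies on are the fixed ISAKMP header layout (RFC 2408), the NAT-T non-ESP marker and one-byte keepalive (RFC 3948), and that ESP never uses SPI 0. Feed it the UDP datagrams a sniffer (e.g. MikroTik's /tool sniffer, exported as a pcap and decoded with any pcap reader) shows on the inside of the Telstra router, and it says which leg of the exchange is missing.

```python
"""
Classify what a packet sniffer in front of an L2TP/IPsec server behind NAT
sees on UDP 500 / 4500, and report which leg of the session never arrives.
Added example for the mailing-list thread above; the trace below is constructed.
"""
import struct

ISAKMP_HDR = struct.Struct("!QQBBBBII")   # 8+8+1+1+1+1+4+4 = 28-byte ISAKMP header
NATT_MARKER = b"\x00\x00\x00\x00"         # RFC 3948 non-ESP marker in front of IKE on 4500

# IKEv1 exchange types; Windows L2TP/IPsec clients negotiate with IKEv1.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}


def parse_isakmp(data):
    """Decode the fixed ISAKMP header, or return None if the datagram is too short."""
    if len(data) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, _nxt, ver, exch, _flags, msg_id, length = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    return {"i_spi": i_spi, "r_spi": r_spi, "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"type {exch}"),
            "msg_id": msg_id, "length": length}


def classify(pkt):
    """pkt = (src_ip, dst_ip, sport, dport, udp_payload) -> short label for that datagram."""
    _src, _dst, sport, dport, payload = pkt
    ports = (sport, dport)
    if 500 in ports:
        return "ike" if parse_isakmp(payload) else "ike-short"
    if 4500 in ports:
        if payload == b"\xff":                  # NAT keepalive, keeps the router's UDP mapping alive
            return "natt-keepalive"
        if payload[:4] == NATT_MARKER:          # IKE floated from 500 to 4500 after NAT detection
            return "ike-natt" if parse_isakmp(payload[4:]) else "ike-natt-short"
        if len(payload) >= 8:                   # ESP: non-zero SPI then sequence number
            return "esp-natt"                   # the L2TP (1701) traffic is encrypted inside this
        return "unknown-4500"
    if 1701 in ports:
        return "l2tp-plaintext"                 # must never show up with L2TP/IPsec
    return "other"


def diagnose(packets, server_ip):
    """Return (code, explanation) for a trace captured just in front of server_ip."""
    seen = {k: False for k in ("ike_in", "ike_out", "natt_in", "natt_out",
                               "esp_in", "esp_out", "l2tp_plain")}
    for pkt in packets:
        direction = "in" if pkt[1] == server_ip else "out"
        kind = classify(pkt)
        if kind == "ike":
            seen["ike_" + direction] = True
        elif kind == "ike-natt":
            seen["natt_" + direction] = True
        elif kind == "esp-natt":
            seen["esp_" + direction] = True
        elif kind == "l2tp-plaintext":
            seen["l2tp_plain"] = True
    checks = [  # first failing check wins; ordered along the session's timeline
        (seen["l2tp_plain"], "plaintext-l2tp", "UDP 1701 seen in the clear: IPsec is not wrapping L2TP"),
        (not seen["ike_in"], "no-ike-in", "no IKE on UDP 500 reaches the server: 500 forward or firewall wrong"),
        (not seen["ike_out"], "no-ike-out", "server never answers on UDP 500"),
        (not seen["natt_in"], "no-natt-in", "IKE starts on 500 but nothing arrives on 4500: NAT-T blocked or mangled"),
        (not seen["natt_out"], "no-natt-out", "UDP 4500 reaches the server but its replies never come back"),
        (not (seen["esp_in"] and seen["esp_out"]), "no-esp", "IKE over NAT-T works but no ESP flows in both directions"),
    ]
    for failed, code, msg in checks:
        if failed:
            return code, msg
    return "ok", "IKE, NAT-T and ESP all flow; L2TP rides inside ESP, so 1701 needs no forward"


def isakmp(i_spi, r_spi, exch, body=b"\x00" * 64):
    """Constructed ISAKMP message: real header layout, opaque body."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exch, 0, 0, ISAKMP_HDR.size + len(body)) + body


def esp(spi, seq, body=b"\x00" * 64):
    """Constructed ESP-in-UDP datagram: SPI, sequence number, opaque ciphertext."""
    return struct.pack("!II", spi, seq) + body


# Constructed trace (addresses are assumptions): client 203.0.113.10 dialling a
# server at 192.168.88.2 behind the port-forwarding router. Main mode starts on
# 500, floats to 4500 once both ends have detected the NAT, then ESP carries L2TP.
CLIENT_IP, SERVER_IP = "203.0.113.10", "192.168.88.2"
SAMPLE_TRACE = [
    (CLIENT_IP, SERVER_IP, 500, 500, isakmp(0x1111, 0, 2)),
    (SERVER_IP, CLIENT_IP, 500, 500, isakmp(0x1111, 0x2222, 2)),
    (CLIENT_IP, SERVER_IP, 4500, 4500, NATT_MARKER + isakmp(0x1111, 0x2222, 2)),
    (SERVER_IP, CLIENT_IP, 4500, 4500, NATT_MARKER + isakmp(0x1111, 0x2222, 2)),
    (CLIENT_IP, SERVER_IP, 4500, 4500, NATT_MARKER + isakmp(0x1111, 0x2222, 32)),
    (SERVER_IP, CLIENT_IP, 4500, 4500, NATT_MARKER + isakmp(0x1111, 0x2222, 32)),
    (CLIENT_IP, SERVER_IP, 4500, 4500, esp(0xC0FFEE01, 1)),
    (SERVER_IP, CLIENT_IP, 4500, 4500, esp(0xDEADBE02, 1)),
    (CLIENT_IP, SERVER_IP, 4500, 4500, b"\xff"),
]
# Same session with the router eating UDP 4500: only the port-500 leg survives.
TRACE_4500_BLOCKED = SAMPLE_TRACE[:2]

if __name__ == "__main__":
    for pkt in SAMPLE_TRACE:
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {pkt[2]:>5}->{pkt[3]:<5} {classify(pkt)}")
    for name, trace in (("full session", SAMPLE_TRACE), ("4500 blocked", TRACE_4500_BLOCKED)):
        print(name, *diagnose(trace, SERVER_IP))
```

A trace that stops at "no-natt-in" is the Telstra-router case Karl describes: IKE answers on 500, the NAT-T float never arrives. Plaintext 1701 on the outside means a client is dialling plain L2TP, which is the only situation in which a 1701 forward does anything. The Windows registry change Roger and "Service" refer to is the AssumeUDPEncapsulationContextOnSendRule DWORD under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent on the client (Microsoft KB 926179; 1 permits a server behind NAT, 2 permits both ends behind NAT, and the client needs a restart afterwards); it matters only once the trace shows 500 and 4500 actually reaching the server.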