I have had a similar issue and a registry tweak fixed it on a Win7/8/10 machine. Try adding these:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Something about going from a NAT to NAT network, I recall.

I have used those Telstra Business Modem/Routers before and can confirm DMZ'ing the Mik or port forwarding to the Mik works with SSTP/L2TP/IKEv2 VPN. They must have the latest firmware though, as there is a bug with the NAT settings I recall that switches between strict and loose? modes. A simple toggle from one back to the other fixed it for me on one job with older firmware.

Also I only ever have to allow UDP 500, 4500 and 1701 with an ipsec policy:in rule to be more secure on the Mik. I only ever port forward UDP 500 and 4500 on the Telstra modems and not 1701.

Kind Regards,

Kym Weckert
Service Technician
Allneeds Computers
342 King William Street Adelaide SA 5000
Ph: 08 8211 8661 | Web: allneeds.com.au
Sales: sales@allneeds.com.au
Tech Support: service@allneeds.com.au
Warranty & Returns: warranty@allneeds.com.au
Mon-Fri 9:30-5:30 | Sat 9:30-2:00 | Public Holidays, please visit website.
ABN: 57 511 389 752

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of public-request@talk.mikrotik.com.au
Sent: Friday, 16 October 2020 2:38 PM
To: public@talk.mikrotik.com.au
Subject: Public Digest, Vol 79, Issue 1

Today's Topics:

1. [OFF-TOPIC] Reverse question (Karl Auer)
2. Re: [OFF-TOPIC] Reverse question (Aaron Were)
3. Re: [OFF-TOPIC] Reverse question (Dave Browning)
4. Re: [OFF-TOPIC] Reverse question (Mike Everest)
5. Re: [OFF-TOPIC] Reverse question (Roger Plant)
6.
Re: [OFF-TOPIC] Reverse question (Roger Plant)

----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Oct 2020 12:44:31 +1100
From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <d2f110cc4f2fecc3647d8bb723b4be627133e64d.camel@nullarbor.com.au>

This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...

I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.

When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.

Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.

Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top). Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!

Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556

------------------------------

Message: 2
Date: Fri, 16 Oct 2020 13:00:00 +1100
From: Aaron Were <awere@tdj.com.au>
To: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <CAAB_-AyHKxDF3hQv67hmOAoVJe_J-u8iF1qa_eFpbb=WKJj+Ag@mail.gmail.com>

Yup, it's a Telstra thing. They sell an L2TP service so practically block any others. Your account manager might be able to help you, or just use WireGuard/OpenVPN etc.
------------------------------

Message: 3
Date: Fri, 16 Oct 2020 12:17:10 +1000
From: Dave Browning <dave@dlbnetworks.com>
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <9eaeeb3d-75d3-e19c-c446-26a8d911c1b2@dlbnetworks.com>

Out of curiosity, why don't you just land the L2TP on the 'tik?
------------------------------

Message: 4
Date: Fri, 16 Oct 2020 14:09:24 +1100
From: "Mike Everest" <mike@duxtel.com>
To: <kauer@nullarbor.com.au>, "'MikroTik Australia Public List'" <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <038601d6a369$c0b66200$42232600$@duxtel.com>

L2TP is a GRE protocol, so there are limitations in supporting independent sessions through NAT (GRE has no 'ports', so NAT can't work the same way).

Since Telstra operate their own L2TP services, I expect that they are likely to have some kind of regime in place that ensures robust provision of that solution, which would need to intercept GRE traffic and inspect/direct accordingly.

So I suppose it's just as likely that 'blocking' other third-party L2TP is probably more of a 'collateral damage' of that system than intentional commercial protection :-j

Cheers! Mike.
------------------------------

Message: 5
Date: Fri, 16 Oct 2020 15:03:25 +1100
From: "Roger Plant" <rplant@melbpc.org.au>
To: MikroTik Public <public@talk.mikrotik.com.au>, kauer@nullarbor.com.au
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <5F891B8D.10053.13E545E@rplant.melbpc.org.au>

Hi,

A couple of thoughts.

If the router is the Telstra business router Netgear V7610 (which it sounds very much like), various software versions of this have lots of problems with port forwarding. Telstra support know all about it, and you (or the registered owner) can ask them to downgrade it (usually they downgrade to version 6A, i.e. 2.2.2.6A).

Note: I have not actually used the specific ports 500 and 4500, but have had to have a few downgraded for other port forwardings.

You shouldn't port forward 1701; this traffic goes encrypted inside the IPsec on port 4500 (when NATed, as in this case), or in the ESP payload when there is no NAT.

Good Luck.

Regards
Roger

----------------------------
Roger Plant

------------------------------

Message: 6
Date: Fri, 16 Oct 2020 15:07:28 +1100
From: "Roger Plant" <rplant@melbpc.org.au>
To: MikroTik Public <public@talk.mikrotik.com.au>, kauer@nullarbor.com.au
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Message-ID: <5F891C80.12862.1420A81@rplant.melbpc.org.au>

One other thought: rebooting the Telstra router after changing the port forwarding is sometimes required.

----------------------------
Roger Plant

------------------------------

Subject: Digest Footer

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

------------------------------

End of Public Digest, Vol 79, Issue 1
*************************************
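Two technical points recur in the thread above: Roger's observation that once the IPsec SA is up, L2TP (UDP 1701) travels inside ESP-in-UDP on port 4500 and so only 500 and 4500 need forwarding through the NAT router, and Kym's practice of accepting UDP 1701 on the MikroTik only with an ipsec-policy "in" match. The following is an added example, not code from the list, from MikroTik or from Synology. It demultiplexes UDP 4500 the way RFC 3948 specifies (a zero 4-byte "non-ESP marker" means IKE follows, anything else is an ESP SPI, a single 0xFF byte is a NAT keepalive) and applies an edge policy that admits L2TP only when it emerged from an IPsec SA. The packets are constructed by hand, and the `via_ipsec` flag on each datagram is an assumption standing in for the firewall's own knowledge that a packet was decapsulated from an SA (on RouterOS that knowledge is what the firewall filter matcher `ipsec-policy=in,ipsec` tests).

```python
"""NAT-T demultiplexing and L2TP admission check for an L2TP/IPsec edge.

Added example (not from the mailing list thread, MikroTik or Synology).
Models what a firewall in front of a VPN server sees from a client behind NAT:
  * UDP 500  : IKE in the clear (before NAT is detected)
  * UDP 4500 : NAT-T, demuxed per RFC 3948 on the first four payload bytes
  * UDP 1701 : L2TP, which in a healthy tunnel only appears after ESP
               decapsulation and so must be admitted only "via IPsec"
All datagrams below are constructed for the example.
"""
import struct
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: zero SPI slot => IKE follows
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte keepalive on 4500
IKE_HEADER_LEN = 28                   # ISAKMP header: 2x8-byte SPI + 12 bytes


@dataclass
class Datagram:
    """A UDP datagram as the firewall sees it (after any ESP decapsulation)."""
    dst_port: int
    payload: bytes
    via_ipsec: bool = False  # assumed flag: delivered out of an IPsec SA


def ike_version(payload: bytes):
    """Major IKE version (1 or 2) from the header's version byte, or None."""
    if len(payload) < IKE_HEADER_LEN:
        return None
    return payload[17] >> 4  # byte 17 = MjVer<<4 | MnVer, after the two SPIs and Next Payload


def classify(d: Datagram) -> str:
    """Name the protocol carried by one datagram."""
    if d.dst_port == 500:
        return "ike" if ike_version(d.payload) else "malformed"
    if d.dst_port == 4500:
        if d.payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        if len(d.payload) < 4:
            return "malformed"
        if d.payload[:4] == NON_ESP_MARKER:
            return "ike-natt" if ike_version(d.payload[4:]) else "malformed"
        return "esp-in-udp"  # non-zero first word is the ESP SPI
    if d.dst_port == 1701:
        return "l2tp"
    return "other"


def esp_spi(d: Datagram) -> int:
    """SPI of an ESP-in-UDP datagram (useful for SA logging); 0 if not ESP."""
    if classify(d) != "esp-in-udp":
        return 0
    return struct.unpack("!I", d.payload[:4])[0]


def admit(d: Datagram) -> bool:
    """Edge policy: IKE and NAT-T always; L2TP only if it came out of IPsec."""
    kind = classify(d)
    if kind in ("ike", "ike-natt", "esp-in-udp", "natt-keepalive"):
        return True
    if kind == "l2tp":
        return d.via_ipsec
    return False


def build_ike_header(version: int, exchange_type: int) -> bytes:
    """Minimal ISAKMP header: I-SPI, R-SPI, next payload, version, exchange, flags, msg id, length."""
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8,
                       0, version << 4, exchange_type, 0, 0, IKE_HEADER_LEN)


def l2tp_control(tunnel_id: int) -> bytes:
    """L2TPv2 control-message header (T, L and S bits set, version 2), RFC 2661."""
    flags = 0x8000 | 0x4000 | 0x0800 | 0x0002
    return struct.pack("!HHHHHH", flags, 12, tunnel_id, 0, 0, 0)


# Constructed capture: one client session as seen at the edge.
SAMPLE_CAPTURE = [
    Datagram(500, build_ike_header(1, 2)),                    # IKEv1 main mode, exchange type 2
    Datagram(4500, NON_ESP_MARKER + build_ike_header(1, 32)),  # IKEv1 quick mode after floating to 4500
    Datagram(4500, NAT_KEEPALIVE),
    Datagram(4500, struct.pack("!II", 0xC0FFEE01, 2) + b"\x00" * 40),  # ESP: SPI, seq, ciphertext
    Datagram(1701, l2tp_control(1), via_ipsec=True),          # L2TP as it emerges from ESP
    Datagram(1701, l2tp_control(7), via_ipsec=False),         # cleartext L2TP straight off the Internet
]


def summarize(capture):
    """Per-protocol counts plus the (index, kind) of every datagram the policy rejects."""
    counts = {}
    rejected = []
    for i, d in enumerate(capture):
        kind = classify(d)
        counts[kind] = counts.get(kind, 0) + 1
        if not admit(d):
            rejected.append((i, kind))
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_CAPTURE)
    print(counts)
    print("rejected:", rejected)
```

Run as a script it reports five admitted datagrams and one rejection: the cleartext L2TP control message that did not arrive through an SA. That rejection is the whole point of Kym's rule; a plain "accept UDP 1701" on the input chain would let anyone on the Internet talk to the L2TP daemon without ever authenticating to IPsec, whereas a filter of the form `/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept` on RouterOS (an assumed rule, not one quoted from the thread) admits it only once it has been decapsulated. It also shows why forwarding 1701 on the outer NAT router is unnecessary: in the capture nothing on 1701 ever exists outside the ESP envelope.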