[OFF-TOPIC] Reverse question
This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...

I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.

When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.

Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.

Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top). Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!

Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Yup, it's a Telstra thing. They sell an L2TP service so practically block any others. Your account manager might be able to help you, or just use WireGuard/OpenVPN etc.

On Fri, 16 Oct 2020, 12:47 Karl Auer, <kauer@nullarbor.com.au> wrote:
This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...
I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.
When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.
Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.
Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top). Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!
Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Out of curiosity, why don't you just land the L2TP on the 'tik?

On 16/10/2020 11:44 am, Karl Auer wrote:

I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.
On Fri, 2020-10-16 at 12:17 +1000, Dave Browning wrote:
Out of curiosity, why don't you just land the L2TP on the 'tik?
At home, where the MikroTik is the endpoint, a VPN terminated on the NAS works just fine. It's a client with a Telstra router/modem that has the problem.

The Telstra device does allegedly support L2TP/IPsec with PSK, so I suppose one Plan B would be to try terminating it there.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Friday, 16 October 2020 12:45 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] [OFF-TOPIC] Reverse question
This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...
I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.
When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.
Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.
Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top). Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!

L2TP is a GRE protocol, so there are limitations in supporting independent sessions through NAT (GRE has no 'ports' so NAT can't work the same way). Since Telstra operate their own L2TP services, I expect that they are likely to have some kind of regime in place that ensures robust provision of that solution, which would need to intercept GRE traffic and inspect/direct accordingly. So I suppose it's just as likely that 'blocking' other third-party L2TP is probably more of a 'collateral damage' of that system than intentional commercial protection :-j

Cheers! Mike.
Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Hi,

A couple of thoughts.

If the router is the Telstra business router Netgear V7610 (which it sounds very much like), various software versions of this have lots of problems with port forwarding. Telstra support know all about it, and you (or the registered owner) can ask them to downgrade it (usually they downgrade to version 6A, 2.2.2.6A).

Note: I have not actually used the specific ports 500 and 4500, but have had to have a few downgraded for other port forwardings.

You shouldn't port forward 1701; this traffic goes encrypted inside the IPsec on port 4500 (when NATted, as in this case), or in the ESP payload when there is no NAT.

Good Luck.

Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Public <public@talk.mikrotik.com.au>
Date sent: Fri, 16 Oct 2020 12:44:31 +1100
Subject: [MT-AU Public] [OFF-TOPIC] Reverse question
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...

I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.

When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.

Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.

Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top). Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!

Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556

----------------------------
Roger Plant
On Fri, 2020-10-16 at 15:03 +1100, Roger Plant wrote:
A couple of thoughts.
Thanks Roger.
Telstra support know all about it, and you (or the registered owner) can ask them to downgrade it. (usually they downgrade to version 6A) 2.2.2.6A
*They* downgrade it? Might leave that as a last resort.
You shouldn't port forward 1701, this traffic goes encrypted inside the ipsec on port 4500 (when natted as in this case).
OK - will have to read up a bit more on this :-)

It's all starting to sound as if deep-sixing the Telstra router is the best and simplest solution.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
On Fri, 2020-10-16 at 15:03 +1100, Roger Plant wrote:
You shouldn't port forward 1701, this traffic goes encrypted inside the ipsec on port 4500 (when natted as in this case).
I've now read up on this and it does seem that L2TP is carried inside IPsec. I wonder why so many how-tos say that port 1701 needs to be port forwarded?

Also, if it does not need to be port-forwarded, then port-forwarding it should have no effect on whether an L2TP/IPsec VPN can be established or not. Which means that the Telstra router is screwing with either IKE or NAT-T.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Hi,

It is quite possible (likely) that the router is messing with it. Unfortunately they are usually also servicing phones, so replacement is less easy.

You could put something (e.g. a Mikrotik) behind the router, and port forward to that temporarily, and see if 4500 and 500 traffic is actually getting through. E.g. packet sniffer, or maybe a pass-through firewall rule somewhere.

As "Service" mentioned, if the client is Windows and the server is behind a NAT (and you are using pre-shared key authentication), you need to make the registry changes. This is very specific: it's only if the server has a port forward to it; it doesn't apply if only the client is behind a NAT. (It doesn't apply for non-Windows clients either.)

During IPsec negotiation the client gets told what the server's actual IP address is, and if it doesn't match the external IP address it's sending to (and its PSK, etc.) it refuses to connect.

Good Luck
Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Public <public@talk.mikrotik.com.au>
Date sent: Fri, 16 Oct 2020 18:45:57 +1100
Subject: Re: [MT-AU Public] [OFF-TOPIC] Reverse question
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

On Fri, 2020-10-16 at 15:03 +1100, Roger Plant wrote:
You shouldn't port forward 1701, this traffic goes encrypted inside the ipsec on port 4500 (when natted as in this case).
I've now read up on this and it does seem that L2TP is carried inside IPsec. I wonder why so many how-tos say that port 1701 needs to be port forwarded?

Also, if it does not need to be port-forwarded, then port-forwarding it should have no effect on whether an L2TP/IPsec VPN can be established or not. Which means that the Telstra router is screwing with either IKE or NAT-T.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556

----------------------------
Roger Plant
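Roger's two points above (L2TP travels inside the IPsec/UDP 4500 stream once NAT-T is in use, and the way to tell where the Telstra box is breaking things is to sniff on a host behind it and see whether UDP 500 and 4500 actually arrive) can be turned into a small triage tool. The following Python is an added example, not code from the thread or from any of the posters. It assumes you have already captured the inbound datagrams that reached the host behind the router (with any packet sniffer) and extracted them as (source IP, destination UDP port, payload) triples; the constructed sample captures at the bottom are made-up test data, not real traffic. The parsing follows the IKE header layout (ISAKMP / IKEv2), the UDP encapsulation of ESP with its non-ESP marker and one-byte keepalive (RFC 3948), and the L2TPv2 header (RFC 2661).

```python
"""Classify UDP datagrams seen on the LAN side of a port-forwarded L2TP/IPsec server.

Added example (not from the mailing-list thread). Input is a list of
(src_ip, dst_port, payload) triples already extracted from a capture.
"""
import struct
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Well-known ports used by an L2TP/IPsec server.
IKE_PORT = 500      # IKE (ISAKMP) before NAT is detected
NAT_T_PORT = 4500   # IKE and ESP-in-UDP once NAT traversal is in effect
L2TP_PORT = 1701    # L2TP itself; only visible on the wire when IPsec is NOT used

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix of IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: one-byte NAT-T keepalive

IKE_EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode",
    4: "IKEv1 Aggressive Mode",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}


def parse_ike(payload: bytes) -> Optional[str]:
    """Describe an IKE message from its 28-byte header, or None if it is not IKE."""
    if len(payload) < 28:
        return None
    _ispi, rspi, _next, version, exch, _flags, _msg_id, length = struct.unpack("!QQBBBBII", payload[:28])
    major = version >> 4
    if major not in (1, 2) or length != len(payload):
        return None
    name = IKE_EXCHANGE_NAMES.get(exch, f"IKEv{major} exchange {exch}")
    phase = "initiator" if rspi == 0 else "responder SPI set"
    return f"{name} ({phase})"


def classify(dst_port: int, payload: bytes) -> str:
    """Map one inbound UDP datagram to what it means for the VPN (category before the colon)."""
    if dst_port == IKE_PORT:
        ike = parse_ike(payload)
        return f"ike/500: {ike}" if ike else "udp/500: not IKE"
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-t/4500: keepalive"
        if payload.startswith(NON_ESP_MARKER):          # IKE riding inside UDP 4500
            ike = parse_ike(payload[4:])
            return f"ike/4500: {ike}" if ike else "udp/4500: bad non-ESP marker"
        if len(payload) >= 8:                           # otherwise ESP: SPI + sequence number
            spi, seq = struct.unpack("!II", payload[:8])
            return f"esp/4500: SPI 0x{spi:08x} seq {seq}"
        return "udp/4500: runt"
    if dst_port == L2TP_PORT:
        # L2TPv2: T bit (0x80 of byte 0) marks a control message; low nibble of byte 1 is the version.
        if len(payload) >= 2 and payload[1] & 0x0F == 2:
            kind = "control" if payload[0] & 0x80 else "data"
            return f"l2tp/1701: plaintext {kind} message (no IPsec!)"
        return "udp/1701: not L2TP"
    return f"udp/{dst_port}: unrelated"


def diagnose(datagrams: Iterable[Tuple[str, int, bytes]]) -> Tuple[Counter, List[str]]:
    """Count which stages reached the host and say where the path is broken."""
    seen = Counter(classify(port, payload).split(":")[0] for _, port, payload in datagrams)
    findings = []
    if not seen["ike/500"]:
        findings.append("no IKE on UDP 500: the router is not forwarding or allowing IKE")
    elif not (seen["ike/4500"] or seen["esp/4500"]):
        findings.append("IKE on 500 arrived but nothing on 4500: NAT-T traffic is blocked or mis-forwarded")
    elif not seen["esp/4500"]:
        findings.append("IKE on 4500 but no ESP followed: negotiation did not complete "
                        "(bad PSK, peer rejected the NATted address) or ESP-in-UDP is dropped")
    else:
        findings.append("IKE and ESP-in-UDP both reached the host: transport works, look inside the tunnel (L2TP/PPP)")
    if seen["l2tp/1701"]:
        findings.append("plaintext L2TP on 1701 from outside: that peer is not using IPsec; "
                        "a 1701 forward is not needed for L2TP/IPsec")
    return seen, findings


def ike_message(exchange: int, major: int, rspi: int = 0, body: bytes = b"") -> bytes:
    """Build a minimal IKE header for the constructed samples below (no real payloads)."""
    next_payload = 33 if major == 2 else 1            # SA payload type for IKEv2 / IKEv1
    flags = 0x08 if major == 2 else 0                 # IKEv2 initiator flag
    header = struct.pack("!QQBBBBII", 0x1122334455667788, rspi, next_payload,
                         major << 4, exchange, flags, 0, 28 + len(body))
    return header + body


# Constructed sample captures (made-up addresses and SPIs), as a LAN-side sniffer would deliver them.
WORKING_CAPTURE = [
    ("203.0.113.10", 500, ike_message(2, 1)),                              # Main Mode, first packet
    ("203.0.113.10", 500, ike_message(2, 1, rspi=0x99)),                   # Main Mode continues
    ("203.0.113.10", 4500, NON_ESP_MARKER + ike_message(32, 1, rspi=0x99)),  # Quick Mode after NAT-T float
    ("203.0.113.10", 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 40),  # ESP-in-UDP (carries L2TP)
    ("203.0.113.10", 4500, NAT_KEEPALIVE),
]
BLOCKED_CAPTURE = [("203.0.113.10", 500, ike_message(2, 1))] * 3           # IKE retries, 4500 never arrives

if __name__ == "__main__":
    for label, capture in (("working", WORKING_CAPTURE), ("blocked", BLOCKED_CAPTURE)):
        seen, findings = diagnose(capture)
        print(label, dict(seen), *findings, sep="\n  ")
```

Run against the constructed "blocked" capture it reports that IKE reached the host on 500 but nothing ever arrived on 4500, which is the pattern to expect if the upstream router mangles or drops NAT-T; the "working" capture shows the L2TP session never appearing on 1701 at all, because by then it is inside the ESP-in-UDP stream on 4500.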
Can you forward ESP (type 50) packets with the Telstra unit? If not you will struggle to get this working. If you can move to just using IKEv2 instead of L2TP/IPsec for authentication, encryption and tunnelling you can convince it to use only UDP port 500 to do everything.

Regards,
Jason Hecker <https://www.upandrunningtech.com.au/>

On Sat, 17 Oct 2020, at 09:44, Roger Plant wrote:
Hi,
It is quite possible (likely) that the router is messing with it. Unfortunately they are usually also servicing phones, so replacement is less easy.

You could put something (e.g. a Mikrotik) behind the router, and port forward to that temporarily, and see if 4500 and 500 traffic is actually getting through. E.g. packet sniffer, or maybe a pass-through firewall rule somewhere.

As "Service" mentioned, if the client is Windows and the server is behind a NAT (and you are using pre-shared key authentication), you need to make the registry changes. This is very specific: it's only if the server has a port forward to it; it doesn't apply if only the client is behind a NAT. (It doesn't apply for non-Windows clients either.)

During IPsec negotiation the client gets told what the server's actual IP address is, and if it doesn't match the external IP address it's sending to (and its PSK, etc.) it refuses to connect.
Good Luck Regards Roger
One other thought. Rebooting the Telstra Router after changing the port forwarding is sometimes required.

----------------------------
Roger Plant
On Fri, 2020-10-16 at 15:07 +1100, Roger Plant wrote:
Rebooting the Telstra Router after changing the port forwarding is sometimes required.
I always reboot after making any changes to commodity routers. No good in this case. Good tip generally though.

Thanks, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
participants (6)
- Aaron Were
- Dave Browning
- Jason Hecker
- Karl Auer
- Mike Everest
- Roger Plant