sebol1204
just joined
Topic Author
Posts: 5
Joined: Thu Apr 18, 2024 4:11 pm

Problem with L2TP connection, partially works

Thu Apr 18, 2024 4:24 pm

Hello. I have a router from my ISP; the router has address 192.168.1.1. My MT is connected and has address 192.168.1.2. DMZ is on the ISP router, I can forward ports on my MT and this is working from the public IP (I forwarded the printer config page, working). Also I have turned on and configured L2TP VPN; in the firewall I added 500, 4500, 1701 and ipsec-esp. OK, if I connect my laptop to the ISP router and have the 192.168.1.3 IP address, I can connect to the VPN via 192.168.1.2 and this is working, but if I try to connect to the VPN using the public IP, it is not working. I have no idea what I am doing wrong. Can someone help?
 
TheCat12
Member Candidate
Posts: 183
Joined: Fri Dec 31, 2021 9:13 pm

Re: Problem with L2TP connection, partially works

Thu Apr 18, 2024 9:09 pm

More exported config would be needed to be able to diagnose the problem, the full one best:

/export file=anynameyouwish
 
sebol1204
just joined
Topic Author
Posts: 5
Joined: Thu Apr 18, 2024 4:11 pm

Re: Problem with L2TP connection, partially works

Fri Apr 19, 2024 9:18 am

File in Attachment
 
rplant
Member
Posts: 316
Joined: Fri Sep 29, 2017 11:42 am

Re: Problem with L2TP connection, partially works

Fri Apr 19, 2024 12:47 pm

Hi,

If you are using a Windows laptop to connect to your L2TP server, it won't work.
Windows doesn't like NATed L2TP server endpoints (unless using certificates).

There is a registry hack to make it work.
If only one person (or, less good, a very trusted few) knows the IPsec password/key, it should be fine.

https://learn.microsoft.com/en-us/troub ... t-t-device

You don't need to forward port 1701 from the ISP router; it is wrapped in the port 4500 IPsec traffic
(and the default IPsec policy firewall rules should allow it into the MikroTik when it gets extracted from the IPsec).
 
sebol1204
just joined
Topic Author
Posts: 5
Joined: Thu Apr 18, 2024 4:11 pm

Re: Problem with L2TP connection, partially works

Fri Apr 19, 2024 2:24 pm

@rplant

tested, not working.
 
rplant
Member
Posts: 316
Joined: Fri Sep 29, 2017 11:42 am

Re: Problem with L2TP connection, partially works

Sat Apr 20, 2024 3:48 am

Not sure,

Check that the firewall rule with 500,4500,1701 is counting.
Perhaps split it into 3 rules, so you can see if you are getting all three counting (when coming in via isp router)

Some ISP routers are annoying with ipsec, and need fiddling to get them to pass it through properly.

There is normally a bit of logging when ipsec connections happen, you can look at it.
You can increase it if required.

/system logging
add topics=ipsec

Also the l2tp stage (if the ipsec stage completes ok)
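
The counter and logging check suggested in the post above, written out as an added example that is not part of the original thread. The "diag:" comment labels and the rule placement (above any drop rule in the input chain) are assumptions; the ports and protocols are the ones named in the thread.

```routeros
# Added example, not from the thread. Assumption: these rules sit above any
# drop rule in the input chain (move them up if they do not).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500 comment="diag: IKE udp/500"
add chain=input action=accept protocol=udp dst-port=4500 comment="diag: NAT-T udp/4500"
add chain=input action=accept protocol=ipsec-esp comment="diag: ESP"
# L2TP is accepted only when it arrived inside IPsec, never in the clear.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="diag: L2TP inside IPsec"

# IPsec log entries without per-packet dumps
/system logging add topics=ipsec,!packet

# Zero the counters, make one connection attempt via the public IP, then read them
/ip firewall filter reset-counters-all
/ip firewall filter print stats where comment~"diag"
/log print where topics~"ipsec"
```

A counter that stays at zero during an attempt from the public IP means that traffic never matched on the MikroTik's input chain, which points upstream of the MikroTik rather than at its IPsec settings.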
 
sebol1204
just joined
Topic Author
Posts: 5
Joined: Thu Apr 18, 2024 4:11 pm

Re: Problem with L2TP connection, partially works

Sun Apr 21, 2024 1:53 pm

On the ISP router I have DMZ - tested by redirecting ports (like 80, 8080, 500) and this is working - I see the printer setup page. I don't have access to the ISP router, but I must call the ISP and tell them to check. Also tested by adding three other rules in MT for 500, 4500, 1701 - no differences.

I think the problem is with IPsec, like you say, but I'm not sure my config is correct and whether to argue with the ISP.
 
sebol1204
just joined
Topic Author
Posts: 5
Joined: Thu Apr 18, 2024 4:11 pm

Re: Problem with L2TP connection, partially works

Mon Apr 22, 2024 9:18 am

OK, I added "/system logging add topics=ipsec" and when I connect locally I see this in the logs. When I try to connect by public IP I don't see this in the logs. I tested ports 500, 4500, 1701 by forwarding to the printer and this works. So I think the problem is in ipsec-esp at the ISP.

EDIT: I tried connecting to the VPN with a smartphone - working 100%. In Windows it is not working; I tried on another computer - the same. What's wrong?
