L2TP/IPsec: Multiple Road Warriors Behind NAT
L2TP/IPsec: Multiple Road Warriors Behind NAT
Section titled “L2TP/IPsec: Multiple Road Warriors Behind NAT”A common deployment problem: several users in the same office or behind the same home router all try to connect to your RouterOS L2TP/IPsec server. The first client connects successfully. Subsequent clients fail — IKE completes but the L2TP session never starts, or connections drop randomly.
This guide explains why this happens and how to fix it.
Why Multiple Clients Behind NAT Fail
Section titled “Why Multiple Clients Behind NAT Fail”Standard IPsec uses ESP (protocol 50), which has no port numbers. A NAT device can track TCP and UDP sessions by their port numbers, but it cannot distinguish two ESP streams from the same public IP. The second client’s ESP packets collide with the first client’s SA at the server, and phase 2 negotiation breaks.
NAT Traversal (NAT-T) solves this by wrapping ESP inside UDP port 4500, which does have ports. Each client behind the NAT device gets a distinct UDP source port, allowing both the NAT device and the RouterOS server to keep the sessions separate.
RouterOS enables nat-traversal=yes by default. The missing pieces that most configurations omit are:
| Setting | Location | Purpose |
|---|---|---|
generate-policy=port-strict | /ip ipsec identity | Creates a unique Phase 2 policy per client (keyed by port) |
level=unique | /ip ipsec policy | Requires a distinct SA for each traffic flow |
Without port-strict and level=unique, RouterOS tries to reuse an existing SA for new connections from the same public IP, which fails for the second and subsequent clients.
Prerequisites
Section titled “Prerequisites”- RouterOS 7.x
- A public IP on the router (or upstream NAT forwarding UDP 500, UDP 4500, and ESP to the router)
- Firewall rules open for UDP 500 and UDP 4500
Complete Configuration
Section titled “Complete Configuration”Step 1 — IP Pool and PPP Profile
Section titled “Step 1 — IP Pool and PPP Profile”/ip pool add name=l2tp-pool ranges=10.10.10.10-10.10.10.200
/ppp profile add \ name=l2tp-prof \ local-address=10.10.10.1 \ remote-address=l2tp-pool \ use-encryption=yes \ dns-server=8.8.8.8,8.8.4.4Step 2 — Enable the L2TP Server
Section titled “Step 2 — Enable the L2TP Server”/interface l2tp-server server set \ enabled=yes \ use-ipsec=require \ ipsec-secret=YourStrongPSK \ default-profile=l2tp-prof \ authentication=mschap2The ipsec-secret is a single shared PSK used by all clients. Per-user identity is provided by the PPP credentials in the next step — do not attempt to set different PSKs per user at the L2TP layer.
Step 3 — Add PPP Users
Section titled “Step 3 — Add PPP Users”/ppp secret add name=user1 password=Pass1 service=l2tp profile=l2tp-prof/ppp secret add name=user2 password=Pass2 service=l2tp profile=l2tp-prof/ppp secret add name=user3 password=Pass3 service=l2tp profile=l2tp-profEach user has a unique username and password. This is the correct layer for per-user differentiation.
Step 4 — Configure IPsec for Multiple NAT Clients
Section titled “Step 4 — Configure IPsec for Multiple NAT Clients”This is the critical step. Apply these settings to the auto-generated IPsec objects that RouterOS creates when use-ipsec=require is set:
# Enable NAT traversal on the default IPsec profile/ip ipsec profile set [find default=yes] nat-traversal=yes
# Use port-strict policy generation so each NAT'd client gets its own Phase 2 policy/ip ipsec identity set [find] generate-policy=port-strict
# Require a unique SA per traffic flow/ip ipsec policy set [find] level=uniqueNote: If you have manually created named IPsec objects rather than using auto-generation, apply these settings to the relevant named objects instead of
[find default=yes].
Step 5 — Firewall Rules
Section titled “Step 5 — Firewall Rules”These rules must appear before any drop rules in the input chain:
/ip firewall filteradd chain=input action=accept protocol=udp dst-port=500,4500 \ in-interface-list=WAN comment="L2TP/IPsec IKE and NAT-T"add chain=input action=accept protocol=ipsec-esp \ in-interface-list=WAN comment="L2TP/IPsec ESP"Client-Side Considerations
Section titled “Client-Side Considerations”Windows Registry Fix for NAT
Section titled “Windows Registry Fix for NAT”Windows blocks L2TP/IPsec connections through NAT by default. Each Windows client needs a registry change before connecting:
- Open
regedit - Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent - Add a DWORD value named
AssumeUDPEncapsulationContextOnSendRuleset to2 - Reboot
Without this change, Windows refuses to send L2TP/IPsec packets when it detects it is behind NAT.
NAT Device (Client-Side Router/Firewall)
Section titled “NAT Device (Client-Side Router/Firewall)”The NAT device between the clients and the internet must:
- Not have SIP/ALG or IPsec passthrough features enabled — these intercept and mangle IKE packets
- Keep UDP 4500 state alive long enough for IKE keepalives (DPD) to maintain the session
- Allow outbound UDP 500, UDP 4500, and ESP (protocol 50)
If the client-side NAT device has an “IPsec passthrough” toggle, disable it. It is designed for older NAT-unaware IPsec and conflicts with NAT-T.
Verification
Section titled “Verification”After all clients connect, verify that each has its own security associations:
# Should show one SA per connected client/ip ipsec sa print
# Should show one active PPP session per connected user/ppp active print
# Check that policies are per-client (port-unique entries)/ip ipsec policy printExpected output for three connected clients: three distinct SA pairs (one inbound, one outbound per client), three PPP active sessions, and three dynamically generated policies each with unique source/destination ports.
Troubleshooting
Section titled “Troubleshooting”Second client fails immediately after first connects
Section titled “Second client fails immediately after first connects”Classic symptom of missing generate-policy=port-strict. Apply the setting from Step 4 and flush stale SAs:
/ip ipsec identity set [find] generate-policy=port-strict/ip ipsec policy set [find] level=unique/ip ipsec sa flushConnections drop after a few minutes
Section titled “Connections drop after a few minutes”The client-side NAT device is expiring the UDP 4500 mapping. Lower the DPD interval so keepalives prevent this:
/ip ipsec profile set [find default=yes] dpd-interval=30s dpd-maximum-failures=5If the NAT device has a configurable UDP timeout, set it to at least 120 seconds.
no Phase 2 policy found in logs
Section titled “no Phase 2 policy found in logs”The Phase 2 policy was not created or is stale. Flush and reconnect:
/ip ipsec sa flush/ip ipsec policy printIf no dynamic policies appear after flushing, confirm generate-policy=port-strict is set:
/ip ipsec identity print detailEnable verbose logging
Section titled “Enable verbose logging”/system logging add topics=ipsec,!debug action=memory/system logging add topics=l2tp,!debug action=memory/log print follow where topics~"ipsec|l2tp"Remove after debugging:
/system logging remove [find topics~"ipsec"]/system logging remove [find topics~"l2tp"]Stale IPsec SAs after client reconnect
Section titled “Stale IPsec SAs after client reconnect”Stale SAs from a previous session can block a new connection from the same IP:
/ip ipsec sa flushSee Also
Section titled “See Also”- L2TP/IPsec — Base L2TP/IPsec server and client setup
- IPsec — Full IPsec reference including IKEv2, site-to-site, and certificate auth