lcx
newbie
Topic Author
Posts: 26
Joined: Wed Nov 11, 2009 2:58 pm

Trying to get my iPhone to connect to my RouterOS with L2TP

Sun Mar 21, 2010 10:50 pm

I have successfully set up L2TP on my RB750G. I can connect when my iPhone is connected to the local LAN (RB IP: 192.168.1.1, iPhone IP: 192.168.1.250).
If I switch off wireless on my iPhone and try the same over 3G, it doesn't work anymore. I have no idea what I'm doing wrong.

Here my config:
# mar/21/2010 20:49:41 by RouterOS 4.6
#
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d nat-traversal=no proposal-check=obey secret=****** send-initial-contact=yes

Successful connection over local IP
20:16:56 ipsec respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.250[500] 
20:16:56 ipsec begin Identity Protection mode. 
20:16:56 ipsec received Vendor ID: RFC 3947 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
20:16:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
20:16:56 ipsec 
20:16:56 ipsec received Vendor ID: DPD 
20:16:56 ipsec ISAKMP-SA established 192.168.1.1[500]-192.168.1.250[500] spi:7f07341ef01ee630:032133f662cfba14 
20:16:57 ipsec respond new phase 2 negotiation: 192.168.1.1[500]<=>192.168.1.250[500] 
20:16:57 ipsec no policy found, try to generate the policy : 192.168.1.250/32[49163] 192.168.1.1/32[1701] proto=udp dir=in 
20:16:57 ipsec trns_id mismatched: my:3DES peer:AES 
20:16:57 ipsec trns_id mismatched: my:3DES peer:AES 
20:16:57 ipsec IPsec-SA established: ESP/Transport 192.168.1.250[0]->192.168.1.1[0] spi=98895759(0x5e5078f) 
20:16:57 ipsec IPsec-SA established: ESP/Transport 192.168.1.1[0]->192.168.1.250[0] spi=98628188(0x5e0f25c) 
20:16:57 l2tp,ppp,info <l2tp-0>: waiting for call... 
20:16:58 l2tp,ppp,info <l2tp-0>: authenticated 
20:16:58 l2tp,ppp,info <l2tp-0>: connected 
20:16:58 l2tp,ppp,info,account iphone logged in, 1.1.1.2 
Connection from external IP
20:19:00 ipsec respond new phase 1 negotiation: 213.141.117.108[500]<=>194.24.158.2[23655] 
20:19:00 ipsec begin Identity Protection mode. 
20:19:00 ipsec received Vendor ID: RFC 3947 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
20:19:00 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
20:19:00 ipsec 
20:19:00 ipsec received Vendor ID: DPD 
20:19:01 ipsec ISAKMP-SA established 213.141.117.108[500]-194.24.158.2[23655] spi:9b1a26a96f00d68a:caeca333c89ef7ed 
20:19:02 ipsec respond new phase 2 negotiation: 213.141.117.108[500]<=>194.24.158.2[23655] 
20:19:02 ipsec no policy found, try to generate the policy : 10.100.198.228/32[49165] 213.141.117.108/32[1701] proto=udp dir=in 
20:19:02 ipsec trns_id mismatched: my:3DES peer:AES 
20:19:02 ipsec trns_id mismatched: my:3DES peer:AES 
20:19:02 ipsec IPsec-SA established: ESP/Transport 194.24.158.2[0]->213.141.117.108[0] spi=109031144(0x67faee8) 
20:19:02 ipsec IPsec-SA established: ESP/Transport 213.141.117.108[0]->194.24.158.2[0] spi=49812715(0x2f814eb) 
I have no clue where the IP 10.100.198.228/32 is coming from.
Any help would be appreciated.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Trying to get my iPhone to connect to my RouterOS with L2TP

Sun Mar 21, 2010 11:51 pm

Don't know about other providers, but on AT&T you get a private IP address that is PAT'd by AT&T. ESP requires NAT-T to work with PAT, so try turning that on.
 
lcx
newbie
Topic Author
Posts: 26
Joined: Wed Nov 11, 2009 2:58 pm

Re: Trying to get my iPhone to connect to my RouterOS with L2TP

Mon Mar 22, 2010 10:29 am

Unfortunately, no luck with NAT-T enabled.

08:26:53 system,info,account user admin logged in from 192.168.1.3 via winbox 
08:27:03 ipsec 213.141.117.108[4500] used for NAT-T 
08:27:03 ipsec 10.16.30.1[4500] used for NAT-T 
08:27:03 ipsec 192.168.1.1[4500] used for NAT-T 
08:27:03 system,info ipsec peer changed by admin 
08:27:32 ipsec respond new phase 1 negotiation: 213.141.117.108[500]<=>194.24.158.1[53120] 
08:27:32 ipsec begin Identity Protection mode. 
08:27:32 ipsec received Vendor ID: RFC 3947 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
08:27:32 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
08:27:32 ipsec 
08:27:32 ipsec received Vendor ID: DPD 
08:27:32 ipsec Selected NAT-T version: RFC 3947 
08:27:32 ipsec Hashing 213.141.117.108[500] with algo #2  
08:27:32 ipsec NAT-D payload #0 verified 
08:27:32 ipsec Hashing 194.24.158.1[53120] with algo #2  
08:27:32 ipsec NAT-D payload #1 doesn't match 
08:27:32 ipsec NAT detected: PEER 
08:27:32 ipsec Hashing 194.24.158.1[53120] with algo #2  
08:27:32 ipsec Hashing 213.141.117.108[500] with algo #2  
08:27:32 ipsec Adding remote and local NAT-D payloads. 
08:27:32 ipsec NAT-T: ports changed to: 194.24.158.1[53122]<->213.141.117.108[4500] 
08:27:32 ipsec KA list add: 213.141.117.108[4500]->194.24.158.1[53122] 
08:27:32 ipsec ISAKMP-SA established 213.141.117.108[4500]-194.24.158.1[53122] spi:b2d0c1e77a137307:321e8e89ef21b294 
08:27:33 ipsec respond new phase 2 negotiation: 213.141.117.108[4500]<=>194.24.158.1[53122] 
08:27:33 ipsec no policy found, try to generate the policy : 10.100.123.163/32[49152] 213.141.117.108/32[1701] proto=udp dir=in 
08:27:33 ipsec Adjusting my encmode UDP-Transport->Transport 
08:27:33 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
08:27:33 ipsec trns_id mismatched: my:3DES peer:AES 
08:27:33 ipsec trns_id mismatched: my:3DES peer:AES 
08:27:34 ipsec IPsec-SA established: ESP/Transport 194.24.158.1[53122]->213.141.117.108[4500] spi=228076702(0xd982c9e) 
08:27:34 ipsec IPsec-SA established: ESP/Transport 213.141.117.108[4500]->194.24.158.1[53122] spi=60891111(0x3a11fe7) 
LE: I just noticed this is kind of a double post. My problem sounds much like this topic: http://forum.mikrotik.com/viewtopic.php?f=2&t=33595
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Trying to get my iPhone to connect to my RouterOS with L2TP

Wed Sep 15, 2010 10:07 am

20:19:02 ipsec trns_id mismatched: my:3DES peer:AES
20:19:02 ipsec trns_id mismatched: my:3DES peer:AES
I was able to silence that error with:
/ip ipsec proposal set default enc-algorithms=aes-256
Still unable to make my iPhone connect though. :(
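As an added example (not code from this thread or from MikroTik), the script below reads the three log excerpts posted above and reports the three things the replies touch on: whether the initiator is behind NAT/PAT and whether NAT-T was actually negotiated (fewi's point), where the 10.x address in "try to generate the policy" comes from (in IKEv1 quick mode the ID payloads carry the address the client itself holds, which on a carrier network is its private one, so the generated policy selects 10.100.x.x/32 rather than the 194.24.158.x the packets arrive from), and the 3DES/AES proposal mismatch (blake's point). The log lines are copied from the posts above and condensed; the two RouterOS commands in the hints are assumed 4.x CLI syntax, since the thread only shows the export format and blake's one-liner.

```python
"""Triage RouterOS ipsec log excerpts for a peer behind carrier NAT, a private
phase 2 identity, and a proposal mismatch. Sample logs are condensed copies of
the lines posted in this thread."""
import ipaddress
import re

_PH1 = re.compile(r"phase 1 negotiation: ([\d.]+)\[(\d+)\]<=>([\d.]+)\[(\d+)\]")
_POLICY = re.compile(r"generate the policy : ([\d.]+)/32\[(\d+)\] ([\d.]+)/32\[(\d+)\]")
_MISMATCH = re.compile(r"trns_id mismatched: my:(\w+) peer:(\w+)")
_SA = re.compile(r"IPsec-SA established: ESP/(\w+) ([\d.]+)\[(\d+)\]->([\d.]+)\[(\d+)\]")

# Assumed RouterOS 4.x CLI syntax (not shown in the thread); check your version.
CMD_NAT_T = "/ip ipsec peer set 0 nat-traversal=yes"
CMD_PROPOSAL = "/ip ipsec proposal set default enc-algorithms=aes-256,3des"

LOCAL_LOG = """\
20:16:56 ipsec respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.250[500]
20:16:56 ipsec ISAKMP-SA established 192.168.1.1[500]-192.168.1.250[500] spi:7f07341ef01ee630:032133f662cfba14
20:16:57 ipsec no policy found, try to generate the policy : 192.168.1.250/32[49163] 192.168.1.1/32[1701] proto=udp dir=in
20:16:57 ipsec trns_id mismatched: my:3DES peer:AES
20:16:57 ipsec IPsec-SA established: ESP/Transport 192.168.1.250[0]->192.168.1.1[0] spi=98895759(0x5e5078f)
20:16:57 l2tp,ppp,info <l2tp-0>: waiting for call...
20:16:58 l2tp,ppp,info,account iphone logged in, 1.1.1.2
"""
MOBILE_LOG = """\
20:19:00 ipsec respond new phase 1 negotiation: 213.141.117.108[500]<=>194.24.158.2[23655]
20:19:02 ipsec no policy found, try to generate the policy : 10.100.198.228/32[49165] 213.141.117.108/32[1701] proto=udp dir=in
20:19:02 ipsec trns_id mismatched: my:3DES peer:AES
20:19:02 ipsec IPsec-SA established: ESP/Transport 194.24.158.2[0]->213.141.117.108[0] spi=109031144(0x67faee8)
"""
MOBILE_NATT_LOG = """\
08:27:32 ipsec respond new phase 1 negotiation: 213.141.117.108[500]<=>194.24.158.1[53120]
08:27:32 ipsec NAT detected: PEER
08:27:32 ipsec NAT-T: ports changed to: 194.24.158.1[53122]<->213.141.117.108[4500]
08:27:33 ipsec no policy found, try to generate the policy : 10.100.123.163/32[49152] 213.141.117.108/32[1701] proto=udp dir=in
08:27:33 ipsec trns_id mismatched: my:3DES peer:AES
08:27:34 ipsec IPsec-SA established: ESP/Transport 194.24.158.1[53122]->213.141.117.108[4500] spi=228076702(0xd982c9e)
"""


def diagnose(log_text):
    """Parse one connection attempt and return a dict of findings plus hints."""
    r = {
        "remote": None, "remote_port": None, "peer_behind_nat": False,
        "nat_t_negotiated": False, "client_inner_ip": None, "inner_ip_private": None,
        "policy_src_matches_peer": None, "proposal_mismatch": None,
        "esp_udp_encapsulated": None, "l2tp_reached": False, "hints": [],
    }
    for line in log_text.splitlines():
        parts = line.split(None, 2)          # "HH:MM:SS topics message"
        if len(parts) < 3:
            continue
        topics, msg = parts[1], parts[2]
        if topics.split(",")[0] == "l2tp":
            r["l2tp_reached"] = True         # decrypted L2TP reached the server
            continue
        if (m := _PH1.search(msg)):
            r["remote"], r["remote_port"] = m.group(3), int(m.group(4))
            # An IKE initiator sends from UDP/500; any other source port means a
            # NAT/PAT device rewrote it on the way in.
            r["peer_behind_nat"] = r["remote_port"] != 500
        elif "NAT detected: PEER" in msg:
            r["peer_behind_nat"] = r["nat_t_negotiated"] = True
        elif (m := _POLICY.search(msg)):
            # Quick-mode IDs carry the address the client itself holds, which
            # behind a carrier NAT is the private one, not the outer source.
            r["client_inner_ip"] = m.group(1)
            r["inner_ip_private"] = ipaddress.ip_address(m.group(1)).is_private
            r["policy_src_matches_peer"] = m.group(1) == r["remote"]
        elif (m := _MISMATCH.search(msg)):
            r["proposal_mismatch"] = (m.group(1), m.group(2))
        elif (m := _SA.search(msg)):
            # Port 0 on the ESP SA means raw IP protocol 50; a real port means
            # UDP encapsulation (NAT-T), the only form that survives PAT.
            r["esp_udp_encapsulated"] = int(m.group(3)) != 0 or int(m.group(5)) != 0

    if r["peer_behind_nat"] and not r["nat_t_negotiated"]:
        r["hints"].append(f"initiator port {r['remote_port']} != 500: peer is behind "
                          f"NAT/PAT but NAT-T was not negotiated; enable it: {CMD_NAT_T}")
    if r["peer_behind_nat"] and r["esp_udp_encapsulated"] is False:
        r["hints"].append("ESP SA has port 0 on both ends: raw protocol 50 will not pass PAT")
    if r["proposal_mismatch"]:
        mine, theirs = r["proposal_mismatch"]
        r["hints"].append(f"client proposes {theirs}, router offers {mine}: {CMD_PROPOSAL}")
    if r["policy_src_matches_peer"] is False:
        r["hints"].append(f"generated policy selects src {r['client_inner_ip']} (the client's "
                          f"own address behind NAT), not {r['remote']} that packets come from")
    if r["esp_udp_encapsulated"] is not None and not r["l2tp_reached"]:
        r["hints"].append("IPsec SAs came up but no l2tp 'waiting for call' line followed")
    return r


if __name__ == "__main__":
    for name, log in (("lan", LOCAL_LOG), ("3g", MOBILE_LOG), ("3g+nat-t", MOBILE_NATT_LOG)):
        print(name, *diagnose(log)["hints"], sep="\n  ")
```

Run it and compare the three reports: the LAN attempt is the only one where the policy source equals the phase 1 peer and an l2tp line follows the SAs; both 3G attempts generate a policy for a 10.x address, and even with NAT-T negotiated (UDP-encapsulated ESP on port 4500) nothing reaches the L2TP server.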
 
ciphercore
Member Candidate
Posts: 155
Joined: Fri Jan 29, 2010 5:48 pm

Re: Trying to get my iPhone to connect to my RouterOS with L2TP

Wed Sep 15, 2010 10:30 pm

I know that on Rogers (3G in Canada) you are required to have VPN access. I have this because I need it for work.

It gives my phone a public IP rather than a 10.x.x.x one. Try from another location via Wi-Fi.