Community discussions

MikroTik App
  4. RouterOS
  5. General

IPSec/L2TP between Win Mobile & MikroTik: Is it possible?

Post Reply
 
VN8
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2011 12:56 pm
Location: Tyumen, Russia

IPSec/L2TP between Win Mobile & MikroTik: Is it possible?

Wed Mar 09, 2011 7:46 pm

Hello!
Has anyone a positive experience for L2TP/IPSec between native Windows Mobile VPN client and MikroTik VPN server?
My RB450G@RouterOS 4.17 located behind another router – D-Link DFL 210 that establishes connection to ISP by L2TP, provides NAT. But port forwarding is provided for all necessary L2TP/IPSec services through the DFL-210 to IP of a "public" interface (ether1) of the RB450G. Mikrotik basically used for shaping and QoS. All local clients connected to RB450G.
Global network configuration is:

Internet <---> 109.x.x.x-(L2TP client)-[DFL-210]-192.168.200.1/29 <---> 192.168.200.2/29-[RB450G]-192.168.201.254/24

I want to assign an IP to remote client (Samsung i900 with Windows Mobile 6.1 Pro with Internet access via GPRS) from a same subnet where local clients are located.

My current L2TP server setups:
Code: Select all
 > /interface l2tp-server server print
          enabled: yes
          max-mtu: 1300
          max-mru: 1300
             mrru: disabled
   authentication: pap,chap,mschap1,mschap2
  default-profile: default-encryption


 > /ppp secret print
Flags: X - disabled 
 #   NAME               SERVICE CALLER-ID               PASSWORD               PROFILE               REMOTE-ADDRESS 
 0   remote_user        l2tp                            parol                  default-encryption   


 > /ppp profile print
Flags: * - default 
 0 * name="default-encryption" local-address=192.168.201.254 remote-address=vpn_pool 
     use-compression=default use-vj-compression=default 
     use-encryption=yes only-one=default change-tcp-mss=yes


 > /ip pool print
 # NAME                                     RANGES                         
 0 lan201_dhcp_pool                         192.168.201.2-192.168.201.50   
 1 vpn_pool                                 192.168.201.60-192.168.201.80
My current IPSec setups:
Code: Select all
 > /ip ipsec peer print 
Flags: X - disabled 
 0   address=0.0.0.0/0:500 auth-method=pre-shared-key secret="secret" generate-policy=yes exchange-mode=main 
     send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des 
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1


 > /ip ipsec proposal print 
Flags: X - disabled 
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
But a connection is not established. RouterOS debugger’s entries are presented below:
Code: Select all
23:18:20 ipsec respond new phase 1 negotiation: 192.168.200.2[500]<=>90.150.65.114[27834] 
23:18:20 ipsec begin Identity Protection mode. 
23:18:20 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
23:18:20 ipsec received Vendor ID: FRAGMENTATION 
23:18:20 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
23:18:20 ipsec 
23:18:22 ipsec ISAKMP-SA established 192.168.200.2[500]-90.150.65.114[27834] spi:ed09b208b20fafa4:fb378f266bc77238 
23:18:22 ipsec respond new phase 2 negotiation: 192.168.200.2[500]<=>90.150.65.114[27834] 
23:18:22 ipsec no policy found, try to generate the policy : 10.30.113.58/32[1701] 109.x.x.x/32[1701] proto=udp dir=in 
23:18:23 ipsec IPsec-SA established: ESP/Transport 90.150.65.114[0]->192.168.200.2[0] spi=107432096(0x66748a0) 
23:18:23 ipsec IPsec-SA established: ESP/Transport 192.168.200.2[0]->90.150.65.114[0] spi=2474688(0x25c2c0) 
23:18:58 ipsec ISAKMP-SA expired 192.168.200.2[500]-90.150.65.114[27834] spi:ed09b208b20fafa4:fb378f266bc77238 
23:18:58 ipsec unknown Informational exchange received. 
23:18:59 ipsec ISAKMP-SA deleted 192.168.200.2[500]-90.150.65.114[27834] spi:ed09b208b20fafa4:fb378f266bc77238
It is all. No more anything in the Mikrotik system log, ipsec-debugger entries only although l2tp-debugger are enabled too.
What does means an "unknown Informational exchange received" error?
Thanks.

Sorry for my English :) .
Top
 
grg
newbie
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Wed Mar 09, 2011 11:51 pm

First thing to start with, if you want to play with IPSec you have to have latest v5 release, because version 4 does not include NAT-T fix. Another thing to remember is that IPSec server behind NAT firewall is deemed to fail. Even if you would manage to make it your main firewall with global IP address, you would still have to ensure that your Windows Mobile phone gets assigned global IP address too, because NAT-T feature still doesn't work with Windows Mobile and XP (i did a quick check).

grg
Top
 
VN8
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2011 12:56 pm
Location: Tyumen, Russia

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Thu Mar 10, 2011 2:01 pm

Thanks for your answer, grg.
Yes, you are right. The RouterOS v5rc11 also is unable to establish ipsec between itself and my NATed Windows Mobile client properly. A Mikrotik system log registers following errors that lead to disconnecting of ipsec:
Code: Select all
13:37:35 ipsec,debug Expecting IP address type in main mode, but FQDN. 
13:37:35 ipsec,debug invalid ID payload.
As I understood during an Internet searching it is a feature of a Windows Mobile client (and possibly a Windows XP client too) if it allocated behind NAT. Main mode with preshared key can to use IP only as ID according RFC 2409 but Windows Mobile client allocated behind NAT sends FQDN that contradicts to RFC 2409 therefore Mikrotik rejects a connection attempt.
Top
 
mikroguf
just joined
Posts: 11
Joined: Mon Dec 06, 2010 5:40 am

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Fri Mar 18, 2011 12:46 am

Yes I concur that the issue is with the client sending FQDN instead of IP address as part of the IPSec setup. We have seen this in XP when it is behind NAT, though curiously XP does send its IP address as long as it does not detect NAT.

I have asked MT to provide a fix for this on their side, as the chances of getting Microsoft to change there OS is completely NIL. CISCO had the same issue and were able to issue a fix in 7.2(3) for their PIX/ASA servers.

A workaround for you might be to remove the NAT from your server end by having your MT on a public IP and also ensuring that your carrier issues you with a public IP so that there is no NAT anywhere in the path. Then I suspect that WM will send the IP rather than the FQDN. However, this can be hard to achieve as most carriers use NAT on 3G/GRPS services.
Top
 
VN8
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2011 12:56 pm
Location: Tyumen, Russia

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Sun Mar 20, 2011 7:41 pm

I have asked MT to provide a fix for this on their side
As I know, there is a patch for Linux-based systems that fixes the problem. It would be nice if the developers will implement something similar in RouterOS.
Top
 
mikroguf
just joined
Posts: 11
Joined: Mon Dec 06, 2010 5:40 am

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Mon Mar 21, 2011 12:13 am

Do you have any specifics for the Linux patch? I'd love to research a bit more into exactly how Linux resolved this...
Top
 
grg
newbie
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Fri Apr 01, 2011 12:05 am

Version 5.0 still has the same FQDN problem. Mikrotik, if you don't want to make it a permanent change in code then please, at least add it as an option we could turn on or off. Something like a mode to work with broken IPSec clients.

Thanks.

grg
Top
 
VN8
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2011 12:56 pm
Location: Tyumen, Russia

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Fri Apr 01, 2011 2:03 am

Do you have any specifics for the Linux patch? I'd love to research a bit more into exactly how Linux resolved this...
I apologize for my long silence.
I found the following bypass method of the problem in the WEB:
Code: Select all
> --- src/racoon/ipsec_doi.c.orig       Thu Feb  2 23:37:17 2006
> +++ src/racoon/ipsec_doi.c    Sun Sep 24 23:28:42 2006
> @@ -3277,10 +3277,9 @@
>           iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
>                if (id_b->type != IPSECDOI_ID_IPV4_ADDR
>                 && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
> -                     plog(LLV_ERROR, LOCATION, NULL,
> +                     plog(LLV_WARNING, LOCATION, NULL,
>                               "Expecting IP address type in main mode, "
>                               "but %s.\n", s_ipsecdoi_ident(id_b->type));
> -                     return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
>               }
>       }
"> -" - old lines for deleting
"> +" - new line
It is an example for FreeBSD.
Top
 
2400baud
newbie
Posts: 29
Joined: Tue Nov 15, 2011 1:04 am

Re: IPSec/L2TP between Win Mobile & MikroTik: Is it possible

Mon Dec 05, 2011 5:33 pm

I just ran into this with XP behind a NAT.

It'd be good to get a workaround in RouterOS, because there's still plenty of XP out there.
Top
Post Reply

Who is online

Users browsing this forum: kehrlein, ragudelo and 82 guests
  4. RouterOS
  5. General