chaf84
just joined
Topic Author
Posts: 8
Joined: Thu Apr 24, 2014 9:13 am

l2tp server with ipsec [2011UiAS-2HnD 6.19]

Thu Oct 02, 2014 10:45 am

Hi
I can't get my L2TP server to work. I get the following log when I try to connect; it doesn't matter what password or login I use.
ipsec,debug couldn't find configuration.
My configuration:

/interface l2tp-server server
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: L2TP-In
          use-ipsec: yes
       ipsec-secret: ******
/ppp secret
 0   username       l2tp                  ****   L2TP-In
/ppp profile
 1   name="L2TP-In" local-address=192.168.0.1 remote-address=vpn-pool
     use-mpls=default use-compression=default use-vj-compression=default
     use-encryption=required only-one=default change-tcp-mss=default
     address-list="" dns-server=192.168.0.33
/ip ipsec proposal
 0  * name="default" auth-algorithms=sha1
      enc-algorithms=3des,aes-128-cbc,aes-256-cbc lifetime=30m pfs-group=none
/ip ipsec peer
 1  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
      auth-method=pre-shared-key secret="****"
      generate-policy=port-strict policy-group=default
      exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
      hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256
      dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
*Missed firewall config
/ip firewall filter
 chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=1701 log=no log-prefix=""

 2    chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=4500 log=no log-prefix=""

 3    chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway
      log=no log-prefix=""

 4    chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=500 log=no log-prefix=""
Anyone have the same issue or a solution to this?
I have a site-to-site VPN with IPsec up; maybe this is the problem.
I think I have posted all the config you need. I log the following: ppp, l2tp and ipsec,!packet
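The firewall rules in the post above accept UDP 1701 from the WAN interface unconditionally, so L2TP sessions that arrive outside an IPsec SA (i.e. unencrypted) would also be accepted. The fragment below is an added example, not configuration from the thread or from MikroTik; it shows the same four input rules arranged so that L2TP is only accepted once it has been decapsulated from IPsec, plus the logging rule for the ipsec topic. It assumes ether1-gateway is the WAN interface, as in the post, and that the ipsec-policy firewall matcher is available on the RouterOS build in use.

```routeros
# Added example (not from the thread): input rules for an L2TP/IPsec server.
# Assumptions: ether1-gateway is the WAN interface; the ipsec-policy matcher
# exists on this RouterOS version. Rule order matters: the drop for plain
# UDP 1701 must come after the accept that requires an inbound IPsec policy.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface=ether1-gateway comment="IKE (500) and NAT-T (4500)"
add chain=input action=accept protocol=ipsec-esp \
    in-interface=ether1-gateway comment="ESP payloads"
add chain=input action=accept protocol=udp dst-port=1701 \
    in-interface=ether1-gateway ipsec-policy=in,ipsec \
    comment="L2TP only after IPsec decapsulation"
add chain=input action=drop protocol=udp dst-port=1701 \
    in-interface=ether1-gateway log=yes log-prefix="plain-l2tp" \
    comment="unencrypted L2TP from WAN is rejected and logged"

# Log IKE negotiation (without per-packet dumps) to the in-memory log,
# which is the topic set the original poster says they are watching.
/system logging
add topics=ipsec,!packet action=memory
```

With this ordering, a client that reaches the L2TP port without first completing IKE and establishing an SA is dropped and logged under the plain-l2tp prefix, which also makes such attempts visible in the log next to the ipsec messages being debugged.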
 
chaf84
just joined
Topic Author
Posts: 8
Joined: Thu Apr 24, 2014 9:13 am

Re: l2tp server with ipsec [2011UiAS-2HnD 6.19]

Tue Oct 07, 2014 10:42 am

I have been troubleshooting for a while now but I can't get it to work. I have tried to disable the L2TP server and still get the same error in my log.

Is it possible to have a VPN tunnel with IPsec and an L2TP server with IPsec?

Anyone have some ideas about what to do?
 
scottniven
just joined
Posts: 6
Joined: Tue Oct 07, 2014 9:39 pm

Re: l2tp server with ipsec [2011UiAS-2HnD 6.19]

Tue Oct 07, 2014 10:37 pm

Hi chaf84,

This is an export from the working L2TP-with-IPSec setup I'm testing with. It may be of some help to you. The X.X.X.X values were my WAN IP/gateway/network. The *s are where the same password I had was (both the client and the shared password were the same in my setup). The username for the L2TP connection was 'mikrotik'.
[admin@MikroTik] > export
# oct/07/2014 20:29:57 by RouterOS 6.20rc7
#
/interface pptp-server
add disabled=yes name=pptp-in1 user=mikrotik
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] disabled=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc
/ip pool
add name=dhcp ranges=10.10.10.10-10.10.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.2 remote-address=dhcp use-ipv6=no
/system logging action
set 2 remember=yes
/interface l2tp-server server
set enabled=yes ipsec-secret=******** use-ipsec=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=X.X.X.X/23 comment="default configuration" interface=ether1 network=X.X.X.0
add address=10.10.10.1/23 interface=ether1 network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/23 gateway=10.10.10.1 netmask=23
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=forward
add chain=input
add chain=output
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=l2tp-in1 new-routing-mark=vpnIn
add chain=prerouting
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
add enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp generate-policy=port-override secret=********
/ip route
add distance=1 gateway=ether1 routing-mark=vpnIn
add distance=1 gateway=X.X.X.1
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=mikrotik password=******** profile=default-encryption service=l2tp
/snmp
set trap-community=public
Hope it helps.
Scott.