VPN with Android Mobile to MikroTik RouterOS version 6.13

kneuzgi · Sat May 24, 2014 6:58 pm

Hi

I'm looking for a good and secure VPN connection from my android mobile phone
to my mikrotik router (MikroTik RouterOS version 6.13)

If possible with a good manual/documentiation so that it's easy to
create for a beginner.

Thanks for any help

Regards

Kneuzgi

Zapnologica · Sat May 24, 2014 10:58 pm

Im also looking at implementing a simple VPN for ipad and android access.

I have followed a tutorial on PPTP Server but my windows client always gives em an 800 Error? I Will be watching out for a link or something.

mcskiller · Sun May 25, 2014 6:41 am

L2tp + ipsec

Enviado desde mi XT925 usando Tapatalk 2

kneuzgi · Sun May 25, 2014 1:07 pm

L2tp + ipsec -> sounds good

but how can I configure that ?

Thanks

kneuzgi · Sun May 25, 2014 1:31 pm

on my Android I have only following settings:

- PPTP
- L2TP/IPSEC PSK
- L2TP/IPSEC RSA
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA

kneuzgi · Sun May 25, 2014 1:36 pm

found something on the internet but it doesn't work with my mobile ...

http://www.nasa-security.net/mikrotik/m ... ith-ipsec/

any help ?

docmarius · Sun May 25, 2014 4:22 pm

Is there any reason why PPtP with MPPE-128 and MS-CHAP V2 would not be sufficient?
Cracking a 128bit encryption is not trivial. The biggest risk is yourself giving away your username and password.
And it is supported by a lot of devices, including Windows, Android and iOS.

LE: Ok. It seems that MS-CHAP2 can be cracked...
https://www.cloudcracker.com/blog/2012/ ... s-chap-v2/
On a 48 core FPGA dedicated device and a network capture it takes half a day to a day, but never the less.

Zapnologica · Sun May 25, 2014 10:51 pm

I have setup a PPTP server, but I am having no luck connecting to it from my phone.

I enabled PPTP Server, Added A PPTP Binding server , added 2 users under secrets, configured a profile for me using a ip pool.

I can connect on my windows 8 desktop, but for some reason my windows 8 laptop and my android cant connect to it?

When I try connect I see this in the log on the mikrotik:

    pptp, info       TCP connection established from 41.208.229.224

But then thats it, the client times out trying to connect.

When I connect on my desktop, which for some reason seems to work, the following is in the log.

    pptp, info           TCP connection established from 41.208.229.224
    pptp,ppp,info      test loggen in, 10.0.0.10
    pptp,ppp,info      <pptp-Test> authenticated
    pptp,ppp,info      <pptp-Test> using encoding - MPPE128 stateless
    pptp,ppp,info      <pptp-Test> Connected

What could be causing this error?
Is there a minimum password or user length?

I have done some debugging and found that if i try connect to the vpn on my android via the wireless, it doesnt connect, but I still see the tcp connection on the mikrotik,

but if i disable wireless and connect to the vpn via gsm. it seems to connect? Why would this be? The vpn server is a remote mikrotik, and im using dyndns.org to point to it.

mcskiller · Mon May 26, 2014 3:39 pm

I have setup a PPTP server, but I am having no luck connecting to it from my phone.

I enabled PPTP Server, Added A PPTP Binding server , added 2 users under secrets, configured a profile for me using a ip pool.

I can connect on my windows 8 desktop, but for some reason my windows 8 laptop and my android cant connect to it?

When I try connect I see this in the log on the mikrotik:
Code: Select all
    pptp, info       TCP connection established from 41.208.229.224
But then thats it, the client times out trying to connect.

When I connect on my desktop, which for some reason seems to work, the following is in the log.
Code: Select all
    pptp, info           TCP connection established from 41.208.229.224
    pptp,ppp,info      test loggen in, 10.0.0.10
    pptp,ppp,info      <pptp-Test> authenticated
    pptp,ppp,info      <pptp-Test> using encoding - MPPE128 stateless
    pptp,ppp,info      <pptp-Test> Connected
What could be causing this error?
Is there a minimum password or user length?

I have done some debugging and found that if i try connect to the vpn on my android via the wireless, it doesnt connect, but I still see the tcp connection on the mikrotik,

but if i disable wireless and connect to the vpn via gsm. it seems to connect? Why would this be? The vpn server is a remote mikrotik, and im using dyndns.org to point to it.

Here in my country 3g carriers are blocking pptp ports.
Because of that for mobile vpn i am using l2tp+ipsec

Enviado desde mi XT925 usando Tapatalk 2

W4SHY · Wed May 28, 2014 2:44 pm

Hi Guys,

I installed ROS 6.13 as a VM on my ESXi running version 5.5. I tried to get PPTP to work with my iPhone 5 for days without success - then I found this post:

http://forum.mikrotik.com/viewtopic.php?f=15&t=78280

Turns out ESXi 5.5 had a bug that would drop PPTP traffic. After upgrading to 5.5 U1, I was able to connect.

http://kb.vmware.com/selfservice/micros ... Id=2063788

W.

cdsJerry · Thu May 29, 2014 5:41 pm

Im also looking at implementing a simple VPN for ipad and android access.

I have followed a tutorial on PPTP Server but my windows client always gives em an 800 Error? I Will be watching out for a link or something.

I wouldn't waste your time setting up a PPTP connection as it's been hacked so badly it's considered nearly worthless. In my case the entire reason I'm switching routers to MikroTik is to get away from PPTP. Now if OpenVPN wasn't so darned confusing! And the Wiki is useless as it's an old version and not clear at all.

kneuzgi · Thu May 29, 2014 6:37 pm

is there any manual for L2tp + ipsec ?

My Android Mobile can only:
- PPTP
- L2TP/IPSEC PSK
- L2TP/IPSEC RSA
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA

I do not like to use PPTP !

Thanks

spippan · Tue Jan 13, 2015 1:38 pm

is there any manual for L2tp + ipsec ?

My Android Mobile can only:
- PPTP
- L2TP/IPSEC PSK
- L2TP/IPSEC RSA
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA

I do not like to use PPTP !

Thanks

got a similar issue connecting to my L2TP/IPsec server on my RB951 (ROSv6.24) via 3G / cellular (other VPNs thou work)
i tested to an other L2TP/IPsec VPN of a friend of mine ... success (via 3G)

i see that my iphone6 connects to the router to ports 500 and 4500

in the log i see:

12:28:23 ipsec,error phase1 negotiation failed due to time up 62.47.42.145[4500]<=>212.95.7.165[6365] 9b**0:a**dd

### ("**" for privacy reasons ;) hope you understand)

when i connect my iPhone6 to a WiFi (does not matter which one) there is no problem with the L2TP/IPsec connection from my iPh6 to my RB951

what can i do to

cdsJerry · Tue Jan 13, 2015 3:18 pm

I'm sorry but as you can tell from all the messages prior to your post, no one seems to be able to make this work and there has been no response from support on this in months. You can post all the questions you like, but there's been no help for anyone here. Worst router ever. Worst support ever.

gabrielpike · Tue Jan 13, 2015 5:50 pm

is there any manual for L2tp + ipsec ?

My Android Mobile can only:
- PPTP
- L2TP/IPSEC PSK
- L2TP/IPSEC RSA
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA

I do not like to use PPTP !

Thanks
got a similar issue connecting to my L2TP/IPsec server on my RB951 (ROSv6.24) via 3G / cellular (other VPNs thou work)
i tested to an other L2TP/IPsec VPN of a friend of mine ... success (via 3G)

i see that my iphone6 connects to the router to ports 500 and 4500

in the log i see:
Code: Select all
12:28:23 ipsec,error phase1 negotiation failed due to time up 62.47.42.145[4500]<=>212.95.7.165[6365] 9b**0:a**dd

### ("**" for privacy reasons ;) hope you understand)
when i connect my iPhone6 to a WiFi (does not matter which one) there is no problem with the L2TP/IPsec connection from my iPh6 to my RB951

what can i do to

Same problem tested on 6.24, router log shows first l2tp packet then nothing happens. Works on WiFi connection but on 3G connection fails.

spippan · Tue Jan 13, 2015 5:51 pm

UPDATE:
what i was able to do is, to set up a VPN connection to the same router with the same user via PPTP!

when i try to set up the connection via L2TP/IPsec ... no luck...

error in log:

14:08:17 ipsec,error phase1 negotiation failed due to time up 194.166.###.###[500]<=>62.218.###.###[500] cd1b2f**********:04d593**********

spippan · Tue Jan 13, 2015 5:57 pm

is there any manual for L2tp + ipsec ?

My Android Mobile can only:
- PPTP
- L2TP/IPSEC PSK
- L2TP/IPSEC RSA
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA

I do not like to use PPTP !

Thanks
got a similar issue connecting to my L2TP/IPsec server on my RB951 (ROSv6.24) via 3G / cellular (other VPNs thou work)
i tested to an other L2TP/IPsec VPN of a friend of mine ... success (via 3G)

i see that my iphone6 connects to the router to ports 500 and 4500

in the log i see:
Code: Select all
12:28:23 ipsec,error phase1 negotiation failed due to time up 62.47.42.145[4500]<=>212.95.7.165[6365] 9b**0:a**dd

### ("**" for privacy reasons ;) hope you understand)
when i connect my iPhone6 to a WiFi (does not matter which one) there is no problem with the L2TP/IPsec connection from my iPh6 to my RB951

what can i do to
Same problem tested on 6.24, router log shows first l2tp packet then nothing happens. Works on WiFi connection but on 3G connection fails.

yep ... also got that msg sometimes...

Chalky · Fri Feb 20, 2015 5:04 pm

I'm having exactly the same problem, works fine over Wi-Fi but will not work over Cellular. I've tried a Nexus 5 with Lollipop and an iPhone 5 with iOS 8.1.3, I've tried a T-Moible UK and Three UK SIM Card and neither will work.

Can't figure out where the issue lies.

spippan · Tue Mar 03, 2015 1:05 pm

I'm having exactly the same problem, works fine over Wi-Fi but will not work over Cellular. I've tried a Nexus 5 with Lollipop and an iPhone 5 with iOS 8.1.3, I've tried a T-Moible UK and Three UK SIM Card and neither will work.

Can't figure out where the issue lies.

i'm even seeing the connection (phase 1) is established via port 500, 4500 and 1701 from my mobile (FROM my mobile IP address) when i look it up in [ ip > firewall > connections ]
in the LOG i see something like "11:58:34 l2tp,info first L2TP UDP packet received from 213.162.68.xxx"
but NO SUCCESS with L2TP via 3G (mobile cell)

on the firewall side is get this:

[ 213.162.68.xxx = my iPhone over 3G // 212.183.32.xxx = my Routerboard on rOS 6.27]

[spippan@RB2011_sp-private] > ip firewall connection print 
Flags: S - seen-reply, A - assured 
 #    PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT    
 8 SA udp      213.162.68.xxx:64557  212.183.32.xxx:4500               55s        
10 SA udp      213.162.68.xxx:9659   212.183.32.xxx:500                1m26s      
11 SA udp      213.162.68.xxx:62263  212.183.32.xxx:1701               1m27s

JAza · Tue Nov 03, 2015 11:06 pm

Not sure what all people are on about in this thread - I followed the instructions above to that nasa-security.net link and it worked great for me.

750GL with 5.25 or so and Nex 5, Lollipop Dream (5.0.1)

spippan · Thu Nov 05, 2015 5:23 pm

Not sure what all people are on about in this thread - I followed the instructions above to that nasa-security.net link and it worked great for me.

750GL with 5.25 or so and Nex 5, Lollipop Dream (5.0.1)

which cellular provider do you use? and are you getting a official WAN IP on your mobile via your 3G/4G mobile data connection?

jaytcsd · Sun Nov 08, 2015 8:50 pm

I have an L2TP VPN connection on a Verizon droid to an RB751 running 6.32.3.

spippan · Wed Nov 11, 2015 11:01 am

I have an L2TP VPN connection on a Verizon droid to an RB751 running 6.32.3.

so then i assume Verizon is permitting direct IP communication from your mobile device to your router (vpn server)

i do not have that advantage here in austria (telering / t-mobile)
if i were with H3G (drei.at) i could activate "Open Internet" and then it works flawlessly.

BUT

i found a better solution for VPN .... OPEN VPN
works on GSM/UMTS/3G/LTE and WiFi with mi iPhone6 ... bit more administrative work at the beginning (self-signed cert, trail-and-error implementation

and key distribution to end-devices) but when it's configured ... works like a charm

NOTE: RouterOS still only supports TCP OVPN

jaytcsd · Wed Nov 11, 2015 9:50 pm

I looked at open VPN but couldn't figure out the cert process, looks like you stuck it out.

dinaafifi · Sun Dec 13, 2015 4:00 am

Here you can find step by step instructions to get VPN service on your Android phone http://www.vpnfaqs.com/2015/12/how-to-u ... oid-phone/ yoy can also use the same VPN account on your ipad and at the same connection time within encrypted tunnel ensures security and online privacy.

spippan · Wed Dec 16, 2015 5:11 pm

I looked at open VPN but couldn't figure out the cert process, looks like you stuck it out.

i used easy-rsa (with pkitool) which is included in the OpenVPN Tunnelblick Mac OS X suite

in terminal:

nano vars
source vars
./clean-all
./pkitool --initca
./pkitool --pass --server openVPN
./pkitool --pass client
KEY_CN=OpenVPN-Client-02 ./pkitool --pass client02
KEY_CN=OpenVPN-Client-03 ./pkitool --pass client03

here a short overview of the usage of EASY-RSA:

Creating Certificates with Easy-RSA
Easy-RSA is part of OpenVPN package at [[1]]. As of OpenVPN version 2.1 the usage is as follows:

Initialisation on Linux:

cd easy-rsa
less README
vi vars
source vars
./clean-all

=========================================================================================

Create CA (Certificate Authority, required to sign client and server certificates)

./pkitool --initca

=========================================================================================
Create Server Certificate

./pkitool --pass --server RB450

=========================================================================================

Convert Server private key to .pem format

openssl rsa -in keys/RB450.key -out keys/RB450.pem

=========================================================================================
Create Client Certificate

./pkitool --pass client1

=========================================================================================

Convert Client private key to .pem format

openssl rsa -in keys/client1.key -out keys/client1.pem

###======================================================================================

### routerboard specific ###

Usage
Referring to easy-rsa example above upload following files via sftp to RouterBoard

RB450.crt
RB450.pem
ca.crt

!! Do not upload your private ca.key !!! Now import the certificate and then its key !!

/certificate
import file=RB450.crt
import file=RB450.pem
import file=ca.crt

To the clients upload

ca.crt
client1.crt
client1.pem

And import the keys:

/certificate
import file=client1.crt
import file=client1.pem
import file=ca.crt

###======================================================================================

after that configure the OpenVPN server on the routerboard with the server certificate for which you also uploaded the server-key! (NOT the ca.crt)

VPN working with iOS client, windows client, mac osx client and also from Routerboard <=> Routerboard via OpenVPN

jaytcsd · Sat Dec 19, 2015 11:18 am

I'll give it a try, thanks for the detailed info.

spippan · Tue Jan 05, 2016 12:29 am

I'll give it a try, thanks for the detailed info.

success?

jaytcsd · Tue Jan 05, 2016 5:09 am

Been busy trying to get site to site IPsec working, haven't had a chance to try this yet.

spippan · Tue Jan 05, 2016 12:19 pm

Been busy trying to get site to site IPsec working, haven't had a chance to try this yet.

no problem

if help is needed, notifications to this thread are ON. glad if i can help.
anyways good luck with your site-to-site IPsec

cohprog · Fri Feb 26, 2016 10:27 am

RouterOS configuration for Android L2TP/IPSec PSK VPN:

RouterOS:

/ip pool add name="VPN" ranges=10.0.0.1-10.0.0.254

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add enc-algorithms=3des,aes-256-cbc name=l2tp-vpn pfs-group=none

/ppp profile
add change-tcp-mss=yes dns-server=XXX.XXX.XXX.XXX local-address=VPN name=\
l2tp-vpn remote-address=VPN

/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-vpn enabled=yes ipsec-secret=\
SECRETKEY max-mru=1460 max-mtu=1460 use-ipsec=yes

/ip ipsec policy
set (unknown) proposal=l2tp-vpn

/ppp secret
add name=USER password=PASSWORD profile=l2tp-vpn service=l2tp

/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key passive=yes secret=SECRETKEY generate-policy=port-override exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-256

On Android, create a L2TP/IPSec PSK VPN.
Add the address of the VPN server and the pre-shared IPSec secret key (SECRETKEY). Don't enter a secret for L2TP or a user for IPSec.

oriolrius · Wed Jul 27, 2016 9:14 pm

Hi, I just published a howto on my blog page about how to set up a PPTP server compatible with Android. I'm using routerOS 6.34.3 and Android 5 and 6.
http://oriolrius.cat/blog/2016/07/27/mi ... r-android/
I hope it's being useful.
Oriol

e2ks · Fri Apr 14, 2017 3:02 pm

Can just add one hopefully useful tip. In case if client is Android device, it seems not all IPSec authentication algorithms are supported.

In IPSec proposal settings can not use sha256 or sha512 as Auth. Algorithm, Android fails to connect if those are used. Sha1 works fine

Not sure if same applies to all device models and versions of Android, but that was my experience on Sony Xperia X, Android verion 7.1.1. RouterOS v.6.38.5

pe1chl · Tue Apr 18, 2017 3:16 pm

Thank you! I was fighting L2TP/IPsec PSK on Android and indeed it turns out it is due to the SHA256 which
was enabled in Proposals and does not work on Android. It is OK on most other platforms.

ajack46 · Tue Apr 18, 2017 5:43 pm

so what do we do to work on android.

pe1chl · Tue Apr 18, 2017 5:51 pm

It works in the default config, the problems only start when you enable those super duper hashing and encryption methods that nobody needs yet are "recommended by the experts".

savage75 · Mon Nov 06, 2017 10:43 am

Hi,
Was trying L2TP/IPSec PSK it works fine with PCs but nothing with android and iOS ?
I'm using routerOS 6.36.1 ?

any workaround ?

thanks

pe1chl · Mon Nov 06, 2017 10:35 pm

Please read before you write!

savage75 · Tue Nov 07, 2017 9:36 am

Hi pe1chl,
was reading your post regarding the SHA256 on Proposals but I'm using sha1 and still no success to make it work, getting Unsuccessful when try to connect to VPN through the Android !

pe1chl · Tue Nov 07, 2017 10:26 am

It works fine for me with Android. But you should leave the phase1 settings at default or else it will fail.

savage75 · Tue Nov 07, 2017 12:03 pm

It works fine for me with Android. But you should leave the phase1 settings at default or else it will fail.

thanks pe1chl, just need to confirm by saying phase1 means ?