I am having difficulties remotely accessing through VPN.
I have a Mikrotik RB2011iL with RouterOS v6.42.6 and had setup a VPN link which has been used for many months. However, 2 new colleagues need to have access and it is not working (despite working fine for all the other colleagues). And it is not a limitation on the number of connections as it is set to not limit the number of connections and it also fails when nobody else is logged-in.
The error that is logged at the Mikrotik during these attempts is:
jul/26 21:24:44 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:45 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:46 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:51 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:52 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:53 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:56 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
As the setup is unique at the router, I investigated at the client level. Everything is equal, except the operating system on these 2 new colleagues that have the latest Windows 10 release.
The error that they get at their PC, after the initial “Connecting to yyy.yy.yy.yy” is “The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPSEC tunnel, the security parameters required for IPSEC negotiation might not be configured properly”
At the client side I am using the same configuration on all the 4 PCs:
• Server name or address: yyy.yy.yy.yy
• VPN type: Automatic
• Type of sign-in: Username and password
What must be changed to accept the newer Windows 10 (if that is the problem) and the other PCs?
Thank you
Re: L2TP/IPSEC VPN with Windows 10
Something in Windows' VPN client may have changed intentionally or unintentionally. To see what has changed in particular, you'll need to use logging on Mikrotik, see this similar topics for details.
-
-
ruiesteves
newbie
- Posts: 31
- Joined:
Re: L2TP/IPSEC VPN with Windows 10
Hi Sindy.
Thank you for your reply.
I went through the post that you mentioned and the linked wiki page https://wiki.mikrotik.com/wiki/Manual:IP/IPsec. I tried the L2TP setup and I tried the Mode Conf and the IKE2. But none worked and at this time I am already confused.
I attached the configuration file. It has all the configurations that I did today and none work.
I just need one of them to work with a Windows 10 client. I guess that L2TP is enough, but it was only working on 2 PCs and not on the other 2 PCs.
What is wrong with it?
Thank you.
Thank you for your reply.
I went through the post that you mentioned and the linked wiki page https://wiki.mikrotik.com/wiki/Manual:IP/IPsec. I tried the L2TP setup and I tried the Mode Conf and the IKE2. But none worked and at this time I am already confused.
I attached the configuration file. It has all the configurations that I did today and none work.
I just need one of them to work with a Windows 10 client. I guess that L2TP is enough, but it was only working on 2 PCs and not on the other 2 PCs.
What is wrong with it?
Thank you.
You do not have the required permissions to view the files attached to this post.
Re: L2TP/IPSEC VPN with Windows 10
The post I've linked to in my previous one was a clear instruction how to find out what the new Windows10 client requires and which of its requirements are not compatible with your current settings.
Instead of following that instruction to find out how to slightly modify the current L2TP/IPsec setup, you have tried with another VPN mode (ike2) at Windows side. But the requirements for phase 1 and/or phase 2 authentication, encryption, and other algorithms exist in ike2 case as well, so without finding out which combinations of these algorithms the client supports and proposes, you cannot succeed either.
So without visualizing the failed communication, there is no way ahead.
So I'd keep the configuration on Mikrotik side in its working state, double-check that by connecting one of the "old" PCs which do connect successfully, and then disconnect as much IPsec peers as you can without affecting your workflow (to minimize the amount of unrelated events in the log), start the logging and press [connect] on one of those Windows10 machines which fail to connect. After getting the error message from Windows, you can stop logging and start reading the log. It is not that hard but if you feel lost, just obfuscate the IP addresses and post the log file.
And one general remark - L2TP/IPsec doesn't work for two clients accessing the same server from behind the same public address unless you implement a server-side workaround.
Instead of following that instruction to find out how to slightly modify the current L2TP/IPsec setup, you have tried with another VPN mode (ike2) at Windows side. But the requirements for phase 1 and/or phase 2 authentication, encryption, and other algorithms exist in ike2 case as well, so without finding out which combinations of these algorithms the client supports and proposes, you cannot succeed either.
So without visualizing the failed communication, there is no way ahead.
So I'd keep the configuration on Mikrotik side in its working state, double-check that by connecting one of the "old" PCs which do connect successfully, and then disconnect as much IPsec peers as you can without affecting your workflow (to minimize the amount of unrelated events in the log), start the logging and press [connect] on one of those Windows10 machines which fail to connect. After getting the error message from Windows, you can stop logging and start reading the log. It is not that hard but if you feel lost, just obfuscate the IP addresses and post the log file.
And one general remark - L2TP/IPsec doesn't work for two clients accessing the same server from behind the same public address unless you implement a server-side workaround.
-
-
ruiesteves
newbie
- Posts: 31
- Joined:
Re: L2TP/IPSEC VPN with Windows 10
Hi Sindy,
Sorry for my confusion. This time I followed the instructions.
I cleaned up the configuration, returning to the starting point (cleaned configuration attached)
I also set:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"
The result is the attached file ipsec-start.txt
as I am not a network /communications expert, I am unable to interpret and find the most appropriate solution.
can you please help me?
Thank you
I forgot to tell that the error that the client displays is:
The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly
Sorry for my confusion. This time I followed the instructions.
I cleaned up the configuration, returning to the starting point (cleaned configuration attached)
I also set:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"
The result is the attached file ipsec-start.txt
as I am not a network /communications expert, I am unable to interpret and find the most appropriate solution.
can you please help me?
Thank you
I forgot to tell that the error that the client displays is:
The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly
You do not have the required permissions to view the files attached to this post.
Re: L2TP/IPSEC VPN with Windows 10
The log shows that the Windows try first to establish an ike2 IPsec connection (where only one exchange mode is available) and then an ike1 connection (where several exchange modes exist - main, aggressive, base). When Mikrotik receives an initial packet of an IPsec connection, it looks for a peer whose address and exchange-mode parameters match the incoming request. Peers with exchange-mode set to main and main-l2tp cannot be distinguished from each other because these two only differ by handling, not by the identification code in the initial packet.
So please post the output of /ip ipsec peer print as that will show also dynamically added peers. Replace the IP addresses you want to hide by meaningful strings, but hide only what really needs to be hidden, keep 0.0.0.0/0 and alike unchanged.
But if you have really checked that the other Windows machines can connect successfully with this configuration, it means that the failing Windows client indicates use of aggressive, base, or by mistake some non-standardized mode. To confirm that, you would have to change the logging setting to log also the contents of the packets using /system logging set [find topics~"ipsec"] topics=ipsec and repeat the procedure.
So please do both steps above and post the results.
So please post the output of /ip ipsec peer print as that will show also dynamically added peers. Replace the IP addresses you want to hide by meaningful strings, but hide only what really needs to be hidden, keep 0.0.0.0/0 and alike unchanged.
But if you have really checked that the other Windows machines can connect successfully with this configuration, it means that the failing Windows client indicates use of aggressive, base, or by mistake some non-standardized mode. To confirm that, you would have to change the logging setting to log also the contents of the packets using /system logging set [find topics~"ipsec"] topics=ipsec and repeat the procedure.
So please do both steps above and post the results.
Re: L2TP/IPSEC VPN with Windows 10
Hi
I had similar issues with Windows 10 so I moved over to IKev2 and created certificates no problems any more
Just remember to set PFS group to none otherwise it will drop randomly as I found out
Ta
I had similar issues with Windows 10 so I moved over to IKev2 and created certificates no problems any more
Just remember to set PFS group to none otherwise it will drop randomly as I found out
Ta
Re: L2TP/IPSEC VPN with Windows 10
Just noticed that - in the configuration you've posted in your previous post, the l2tp-server configuration does not create a dynamic IPsec peer, and the static one has address=0.0.0.0/32. So either the older Win10 client allows to establish L2TP connection without the IPsec tunnel whereas the new one doesn't, or there must be a mistake in the "restored" configuration because 0.0.0.0/32 doesn't match any address, there should be 0.0.0.0/0 to accept connections from anywhere.
-
-
ruiesteves
newbie
- Posts: 31
- Joined:
Re: L2TP/IPSEC VPN with Windows 10
Hi
You are right. It should be 0.0.0.0/0 and not 0.0.0.0/32. I already fixed it.
Attached you can find the log with the new details.
When we finish debugging, what is the command to restore the normal log without all those details?
This is the output of the command /ip ipsec peer print:
# aug/ 5/2018 20:59: 1 by RouterOS 6.42.6
# software id = 6X1L-00W2
#
Flags: X - disabled, D - dynamic, R - responder
0 R address=0.0.0.0/0 auth-method=pre-shared-key
secret="********************" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha512 enc-algorithm=aes-256,3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Thank you.
You are right. It should be 0.0.0.0/0 and not 0.0.0.0/32. I already fixed it.
Attached you can find the log with the new details.
When we finish debugging, what is the command to restore the normal log without all those details?
This is the output of the command /ip ipsec peer print:
# aug/ 5/2018 20:59: 1 by RouterOS 6.42.6
# software id = 6X1L-00W2
#
Flags: X - disabled, D - dynamic, R - responder
0 R address=0.0.0.0/0 auth-method=pre-shared-key
secret="********************" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha512 enc-algorithm=aes-256,3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Thank you.
You do not have the required permissions to view the files attached to this post.
Re: L2TP/IPSEC VPN with Windows 10
Check the settings of the new Windows client - in all its proposals in all the attempts, the Windows client only proposes to use certificates for mutual authentication, whereas your configuration is for authentication using a shared secret:
20:42:52 ipsec rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = pre-shared key:RSA signatures
To stop logging of ipsec debug, you'll just disable or remove the /system logging item with topics~ipsec.
20:42:52 ipsec rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = pre-shared key:RSA signatures
To stop logging of ipsec debug, you'll just disable or remove the /system logging item with topics~ipsec.
-
-
ruiesteves
newbie
- Posts: 31
- Joined:
Re: L2TP/IPSEC VPN with Windows 10
Hi
When setting the VPN on the client side, I selected "VPN type=Automatic". Probably with the newer Win10 version it behaves differently. So, I changed to "VPN type=L2TP/IPsec with pre-shared key".
Now it also fails but now the error is: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
Attached I am sending the log for this attempt.
It seems that we are one step closer but not yet there.
When setting the VPN on the client side, I selected "VPN type=Automatic". Probably with the newer Win10 version it behaves differently. So, I changed to "VPN type=L2TP/IPsec with pre-shared key".
Now it also fails but now the error is: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
Attached I am sending the log for this attempt.
It seems that we are one step closer but not yet there.
You do not have the required permissions to view the files attached to this post.
Re: L2TP/IPSEC VPN with Windows 10 [SOLVED]
Looking at your /ip ipsec peer print, I can see hash-algorithm=sha512 enc-algorithm=aes-256,3des dh-group=modp1024 and I wonder how it could ever work with the older versions of Windows clients as these older versions definitely didn't support sha512 (nor does the new one). So I'm afraid it might be that the older windows clients could fall back to plain L2TP without IPsec (which would be worth testing - when one of the old WIndows client will be the only one connected, try /ip ipsec remote-peers print to see whether that PC's public IP is in the list - if it is not, it is connected using a plain L2TP) while the new version does not permit the fallback.
So the next step is to set peer's hash-algorithm to sha1, enc-algorithm to aes-256 and dh-group to modp2048 which are the strongest phase 1 algorithms proposed by the Windows client, which to my knowledge the older clients support too. This way, both old and new clients should get past phase 1, and the next thing may be to deal with will be the phase 2 proposal.
So the next step is to set peer's hash-algorithm to sha1, enc-algorithm to aes-256 and dh-group to modp2048 which are the strongest phase 1 algorithms proposed by the Windows client, which to my knowledge the older clients support too. This way, both old and new clients should get past phase 1, and the next thing may be to deal with will be the phase 2 proposal.
-
-
ruiesteves
newbie
- Posts: 31
- Joined:
Re: L2TP/IPSEC VPN with Windows 10
It worked fine with one of the new PCs. I will check with the older ones to see if they still connect
Thank you!
Thank you!
Re: L2TP/IPSEC VPN with Windows 10
I'm posting this here for the benefit of others who happen across this topic. My understanding of the most secure settings that will still allow the included Windows 10 (1703 aka Creators Update) IPsec client to connect via IPSec PSK are as follows:
Phase1: (/ip ipsec peer profile)
dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
Phase2: (/ip ipsec proposal)
auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256
Unfortunately, these settings can not be configured in the GUI, you'll need to use Powershell. Below is a working configuration (if you want IPsec shared secret support) for Windows 10 and iOS 12 devices.
Windows 10 PowerShell L2TP/IPsec PSK settings:
MikroTik L2TP/IPsec PSK server settings
Phase1: (/ip ipsec peer profile)
dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
Phase2: (/ip ipsec proposal)
auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256
Unfortunately, these settings can not be configured in the GUI, you'll need to use Powershell. Below is a working configuration (if you want IPsec shared secret support) for Windows 10 and iOS 12 devices.
Windows 10 PowerShell L2TP/IPsec PSK settings:
Code: Select all
#
# Compatible with Windows 10 and iOS 12 clients for connecting to MikroTik
#
# Reading
# https://forum.mikrotik.com/viewtopic.php?&t=137634
# https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration
# https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
# https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
# https://security.stackexchange.com/a/171511
#
# Follow up settings in the Windows GUI: Control Panel \ Network and Internet \ Network Connections
#
# Use ECP-256 (DHGroup19) to wrap an AES128 keys. Use ECP-521 (DHGroup21) to wrap AES256 keys.
#
#
# EncryptionMethod = Phase 1
# IntegrityCheckMethod = Hash Algorithm
# DHGroup = Initial Key Exchange during setup
# CipherTransformConstants = Phase 2
# PfsGroup = Perfect forward Secrecy (when the keys get exchanged again, say after an hour)
#
# AuthenticationTransformConstants = AH (not ESP which we use here)
Add-VpnConnection -Name "VPNName" -ServerAddress PublicIPAddress -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPNName" -EncryptionMethod AES256 -CipherTransformConstants AES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup ECP256 -AuthenticationTransformConstants SHA196 -PassThru -Force
MikroTik L2TP/IPsec PSK server settings
Code: Select all
######################################
# Minimal settings for L2TP/IPSec VPN
######################################
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"
/interface l2tp-server
add name=L2TP user=uservpn
/ppp secret
add name=uservpn password="PasswordUser" service=l2tp
/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required
#Phase1 settings, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
# added automatically when l2tp-server server enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1
#Phase2 Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256
# configure the rest of the router
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=bridge-LAN list=LAN
add interface=L2TP1 list=LAN
add interface=ether1 list=WAN
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"
/interface
set bridge-LAN arp=proxy-arp
# optional
/system logging
add topics=ipsec,!packet