lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:05 am

I'm trying to connect to an L2TP server using IPSec with my MikroTik hAP (RouterOS 6.46.5) but I can't. The same credentials work on my computer/phone.
These are the settings on the router:
/interface l2tp-client
add connect-to=l2tp-server ipsec-secret=******* keepalive-timeout=disabled name=l2tp-out1 password=***** use-ipsec=yes user=******
And this is the output of log print follow-only:
16:53:55 l2tp,ppp,info l2tp-out1: initializing...
16:53:55 l2tp,ppp,info l2tp-out1: connecting...
16:53:55 system,info device changed by admin
16:53:58 l2tp,debug tunnel 3 received no replies, disconnecting
16:53:58 l2tp,debug tunnel 3 entering state: dead
16:53:58 l2tp,debug session 1 entering state: dead
16:53:58 l2tp,debug tunnel 4 entering state: wait-ctl-reply
16:53:58 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:53:58 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:53:58 l2tp,debug,packet (M) Message-Type=SCCRQ
16:53:58 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:53:58 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:53:58 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:53:58 l2tp,debug,packet Firmware-Revision=0x1
16:53:58 l2tp,debug,packet (M) Host-Name="MikroTik"
16:53:58 l2tp,debug,packet Vendor-Name="MikroTik"
16:53:58 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:53:58 l2tp,debug,packet (M) Receive-Window-Size=4
16:53:58 ipsec,info initiate new phase 1 (Identity Protection): 192.168.88.23[500]<=>l2tp-server[500]
16:53:59 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:53:59 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:53:59 l2tp,debug,packet (M) Message-Type=SCCRQ
16:53:59 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:53:59 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:53:59 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:53:59 l2tp,debug,packet Firmware-Revision=0x1
16:53:59 l2tp,debug,packet (M) Host-Name="MikroTik"
16:53:59 l2tp,debug,packet Vendor-Name="MikroTik"
16:53:59 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:53:59 l2tp,debug,packet (M) Receive-Window-Size=4
16:53:59 ipsec,info the packet is retransmitted by l2tp-server[500].
16:53:59 ipsec,info ISAKMP-SA established 192.168.88.23[4500]-l2tp-server[4500] spi:79c9011332a7f16e:710d188085e49fb1
16:54:00 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:54:00 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:54:00 l2tp,debug,packet (M) Message-Type=SCCRQ
16:54:00 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:54:00 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:54:00 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:54:00 l2tp,debug,packet Firmware-Revision=0x1
16:54:00 l2tp,debug,packet (M) Host-Name="MikroTik"
16:54:00 l2tp,debug,packet Vendor-Name="MikroTik"
16:54:00 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:54:00 l2tp,debug,packet (M) Receive-Window-Size=4
16:54:02 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:54:02 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:54:02 l2tp,debug,packet (M) Message-Type=SCCRQ
16:54:02 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:54:02 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:54:02 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:54:02 l2tp,debug,packet Firmware-Revision=0x1
16:54:02 l2tp,debug,packet (M) Host-Name="MikroTik"
16:54:02 l2tp,debug,packet Vendor-Name="MikroTik"
16:54:02 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:54:02 l2tp,debug,packet (M) Receive-Window-Size=4
16:54:06 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:54:06 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:54:06 l2tp,debug,packet (M) Message-Type=SCCRQ
16:54:06 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:54:06 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:54:06 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:54:06 l2tp,debug,packet Firmware-Revision=0x1
16:54:06 l2tp,debug,packet (M) Host-Name="MikroTik"
16:54:06 l2tp,debug,packet Vendor-Name="MikroTik"
16:54:06 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:54:06 l2tp,debug,packet (M) Receive-Window-Size=4
16:54:14 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:54:14 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:54:14 l2tp,debug,packet (M) Message-Type=SCCRQ
16:54:14 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:54:14 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:54:14 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:54:14 l2tp,debug,packet Firmware-Revision=0x1
16:54:14 l2tp,debug,packet (M) Host-Name="MikroTik"
16:54:14 l2tp,debug,packet Vendor-Name="MikroTik"
16:54:14 l2tp,debug,packet (M) Assigned-Tunnel-ID=4
16:54:14 l2tp,debug,packet (M) Receive-Window-Size=4
16:54:22 l2tp,debug tunnel 4 received no replies, disconnecting
16:54:22 l2tp,debug tunnel 4 entering state: dead
16:54:22 l2tp,debug session 1 entering state: dead
16:54:22 l2tp,ppp,debug l2tp-out1: CCP close
16:54:22 l2tp,ppp,debug l2tp-out1: BCP close
16:54:22 l2tp,ppp,debug l2tp-out1: IPCP close
16:54:22 l2tp,ppp,debug l2tp-out1: IPV6CP close
16:54:22 l2tp,ppp,debug l2tp-out1: MPLSCP close
16:54:22 l2tp,ppp,info l2tp-out1: terminating... - session closed
16:54:22 l2tp,ppp,debug l2tp-out1: LCP lowerdown
16:54:22 l2tp,ppp,debug l2tp-out1: LCP down event in initial state
16:54:22 l2tp,ppp,info l2tp-out1: disconnected
16:54:22 l2tp,ppp,info l2tp-out1: initializing...
16:54:22 l2tp,ppp,info l2tp-out1: connecting...
16:54:22 l2tp,ppp,debug l2tp-out1: CCP close
16:54:22 l2tp,ppp,debug l2tp-out1: BCP close
16:54:22 l2tp,ppp,debug l2tp-out1: IPCP close
16:54:22 l2tp,ppp,debug l2tp-out1: IPV6CP close
16:54:22 l2tp,ppp,debug l2tp-out1: MPLSCP close
16:54:22 l2tp,ppp,info l2tp-out1: terminating... - old tunnel is not closed yet
16:54:22 l2tp,ppp,debug l2tp-out1: LCP lowerdown
16:54:22 l2tp,ppp,debug l2tp-out1: LCP down event in initial state
16:54:22 l2tp,ppp,info l2tp-out1: disconnected
16:54:22 l2tp,ppp,info l2tp-out1: initializing...
16:54:22 l2tp,ppp,info l2tp-out1: connecting...
Does anyone have an idea what to check?
Last edited by lacibsd on Mon Apr 27, 2020 12:32 am, edited 1 time in total.
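The log above shows the pattern worth recognising: the ISAKMP-SA comes up (so IKE on UDP 500/4500 reaches the server) while every SCCRQ on the L2TP control channel goes unanswered until the tunnel is declared dead. The following analyzer is an added example, not something from the original post or from RouterOS; it parses a constructed subset of the poster's `log print follow-only` lines and reports which layer to look at next. The wording "received control message" for inbound L2TP control messages is an assumption.

```python
import re

# Constructed excerpt in the format of the `log print follow-only` output quoted
# above (a subset of the poster's lines, not a new capture).
SAMPLE_LOG = """\
16:53:58 l2tp,debug tunnel 4 entering state: wait-ctl-reply
16:53:58 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:53:58 l2tp,debug,packet (M) Message-Type=SCCRQ
16:53:58 ipsec,info initiate new phase 1 (Identity Protection): 192.168.88.23[500]<=>l2tp-server[500]
16:53:59 ipsec,info ISAKMP-SA established 192.168.88.23[4500]-l2tp-server[4500]
16:54:00 l2tp,debug,packet sent control message to l2tp-server:1701 from 0.0.0.0:1701
16:54:00 l2tp,debug,packet (M) Message-Type=SCCRQ
16:54:22 l2tp,debug tunnel 4 received no replies, disconnecting
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d (?P<topics>[\w,]+) (?P<msg>.*)$")

def analyze(log_text):
    """Summarise one L2TP/IPsec connection attempt from RouterOS log text."""
    s = {"sccrq_sent": 0, "sccrp_seen": False, "ike_established": False, "no_replies": False}
    direction = None  # set by the last "sent/received control message" header line
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        topics, msg = m.group("topics").split(","), m.group("msg")
        if "ipsec" in topics:
            s["ike_established"] |= msg.startswith("ISAKMP-SA established")
        elif "l2tp" in topics:
            if msg.startswith("sent control message"):
                direction = "sent"
            elif msg.startswith("received control message"):  # assumed wording for inbound messages
                direction = "received"
            elif "Message-Type=SCCRQ" in msg and direction == "sent":
                s["sccrq_sent"] += 1
            elif "Message-Type=SCCRP" in msg and direction == "received":
                s["sccrp_seen"] = True
            elif "received no replies" in msg:
                s["no_replies"] = True
    return s

def diagnose(s):
    """Map the summary to the next thing to check; returns a short tag plus explanation."""
    if s["sccrp_seen"]:
        return "ok: the L2TP control channel answered"
    if not s["ike_established"]:
        return "ike-failed: phase 1 never completed, check UDP 500/4500 reachability and the IPsec secret"
    return ("l2tp-unanswered: IKE phase 1 completed but %d SCCRQ drew no SCCRP, so IKE reaches the "
            "server and the gap is UDP 1701 inside the IPsec SA or the server's L2TP service"
            % s["sccrq_sent"])
```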
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:15 am

An improperly configured firewall could be a reason for that...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:21 am

On the server or client side?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:25 am

On the client, since you've tested with another device and the server works...
If, for example, your firewall has any strange rules on top of the input chain blocking ports essential for L2TP/IPsec to work, e.g. UDP 500,500,1701 or any related protocol, you could have this problem...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:27 am

I see. The computer/phone is behind the same firewall as the MikroTik, using the same IP class.

 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:45 am

Your computer is not handled by the Input chain...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 12:52 am

Hmmm, interesting.
Just to be sure we are not misunderstanding each other, here is the topology:
L2TP server <---Internet---> WAN-Router-LAN-192.168.88.1/24
Computer-192.168.88.10, Phone-192.168.88.11, MikroTik-192.168.88.12
I thought the same rules apply to all three devices.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 1:08 am

Please export your firewall settings with hide-sensitive...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 1:19 am

Please find it below; this is from the L2TP client MikroTik:
[admin@MikroTik] > ip firewall export hide-sensitive
# apr/26/2020 18:17:35 by RouterOS 6.46.5
# software id = PRS2-615N
#
# model = 951Ui-2nD
# serial number = 5D450151BDDA
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
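The export above is the RouterOS default configuration: the input chain accepts established,related traffic first, so the replies to the router's own outbound IKE and L2TP packets are let in before "drop all not coming from LAN" is reached. The audit below is an added example, not part of the thread or of RouterOS; it parses `add ...` lines from a filter export and flags any drop placed in the input chain ahead of that accept rule that could hit the client's UDP 500/4500/1701 replies. The second export is constructed to show the "strange rule on top" case.

```python
import shlex

# Constructed inputs: the poster's default-config input chain, and a second,
# constructed chain with a drop placed ahead of the established,related accept.
FINE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""
BAD_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="constructed: blocks VPN replies" dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""
VPN_PORTS = {500, 4500, 1701}  # IKE, IKE over NAT-T, L2TP; all UDP, all visible in the log above

def parse_rules(export):
    """Turn the `add key=value ...` lines of a RouterOS export into dicts, keeping order."""
    rules = []
    for line in export.splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules

def ports(rule):
    v = rule.get("dst-port")
    return {int(p) for p in v.split(",")} if v else set()

def input_chain_blockers(export):
    """Comments of input-chain drop/reject rules that sit before the established,related
    accept and could match the VPN client's inbound IKE/L2TP packets."""
    found = []
    for rule in parse_rules(export):
        if rule.get("chain") != "input":
            continue
        if rule.get("action") == "accept" and "established" in rule.get("connection-state", ""):
            break  # from here on, replies to the router's own outbound packets are accepted
        if "connection-state" in rule:
            continue  # e.g. "drop invalid" only matches packets conntrack already rejects
        if rule.get("action") in ("drop", "reject") and rule.get("protocol", "udp") == "udp" \
                and (not ports(rule) or ports(rule) & VPN_PORTS):
            found.append(rule.get("comment", "<no comment>"))
    return found
```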
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 1:21 am

Your Firewall is fine...
When you try to connect to the Server, make sure there is no other L2TP Client active on your Network...
Also, check the profile for your L2TP Client, make sure Change TCP mss is set to yes. Also try without encryption in case it is enabled...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 2:09 am

Zacharias, thanks for your persistent help!!
"make sure there is no other L2TP Client active on your Network..." - check
"make sure Change TCP mss is set to yes" - I'm not seeing such an option, nor an option to disable encryption

 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 3:22 am

Go to PPP Profiles, double click the Profile used on your L2TP Client and you will find those attributes on the 1st and 2nd Tab...
Also, you could just try and remove the IPsec secret from the L2TP Client and try without it... The server might be configured to allow the connection even without IPsec...
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: MikroTik L2TP/IPSec client

Mon Apr 27, 2020 3:49 am

Thank you, I stepped away for now. I’m going to take a look probably later this week.