
L2TP/IPSec Client issue

Posted: Wed Apr 05, 2017 9:57 pm
by gartox
Hello all,

I'm running a CRS109-8G-1S-2HnD with ROS 6.38.5 Stable, and I'm not able to connect to my VPN provider.
Actually I tested a lot of solutions, but the SSTP/OVPN versions on this OS are not compatible with the features requested by my provider (e.g. OVPN TLS auth). PPTP seemed to be buggy on the latest MikroTik version, so I forgot about it too. Then I decided to go for L2TP/IPsec-PSK. But it doesn't work either, or I'm nearly getting it working:

The IPsec tunnel is correctly established, so the first part is OK, but the L2TP tunnel won't establish, see the log below:
PP.PP.PP.PP is my provider's public IP address
MM.MM.MM.MM is my public IP address

==========================
20:32:21 l2tp,ppp,info l2tp-out1-adsl: initializing...
20:32:21 l2tp,ppp,info l2tp-out1-adsl: connecting...
20:32:21 system,info device changed by admin
20:32:21 l2tp,debug tunnel 1 entering state: wait-ctl-reply
20:32:21 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from 0.0.0.0:1701
20:32:21 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
20:32:21 l2tp,debug,packet (M) Message-Type=SCCRQ
20:32:21 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:32:21 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:32:21 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:32:21 l2tp,debug,packet Firmware-Revision=0x1
20:32:21 l2tp,debug,packet (M) Host-Name="MikroTik"
20:32:21 l2tp,debug,packet Vendor-Name="MikroTik"
20:32:21 l2tp,debug,packet (M) Assigned-Tunnel-ID=1
20:32:21 l2tp,debug,packet (M) Receive-Window-Size=4
20:32:21 ipsec,info initiate new phase 1 (Identity Protection): MM.MM.MM.MM[500]<=>PP.PP.PP.PP[500]
20:32:22 ipsec,info ISAKMP-SA established MM.MM.MM.MM[500]-PP.PP.PP.PP[500] spi:432019bbc4367960:dd5c09db0d1881e7
20:32:22 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from 0.0.0.0:1701
20:32:22 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
20:32:22 l2tp,debug,packet (M) Message-Type=SCCRQ
20:32:22 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:32:22 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:32:22 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:32:22 l2tp,debug,packet Firmware-Revision=0x1
20:32:22 l2tp,debug,packet (M) Host-Name="MikroTik"
20:32:22 l2tp,debug,packet Vendor-Name="MikroTik"
20:32:22 l2tp,debug,packet (M) Assigned-Tunnel-ID=1
20:32:22 l2tp,debug,packet (M) Receive-Window-Size=4
20:32:23 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from 0.0.0.0:1701
20:32:23 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
20:32:23 l2tp,debug,packet (M) Message-Type=SCCRQ
20:32:23 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:32:23 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:32:23 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:32:23 l2tp,debug,packet Firmware-Revision=0x1
20:32:23 l2tp,debug,packet (M) Host-Name="MikroTik"
20:32:23 l2tp,debug,packet Vendor-Name="MikroTik"
20:32:23 l2tp,debug,packet (M) Assigned-Tunnel-ID=1
20:32:23 l2tp,debug,packet (M) Receive-Window-Size=4
20:32:25 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from 0.0.0.0:1701
20:32:25 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
20:32:25 l2tp,debug,packet (M) Message-Type=SCCRQ
20:32:25 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:32:25 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:32:25 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:32:25 l2tp,debug,packet Firmware-Revision=0x1
20:32:25 l2tp,debug,packet (M) Host-Name="MikroTik"
20:32:25 l2tp,debug,packet Vendor-Name="MikroTik"
20:32:25 l2tp,debug,packet (M) Assigned-Tunnel-ID=1
20:32:25 l2tp,debug,packet (M) Receive-Window-Size=4
20:32:25 l2tp,debug,packet rcvd control message from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=0, ns=0, nr=1
20:32:25 l2tp,debug,packet (M) Message-Type=SCCRP
20:32:25 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:32:25 l2tp,debug,packet (M) Framing-Capabilities=0x3
20:32:25 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:32:25 l2tp,debug,packet (M) Firmware-Revision=0x690
20:32:25 l2tp,debug,packet (M) Host-Name="fr14.nordvpn.com"
20:32:25 l2tp,debug,packet (M) Vendor-Name="xelerance.com"
20:32:25 l2tp,debug,packet (M) Assigned-Tunnel-ID=34438
20:32:25 l2tp,debug,packet (M) Receive-Window-Size=4
20:32:25 l2tp,debug tunnel 1 entering state: established
20:32:25 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=34438, session-id=0, ns=1, nr=1
20:32:25 l2tp,debug,packet (M) Message-Type=SCCCN
20:32:25 l2tp,debug session 1 entering state: wait-reply
20:32:25 l2tp,debug,packet rcvd control message (ack) from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=0, ns=0, nr=1
20:32:25 l2tp,debug,packet sent control message (ack) to PP.PP.PP.PP:1701 from MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=34438, session-id=0, ns=3, nr=1
20:32:25 l2tp,debug,packet rcvd control message (ack) from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=0, ns=1, nr=2
20:32:25 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=34438, session-id=0, ns=2, nr=1
20:32:25 l2tp,debug,packet (M) Message-Type=ICRQ
20:32:25 l2tp,debug,packet (M) Assigned-Session-ID=1
20:32:25 l2tp,debug,packet (M) Call-Serial-Number=0
20:32:25 l2tp,debug,packet (M) Bearer-Type=0x0
20:32:25 l2tp,debug,packet rcvd control message from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=1, ns=1, nr=3
20:32:25 l2tp,debug,packet (M) Message-Type=ICRP
20:32:25 l2tp,debug,packet (M) Assigned-Session-ID=39732
20:32:25 l2tp,debug session 1 entering state: established
20:32:25 l2tp,debug,packet sent control message to PP.PP.PP.PP:1701 from MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=34438, session-id=39732, ns=3, nr=2
20:32:25 l2tp,debug,packet (M) Message-Type=ICCN
20:32:25 l2tp,debug,packet (M) Framing-Type=0x1
20:32:25 l2tp,debug,packet (M) Tx-Connect-Speed-BPS=100000000
20:32:25 l2tp,debug,packet rcvd control message (ack) from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=0, ns=2, nr=3
20:32:25 l2tp,debug,packet rcvd control message (ack) from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=1, ns=2, nr=4
20:32:25 l2tp,ppp,debug l2tp-out1-adsl: LCP lowerup
20:32:25 l2tp,ppp,debug l2tp-out1-adsl: LCP open
20:32:25 l2tp,ppp,debug,packet l2tp-out1-adsl: sent LCP ConfReq id=0x1
20:32:25 l2tp,ppp,debug,packet <mru 1450>
20:32:25 l2tp,ppp,debug,packet <magic 0x29713c39>
20:32:25 l2tp,debug,packet rcvd control message from PP.PP.PP.PP:1701 to MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=1, session-id=1, ns=2, nr=4
20:32:25 l2tp,debug,packet (M) Message-Type=CDN
20:32:25 l2tp,debug,packet (M) Result-Code=1
20:32:25 l2tp,debug,packet Error-Code=0
20:32:25 l2tp,debug,packet (M) Assigned-Session-ID=39732
20:32:25 l2tp,debug,packet sent control message (ack) to PP.PP.PP.PP:1701 from MM.MM.MM.MM:1701
20:32:25 l2tp,debug,packet tunnel-id=34438, session-id=0, ns=4, nr=3
20:32:25 l2tp,debug session 1 entering state: stopping
20:32:25 l2tp,debug session 1 entering state: dead
==================================

I really can't figure out what's wrong, but from what I see there is no authentication phase in the L2TP connection; there should be an MS-CHAP exchange at least.
Here's the configuration:

/interface l2tp-client
add allow=chap,mschap2 connect-to=PP.PP.PP.PP ipsec-secret=******** keepalive-timeout=disabled name=l2tp-out1-adsl password=pass profile=nordvpn use-ipsec=yes user=username
/ppp profile
add name=nordvpn use-compression=yes use-encryption=yes use-mpls=no

I really would like to get it working!! :)
I've already spent a lot of time on it, trying different parameters, reading lots of forum pages...
Thanks for your help!!

Re: L2TP/IPSec Client issue

Posted: Sat Apr 08, 2017 6:32 pm
by gartox
Hello,

Finally I got it working. Just changed the destination server... :( The one I chose for testing seems not to accept L2TP sessions... So I tried another one and it's OK.

Re: L2TP/IPSec Client issue

Posted: Sun Apr 09, 2017 2:14 am
by gn0st1c
Hello,

Finally I got it working. Just changed the destination server... :( The one I chose for testing seems not to accept L2TP sessions... So I tried another one and it's OK.
I've been trying for a week now. Do you have some sort of write-up, or know of a site I can reference? I have the L2TP client set up, but I don't think I have the IPsec set up correctly.

Re: L2TP/IPSec Client issue

Posted: Mon May 15, 2017 8:07 pm
by gartox
Sorry for my late answer; finally, this is quite easy.

Create a new L2TP interface.

Name: any name
Connect To: provider server IP/DNS
User: username
Password: yourpassword
Profile: default-encryption
Use IPsec: tick Use IPsec (this will automatically generate the IPsec policy)
IPsec Secret: IPsec shared key
Allow: mschap2, mschap1, chap, pap

These are mostly the default options.

Then allow the incoming/outgoing ports for L2TP/IPsec: udp/4500, 500, 1701 on your outside interface (watch out for the input/output chains).

Then you can test; this new interface should go UP at this point.
After that you need to adapt your NAT masquerade and firewall rules to go through this new interface.

Have a good time :)
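The procedure above, written out as the equivalent RouterOS 6 CLI configuration. This is an added example, not configuration from the original post or from the VPN provider: the interface name l2tp-out1, the WAN interface name ether1-wan and the placeholder user, password and shared key are assumptions, and PP.PP.PP.PP stands for the provider's address as in the first post. It scopes the firewall rules tighter than the post describes: because the router is the initiator, the input chain only has to admit the provider's replies, so the UDP 500/4500/1701 and ESP accepts are limited to the provider's address on the WAN interface rather than being opened to everyone.

```routeros
# Added example: RouterOS 6 CLI equivalent of the steps above (not from the post).
# Assumptions: interface name l2tp-out1, WAN interface ether1-wan, placeholder
# user/password/shared key; PP.PP.PP.PP is the provider's address from the thread.

# 1. The L2TP client with IPsec transport. use-ipsec=yes is the CLI form of
#    ticking "Use IPsec" and creates the dynamic IPsec peer/policy for connect-to.
/interface l2tp-client
add name=l2tp-out1 connect-to=PP.PP.PP.PP user=username password=yourpassword \
    profile=default-encryption use-ipsec=yes ipsec-secret=SHARED_KEY \
    allow=pap,chap,mschap1,mschap2 disabled=no comment="VPN provider, L2TP/IPsec PSK"
# allow= lists the defaults named in the post; if the provider accepts mschap2,
# narrow it to allow=mschap2 so a weaker PPP method can never be negotiated.

# 2. Firewall. The router initiates, so input only needs the provider's replies.
#    Restrict the accepts to PP.PP.PP.PP on the WAN interface and keep them above
#    the generic drop rules (use place-before= if the chain already has a drop).
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router opened itself"
add chain=input action=accept in-interface=ether1-wan protocol=udp \
    src-address=PP.PP.PP.PP dst-port=500,4500,1701 \
    comment="IKE, NAT-T and L2TP from the provider only"
add chain=input action=accept in-interface=ether1-wan protocol=ipsec-esp \
    src-address=PP.PP.PP.PP comment="ESP from the provider (when NAT-T is not used)"
add chain=output action=accept out-interface=ether1-wan protocol=udp \
    dst-address=PP.PP.PP.PP dst-port=500,4500,1701 \
    comment="IKE, NAT-T and L2TP towards the provider"

# 3. NAT: masquerade whatever is routed out through the tunnel interface.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade comment="NAT into the VPN"

# 4. Checks: l2tp-out1 should carry the R (running) flag, IPsec should have an
#    installed SA pair with PP.PP.PP.PP, and the log should show the session up.
/interface l2tp-client print
/ip ipsec installed-sa print
/ip ipsec policy print
/log print where topics~"l2tp"
```

The output-chain rule only matters if the output chain ends in a drop; on a default firewall it is harmless. If the router itself sits behind NAT, IKE switches to UDP 4500 (NAT-T) and ESP is carried inside it, so the ipsec-esp rule never matches and can be left out.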

Re: L2TP/IPSec Client issue

Posted: Wed Nov 01, 2017 6:01 pm
by alexfn
Hi All,

Is L2TP/IPSEC currently working with NordVPN for anybody, on a Mikrotik router? Can you share your configuration for that?

Thanks much.

Re: L2TP/IPSec Client issue

Posted: Wed Nov 01, 2017 6:27 pm
by mrz
According to this:
https://nordvpn.com/tutorials/

it supports OVPN TCP, PPTP, IKE2, L2TP/IPsec.

All of these protocols are supported by RouterOS, so can be used with nordvpn.

Re: L2TP/IPSec Client issue

Posted: Wed Nov 01, 2017 6:49 pm
by alexfn
According to this:
https://nordvpn.com/tutorials/

it supports OVPN TCP, PPTP, IKE2, L2TP/IPsec.

All of these protocols are supported by RouterOS, so can be used with nordvpn.
According to that site, MikroTik supports PPTP only.
I've tried to set up the others, with no success.
From what I gathered, the version of OpenVPN currently present in RouterOS is an old one; it does not support the method used by NordVPN.
IKE2/IPsec gives an authentication failure.
L2TP/IPsec does not work either (in a different way) :-(

Re: L2TP/IPSec Client issue

Posted: Wed Nov 01, 2017 7:12 pm
by mrz
OK, OVPN, from the config examples, appears to be using tls-auth in addition to username/password, as well as comp-lzo. So this will not work.

ike2 uses eap-mschap2 as client authentication, so this also will not work.

But there is no reason why L2TP/IPsec will not work.

Re: L2TP/IPSec Client issue

Posted: Wed Nov 01, 2017 9:55 pm
by alexfn
...
But there is no reason why L2TP/IPsec will not work.
Good! Tried setting it up in different ways, still no luck. Something (some parameter?) is sending it all sideways. For example, I have set up an L2TP client requiring IPsec => the IPsec setup is dynamic, the IPsec policy status progresses up to "msg1 sent", the L2TP logs show that a control message to x.x.x.x:1701 from 0.0.0.0:1701 is sent several times, but then no replies are received and the tunnel state goes to dead.

Re: L2TP/IPSec Client issue

Posted: Thu Nov 02, 2017 9:25 am
by alexfn
... the IPsec setup is dynamic, the IPsec policy status progresses up to "msg1 sent", ...
Let me add that the SAs stay in the larval state.

Thanks.

Re: L2TP/IPSec Client issue

Posted: Fri Nov 03, 2017 10:06 am
by orhanarslan
Hi,
Firstly, sorry for my bad English.
How do I make a dynamic L2TP (ADSL) interface a member of a VRF? Or is there a RADIUS attribute for it?

Re: L2TP/IPSec Client issue

Posted: Sun Nov 05, 2017 10:07 am
by alexfn
Hi All,

I still cannot make it work with NordVPN. My L2TP/IPsec setup works fine with another VPN service, and the Windows 10 VPN client works fine on L2TP/IPsec with NordVPN.

So
Is L2TP/IPsec currently working with NordVPN for anybody, on a MikroTik router? Can you share your configuration for that?
Thanks!

Re: L2TP/IPSec Client issue

Posted: Sat Nov 18, 2017 10:38 pm
by alexfn
Hi,

I've finally succeeded to make it work!

However, the connection is *slow* ;-( L2TP/IPsec with the Windows 10 native VPN client works fine, providing a good speed.

Would anyone have a clue on what would be wrong in the setup?

Thanks!

Re: L2TP/IPSec Client issue

Posted: Sun Feb 25, 2018 4:17 pm
by gartox
Watch out: not all NordVPN servers accept L2TP/IPsec, so you may need to select suitable servers with NordVPN's server selection tool.
I've been using NordVPN L2TP/IPsec for a year and a half now; it's working great!
But I can't really be accurate on speed results: my xDSL internet is as high as 1.5 Mbps, so I can't overload the NordVPN server nor the MikroTik CPU... :(