MikroTik

Community discussions
https://forum.mikrotik.com/

Help with Ipsec and iOS

https://forum.mikrotik.com/viewtopic.php?t=125752

Page 1 of 1

Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 2:48 pm
by djec
Hi,

No matter what i try, i can't get IPSec working with iOS.

Where should i start?

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 3:04 pm
by tomaskir
1) Make sure you are running latest RouterOS
There has been many IPSec fixes recently.

2) Enable IPSec logging:

Code: Select all

/system logging
add topics=ipsec,!debug
3) Post your "/ip ipsec export" here
Maybe it's something simple we can spot just from the export.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 3:15 pm
by djec
14:12:50 ipsec,info respond new phase 1 (Identity Protection): xx.xx.x.68[500]<=>xx.xx.x.209[500]
14:12:50 ipsec received Vendor ID: RFC 3947
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec
14:12:50 ipsec received long Microsoft ID: FRAGMENTATION
14:12:50 ipsec Fragmentation enabled
14:12:50 ipsec received Vendor ID: DPD
14:12:50 ipsec 5.186.56.209 Selected NAT-T version: RFC 3947
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec NAT-D payload #0 verified
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec NAT-D payload #1 doesn't match
14:12:50 ipsec NAT detected: PEER
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec Adding remote and local NAT-D payloads.
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec NAT-T: ports changed to: xx.xx.x.209[4500]<=>xx.xx.x.68[4500]
14:12:50 ipsec KA list add: xx.xx.x.68[4500]->xx.xx.x.209[4500]
14:12:50 ipsec xx.xx.x.209 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
14:12:50 ipsec,info ISAKMP-SA established xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d
14:12:51 ipsec respond new phase 2 negotiation: xx.xx.x.68[4500]<=>xx.xx.x.209[4500]
14:12:51 ipsec searching for policy for selector: xx.xx.x.68:1701 ip-proto:17 <=> xx.xx.x.209:65242 ip-proto:17
14:12:51 ipsec generating policy
14:12:51 ipsec Adjusting my encmode UDP-Transport->Transport
14:12:51 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
14:12:51 ipsec authtype mismatched: my:hmac-sha256 peer:hmac-sha1
14:12:51 ipsec sent phase2 packet xx.xx.x.68[4500]<=>xx.xx.x.209[4500] 86011f62568df6a4:1701528c16a6459d:000060b7
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xaddadc4
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xd337886
14:12:51 ipsec removing generated policy
14:12:51 ipsec,info purging ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec purged ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec,info ISAKMP-SA deleted xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d rekey:1

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 3:17 pm
by djec
# sep/18/2017 14:16:33 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = xxxxxx
/ip ipsec policy group
add name=ipsec+l2tp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des pfs-group=none
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=ltp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=\
port-override lifetime=8h policy-template-group=ipsec+l2tp secret=xxxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=ipsec+l2tp src-address=0.0.0.0/0

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 3:20 pm
by tomaskir
It seems IPSec works, and clients can't connect L2TP.

We see in the log:
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209

So client actually starts the L2TP tunnel establishment within IPSec, but that fails.

It would seem issue is in L2TP configuration.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 3:34 pm
by djec
My PPP configuration is:

# sep/18/2017 14:34:01 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = XXXX
/ppp profile
add change-tcp-mss=yes dns-server=172.16.110.41,172.16.110.88 local-address=\
172.16.110.1 name=pptp-profile remote-address="VPN Pool" use-encryption=yes
add change-tcp-mss=yes dns-server=172.16.110.41 local-address=172.16.110.1 name=\
l2tp-profile remote-address="VPN Pool" use-encryption=yes
/ppp aaa
set use-radius=yes
/ppp l2tp-secret
add secret=xxx
/ppp secret
add name=vpn password=xxx profile=l2tp-profile service=l2tp

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 4:34 pm
by amt
just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 4:36 pm
by tomaskir
My PPP configuration is:
...
Your PPP profile is wrong.

Use it like this:

Code: Select all

/ppp profile
add change-tcp-mss=no dns-server=x.x.x.x local-address=x.x.x.x name=VPN remote-address=VPN_Users use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no
Change neccessary things (such as DNS server, local and remove addresses, etc.).

Notice the "use-encryption=no". This is VERY important.
This is PPP encryption, the MPPE standard.

You do NOT want to use this, since the L2TP traffic is encrypted using IPSec.
just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.
IPSec is not the problem in his setup, we can see that from the logs.
Doing what you say would not help.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 4:53 pm
by amt
just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.
IPSec is not the problem in his setup, we can see that from the logs.
Doing what you say would not help.
Im sory, I did not check

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 5:15 pm
by djec
Weird still not working..
Code: Select all
# sep/18/2017 16:14:07 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = xxx
/ppp profile
add change-tcp-mss=no dns-server=172.16.110.41,172.16.110.88 local-address=\
    172.16.110.1 name=VPN remote-address="VPN Pool" use-compression=no \
    use-encryption=no use-mpls=no use-upnp=no
Code: Select all
16:09:02 firewall,info output: in:(none) out:OUTSIDE_TDC_116, proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:02 firewall,info srcnat: in:(none) out:OUTSIDE_TDC_116, proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:02 firewall,info input: in:OUTSIDE_TDC_116 out:(none), proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:06 ipsec,info respond new phase 1 (Identity Protection): x.x.x.68[500]<=>x.x.x.209[500]
16:09:06 ipsec received Vendor ID: RFC 3947
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:09:06 ipsec
16:09:06 ipsec received long Microsoft ID: FRAGMENTATION
16:09:06 ipsec Fragmentation enabled
16:09:06 ipsec received Vendor ID: DPD
16:09:06 ipsec x.x.x.209 Selected NAT-T version: RFC 3947
16:09:06 ipsec sent phase1 packet x.x.x.68[500]<=>x.x.x.209[500] 3756d843bc7ecabe:82c0fc782d7744e1
16:09:06 ipsec x.x.x.68 Hashing x.x.x.68[500] with algo #2
16:09:06 ipsec NAT-D payload #0 verified
16:09:06 ipsec x.x.x.209 Hashing x.x.x.209[500] with algo #2
16:09:06 ipsec NAT-D payload #1 doesn't match
16:09:06 ipsec NAT detected: PEER
16:09:06 ipsec x.x.x.209 Hashing x.x.x.209[500] with algo #2
16:09:06 ipsec x.x.x.68 Hashing x.x.x.68[500] with algo #2
16:09:06 ipsec Adding remote and local NAT-D payloads.
16:09:06 ipsec sent phase1 packet x.x.x.68[500]<=>x.x.x.209[500] 3756d843bc7ecabe:82c0fc782d7744e1
16:09:06 ipsec NAT-T: ports changed to: x.x.x.209[4500]<=>x.x.x.68[4500]
16:09:06 ipsec KA list add: x.x.x.68[4500]->x.x.x.209[4500]
16:09:06 ipsec x.x.x.209 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
16:09:06 ipsec,info ISAKMP-SA established x.x.x.68[4500]-x.x.x.209[4500] spi:3756d843bc7ecabe:82c0fc782d7744e1
16:09:07 ipsec respond new phase 2 negotiation: x.x.x.68[4500]<=>x.x.x.209[4500]
16:09:07 ipsec searching for policy for selector: x.x.x.68:1701 ip-proto:17 <=> x.x.x.209:50967 ip-proto:17
16:09:07 ipsec generating policy
16:09:07 ipsec Adjusting my encmode UDP-Transport->Transport
16:09:07 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
16:09:07 ipsec authtype mismatched: my:hmac-sha256 peer:hmac-sha1
16:09:07 ipsec sent phase2 packet x.x.x.68[4500]<=>x.x.x.209[4500] 3756d843bc7ecabe:82c0fc782d7744e1:0000379d
16:09:07 ipsec IPsec-SA established: ESP/Transport x.x.x.209[4500]->x.x.x.68[4500] spi=0x188fac7
16:09:07 ipsec IPsec-SA established: ESP/Transport x.x.x.68[4500]->x.x.x.209[4500] spi=0xe02de91
16:09:07 l2tp,info first L2TP UDP packet received from x.x.x.209
16:09:07 ipsec purged IPsec-SA proto_id=ESP spi=0xe02de91
16:09:07 ipsec purged IPsec-SA proto_id=ESP spi=0x188fac7
16:09:07 ipsec removing generated policy
16:09:07 ipsec,info purging ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=3756d843bc7ecabe:82c0fc782d7744e1.
16:09:07 ipsec purged ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=3756d843bc7ecabe:82c0fc782d7744e1.
16:09:07 ipsec,info ISAKMP-SA deleted x.x.x.68[4500]-x.x.x.209[4500] spi:3756d843bc7ecabe:82c0fc782d7744e1 rekey:1
16:09:07 ipsec KA remove: x.x.x.68[4500]->x.x.x.209[4500]

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 5:25 pm
by tomaskir
You can turn off logging for IPSec, we see that works.

Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 5:41 pm
by djec
You can turn off logging for IPSec, we see that works.

Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
Ahh off course.
Code: Select all

16:40:16 system,info log rule changed by admin
16:40:20 ipsec,info respond new phase 1 (Identity Protection): x.x.x.68[500]<=>x.x.x.209[500]
16:40:20 ipsec,info ISAKMP-SA established x.x.x.68[4500]-x.x.x.209[4500] spi:a57b264a1eb913a2:1983540a2e149f4c
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:40:21 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:40:21 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:40:21 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:40:21 l2tp,debug,packet     (M) Host-Name=0x43:69:70:00
16:40:21 l2tp,debug,packet     (M) Assigned-Tunnel-ID=38
16:40:21 l2tp,debug,packet     (M) Receive-Window-Size=4
16:40:21 l2tp,info first L2TP UDP packet received from x.x.x.209
16:40:21 l2tp,debug tunnel 15 entering state: wait-ctl-conn
16:40:21 l2tp,debug,packet sent control message to x.x.x.209:51671 from x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=38, session-id=0, ns=0, nr=1
16:40:21 l2tp,debug,packet     (M) Message-Type=SCCRP
16:40:21 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:40:21 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:40:21 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:40:21 l2tp,debug,packet     Firmware-Revision=0x1
16:40:21 l2tp,debug,packet     (M) Host-Name="MikroTik"
16:40:21 l2tp,debug,packet     Vendor-Name="MikroTik"
16:40:21 l2tp,debug,packet     (M) Assigned-Tunnel-ID=15
16:40:21 l2tp,debug,packet     (M) Receive-Window-Size=4
16:40:21 l2tp,debug,packet     (M) Challenge=0xa0:40:4f:c8:fb:b7:03:8c:1b:4d:da:13:e1:d0:f9:9a
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=15, session-id=0, ns=1, nr=1
16:40:21 l2tp,debug,packet     (M) Message-Type=SCCCN
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping
16:40:21 l2tp,debug,packet sent control message to x.x.x.209:51671 from x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=38, session-id=0, ns=1, nr=2
16:40:21 l2tp,debug,packet     (M) Message-Type=StopCCN
16:40:21 l2tp,debug,packet     (M) Result-Code=1
16:40:21 l2tp,debug,packet     (M) Assigned-Tunnel-ID=15
16:40:21 l2tp,debug tunnel 15 entering state: stopping
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=15, session-id=0, ns=2, nr=1
16:40:21 l2tp,debug,packet     (M) Message-Type=ICRQ
16:40:21 l2tp,debug,packet     (M) Assigned-Session-ID=832
16:40:21 l2tp,debug,packet     (M) Call-Serial-Number=1
16:40:21 l2tp,debug tunnel 15 received message in stopping state, dropping
16:40:21 ipsec,info purging ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=a57b264a1eb913a2:1983540a2e149f4c.
16:40:21 ipsec,info ISAKMP-SA deleted x.x.x.68[4500]-x.x.x.209[4500] spi:a57b264a1eb913a2:1983540a2e149f4c rekey:1
16:40:21 l2tp,debug,packet rcvd control message (ack) from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet     tunnel-id=15, session-id=0, ns=3, nr=2
16:40:21 l2tp,debug tunnel 15 entering state: dead
16:40:22 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:22 l2tp,debug,packet     tunnel-id=15, session-id=0, ns=2, nr=2
16:40:22 l2tp,debug,packet     (M) Message-Type=ICRQ
16:40:22 l2tp,debug,packet     (M) Assigned-Session-ID=832
16:40:22 l2tp,debug,packet     (M) Call-Serial-Number=1

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 5:53 pm
by tomaskir
This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping

Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 6:06 pm
by djec
This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping

Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
The L2TP secret is required.

If i remove it, and try to connect i get the message "The IPsec shared secret is missing."

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 6:13 pm
by tomaskir
The L2TP secret is required.

If i remove it, and try to connect i get the message "The IPsec shared secret is missing."
There is a difference between IPSec PSK (pre-shared key), and the L2TP secret.

You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2TP secret.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 6:20 pm
by djec
The L2TP secret is required.

If i remove it, and try to connect i get the message "The IPsec shared secret is missing."
There is a difference between IPSec PSK (pre-shared key), and the L2TP secret.

You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2TP secret.
Ahh in my configuration the two are the same, can that be the problem?

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 6:27 pm
by tomaskir
Ahh in my configuration the two are the same, can that be the problem?
EDIT:
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".

Then make sure it's the same in your client.

Re: Help with Ipsec and iOS

Posted: Mon Sep 18, 2017 8:00 pm
by djec
Deleted the PPP LT2P Secrets, then its working..

So if PPP L2TP Secret is present, then its not working, even if its the same secret as IPSEC secret :)

So many thank you! :D

Re: Help with Ipsec and iOS

Posted: Tue Nov 07, 2017 1:36 pm
by asle
Ahh in my configuration the two are the same, can that be the problem?
EDIT:
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".

Then make sure it's the same in your client.
Wow! I can't say how much I have been struggling with this. Removing the L2TP secret solved my problem. I now can connect with OS X 10.13!
Many thanks!!
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/