l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 2:27 pm
by engiman
Hello,
I just set up a CHR in a VPS, and I found a bug.
From any RB, the l2tp client with ipsec just won't connect to the CHR; also, from the CHR, the l2tp client won't connect to any RB. I tested from my Windows laptop: I can connect to the CHR with the built-in l2tp ipsec driver, and of course I can connect to a RB also.
So I set up a CHR on my computer (in a VirtualBox VM), no configuration, no firewall rules, just an l2tp server with one profile, and from a RB (neither a 5009 nor an ac2) I can not connect to this server, and from this CHR I can not connect to a RB. (Every MikroTik is on a local network, no firewall rules.) From my laptop I can connect to the CHR and the RBs also.
The last test was: from my virtualized CHR I can connect to the CHR in the VPS!!! So between two CHRs everything is OK, between computer and CHR is OK, but between CHR and a RB there is a problem!! I tested the latest 6.49.2 CHR and the latest 7.1.1 CHR too. CHR version 7 can also connect to CHR version 6.
I assume the problem comes from ipsec, phase 1 negotiation maybe; without ipsec, l2tp just works OK.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 3:55 pm
by own3r1138
Could you provide any log or error?
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:12 pm
by engiman
There is nothing informative in the log.
client side:
initializing...
connecting...
init new pahase 1
terminating...-session closed
disconnected
Then it starts from initializing again..
server side:
respond new phase 1
ISAKMP-SA established
purging ISAKMP-SA
ISAKMP-SA deleted
first L2TP UDP paket received from ...
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:16 pm
by own3r1138
Are you sure this is all you get? For one L2TP connection, I will have more than 25 lines in the log even if it fails.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:24 pm
by engiman
Yes, so strange.
Please test it. I have more than 500 customers, who mostly use l2tp to connect to their router or to my router, and there are more than 50 RBs which connect to my router via l2tp ipsec.
As you can see, I am not a virgin at setting up this kind of connection.
This is my first CHR, and I could not connect to or from it via l2tp ipsec with RBs. But from a computer or a virtualized CHR I could. ?!
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:28 pm
by own3r1138
I have a CHR with an L2TP setup and I also have an RB2011; I can confirm everything works.
I think it's better to have a firewall with established and related accept in the input and forward chains, and also accept for 1701, 500, 4500 and IPsec ESP protocol 50 in the input chain.
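The rule set own3r1138 describes, written out as an added example (not configuration from anyone in this thread). It assumes the WAN-facing interface is in an interface list named WAN and adds two things the post does not mention: the ipsec-policy matcher, so UDP 1701 is only accepted once it arrives inside the IPsec tunnel, and an ipsec logging topic so a failing phase 1 is actually visible in /log.

```routeros
# Added example: L2TP/IPsec server firewall, RouterOS 6.4x / 7.x syntax.
# "WAN" interface list is an assumption; create it or replace with in-interface=<your WAN>.
/interface list
add name=WAN comment="uplink interfaces (assumed name)"

/ip firewall filter
# let replies to the router's own traffic and already-negotiated sessions through
add chain=input connection-state=established,related action=accept \
    comment="established/related"
# IKE (UDP 500) and NAT-Traversal (UDP 4500) - phase 1 / phase 2 negotiation
add chain=input protocol=udp dst-port=500,4500 in-interface-list=WAN \
    action=accept comment="IKE / NAT-T"
# ESP (IP protocol 50) for peers that are not behind NAT
add chain=input protocol=ipsec-esp in-interface-list=WAN action=accept \
    comment="IPsec ESP"
# L2TP control/data (UDP 1701), but only after IPsec decapsulation:
# plaintext L2TP from the internet is not accepted
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    in-interface-list=WAN action=accept comment="L2TP inside IPsec only"
# everything else from WAN to the router itself is dropped
add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"

# forward chain: keep established/related flowing for the tunnelled clients
add chain=forward connection-state=established,related action=accept \
    comment="forward established/related"

# make IPsec negotiation visible in /log (omit packet dumps to keep it readable)
/system logging
add topics=ipsec,!packet action=memory
```

With the logging topic enabled, a phase 1 that fails on proposal mismatch or a filtered UDP 500/4500 path produces considerably more than the five lines quoted earlier in the thread.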
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:43 pm
by engiman
I tested on a local network with no firewall rules, no other config (no default config, of course).
So I don't understand your advice.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:51 pm
by own3r1138
I'm saying it's better to have a firewall with what l2tp will use as allowed.
As you can see, there is no bug regarding this issue.
2022-01-20_18-19-02.png
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 4:55 pm
by engiman
This is not a CHR version!! You have an x86 version.
You must see it on the title bar like this:
chr.jpg
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 5:02 pm
by own3r1138
What's the difference in l2tp implementation?
I think both of them have the same daemon.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 5:14 pm
by engiman
Try it. CHR won't connect. I don't know why; it is a bug, I think.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 5:19 pm
by own3r1138
I think it's better to post your config.
L2TP is a very old protocol. I'm sure if there was a bug, it would have been reported and fixed by now.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 5:30 pm
by engiman
TRY IT !
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 5:56 pm
by own3r1138
@engiman
2022-01-20_19-24-47.png
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:01 pm
by engiman
Maybe I should downgrade CHR... 6.49.2 and 7.1.1 did not work here.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:02 pm
by own3r1138
Let me upgrade, because I don't think that's the problem.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:07 pm
by own3r1138
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:09 pm
by engiman
CHR 6.48.6 works OK.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:15 pm
by own3r1138
As you can see, I'm at the latest v6, so 6.49.2 and 7.1.1 are also working.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:38 pm
by inteq
Tested from an RB1100AHx4 to a CHR on an ESXi 7 VM. Both on RoS 6.49.2.
All good. Both ways.
You are missing/messing something in your config.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 6:46 pm
by sindy
You are missing/messing something in your config.
Since the same config works for the OP in 6.48.6 but doesn't in 6.49.2 and 7.1.1, I'd assume some encryption algorithm or alike behaves differently between the versions, depending on CPU architecture. So I'd suggest comparing the
/ip ipsec profile and
/ip ipsec proposal rows both of you use. RB1100AHx4 is an ARM architecture like hAP ac², so this should not explain the difference.
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 7:03 pm
by engiman
I downgraded my CHR to 6.48.6 and now it works as I expected. No configuration has changed. So it must be some bug..
Re: l2tp with ipsec between CHR and RB
Posted: Thu Jan 20, 2022 7:28 pm
by mhaluska
Working fine for me: CHR <-> HexS, both on ROS 7.1.1
Re: l2tp with ipsec between CHR and RB
Posted: Fri Jan 21, 2022 6:03 am
by inteq
You are missing/messing something in your config.
Since the same config works for the OP in 6.48.6 but doesn't in 6.49.2 and 7.1.1, I'd assume some encryption algorithm or alike behaves differently between the versions, depending on CPU architecture. So I'd suggest comparing the
/ip ipsec profile and
/ip ipsec proposal rows both of you use. RB1100AHx4 is an ARM architecture like hAP ac², so this should not explain the difference.
l2tp.jpg
l2tp-con.jpg
Re: l2tp with ipsec between CHR and RB
Posted: Fri Jan 21, 2022 12:12 pm
by engiman
OK, thanks everybody, there is no bug. My VPS provider has a special DDoS filter; for a test I asked them to turn it off, and tadaam!
So they made an exception for my VPS IP; the filter must be turned off for eternity.
However, there were some strange things: I do not understand why it worked after downgrading CHR, and how it worked from my laptop and not from my main router, and worked from a router behind my NAT, but I think all of them were caused by the DDoS filter rules, which are now off.
I also updated my Oracle VirtualBox to the latest; now everything works in my test environment too.