Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

L2TP/IPsec configuration disables all connectivity

Thu Mar 17, 2011 12:44 am

Following the wiki post "L2TP + IPSEC between Mikrotik router and a PC", I attempted to set up my own VPN server. When I add the IPsec policy, my x86 router running 5.0 RC7 loses all of its connections. To remedy this, I used the console to disable the policy, then all connections were restored on my LAN. Here is some information on my setup. If more info is needed, just let me know. Thanks!

For this one, I have the VPN connection, accessible from any address, on 192.168.1.80.
/ppp secret add caller-id="" comment="VPN" disabled=no limit-bytes-in=0 limit-bytes-out=0 localaddress=192.168.1.80 name=uname password=blah profile=default remote-address=0.0.0.0 routes="" service=l2tp
/interface l2tp-server add disabled=no name=l2tp-default user=uname
/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
Client, assigned 192.168.1.80, from any address can access all network resources.
/ip ipsec policy add action=encrypt disabled=no dst-address=192.168.1.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=0.0.0.0 sa-src-address=192.168.1.80 src-address=192.168.1.0/24:any tunnel=yes
Again, client can connect from any address.
/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no proposal-check=obey secret=test send-initial-contact=yes
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Thu Mar 17, 2011 8:52 pm

Any advice for me on this, guys? :)
 
mikroguf
just joined
Posts: 11
Joined: Mon Dec 06, 2010 5:40 am

Re: L2TP/IPsec configuration disables all connectivity

Fri Mar 18, 2011 12:31 am

If you are attempting to allow an L2TP/IPSec client on any address to create a tunnel to your server, which is addressable on 192.168.1.80, then you have got yourself in a muddle. I recommend that you re-read the material, but also note that the link you refer to talks about setting up a tunnel to a PC on a known IP address.

If you want to allow a tunnel from a PC on any address, I can offer some tips as follows:

1. In your /ppp secret config, local_address and remote_address are assigned to the two ends of the L2TP tunnel once it comes up, i.e. they are the private addresses for the tunnel, not the external addresses as you have them.

2. There is no need for an l2tp server config; remove it unless you specifically need to set up other configs (e.g. rules).

3. As your client will be connecting from an unknown address, you must use generate=yes in your ipsec peer config, so there is no need to define an ipsec policy - it will be generated for you. You should remove your policy.

I'm not sure why you are losing connectivity with your config, but try amending your config as above and see if the problem persists.

We've now done a lot of work with ROS and L2TP/IPSec, and it works great except for (a) XP clients behind NAT and (b) when using more than one Win7/Vista client at a time. We are hoping MT will fix these last bits up and await a progress update from their support team.
Last edited by mikroguf on Fri Mar 18, 2011 9:56 am, edited 1 time in total.
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Fri Mar 18, 2011 5:57 am

Thanks for your reply. Even after I follow your instructions, I cannot connect to the VPN. I cannot even telnet into port 500, so it sounds like the server is not running? I have added a firewall rule to forward the port.
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Sat Mar 19, 2011 9:47 pm

Guys, I have been tinkering with this some more, but to no avail. It would appear as though I have everything I need for my IPsec VPN to work, but still it would appear as though there is no service utilizing port 500. Any help will be greatly appreciated. Thanks.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: L2TP/IPsec configuration disables all connectivity

Sun Mar 20, 2011 4:31 pm

ISAKMP uses UDP/500; that's why you can't connect using telnet.

Can you post your revised configs after following the instructions given by the previous poster?

Regards

Andrew
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Sun Mar 20, 2011 7:48 pm

I have attached my configuration below. Thanks for taking a look at it.
screenshot_20110320_000.png
screenshot_20110320_001.png
screenshot_20110320_002.png
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: L2TP/IPsec configuration disables all connectivity

Sun Mar 20, 2011 11:02 pm

Unfortunately, there's not enough information in the screenshots. Can you export your IPSEC, PPP and L2TP settings?

I normally deviate from the instructions in the wiki article for the L2TP server by enabling it, but not creating the server interface. I then create a bridge group with the internal ethernet interface and specify the bridge on the profile. This way, the L2TP server interfaces are created dynamically and any firewall rules can be applied to the bridge.

Andrew
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Sun Mar 20, 2011 11:23 pm

The person who first replied to my post told me that L2TP settings were not necessary, so I'm not sure what to provide you as far as that's concerned.
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no \
    proposal-check=obey secret=test send-initial-contact=yes
/ppp profile
set default change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-ipv6=yes use-mpls=default \
    use-vj-compression=default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=\
    default use-compression=default use-encryption=yes use-ipv6=yes use-mpls=\
    default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="Daniel s VPN" disabled=no limit-bytes-in=0 \
    limit-bytes-out=0 name=aoeu password=aoeuaoeu profile=\
    default routes="" service=l2tp
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: L2TP/IPsec configuration disables all connectivity

Mon Mar 21, 2011 12:36 am

The ipsec peer definition is incorrect; it should be
address=0.0.0.0/0:500
Make sure you don't have an IPSEC policy defined. In what follows, replace any addresses with your own.

Turn on the L2TP server:
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=\
    yes max-mru=1460 max-mtu=1460 mrru=disabled
Define a bridge interface and add the internal ethernet interface to it:
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=proxy-arp auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1524 max-message-age=20s \
    mtu=1500 name=VPN-bridge priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface bridge port add bridge=VPN-bridge comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=Internal path-cost=10 point-to-point=auto \
    priority=0x80
Put your internal interface address onto the bridge port (careful if this is the address you're using to access the router):
/ip address
add address=192.168.1.254/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=VPN-bridge network=192.168.1.0
Define a VPN client address pool:
/ip pool add name=vpn_pool ranges=192.168.1.200-192.168.1.240
Amend the default profile:
/ppp profile
set default bridge=VPN-bridge change-tcp-mss=yes comment="" local-address=\
    192.168.1.254 name=default only-one=default remote-address=vpn_pool \
    use-compression=default use-encryption=default use-vj-compression=default
I think that's it. I'll test this on my home router tomorrow.

Regards

Andrew
 
Marlon89
newbie
Topic Author
Posts: 26
Joined: Fri Jul 30, 2010 7:58 pm
Location: Charlotte, North Carolina, USA

Re: L2TP/IPsec configuration disables all connectivity

Mon Mar 21, 2011 1:39 am

Works great...internally. I thought I had my port forwarding right, but I guess not. This is what I have:
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=1701 in-interface=ether1 protocol=udp to-addresses=192.168.1.1 to-ports=1701
Thank you for helping me with this.
 
mikroguf
just joined
Posts: 11
Joined: Mon Dec 06, 2010 5:40 am

Re: L2TP/IPsec configuration disables all connectivity

Tue Mar 22, 2011 3:17 am

Most client software will attempt to switch to NAT-T if it detects NAT in the path. So that means if you are using NAT, you need to configure your IPSec peer to use NAT-T.

Be aware though that not all clients are currently working with NAT-T. Windows XP, for instance, will not successfully establish an IPSec/L2TP VPN if there is NAT anywhere in the IP path.
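As an added example (written for this page, not code from any poster or from MikroTik), a small Python lint that reads a RouterOS export in the backslash-continued format shown in this thread and flags the three peer/policy mistakes the thread worked through: the 0.0.0.0/32 peer address, a static LAN-to-LAN policy with level=require (which demands IPsec for all LAN traffic and is the likely reason connectivity died when it was added), and nat-traversal=no for clients behind NAT. The sample export is constructed from the first post's values; the finding texts are this example's own wording.

```python
import shlex

# Constructed sample in RouterOS export format, built from the first post's peer and policy.
SAMPLE_EXPORT = """\
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24:any level=require \\
    sa-dst-address=0.0.0.0 sa-src-address=192.168.1.80 src-address=192.168.1.0/24:any tunnel=yes
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key generate-policy=no hash-algorithm=\\
    sha1 nat-traversal=no secret=test
"""

def parse_export(text):
    """Return [(menu_path, {key: value})] for every add/set command in an export."""
    entries, menu, buf = [], None, ""
    for raw in text.splitlines():
        # A trailing backslash continues the command; the continuation's indentation is
        # not part of the value (the export may even break right after "hash-algorithm=").
        line = buf + (raw.lstrip() if buf else raw)
        if line.rstrip().endswith("\\"):
            buf = line.rstrip()[:-1]
            continue
        buf, line = "", line.strip()
        if line.startswith("/"):
            menu = line
        elif line.split()[:1] in (["add"], ["set"]):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            entries.append((menu, dict(pairs)))
    return entries

def lint(entries):
    """Flag the defects the thread ran into; returns a list of finding strings."""
    findings = []
    for menu, kv in entries:
        if kv.get("disabled") == "yes":
            continue
        if menu == "/ip ipsec peer":
            addr = kv.get("address", "")
            if addr.startswith("0.0.0.0/32"):
                findings.append("peer: 0.0.0.0/32 matches no remote; roaming clients need 0.0.0.0/0")
            if addr.startswith("0.0.0.0/") and kv.get("generate-policy", "no") == "no":
                findings.append("peer: any-address peer needs generate-policy=yes, not a static policy")
            if kv.get("nat-traversal", "no") == "no":
                findings.append("peer: nat-traversal=no; clients behind NAT need NAT-T (UDP/4500)")
        elif menu == "/ip ipsec policy" and kv.get("level") == "require":
            src, dst = (kv.get(k, "").split(":")[0] for k in ("src-address", "dst-address"))
            if src == dst:
                findings.append(f"policy: {src} -> {dst} with level=require demands IPsec for all "
                                "LAN traffic; likely why connectivity died when it was added")
    return findings
```

Running `lint(parse_export(SAMPLE_EXPORT))` reports all four problems; the same lint over an export with address=0.0.0.0/0:500, generate-policy=yes and nat-traversal=yes reports nothing.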
