Something's wrong with my L2TP VPN

Posted: Wed Jun 29, 2011 1:58 am
by nsayer
I'm using Macs and an iPhone to connect home from the road.

I also have an L2TP tunnel to another premises that is more or less permanently up. That one is coming from a Mikrotik box. That one works. The one thing that seems a little odd is that it logs a lot of:

15:41:09 ipsec,debug,packet 224 bytes message received from {TUNNEL_CLIENT}[500] to {MY_IP}[500]
15:41:09 ipsec,debug not acceptable Aggressive mode

It does that once every few seconds. Despite that, the tunnel is up and traffic is flowing fine.

The problem is the other clients.

I can connect just fine anytime within the first, oh, I dunno, call it an hour or so after the Mikrotik box is rebooted. After that, connection attempts time out.

I swear, this used to be working just fine and I haven't changed anything. They just time out.

The failures look more or less like this:

15:45:53 ipsec,debug,packet getsockmyaddr {MY_IP}[500]
15:45:53 ipsec,debug,packet 236 bytes from {MY_IP}[500] to {CLIENT_IP}[37650]
15:45:53 ipsec,debug,packet sockname {MY_IP}[500]
15:45:53 ipsec,debug,packet send packet from {MY_IP}[500]
15:45:53 ipsec,debug,packet send packet to {CLIENT_IP}[37650]
15:45:53 ipsec,debug,packet src4 {MY_IP}[500]
15:45:53 ipsec,debug,packet dst4 {CLIENT_IP}[37650]
15:45:53 ipsec,debug,packet 1 times of 236 bytes message will be sent to {CLIENT_IP}[37650]
15:45:53 ipsec,debug,packet 2bf1af44 418514eb e5fbc64c d46f4e44 04100200 00000000 000000ec 0a000084
15:45:53 ipsec,debug,packet 605791bd 5edbbd8d ff8ff436 814f1884 1d9507e5 154cd04d e5349620 558df333
15:45:53 ipsec,debug,packet dc8c1b07 59a5dae2 2fa0f379 03bb6dda fb519748 3254b399 1c1e3512 0deb0f6d
15:45:53 ipsec,debug,packet abf2f867 9f536614 0e7bbce3 ea1d541c a79ee54a f6572064 afaf2e92 a4d23440
15:45:53 ipsec,debug,packet 2d10f035 379eb0c3 9f72e193 a4921a58 cac99a96 d42488fa 3f0f8f5a 8a79f0b8
15:45:53 ipsec,debug,packet 1400001c ac594f6a 773afbaf a9b4464d f63445a6 d0950972 fbb10f66 14000018
15:45:53 ipsec,debug,packet 55880497 9d279922 16cc4db4 dc822898 84230fbe 00000018 df7d6042 432921fc
15:45:53 ipsec,debug,packet 25a7c4e8 269fdbe4 68958178
15:45:53 ipsec,debug,packet resend phase1 packet 2bf1af44418514eb:e5fbc64cd46f4e44

It does that, pausing between each, until the attempt dies.
# jun/28/2011 15:48:14 by RouterOS 5.4
# software id = IFTQ-0ULI
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=\
modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=1m \
dpd-maximum-failures=3 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
sha1 lifebytes=0 lifetime=4h my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey \
send-initial-contact=no

# jun/28/2011 15:49:09 by RouterOS 5.4
# software id = IFTQ-0ULI
#
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 \
max-mtu=1460 mrru=1600
# jun/28/2011 15:49:35 by RouterOS 5.4
# software id = IFTQ-0ULI
#
/ppp profile
set default change-tcp-mss=yes local-address={ROUTER_LAN_ADDRESS} name=default only-one=default remote-address=\
VPN use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add bridge="EoIP bridge" change-tcp-mss=default name=bridge only-one=default use-compression=default \
use-encryption=yes use-ipv6=yes use-mpls=default use-vj-compression=default
set default-encryption address-list=VPN change-tcp-mss=yes local-address={ROUTER_LAN_ADDRESS} name=\
default-encryption only-one=default remote-address=VPN use-compression=default use-encryption=yes \
use-ipv6=yes use-mpls=default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no

I'll leave out /ppp secrets except to say that there's nothing interesting there, except that the user of the fixed client (that is working) is using the bridge profile.

# jun/28/2011 15:53:01 by RouterOS 5.4
# software id = IFTQ-0ULI
#
/ip firewall filter
add action=accept chain=forward disabled=no protocol=icmp
add action=accept chain=forward connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=forward connection-state=related disabled=no in-interface=ether1-gateway
add action=reject chain=forward disabled=no in-interface=ether1-gateway reject-with=\
icmp-network-unreachable
add action=accept chain=input disabled=no in-interface=ether1-gateway protocol=icmp
add action=accept chain=input connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input connection-state=related disabled=no in-interface=ether1-gateway
add action=accept chain=input disabled=no dst-port=500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=no dst-port=1701 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=no dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=no in-interface=ether1-gateway protocol=ipsec-esp
add action=log chain=input disabled=no in-interface=ether1-gateway log-prefix=""
add action=reject chain=input disabled=no in-interface=ether1-gateway reject-with=\
icmp-network-unreachable
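As an added example (not from the original post or from RouterOS), the 236-byte hex dump in the first failure log above can be decoded with the ISAKMP header and generic payload layouts from RFC 2408 (payload type 20 is NAT-D from RFC 3947), which shows exactly what the router keeps retransmitting.

```python
import struct

# Constructed by re-joining the eight-word dump lines from the log above (236 bytes).
DUMP = (
    "2bf1af44 418514eb e5fbc64c d46f4e44 04100200 00000000 000000ec 0a000084 "
    "605791bd 5edbbd8d ff8ff436 814f1884 1d9507e5 154cd04d e5349620 558df333 "
    "dc8c1b07 59a5dae2 2fa0f379 03bb6dda fb519748 3254b399 1c1e3512 0deb0f6d "
    "abf2f867 9f536614 0e7bbce3 ea1d541c a79ee54a f6572064 afaf2e92 a4d23440 "
    "2d10f035 379eb0c3 9f72e193 a4921a58 cac99a96 d42488fa 3f0f8f5a 8a79f0b8 "
    "1400001c ac594f6a 773afbaf a9b4464d f63445a6 d0950972 fbb10f66 14000018 "
    "55880497 9d279922 16cc4db4 dc822898 84230fbe 00000018 df7d6042 432921fc "
    "25a7c4e8 269fdbe4 68958178"
)

# RFC 2408 exchange and payload type codes needed to read this packet (20 = NAT-D, RFC 3947).
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 20: "NAT-D"}

def parse_isakmp(hexdump):
    """Return (header dict, payload list) for a cleartext ISAKMP packet."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    # Fixed 28-byte header: I-SPI, R-SPI, next payload, version, exchange, flags, msg id, length.
    ispi, rspi, nxt, ver, exch, flags, msgid, length = struct.unpack(
        ">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes dumped")
    header = {
        "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),  # as in the resend line
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(exch, f"type {exch}"),
        "encrypted": bool(flags & 0x01), "message_id": msgid, "length": length,
    }
    payloads, off = [], 28
    while nxt != 0:  # generic payload header: next type, reserved, total length
        nxt_after, _, plen = struct.unpack(">BBH", data[off:off + 4])
        payloads.append({"type": PAYLOAD.get(nxt, f"type {nxt}"),
                         "body_len": plen - 4})
        nxt, off = nxt_after, off + plen
    if off != length:
        raise ValueError("payload chain does not end at the packet length")
    return header, payloads

if __name__ == "__main__":
    hdr, pls = parse_isakmp(DUMP)
    print(hdr)
    for p in pls:
        print(p)
```

It decodes as an unencrypted Main Mode packet carrying KE (128-byte modp1024 value), Nonce and two NAT-D payloads, i.e. the responder's message 4 of the exchange, with the SPIs RouterOS prints in the "resend phase1 packet" line; the router is therefore waiting for the client's message 5, which RFC 3947 has the initiator send to UDP 4500 once NAT is detected.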

Re: Something's wrong with my L2TP VPN

Posted: Thu Jun 30, 2011 12:04 am
by nsayer
On the Mac side, I simply see

Jun 29 13:55:18 nsayer-osx racoon[21158]: Connecting.
Jun 29 13:55:18 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jun 29 13:55:18 nsayer-osx racoon[21158]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jun 29 13:55:18 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jun 29 13:55:18 nsayer-osx racoon[21158]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jun 29 13:55:18 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Jun 29 13:55:21 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Phase1 Retransmit).
Jun 29 13:55:36 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Phase1 Retransmit).
Jun 29 13:55:48 nsayer-osx racoon[21158]: IKEv1 Phase1: maximum retransmits. (Phase1 Maximum Retransmits).
Jun 29 13:55:48 nsayer-osx racoon[21158]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jun 29 13:55:48 nsayer-osx racoon[21158]: Disconnecting. (Connection tried to negotiate for, 0.034599 seconds).
Jun 29 13:55:48 nsayer-osx racoon[21158]: IKE Phase1 Failure-Rate Statistic. (Failure-Rate = 100.000).

Has anyone gotten this working *reliably* on a mac?

I've upgraded to ROS 5.5 and it hasn't helped. My mac is running 10.6.8.

Re: Something's wrong with my L2TP VPN

Posted: Thu Jun 30, 2011 6:22 am
by nsayer
I'm going to have to fall back to PPTP for now, I guess. That seems to work without any issues.

Re: Something's wrong with my L2TP VPN

Posted: Wed Jul 06, 2011 3:30 am
by nsayer
Bueller?

Re: Something's wrong with my L2TP VPN

Posted: Fri Jul 08, 2011 5:56 pm
by nsayer
With help from support, I believe I've gotten closer. I discovered a dynamic dstnat rule for UDP port 4500. I think it was put there by a UPnP client. I deleted it and added a static "accept" rule. The only question left is whether that is sufficient to block UPnP from attempting to offer that port or not.

I also needed to set the pfs group on the proposal to "none" to make MacOS X happy.

The remaining mystery is how to set the Mikrotik L2TP client to use exchange-mode "main" instead of aggressive. I'm not convinced that that tunnel is actually being encrypted by IPSEC.

Re: Something's wrong with my L2TP VPN

Posted: Tue Jul 12, 2011 9:51 pm
by nsayer
I believe I've gotten myself asymptotically close now.

In order for ROS to configure IPSEC along with L2TP, you have to add a static policy. Having done that, I do see SAs on each end.

Something is still attempting to send aggressive mode IPSec packets to my server from that same address. I suppose it's possible they might be some other device behind the same NAT, because the remote office 450G is now connecting correctly.

Re: Something's wrong with my L2TP VPN

Posted: Thu Aug 11, 2011 1:39 am
by ErebusBat
nsayer,

I am attempting to set up an L2TP/IPSec VPN as well; can you give me an export of your static policy? I attempted to add one and now I am locked out of my router until this evening, when I can remove it on my home network.

Thanks!

Re: Something's wrong with my L2TP VPN

Posted: Wed Sep 05, 2012 1:51 am
by ocgltd
I'm experiencing the same loop of "resend phase1 packet". But my clients are dynamic (road warrior) so I don't think a static policy will work.

Could you post your policy?