When I try to connect from the iPhone, a pair of installed SAs (iPhone>RouterOS and RouterOS>iPhone) come up, but the one from WAN (10.0.0.2) to the iPhone IP has 0 Current Bytes
The L2TP log says the tunnel receives no reply, disconnecting
It seems no packets are sent back to the iPhone
Yesterday I had it working for a couple of minutes (my fault for not collecting the working configuration), now it isn't working anymore
Tried tons of variations in settings
For information, despite the installed SAs being between the WAN interface (10.0.0.2) and the iPhone IP address, the automatically generated IPsec policy has the public DSL_LINE IP as src address and the iPhone one as dst address
Any idea on what to check, please??
P.S. the installed SA with 0 Current Bytes also has NO Current Addtime
Both are using port 4500
Winbox screenshots of my router; I can connect with my Droid.
You have to allow your iPhone's IP access with an input rule if you have a generic 'block all else' rule at the end of the list.
Thank you for the reply
Your configuration is like mine...
Or at least like one of the many I have tried
I suppose there are no NAT or firewall/port issues as, for testing purposes, only the masquerade rule is present, nothing blocked...
When a pair of SAs are installed, I suppose Phase 1 and Phase 2 are correctly passed, aren't they??
In fact, after this, the L2TP server builds a tunnel and starts to send multiple retry control messages from WAN 10.0.0.2 to the iPhone IP address (as seen in the log), but these packets don't reach the iPhone, and I suppose don't even leave the RouterOS machine
If so, some bytes counter would increase in the MikroTik-to-iPhone SA, which, instead, is still 0
As said, no block rules are present in filtering, so all traffic is allowed for now
I don't think it is a NAT issue as the L2TP server has not yet released a private IP address to the client
The L2TP authentication phase hasn't been reached yet...
A second DSL line (1:1 NATted as well) is connected to the RouterBoard; trying to connect to that line produces the same behaviour...
Is it correct that the SA uses port 4500 even if NAT-T is disabled in the peer??
The L2TP server starts to send ACKs to the client using WAN source port 1701; is that correct?
I hope it is not an issue related to the iOS or rOS release...
P.S.
I get the same behaviour whether the "use IPsec" flag is set or not in the L2TP server config!!! Strange...
Thank you for your interest
I think that having a private subnet as the MT WAN to connect to a transparently NATted ISP router is not uncommon, so my problem shouldn't be so uncommon either
Probably there are some usual workarounds I'm not aware of...
Make sure L2TP packets leave the router with the correct source address. If you have multiple gateways then you will probably have to force the correct source address with a srcnat.
The only way to make the system work is manually creating a policy with the MT WAN as source (10.0.0.2) and the iPhone IP as destination (5.6.7.8), but this last one is dynamic, obviously...
This is when a dynamic policy 1.2.3.4 => 5.6.7.8 has already been created at client connection.
In fact, the 0.0.0.0/0 template policy is needed to allow the system to dynamically create a policy when needed.
The problem is that the dynamically created policy has the DSL line's public static IP address as SOURCE, when, instead, a policy with the MT WAN IP (10.0.0.2) as SOURCE is needed to make the whole thing work...
I do have multiple (two) gateways, but I have disabled the unused one as well as disabled all mangle rules
Same behaviour
I think the problem is right in the wrong automatically created policy...
What leaves me disappointed is the fact that nobody seems to have this issue,
Or better:
people know this scenario cannot work (stop)
nobody is using my scenario
it is successfully used and I'm making some stupid mistake somewhere
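The mechanism behind the symptom described in the thread (an installed SA with 0 bytes, and a dynamic policy whose source is the public DSL address rather than the router's own WAN address) can be shown with a small model of IPsec policy selection. The following is an added example, not code from the thread or from RouterOS: it implements generic RFC 4301-style selector matching, not MikroTik's actual implementation, and the addresses 10.0.0.2 (router WAN behind 1:1 NAT), 1.2.3.4 (public DSL address) and 5.6.7.8 (iPhone) are the constructed values used in the posts above. The point it demonstrates is that outbound policy lookup is done on the packet the router actually emits, so a policy whose source selector is the post-NAT public address can never match a reply sent from 10.0.0.2, and the SA's byte counter stays at zero.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed addresses, matching the ones used in the thread:
ROUTER_WAN = "10.0.0.2"   # RouterOS WAN address, private, behind the ISP's 1:1 NAT
DSL_PUBLIC = "1.2.3.4"    # public address the ISP maps onto 10.0.0.2
CLIENT = "5.6.7.8"        # the iPhone's address as seen by the router


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors for the packet this policy protects."""
    src: str                      # selector for the packet's source address, CIDR or host
    dst: str                      # selector for the packet's destination address
    protocol: str = "any"         # "udp", "tcp" or "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    template: bool = False        # templates only seed dynamic policies; they never match traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


def matches(policy: Policy, pkt: Packet) -> bool:
    """Generic SPD selector match: address, protocol and port selectors must all agree."""
    if policy.template:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(policy.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(policy.dst, strict=False):
        return False
    if policy.protocol != "any" and policy.protocol != pkt.protocol:
        return False
    if policy.src_port is not None and policy.src_port != pkt.src_port:
        return False
    if policy.dst_port is not None and policy.dst_port != pkt.dst_port:
        return False
    return True


def select_policy(policies: Iterable[Policy], pkt: Packet) -> Optional[Policy]:
    """First matching non-template policy wins, as in an ordered SPD."""
    return next((p for p in policies if matches(p, pkt)), None)


def diagnose(policies: Iterable[Policy], pkt: Packet,
             local_addresses: Set[str]) -> Tuple[str, str]:
    """
    Classify the fate of a locally originated outbound packet and flag the
    misconfiguration from the thread: a host policy whose source selector is not
    an address the router itself sends from can never match the router's own traffic.
    """
    policies = list(policies)
    hit = select_policy(policies, pkt)
    if hit is not None:
        return "encrypt", f"policy {hit.src} => {hit.dst}"
    orphans = [p for p in policies if not p.template
               and ipaddress.ip_network(p.src, strict=False).num_addresses == 1
               and p.src not in local_addresses]
    if orphans:
        return "no-policy", f"policy source {orphans[0].src} is not a local address"
    return "no-policy", "no selector matches"


# Constructed L2TP control reply: the router answers from WAN port 1701 (as in the log).
L2TP_REPLY = Packet(src=ROUTER_WAN, dst=CLIENT, protocol="udp", src_port=1701, dst_port=1701)
# The 0.0.0.0/0 template that the thread says is needed to generate dynamic policies.
TEMPLATE = Policy(src="0.0.0.0/0", dst="0.0.0.0/0", protocol="udp", template=True)


def thread_scenario() -> Tuple[str, str]:
    """Dynamic policy generated with the public DSL address as source: the reported symptom."""
    dynamic = Policy(src=DSL_PUBLIC, dst=CLIENT, protocol="udp", src_port=1701, dst_port=1701)
    return diagnose([TEMPLATE, dynamic], L2TP_REPLY, {ROUTER_WAN})


def workaround_scenario() -> Tuple[str, str]:
    """The manual policy the poster found to work: router WAN address as source."""
    manual = Policy(src=ROUTER_WAN, dst=CLIENT, protocol="udp", src_port=1701, dst_port=1701)
    return diagnose([TEMPLATE, manual], L2TP_REPLY, {ROUTER_WAN})


if __name__ == "__main__":
    print("generated policy:", thread_scenario())
    print("manual policy:   ", workaround_scenario())
```

Running it prints `no-policy` for the generated policy and `encrypt` for the manual one. The `diagnose` check (a single-host policy whose source is not one of the router's own addresses) is the condition worth verifying on the router whenever an SA is installed but its byte counter never moves.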