PPTP iOS10

Hi all,

unfortunately Apple has removed my beautiful PPTP connection from the VPN list on my iPhone :frowning:

I configured L2TP and the server is working fine in my LAN but is not working from outside.

  • my Mikrotik router is behind my provider router (which does not support my needs)
  • all needed ports are forwarded
  • I can see packets coming in on my input firewall rule but the L2TP server is not responding
  • tried to NAT the ports to the router IP - no success

Do you have any ideas?
:frowning:

Yes, PPTP has not been secure for a while now, so macOS, iOS and other operating systems are starting to remove it.

You can use L2TP or IPsec+L2TP, there are examples in our wiki.

Post your NAT and firewall config please.

Thanks for your answer.

Unfortunately I have not access to my RB at the moment. I will post the config on Saturday.

L2TP only is working on iOS? The profile requires a shared secret from IPsec…

No, iOS needs IPsec. Example here:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Apple_iOS_.28iPhone.2FiPad.29_Client

Actually, L2TP+IPsec configuration is not too difficult.

  1. Enable the L2TP server:
/interface l2tp-server server
set authentication=mschap2 enabled=yes
  2. Create the address pool and configure the PPP profile (the pool has to exist before the profile can reference it):
/ip pool
add name=ipsec-pool ranges=192.168.17.2-192.168.17.254
/ppp profile
add change-tcp-mss=yes local-address=192.168.17.1 name=ipsec+L2TP remote-address=ipsec-pool use-encryption=yes
  3. Create the PPP secret:
/ppp secret
add name=sergejs password="routeros" profile=ipsec+L2TP service=l2tp
  4. Add a static PPP interface to manage the firewall easily:
/interface l2tp-server add name=l_sergejs user=sergejs

This is the same configuration you used for PPTP previously. The additional configuration that is required:

Create the IPsec configuration:

  1. Setup:
/ip ipsec policy group
add name=ipsec+l2tp
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des

I configure /ip ipsec peer, as the default algorithms do not work too well with all OSes (that you configure in the L2TP server IPsec configuration).

/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-192,aes-128 generate-policy=port-strict secret=MikroTiKRouterOS
/ip ipsec policy
add dst-address=0.0.0.0/0 protocol=udp src-address=0.0.0.0/0 template=yes

On macOS I configure L2TP over IPsec:

  1. The user authentication password is from /ppp secret.
  2. The machine authentication shared secret is from /ip ipsec peer.

P.S. This particular configuration works for macOS Sierra/El Capitan, iOS 10, Windows 8 and 10.

Thanks for your post.

I configured L2TP+IPsec using your suggestions. It seems that the packets are now delivered to the Mikrotik router.

Nevertheless I get no connection (Log):

l2tp info: First L2TP UDP packet received from 80.x.x.x
IPsec error: phase 1 negotiation failed due to time up

Is it possible that L2TP is not working because my crappy provider router is not able to forward ESP? I’m only able to forward TCP and UDP (500, 1701 and 4500)

Thanks

presswu,

what OS do you use as client?
Do you have client or server behind ISP devices?

I tried to use iOS 10 and Windows 10 as a client.

My RB951G-2HnD (server) is behind a simple ISP VDSL router which is not able to operate in bridge mode.

For an IPsec server located behind an ISP router, you need to forward UDP 500, 4500 and ESP.
For phase 1 issues, enable “ipsec,debug” logs and post them here.

Hi!
What about more than one user in the L2TP+IPsec config?
I have a situation where the 2nd L2TP+IPsec user drops the 1st user from the MikroTik.

If both of them are behind NAT, this will happen. You need to make the tunnel on the router, instead of the client, or wait for new Kernel in RouterOS v7

I followed the tutorial closely, yet I still get this error in the log:

sep/18 00:49:07 ipsec,debug invalid length of payload
sep/18 00:49:07 ipsec,debug possible cause: wrong password

Although the password is definitely correct :frowning:

One configuration step that can be changed in your configuration:

Disable peer,

/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-192,aes-128 generate-policy=port-strict secret=MikroTiKRouterOS

and move this configuration to l2tp-server,

/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=RouterOS use-ipsec=yes

Steffen9000, please contact support (support@mikrotik.com) with radius,debug logs enabled, we will see what is wrong.

Sorry for re-raising this topic, but I still have a few questions about this.

Same scenario for myself:
I want to connect multiple! iOS/macOS/Android devices to my MikroTik router.

iOS >10 should support these protocols (all combined thankfully with IPsec encryption):

  • L2TP/IPSec
  • IKEv2/IPSec
  • Cisco IPSec
  • (my last resort would be a separate OpenVPN client app on each device, but I’d prefer to use an integrated OS solution)
  1. Which VPN server setup do you recommend for mixed devices - “one-size-fits-all” ?

  2. Did I get this right, that if my MikroTik router has a public IP address (no NAT/directly connected via PPPoE to a DSL modem), I can connect multiple devices with NAT e.g. via L2TP with IPsec? (instead of only 1 connection if both/server+client are NAT’d)

  3. I had issues in the past, trying to configure L2TP+IPsec for any device (Mac, Windows or iOS), since there are various instructions out there, how to configure L2TP+IPsec - one tutorial says “check ‘use IPsec’ within the L2TP Server setup” .. another one says “this won’t work - create your own policy include ‘3des’” - which won’t work for iOS devices.
    => So is there any general instruction set for a viable L2TP+IPsec setup (e.g. for various devices like iOS, macOS, Windows, etc. aside) - or can I/do I have to configure multiple policies for all device sets?

Thanks for your help!

Most devices will support only “L2TP/IPSec”

The config example is above.

If the clients are all behind a MikroTik NAT, they will not be able to connect at the same time, to the same server.

Sorry - I’m a little bit slow in understanding this one .. :wink:

  • Let’s assume all clients (personal devices) are behind some/whatever NAT, e.g. cell network/other personal Wi-Fi/… (no MikroTik here).
  • The MikroTik router (hosting the L2TP/IPsec VPN server) acts as gateway router (directly connecting to the public internet via a PPPoE client) so the eth1-WAN interface will have the public IP address.

=> In this scenario multiple clients will be able to connect to the MikroTik VPN?

So, do I actually need to skip the “/ip ipsec peer” step altogether?
Anyway, I can’t get this working.
On the router (RouterOS v6.36.3, 1100AHx2) there are errors like this:

19:11:17 ipsec,debug,packet such policy does not already exist: xxx/32[38126] xxx/32[1701] proto=udp dir=in
19:11:17 ipsec,debug,packet such policy does not already exist: xxx/32[1701] xxx/32[38126] proto=udp dir=out

on client (macOS Sierra):

Thu Sep 22 19:11:17 2016 : L2TP sent SCCRQ
Thu Sep 22 19:11:37 2016 : L2TP cannot connect to the server

Same problem here! @miks

macOS El Capitan brings up the same error:

  • L2TP sent SCCRQ
  • L2TP cannot connect to the server

I tried both suggestions - 1) with a dedicated IPsec peer configuration for the secret .. and 2) using the integrated IPsec checkbox of the L2TP server with a secret.
Both ways don’t work in my case (just to keep it in mind: I have both sides / RouterOS server+MacOS client NATed)

miks,

if you put such configuration,
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=RouterOS use-ipsec=yes

then /ip ipsec peer configuration is not required.

miks and malstro, please post “ipsec,debug” output here, when client tries to establish L2TP/IPsec session.
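The three router-side log messages quoted in this thread (“phase 1 negotiation failed due to time up”, “invalid length of payload … possible cause: wrong password”, “such policy does not already exist”) each point at a different cause, and the forwarding answer above (UDP 500, 4500 and ESP) is the usual fix for the first one. As an added example that is not part of this thread and not MikroTik code, the Python script below parses RouterOS-style log lines as they were pasted here, maps each of those messages to the cause given in the replies, and checks an ISP router’s port-forwarding list against what an L2TP/IPsec server behind NAT needs. The rule codes, the REQUIRED_FORWARDS set and the SAMPLE_LOG list are assumptions of mine, constructed from the lines quoted in the thread; the cause texts only repeat what the replies say.

```python
"""Triage of the RouterOS 'ipsec' log lines quoted in this thread.

Added example, not MikroTik code. It parses RouterOS-style log lines, maps the
error messages the posters hit to the cause given in the replies, and checks
whether an ISP router's port-forwarding list covers what an L2TP/IPsec server
behind NAT needs: UDP 500, UDP 4500, UDP 1701 and ESP (IP protocol 50).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RouterOS log line as pasted in the thread: optional "mon/dd" date, optional
# time, comma-separated topics, optional severity word, then the message.
LOG_RE = re.compile(
    r"^(?:(?P<date>[a-z]{3}/\d{2})\s+)?(?:(?P<time>\d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<topics>[A-Za-z0-9]+(?:,[A-Za-z0-9]+)*)"
    r"(?:\s+(?P<level>error|warning|info)\b)?:?\s+(?P<msg>.+)$"
)


@dataclass(frozen=True)
class LogEntry:
    date: Optional[str]
    time: Optional[str]
    topics: Tuple[str, ...]   # lower-cased, e.g. ("ipsec", "debug", "packet")
    level: Optional[str]
    message: str


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one RouterOS log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    topics = tuple(t.lower() for t in m["topics"].split(","))
    return LogEntry(m["date"], m["time"], topics, m["level"], m["msg"])


# (message fragment, short code, cause as discussed in the thread); first match
# wins. Codes are assumptions of mine, the causes restate the replies above.
RULES = [
    ("phase 1 negotiation failed due to time up", "phase1-timeout",
     "IKE phase 1 timed out: the client's reply never reached the router. With "
     "the server behind an ISP router, UDP 500, UDP 4500 and ESP must all be "
     "forwarded."),
    ("invalid length of payload", "psk-mismatch",
     "IKE payload could not be decoded (RouterOS adds 'possible cause: wrong "
     "password'): the client's machine-authentication shared secret does not "
     "match ipsec-secret / the peer secret on the router."),
    ("such policy does not already exist", "no-policy",
     "No IPsec policy matched the UDP/1701 L2TP traffic. Check the UDP policy "
     "template; with use-ipsec=yes on the L2TP server no separate /ip ipsec "
     "peer is needed."),
]


def diagnose(entry: LogEntry) -> Optional[Tuple[str, str]]:
    """Return (code, cause) for an 'ipsec' entry a rule explains, else None."""
    if "ipsec" not in entry.topics:
        return None
    for fragment, code, cause in RULES:
        if fragment in entry.message:
            return code, cause
    return None


def triage(lines: Iterable[str]) -> List[Tuple[LogEntry, str, str]]:
    """Parse the lines and return (entry, code, cause) for every explained entry."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue                     # not a RouterOS log line, ignore it
        hit = diagnose(entry)
        if hit is not None:
            findings.append((entry, hit[0], hit[1]))
    return findings


# Forwards an L2TP/IPsec server behind NAT needs (from the replies); ESP has no port.
REQUIRED_FORWARDS = frozenset({("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)})


def missing_forwards(forwarded: Iterable[Tuple[str, Optional[int]]]) -> List[str]:
    """Names of required forwards not present in `forwarded`, e.g. ['esp']."""
    have = {(proto.lower(), port) for proto, port in forwarded}
    return sorted(f"{p}/{port}" if port is not None else p
                  for p, port in REQUIRED_FORWARDS - have)


# Constructed sample: the log lines quoted in this thread (addresses masked by
# the posters), including a line that no rule explains.
SAMPLE_LOG = [
    "l2tp info: First L2TP UDP packet received from 80.x.x.x",
    "IPsec error: phase 1 negotiation failed due to time up",
    "sep/18 00:49:07 ipsec,debug invalid length of payload",
    "sep/18 00:49:07 ipsec,debug possible cause: wrong password",
    "19:11:17 ipsec,debug,packet such policy does not already exist: "
    "xxx/32[38126] xxx/32[1701] proto=udp dir=in",
]

if __name__ == "__main__":
    for entry, code, cause in triage(SAMPLE_LOG):
        print(f"[{code}] {entry.message}\n    -> {cause}")
    # The forwarding list from the thread: TCP and UDP 500/1701/4500, but no ESP.
    isp_forwards = [(proto, port) for port in (500, 1701, 4500) for proto in ("tcp", "udp")]
    print("missing forwards:", missing_forwards(isp_forwards))
```

Run it as-is to see the three findings from the quoted lines and `missing forwards: ['esp']` for the TCP/UDP-only forwarding list; to triage your own router, paste the `ipsec,debug` output into `SAMPLE_LOG` or feed `triage()` the lines of a saved log file. Unknown messages are skipped rather than guessed at, so an empty result means the log needs a human look, not that the tunnel is healthy.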