L2TP/IPSec VPN access for Mac OS X 10.5 client
RouterOS general discussion

6 posts   •   Page 1 of 1
mrstroob
just joined
 
Posts: 3
Joined: Fri Mar 20, 2009 12:47 am

L2TP/IPSec VPN access for Mac OS X 10.5 client

by mrstroob » Fri Mar 20, 2009 12:54 am

Hello,

I cannot for the life of me get L2TP w/ IPSec working. I've read all the wiki docs and almost all of the forum threads by those with similar issues and still cannot get it working.

I am trying to set up VPN access to connect from my MacBook Pro laptop to RB500, running latest ROS 3.22 (so NOT router to router like most of the docs describe). MacBook is running OS X 10.5 which supports L2TP/IPSec out of the box.

Enabled L2TP Server:
/interface l2tp-server server> export
# mar/19/2009 19:57:04 by RouterOS 3.22
# software id = xxxxxxx
#
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 \
    mrru=disabled


(NOTE: I did not create a new L2TP Server "interface", just enabled the server with the "enabled=yes" - not sure the difference)

Added PPP secret:
/ppp secret> export
# mar/19/2009 19:54:10 by RouterOS 3.22
# software id = xxxxxx
#
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.1.160 name=stroob \
    password=****** profile=default-encryption remote-address=192.168.1.161 routes="" service=l2tp


Not too sure if the IP values are correct. My network is 192.168.1.0 and I want the connecting VPN client to use an internal address.

Added IPSec peer:
/ip ipsec peer> export
# mar/19/2009 19:55:39 by RouterOS 3.22
# software id = xxxxxxx
#
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d nat-traversal=no proposal-check=obey secret=****** send-initial-contact=yes


I then configure Mac for L2TP/IPSec, enter public IP, user, pass, secret. When I connect, I see traffic on the UDP ports in MT. Mac first attempts to connect to port 1701, then a second request to port 500, then after about 10 seconds I get a vague "connection failed, check settings".

Another question is how can I see debug-level info about this connection in ROS? I'd probably be able to figure it out if I could get this info. I added a logging rule for topics "l2tp, ipsec, ppp" with action "memory" but I don't see output in the log window.

Firewall rules:
# mar/19/2009 17:45:32 by RouterOS 3.22
# software id = xxxxxxx
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow already-established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow access from LAN" disabled=no src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow already-established connections" connection-state=established disabled=no
add action=drop chain=forward comment="Drop bogons" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan0
add action=dst-nat chain=dstnat comment=server1 disabled=no dst-port=922 in-interface=wan0 protocol=tcp to-addresses=\
    192.168.1.150 to-ports=22
add action=dst-nat chain=dstnat comment=server2 disabled=no dst-port=924 in-interface=wan0 protocol=tcp to-addresses=\
    192.168.2.3 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

mrstroob
just joined
 
Posts: 3
Joined: Fri Mar 20, 2009 12:47 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

by mrstroob » Sat Mar 21, 2009 9:47 pm

Bump :D - Any ideas on either setting up the VPN or why I cannot get any debug-level logging to try and troubleshoot myself? I'd just like to get some visibility as to what's going on and why it's failing. Thanks!

omni1504
just joined
 
Posts: 2
Joined: Fri Mar 20, 2009 8:49 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

by omni1504 » Mon Apr 06, 2009 6:11 pm

Hello! Does anybody have any updates on this problem?

Mac OS X client says
23:33:53 ipsec the length in the isakmp header is too big.

Regards, Amir.

Lefteris
newbie
 
Posts: 28
Joined: Mon Jul 27, 2009 1:24 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

by Lefteris » Thu Oct 22, 2009 1:35 pm

Seems like even now with ROS v4.1 and Mac OS X 10.6 the problem still remains. Has anyone ever had any success with L2TP/IPSec and Mac OS X?

chatur
just joined
 
Posts: 2
Joined: Sun Dec 06, 2009 8:41 pm
Location: Lalitpur, Nepal

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

by chatur » Sun Dec 06, 2009 8:47 pm

It is working fine on RouterOS 4.0beta2.

Added IPSec peer as:
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
    **** send-initial-contact=yes


not as:
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
    **** send-initial-contact=yes
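
The difference between the two peer entries above (and the 0.0.0.0/32 peer in the first post) comes down to how the peer address selector is matched against the remote IKE endpoint. The following is an added illustration, not code from the thread or from RouterOS: it mimics the prefix test with Python's ipaddress module on constructed client addresses and flags a /32 on 0.0.0.0 as a selector no real client can ever match.

```python
"""Added example (not from the thread): why an IPsec peer entry of
0.0.0.0/32 never matches a road-warrior client while 0.0.0.0/0 does.
The peer 'address' field is an address/prefix selector for the remote
IKE endpoint; the test below reproduces that prefix match generically,
nothing MikroTik-specific is called."""
import ipaddress

# Constructed sample client addresses: a home NAT, a hotspot, a LAN host.
SAMPLE_CLIENTS = ["203.0.113.45", "198.51.100.7", "192.168.1.161"]


def _selector(peer_address: str) -> ipaddress.IPv4Network:
    """Parse the RouterOS 'addr/prefix:port' form into a network.
    The port suffix is dropped; only the address part selects the peer."""
    addr_part = peer_address.split(":")[0]
    return ipaddress.ip_network(addr_part, strict=False)


def peer_matches(peer_address: str, client_ip: str) -> bool:
    """True if the client's source IP falls inside the peer selector."""
    return ipaddress.ip_address(client_ip) in _selector(peer_address)


def matching_clients(peer_address: str, clients=SAMPLE_CLIENTS):
    """Which of the sample clients this peer entry would accept."""
    return [c for c in clients if peer_matches(peer_address, c)]


def audit_peer(peer_address: str) -> str:
    """One-line verdict on a peer selector, as a config-review check."""
    net = _selector(peer_address)
    if net.num_addresses == 1 and net.network_address == ipaddress.ip_address("0.0.0.0"):
        return "0.0.0.0/32 matches only the address 0.0.0.0; no client will ever match"
    if net.prefixlen == 0:
        return "any-peer selector: every initiator is matched; security rests on the PSK"
    return f"fixed-peer selector: only {net} can negotiate"


if __name__ == "__main__":
    for peer in ("0.0.0.0/32:500", "0.0.0.0/0:500"):
        print(peer, "->", matching_clients(peer), "|", audit_peer(peer))
```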

paulmuk
just joined
 
Posts: 4
Joined: Wed Oct 13, 2010 1:10 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

by paulmuk » Wed Oct 13, 2010 1:19 pm

I'm also having trouble with ROS v4.1 and Mac OS X 10.6.

It appears that the IPSec part is working, but not the L2TP/PPP side. According to my OS X logs...

13/10/2010 11:01:04 pppd[2113] IPSec connection established
13/10/2010 11:01:24 pppd[2113] L2TP cannot connect to the server

Has anyone got any tips?
