mrstroob
just joined
Topic Author
Posts: 3
Joined: Thu Mar 19, 2009 11:47 pm

L2TP/IPSec VPN access for Mac OS X 10.5 client

Thu Mar 19, 2009 11:54 pm

Hello,

I cannot for the life of me get L2TP w/ IPSec working. I've read all the wiki docs and almost all of the forum threads by those with similar issues and still cannot get it working.

I am trying to setup VPN access to connect from my MacBook Pro laptop to RB500, running latest ROS 3.22 (so NOT router to router like most of the docs describe). MacBook is running OS X 10.5 which supports L2TP/IPSec out of the box.

Enabled L2TP Server:
/interface l2tp-server server> export
# mar/19/2009 19:57:04 by RouterOS 3.22
# software id = xxxxxxx
#
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 \
    mrru=disabled
(NOTE: I did not create a new L2TP Server "interface", just enabled the server with the "enabled=yes" - not sure the difference)

Added PPP secret:
/ppp secret> export
# mar/19/2009 19:54:10 by RouterOS 3.22
# software id = xxxxxx
#
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.1.160 name=stroob \
    password=****** profile=default-encryption remote-address=192.168.1.161 routes="" service=l2tp
Not too sure if the IP values are correct. My network is 192.168.1.0 and I want the connecting VPN client to use an internal address.

Added IPSec peer:
/ip ipsec peer> export
# mar/19/2009 19:55:39 by RouterOS 3.22
# software id = xxxxxxx
#
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d nat-traversal=no proposal-check=obey secret=****** send-initial-contact=yes
I then configure Mac for L2TP/IPSec, enter public IP, user, pass, secret. When I connect, I see traffic on the UDP ports in MT. Mac first attempts to connect to port 1701, then a second request to port 500, then after about 10 seconds I get a vague "connection failed, check settings".

Another question is how can I see debug-level info about this connection in ROS? I'd probably be able to figure it out if I could get this info. I added a logging rule for topics "l2tp, ipsec, ppp" with action "memory" but I don't see output in the log window.
Firewall rules:
# mar/19/2009 17:45:32 by RouterOS 3.22
# software id = xxxxxxx
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow already-established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow access from LAN" disabled=no src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow already-established connections" connection-state=established disabled=no
add action=drop chain=forward comment="Drop bogons" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan0
add action=dst-nat chain=dstnat comment=server1 disabled=no dst-port=922 in-interface=wan0 protocol=tcp to-addresses=\
    192.168.1.150 to-ports=22
add action=dst-nat chain=dstnat comment=server2 disabled=no dst-port=924 in-interface=wan0 protocol=tcp to-addresses=\
    192.168.2.3 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
 
mrstroob
just joined
Topic Author
Posts: 3
Joined: Thu Mar 19, 2009 11:47 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sat Mar 21, 2009 8:47 pm

Bump :D - Any ideas on either setting up the VPN or why I cannot get any debug-level logging to try and troubleshoot myself? I'd just like to get some visibility as to what's going on and why it's failing. Thanks!
 
omni1504
just joined
Posts: 2
Joined: Fri Mar 20, 2009 7:49 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Mon Apr 06, 2009 6:11 pm

Hello! Does anybody have any updates on this problem?

Mac OS X client says
23:33:53 ipsec the length in the isakmp header is too big.

Regards, Amir.
 
Lefteris
newbie
Posts: 28
Joined: Mon Jul 27, 2009 1:24 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Thu Oct 22, 2009 1:35 pm

Seems like even now with ROS v4.1 and Mac OS X 10.6 the problem still remains. Has anyone ever had any success with L2TP/IPSec and Mac OS X?
 
chatur
just joined
Posts: 2
Joined: Sun Dec 06, 2009 7:41 pm
Location: Lalitpur, Nepal

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sun Dec 06, 2009 7:47 pm

It is working fine on RouterOS 4.0beta2.

Added IPSec peer as:
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
    **** send-initial-contact=yes
not as:
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
    enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
    **** send-initial-contact=yes
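As an added example that is not part of this thread, a small Python lint over a RouterOS export that flags the 0.0.0.0/32 peer address chatur points out, along with the firewall chain typo and any of the UDP ports 500, 1701 and 4500 the input chain does not admit; the sample export is constructed from the configurations posted above and the checks are my own, not a MikroTik tool.

```python
import re
# Constructed sample export modelled on the peer and firewall lines posted above; not a real device export.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \\
    enc-algorithm=3des exchange-mode=main nat-traversal=no secret=PSK-PLACEHOLDER
/ip firewall filter
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp dst-port=500,1701
add action=accept chain=foward comment="Allow established" connection-state=established
"""

BUILTIN_CHAINS = {"input", "forward", "output"}
VPN_UDP_PORTS = {500, 1701, 4500}  # IKE, L2TP and NAT-T: the ports forwarded in the thread

def parse_export(text):
    """Join backslash-continued lines; return (section, verb, {key: value}) per command."""
    text = re.sub(r"\\\n\s*", "", text)  # RouterOS wraps long export lines with a trailing backslash
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest)}
        entries.append((section, verb, kv))
    return entries

def lint(text):
    findings, allowed = [], set()  # allowed: UDP ports the input chain accepts (None = any port)
    for section, verb, kv in parse_export(text):
        if section == "/ip ipsec peer":
            if kv.get("address", "").partition(":")[0] == "0.0.0.0/32":
                findings.append("peer address 0.0.0.0/32 matches only the host 0.0.0.0; road-warrior peers need 0.0.0.0/0")
            if kv.get("nat-traversal") == "no":
                findings.append("nat-traversal=no: a client behind NAT cannot negotiate UDP/4500 encapsulation")
        elif section == "/ip firewall filter":
            if kv.get("chain") not in BUILTIN_CHAINS:
                findings.append(f"rule uses unknown chain '{kv.get('chain')}' (custom chain or typo for 'forward'?)")
            if kv.get("chain") == "input" and kv.get("action") == "accept" and kv.get("protocol") == "udp":
                if "dst-port" not in kv:
                    allowed = None  # blanket UDP accept covers everything
                elif allowed is not None:  # comma lists only; port ranges are not handled here
                    allowed |= {int(p) for p in kv["dst-port"].split(",")}
    if allowed is not None and not VPN_UDP_PORTS <= allowed:
        findings.append(f"input chain does not accept UDP ports {sorted(VPN_UDP_PORTS - allowed)}")
    return findings
```

Run `lint()` over the output of `/export` to get the list of findings; on the constructed sample it reports the /32 peer, the disabled NAT-T, the `foward` chain and the missing UDP/4500 accept.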
 
paulmuk
just joined
Posts: 4
Joined: Wed Oct 13, 2010 1:10 pm

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Wed Oct 13, 2010 1:19 pm

I'm also having trouble with ROS v4.1 and Mac OS X 10.6.

It appears that the IPSec part is working, but not the L2TP/PPP side. According to my OSX logs....

13/10/2010 11:01:04 pppd[2113] IPSec connection established
13/10/2010 11:01:24 pppd[2113] L2TP cannot connect to the server

Has anyone got any tips?
 
MacFly
just joined
Posts: 2
Joined: Sat Jun 06, 2015 5:37 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Sat Jun 06, 2015 6:07 am

Searching and finding this old thread, I also cannot get a Mac OSX 10.10.3 to connect through a new RB951G-2HnD to a MacPro 10.9.5 Server v3.0.3 running L2TP VPN.

The Mac client logged:
Fri Jun 5 22:17:52 2015 : publish_entry SCDSet() failed: Success!
Fri Jun 5 22:17:52 2015 : publish_entry SCDSet() failed: Success!
Fri Jun 5 22:17:52 2015 : l2tp_get_router_address
Fri Jun 5 22:17:52 2015 : l2tp_get_router_address 192.168.1.1 from dict 1
Fri Jun 5 22:17:52 2015 : L2TP connecting to server '65.35.xxx.xxx' (65.35.xxx.xxx)...
Fri Jun 5 22:17:52 2015 : IPSec connection started
Fri Jun 5 22:17:52 2015 : IPSec phase 1 client started
Fri Jun 5 22:17:52 2015 : IPSec phase 1 server replied
Fri Jun 5 22:18:22 2015 : IPSec connection failed

The VPN has previously worked reliably with the same client through a WRT54G router running dd-WRT firmware, which had port forwarding on external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.

Being new to RouterOS v6.27, I wonder if anyone can please give me some pointers. I am using WebFig and CLI but could set up Winbox if necessary.

Thanks.
 
Nollitik
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Wed Jun 10, 2015 11:03 pm

Bump :D - Any ideas on either setting up the VPN or why I cannot get any debug-level logging to try and troubleshoot myself? I'd just like to get some visibility as to what's going on and why it's failing. Thanks!
If you go to System >Logging, then add to memory L2TP and IPsec...please see screen shot
Screen Shot 2015-06-10 at 2.57.55 PM.png
 
MacFly
just joined
Posts: 2
Joined: Sat Jun 06, 2015 5:37 am

Re: L2TP/IPSec VPN access for Mac OS X 10.5 client

Thu Jun 11, 2015 8:58 pm

This is what is currently working for me:

Router IP is 192.168.1.1
WAN IP is 65.35.xxx.xxx
LAN DHCP pool is 192.168.1.100 to 150 on router
Server IP is 192.168.1.11 for file sharing, DNS, FTP, VPN, and websites

Apple Server VPN:
Configure VPN for: L2TP
VPN Host Name: 192.168.1.11 (my Apple Server IP)
Shared Secret: (secret here)
Client Addresses: 2 for L2TP (Edit… used 2, starting at 192.168.1.151, not in my DHCP pool)
DNS Settings: 2 name servers, no domains (Edit… added IPs of my local and external DNS servers)
Routes: No routes configured

MacBook Network VPN(L2TP):
Server Address: 65.35.xxx.xxx (WAN IP address)
Account Name: (LAN username)
Authentication Settings… Password (LAN username's password)
Shared Secret: (secret here)

RouterBoard:
[admin@MikroTik] /ip firewall filter> print
 6    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

[admin@MikroTik] /ip firewall nat> print
 0    ;;; masq. vpn traffic
      chain=srcnat action=masquerade protocol=ipsec-esp src-address=192.168.1.0/24 
      dst-address=192.168.1.11 log=yes log-prefix="masq vpn" 

[admin@MikroTik] /ip ipsec policy> print
 0 T * group=*2 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  D  src-address=192.168.1.100/32 src-port=any dst-address=65.35.xxx.xxx/32 dst-port=any 
       protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no 
       sa-src-address=192.168.1.151 sa-dst-address=65.35.xxx.xxx priority=2 

[admin@MikroTik] /ip ipsec peer> print
 0    address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret=“secret here” generate-policy=port-override policy-template-group=*2 
      exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd 
      dpd-maximum-failures=5 

[admin@MikroTik] /ip ipsec proposal> print
 0  * name="default" auth-algorithms=sha1 enc-algorithms=des,3des,aes-128-cbc,aes-256-cbc 
      lifetime=30m pfs-group=modp1024
There was some discussion about Groups in this post: http://forum.mikrotik.com/viewtopic.php?f=2&t=88033

Any comments on misconfiguration or security holes would be appreciated.
