Help Me Decipher VPN Issue

It seems from the log that the issue surrounds Policy…I selected no policy generated. Please view my log as well as the policy tab screen shot…thank you.
Screen Shot 2014-04-25 at 8.21.42 PM.png
Screen Shot 2014-04-25 at 8.02.03 PM.png

Okay, after examining the log further, it seems that the issue is with L2TP, and IPsec never got a chance to do its thing because the L2TP server closed the connection. I am connecting a tablet with Android 4.2, and it seems to just keep repeating the process…see screen shot from the log. I double checked everything and just can’t seem to make it work. I would like to hear from Mikrotik support…please! It’s very frustrating.
Screen Shot 2014-04-29 at 3.08.16 AM.png

Note: All packets are IPIP encapsulated in tunnel mode, and their new IP header’s src-address and dst-address are set to sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (id est you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks (or a network and a host) you have to use tunnel mode.

Typically in RoadWarrior setups such as this it is impossible to know from which address the user will connect, so we need to set the generate-policy parameter on the server side. However, this leads to other problems: the client can generate any policy and access any network in the office, or even set 0.0.0.0/0 and deny internet access to office workers.

Mode Conf, policy group and policy templates will allow us to overcome these problems.


IpSec Server Config

At first we need a pool from which the RoadWarrior will get an address. Typically in an office you set up a DHCP server for local workstations; the same DHCP pool can be used.

/ip pool
add name=ipsec-RW ranges=192.168.77.2-192.168.77.254

Next we need to set up what settings to send to the client using Mode Conf.

/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=10.5.8.0/24,192.168.55.0/24

As you can see, we specified from which pool to give out addresses and two allowed subnets.


Now, to allow only specific source/destination addresses in generated policies, we will use a policy group and create policy templates:

/ip ipsec policy group
add name=RoadWarrior

/ip ipsec policy
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=10.5.8.0/24 template=yes
add dst-address=10.5.8.0/24 group=RoadWarrior src-address=192.168.77.0/24 template=yes
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=192.168.55.0/24 template=yes


Now we just add xauth users and a peer with Mode Conf and the policy group enabled.

/ip ipsec user
add name=user1 password=123
add name=user2 password=234

/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg policy-group=RoadWarrior secret=123 passive=yes

Apple iOS (iPhone/iPad) Client

For iOS devices to be able to connect, proposal changes are needed:

does not work with 3des encryption algorithm, aes-128/256 works
auth algorithm must be sha1
PFS group must be none
lifetime must be 8 hours

Example of valid proposal configuration for iOS devices:

/ip ipsec proposal
set default enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h pfs-group=none


Android Client Notes

Android devices try to add a policy with destination 0.0.0.0/0, so you have to make sure that the correct policy template is added.

In our case we need to add:

/ip ipsec policy
add group=RoadWarrior src-address=192.168.77.0/24 dst-address=0.0.0.0/0 template=yes

This is where the problem gets frustrating, as the roadwarrior example uses known IP addresses. RouterOS v6.12 changes the way most instructions on setting up L2TP over IPsec work. If I select anything other than no policy, I can not select tunnel mode. However, selecting no policy seems to create a policy issue when one tries to connect. Also, I don’t want a pool of IP addresses because I am the only one that will connect to my home office…maybe with different devices (iOS, MacOS, Android), but it will always be a single connection from an unknown IP address to my home office at a time. I even tried my configuration with NAT traversal…no luck. I downloaded Supout.rif and when I opened it with TextEdit (MacOS), it’s just a bunch of nothing…why can’t it be a readable rich text file? So, I couldn’t share.

Can anyone set up a roadwarrior configuration example using RouterOS v6.12? It’s unclear from the Wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec that one needs to set up the same user and password in L2TP and in IPsec > user. That seems to defeat the pre-shared key.

I am so confused and wish to receive help…thanks!
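To make the policy-template part of the wiki excerpt above concrete, here is an added example (not RouterOS code and not from the thread) that models how a policy group of templates constrains what a generate-policy client can obtain. It assumes a simplified matching rule: a proposed policy is accepted only if one template in the peer's group contains both of its selectors, with selectors written as the router would generate them (src = RoadWarrior address, dst = remote network, matching the Android template in the excerpt).

```python
from ipaddress import ip_network

# Templates from the wiki excerpt above, as (group, src-address, dst-address).
# Constructed table for this example, not read from a router.
ROADWARRIOR_TEMPLATES = [
    ("RoadWarrior", "10.5.8.0/24", "192.168.77.0/24"),
    ("RoadWarrior", "192.168.77.0/24", "10.5.8.0/24"),
    ("RoadWarrior", "192.168.55.0/24", "192.168.77.0/24"),
]
# The extra template the excerpt says Android clients need.
ANDROID_TEMPLATE = ("RoadWarrior", "192.168.77.0/24", "0.0.0.0/0")


def covers(template_net, proposed_net):
    """True if the proposed selector lies entirely inside the template range."""
    return ip_network(proposed_net).subnet_of(ip_network(template_net))


def matching_template(templates, group, src, dst):
    """Return the first template in `group` whose src/dst ranges contain the
    selectors the client asks for, or None if no template permits them.
    Assumption (a model, not RouterOS source): both selectors must fit."""
    for tgroup, tsrc, tdst in templates:
        if tgroup == group and covers(tsrc, src) and covers(tdst, dst):
            return (tgroup, tsrc, tdst)
    return None


def policy_accepted(templates, group, src, dst):
    return matching_template(templates, group, src, dst) is not None


def overbroad_templates(templates):
    """Templates whose dst range is the whole IPv4 space: these give every
    matching client the 'access any network' reach the excerpt warns about."""
    return [t for t in templates if ip_network(t[2]) == ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    client = "192.168.77.5/32"  # address handed out from pool ipsec-RW
    # Proposal for one office subnet: fits the second template.
    print(policy_accepted(ROADWARRIOR_TEMPLATES, "RoadWarrior", client, "10.5.8.0/24"))
    # Android asks for 0.0.0.0/0: rejected until the extra template exists.
    print(policy_accepted(ROADWARRIOR_TEMPLATES, "RoadWarrior", client, "0.0.0.0/0"))
    with_android = ROADWARRIOR_TEMPLATES + [ANDROID_TEMPLATE]
    print(policy_accepted(with_android, "RoadWarrior", client, "0.0.0.0/0"))
    # Review which templates grant full-reach policies before enabling them.
    print(overbroad_templates(with_android))
```

Running it shows the Android 0.0.0.0/0 request failing against the three original templates and succeeding only once the fourth is added, which is the mismatch the excerpt's Android note describes.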

Well, of course I am extremely not happy, after spending so much time trying to resolve the VPN issue, to read here:

http://forum.mikrotik.com/t/known-issues-and-bugs-a-list/71473/1

There is an issue with the L2TP server…it has bugs. Three days ago, after receiving no response, I made a decision and bought a Cisco VPN router. Then last night I saw the above post. It is not cool to waste one’s time by delivering an incomplete software version and then failing to offer support…please see the screen shot of April 29. This below is from the same log on that day.
Screen Shot 2014-05-02 at 7.30.50 AM.png