IPSec + iOS doesn't work

Hi all. I have a MikroTik with RouterOS 6.10.
I am setting up an L2TP+IPSec server on it. My config is below.
Connection from a computer with WinXP is OK.
Connection from an iPhone gives this in the log:
09:52:55 ipsec,debug no suitable proposal found.
09:52:55 ipsec,debug failed to get valid proposal.
09:52:55 ipsec,debug failed to pre-process ph1 packet (side: 1, status 1).
09:52:55 ipsec,debug phase1 negotiation failed.
Full log:
log.txt (52.3 KB)
Config:
export-ipsec.rsc (8.26 KB)
Short config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-128-ctr
/ip pool
add name=l2tp-pool ranges=192.168.100.2-192.168.100.200
/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=l2tp remote-address=\
    l2tp-pool
/interface l2tp-server server
set authentication=pap,chap,mschap1 default-profile=l2tp enabled=yes \
    keepalive-timeout=15 max-mru=1418 max-mtu=1418
/ip address
add address=192.168.88.1/24 comment=Settings_Port interface=eth12-192.168.88 \
    network=192.168.88.0
add address=192.168.0.1/24 comment="AMIGO LAN" interface=eth1-192.168.0 \
    network=192.168.0.0
add address=192.168.3.1/24 interface=eth2-192.168.3 network=192.168.3.0
add address=91.196.229.6/30 comment=Stels interface=eth10-Stels network=\
    91.196.229.4
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment=Accept_established_connections connection-state=\
    established
add chain=forward connection-state=established
add chain=input comment=Accept_related_connections connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment=Drop_invalid_connections \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment=Allow_UDP protocol=udp
add chain=forward protocol=udp
add chain=forward comment="Amigo Traffic" dst-address=192.168.0.0/16 \
    src-address=192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for Amigo networks" \
    out-interface=eth10-Stels src-address=192.168.0.0/16
/ip ipsec peer
add enc-algorithm=aes-256 generate-policy=port-override nat-traversal=yes \
    secret=topsecret
/ip route
add distance=1 gateway=91.196.229.5
add distance=1 dst-address=192.168.1.0/24 gateway=172.17.17.21
add distance=1 dst-address=192.168.10.0/24 gateway=172.17.17.13
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=client1 password=secret1 profile=l2tp service=l2tp
/system logging
add topics=ipsec
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes mode=unicast primary-ntp=62.149.0.30
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

Please, help :wink:

Find out what algorithms iOS can use

/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=l2tp remote-address=l2tp-pool use-encryption=yes

/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=l2tp enabled=yes keepalive-timeout=15 max-mru=1450 max-mtu=1450 mrru=1614

set authentication=pap,chap,mschap1,mschap1

you’re using mschap1 two times, is it ok?
You mean mschap2?

Apple writes

iOS works with VPN servers that support the following protocols and authentication methods:

L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID or CryptoCard, and machine authentication by shared secret.

You have
/interface l2tp-server server set authentication=pap,chap,mschap1
Have you tried
/interface l2tp-server server set authentication=mschap2 ?

Turned on mschap2, everything is the same. Failed to get valid proposal

Yes, a misspelling, mschap2 (I fixed my post)

normis gave you the list of supported authentication methods on iOS; mschap2 must be on.

Sorry for the disinformation.
When I use 3des encryption in Peers, everything is OK from the computer. From the iPhone the connection doesn’t work.
When I use aes256 encryption in Peers, the connection doesn’t work from the computer or the iPhone.
The error is the same. No suitable proposal found.

Turned on mschap2. Doesn’t work

Some other stuff from the internet, what the iOS wants to see:

dh-group: modp1024
hash-algorithm: sha1
Encryption algorithm: AES / 256 bits (another internet place says 128, so try both)
auth-method: pre-shared-key-xauth



/ip ipsec proposal
set [ find default=yes ] enc-algorithms="3des,aes-128-cbc,aes-192-cbc,aes-256-\
    cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr"

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled 
 0   address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key 
     secret="topsecret" generate-policy=port-override exchange-mode=main 
     send-initial-contact=yes nat-traversal=yes proposal-check=obey 
     hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d 
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Tried aes-128 and aes-256. Doesn’t work on both the computer and the iPhone. On the computer it works only with 3des encryption.
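An added example, not code from the thread or from MikroTik: a small Python checker that parses the `/ip ipsec peer print` output quoted above and compares its IKE phase-1 parameters with what the earlier post says iOS expects, plus a helper that spots the "no suitable proposal found" failure in the ipsec,debug log. The iOS requirement table is taken from that post; the parser's handling of flags and continuation lines is an assumption about the print format.

```python
import re

# Constructed sample: the peer print output quoted in the thread above.
PEER_PRINT = """\
Flags: X - disabled
 0   address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key
     secret="topsecret" generate-policy=port-override exchange-mode=main
     send-initial-contact=yes nat-traversal=yes proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
"""

# Phase-1 values the thread says iOS wants (from the "what iOS wants to see" post).
IOS_PHASE1 = {
    "dh-group": {"modp1024"},
    "hash-algorithm": {"sha1"},
    "enc-algorithm": {"aes-128", "aes-256"},
    "auth-method": {"pre-shared-key", "pre-shared-key-xauth"},
}

# key=value tokens; values may be double-quoted (secret="...").
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# An entry starts with its index, optional flag letters, then the first key=value.
ENTRY_RE = re.compile(r"\s*(\d+)\s+([A-Z* ]*?)\s*(?=[\w-]+=)")

def parse_peer_print(text):
    """Parse RouterOS `print` output into one dict per entry; indented continuation
    lines (no leading index) are folded into the previous entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"index": int(m.group(1)), "flags": m.group(2).replace(" ", "")})
            line = line[m.end():]
        elif not entries:
            continue  # stray text before the first entry
        for key, val in KV_RE.findall(line):
            entries[-1][key] = val.strip('"')
    return entries

def check_ios_phase1(peer):
    """Return (parameter, actual, allowed) for every phase-1 setting iOS would reject."""
    return [(k, peer.get(k, "<missing>"), sorted(v)) for k, v in IOS_PHASE1.items()
            if peer.get(k) not in v]

PHASE1_FAIL_MARKERS = ("no suitable proposal found", "failed to get valid proposal")

def phase1_proposal_failed(log_lines):
    """True if the ipsec,debug log shows the responder rejecting the phase-1 proposal."""
    return any(marker in line for line in log_lines for marker in PHASE1_FAIL_MARKERS)

if __name__ == "__main__":
    for peer in parse_peer_print(PEER_PRINT):
        print(peer["index"], check_ios_phase1(peer) or "phase-1 settings match iOS")
```

For the quoted peer the checker reports no phase-1 mismatch, which is consistent with the failure lying elsewhere (the aes-256 bug mentioned later, or the phase-2 proposal) rather than in these four settings.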

The idea is to disable the 3des and others, leave only the one that iOS supports

Also, the changelog of 6.10 says that aes-256 doesn’t work.
http://www.mikrotik.com/download/CHANGELOG_6

Try:

/ip ipsec proposal
set [ find default=yes ] pfs-group=modp1024 auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr

Or:

/ip ipsec proposal
set [ find default=yes ] pfs-group=modp1024 auth-algorithms=null enc-algorithms=aes-128-gcm,aes-192-gcm,aes-256-gcm

Try v6.11 for now. What architecture do you need?

You mean in proposal?
Ok, making that:

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
 0 * name="default" auth-algorithms=sha1
     enc-algorithms=aes-128-cbc,aes-128-ctr lifetime=30m pfs-group=modp1024
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
 0   address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key
     secret="topsecret" generate-policy=port-override exchange-mode=main
     send-initial-contact=yes nat-traversal=yes proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] >

and it doesn’t work

We will make a setup like that here and test. Meanwhile, let me know which device you use, and I will give you v6.11 with the 256-bit fix.

I use ROS on a MikroTik CCR1016-12G

I can’t say if this is the bug that causes your problem, we will test it locally anyway, but now you can just try this:
http://www.mikrotik.com/download/share/routeros-tile-6.11.npk

Upgraded to 6.11. Tried aes-256. Error is the same

Still no answer? ):

We are replicating the setup.