IPSec/L2TP vpn connection starts but won't complete

RouterOS General
1

I am trying to get a L2TP/IPSEC vpn tunnel up and running between a Windows 7 laptop (client, dynamic public IP) and a RB450g (server, static public IP). I have followed the wiki and the VPN tunnel starts but then fails. In particular, once the laptop initiates the tunnel, I see it appear as a remote peer in IPSEC (so I assume Phase 1 works), but then it gets stuck.

During the connection attempt I see the following in the log:
21:18:19 l2tp,info first L2TP UDP packet received from 184.151.63.211
21:18:45 l2tp,info first L2TP UDP packet received from 184.151.63.211

While the tunnel connection is being attempted, I see a policy, remote peer, etc. Here are some details:
[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled
0 address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret=“12345” generate-policy=yes exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=no my-id-user-fqdn=“” hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] /ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=192.168.1.157/32 src-port=any dst-address=173.239.164.xx/32 dst-port=any protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=192.168.1.157 sa-dst-address=173.239.164.xx proposal=default priority=2
[admin@MikroTik] /ip ipsec> remote-peers print
0 local-address=173.239.164.xx remote-address=184.151.63.211 state=established side=responder established=6s
[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MikroTik] /ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xBEF7E4F src-address=184.151.63.211 dst-address=173.239.164.xx auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key=“10fa676d99e335dfcb1f45a817db1b2863efbf07” enc-key=“f7435e12fca33db5834eb514d69f8f81dc22aa2353938f9b”
addtime=sep/03/2012 21:18:19 add-lifetime=48m/1h usetime=sep/03/2012 21:18:19 use-lifetime=0s/0s current-bytes=452
lifebytes=0/0

1 E spi=0xF40C98ED src-address=173.239.164.xx dst-address=184.151.63.211 auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key=“9ba02fc82b873cf98ccca877c599541eaf9612c4” enc-key=“21909e56c1c37d6f354971de379ec4aa670020ba5fa618b0”
add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0

(Not sure if it’s an issue, but stats show packets coming in protocol 50/ESP, but none leaving protocol 50/ESP).

Can someone tell me how to make this tunnel work?

Thanks,
Michelle

2

Hi Michelle!

I had the same issue, try to move the firewall rules to the top for debugging… Also enable logging for ipsec, and you will get some more info whats going on.. :slight_smile:

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" disabled=no dst-address=\
    xx.xx.xx.xx dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment="L2TP VPN" disabled=no protocol=ipsec-esp
3

The problem was my PPP profile was requiring encryption (set to YES). Once I switched it back to DEFAULT then the connection succeeded.

I think this is because L2TP does not support encryption (it relies on IPSEC), so it failed.

4

Check your IPSec SA’s - to be sure they are doing encryption. IIRC setting the PPP policy to not use encryption caused the whole IPSec tunnel to be in the clear.

You’ll have double encryption, where the outer tunnel will be IPSec and the inner L2TP tunnel will use [whatever it’s called, I can’t recall.]
ESSP, or something. [Ah, MPPE - that’s what it’s called.]

I’ve asked, but have been unable to find a way to disable the MPPE on the inside L2TP tunnel. [Vista and higher won’t even use low security MPPE - without a registry hack. But even with that, I can’t get RoS to stop using MPPE on the inner tunnel.]

-Greg

5

i got the exact same problem when i try to connect my iphone6 via L2TP/IPsec over 3G … no luck…
PPTP works immediately over 3G

when my iph6 is connected to a WiFi then both works L2TP/IPsec and PPTP
i accept input for Protocol 51 (ipsec-ah) and Protocol 50 (ipsec-esp) and have opened the ports 500, 4500, 1701 for L2TP/IPsec and 1723 for PPTP VPN.

LOG output below and here are the firewall settings for the VPN connections:

[spippan@RB951_sp-private] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; accept WHITELIST ACL input
      chain=input action=accept src-address-list=whitelist log=no log-prefix="" 

 1    ;;; accept WHITELIST ACL forward
      chain=forward action=accept src-address-list=whitelist log=no log-prefix="" 

 2    ;;; ADMIN Blocked via ACL "admin_block"
      chain=input action=drop src-address-list=admin_block log=yes log-prefix="" 

 3    ;;; ADMIN Blocked via ACL "admin_block"
      chain=forward action=drop src-address-list=admin_block log=yes log-prefix="" 

 4    chain=input action=accept protocol=ipsec-ah src-address-list=!VPN_blacklist log=no log-prefix="" 

 5    chain=input action=accept protocol=ipsec-esp src-address-list=!VPN_blacklist log=no log-prefix="" 

 6    ;;; allow VPN from OFFICE HP
      chain=input action=accept protocol=udp src-address=62.218.xx.xx dst-port=1701 log=no log-prefix="" 

 7    ;;; allow VPN from OFFICE HP
      chain=input action=accept protocol=udp src-address=81.189.xx.xx dst-port=1701 log=no log-prefix="" 

 8    ;;; drop BLACKLISTED L2TP VPN connectors
      chain=input action=drop protocol=udp src-address-list=VPN_blacklist dst-port=1701 log=no log-prefix="" 

 9    chain=input action=add-src-to-address-list connection-state=new protocol=udp src-address-list=VPN_stage4 address-list=VPN_blacklist address-list-timeout=2w dst-port=1701 
      log=yes log-prefix="vpn_blacklisting>" 

10    chain=input action=add-src-to-address-list connection-state=new protocol=udp src-address-list=VPN_stage3 address-list=VPN_stage4 address-list-timeout=1m dst-port=1701 log=no 
      log-prefix="" 

11    chain=input action=add-src-to-address-list connection-state=new protocol=udp src-address-list=VPN_stage2 address-list=VPN_stage3 address-list-timeout=1m dst-port=1701 log=no 
      log-prefix="" 

12    chain=input action=add-src-to-address-list connection-state=new protocol=udp src-address-list=VPN_stage1 address-list=VPN_stage2 address-list-timeout=1m dst-port=1701 log=no 
      log-prefix="" 

13    chain=input action=add-src-to-address-list connection-state=new protocol=udp address-list=VPN_stage1 address-list-timeout=1m dst-port=1701 log=no log-prefix="" 

14    ;;; ***allow L2TP ports
      chain=input action=accept connection-state=new protocol=udp dst-port=500,4500,1701 log=yes log-prefix="L2TP>>>" 

15    ;;; drop BLACKLISTED PPTP VPN connectors
      chain=input action=drop protocol=tcp src-address-list=VPN_blacklist dst-port=1723 log=no log-prefix="" 

16    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=VPN_stage3 address-list=VPN_blacklist address-list-timeout=2w dst-port=1723 
      log=yes log-prefix="vpn_blacklisting>" 

17    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=VPN_stage2 address-list=VPN_stage3 address-list-timeout=1m dst-port=1723 log=no 
      log-prefix="" 

18    chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=VPN_stage1 address-list=VPN_stage2 address-list-timeout=1m dst-port=1723 log=no 
      log-prefix="" 

19    chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=VPN_stage1 address-list-timeout=1m dst-port=1723 log=no log-prefix="" 

20    ;;; ***allow PPTP port(s)
      chain=input action=accept connection-state=new protocol=tcp dst-port=1723 log=yes log-prefix="PPTP>>>"

here the log output as i tested it on 3G and WiFi (successful connects via Wifi; VPN user = spippan_iphone)

13:03:28 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:62512->194.118.129.75:500, len 528 
13:03:29 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:03:29 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:56050->194.118.129.75:1701, len 96 
13:04:22 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:04:23 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:53121->194.118.129.75:1701, len 96 
13:05:27 wireless,info F0:D1:A9:2F:9E:C6@WLAN: connected 
13:05:50 wireless,info F0:D1:A9:2F:9E:C6@WLAN: disconnected, received disassoc: sending station leaving (8) 
13:05:50 wireless,info WLAN: data from unknown device F0:D1:A9:2F:9E:C6, sent deauth 
13:05:51 system,info ppp profile <VPN-sp> changed by spippan 
13:05:59 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:05:59 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:54479->194.118.129.75:1701, len 96 
13:06:27 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:06:27 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:65025->194.118.129.75:1701, len 96 
13:06:39 system,info ppp profile <VPN-sp> changed by spippan 
13:06:56 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:06:56 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:61800->194.118.129.75:1701, len 96 
13:07:28 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 81.189.xx.xx:500->194.118.129.75:500, len 528 
13:07:28 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 81.189.xx.xx:4500->194.118.129.75:4500, len 140 
13:07:29 l2tp,info first L2TP UDP packet received from 81.189.xx.xx 
13:07:30 l2tp,ppp,info,account spippan_iphone logged in, 10.20.30.210 
13:07:30 l2tp,ppp,info L2TP_spippan_iphone: authenticated 
13:07:30 l2tp,ppp,info L2TP_spippan_iphone: connected 
13:08:02 l2tp,ppp,info L2TP_spippan_iphone: terminating... 
13:08:02 l2tp,ppp,info,account spippan_iphone logged out, 32 1534 207 10 6 
13:08:02 l2tp,ppp,info L2TP_spippan_iphone: disconnected 
13:08:03 system,info ipsec proposal default changed by spippan 
13:08:11 l2tp,info first L2TP UDP packet received from 213.162.68.132 
13:08:11 firewall,info L2TP>>> input: in:PPTP_A1_DSL out:(none), proto UDP, 213.162.68.132:64398->194.118.129.75:1701, len 96 
13:08:37 system,info ipsec proposal default changed by spippan 
13:08:43 pptp,info TCP connection established from 213.162.68.132 
13:08:43 pptp,ppp,info,account spippan_iphone logged in, 10.20.30.210 
13:08:43 pptp,ppp,info <pptp-spippan_iphone>: authenticated 
13:08:44 pptp,ppp,info <pptp-spippan_iphone>: using encoding - MPPE128 stateless 
13:08:45 pptp,ppp,info <pptp-spippan_iphone>: connected 
13:09:31 system,info filter rule changed by spippan 
13:09:33 pptp,ppp,info <pptp-spippan_iphone>: terminating... - disconnected 
13:09:33 pptp,ppp,info,account spippan_iphone logged out, 50 1558 100 13 8 
13:09:33 pptp,ppp,info <pptp-spippan_iphone>: disconnected 
13:09:39 pptp,info TCP connection established from 213.162.68.132 
13:09:39 firewall,info PPTP>>> input: in:PPTP_A1_DSL out:(none), proto TCP (SYN), 213.162.68.132:26799->194.118.129.75:1723, len 64 
13:09:40 pptp,ppp,info,account spippan_iphone logged in, 10.20.30.210 
13:09:40 pptp,ppp,info <pptp-spippan_iphone>: authenticated 
13:09:40 pptp,ppp,info <pptp-spippan_iphone>: using encoding - MPPE128 stateless 
13:09:41 pptp,ppp,info <pptp-spippan_iphone>: connected 
13:10:50 wireless,info F0:D1:A9:2F:9E:C6@WLAN: connected 
13:11:04 wireless,info F0:D1:A9:2F:9E:C6@WLAN: disconnected, received disassoc: sending station leaving (8) 
13:11:04 wireless,info WLAN: data from unknown device F0:D1:A9:2F:9E:C6, sent deauth 
13:11:55 pptp,ppp,info <pptp-spippan_iphone>: terminating... 
13:11:55 pptp,ppp,info,account spippan_iphone logged out, 136 1558 100 13 8 
13:11:55 pptp,ppp,info <pptp-spippan_iphone>: disconnected 
13:12:06 system,info,account user spippan logged in from 10.20.30.200 via telnet