L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Hello everyone,

Just as the title says, I am unable to establish a VPN connection from my RB2011iLS-iN to an L2TP VPN server hosted on another MikroTik which I do not have access to, so I'm not sure about the model, but the server runs RouterOS version 6.45.3, while my client is on 6.45.6.
Credentials and the IPsec key are fine; I can connect to the VPN from a PC that is connected to the MikroTik via LAN cable. But from that same MikroTik I cannot establish the VPN tunnel.

This is the log; if I hadn't disabled the connection at the end, it would have gone into an endless loop.

11:55:11 system,info,account user admin logged in via local
11:55:41 l2tp,ppp,info L2TP-Client: initializing...
11:55:41 l2tp,ppp,info L2TP-Client: connecting...
11:55:41 system,info device changed by admin 
11:55:44 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:55:45 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd 
11:56:08 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:08 l2tp,ppp,info L2TP-Client: disconnected
11:56:08 l2tp,ppp,info L2TP-Client: initializing...
11:56:08 l2tp,ppp,info L2TP-Client: connecting...
11:56:08 l2tp,ppp,info L2TP-Client: terminating... - old tunnel is not closed yet
11:56:08 l2tp,ppp,info L2TP-Client: disconnected
11:56:09 l2tp,ppp,info L2TP-Client: initializing...
11:56:09 l2tp,ppp,info L2TP-Client: connecting...
11:56:33 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:33 l2tp,ppp,info L2TP-Client: disconnected
11:56:33 l2tp,ppp,info L2TP-Client: initializing...
11:56:33 l2tp,ppp,info L2TP-Client: connecting...
11:56:57 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:57 l2tp,ppp,info L2TP-Client: disconnected
11:56:58 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd rekey:1 
11:56:59 l2tp,ppp,info L2TP-Client: initializing...
11:56:59 l2tp,ppp,info L2TP-Client: connecting...
11:57:02 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:57:04 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:34b830b855bcde16:c8bb5d3958e91cf6 
11:57:26 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:57:26 l2tp,ppp,info L2TP-Client: disconnected
11:57:27 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:34b830b855bcde16:c8bb5d3958e91cf6 rekey:1 
11:57:29 l2tp,ppp,info L2TP-Client: initializing...
11:57:29 l2tp,ppp,info L2TP-Client: connecting...
11:57:32 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:57:34 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:1bb7eeeca022284e:72a3b896a65a993e 
11:57:45 l2tp,ppp,info L2TP-Client: terminating...
11:57:45 l2tp,ppp,info L2TP-Client: disabled
11:57:45 system,info device changed by admin 
11:57:46 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:1bb7eeeca022284e:72a3b896a65a993e rekey:1

Any help would be greatly appreciated on this! Thanks in advance.

11:56:08 l2tp,ppp,info L2TP-Client: terminating… - old tunnel is not closed yet

Do you have an open connection on your PC?
You must close it first.

I have made sure that I had the connection closed. And it definitely was closed when I was trying to connect to that VPN.

Ensure the server side has the firewall open for IPsec ESP. As you are going through NAT it may be that NAT-T isn't working correctly.

Make sure UDP ports 500, 4500 and 1701 are open on your server…
Double check your ipsec secret…

But I can connect from the laptop from the same place just fine. So it should be OK. Right?
The setup is like this:

MikroTik VPN SERVER < - - - - - - - < INTERNET > - - - - - - - < Company Router > - - - - - - - < Office MikroTik + laptop and other devices connected to it via Ethernet >

When I initiate an L2TP connection from the laptop to the MikroTik VPN server on the other side, it works fine. The packets go through the Office MikroTik, then get NATed and leave through the Company Router.
Why then wouldn't it work from the Office MikroTik as an L2TP client?

They are open, or at least they should be, since I can establish the connection just fine via the laptop, but not from the MikroTik.
The IPsec secret is OK; I double-checked that multiple times.

Under the L2TP server, is IPsec set to required or yes?
Yes means the client can connect without IPsec, while on required the client must provide the IPsec key…

Test it on both…

I'm not sure about the settings on the server since I do not have access to it. But if I remove the IPsec key from the VPN config on the laptop, the connection fails. So it has to be set to required.

Ask for the log of the L2TP server the time you try to connect…

I actually asked for a log a couple of days ago when I noticed this issue on the MT.
This is from the other side; I will have to type it in manually since I got a screenshot instead of a paste.

ipsec, error <src ip addr> failed to pre-process ph2 packet
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error no suitable proposals found
ipsec, error <src ip addr> failed to pre-process ph2 packet
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, info purging ISAKMP-SA <dst.ip> <=> <src ip addr> spi ...
ipsec, info ISAKMP-SA deleted .....

I will attach a screenshot of the log with sensitive info blurred, but as far as I understood that's pretty much it: it goes into a loop since my MT constantly keeps on retrying. But I doubt that it could be something on the server side since I can connect from a laptop? Am I missing something?

As you can see the problem is with IPsec…

OK, but what exactly with IPsec? The key set on the MikroTik device is exactly the same as the one I've set on the laptop. All client configuration:

  • Server IP
  • Username
  • Password
  • IPsec key

is consistent between the L2TP config on the laptop and the L2TP-Client config on my MikroTik. So what exactly is the problem with IPsec? How do I figure that out? What is different about the L2TP client on the MikroTik compared to the one on the laptop (OS: Fedora 29)?

OK, I had to do some deeper troubleshooting. I've enabled "ipsec,!debug" logging on my MT and found this inside the logs:
fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted.

So I've checked the debug logs on the laptop to see the negotiation and found that the connection was established using 3des-aes128 with the modp2048 PFS group. On the MT client, by default it was set to the modp1024 PFS group and no 3des. After making those changes, I have managed to establish the connection to the VPN! Thanks for giving a helping hand everyone :slight_smile:
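Put into RouterOS 6.45 commands, the fix the previous post describes looks like the following. This is an added example, not configuration anyone posted in the thread: the interface name l2tp-out1, the username vpnuser and the two CHANGEME values are placeholders, and 66.77.88.99 is the server address taken from the log above. The proposal offers what the laptop negotiated (3DES and AES-128 with PFS group modp2048); with the L2TP client's use-ipsec=yes the dynamically created policy uses the proposal named default, which is why that proposal is the one to edit. The log line that pointed at phase 2 (NO-PROPOSAL-CHOSEN after a successful ISAKMP-SA) is the cue that the fix belongs in the proposal, not in the secret or the firewall.

```routeros
# Added example, not from the thread. Placeholders: l2tp-out1, vpnuser, CHANGEME-password, CHANGEME-secret.
# 66.77.88.99 is the server address from the client log in this thread.

# 1. IPsec logging to memory without the very noisy debug sub-topic, as the poster enabled it.
/system logging add topics=ipsec,!debug action=memory

# 2. Phase 2 proposal. The factory default (AES only, pfs-group=modp1024) is what the server
#    answered with NO-PROPOSAL-CHOSEN. Offer what the laptop successfully negotiated; if the
#    server also accepts AES-128 alone, drop 3des, which is deprecated.
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc,3des pfs-group=modp2048

# 3. The L2TP client; ipsec-secret must match the server's ipsec-secret.
/interface l2tp-client add name=l2tp-out1 connect-to=66.77.88.99 user=vpnuser password=CHANGEME-password use-ipsec=yes ipsec-secret=CHANGEME-secret disabled=no

# 4. Verification: a phase 1 peer, a phase 2 SA installed for UDP/1701, and the PPP link up.
#    With the old proposal, active-peers shows the peer but installed-sa stays empty and the
#    l2tp-client log repeats "session closed", exactly the loop in the client log above.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
/interface l2tp-client monitor l2tp-out1 once
/log print where topics~"ipsec"
```

The same check works in the opposite direction when you own the server: `/ip ipsec proposal print` there shows which algorithms and PFS group a client must offer, and `/log print where topics~"ipsec"` on the server shows "no suitable proposals found" for every client whose offer does not overlap.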

Great to know :smiley: :smiley: