I am experiencing an odd set of circumstances. I have an L2TP/IPSEC that I use for Site-To-Site connections, general Windows VPN, as well as mobile VPN connections. I have absolutely no issues when it comes to the Windows VPN or the Site-To-Site connections. They establish and everything works correctly.
Site-To-Site connections (non-restricted) are on the 172.16.0.0/24 subnet
Site-To-Site connections (restricted) are on the 172.48.0.0/24 subnet
Windows VPN connections fall within 172.32.0.10 - 172.32.0.50
Mobile VPN connections fall within 172.32.0.51 - 172.32.0.100
The mobile VPN connection will establish and connect to the system. Then all of my VPN functionalities will work perfectly for 15-45 seconds. Then all of a sudden nothing will load. The connection remains established/connected. And since it is a gateway connection, all functionality on the phone is lost. If I disconnect the VPN and reconnect, same thing: I will have 15-45 seconds of successful ability to use anything I would normally be able to use before the connection drops again.
Any thoughts you have would be appreciated. Thanks!
But I cannot confirm that it is the same. In terms of logging do you have a recommendation on how to isolate logging for one individual device?
The standard logging is passing details from multiple site locations at once. It is nearly impossible to dig through all the traffic to pick out the bits associated with this one device before it clears the screen.
Update: Upon checking, the issue appears to be very similar. When connecting on the mobile device, the interface is shown on the interface list for about 15-35 seconds before the interface drops off the list, which is the exact same time I lose connectivity on the phone. Even though the phone still says connected, it is no longer listed as an active connection under PPP. But under the IPsec policies I can see the PH2 state as established for the destination address the phone is coming from, and it is listed as a remote peer.
It’s not nearly impossible, it’s absolutely impossible. The way is /log print follow-only file=ipsec-l2tp-log where topics~"ipsec|l2tp"
Now switch the VPN on the mobile, wait until the connection succeeds and drops, break the /log print command, download the file, and use a text editor to search for the client IP address. And yes, it’s a PITA to read it if several clients are connected as it’s full of keepalive messages.
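Once the file is downloaded, a small script like the one below (added here, not from either poster) does the "search for the client IP" step and hides the keepalive/packet chatter so the session's state changes are readable. The log lines, addresses and PPP interface name are constructed for the example, and the time/topics/message layout is assumed to match what /log print writes.

```python
import re

# Constructed sample in the layout /log print writes (time, topics, message).
# Addresses and the interface name are made up; not the original poster's router.
SAMPLE_LOG = """\
10:15:01 ipsec,info new ike SA: 203.0.113.7[4500]-198.51.100.20[4500]
10:15:01 ipsec,debug,packet sending 200 bytes to 203.0.113.7[4500]
10:15:02 l2tp,info first L2TP UDP packet received from 203.0.113.7
10:15:02 l2tp,ppp,info <l2tp-mobile1>: authenticated
10:15:02 l2tp,ppp,info <l2tp-mobile1>: connected
10:15:10 ipsec,debug,packet sending 76 bytes to 203.0.113.7[4500]
10:15:10 ipsec,debug,packet sending 76 bytes to 203.0.113.7[4500]
10:15:20 ipsec,debug,packet sending 76 bytes to 192.0.2.9[4500]
10:15:31 l2tp,ppp,info <l2tp-mobile1>: terminating... - hangup
10:15:31 l2tp,ppp,info <l2tp-mobile1>: disconnected
10:15:32 ipsec,info purging ISAKMP-SA 203.0.113.7[4500]-198.51.100.20[4500]
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([\w,-]+) (.*)$")

def parse_log(text):
    """Yield (time, topic list, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).split(","), m.group(3)

def isolate_client(text, keys, noise_topics=("debug", "packet")):
    """Keep lines whose message mentions any key (client IP, PPP interface
    name). Lines tagged with a noise topic (keepalive/packet chatter) are
    counted rather than listed so the state transitions stand out."""
    kept, suppressed = [], 0
    for time, topics, msg in parse_log(text):
        if not any(k in msg for k in keys):
            continue
        if any(t in topics for t in noise_topics):
            suppressed += 1
            continue
        kept.append((time, ",".join(topics), msg))
    return kept, suppressed

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def ppp_lifetime(kept):
    """Seconds from the PPP 'connected' event to 'disconnected', or None."""
    up = next((t for t, _, m in kept if m.endswith(": connected")), None)
    down = next((t for t, _, m in kept if m.endswith(": disconnected")), None)
    return _seconds(down) - _seconds(up) if up and down else None

if __name__ == "__main__":
    events, noise = isolate_client(SAMPLE_LOG, ("203.0.113.7", "<l2tp-mobile1>"))
    for e in events:
        print(*e)
    print(f"{noise} packet/keepalive lines hidden; PPP up for {ppp_lifetime(events)} s")
```

Pass both the client's public IP and its PPP interface name as keys, since the IPsec lines carry the address while the l2tp,ppp lines carry only the interface name.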