L2TP/IPsec packet is retransmitted

majorlogic · September 16, 2022, 5:49am

Hello, I’ve tried to setup L2TP/IPsec vpn on my router. I can successfully access them through my LAN but when I tried to access them through 4G it fails.

My log below:

13:13:49 ipsec,info respond new phase 1 (Identity Protection): xxx.xxx.xxx.xxx[500]<=>175.176.67.122[28729] 
13:13:52 ipsec,info the packet is retransmitted by 175.176.67.122[28729]. 
13:13:55 ipsec,info the packet is retransmitted by 175.176.67.122[28729]. 
13:13:58 ipsec,info the packet is retransmitted by 175.176.67.122[28729]. 
13:14:01 ipsec,info the packet is retransmitted by 175.176.67.122[28729]. 
13:14:04 ipsec,info the packet is retransmitted by 175.176.67.122[28729]. 
13:14:19 l2tp,info first L2TP UDP packet received from 175.176.67.122 
13:14:49 ipsec,error phase1 negotiation failed due to time up xxx.xxx.xxx.xxx[500]<=>175.176.67.122[28729] dbaab16a73dbc420:29
d30f82da568583

Where x is my static IP and 175.176.67.122 is my ip from 4G

below is my config for my L2TP/IPsec packet

/ip pool
add name=vpn-ipsec ranges=192.168.3.2-192.168.3.100
/ip firewall filter
add action=fasttrack-connection chain=forward comment=DNS dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSEC VPN access\"" dst-port=500,1701,4500 in-interface=\
    pppoe-WAN log=yes protocol=udp
add action=accept chain=input in-interface=pppoe-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=pppoe-WAN protocol=ipsec-ah
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-WAN
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp-vpn enabled=yes use-ipsec=required
/ppp profile
add change-tcp-mss=yes local-address=192.168.3.1 name=l2tp-vpn remote-address=vpn-ipsec

Am I missing something?

sindy · September 16, 2022, 7:02am

First of all, your firewall doesn’t protect the Mikrotik itself from remote connections to its management interfaces (ssh, winbox, webfig) or from acting as a DNS attack amplifier, because there is no action=drop rule in chain input of /ip firewall filter. In RouterOS, the default action in all chains is accept, so whatever is not matched by one of your accept rules is accepted anyway. Even for the LAN devices, a NAT on WAN does not substitute proper firewall rules in chain forward.

Second, the log suggests that the device connected to 4G doesn’t receive the responses from the Mikrotik, which makes it retransmit the initial request.

So I would sniff the traffic on the WAN interface, matching on the 4G IP address, to see whether the Mikrotik actually responds or not, and if it does, what is the size of the response packets and whether they are fragmented.

If the connecting client doesn’t have a 4G modem directly on itself but is connected to it via Ethernet or WiFi, I would also sniff on the client using tcpdump or Wireshark, matching on the public address of the Mikrotik, to see whether the responses from Mikrotik reach the client or not.

Znevna · September 16, 2022, 9:08am

Some packets, you’re missing some packets.

pe1chl · September 16, 2022, 9:12am

My experience is that this issue is caused by (CG)NAT routers on the path maintaining incorrect state or making incorrect port translations.
The remote sends you the IPsec packet but it does not receive the reply on the port number where it is listening.
You can already guess that is wrong by looking at: xxx.xxx.xxx.xxx[500]<=>175.176.67.122[28729]. that 28729 should be 500 as well, but NAT has translated it. The NAT should translate it back to 500 but does not do that correctly, e.g. when two different connections were made.

When this happens only occasionally (and especially during testing when you are trying different scenarios like breaking the connection after it was established), it can sometimes help to shut the client down for a couple of minutes and then starting it again. The incorrect NAT rule has expired by then (usually after 3 or 5 minutes).
When keeping the client on (and trying), the bad situation persists.

majorlogic · September 17, 2022, 4:53am

Btw, thanks for all the answers above and an update here is that it worked I disable my main ISP (I have dual isp, main ISP is on ether1 and DHCP while ether6 is ppp client with static ip) so basically if ether1 is enabled it will retransmit the data.

below is script:

Znevna · September 17, 2022, 5:47am

You did not mention a dual wan setup…

majorlogic · September 17, 2022, 10:19am

yeah, I forgot to mention it on my first post. It was 2 am already so maybe I was prolly brain dead.

sindy · September 17, 2022, 10:27am

That changes a lot. Normally I would just refer to this, but for your case, it is a bit more complicated as you use connection marks for QoS purposes, and in the RouterOS implementation, a single connection cannot have more than a single connection mark. So you’d need to use aggregate connection marks to use them for both QoS treatment and policy routing.

So for your case, I suggest the following routing rule:
/ip route rule add src-address=ip.of.pppoe.wan action=lookup-only-in-table table=useonly_globe

As your Mikrotik acts as a responder (server) in the L2TP/IPsec connections, it sends the response traffic from the IP address to which the initial request of a given connection has arrived. So this rule will make sure that whatever is sent from the IP address of the PPP WAN will be routed through that interface. Without this rule, the response packets from that address are sent via ether1, and some ISP along the path drops them because they have an unexpected source address - if nothing else, the NAT at the initiator (client) end will drop them as they do not match any existing pinhole.

majorlogic · September 17, 2022, 11:29am

thanks, sindy. You’ve helped me twice in a row in both my problems I posted here in mikrotik forum. You’re a life-saver!