L2TP/IPSec VPN - Cannot get past phase 1

Hi guys!

After changing offices, the Mikrotik doesn’t want to work as a VPN server, although all the other functions, including Winbox, are working fine.
On the main router (I cannot get rid of it) there is a DMZ set up pointing to Mikrotik.

In the log, I see the following, and it stays there without any changes until I cancel the connection:
respond new phase 1 (Identity Protection): 192.168.10.1[500]<=>“Client’s IP”[500]
After I cancel the connection, it purges the keys.

Please help me find out what’s going on.

Config is:

[x825k@Printer] /ip firewall filter>  /export
# nov/26/2023 15:33:10 by RouterOS 6.49.10
# software id = 8H31-ZK46
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = *
/interface bridge
add admin-mac=64:D1:54:A7:C2:63 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=\
    no_country_set distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    ssid=XLS-Audit station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country=no_country_set distance=indoors frequency=auto frequency-mode=manual-txpower mode=\
    ap-bridge ssid=MikroTik-A7C268 station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=*
/ip ipsec peer
# This entry is unreachable
add name=peer2 passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
/ip pool
add name=default-dhcp ranges=192.168.68.50-192.168.68.254
add name=vpn_pool ranges=192.168.68.10-192.168.68.30
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sens\
    itive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=* \
    use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.68.1/24 comment=defconf interface=bridge network=192.168.68.0
add address=*.*.*.*(hidden by me)/24 interface=ether1 network=*.*.*.*(hidden by me)
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.68.0/24 comment=defconf gateway=192.168.68.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=L2TP port=1701,500,4500,1723,47 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input log=yes log-prefix=vpn_drop_from_list src-address-list=vpn_block
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec identity
add generate-policy=port-override peer=peer2 remote-id=ignore secret=thiSiSSecr3t
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=* password=* profile=l2tp_profile service=l2tp
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=*
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It looks like your L2TP/IPSec server is behind NAT (the 192.168.10.1 address gives it away) and that’s going to complicate matters. The IPSec transport that L2TP uses doesn’t work well if the endpoint IDs don’t match the source addresses. If you can get a public address from your upstream router, that will help. If not, it can still be made to work, but we’ll have to use something other than the IP address for the L2TP server’s IKE ID.

Are the clients Windows machines or something else? With the default settings, the Windows embedded VPN client does not like it when the L2TP/IPsec server (responder) is behind a NAT on its own side. There are two ways to work around that: one is a registry setting that has to be applied on each client, the other is to make the Mikrotik think it runs on the public IP of the outer router; both have been described here on the forum. However, if the clients are not Windows PCs, the cause is probably something else that would need a deeper analysis.

Since the need for VPN is not clear: which users are coming to the OFFICE and for what purposes?
Why do you hide a private IP address, assuming the upstream router handles the WAN connection and your WAN input is basically a LAN address on the subnet of the ISP router?
The other thing funky about that is you have both an IP address for your WAN but also use an IP DHCP client, which one is it?

Have you considered WireGuard VPN?

Good spot.

They’ve got both a public (presumably) address assigned statically on the WAN and a DHCP client on the WAN. There’s no static default gateway defined, so the router is going to pick that up from DHCP… which means it’s going to go out via the private address that’s been assigned.

If a default route is defined using the public gateway and the DHCP client is disabled, that may be all they need.
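The observations in the replies above (a private responder address, a static WAN address competing with a DHCP client, and no static default route) can be checked mechanically against the export the OP posted. The script below is an added example, not code from this thread or from MikroTik; it assumes the hidden WAN address is 192.168.10.1 (the responder address in the log line) and that ether1 is the WAN interface, and the gateway 192.168.10.254 in the "fixed" sample is a constructed placeholder.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the export from the original post. The hidden WAN
# address is assumed to be 192.168.10.1, the responder address shown in the log.
EXPORT = """\
/ip address
add address=192.168.68.1/24 comment=defconf interface=bridge network=192.168.68.0
add address=192.168.10.1/24 interface=ether1 network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment=L2TP port=1701,500,4500,1723,47 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
"""
# Constructed "after" state: DHCP client off, static default route via the upstream router
# (placeholder gateway), UDP rule limited to IKE/NAT-T/L2TP ports.
FIXED = EXPORT.replace("disabled=no", "disabled=yes").replace(",1723,47", "") + \
    "/ip route\nadd distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.254\n"

def parse_export(text):
    """Map each '/section' line of a RouterOS export to its entries as {key: value} dicts."""
    text = re.sub(r"\\\n\s*", "", text)          # join '\'-continued lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        verb, _, rest = line.partition(" ")
        current.append({"_verb": verb, **dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', rest))})
    return sections

def audit(text, wan="ether1"):
    """Return the misconfiguration tags the thread's replies point at."""
    s, findings = parse_export(text), []
    static = [e for e in s.get("/ip address", []) if e.get("interface") == wan]
    if any(ip_address(e["address"].split("/")[0]).is_private for e in static):
        findings.append("wan-private-address")      # IPsec responder sits behind NAT
    dhcp = [e for e in s.get("/ip dhcp-client", []) if e.get("interface") == wan and e.get("disabled") != "yes"]
    if static and dhcp:
        findings.append("static-and-dhcp-on-wan")   # two competing WAN configurations
    if not any(e.get("dst-address") == "0.0.0.0/0" for e in s.get("/ip route", [])):
        findings.append("no-static-default-route")  # default gateway comes from DHCP only
    for e in s.get("/ip firewall filter", []):
        if e.get("protocol") == "udp" and {"1723", "47"} & set(e.get("port", "").split(",")):
            findings.append("pptp-gre-listed-as-udp-ports")  # 1723 is PPTP/TCP and 47 is the GRE protocol number, not UDP ports
    return findings
```

Running audit() on the OP's export reports all four tags; on the "fixed" sample only the behind-NAT observation remains, which matches the first reply's point that a private WAN address still needs extra handling on the client side.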

I'd rather not Crokinole my way into the OP's head… and will let the OP provide the actual information.