Hi everyone,
I have (used to have) a working L2TP/IPSec setup that was working fine up to now, when I noticed this problem.
This config is using a couple of profiles to allow site-to-site (using another MK as VPN client) and road warrior access.
I’m not using it all the time so it’s difficult for me to say when it started having this issue.
However 2 major changes have been made so far: installing ROS 6.47 (on both MKs) and playing a little bit with firewall raw rules, to test some config.
Basically either from RW clients or the MK client, when I issue the connection to the VPN, the connection goes up and stays for about a minute or so, then it disconnects.
Below is the main config on the MK at the server side.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-bcp-vpn-server enabled=yes \
ipsec-secret="xxxxxxx" mrru=1600 use-ipsec=\
required
/ppp profile
add comment="L2TP Road Warrior Client-VPN profile" dns-server=\
208.67.222.222 local-address=10.5.5.5 name=l2tp-rw-client-vpn \
remote-address=vpn-rw-client-pool use-encryption=required
add bridge=bridge-vpn-lan comment="L2TP BCP-VPN Server" dns-server=\
208.67.222.222 name=l2tp-bcp-vpn-server \
use-encryption=required
/ppp secret
add comment="L2TP Road Warrior Admin access" name=xxxxx profile=\
l2tp-rw-client-vpn service=l2tp
add comment="L2TP BCP Server" name=yyyyy profile=\
l2tp-bcp-vpn-server service=l2tp
/ip firewall filter
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="IPSec UDP port" dst-port=500 \
in-interface=ether1-WAN1 log-prefix=level3-access protocol=udp \
src-address-list=l3_secure
add action=accept chain=input comment="IPSec/NAT UDP port" dst-port=4500 \
in-interface=ether1-WAN1 log-prefix=access-udp-4500 protocol=udp \
src-address-list=l3_secure
add action=accept chain=input comment="L2TP UDP port" dst-port=1701 \
in-interface=ether1-WAN1 ipsec-policy=in,ipsec log-prefix=l2tp-allowed \
protocol=udp src-address-list=L2TP_Allowed
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment=\
"defconf: drop all not coming from local interfaces" in-interface-list=\
!INTIF
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment=\
"defcon: drop non routable IP's from WAN" in-interface=ether1-WAN1 \
src-address-list=not_valid_internet
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=drop chain=prerouting comment="drop WAN connections from 'spamBL' b\
lacklisted hosts <- Src. Address List: spamBL" in-interface=ether1-WAN1 \
log-prefix=drop-spamBL src-address-list=spamBL
add action=drop chain=prerouting comment="drop WAN connections from 'intruseBL\
' blacklisted hosts <- Src. Address List: intruseBL" in-interface=\
ether1-WAN1 log=yes log-prefix=drop-intruseBL src-address-list=intruseBL
add action=drop chain=prerouting comment="drop common UDP ports from WAN" \
dst-port=161,5060 in-interface=ether1-WAN1 protocol=udp
add action=drop chain=prerouting comment="drop common TCP ports from WAN" \
dst-port=20,21,22,80,8291 in-interface=ether1-WAN1 log-prefix=drop-ftp \
protocol=tcp
add action=drop chain=bad_tcp comment="defconf: block portscanner" protocol=\
tcp psd=21,3s,3,1
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT via WAN1" \
ipsec-policy=out,none out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment="NAT via WAN2" out-interface=\
ether2-WAN2
Here is the log from the client side.
LOG
08:57:42 ipsec,info initiate new phase 1 (Identity Protection): 192.168.0.10[500]<=>X.Y.Z.W[500]
08:57:44 ipsec,info ISAKMP-SA established 192.168.0.10[4500]-X.Y.Z.W[4500] spi:65b96d9c95d88b82:3715ac688098467b
08:57:47 l2tp,ppp,info l2tp-bcp-client: authenticated
08:57:47 l2tp,ppp,info l2tp-bcp-client: connected
08:59:02 l2tp,ppp,info l2tp-bcp-client: terminating... - session closed
08:59:02 l2tp,ppp,info l2tp-bcp-client: disconnected
08:59:02 l2tp,ppp,info l2tp-bcp-client: disabled
08:59:03 ipsec,info ISAKMP-SA deleted 192.168.0.10[4500]-X.Y.Z.W[4500] spi:65b96d9c95d88b82:3715ac688098467b rekey: 1
It looks like after the connection is established, something times out or becomes unresponsive even though the connection is stable.
I’m not sure whether this might be some issue with the new ROS since several things have changed on the IPSec side; I didn’t try to remove everything from IPSec/PPP to re-create the whole config from scratch as I wanted to see whether the problem might lie somewhere else.
EDIT: finally I’ve found the issue.
For some reason, after the connection was established, the address-list that bans IPs attempting access to UDP-4500 was adding my client’s IP into it; therefore the rule in raw was acting immediately, killing the connection. What is strange is that that part of my setup hadn’t changed in a while, but most likely this situation was not noticed before. And also the other MK client was killed in about a minute, while RW clients were lasting up to 3 minutes before the connection was killed. So something has changed somewhere and this was not covered by the initial setup to protect access to port 4500. But it is now.
Armando.
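Added example, not from the post above and not RouterOS code: a small Python model of why a raw-chain ban list kills an already established L2TP/IPsec session. In RouterOS, /ip firewall raw prerouting is evaluated before connection tracking, so a drop there cannot be saved by the filter rule accepting established traffic; the address-list name "udp4500_ban", the peer IP 203.0.113.7 and the exempting accept rule for the VPN peer list are constructed assumptions, not the poster's configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Packet:
    src: str
    established: bool = False  # conntrack state, only visible after raw

@dataclass
class Rule:
    action: str                         # "accept" or "drop"
    src_list: Optional[str] = None      # address list; "!" prefix negates
    established: Optional[bool] = None  # connection-state matcher

def in_list(lists: Dict[str, Set[str]], name: str, ip: str) -> bool:
    negate = name.startswith("!")
    return (ip in lists.get(name.lstrip("!"), set())) != negate

def matches(rule: Rule, pkt: Packet, lists, stateful: bool) -> bool:
    if rule.src_list and not in_list(lists, rule.src_list, pkt.src):
        return False
    if rule.established is not None:
        # raw prerouting runs before connection tracking, so a state matcher
        # there can never match; in filter it compares against conntrack
        return stateful and pkt.established == rule.established
    return True

def verdict(raw: List[Rule], filt: List[Rule], pkt: Packet, lists) -> str:
    for rule in raw:                  # /ip firewall raw, chain=prerouting
        if matches(rule, pkt, lists, stateful=False):
            if rule.action == "drop":
                return "raw:drop"     # dropped before conntrack ever sees it
            break                     # raw accept: go on to conntrack and filter
    for rule in filt:                 # /ip firewall filter, chain=input
        if matches(rule, pkt, lists, stateful=True):
            return "filter:" + rule.action
    return "filter:drop"              # nothing matched: treat as end-of-chain drop

# Constructed sample; "udp4500_ban" stands in for the poster's unnamed ban list.
BAN_ALL = [Rule("drop", src_list="udp4500_ban")]
BAN_EXEMPT_PEERS = [Rule("accept", src_list="L2TP_Allowed")] + BAN_ALL
FILTER_INPUT = [Rule("accept", established=True)]   # defconf established accept

def session_fate(raw: List[Rule]) -> Tuple[str, str]:
    """Verdict for an established peer's packet before and after its IP is banned."""
    lists = {"L2TP_Allowed": {"203.0.113.7"}, "udp4500_ban": set()}
    pkt = Packet("203.0.113.7", established=True)
    before = verdict(raw, FILTER_INPUT, pkt, lists)
    lists["udp4500_ban"].add(pkt.src)   # the ban list picks up the connected client
    return before, verdict(raw, FILTER_INPUT, pkt, lists)
```

With the bare ban rule the session flips from accepted to dropped the moment the peer lands on the list; with the known-peer accept placed before it in raw, the session survives.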