L2TP IPSec VPN = not working.

IPSec_log_.txt
I can't connect to my VPN (L2TP/IPSec) from my iPhone.

The connection fails after this:
Jun/04/2015 21:49:54 ipsec,error phase1 negotiation failed due to time up “My ext. static IP(WAN)”[500]<=>“Random dynamic IP, any devices can try connect”[1197] 86dd3e3d2affc4f8:67c23982425b761b
It is as if IPSec authentication fails before it can go on to set up the L2TP tunnel.
The time on the router and on the iPhone is the same. In the IPSec peer statistics (Connected) I can see that there is a connection to my external address from another address (cellular 3G). The L2TP and IPSec passwords were set just for testing. In the firewall rules, packets are counted only on the rule for UDP port 500. The rules for UDP 1701 and 4500 and for ipsec-esp show 0 packets.
IPSec log in attachments.


I tried disabling and enabling the "tunnel", clearing aes256 and setting it again, and turning NAT-T on and off. Nothing helps. Where should I dig? And I don't understand the logs; it seems nothing is visible there.

Just a couple of questions, given the following conditions: anyone (with an unknown IP) must be given access to the LAN itself.
WAN - XXXX - public static IP address; Bridge-local - local net 192.168.1.0/24; DHCP - 192.168.1.2-254.

Local Address - What is it? Is this the local address of the router? Do I need to enter it? What should I enter?
Remote Address - What is it? The address that the device connecting to the VPN should get? Do I need to enter it? What should I enter? Is it possible to specify the DHCP pool if there are a lot of devices, or can you specify a static IP from the 192.168.1.0/24 subnet?

Local Address - What is it? Do I need to enter it? And what to enter?
Remote Address - What is it? Do I need to enter it? And what to enter?

Address - the IP address of the device that you want to give access to and put in a tunnel? I.e. 0.0.0.0/0 when any unknown device may try to connect?
Local Address - What is it? Do I need to enter it? And what to enter?

Src. Address - What is it? Do I need to enter it? And what to enter? ::/0 - leave the default?
Dst. Address - What is it? Do I need to enter it? And what to enter? ::/0 - leave the default?

SA Src. Address - What is it? Do I need to enter it? And what to enter? 0.0.0.0 - leave the default?
SA Dst. Address - What is it? Do I need to enter it? And what to enter? 0.0.0.0 - leave the default?

I have read a bunch of articles, wikis and guides for configuring L2TP/IPSec, all the same. Apparently there is some small "tuning" somewhere that they simply forget to mention in the description of the setup. And because of that, nothing works for me :frowning:

PS: I use this and this guide.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT
Also all properties are described in reference tables.

Thx. But I have seen and read http://wiki.mikrotik.com/wiki/Manual:IP/IPsec and it didn't solve my problem.
I really need a good answer from an experienced and knowledgeable man.

I also tried the L2TP config for iOS but could never get it to work. PPTP works fine though.


Sent from my iPhone using Tapatalk

Is there at least one expert or professional who can explain everything clearly and help solve the problem? I'm ready to pay a gratuity.
Three days of changing the configuration and testing, and still failing.

I have the same issue as the original poster:

ipsec,error phase1 negotiation failed due to time up

and the same random IP after my external IP. Is this due to a filter issue maybe?

I searched for my problem and I fixed it. The error was in the firewall rules: I had added three filters, for UDP 4500, UDP 500 and UDP 1701. But you need to add one filter with all the ports together in one rule. And the VPN is working :wink:

Hello,

If I understood you right, you say that you have fixed the problem by combining the spec for all three ports in one rule?
It does not make sense to me. Has anyone else solved this problem in this way?

I also have 3 separate rules - something I consider good practice because traffic is counted separately. It works after a router restart, then the IPSec tunnel dies after some time, then again it works after a reboot.

If rules were wrong, those would be wrong all the time, wouldn’t they?

/ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic

;;; L2TP
chain=input action=accept protocol=udp src-port=500,1701,4500 log=no log-prefix=""

This works just as well as 3 separate rules, one for each port.

https://www.nasa-security.net/mikrotik/mikrotik-l2tp-with-ipsec/
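For readers who land on this thread with the same "phase1 negotiation failed due to time up" error, here is an added example of the input-chain rules an L2TP/IPsec server on RouterOS needs, together with the checks that tell you which rule is actually seeing the client's packets. This is not configuration from the thread or from the MikroTik wiki; the interface name ether1-wan is an assumption, so replace it with your own WAN interface. It matches on dst-port rather than src-port, because the client's source port is not fixed (in particular behind NAT, as with a phone on 3G), and it accepts L2TP on UDP 1701 only when the packet arrived inside an IPsec SA, so unencrypted L2TP from the internet is never accepted.

```routeros
# Added example, not from the thread. Interface name "ether1-wan" is an assumption.
/ip firewall filter
# Return traffic of already established connections is accepted first.
add chain=input connection-state=established,related action=accept comment="accept established/related"
# IKE (UDP 500) and NAT-T (UDP 4500). Match on dst-port: the client's source port
# is not fixed, especially when the client is behind NAT (3G/LTE phone).
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
# ESP for clients that are not behind NAT (behind NAT, ESP rides inside UDP 4500).
add chain=input in-interface=ether1-wan protocol=ipsec-esp action=accept comment="IPsec ESP"
# L2TP (UDP 1701) only if it was decapsulated from an IPsec SA; plain L2TP from WAN is dropped.
add chain=input in-interface=ether1-wan protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
# Everything else arriving from WAN is dropped. This rule must stay below the accepts above.
add chain=input in-interface=ether1-wan action=drop comment="drop other WAN input"

# Checks to run right after a failed connection attempt from the phone:
# per-rule packet/byte counters (the symptom in this thread: only the UDP 500 rule counts,
# while the 4500 and ipsec-esp rules stay at 0)
/ip firewall filter print stats
# IPsec negotiation messages, including the "phase1 negotiation failed due to time up" line
/log print where topics~"ipsec"
# peers currently negotiating or connected, and the SAs that were actually installed
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

The ordering matters as much as the rule contents: a drop rule (or a default input drop) placed above the accepts produces exactly the picture the original poster described, where the first IKE packet on UDP 500 is counted but nothing ever follows on 4500 or ESP, and the phase 1 timer expires. Reading the counters after each attempt shows which of the three flows (IKE, NAT-T/ESP, L2TP) is the first one the router never accepts.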