L2TP/IPSec VPN with MacOSX and iOS

Hi,

I’m following your http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup tutorial, however I’m getting stuck on an error. I followed the steps exactly as shown in that example. Any clues???

I started receiving:

16:25:29 ipsec,error failed to pre-process ph2 packet.

So, I enabled debug and I’m getting this prior to that error:

16:33:07 ipsec,debug,packet 80050001 03000018 05030000 80010001 80020e10 80040002 80050002 00000018 
16:33:07 ipsec,debug,packet 06030000 80010001 80020e10 80040002 80050001 
16:33:07 ipsec,debug,packet begin. 
16:33:07 ipsec,debug,packet seen nptype=2(prop) 
16:33:07 ipsec,debug,packet succeed. 
16:33:07 ipsec,debug,packet proposal #1 len=172 
16:33:07 ipsec,debug,packet begin. 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet seen nptype=3(trns) 
16:33:07 ipsec,debug,packet succeed. 
16:33:07 ipsec,debug,packet transform #1 len=28 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=256 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
16:33:07 ipsec,debug,packet transform #2 len=28 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=256 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
16:33:07 ipsec,debug,packet transform #3 len=28 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
16:33:07 ipsec,debug,packet transform #4 len=28 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
16:33:07 ipsec,debug,packet transform #5 len=24 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
16:33:07 ipsec,debug,packet transform #6 len=24 
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds 
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600 
16:33:07 ipsec,debug,packet life duration was in TLV. 
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport 
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 
16:33:07 ipsec,debug,packet pair 1: 
16:33:07 ipsec,debug,packet  0x479ee8: next=(nil) tnext=0x47a670 
16:33:07 ipsec,debug,packet   0x47a670: next=(nil) tnext=0x47a688 
16:33:07 ipsec,debug,packet    0x47a688: next=(nil) tnext=0x47c268 
16:33:07 ipsec,debug,packet     0x47c268: next=(nil) tnext=0x47c280 
16:33:07 ipsec,debug,packet      0x47c280: next=(nil) tnext=0x47c298 
16:33:07 ipsec,debug,packet       0x47c298: next=(nil) tnext=(nil) 
16:33:07 ipsec,debug,packet proposal #1: 6 transform 
16:33:07 ipsec,debug no policy template matching! 
16:33:07 ipsec,error failed to pre-process ph2 packet.



[admin@trunetroutersp01] > /interface l2tp-server server print 
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: pap,chap,mschap1,mschap2
  keepalive-timeout: 30
    default-profile: default-vpn
          use-ipsec: yes
       ipsec-secret: ***MASKED***



[admin@trunetroutersp01] > /ip ipsec peer print 
Flags: X - disabled, D - dynamic 
 0  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key secret="***MASKED***" generate-policy=port-strict policy-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
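As an added aid for reading output like the debug log above (this is not code from the forum post or from MikroTik), the script below parses the `ipsec,debug,packet` lines into the phase 2 transforms the client offered, collects the `ipsec,debug`/`ipsec,error` summary lines, and checks each transform against an acceptable-attribute set. That set (`ACCEPTABLE`) is an assumption chosen for illustration, not the router's real `default` proposal, which the thread never prints; the sample log is a constructed, trimmed copy of the shape above with one transform deliberately set to Tunnel mode so the check has something to reject. The router's "no policy template matching" decision also depends on the policy template's addresses, protocol and ports, which this script does not model.

```python
"""Summarise the quick-mode (phase 2) proposal a client sent, as printed by
RouterOS under the ipsec,debug,packet topic, and flag transforms whose
attributes fall outside an assumed acceptable set."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log: same line shape as the thread's debug output,
# trimmed to three transforms; transform #5 uses Tunnel mode on purpose.
SAMPLE_LOG = """\
16:33:07 ipsec,debug,packet proposal #1 len=172
16:33:07 ipsec,debug,packet transform #1 len=28
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=256
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
16:33:07 ipsec,debug,packet transform #2 len=28
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Transport
16:33:07 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=256
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
16:33:07 ipsec,debug,packet transform #5 len=24
16:33:07 ipsec,debug,packet type=SA Life Type, flag=0x8000, lorv=seconds
16:33:07 ipsec,debug,packet type=SA Life Duration, flag=0x8000, lorv=3600
16:33:07 ipsec,debug,packet type=Encryption Mode, flag=0x8000, lorv=Tunnel
16:33:07 ipsec,debug,packet type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1
16:33:07 ipsec,debug no policy template matching!
16:33:07 ipsec,error failed to pre-process ph2 packet.
"""

TRANSFORM_RE = re.compile(r"ipsec,debug,packet transform #(\d+) len=(\d+)")
ATTR_RE = re.compile(r"ipsec,debug,packet type=([^,]+), flag=0x([0-9a-fA-F]+), lorv=(\S+)")
# Summary lines carry only the "debug" or "error" topic, not "debug,packet".
SUMMARY_RE = re.compile(r"ipsec,(?:debug|error) (.+?)\s*$")

# Assumed acceptable attributes (illustration only, not the router's config).
# None under Key Length admits ciphers that carry no key-length attribute,
# such as 3DES in transforms #5/#6 of the thread's log.
ACCEPTABLE: Dict[str, set] = {
    "Encryption Mode": {"Transport"},           # L2TP/IPsec uses transport mode
    "Authentication Algorithm": {"hmac-sha1"},
    "Key Length": {"128", "256", None},
}


@dataclass
class Transform:
    number: int
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_transforms(log: str) -> List[Transform]:
    """Group the type=..., lorv=... attribute lines under their transform."""
    transforms: List[Transform] = []
    current: Optional[Transform] = None
    for line in log.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = Transform(int(m.group(1)))
            transforms.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(3)
    return transforms


def check_transform(t: Transform, acceptable=ACCEPTABLE) -> List[str]:
    """Describe every attribute of t outside the acceptable set (empty = fits)."""
    problems = []
    for attr, allowed in acceptable.items():
        value = t.attrs.get(attr)
        if value not in allowed:
            shown = sorted(v for v in allowed if v is not None)
            problems.append(f"{attr}={value!r} not in {shown}")
    return problems


def diagnose(log: str, acceptable=ACCEPTABLE) -> dict:
    """Per-transform verdicts plus the router's own summary/error lines."""
    transforms = parse_transforms(log)
    report = {t.number: check_transform(t, acceptable) for t in transforms}
    summaries = [m.group(1) for m in map(SUMMARY_RE.search, log.splitlines()) if m]
    return {
        "transforms": report,
        "acceptable": [n for n, problems in report.items() if not problems],
        "errors": summaries,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for number, problems in result["transforms"].items():
        print(f"transform #{number}: {'ok' if not problems else '; '.join(problems)}")
    print("router said:", " | ".join(result["errors"]))
```

Paste a real log into `SAMPLE_LOG` (or read it from a file) and set `ACCEPTABLE` to what the router's proposal actually allows; a client whose every transform comes back with problems is offering nothing the router will take, whereas an empty problem list on some transform points the investigation at the policy template rather than the proposal.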

bump

bump

Here I’ve got it working with OS X, iPhone and Android, using the following settings:

[admin@****] > /ppp profile print
Flags: * - default 


 1   name="L2TP VPN" bridge=bridge-local use-mpls=default 
     use-compression=default use-vj-compression=default 
     use-encryption=default only-one=default change-tcp-mss=yes 
     address-list="" dns-server=8.8.8.8,8.8.4.4



[admin@****] > /ppp secret print        
Flags: X - disabled 
 #   NAME        SERVICE CALLER-ID     PASSWORD     PROFILE     REMOTE-ADDRESS 
 0   Test ... l2tp                  Password  L2TP VPN    192.168.88.40



[admin@*****] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all 
       proposal=default template=yes



[admin@****] > /ip ipsec peer  print  
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 
      auth-method=pre-shared-key secret="*******" 
      generate-policy=port-override exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m 
      dpd-maximum-failures=5



[admin@****] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 


 5    ;;; VPN
      chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=500 log=no log-prefix="" 

 6    chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=1701 log=no log-prefix="" 

 7    chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=4500 log=no log-prefix="" 

 8    chain=input action=accept protocol=ipsec-esp in-interface=Gateway-ETH10 
      log=no log-prefix=""

Hope this helps!

Are you using ROS 6.20?

ROS 6.19

Worked perfectly, thank you very much.

However, I think ROS has a bug in the l2tp server use-ipsec=yes auto-generation of the ipsec policy. It doesn’t work with any of the devices I have.

No problem!

Hi,

Have you tested on ROS 6.22?
MikroTik LAN IP is 172.16.48.254.
I have the following:

MKTK> ppp profile print
Flags: * - default
 1   name="VPN" local-address=172.16.48.254 remote-address=VPN use-mpls=default 
     use-compression=default use-vj-compression=default use-encryption=default 
     only-one=no change-tcp-mss=default address-list="" dns-server=172.16.48.14

Where VPN is an IP pool:

MKTK> ip pool print 
 # NAME                                           RANGES                         
 0 VPN                                            172.16.53.200-172.16.53.222

And ppp secret:

MKTK> ppp secret print
Flags: X - disabled 
 #   NAME       SERVICE CALLER-ID      PASSWORD      PROFILE      REMOTE-ADDRESS 
 0   user           l2tp                                password          VPN

Policy config:

MKTK> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes

Peer config:

MKTK> ip ipsec peer print
Flags: X - disabled, D - dynamic
 1    address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 
      auth-method=pre-shared-key secret="Secret" 
      generate-policy=port-override policy-template-group=default 
      exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes 
      hash-algorithm=sha1 enc-algorithm=3des,aes-256 dh-group=modp1024 
      lifetime=1h dpd-interval=2m dpd-maximum-failures=5

The only difference I see is the bridge, but I’m not sure what could be wrong. The firewall has all the rules you posted. If you can help me I’d be really grateful!

Thanks! A 2-year-old post, but I got my iPhone 7 working on VPN now :smiley:

I have got a problem with MikroTik IPsec for Apple iOS.
The log:
Failed to get valid proposal
Failed to pre process ph1 packet(side :1,status : 1)
phase1 negotioation failed

What shall I do?