I am trying to get a VPN working between a Mikrotik RB1100AHx4 and mobile devices outside, through the Internet.
I can connect with Windows Phone and Android 7, but I couldn't with Android 6; I don't know why, my knowledge about VPN and IPsec is poor.
I am getting the following error when I try to connect an Android 6 device:
09:44:05 ipsec,info respond new phase 1 (Identity Protection): 190.111.232.39[500]<=>186.22.160.185[1011]
09:44:05 ipsec,info ISAKMP-SA established 190.111.232.39[4500]-186.22.160.185[10554] spi:b1c0bff4414d0093:1f73d26c1490fa3b
09:44:07 l2tp,info first L2TP UDP packet received from 186.22.160.185
09:44:26 l2tp,ppp,info L2TP-Server: terminating… - peer is not responding
09:44:26 l2tp,ppp,info,account Mobile logged out, 1689 11925 99495 116 153
09:44:26 l2tp,ppp,info L2TP-Server: disconnected
I have the following settings:
/interface l2tp-server
add name=L2TP-Server user=Mobile
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes
ipsec-secret=654321 max-mru=1460 max-mtu=1460 use-ipsec=required
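As an added sanity check for an L2TP/IPsec setup like the one above (this is not from the original post and is not a diagnosis of the failure in the log): with use-ipsec=required the router has to accept IKE on UDP 500, NAT-T on UDP 4500, ESP, and the L2TP channel on UDP 1701, and the L2TP packets must arrive inside the IPsec policy, otherwise phase 1 completes but L2TP never gets an answer. The WAN interface name ether1 is an assumption; adapt it.

```routeros
# Added example, not part of the original post. Assumes the WAN interface is ether1.
# These rules must sit above any generic "drop" rule in chain=input.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
# L2TP control/data is only accepted after IPsec decapsulation (matches the dynamic policy)
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"

# Quick checks while a client is trying to connect:
/ip ipsec remote-peers print        ; phase 1 (ISAKMP-SA) with the client? (active-peers on newer RouterOS)
/ip ipsec installed-sa print        ; ESP SAs installed for that peer?
/ppp active print                   ; did the L2TP/PPP session actually come up?
/log print where message~"L2TP"     ; the "peer is not responding" lines seen above
```

If the ISAKMP-SA and the ESP SAs exist but /ppp active stays empty, the problem is on the L2TP/PPP side (firewall, MTU, authentication), not in IPsec.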
I just tried with iOS and connected successfully; it seems the problem is only with Android 6 or older.
Another question:
I have created an L2TP server interface. When I connect the first client to the VPN, this interface appears as running, but when I connect a second client a new dynamic interface appears. Why?
Sorry, new update:
On iOS I can connect to the VPN, but a few minutes later it disconnects by itself.
I tried to connect from a notebook with Windows 10 and I could connect, but when I tried again it remained in "Connecting"; nothing changed on the RB.
The log again shows "peer is not responding".
I'm not sure what the problem with Android 6 is, because my 6.0.1 (Sony Xperia Z2) works just fine. Have you touched the default settings of the default proposal on the Mikrotik side?
If all the clients you try to connect are seen as coming from behind the same public address and you don't keep an approx. five-minute guard time between attempts, expect problems, as the disconnection may not be clean and some remainders of the previous connection may exist until they time out.
Regarding the server interface: for each client connection, an individual interface is dynamically created at the server side, or the statically defined interface associated with the name of the connected user is used. If you use the same username for all connections and "one connection per user" is not set to yes, I can imagine that a dynamic interface is created even though a static one is defined, rather than rejecting the connection.
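The interface-per-user behaviour described above, spelled out as an added configuration example (not the poster's setup): one /ppp secret per device, the "one connection per user" switch (only-one=yes in the PPP profile), and a static L2TP server interface bound to one of the user names. The pool 10.10.10.0/24, the user names alice and bob, and the placeholder passwords are assumptions; the profile name L2TP is the one from the original configuration.

```routeros
# Added example, not from the original thread. Assumed: pool 10.10.10.0/24,
# users alice and bob, placeholder passwords. Profile "L2TP" as in the OP's config.
/ip pool add name=vpn-pool ranges=10.10.10.2-10.10.10.20
/ppp profile set L2TP local-address=10.10.10.1 remote-address=vpn-pool only-one=yes
# one secret per device: "one connection per user" then rejects a second login with the same name
/ppp secret add name=alice password=CHANGE-ME-alice service=l2tp profile=L2TP
/ppp secret add name=bob   password=CHANGE-ME-bob   service=l2tp profile=L2TP
# static interface tied to a user name: it shows "running" while alice is connected,
# and firewall rules can reference it by name; bob gets a dynamic <l2tp-bob> interface
/interface l2tp-server add name=l2tp-alice user=alice
/ip firewall filter add chain=forward in-interface=l2tp-alice action=accept comment="alice may reach the LAN"
```

With only-one=yes, sharing a single secret between ten phones gives you one session at a time; with only-one=no and one shared secret you get ten dynamic interfaces whose names you cannot predict, which is why static interfaces only pay off when each device has its own secret.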
I think I touched the default settings of the default proposal on the Mikrotik side, following a guide to make it work. I will look for the original values and will try to copy them to the Mikrotik with the VPN.
All my tests were from the same public IP; maybe this is the problem. I will try to disconnect all devices, wait 5 minutes and connect another device to test, but it is weird that it is always the same device that stays connected and the same device that keeps disconnecting.
About the server interface, I did not know that behavior, but some people recommend adding a static interface to make it easier to write firewall rules. Now, if I need to have 10 users and I give all of them the same user and set "one connection per user", I think only 1 user could be connected at the same time; if not, I will have 10 different interfaces. This doesn't make sense to me, but no problem for now; I need to make it work and so far I don't need to create a firewall rule.
I will let you know the results
Interesting, in which language is Damián written this way? I only know one.
“one connection per user” means exactly that, one connection per /ppp secret item. So if two devices attempt to connect using the same credentials, the second attempt is rejected.
To link static interface names to user names only makes sense when you need specific firewall rules to be used for the clients.
If you intend to have several devices connected from behind the same public address at least once in a blue moon, you’ll have to bite your way through this article.
Damián is written in Spanish, my main language; my English is not so good.
About the static interface, never mind, that question was just to know.
About the many devices behind a NAT with the same public IP, don't worry, I am using the same connection for testing purposes only.
I disconnected all devices, waited more than 5 minutes, set the default values for the default proposal, waited again more than 5 minutes and tried to connect again with my Android 6 device. It did not work. Any idea?
Sorry, I want to check whether the settings on my Android device are OK:
Name: Just a name
Type: L2TP/IPSec PSK
Server address: Just the public IP of the routerboard with the VPN Server
L2TP Secret: 123456 (The password for the unique username I configured in “Secrets”)
IPSec Identifier: (Not used)
IPSec pre shared key: 654321 (IPSec password)
When I try to connect with these settings, it stays 3 seconds in "Connecting" and later "With error" appears, without more details.
As there is no specific field for the username, I’m afraid you have to put the “user” from Mikrotik’s “secret” to the “Name” field of the Android configuration.
Wrong. Leave the “L2TP Secret:” empty, and when you attempt to connect, it should ask you for both username and password which will be matched to those from the “secret”.
Yes, when I try to connect it asks me for username and password; however, I don't think the error is about the username or password, because of the Mikrotik log.
Another question, so far more important for me:
How can I force the clients to use the VPN as their default gateway?
Wrong question. The right question is how to make the clients not use the VPN to connect everywhere. At least on Android and Windows, as soon as the tunnel establishes, it becomes the default gateway and there is no way to change that.
There actually would be if Mikrotik would support DHCP option 121 and DHCPINFORM message in combination with L2TP, but it doesn’t, and it would only work for Windows. Android does not send the DHCPINFORM.
Sorry about the delay,
My boss asked me to take another issue. I am back now.
So, I just realized that my gateway is the VPN server router, although I don't know why; in my network adapter I have the same gateway as before and the VPN adapter has no default gateway. Anyway, so far I don't care about that.
What I am trying to figure out is why the following happens:
I added a static DNS name that matches a specific private IP in the office where the VPN server is. Suppose the static name is "Alpha".
I ping Alpha from my router and it resolves the IP correctly, and the ping is answered without a problem.
I try to ping Alpha from my computer (in another office), connected with the VPN, and it does not resolve the IP.
What is more, if I do an nslookup in Windows and use the VPN server as DNS, I cannot resolve the Alpha IP either.
Is there a way to resolve a name on the other side of the VPN? I need to make it work.
To resolve a static name added to a local DNS server, you have to ask that local server. I didn't try whether there is a way to force the IP address of a DNS server onto L2TP clients from the L2TP server, but as the default route is forced, it might be possible to redirect any DNS request coming from the client by an /ip firewall nat rule on the server (action=dst-nat chain=dstnat protocol=udp dst-port=53 to-addresses=the.ip.of.local.dns.server).
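The redirect suggested above, written out as an added example (not the poster's configuration), together with the input rule the router needs to actually answer the redirected queries, and, as an alternative the reply leaves untested, the dns-server option of the PPP profile, which RouterOS hands to L2TP clients during IPCP negotiation. The VPN pool 10.10.10.0/24, the router's tunnel-side address 10.10.10.1, the LAN address 192.168.1.1 of the router (which is the DNS server in this thread) and the address 192.168.1.50 for "Alpha" are all assumptions.

```routeros
# Added example, not from the original thread. Assumed addresses: VPN pool 10.10.10.0/24,
# router tunnel address 10.10.10.1, router LAN address 192.168.1.1 (the DNS server),
# host "Alpha" at 192.168.1.50. Profile "L2TP" as in the OP's config.

# the router must be willing to serve DNS to others and know the name
/ip dns set allow-remote-requests=yes
/ip dns static add name=Alpha address=192.168.1.50

# 1) force: catch every DNS query from VPN clients, whatever server they were going to ask
/ip firewall nat add chain=dstnat src-address=10.10.10.0/24 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.168.1.1 comment="VPN clients -> local DNS"
# the redirected query now terminates on the router, so chain=input must accept it
/ip firewall filter add chain=input src-address=10.10.10.0/24 protocol=udp dst-port=53 \
    action=accept comment="DNS from VPN clients"

# 2) alternative, less intrusive: push the DNS server to the client via PPP (IPCP);
#    Windows, Android and iOS L2TP clients honour this for the tunnel adapter
/ppp profile set L2TP dns-server=10.10.10.1
```

Keep the dst-nat rule restricted to src-address of the VPN pool, otherwise you silently rewrite DNS for everything that crosses the router. A single-label name such as "Alpha" may still fail from a Windows client because the resolver appends the client's own DNS suffix before asking; a trailing dot ("Alpha.") makes it a fully qualified query.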
Very good!!!
The DNS server is the Mikrotik router itself (with the L2TP server). I added a rule to allow input traffic on UDP port 53 with the VPN network as src-address, thanks.
I just saw that I can ping it using for example "Alpha." (with a dot at the end) instead of "Alpha", so there is no problem.
I also checked the connection with an iPhone again, and now it stays connected (about 25 minutes connected without a disconnection); before, it always disconnected after about 5 minutes because there were many devices connected from the same public IP (just for testing).
I still need to get a piece of software working through the VPN, but so far everything I need is working fine.
You helped a lot, you are a goddess, thanks a lot!!!