Hello everybody
You will think that this topic is repeated, but I checked every related topic to solve my problem and found no solution.
I have a MikroTik with OS version 6.28 that has a real IP configured on the gateway interface. I configured the IPsec peer as below, following this link: http://forum.mikrotik.com/t/solved-l2tp-ipsec-with-android/61619/1
address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="VPNpass" generate-policy=port-override
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d dpd-interval=15s
dpd-maximum-failures=3
And here is the proposal configuration:
name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
It works well from my Android device; I still need to test it from an iOS device.
Here is the log:
08:58:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:58:26 l2tp,info first L2TP UDP packet received from x.x.x.x
08:58:26 l2tp,ppp,info,account l2tp logged in, 10.50.50.4
08:58:26 l2tp,ppp,info : authenticated
08:58:26 l2tp,ppp,info : connected
The IPsec SA is working in both directions.

I made the same configuration on another router that has a virtual IP published using FortiGate. It is accepting PPTP tunnels with no problems.
It just gives the following log:
08:59:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:59:26 l2tp,info first L2TP UDP packet received from x.x.x.x
08:59:47 l2tp,info first L2TP UDP packet received from x.x.x.x
09:00:09 l2tp,info first L2TP UDP packet received from x.x.x.x
And on my Android device it gives "unsuccessful".
I tried to disable all firewall rules and keep only these:
0 chain=input action=log protocol=udp
in-interface=ether1-ToFortiGate src-port=500,1701,4500 log=yes
log-prefix=""
1 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
2 chain=input action=accept protocol=udp port=4500 log=no log-prefix=""
3 chain=input action=accept protocol=udp port=500 log=no log-prefix=""
4 chain=input action=accept protocol=udp port=1701 log=no log-prefix=""
The IPsec SA is working in one direction only, from my real IP connecting to the MikroTik (172.16.16.1 is the virtual IP published on the FortiGate that is working with no problems with PPTP connections).

Please help with a detailed solution, because I didn’t leave any topic without reading it and trying to understand what is happening.
Thanks