Hello,
I am trying to create an L2TP VPN for an iPhone to connect back, and I am getting this error:

Here is how the proposals are setup:

Anyone know how to fix this?
Yes, that’s how mine’s configured.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Apple_iOS_.28iPhone.2FiPad.29_Client
But enable ipsec debug logs to see the exact proposal sent by the client.
Ok. I have set this profile exactly as described:
But, the log is now showing this:
Check and aes-128-cbc
Same, still error.
This setup works for me: http://forum.mikrotik.com/t/l2tp-ipsec-so-i-can-use-with-apple-sierra-and-ios/106921/5
Show us /ip ipsec policy print and tell us which ROS version you are using.
[admin@FMT-ROUTER] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
Any update on this? Here is what I have for proposal. Nothing seems to work.
Hello,
Just checking for any update on this. Thanks
You might try setting PFS Group=modp1024. That fixed mine when I had an error the other day.
Sorry, same issue.
A blind shot - is the public IP address to which you point your iPhone directly at the Mikrotik or is it up at some equipment between the Mikrotik and the internet and UDP ports 500 and 4500 are forwarded to the Mikrotik from there?
Second, maybe more important, your quotation from the log says:
encmode mismatched: my:Tunnel peer:Transport
.
I assume that you want the iPhone to access the whole LAN of your Mikrotik so Tunnel mode must be used; therefore, you have to use the same setting at the iPhone side. At Mikrotik side, the choice between tunnel and transport mode is an attribute of the policy, but I don’t know where Apple has hidden that checkbox/drop-down menu.
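As an added example (not part of this thread, and not RouterOS or Apple code), here is a small parser for the racoon-style "<attr> mismatched: my:<X> peer:<Y>" lines that the ipsec debug log produces, of which the post above quotes one. Only the encmode line is taken from the thread; the other sample lines are constructed in the same shape and are assumptions about the format, not output captured from a device. The point it shows is that with L2TP over IPsec the IPsec SA is transport mode, so "my:Tunnel peer:Transport" is a finding against the responder's policy, not against the phone.

```python
import re
from collections import OrderedDict

# Constructed sample log. The "encmode mismatched" line is the one quoted in the
# thread; the remaining lines are assumptions modelled on that racoon-style
# message format and are NOT captured RouterOS output.
SAMPLE_LOG = """\
12:21:01 ipsec,debug encmode mismatched: my:Tunnel peer:Transport
12:21:01 ipsec,debug hashtype mismatched: my:SHA1 peer:MD5
12:21:01 ipsec,debug enctype mismatched: my:AES-CBC peer:3DES-CBC
12:21:04 ipsec,debug encmode mismatched: my:Tunnel peer:Transport
12:21:04 ipsec,info ISAKMP-SA established pub.lic.ip.1[500]-pub.lic.ip.2[500]
"""

# Attribute names follow racoon's proposal-comparison messages (assumed).
MISMATCH_RE = re.compile(
    r"(?P<attr>encmode|enctype|hashtype|authtype|dh group) mismatched: "
    r"my:(?P<mine>\S+) peer:(?P<peer>\S+)"
)


def parse_mismatches(log_text):
    """Return one (attr, mine, peer) tuple per mismatch line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append((m["attr"], m["mine"], m["peer"]))
    return found


def summarize(log_text):
    """Collapse repeated lines: attr -> {"mine", "peer", "count"}."""
    summary = OrderedDict()
    for attr, mine, peer in parse_mismatches(log_text):
        entry = summary.setdefault(attr, {"mine": mine, "peer": peer, "count": 0})
        entry["count"] += 1
    return summary


def advise(attr, mine, peer):
    """Say which side a mismatch points at for an L2TP/IPsec road-warrior peer.

    L2TP supplies the tunnel, so the IPsec SA itself must be transport mode;
    a responder showing my:Tunnel against a client proposing Transport has a
    policy problem on the router side. Algorithm mismatches just mean the two
    proposal sets share no value for that attribute; either side can be
    changed, but prefer adding a modern algorithm over re-enabling a legacy one.
    """
    if attr == "encmode":
        if mine == "Tunnel" and peer == "Transport":
            return ("responder policy is tunnel mode; L2TP/IPsec needs a "
                    "transport-mode policy on the router")
        return f"policy mode differs (router {mine}, client {peer}); align the router policy"
    return (f"no common {attr}: router offers {mine}, client proposed {peer}; "
            f"adjust one side, preferring a modern algorithm the client supports")


def report(log_text):
    """Human-readable summary, one line per distinct mismatch."""
    return [f"{attr} x{e['count']}: {advise(attr, e['mine'], e['peer'])}"
            for attr, e in summarize(log_text).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it the output of the ipsec debug topic (after enabling it with /system logging) and the first line of the report is normally the one to act on; the repeated encmode lines collapse into a single count so a retry loop on the phone does not bury the real cause.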
Mikrotik is directly on the internet.
I am actually wanting the iPhone to access the LAN and tunnel all internet traffic, but I will be fine with either.
Sorry, it was too late yesterday and I hadn’t realized that you actually use L2TP over IPsec, not just IPsec. In this case, the transport mode is used at IPsec level and the tunnelling functionality is provided by L2TP, so there is most likely something wrong in your Mikrotik configuration.
Please paste here the output of /export hide-sensitive after systematically replacing each public IP address you do not want to publish by a distinctive pattern such as pub.lic.ip.1, pub.lic.ip.2.
Here you go:
[admin@FMT-ROUTER] > /export hide-sensitive
# mar/19/2018 12:21:20 by RouterOS 6.42rc35
# software id = S6JE-ES6Y
#
# model = RouterBOARD 3011UiAS
/interface bridge
add admin-mac=CC:2D:E0:40:25:0F arp=proxy-arp auto-mac=no comment=defconf name=\
LAN
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=INTERNET
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether6 ] name=ether6-master
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h30m
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN name=defconf
/ppp profile
add local-address=10.255.255.1 name=Openvpn remote-address=pool-ovpn
set *FFFFFFFE local-address=192.168.2.1 remote-address=dhcp use-compression=yes
/routing ospf area
add area-id=0.0.0.255 name=area255
/interface bridge port
add bridge=LAN comment=defconf interface=ether2-master
add bridge=LAN comment=defconf interface=ether6-master
add bridge=LAN comment=defconf hw=no interface=sfp1
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=LAN list=discover
add interface=LAN list=mactel
add interface=LAN list=mac-winbox
add interface=INTERNET list=WAN
/interface ovpn-server server
set certificate=myCa cipher=aes256 default-profile=Openvpn enabled=yes netmask=\
32 port=8080
/interface pptp-server server
set authentication=chap,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2-master network=\
192.168.2.0
add address=x.x.x.x/25 interface=INTERNET network=x.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=INTERNET
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.2.1 name=router
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8080 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
INTERNET
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=INTERNET
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
INTERNET
add action=accept chain=dstnat dst-port=8291 protocol=tcp
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=\
aes-256,aes-192,aes-128 exchange-mode=main-l2tp generate-policy=\
port-override hash-algorithm=md5 send-initial-contact=no
/ip route
add distance=1 gateway=x.x.x.x
add distance=1 dst-address=192.168.0.0/24 gateway=10.255.255.4
add distance=1 dst-address=192.168.1.0/24 gateway=10.255.255.3
add distance=1 dst-address=192.168.5.0/24 gateway=10.255.255.2
/ip service
set www address=0.0.0.0/0
set winbox address=0.0.0.0/0
/ppp secret
add name=vpn
add name=Openvpn-MLM profile=Openvpn remote-address=10.255.255.2
add name=Openvpn-WYN profile=Openvpn remote-address=10.255.255.3
add name=Openvpn-INS profile=Openvpn remote-address=10.255.255.4
/routing ospf network
add area=area255 network=10.255.255.0/24
add area=area255 network=192.168.5.0/24
/system clock
set time-zone-name=America/Chicago
/system identity
set name=FMT-ROUTER
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.30
/system package update
set channel=release-candidate
/system routerboard settings
set boot-protocol=dhcp silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
[admin@FMT-ROUTER] >
As expected… if you now use /ip ipsec peer print, you should see two peers with address=0.0.0.0/0, one created manually using
/ip ipsec peer add address=0.0.0.0/0 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=\
aes-256,aes-192,aes-128 exchange-mode=main-l2tp generate-policy=\
port-override hash-algorithm=md5 send-initial-contact=no
and the other one created dynamically by checking “use IPsec” in the L2TP configuration. If so, the incoming request from the iPhone is first caught by the manually created one, and the auto-generated policy is then used, which is incompatible with the one used at the iPhone side.
So if /ip ipsec peer print really shows two peers, please disable the manually configured one and try to connect the iPhone again.
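The conflict described in the reply above (a static catch-all peer sitting beside the dynamic peer that use-ipsec=yes creates) is easy to miss by eye in a long export, so here is an added example that lints a RouterOS /export for it. It is not part of the thread and not MikroTik code; the embedded export excerpt is a constructed, trimmed copy modelled on the one posted earlier, with the public addresses already replaced. The export format it parses (menu path lines, "add"/"set" lines, backslash continuations) is the one visible in the posted export; the two legacy-algorithm findings are informational and assume nothing about what the phone proposes.

```python
import re

# Constructed excerpt modelled on the /export posted in this thread (trimmed to
# the three sections the lint needs). Not captured from a device.
SAMPLE_EXPORT = """\
# mar/19/2018 12:21:20 by RouterOS 6.42rc35
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h30m
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes use-ipsec=yes
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=\\
    aes-256,aes-192,aes-128 exchange-mode=main-l2tp generate-policy=\\
    port-override hash-algorithm=md5 send-initial-contact=no
"""

# key=value pairs; quoted values (comments) may contain spaces.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def unwrap(export_text):
    """Join export continuation lines (trailing backslash) into logical lines."""
    lines, cur = [], None
    for raw in export_text.splitlines():
        piece = raw.strip() if cur is not None else raw.rstrip()
        cur = piece if cur is None else cur + piece
        if cur.endswith("\\"):
            cur = cur[:-1]
            continue
        lines.append(cur)
        cur = None
    if cur is not None:
        lines.append(cur)
    return lines


def parse_sections(export_text):
    """Map each menu path (e.g. '/ip ipsec peer') to its list of command lines."""
    sections, current = {}, None
    for line in unwrap(export_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def props(command_line):
    """Return the key=value properties of one add/set line as a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(command_line)}


def lint(export_text):
    """Findings for an L2TP/IPsec road-warrior setup, as plain strings."""
    s = parse_sections(export_text)
    findings = []
    l2tp_ipsec = any(props(l).get("use-ipsec") == "yes"
                     for l in s.get("/interface l2tp-server server", []))
    for line in s.get("/ip ipsec peer", []):
        p = props(line)
        if p.get("address") == "0.0.0.0/0" and l2tp_ipsec:
            findings.append("static catch-all peer address=0.0.0.0/0 shadows the dynamic "
                            "peer that L2TP use-ipsec=yes creates; disable or remove it")
        if p.get("hash-algorithm") == "md5":
            findings.append("peer hash-algorithm=md5 is a legacy choice (informational)")
    for line in s.get("/ip ipsec proposal", []):
        if "3des" in props(line).get("enc-algorithms", "").split(","):
            findings.append("proposal offers 3des, a legacy cipher (informational)")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_EXPORT):
        print("-", f)
```

Run it against a real export with `lint(open("export.rsc").read())`; the shadowing finding disappears as soon as the static peer is gone, which is the state the reply above asks for before retrying the iPhone.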
I think we are really close here, but the same issue. I did indeed find the 2 peers, but I disabled one:
However, the same error as before appears.
These are not the same peers. The first one is IPv4, the second one is IPv6.