Have a situation where a user has upgraded his MacOS laptop to the latest version. Since this unsolicited move, he is unable to browse the private network after he connects via an L2TP/IPsec VPN connection. The connection seems to be set up but he just cannot reach any internal IP address. Router is a CCR1046-12G-4S and VPN setup is straightforward. RouterOS is 6.47.2.
Only a debug can say whether this can be solved at Mikrotik side or not.
So open a command line window, make it as wide as your screen permits, and do the following:

1. add the following to the Mikrotik configuration:
   /system logging
   add topics=ipsec,!packet
   add topics=l2tp
2. run the following command: /log print follow-only file=l2tp-start where topics~"ipsec|l2tp"
3. let the user connect to the L2TP network; one minute after the MAC says the connection is established, break the command above
4. run /ip ipsec policy print detail and copy-paste the output somewhere
5. check that a dynamically created interface named exists (or one with a static name is up if you have configured it like that).
6. if it does, run /tool sniffer quick interface= and let the user try to ping first the address of the Mikrotik which you've set as local-address in that user's /ppp secret row (or the relevant /ppp profile row), and then something in the internal network; once that fails, break this command. It may show no output at all, or some packets. Copy-paste the output somewhere if not empty
7. now the user can disconnect the VPN connection
If the interface doesn't exist, download the file named l2tp-start.txt from the router and start analysing it (or post it here if it doesn't tell you enough, but be aware that obfuscating the visible occurrences of your public IP is not sufficient as the addresses can be found also in the hex dumps of the packets, so you have to remove these completely before posting). The obfuscation of visible IP addresses must be done in a responsible way, see my automatic signature below for a hint.
If the interface exists but no packets are seen to come by the sniffer, or if only pings to the Mikrotik’s own IP address are coming but not to other addresses, it’s most likely a routing issue at the MAC end. Or maybe Apple have started using the DHCPINFORM request to solicit a routing table via DHCP rather than just adding a default route via the tunnel; Mikrotik doesn’t support DHCPINFORM on L2TP.
If you can see the request packets to come but no responses to be sent back, it is likely a configuration issue at Mikrotik side.
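The point made above about hex dumps is easy to get wrong by hand: a public address that is blanked out in dotted form still sits in the packet bytes as four hex octets. The following is an added example (not code from the original post or from Mikrotik) of a small redaction helper for the downloaded l2tp-start.txt: it finds every IPv4 address that is not in a private, loopback or link-local range, replaces each one with a consistent placeholder (PUBLIC_IP_1, PUBLIC_IP_2, ...) so the log stays readable, and also replaces the same address wherever it appears as hex octets, either space-separated or contiguous. The log lines and hex-dump layout in SAMPLE_LOG are constructed for illustration and are an assumption about the format; the consistent-placeholder approach is what "responsible" obfuscation usually means (readers can still correlate lines without learning the real address).

```python
import ipaddress
import re

# Ranges that never need redacting (private, loopback, link-local). Anything
# outside these is treated as potentially public and is replaced. Deliberately
# not using ipaddress.is_private, which would also skip documentation ranges.
KEEP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample in the rough shape of a RouterOS ipsec/l2tp debug log
# (assumed layout, not copied from a real router). The hex dump contains
# 198.51.100.7 (c6 33 64 07) and 192.168.88.1 (c0 a8 58 01).
SAMPLE_LOG = """\
ipsec,debug 198.51.100.7[500] -> 192.168.88.1[500] ISAKMP-SA established
ipsec,debug,packet 10 bytes of payload: c6 33 64 07 c0 a8 58 01 ff ff
l2tp,debug received control message from 198.51.100.7
"""


def is_public(ip_text):
    """True if ip_text is a valid IPv4 address outside KEEP_NETWORKS."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return False
    return not any(ip in net for net in KEEP_NETWORKS)


def hex_patterns(ip_text):
    """Regexes matching the address as four bytes inside a hex dump,
    space-separated ("c6 33 64 07") and contiguous ("c6336407")."""
    octets = [f"{int(o):02x}" for o in ip_text.split(".")]
    spaced = r"\s".join(octets)
    joined = "".join(octets)
    # Lookarounds stop "c6336407" from matching inside a longer hex run.
    return [re.compile(rf"(?<![0-9a-fA-F]){p}(?![0-9a-fA-F])", re.IGNORECASE)
            for p in (spaced, joined)]


def redact_public_ips(text):
    """Return (redacted_text, mapping) where mapping is real IP -> placeholder.
    Placeholders are assigned in order of first appearance."""
    mapping = {}
    for found in DOTTED_QUAD.findall(text):
        if is_public(found) and found not in mapping:
            mapping[found] = f"PUBLIC_IP_{len(mapping) + 1}"
    for ip_text, placeholder in mapping.items():
        text = re.sub(rf"\b{re.escape(ip_text)}\b", placeholder, text)
        for pattern in hex_patterns(ip_text):
            text = pattern.sub(f"[{placeholder}]", text)
    return text, mapping


if __name__ == "__main__":
    redacted, mapping = redact_public_ips(SAMPLE_LOG)
    print(redacted)
    # Keep the mapping for yourself; it is the part you must NOT post.
    print("mapping (do not share):", mapping)
```

Run it over the real file with `redact_public_ips(open("l2tp-start.txt").read())` and post only the first element of the result. Over-redaction is the safe failure mode here: if a run of hex bytes happens to look like a public address, it gets replaced too, which costs nothing for the diagnosis.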
OT regarding MacOS "Big Sur": the first public version 11.0.1 that was released last week includes major parts that are completely redone and is also affected by a series of severe bugs. I advise against upgrading until all serious issues are resolved. Also, it has a completely new GUI design that might not appeal to everyone.