I am trying to connect to a VPN server (IPVanish.com) using a single L2TP/IPsec VPN and forward just my PC (192.168.88.247), and no other device, through the tunnel. I'm having trouble with the VPN, not the forwarding part. Any help is greatly appreciated. I like the MikroTik but am getting rather frustrated after 12 hours of playing with just the VPN. I'm a bit clueless when it comes to IPsec and L2TP, unfortunately.
My setup is:
I have a cable router connecting to the internet and getting a WAN IP. Only my MikroTik RB751G (RouterOS 5.21) is connected to this router (192.168.100.10, static IP in the cable LAN), with my PC (192.168.88.247, static IP in the MikroTik LAN) connected to the MikroTik.
Unfortunately I have no DMZ option on the cable router. Sooo I have added the following firewall rules on the router to do port forwarding:
Cable router firewall rules:

    Description          Public port   Private port   Protocol   Private IP
    1) PPTP (TCP:1723)   1723          1723 ~ 1723    TCP        192.168.100.10
    2) xxxx              50 ~ 51       50 ~ 51        TCP/UDP    192.168.100.10
    3) L2TP              1701          1701 ~ 1701    UDP        192.168.100.10
    4) ISAKMP            500           500 ~ 500      TCP/UDP    192.168.100.10
    5) 4500              4500          4500 ~ 4500    TCP/UDP    192.168.100.10
    6) SSL               443           443 ~ 443      TCP/UDP    192.168.100.10
I appear to have a successful IPsec connection (as long as the VPN isn't connected first, suggesting I have something wrong in the policy; any ideas?), and the L2TP VPN authenticates when enabled, but I don't seem to get any RX packets, although I can clearly see TX packets going out this interface as intended from my PC.
Looking in the debug output for L2TP I see that I am getting "wrong tunnel id" messages. Any ideas?
See my censored config below.
/ip ipsec peer> print
Flags: X - disabled
0 address=VPN-SERVER-IP/32 port=500 auth-method=pre-shared-key secret="SECRET" generate-policy=yes exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="" hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.88.247/32 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=192.168.100.10 sa-dst-address=VPN-SERVER-IP proposal=default priority=0
When I check the SAs I see:
/ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x8732BAF src-address=VPN-SERVER-IP dst-address=192.168.100.10 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="02ddf5e3314c80583e42226bd71d4c20f462bece" enc-key="a17ed86a59748e5bead083f81e82e90167081f5ec182409ab3854c40542a5989"
add-lifetime=24m/30m
1 E spi=0xC7ED28C4 src-address=192.168.100.10 dst-address=VPN-SERVER-IP auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="c96cb67b00be8068e193f4880828496cb35d379d" enc-key="bfd3a70f5241c373b558b9129cb9b52479d73643c8366a438623a1e83ed75eaf"
add-lifetime=24m/30m
Now the L2TP config:
/interface l2tp-client add name="vpn" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=VPN-SERVER-IP user="USERNAME" password="PASS" profile=default-encryption add-default-route=no dial-on-demand=no allow=mschap2
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=yes src-address=192.168.88.247/32 dst-address=!192.168.88.0/24
/ip route add dst-address=0.0.0.0/0 gateway=vpn distance=1 scope=30 target-scope=10 routing-mark=vpn
/ip firewall nat add chain=srcnat action=masquerade out-interface=vpn
L2TP debug:
The VPN authenticates and then ...
Jan/02/1970 00:26:32 l2tp,ppp,info vpn: connected
Jan/02/1970 00:26:33 l2tp,debug,packet rcvd control message from VPN-SERVER-IP:1701
Jan/02/1970 00:26:33 l2tp,debug,packet tunnel-id=1, session-id=0, ns=3, nr=4
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Message-Type=StopCCN
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Assigned-Tunnel-ID=38176
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:33 l2tp,debug,packet Error-Code=0
Jan/02/1970 00:26:33 l2tp,debug,packet Error-Message="Timeout"
Jan/02/1970 00:26:33 l2tp,debug received message with wrong tunnel id, ignoring
Jan/02/1970 00:26:34 l2tp,debug,packet rcvd control message from VPN-SERVER-IP:1701
Jan/02/1970 00:26:34 l2tp,debug,packet tunnel-id=1, session-id=0, ns=3, nr=4
Jan/02/1970 00:26:34 l2tp,debug,packet (M) Message-Type=StopCCN
Jan/02/1970 00:26:34 l2tp,debug,packet (M) Assigned-Tunnel-ID=38176
Jan/02/1970 00:26:34 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:34 l2tp,debug,packet Error-Code=0
Jan/02/1970 00:26:34 l2tp,debug,packet Error-Message="Timeout"
Jan/02/1970 00:26:34 l2tp,debug received message with wrong tunnel id, ignoring
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: LCP close
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: LCP closed
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: CCP lowerdown
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: BCP lowerdown
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: BCP down event in starting state
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: IPCP lowerdown
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: IPCP closed
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: IPV6CP lowerdown
Jan/02/1970 00:26:34 l2tp,ppp,debug vpn: MPLSCP lowerdown
Jan/02/1970 00:26:34 l2tp,ppp,debug,packet vpn: sent LCP TermReq id=0x3
Jan/02/1970 00:26:34 l2tp,ppp,debug,packet administrator request
Jan/02/1970 00:26:35 l2tp,debug,packet rcvd control message from VPN-SERVER-IP:1701
Jan/02/1970 00:26:35 l2tp,debug,packet tunnel-id=1, session-id=0, ns=3, nr=4
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Message-Type=StopCCN
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Assigned-Tunnel-ID=38176
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:35 l2tp,debug,packet Error-Code=0
Jan/02/1970 00:26:35 l2tp,debug,packet Error-Message="Timeout"
Jan/02/1970 00:26:35 l2tp,debug received message with wrong tunnel id, ignoring
Jan/02/1970 00:26:35 l2tp,ppp,debug vpn: LCP timer
Jan/02/1970 00:26:35 l2tp,ppp,debug,packet vpn: sent LCP TermReq id=0x4
Jan/02/1970 00:26:35 l2tp,ppp,debug,packet administrator request
Jan/02/1970 00:26:35 l2tp,ppp,debug,packet vpn: rcvd LCP TermAck id=0x4
Jan/02/1970 00:26:35 l2tp,ppp,debug vpn: LCP lowerdown
Jan/02/1970 00:26:35 l2tp,ppp,info vpn: terminating… - administrator request
Jan/02/1970 00:26:35 l2tp,debug,packet sent control message to VPN-SERVER-IP:1701
Jan/02/1970 00:26:35 l2tp,debug,packet tunnel-id=24084, session-id=23533, ns=4, nr=2
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Message-Type=CDN
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Assigned-Session-ID=1
Jan/02/1970 00:26:35 l2tp,debug session 1 entering state: stopping
Jan/02/1970 00:26:35 l2tp,ppp,debug vpn: LCP lowerdown
Jan/02/1970 00:26:35 l2tp,ppp,debug vpn: LCP down event in initial state
Jan/02/1970 00:26:35 l2tp,ppp,info vpn: disabled
I have gone through all the wiki L2TP/IPsec stuff and can't find anything on the internet that has helped; any pointers would help.
If you need any more info, let me know.
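The following is an added example, not part of the post above and not the poster's configuration. It models RouterOS-style IPsec policy selector matching so you can see which packets the posted policy (src-address=192.168.88.247/32, dst-address=0.0.0.0/0, protocol=all, tunnel=yes) would actually select, side by side with the conventional transport-mode selector used for L2TP/IPsec (router address to server address, UDP port 1701 both ways; RFC 3193). The server address is a documentation placeholder standing in for the redacted VPN-SERVER-IP, and the second policy is included purely as the comparison case; both are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: documentation address standing in for the redacted VPN-SERVER-IP.
VPN_SERVER_IP = "203.0.113.10"
ROUTER_WAN_IP = "192.168.100.10"   # RB751G address on the cable LAN (from the post)
PC_IP = "192.168.88.247"           # the PC behind the MikroTik (from the post)


@dataclass(frozen=True)
class Policy:
    src: str          # src-address as CIDR
    dst: str          # dst-address as CIDR
    protocol: str     # "all", "udp", "tcp", ...
    src_port: str     # "any" or a port number as text
    dst_port: str
    tunnel: bool      # tunnel=yes -> tunnel mode, tunnel=no -> transport mode


def _port_ok(selector: str, port) -> bool:
    return selector == "any" or (port is not None and int(selector) == port)


def policy_matches(p: Policy, src_ip, dst_ip, proto, sport=None, dport=None) -> bool:
    """Selector test: source range, destination range, protocol and ports must all match."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.src, strict=False):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(p.dst, strict=False):
        return False
    if p.protocol != "all" and p.protocol != proto:
        return False
    return _port_ok(p.src_port, sport) and _port_ok(p.dst_port, dport)


# The policy exactly as posted (tunnel mode, whole PC host, any destination).
POSTED_POLICY = Policy(src=f"{PC_IP}/32", dst="0.0.0.0/0", protocol="all",
                       src_port="any", dst_port="any", tunnel=True)

# Comparison case (assumption, not from the post): transport-mode selector that
# protects only the L2TP channel between the router itself and the VPN server.
L2TP_POLICY = Policy(src=f"{ROUTER_WAN_IP}/32", dst=f"{VPN_SERVER_IP}/32", protocol="udp",
                     src_port="1701", dst_port="1701", tunnel=False)

# Constructed sample flows: (src, dst, proto, sport, dport).
FLOWS = {
    # PC traffic with its original source address, before any src-nat
    "pc_to_internet": (PC_IP, "198.51.100.7", "tcp", 50123, 443),
    # the router's own L2TP control/data packets to the server
    "l2tp_channel": (ROUTER_WAN_IP, VPN_SERVER_IP, "udp", 1701, 1701),
}


def classify(policy: Policy) -> dict:
    """Per sample flow, would this policy select it for encryption?"""
    return {name: policy_matches(policy, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, pol in (("posted", POSTED_POLICY), ("transport-mode l2tp", L2TP_POLICY)):
        print(label, classify(pol))
```

The posted selector matches packets that still carry the PC's source address and does not match the router's own UDP/1701 L2TP packets, so the L2TP channel itself is outside that policy; the transport-mode selector does the reverse. Two caveats when reading the result against a real router: RouterOS evaluates IPsec policies after src-nat, so a masqueraded packet is matched on its translated source address, not the PC's; and ESP is IP protocol 50 rather than a TCP/UDP port, so a forwarding rule for "ports" 50 ~ 51 does not carry ESP, while NAT-T (nat-traversal=yes) wraps ESP in UDP 4500, which rule 5 does forward.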
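A second added example, again not from the post: a small parser for the RouterOS l2tp debug lines that groups each control message with its header tunnel-id and AVPs, then relates the ignored StopCCN messages to the tunnel the client is actually using. In L2TP (RFC 2661) the tunnel-id in a message header is the recipient's ID, so the tunnel-id the client puts on its own sent messages (24084 in the posted CDN) is the server's ID for the live tunnel, while Assigned-Tunnel-ID inside a StopCCN is the ID the sender uses for the tunnel it is tearing down. The sample log is a trimmed copy of the posted lines, constructed inline for this example; the function names are this example's own.

```python
import re

# Constructed sample: trimmed copy of the posted debug output (placeholder server address kept).
LOG = """\
Jan/02/1970 00:26:33 l2tp,debug,packet rcvd control message from VPN-SERVER-IP:1701
Jan/02/1970 00:26:33 l2tp,debug,packet tunnel-id=1, session-id=0, ns=3, nr=4
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Message-Type=StopCCN
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Assigned-Tunnel-ID=38176
Jan/02/1970 00:26:33 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:33 l2tp,debug,packet Error-Code=0
Jan/02/1970 00:26:33 l2tp,debug,packet Error-Message="Timeout"
Jan/02/1970 00:26:33 l2tp,debug received message with wrong tunnel id, ignoring
Jan/02/1970 00:26:35 l2tp,debug,packet sent control message to VPN-SERVER-IP:1701
Jan/02/1970 00:26:35 l2tp,debug,packet tunnel-id=24084, session-id=23533, ns=4, nr=2
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Message-Type=CDN
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Result-Code=1
Jan/02/1970 00:26:35 l2tp,debug,packet (M) Assigned-Session-ID=1
"""

HDR = re.compile(r"^(?P<dir>rcvd|sent) control message (?:from|to) (?P<peer>\S+)$")
IDS = re.compile(r"tunnel-id=(?P<tid>\d+), session-id=(?P<sid>\d+), ns=(?P<ns>\d+), nr=(?P<nr>\d+)")
AVP = re.compile(r"^(?:\(M\) )?(?P<name>[A-Za-z-]+)=(?P<value>\"[^\"]*\"|\S+)$")


def parse_control_messages(text: str) -> list:
    """Group the per-line debug output into one dict per L2TP control message."""
    msgs, cur = [], None
    for line in text.splitlines():
        # strip "<date> <time> l2tp,<topics> " and keep the message body
        body = line.split(" l2tp,", 1)[1] if " l2tp," in line else line
        body = body.split(" ", 1)[1] if " " in body else body
        m = HDR.match(body)
        if m:
            cur = {"dir": m["dir"], "peer": m["peer"], "avps": {}, "ignored": False}
            msgs.append(cur)
            continue
        if cur is None:
            continue
        m = IDS.search(body)
        if m:
            cur.update(tunnel_id=int(m["tid"]), session_id=int(m["sid"]),
                       ns=int(m["ns"]), nr=int(m["nr"]))
            continue
        if body.startswith("received message with wrong tunnel id"):
            cur["ignored"] = True       # RouterOS rejected the header tunnel-id as not its own
            continue
        m = AVP.match(body)
        if m:
            cur["avps"][m["name"]] = m["value"].strip('"')
    return msgs


def analyse(msgs: list):
    """Relate each received StopCCN to the tunnel the client is talking on."""
    # header tunnel-id on a *sent* message = the peer's ID for our live tunnel
    live_peer_ids = {m["tunnel_id"] for m in msgs if m["dir"] == "sent"}
    findings = []
    for m in msgs:
        if m["dir"] == "rcvd" and m["avps"].get("Message-Type") == "StopCCN":
            claimed = int(m["avps"].get("Assigned-Tunnel-ID", -1))
            findings.append({
                "header_tunnel_id": m["tunnel_id"],          # what the peer thinks *our* ID is
                "peer_assigned_id": claimed,                 # the peer's own ID for that tunnel
                "matches_live_tunnel": claimed in live_peer_ids,
                "ignored_by_router": m["ignored"],
                "reason": m["avps"].get("Error-Message"),
            })
    return live_peer_ids, findings


if __name__ == "__main__":
    live, found = analyse(parse_control_messages(LOG))
    print("peer IDs of live tunnel:", live)
    for f in found:
        print(f)
```

Run against the posted lines, the client's live tunnel is addressed as 24084 on the server side, while the StopCCN names 38176 and is addressed to tunnel-id 1, which the router rejects; the StopCCN therefore refers to a tunnel other than the one the client just brought up, and the router ignoring it is the correct L2TP behaviour. The analysis only tells you which tunnel the message belongs to, not why the server has a second tunnel timing out; that needs the server side or a capture of the earlier exchange.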