PPP doesn't work for external connections

metrocitizen · June 9, 2014, 10:12am

Hello, so I can’t get any external computers to vpn to an RB1100ahx2 v5.26.

I’ve tried PPTP, and L2TP. PPTP seems to get further, but ultimately disconnects, saying en0(mac) is inconsistant.

L2TP fails with “could not connect to server”

I’ve opened all L2TP UDP Ports for input and output on the firewall.

I can connect from machines directly plugged into the RB.

For example…
Computer(ip 192.168.0.20) going through a router, being natted (ip 113.13.13.10) trying to vpn to a RB (ip 25.25.6.7) to get an internal ip (192.168.40.30) to RDS into another computer (192.168.40.20).
I’ve read many tuts and guides on how to set up PPTP and L2TP vpns (including IPsec). But no matter what I do, I always fail to connect to server. This is very frustrating as these are expensive routers, and if they can’t do something as simple as vpn into a network. I don’t see myself as a future customer of mikrotik.

But I do hope it’s my own ignorance that keeps me from seeing what the problem is. I’ll post up some logs, but it mostly says that it’s sending SCCRQ replies back to the clients global IP, but it never gets there. This has been tested on multiple computers.

Best Regards,
metrocitizen

wildflower42 · June 9, 2014, 9:44pm

Export your PPP, interface L2TP and PPTP configs, and firewall rules. Show us one connection attempt from your logs.

There is probably a rule or interface config setting which should not be set.

metrocitizen · June 10, 2014, 1:53am

Configurations, replaced sensitive details with generic details

PPP
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
add change-tcp-mss=default dns-server=192.168.0.101,8.8.8.8 \
    local-address=192.168.0.1 name=user-profile only-one=default \
    remote-address=192.168.0.59 use-compression=default use-encryption=\
    default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=\
    user password=pass profile=user-profile \
    routes="" service=any

L2TP
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=user-profile \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=\
    disabled

PPTP
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=user-profile enabled=\
    yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

FIREWALL
/ip firewall address-list
add address=0.0.0.0/0 comment="all traffic" disabled=no list="all traffic"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment=\
    "Router accepts ping request incoming WAN" disabled=no icmp-options=\
    8:0-255 in-interface="WAN ether11" protocol=icmp
add action=accept chain=input comment=\
    "Accept Toggle server for cacti on Wan (RB)" disabled=no dst-port=161 \
    in-interface="WAN ether11" protocol=udp src-address=50.97.252.151
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input disabled=no protocol=ipsec-ah
add action=accept chain=input disabled=no protocol=gre
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=output disabled=no dst-port=500 out-interface=\
    "WAN ether11" protocol=udp
add action=accept chain=output disabled=no dst-port=1701 out-interface=\
    "WAN ether11" protocol=tcp
add action=accept chain=output disabled=no dst-port=4500 out-interface=\
    "WAN ether11" protocol=udp
add action=accept chain=input comment="L2TP/IPSEC port 500 accept" disabled=\
    no dst-port=500 in-interface="WAN ether11" protocol=udp
add action=accept chain=input comment="L2TP/IPSEC port 1701 accept" disabled=\
    no dst-port=1701 in-interface="WAN ether11" protocol=udp
add action=accept chain=input comment="L2TP/IPSEC port 4500 accept" disabled=\
    no dst-port=4500 in-interface="WAN ether11" protocol=udp
add action=drop chain=input comment=\
    "Drop all new connections to router incoming WAN" connection-state=new \
    disabled=no in-interface="WAN ether11"
add action=drop chain=forward comment=\
    "Drop new connections from Tenant to LincMedia" connection-state=new \
    disabled=no in-interface="TennantLAN ether1" out-interface=\
    "LincMediaLAN ether6"
add action=accept chain=forward comment=\
    "Allow traffic from the IPSec Tunnel to the Tenant LAN" disabled=no \
    in-interface="WAN ether11" out-interface="TennantLAN ether1" src-address=\
    192.168.20.0/24
add action=accept chain=forward comment=\
    "Allow traffic from Gargamel to get to the LM LAN." disabled=no \
    out-interface="LincMediaLAN ether6" src-address=192.168.20.2
add action=drop chain=forward comment="Drop all new connections incoming WAN" \
    connection-state=new disabled=no in-interface="WAN ether11"
/ip firewall mangle
add action=accept chain=prerouting disabled=no
/ip firewall nat
add action=accept chain=srcnat comment="NAT Bypass Rule for IPSec Tunneling.  \
    Don't NAT traffic from the Tenant LAN to the remote Sonic LAN." disabled=\
    no dst-address=192.168.20.0/24 out-interface="WAN ether11" src-address=\
    10.10.10.0/24
add action=accept chain=srcnat comment="NAT Bypass Rule for IPSec Tunneling.  \
    Don't NAT traffic from the LM LAN to the remote Sonic LAN." disabled=no \
    dst-address=192.168.20.0/24 out-interface="WAN ether11" src-address=\
    192.168.0.0/23
add action=src-nat chain=srcnat comment="NAT from Tenant to WAN" disabled=no \
    dst-address=0.0.0.0/0 out-interface="WAN ether11" src-address=\
    10.10.10.0/24 to-addresses=124.39.174.122
add action=src-nat chain=srcnat comment="NAT from LINC Media to WAN" \
    disabled=no dst-address=0.0.0.0/0 out-interface="WAN ether11" \
    src-address=192.168.0.0/16 to-addresses=124.39.174.122
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

log file for l2tp connection failure.

Jun/09/2014 23:20:00 l2tp,debug,packet err_: rcvd control message from 126.65.146.143:1701
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     tunnel-id=0, session-id=0, ns=0, nr=0
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Message-Type=SCCRQ
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     Firmware-Revision=0x601
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Host-Name="PC-PC"
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     Vendor-Name="Microsoft"
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=1
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Receive-Window-Size=8
Jun/09/2014 23:20:00 l2tp,info err_: first L2TP UDP packet received from 126.65.146.143
Jun/09/2014 23:20:00 l2tp,debug err_: tunnel 12 entering state: wait-ctl-conn
Jun/09/2014 23:20:00 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:00 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:01 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:01 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:02 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:02 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:04 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:04 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:08 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:08 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:16 l2tp,debug,packet err_: sent control message to 126.65.146.143:1701
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     tunnel-id=1, session-id=0, ns=0, nr=1
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Message-Type=SCCRP
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Protocol-Version=0x01:00
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Framing-Capabilities=0x1
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Bearer-Capabilities=0x0
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     Firmware-Revision=0x1
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Host-Name="MikroTik"
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     Vendor-Name="MikroTik"
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Assigned-Tunnel-ID=12
Jun/09/2014 23:20:16 l2tp,debug,packet err_:     (M) Receive-Window-Size=4
Jun/09/2014 23:20:24 l2tp,debug err_: tunnel 12 received no replies, disconnecting
Jun/09/2014 23:20:24 l2tp,debug err_: tunnel 12 entering state: dead

I’ve broken down once and disabled ALL firewall rules and had the same effect.