Problem with Linux and win10 roadwarriors L2TP+IPSeC VPN

nixv · November 1, 2019, 8:02pm

Hi there!

I have a problem and it’s driving me crazy…
I can’t connect linux and win10 clients with my basic L2TP+IpSeC VPN
android and windows 7 clients connect without problems
I was looking for a lot but I can’t make it work
double check the configuration
just in case, update to the latest version of routerOS

Here’s the config:

Mikrotik

/ip ipsec proposal
set [ find default=yes ] enc-algorithm=3des

/ip pool
add name=vpn-pool ranges=10.10.10.86-10.10.10.100

/ppp profile
set *0 local-address=10.10.10.85 remote-address=vpn-pool

/interface l2tp-server server
set authentication=mschap default-profile=default enable=yes ipse-secret=xxxxxxx use-ipsec=required

/ppp secret
add name=user1 password=Password1

/system logging
add topics=ipsec,!debug

Linux client config

Requirements:

apt-get install network-manager-l2tp-gnome network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins

Config NetworkManager:

Name: vpn
Gateway: x.x.x.x
User name: User1
Password: Password1

IpSec Settings:

[*]Enable Ipsec tunnel to L2TP host
General:
Pre-shared key: xxxxxx
Advanced:
Phase 1 Algorithms: 3des-sha1-modp1024
Phase 2 Algorithms: 3des-sha1

The connection fails in phase 2

Any ideas?

Thanks in advance!!!
Nicolas.

Zacharias · November 2, 2019, 8:55pm

Is your MikroTik router behind NAT or you have PPPoE client configured? In simple words, does your MikroTik router have a public IP ?

Are ports UDP 500, 4500, 1701 accepted in firewall ?

nixv · November 4, 2019, 1:38pm

Thanx for the reply!

and yes, I have a public ip and the rules allowed in the firewall

/ip firewall filter
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp

Zacharias · November 4, 2019, 1:48pm

Check your log… what does it say ?

nixv · November 6, 2019, 1:36pm

here goes an android client that works

10:13:42 ipsec,info respond new phase 1 (Identity Protection): Y.Y.Y.Y[500]<=>X.X.X.X[32773] 
10:13:42 ipsec received Vendor ID: RFC 3947 
10:13:42 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
10:13:42 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
10:13:42 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
10:13:42 ipsec received long Microsoft ID: FRAGMENTATION 
10:13:42 ipsec Fragmentation enabled 
10:13:42 ipsec received Vendor ID: DPD 
10:13:42 ipsec X.X.X.X Selected NAT-T version: RFC 3947 
10:13:42 ipsec invalied hash algorithm=5. 
10:13:42 ipsec invalied hash algorithm=5. 
10:13:42 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[32773] c65c8701759ed3bf:e027d8c97a981129 
10:13:42 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:13:42 ipsec NAT-D payload #0 verified 
10:13:42 ipsec X.X.X.X Hashing X.X.X.X[32773] with algo #2  
10:13:42 ipsec NAT-D payload #1 doesn't match 
10:13:42 ipsec NAT detected: PEER 
10:13:42 ipsec X.X.X.X Hashing X.X.X.X[32773] with algo #2  
10:13:42 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:13:42 ipsec Adding remote and local NAT-D payloads. 
10:13:42 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[32773] c65c8701759ed3bf:e027d8c97a981129 
10:13:42 ipsec NAT-T: ports changed to: X.X.X.X[32774]<=>Y.Y.Y.Y[4500] 
10:13:42 ipsec KA list add: Y.Y.Y.Y[4500]->X.X.X.X[32774] 
10:13:42 ipsec,info ISAKMP-SA established Y.Y.Y.Y[4500]-X.X.X.X[32774] spi:c65c8701759ed3bf:e027d8c97a981129 
10:13:43 ipsec respond new phase 2 negotiation: Y.Y.Y.Y[4500]<=>X.X.X.X[32774] 
10:13:43 ipsec invalid auth algorithm=6. 
10:13:43 ipsec invalid auth algorithm=6. 
10:13:43 ipsec invalid auth algorithm=6. 
10:13:43 ipsec invalid auth algorithm=6. 
10:13:43 ipsec searching for policy for selector: Y.Y.Y.Y:1701 ip-proto:17 <=> X.X.X.X ip-proto:17 
10:13:43 ipsec generating policy 
10:13:43 ipsec Adjusting my encmode UDP-Transport->Transport 
10:13:43 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:13:43 ipsec authtype mismatched: my:hmac-sha1 peer:hmac-sha512 
10:13:43 ipsec sent phase2 packet Y.Y.Y.Y[4500]<=>X.X.X.X[32774] c65c8701759ed3bf:e027d8c97a981129:ee20c275  
10:13:43 ipsec IPsec-SA established: ESP/Transport X.X.X.X[32774]->Y.Y.Y.Y[4500] spi=0x8718e8c 
10:13:43 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[4500]->X.X.X.X[32774] spi=0xaaf563c 
10:13:44 l2tp,info first L2TP UDP packet received from X.X.X.X 
10:13:44 l2tp,ppp,info,account nico logged in, 10.10.10.88 
10:13:44 l2tp,ppp,info <l2tp-nico>: authenticated 
10:13:44 l2tp,ppp,info <l2tp-nico>: connected

here goes a linux client that doesn’t

10:26:22 ipsec,info respond new phase 1 (Identity Protection): Y.Y.Y.Y[500]<=>X.X.X.X[500] 
10:26:22 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
10:26:22 ipsec received Vendor ID: DPD 
10:26:22 ipsec received long Microsoft ID: FRAGMENTATION 
10:26:22 ipsec Fragmentation enabled 
10:26:22 ipsec received Vendor ID: RFC 3947 
10:26:22 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
10:26:22 ipsec X.X.X.X Selected NAT-T version: RFC 3947 
10:26:22 ipsec Adding xauth VID payload. 
10:26:22 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] a0eb115a29ca6d7c:79e2cea68331cc35 
10:26:22 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:26:22 ipsec NAT-D payload #0 verified 
10:26:22 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
10:26:22 ipsec NAT-D payload #1 verified 
10:26:22 ipsec NAT not detected  
10:26:22 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
10:26:22 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:26:22 ipsec Adding remote and local NAT-D payloads. 
10:26:22 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] a0eb115a29ca6d7c:79e2cea68331cc35 
10:26:22 ipsec,info ISAKMP-SA established Y.Y.Y.Y[500]-X.X.X.X[500] spi:a0eb115a29ca6d7c:79e2cea68331cc35 
10:26:22 ipsec respond new phase 2 negotiation: Y.Y.Y.Y[500]<=>X.X.X.X[500] 
10:26:22 ipsec searching for policy for selector: Y.Y.Y.Y:1701 <=> X.X.X.X 
10:26:22 ipsec generating policy 
10:26:22 ipsec sent phase2 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] a0eb115a29ca6d7c:79e2cea68331cc35:e057e7a4 
10:26:22 ipsec IPsec-SA established: ESP/Transport X.X.X.X[500]->Y.Y.Y.Y[500] spi=0x18b3682 
10:26:22 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[500]->X.X.X.X[500] spi=0xcfa5ee2d 
10:26:36 ipsec purged IPsec-SA proto_id=ESP spi=0xcfa5ee2d 
10:26:36 ipsec purged IPsec-SA proto_id=ESP spi=0x18b3682 
10:26:36 ipsec removing generated policy 
10:26:36 ipsec,info purging ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=a0eb115a29ca6d7c:79e2cea68331cc35. 
10:26:36 ipsec purged ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=a0eb115a29ca6d7c:79e2cea68331cc35. 
10:26:36 ipsec,info ISAKMP-SA deleted Y.Y.Y.Y[500]-X.X.X.X[500] spi:a0eb115a29ca6d7c:79e2cea68331cc35 rekey:1

on the client side…

xl2tpd[22701]: death_handler: Fatal signal 15 recieved
xl2tpd[22701]: Connection 0 closed to Y.Y.Y.Y, port 1701 (Server closing)

and the windows that doesn’t work either

10:46:07 ipsec,info respond new phase 1 (Identity Protection): Y.Y.Y.Y[500]<=>X.X.X.X[500] 
10:46:07 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY 
10:46:07 ipsec received Vendor ID: RFC 3947 
10:46:07 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
10:46:07 ipsec received Vendor ID: FRAGMENTATION 
10:46:07 ipsec Fragmentation enabled 
10:46:07 ipsec X.X.X.X Selected NAT-T version: RFC 3947 
10:46:07 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] cf6633a4f713f0d0:acb849674e6706b7 
10:46:07 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:46:07 ipsec NAT-D payload #0 verified 
10:46:07 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
10:46:07 ipsec NAT-D payload #1 verified 
10:46:07 ipsec NAT not detected  
10:46:07 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
10:46:07 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
10:46:07 ipsec Adding remote and local NAT-D payloads. 
10:46:07 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] cf6633a4f713f0d0:acb849674e6706b7 
10:46:08 ipsec,info ISAKMP-SA established Y.Y.Y.Y[500]-X.X.X.X[500] spi:cf6633a4f713f0d0:acb849674e6706b7 
10:46:08 ipsec respond new phase 2 negotiation: Y.Y.Y.Y[500]<=>X.X.X.X[500] 
10:46:08 ipsec searching for policy for selector: Y.Y.Y.Y:1701 ip-proto:17 <=> X.X.X.X:1701 ip-proto:17 
10:46:08 ipsec generating policy 
10:46:08 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:46:08 ipsec trns_id mismatched: my:3DES peer:AES-CBC 
10:46:08 ipsec sent phase2 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] cf6633a4f713f0d0:acb849674e6706b7:00000001 
10:46:08 ipsec IPsec-SA established: ESP/Transport X.X.X.X[500]->Y.Y.Y.Y[500] spi=0x46eec3b 
10:46:08 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[500]->X.X.X.X[500] spi=0x31c281e8 
10:46:43 ipsec purged IPsec-SA proto_id=ESP spi=0x31c281e8 
10:46:43 ipsec purged IPsec-SA proto_id=ESP spi=0x46eec3b 
10:46:43 ipsec removing generated policy 
10:46:43 ipsec,info purging ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=cf6633a4f713f0d0:acb849674e6706b7. 
10:46:43 ipsec purged ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=cf6633a4f713f0d0:acb849674e6706b7. 
10:46:43 ipsec,info ISAKMP-SA deleted Y.Y.Y.Y[500]-X.X.X.X[500] spi:cf6633a4f713f0d0:acb849674e6706b7 rekey:1

Zacharias · November 6, 2019, 2:00pm

Have you changed anything inside the ipsec configuration ?
It seems the problem is with the ipsec encryption algorithm…

nixv · November 6, 2019, 3:15pm

nop
why do you think the problem is the ipsec encryption algorithm?
in the case where the log show something it is with the android client but it works

In cases that do not connect, the l2tp does not start

sindy · November 7, 2019, 9:40pm

Because the log says that the encryption algorithm available at responder (Tik) side doesn’t match the one available at initiator (Win10) side:

10:46:08 ipsec trns_id mismatched: my:3DES peer:AES-CBC

Which is imposed by this setting (as it appears in the export, it is a non-default one):
/ip ipsec proposal
set [ find default=yes ] enc-algorithm=3des

So to make it work, add aes-cbc-128, aes-cbc-256 to the enc-algorithm list.

Each of the clients you’ve listed has a different set of supported encryption algorithms. 3DES is not considered a secure encryption method any more, so while Win7 embedded VPN client still supports it, the Win10 one doesn’t. The good news is that both Android and Win7 can use aes-cbc as well so there is no need to permit 3DES at the Tik. Always use the most advanced algorithm supported by all your devices and disable all the weaker ones; if the most advanced algorithm supported by some device is 3DES, it’s time to replace that device or not use it as a VPN client.

That’s no surprise. Until the IPsec SA comes up, the L2TP packets cannot get through.

nixv · November 8, 2019, 1:20pm

you’re right! I didn’t see that in the logs
I have added the encryption algorithm but it did not work in either case (win10 and linux)
I send you the logs

09:48:19 ipsec,info respond new phase 1 (Identity Protection): Y.Y.Y.Y[500]<=>X.X.X.X[500] 
09:48:19 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY 
09:48:19 ipsec received Vendor ID: RFC 3947 
09:48:19 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
09:48:19 ipsec received Vendor ID: FRAGMENTATION 
09:48:19 ipsec Fragmentation enabled 
09:48:19 ipsec X.X.X.X Selected NAT-T version: RFC 3947 
09:48:19 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] 56bc407c268f94ca:1a9df3754725545f 
09:48:19 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
09:48:19 ipsec NAT-D payload #0 verified 
09:48:19 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
09:48:19 ipsec NAT-D payload #1 verified 
09:48:19 ipsec NAT not detected  
09:48:19 ipsec X.X.X.X Hashing X.X.X.X[500] with algo #2  
09:48:19 ipsec Y.Y.Y.Y Hashing Y.Y.Y.Y[500] with algo #2  
09:48:19 ipsec Adding remote and local NAT-D payloads. 
09:48:19 ipsec sent phase1 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] 56bc407c268f94ca:1a9df3754725545f 
09:48:20 ipsec,info ISAKMP-SA established Y.Y.Y.Y[500]-X.X.X.X[500] spi:56bc407c268f94ca:1a9df3754725545f 
09:48:20 ipsec respond new phase 2 negotiation: Y.Y.Y.Y[500]<=>X.X.X.X[500] 
09:48:20 ipsec searching for policy for selector: Y.Y.Y.Y:1701 ip-proto:17 <=> X.X.X.X:1701 ip-proto:17 
09:48:20 ipsec generating policy 
09:48:20 ipsec sent phase2 packet Y.Y.Y.Y[500]<=>X.X.X.X[500] 56bc407c268f94ca:1a9df3754725545f:00000001 
09:48:20 ipsec IPsec-SA established: ESP/Transport X.X.X.X[500]->Y.Y.Y.Y[500] spi=0x2ce69f9 
09:48:20 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[500]->X.X.X.X[500] spi=0x6633617e 
09:48:55 ipsec purged IPsec-SA proto_id=ESP spi=0x6633617e 
09:48:55 ipsec purged IPsec-SA proto_id=ESP spi=0x2ce69f9 
09:48:55 ipsec removing generated policy 
09:48:55 ipsec,info purging ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=56bc407c268f94ca:1a9df3754725545f. 
09:48:55 ipsec purged ISAKMP-SA Y.Y.Y.Y[500]<=>X.X.X.X[500] spi=56bc407c268f94ca:1a9df3754725545f. 
09:48:55 ipsec,info ISAKMP-SA deleted Y.Y.Y.Y[500]-X.X.X.X[500] spi:56bc407c268f94ca:1a9df3754725545f rekey:1

thank you very much for answering

sindy · November 8, 2019, 2:46pm

OK. Now your log shows the following:

09:48:20 ipsec IPsec-SA established: ESP/Transport X.X.X.X[500]->Y.Y.Y.Y[500] spi=0x2ce69f9
09:48:20 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[500]->X.X.X.X[500] spi=0x6633617e
… 35 seconds silence …
09:48:55 ipsec purged IPsec-SA proto_id=ESP spi=0x6633617e
09:48:55 ipsec purged IPsec-SA proto_id=ESP spi=0x2ce69f9

Hence establishment of the IPsec layer has been successful but a) either the L2TP didn’t negotiate properly or b) it was unable to negotiate properly because the communication did not get through.

So a bit of theory: if there is no NAT between the IPsec peers, the control communication between them uses UDP port 500 at both peers, and the actual payload is transported using a dedicated protocol called ESP (or another one called AH, doesn’t matter here). But ESP doesn’t have the notion of a “port”, hence it cannot be NATed. So while establishing the control connection, the peers check for presence of NAT at both ends and if detected at either (or both), they switch over to using port UDP 4500 for both the control communication and the transport - in this mode, the ESP is encapsulated into UDP prior to sending, and the control (IKE) packets are distinguished from the transport (ESP) packets coming in the same UDP flow by means of a distinictive field at the beginning of the UDP’s payload.

Why I mention this is that when you look at log from the working case (Android), you can see that the log shows that this NAT-traversal mode has been chosen:
10:13:43 ipsec IPsec-SA established: ESP/Transport X.X.X.X[32774]->Y.Y.Y.Y[4500] spi=0x8718e8c
10:13:43 ipsec IPsec-SA established: ESP/Transport Y.Y.Y.Y[4500]->X.X.X.X[32774] spi=0xaaf563c

In the same log, you can also see 10:13:44 l2tp,info first L2TP UDP packet received from X.X.X.X, which suggests that L2TP events are being logged. Since an equivalent message is missing in the log from Windows after augmenting the encryption-algorithm list, I conclude that variant b) above is the reason why it doesn’t work. And the root cause is that the ESP packets are only sent if they have a payload to carry, so the Tik acting as L2TP server does not send them until it needs to transport a response to a received L2TP initial packet, and thus it does not drill a pinhole for the ESP packets coming from the remote peer in its firewall.

So check your /ip firewall filter rules in chain=input, and right before the rule permitting incoming connections to UDP ports 500 and 4500, add another rule permitting incoming connections using protocol ESP:
/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=[find chain=input dst-port~“4500”].

If you don’t plan to ever connect peers having their own public IP (i.e. without a NAT at their end) in the real deployment, i.e. if you only connect them while testing the setup at home, you can also skip this step and try to connect the Win10 machine and the Linux machine from behind a NAT.

nixv · November 14, 2019, 12:44pm

Wow!
thank you very much for the theory
there was the problem
At some point I mistakenly deleted the line in the firewall and the tree wouldn’t let me see the forest …
Thank you very very much sindy!!!

dkilis · August 5, 2020, 5:54am

Hi Zacharias,

If the Mikrotik router is behind NAT (namely Netgear C7000v2 modem/router), and I am experiencing the same problem with win7/10, is there a way to resolve the situation?

Thanks.
Danny

sindy · August 11, 2020, 6:04pm

I’m not @Zacharias, but I think you may be interested in this thread.