ROS L2TP/IPSec server for OSX Mojave client

Hi
I have been trying for 2 weeks to set up a road warrior L2TP/IPSec server on my hAP ac (RB962UiGS-5HacT2HnT; v6.43.7) so I can connect my MacBook running Mojave (10.14.1). The MikroTik stands behind my ISP gateway router, which I cannot discard due to a proprietary WAN authentication. Anyway, I’m pretty confident in my NATing and firewalling abilities.
I’ve read every wiki out there and tried almost all setup combinations. All I can get is four 816-byte UDP packets arriving at port 500, followed by the usual “The L2TP-VPN server did not respond.”

So, has anyone successfully connected an OSX Mojave to an L2TP/IPSec ROS server?
Also, how can I obtain logs from the MikroTik? I added a rule with the topics ipsec, l2tp and ppp, but nothing shows up. The only time something shows up in the logs is when I try to connect from within the MikroTik’s LAN. In that case the MikroTik receives 1 packet on port 500 and another on port 4500 (140B), and the log shows:

[attached screenshot: Screen Shot 2018-12-14 at 14.49.46.png]

Let’s get extended logging going so you can see more info:

/system logging add topics=ipsec,!packet

Thanks for your answer. I was already thinking this forum needed a secret cool handshake that I don’t know…
By now I’ve given up on L2TP/IPSec (also had given up on OpenVPN a few months ago!).
I managed to set up IKEv2, which is working well with my MacBook (not with my phone though…), and I erased all the L2TP configs.
But again, thank you for being available to help!

Do you mind sharing your IKEv2 config?

I’m using MikroTik L2TP/IPSec VPN with macOS Mojave/Win10/iOS12/Android9 and they all work like a charm with the built-in functionality. My configuration:

/ip pool add name=vpn-pool ranges=192.168.89.2-192.168.89.254
/ppp secret add name=VpnUser password=VpnPassword profile=default-encryption
/ppp profile set [ find name=default-encryption ] local-address=192.168.89.1 remote-address=vpn-pool use-compression=yes
/interface l2tp-server server set authentication=mschap2 default-profile=default-encryption enabled=yes ipsec-secret=MySecret keepalive-timeout=10 max-mru=1460 max-mtu=1460 use-ipsec=yes

/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall filter add action=accept chain=input dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp src-address=192.168.89.0/24 comment="allow ssh,webadmin,winbox from VPN"

/ip firewall filter
# filter rules are evaluated top to bottom: these accept rules must sit above any drop rule on chain=input
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
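The firewall part of the configuration above is where most "server did not respond" cases come from: RouterOS evaluates filter rules top to bottom, so the three accept rules only work if they sit above whatever drop rule closes the input chain, and a client that is not behind NAT sends plain ESP (protocol ipsec-esp) rather than UDP/4500. The script below is an added example, not code from the forum post or from MikroTik: it parses a RouterOS `/ip firewall filter` export and reports accept rules that are missing or shadowed by an earlier drop. Both exports embedded in it are constructed for the example (the first reuses the rules from the post with a catch-all drop placed above them; the second is the corrected ordering with an ESP rule added); the function and variable names are this example's own.

```python
"""Check a RouterOS /ip firewall filter export for the input-chain rules an
L2TP/IPsec server needs, and for their order relative to any drop rule.

Added example, not from the forum post. Assumptions: the export uses the
'add key=value ...' form that /export prints, and any drop/reject rule on
chain=input is treated as a catch-all (narrow that if yours is per-interface).
"""
import shlex

# Constructed sample: the accept rules from the post, but with a catch-all
# drop placed above them, which is the ordering mistake this check catches.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop all other input"
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
"""

# Constructed sample: same rules in a working order, plus plain ESP for
# clients that are not behind NAT, with the drop last.
FIXED_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow ESP" protocol=ipsec-esp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="drop all other input"
"""

# What an L2TP/IPsec server has to accept on chain=input.
REQUIRED = [
    {"protocol": "udp", "dst-port": "500"},   # IKE
    {"protocol": "udp", "dst-port": "4500"},  # NAT-T: IKE and UDP-encapsulated ESP
    {"protocol": "udp", "dst-port": "1701"},  # L2TP, arrives inside the IPsec tunnel
    {"protocol": "ipsec-esp"},                # plain ESP for clients not behind NAT
]


def parse_rules(export):
    """Parse the 'add key=value ...' lines under /ip firewall filter into dicts."""
    rules = []
    section = None
    for line in export.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        rule = {}
        # shlex keeps quoted values such as comment="allow IKE" together
        for tok in shlex.split(line[4:]):
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rule_matches(rule, want):
    """True if the rule carries every wanted key/value; dst-port may be a comma list."""
    for key, value in want.items():
        have = rule.get(key)
        if have is None:
            return False
        if key == "dst-port":
            if value not in have.split(","):
                return False
        elif have != value:
            return False
    return True


def check_input_chain(export):
    """Return a list of problems found in chain=input; an empty list means it looks right."""
    rules = [r for r in parse_rules(export) if r.get("chain") == "input"]
    first_drop = next((i for i, r in enumerate(rules)
                       if r.get("action") in ("drop", "reject")), None)
    problems = []
    for want in REQUIRED:
        label = " ".join(f"{k}={v}" for k, v in want.items())
        idx = next((i for i, r in enumerate(rules)
                    if r.get("action") == "accept" and rule_matches(r, want)), None)
        if idx is None:
            problems.append(f"missing: accept chain=input {label}")
        elif first_drop is not None and idx > first_drop:
            problems.append(f"shadowed by drop at position {first_drop}: accept chain=input {label}")
    return problems


if __name__ == "__main__":
    for name, export in (("drop-first", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, "->", check_input_chain(export) or "ok")
```

Feed it the output of `/ip firewall filter export` from the router; a client that never gets past "did not respond" while the packet counters on port 500 climb is exactly the case where the accept rule exists but a drop above it wins.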

I followed several guides and experimented with changing many parameters. The only configuration I could show would be the very last one, if I had not erased it…