Hi everyone!
I would appreciate any help in trying to figure out how to make L2TP over IPSec work from OS X / iOS / Android to RouterOS. I have read carefully http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup and tried everything I could think of, but no luck.
From Android on LTE (with VPN set up as L2TP/IPSec PSK), it just says “Unsuccessful” and in the router log there’s this:
mar/09 21:16:38 l2tp,info first L2TP UDP packet received from 208.54.5.143
mar/09 21:17:08 ipsec,error phase1 negotiation failed due to time up <REDACTED>[500]<=>208.54.5.143[39651] 46c4187051d96c96:84c6820a29b4ce7d
From iOS on LTE (with VPN set up as L2TP), it says “the server did not respond” and a similar message in the router log:
mar/09 21:28:09 ipsec,error phase1 negotiation failed due to time up <REDACTED>[500]<=>172.56.30.230[22919] b42d9e6b6f8ae59f:0d5fa9c08b716d06
FWIW I have PPTP working fine from iOS / Android / OS X either on WiFi or LTE networks.
Thanks in advance!
PS: I don’t recall ever modifying anything in IPSec.
Router: CRS125-24G-1S-2HnD-IN
Firmware: 3.24
OS: v6.34.2
PPTP Server
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
L2TP Server
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
use-ipsec: yes
ipsec-secret: <REDACTED>
IP Addresses
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.1.1/24 192.168.1.0 ether2-master
1 D <REDACTED>/22 <REDACTED> WAN
DHCP
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 default LAN dhcp 1h
DHCP Network
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 192.168.1.0/24 192.168.1.1 192.168.1.1
Firewall Filters
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; Allow PPTP from WAN (TCP)
chain=input action=accept protocol=tcp in-interface=WAN dst-port=1723 log=no log-prefix=""
2 ;;; Allow PPTP from WAN (GRE)
chain=input action=accept protocol=gre in-interface=WAN log=no log-prefix=""
3 ;;; Allow L2TP from WAN (UDP)
chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500 log=no log-prefix=""
4 ;;; Allow L2TP from WAN (ESP)
chain=input action=accept protocol=ipsec-esp in-interface=WAN log=no log-prefix=""
5 ;;; Allow established and related connections from WAN
chain=input action=accept connection-state=established,related in-interface=WAN log=no log-prefix=""
6 ;;; Drop everything else from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""
7 ;;; See http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
8 ;;; See http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
chain=forward action=accept connection-state=established,related log=no log-prefix=""
9 ;;; Allow Foscam / NTP to WAN
chain=forward action=accept protocol=udp src-address-list=FOSCAM in-interface=LAN out-interface=WAN dst-port=123 log=no log-prefix=""
10 ;;; Drop Foscam / everything else to WAN
chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=FOSCAM in-interface=LAN out-interface=WAN log=no log-prefix=""
NAT (excluding dynamic from UPnP)
0 ;;; Masquerade VPN traffic
chain=srcnat action=masquerade src-address=192.168.1.200-192.168.1.249 log=no log-prefix=""
1 ;;; Source NAT
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
2 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp dst-address=192.168.1.10 out-interface=LAN dst-port=2012,6690,8383 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.1.10 protocol=tcp dst-address=192.168.1.1 in-interface=LAN dst-port=2012,6690,8383 log=no log-prefix=""
4 ;;; SFTP
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=2012 protocol=tcp in-interface=WAN dst-port=2012 log=no log-prefix=""
5 ;;; Cloud Station
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=6690 protocol=tcp in-interface=WAN dst-port=6690 log=no log-prefix=""
6 ;;; Comics
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8383 protocol=tcp in-interface=WAN dst-port=8383 log=no log-prefix=""
7 ;;; Surveillance Station
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=9901 protocol=tcp in-interface=WAN dst-port=9191 log=no log-prefix=""
8 ;;; Video Station
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=9008 protocol=tcp in-interface=WAN dst-port=9898 log=no log-prefix=""
9 ;;; Jenkins - Linux
chain=dstnat action=dst-nat to-addresses=192.168.1.83 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23248 log=no log-prefix=""
10 ;;; Jenkins - Apple
chain=dstnat action=dst-nat to-addresses=192.168.1.81 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23516 log=no log-prefix=""
11 ;;; Jenkins - Windows
chain=dstnat action=dst-nat to-addresses=192.168.1.82 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23745 log=no log-prefix=""
PPP Secrets
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 vpn any <REDACTED> default
PPP Profiles
Flags: * - default
0 * name="default" local-address=192.168.1.1 remote-address=vpn use-mpls=no use-compression=yes use-encryption=required only-one=no change-tcp-mss=yes use-upnp=no
address-list="" dns-server=192.168.1.1 on-up="" on-down=""
1 * name="default-encryption" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default
address-list="" on-up="" on-down=""
IP Pools
0 dhcp 192.168.1.100-192.168.1.199
1 vpn 192.168.1.200-192.168.1.249
IPSec Policies
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/32 protocol=all proposal=default template=yes
IPSec Peers
Flags: X - disabled, D - dynamic
0 D address=::/0 local-address=:: passive=yes port=500 auth-method=pre-shared-key secret="<REDACTED>" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
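Two things a reader would check first against the dump above are what the two "phase1 negotiation failed due to time up" lines actually say about the peers, and whether the input chain really lets IKE, NAT-T, L2TP and ESP in from WAN. The script below is an added example, not code from the poster, the thread or MikroTik: it parses the log lines and the input-chain rules exactly as printed in the post (the redacted router address is replaced by the documentation address 203.0.113.1, an assumption) and evaluates the chain first-match for a new packet, which is how RouterOS processes it. The regex for the log line is inferred from the three lines in the post, not from any documented RouterOS format. One fact it surfaces: both failing peers reached the router from UDP source ports other than 500 (39651 and 22919), which means a NAT device between the LTE handset and the router rewrote the port, so the UDP 4500 / NAT-T path is the one that matters for these clients.

```python
"""Checks for the L2TP/IPsec symptoms in the post (example code, not from the poster or MikroTik)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the log lines quoted in the post, with the redacted router
# address replaced by the documentation address 203.0.113.1 (an assumption).
ROUTER_LOG = """\
mar/09 21:16:38 l2tp,info first L2TP UDP packet received from 208.54.5.143
mar/09 21:17:08 ipsec,error phase1 negotiation failed due to time up 203.0.113.1[500]<=>208.54.5.143[39651] 46c4187051d96c96:84c6820a29b4ce7d
mar/09 21:28:09 ipsec,error phase1 negotiation failed due to time up 203.0.113.1[500]<=>172.56.30.230[22919] b42d9e6b6f8ae59f:0d5fa9c08b716d06
"""

# Constructed input: the input-chain rules from the post's firewall dump, in order.
INPUT_CHAIN = """\
chain=input action=accept protocol=tcp in-interface=WAN dst-port=1723
chain=input action=accept protocol=gre in-interface=WAN
chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500
chain=input action=accept protocol=ipsec-esp in-interface=WAN
chain=input action=accept connection-state=established,related in-interface=WAN
chain=input action=drop in-interface=WAN
"""

# Pattern inferred from the log lines in the post, not a documented RouterOS format.
PHASE1_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ipsec,error phase1 negotiation failed due to (?P<reason>.+?) "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<peer>[\d.]+)\[(?P<pport>\d+)\] "
    r"(?P<icookie>[0-9a-f]+):(?P<rcookie>[0-9a-f]+)$"
)


@dataclass
class Phase1Failure:
    ts: str
    reason: str
    peer: str
    peer_port: int
    nat_suspected: bool  # IKE uses UDP 500; any other source port means a NAT rewrote it


def parse_phase1_failures(log: str) -> List[Phase1Failure]:
    """Extract IKE phase 1 failures and flag peers that reached us from a non-500 port."""
    out = []
    for line in log.splitlines():
        m = PHASE1_RE.match(line)
        if m:
            port = int(m["pport"])
            out.append(Phase1Failure(m["ts"], m["reason"], m["peer"], port, port != 500))
    return out


def parse_rules(dump: str) -> List[Dict[str, str]]:
    """Turn 'key=value key=value' lines from '/ip firewall filter print' into dicts."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in dump.splitlines() if line.strip()]


def _port_in(spec: str, port: int) -> bool:
    """dst-port accepts comma lists and lo-hi ranges, e.g. '500,1701,4500' or '1024-65535'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def input_verdict(rules, proto: str, port: Optional[int], iface: str = "WAN") -> Optional[str]:
    """First-match walk of the input chain for a NEW packet (state-based rules never match)."""
    for r in rules:
        if r.get("chain") != "input" or "connection-state" in r:
            continue
        if r.get("in-interface", iface) != iface or r.get("protocol", proto) != proto:
            continue
        if "dst-port" in r and (port is None or not _port_in(r["dst-port"], port)):
            continue
        return r["action"]
    return None  # fell off the end of the chain: RouterOS default is accept


def l2tp_ipsec_input_check(rules) -> Dict[str, bool]:
    """Everything L2TP/IPsec needs inbound: IKE (500), NAT-T (4500), L2TP (1701) and raw ESP."""
    needed = {"ike udp/500": ("udp", 500), "nat-t udp/4500": ("udp", 4500),
              "l2tp udp/1701": ("udp", 1701), "esp": ("ipsec-esp", None)}
    return {name: input_verdict(rules, p, port) in ("accept", None)
            for name, (p, port) in needed.items()}


if __name__ == "__main__":
    for f in parse_phase1_failures(ROUTER_LOG):
        print(f"{f.ts} peer {f.peer}:{f.peer_port} {f.reason!r} nat_suspected={f.nat_suspected}")
    print(l2tp_ipsec_input_check(parse_rules(INPUT_CHAIN)))
```

Run against the post's own rules every entry comes back True, so the input chain is not what is dropping these clients; the check is still worth keeping because dropping the 4500 entry from the UDP rule (or moving the drop rule above it) flips the result, and that is the kind of ordering mistake that produces exactly this "time up" symptom on a NAT'd peer. The chain evaluation deliberately ignores the established,related rule, since the first IKE packet from a peer is always a new connection.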