glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Finally l2tp/ipsec is compatible with windows ... or almost

Mon Jan 14, 2008 5:34 pm

I have been trying to find a solution to connect to a MT router from Windows using the built-in L2TP client. From XP it was possible by turning off IPsec. This is not possible in Vista, however.

I have tried every possible scenario with RouterOS 2.9, but I think that it's not possible to connect the native Windows client to 2.9 with IPsec enabled, even though I see some vague mentions of success in these forums, but no details whatsoever, even though a lot of people are asking for them.

Finally I noticed, however, that 3.0 is able to receive connections from the native Windows clients with IPsec enabled. I only tried the pre-shared key option...

Before I go any further I want to say that I did find a problem, and maybe someone from MikroTik can help... The first connection is an immediate success, but after I log out I can log back in only 48 minutes later. I know why this is, but I don't know how to fix it (please read on).

So here is the scenario

--------------------------------
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=0.0.0.0/0:500 auth-method=pre-shared-key secret="xxxxx"
generate-policy=yes exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1m lifebytes=1024

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-128,aes-192,aes-256
lifetime=1m pfs-group=modp1024

[admin@MikroTik] > ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 glucz any xxxx default 192.168.1.235
--------------------------------


With these settings I can log into MikroTik via IPsec/L2TP using the pre-shared key. The required policy will generate and the SAs will install automatically:

--------------------------------
[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=192.168.1.118/32:any dst-address=192.168.1.234/32:any
protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=192.168.1.118 sa-dst-address=192.168.1.234
proposal=default priority=

[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xB393EA0 src-address=192.168.1.118 dst-address=192.168.1.234
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="0cced37bd18f267b7a176cb5deee371461e3fd84"
enc-key="a5687cdbb7906cd327033a5216aa5358" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=148828 lifebytes=0/0

1 E spi=0x72986528 src-address=192.168.1.234 dst-address=192.168.1.118
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="22134735906b7fce129d47ce31680ee85e1f075b"
enc-key="d5dd6af0827c8b31cbe5c643ee5394a9" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=133736 lifebytes=0/0
--------------------------------


The problem is that when I disconnect the L2TP connection in Windows, the SAs will not delete themselves from the MT router. I don't know whether they should delete, but I know that Windows will not be able to reconnect until they are gone.

Unfortunately SAs can't be deleted individually, only all at once using
ip ipsec installed-sa flush

at which point I'm able to log back in, but all other online ipsec enabled l2tp connections are destroyed as well.

I mentioned the 48 minutes reconnect time... this seems to be a random value, but in fact this is the default add-lifetime value above (soft limit), which cannot be changed at all. So either I wait 48 minutes or I flush the SAs and destroy everyone else's connection.

Can anyone tell me whether the SAs not going away is a bug or a feature? And if it's a feature, how can this mechanism be used properly with Windows?

Thank you
GL




PS: I have an old PC Engines WRAP board that reboots itself every time an IPsec connection is made, but I'm able to connect and use the L2TP/IPsec connection via MT x86 on an Athlon64-based PC... so I don't know what the status of this feature might be on different kinds of CPU.
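Added example, not part of the original post and not RouterOS code: a small Python parser for the `/ip ipsec installed-sa print` output shown above. Given the router's clock, it reports, per SA of one remote peer, how many seconds remain before the soft limit (the "48 minutes" in the post) and the hard limit (1h) of `add-lifetime`, so an admin can see whether waiting is an option before flushing every SA on the box. It also produces a redacted copy of each SA, since the raw dump contains the live `auth-key` and `enc-key` values and should not be pasted anywhere as-is. The sample text is copied from the output in the post; the "current time" passed to `report()` is an assumed value for the demonstration, and the field names are those RouterOS 3.x prints.

```python
"""Parse RouterOS `/ip ipsec installed-sa print` output and report remaining
SA lifetime for one peer. Added example; it assumes the print output has been
captured into a string (e.g. over SSH) and that the router clock is known."""
import re
from datetime import datetime, timedelta

# Copied from the `installed-sa print` output in the post above.
SAMPLE_SA_PRINT = """\
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0xB393EA0 src-address=192.168.1.118 dst-address=192.168.1.234
     auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="0cced37bd18f267b7a176cb5deee371461e3fd84"
     enc-key="a5687cdbb7906cd327033a5216aa5358" addtime=jan/14/2008 16:45:57
     add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
     current-bytes=148828 lifebytes=0/0

 1 E spi=0x72986528 src-address=192.168.1.234 dst-address=192.168.1.118
     auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="22134735906b7fce129d47ce31680ee85e1f075b"
     enc-key="d5dd6af0827c8b31cbe5c643ee5394a9" addtime=jan/14/2008 16:45:57
     add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
     current-bytes=133736 lifebytes=0/0
"""

# RouterOS timestamps ("jan/14/2008 16:45:57") contain a space, so they are
# matched before the generic non-space value.
_TIME_RE = r"[a-z]{3}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}"
_KV_RE = re.compile(r'([\w-]+)=("[^"]*"|%s|\S+)' % _TIME_RE)
_DUR_RE = re.compile(r"(\d+)([wdhms])")
_UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
SECRET_FIELDS = ("auth-key", "enc-key")


def parse_duration(text):
    """RouterOS duration ('48m', '1h', '0s', '1d2h3m4s') -> timedelta."""
    return timedelta(seconds=sum(int(n) * _UNIT[u] for n, u in _DUR_RE.findall(text)))


def parse_time(text):
    """RouterOS timestamp ('jan/14/2008 16:45:57') -> datetime."""
    return datetime.strptime(text, "%b/%d/%Y %H:%M:%S")


def parse_installed_sa(text):
    """One dict per SA: 'index', 'flags' and every key=value field printed."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith("Flags:"))
    sas = []
    for chunk in re.split(r"\n\s*\n", body.strip()):       # entries are blank-line separated
        head = chunk.split("=", 1)[0].split()                # e.g. ['0', 'E', 'spi']
        sa = {"index": int(head[0]), "flags": "".join(head[1:-1])}
        for key, val in _KV_RE.findall(chunk):
            sa[key] = val.strip('"')
        sas.append(sa)
    return sas


def sa_time_left(sa, now):
    """Seconds until the soft and hard add-lifetime expire (negative once past)."""
    now = parse_time(now) if isinstance(now, str) else now
    age = now - parse_time(sa["addtime"])
    soft, hard = (parse_duration(p) for p in sa["add-lifetime"].split("/"))
    return (soft - age).total_seconds(), (hard - age).total_seconds()


def sas_for_peer(sas, peer_ip):
    """Both directions of the SA pair that belong to one remote peer address."""
    return [sa for sa in sas if peer_ip in (sa.get("src-address"), sa.get("dst-address"))]


def redacted(sa):
    """Copy of an SA that is safe to paste into a ticket or forum post."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in sa.items()}


def report(text, peer_ip, now):
    """[(spi, state, soft_left_s, hard_left_s)] for every SA of `peer_ip`."""
    rows = []
    for sa in sas_for_peer(parse_installed_sa(text), peer_ip):
        soft, hard = sa_time_left(sa, now)
        rows.append((sa["spi"], sa["state"], soft, hard))
    return rows


if __name__ == "__main__":
    NOW = "jan/14/2008 17:00:00"   # assumed router clock for the demonstration
    for spi, state, soft, hard in report(SAMPLE_SA_PRINT, "192.168.1.118", NOW):
        print(f"{spi}: {state}, soft expiry in {soft / 60:.1f} min, hard expiry in {hard / 60:.1f} min")
    for sa in parse_installed_sa(SAMPLE_SA_PRINT):
        print(redacted(sa))
```

The soft value is what the post observed as the reconnect delay; the hard value is when the router will drop the SA by itself, so it is the longest an admin has to wait before the stale pair disappears without a flush. Feed the function the real output of `/ip ipsec installed-sa print` and the router's `/system clock print` time instead of the sample constants.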
 
redkurawa
just joined
Posts: 14
Joined: Sat Apr 15, 2006 4:13 am

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Thu Jan 17, 2008 6:00 am

hi,

Right now I use 2.4.50 and I can connect MikroTik to WinXP with L2TP and IPsec enabled.
 
glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Thu Jan 17, 2008 12:47 pm

I also read maybe one more post like yours saying that it's working, but there are no details regarding the setup or the server hardware type, not to mention the client type. This is why I tried to give a clear description of what I'm doing, so there would be a thread that can help set up a working system for both XP and Vista users.

I may have forgotten to write that what I detailed in the original post mostly applies to Vista. I just tested and I seem to be able to connect/reconnect to RouterOS v3 from XP with IPsec both disabled and enabled. So the original reconnect issue seems to be a problem mainly with Vista.

GL
 
changeip
Forum Guru
Posts: 3803
Joined: Fri May 28, 2004 5:22 pm

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Thu Jan 17, 2008 7:54 pm

hi,

Right now I use 2.4.50 and I can connect MikroTik to WinXP with L2TP and IPsec enabled.
Would you kindly post the XP configuration details as well as what's necessary on the RouterOS side?
 
redkurawa
just joined
Posts: 14
Joined: Sat Apr 15, 2006 4:13 am

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Fri Jan 18, 2008 1:25 pm

Would you kindly post the XP configuration details as well as what's necessary on the RouterOS side?
I have made a tutorial in the Indonesian language, but if you follow the pictures and MikroTik commands, I'm sure you can do it.

http://human.network.web.id/2008/01/15/ ... onnect-xp/

I plan to write it on wiki.mikrotik.com in English.
Last edited by redkurawa on Mon Jun 30, 2008 3:47 pm, edited 1 time in total.
 
jstaack
just joined
Posts: 1
Joined: Thu May 24, 2007 8:22 am

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Sat Jan 26, 2008 7:16 am

I have made a tutorial in the Indonesian language, but if you follow the pictures and MikroTik commands, I'm sure you can do it.

http://www.aquahobby.web.id/2008/01/15/ ... onnect-xp/

I plan to write it on wiki.mikrotik.com in English.
Your instructions worked for me. Thank you.
 
Rosacek
just joined
Posts: 7
Joined: Sun Apr 06, 2008 8:37 pm

Re: Finally l2tp/ipsec is compatible with windows ... or almost

Sat Oct 25, 2008 10:51 am

I have the same problem using L2TP/IPsec from Windows to MK 3.15.
XP works fine.
Vista SP1 can connect, but after disconnecting I cannot connect again until flushing the SAs, or I need to wait about 1 hour for SA expiration.
I played for two days with all the settings but nothing solved it.

Has anybody found the solution for Vista?

Maybe this could be the explanation why, but without a solution. Looks like the MikroTik guys should improve IPsec on their side:
http://support.microsoft.com/kb/942429/en-us
