 
inny007
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2019 10:17 am

L2TP with RADIUS

Wed Apr 10, 2019 10:52 am

Hi!

What I'm trying to achieve:
- VPN access to the local network (L2TP, IPSec)
- authentication by Active Directory accounts

What I have done so far:
- Created a RADIUS server on Windows Server 2019
- it is possible to connect via a 'standard' MikroTik account

What is not working:
- No access to the local network (from a device connected via VPN)
- No access to the internet (from a device connected via VPN)
- RADIUS is not working properly (I receive the message "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server")

I was using some tutorials, but every tutorial gave different advice. I'm not a network guy, just a developer who has to configure a simple company network. ;)

Here is the configuration; I would really appreciate your help fixing and setting it up.

AD/DNS Server: 192.168.7.70
Router IP: 192.168.7.1
/interface bridge
add admin-mac=74:4D:28:24:69:0B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=*** use-peer-dns=yes user=***
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=poland disabled=no distance=indoors frequency=2447 \
    frequency-mode=regulatory-domain mode=ap-bridge ssid=*** \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    *** wpa2-pre-shared-key=***
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.7.200-192.168.7.254
add name=VPN ranges=192.168.7.150-192.168.7.199
add name=VMs ranges=192.168.7.100-192.168.7.149
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=192.168.7.70 local-address=192.168.7.150 name=Vpn-clients \
    remote-address=VPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=Vpn-clients enabled=yes \
    ipsec-secret=test use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.7.1/24 comment=defconf interface=ether2 network=\
    192.168.7.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.7.0/24 comment=defconf gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.7.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 out-interface-list=WAN
/ip ssh
set allow-none-crypto=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=192.168.7.149 name=test password=test profile=\
    default-encryption remote-address=192.168.7.151
/radius
add address=192.168.7.70 called-id=192.168.7.70 domain=agilerolocal.pl \
    secret=AgileroSecret123 service=ppp src-address=192.168.7.1
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add topics=firewall
add topics=debug
add topics=l2tp
add topics=ipsec
add topics=l2tp
add topics=radius
add topics=ipsec,!packet
add topics=!pppoe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP with RADIUS

Wed Apr 10, 2019 11:44 am

For Mikrotik and Windows AD integration I used this tutorial
https://mivilisnet.wordpress.com/2018/1 ... indows-ad/
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP with RADIUS

Wed Apr 10, 2019 11:48 am

Unable to access LAN from VPN client
viewtopic.php?t=85962
 
inny007
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2019 10:17 am

Re: L2TP with RADIUS

Wed Apr 10, 2019 12:18 pm

Unable to access LAN from VPN client
viewtopic.php?t=85962
You are the best, now I have access to local resources.

I still have a problem with RADIUS. I used the same tutorial, but something is wrong.
When I open the RADIUS settings in WebFig, it shows Pending 0, Requests 0 etc., so it looks like a problem in the router's L2TP configuration.

EDIT:

Logs below:
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
13:12:54 l2tp,debug,packet     (M) Message-Type=SCCRQ 
13:12:54 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
13:12:54 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
13:12:54 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
13:12:54 l2tp,debug,packet     Firmware-Revision=0xa00 
13:12:54 l2tp,debug,packet     (M) Host-Name="AG1.domainlocal.pl" 
13:12:54 l2tp,debug,packet     Vendor-Name="Microsoft" 
13:12:54 l2tp,debug,packet     (M) Assigned-Tunnel-ID=21 
13:12:54 l2tp,debug,packet     (M) Receive-Window-Size=8 
13:12:54 l2tp,info first L2TP UDP packet received from 37.47.100.44 
13:12:54 l2tp,debug tunnel 62 entering state: wait-ctl-conn 
13:12:54 l2tp,debug,packet sent control message to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=0, nr=1 
13:12:54 l2tp,debug,packet     (M) Message-Type=SCCRP 
13:12:54 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
13:12:54 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
13:12:54 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
13:12:54 l2tp,debug,packet     Firmware-Revision=0x1 
13:12:54 l2tp,debug,packet     (M) Host-Name="MikroTik" 
13:12:54 l2tp,debug,packet     Vendor-Name="MikroTik" 
13:12:54 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62 
13:12:54 l2tp,debug,packet     (M) Receive-Window-Size=4 
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1 
13:12:54 l2tp,debug,packet     (M) Message-Type=SCCCN 
13:12:54 l2tp,debug tunnel 62 entering state: estabilished 
13:12:54 l2tp,debug,packet sent control message (ack) to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=1, nr=2 
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=2, nr=1 
13:12:54 l2tp,debug,packet     (M) Message-Type=ICRQ 
13:12:54 l2tp,debug,packet     (M) Assigned-Session-ID=1 
13:12:54 l2tp,debug,packet     (M) Call-Serial-Number=0 
13:12:54 l2tp,debug,packet     (M) Bearer-Type=0x2 
13:12:54 l2tp,debug,packet     1(vendor-id=311)=0xd0:a6:c5:c6:34:d0:da:40:b3:87:37:da:b8:f0:7b:d3 
13:12:54 l2tp,debug session 1 entering state: wait-connect 
13:12:54 l2tp,debug,packet sent control message to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=1, ns=1, nr=3 
13:12:54 l2tp,debug,packet     (M) Message-Type=ICRP 
13:12:54 l2tp,debug,packet     (M) Assigned-Session-ID=1 
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=1, ns=3, nr=2 
13:12:54 l2tp,debug,packet     (M) Message-Type=ICCN 
13:12:54 l2tp,debug,packet     (M) Tx-Connect-Speed-BPS=72200000 
13:12:54 l2tp,debug,packet     (M) Framing-Type=0x1 
13:12:54 l2tp,debug,packet     Proxy-Authen-Type=4 
13:12:54 l2tp,debug session 1 entering state: established 
13:12:54 l2tp,debug,packet sent control message (ack) to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=2, nr=4 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP lowerup 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP open 
13:12:54 l2tp,debug,packet rcvd control message (ack) from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=4, nr=2 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP ConfReq id=0x0 
13:12:54 l2tp,ppp,debug,packet    <mru 1400> 
13:12:54 l2tp,ppp,debug,packet    <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet    <pcomp> 
13:12:54 l2tp,ppp,debug,packet    <accomp> 
13:12:54 l2tp,ppp,debug,packet    <callback 0x06> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent LCP ConfReq id=0x1 
13:12:54 l2tp,ppp,debug,packet    <mru 1450> 
13:12:54 l2tp,ppp,debug,packet    <magic 0x4d427964> 
13:12:54 l2tp,ppp,debug,packet    <auth  mschap2> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent LCP ConfRej id=0x0 
13:12:54 l2tp,ppp,debug,packet    <pcomp> 
13:12:54 l2tp,ppp,debug,packet    <accomp> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP ConfAck id=0x1 
13:12:54 l2tp,ppp,debug,packet    <mru 1450> 
13:12:54 l2tp,ppp,debug,packet    <magic 0x4d427964> 
13:12:54 l2tp,ppp,debug,packet    <auth  mschap2> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP ConfReq id=0x1 
13:12:54 l2tp,ppp,debug,packet    <mru 1400> 
13:12:54 l2tp,ppp,debug,packet    <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet    <callback 0x06> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent LCP ConfAck id=0x1 
13:12:54 l2tp,ppp,debug,packet    <mru 1400> 
13:12:54 l2tp,ppp,debug,packet    <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet    <callback 0x06> 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP opened 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent CHAP Challenge id=0x1 
13:12:54 l2tp,ppp,debug,packet     <challenge len=16> 
13:12:54 l2tp,ppp,debug,packet     <name MikroTik> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP Ident id=0x3 
13:12:54 l2tp,ppp,debug,packet     <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet     MSRAS-0-AG1 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP Ident id=0x2 
13:12:54 l2tp,ppp,debug,packet     <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet     MSRASV5.20 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP Ident id=0x4 
13:12:54 l2tp,ppp,debug,packet     <magic 0x4a193c8f> 
13:12:54 l2tp,ppp,debug,packet     \D0\A6\C5\C64\D0\DA@\B3\877\DA\B8\F0{\D3 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd CHAP Response id=0x1 
13:12:54 l2tp,ppp,debug,packet     <response len=49> 
13:12:54 l2tp,ppp,debug,packet     <name DOMAINLOCAL\name.surname> 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent CHAP Failure id=0x1 
13:12:54 l2tp,ppp,debug,packet     E=691 R=0 C=E71055BFF1495C9F3A007C9A2212001D V=3 M=bad username or password 
13:12:54 l2tp,ppp,error <37.47.100.44>: user name.surname authentication failed - radius timeout 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP closed 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: sent LCP TermReq id=0x2 
13:12:54 l2tp,ppp,debug,packet     user name.surname authentication failed - radius timeout 
13:12:54 l2tp,ppp,debug,packet  <37.47.100.44>: rcvd LCP TermAck id=0x2 
13:12:54 l2tp,ppp,debug,packet     user name.surname authentication failed - radius timeout 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP lowerdown 
13:12:54 l2tp,ppp,debug <37.47.100.44>: CCP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: BCP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: IPCP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: IPV6CP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: MPLSCP close 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP lowerdown 
13:12:54 l2tp,ppp,debug <37.47.100.44>: LCP down event in initial state 
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=1, ns=4, nr=2 
13:12:54 l2tp,debug,packet     (M) Message-Type=CDN 
13:12:54 l2tp,debug,packet     (M) Result-Code=3 
13:12:54 l2tp,debug,packet         Error-Code=0 
13:12:54 l2tp,debug,packet     (M) Assigned-Session-ID=1 
13:12:54 l2tp,debug,packet sent control message (ack) to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=2, nr=5 
13:12:54 l2tp,debug session 1 entering state: stopping 
13:12:54 l2tp,debug session 1 entering state: dead 
13:12:54 l2tp,debug,packet sent control message to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=2, nr=5 
13:12:54 l2tp,debug,packet     (M) Message-Type=StopCCN 
13:12:54 l2tp,debug,packet     (M) Result-Code=1 
13:12:54 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62 
13:12:54 l2tp,debug tunnel 62 entering state: stopping 
13:12:54 l2tp,debug,packet rcvd control message from 37.47.100.44:1701 to 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=5, nr=2 
13:12:54 l2tp,debug,packet     (M) Message-Type=StopCCN 
13:12:54 l2tp,debug,packet     (M) Assigned-Tunnel-ID=21 
13:12:54 l2tp,debug,packet     (M) Result-Code=6 
13:12:54 l2tp,debug,packet         Error-Code=0 
13:12:54 l2tp,debug,packet sent control message (ack) to 37.47.100.44:1701 from 185.3.113.7:1701 
13:12:54 l2tp,debug,packet     tunnel-id=21, session-id=0, ns=3, nr=6 
13:12:54 l2tp,debug tunnel 62 entering state: dead 

So the radius timeout is the reason. How do I fix that?
 
inny007
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2019 10:17 am

Re: L2TP with RADIUS

Fri Apr 12, 2019 9:26 am

Can anyone help me?
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP with RADIUS

Fri Apr 12, 2019 10:22 am

If the L2TP client is Windows, run this command in an administrative command window (cmd -> run as administrator), then restart Windows:
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
 
inny007
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2019 10:17 am

Re: L2TP with RADIUS

Fri Apr 12, 2019 11:10 am

Thank you for your answer. Unfortunately nothing changed; when I try to log in, this appears in the log:
10:03:26 l2tp,ppp,debug,packet  <37.47.65.10>: rcvd CHAP Response id=0x1 
10:03:26 l2tp,ppp,debug,packet     <response len=49> 
10:03:26 l2tp,ppp,debug,packet     <name DOMAINLOCAL\name.surname> 
10:03:27 l2tp,ppp,debug,packet  <37.47.65.10>: sent CHAP Failure id=0x1 
10:03:27 l2tp,ppp,debug,packet     E=691 R=0 C=CE3A3E24935FBBC97F062DA010A1CF08 V=3 M=bad username or password 
10:03:27 l2tp,ppp,error <37.47.65.10>: user name.surname authentication failed - radius timeout 
10:03:27 l2tp,ppp,debug <37.47.65.10>: LCP close 
10:03:27 l2tp,ppp,debug <37.47.65.10>: LCP closed 
10:03:27 l2tp,ppp,debug,packet  <37.47.65.10>: sent LCP TermReq id=0x3 
10:03:27 l2tp,ppp,debug,packet     user name.surname authentication failed - radius timeout 
10:03:27 l2tp,ppp,debug,packet  <37.47.65.10>: rcvd LCP TermAck id=0x3 
10:03:27 l2tp,ppp,debug,packet     user name.surname authentication failed - radius timeout 
And none of the counters in the RADIUS tab increase.

I guess I found the reason: I can't ping my AD server (192.168.7.70) using UDP 1812/1813.

Could you help me create firewall rules?
 
inny007
just joined
Topic Author
Posts: 5
Joined: Wed Apr 10, 2019 10:17 am

Re: L2TP with RADIUS

Mon Apr 15, 2019 9:26 am

Can anyone help me?

It is really important for me to make it work, I ran out of ideas. :(
 
karlisi
Member
Posts: 438
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP with RADIUS

Mon Apr 15, 2019 5:46 pm

Try a simpler RADIUS configuration:
/radius
add address=192.168.7.70 secret=AgileroSecret123 service=ppp src-address=192.168.7.1

I can't ping my AD Server (192.168.7.70) using udp 1812/1813

Did you try this from the MikroTik?
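The "radius timeout" in the logs above means the router got no answer at all on UDP 1812, which is different from a wrong shared secret (NPS would still reply, but the reply would not verify). The following Python probe is an added example, not code from this thread or from MikroTik: it builds one PAP Access-Request exactly as RFC 2865 describes and classifies the outcome; the server address, shared secret and user name are placeholders you pass in.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute type codes

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2 password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    ra = authenticator or os.urandom(16)                     # Request Authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(header, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_is_authentic(reply, request_auth, secret):
    """False when the authenticator does not verify, i.e. the shared secrets differ."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if not 20 <= length <= len(reply):
        return False
    return response_authenticator(reply[:4], request_auth, reply[20:length], secret) == reply[4:20]

def probe(server, secret, user, password, nas_ip, timeout=3.0):
    """Send one PAP Access-Request to server:1812 and classify the outcome; 'timeout'
    (no reply at all) is the symptom in this thread: the request never reached the
    server, or the server discarded it silently (e.g. unknown RADIUS client)."""
    packet, ra = build_access_request(1, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if reply[1] != 1 or not response_is_authentic(reply, ra, secret):
        return "bad-secret"          # reply present, but not signed with our secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

Run `probe("192.168.7.70", b"<secret>", "user", "pw", "<this host's IP>")` from a LAN host; because the router negotiates MS-CHAPv2 while this sends PAP, an NPS policy may answer "reject", but any reply at all proves the server is reachable and registered with the matching secret, whereas "timeout" points at the path or the NPS client entry.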
