maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 1:06 pm

Hello everyone,

Just as the title says, I am unable to establish a VPN connection from my RB2011iLS-iN to an L2TP VPN server hosted on another MikroTik which I do not have access to, so I'm not sure about the model, but the server has ROS version 6.45.3, while my client is on 6.45.6.
The credentials and IPSec key are fine; I can connect to the VPN from a PC that is connected to the MikroTik via LAN cable. But on that same MikroTik I cannot establish the VPN tunnel.

This is the log file; if I hadn't disabled the connection at the end, it would have gone into an endless loop.
11:55:11 system,info,account user admin logged in via local
11:55:41 l2tp,ppp,info L2TP-Client: initializing...
11:55:41 l2tp,ppp,info L2TP-Client: connecting...
11:55:41 system,info device changed by admin 
11:55:44 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:55:45 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd 
11:56:08 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:08 l2tp,ppp,info L2TP-Client: disconnected
11:56:08 l2tp,ppp,info L2TP-Client: initializing...
11:56:08 l2tp,ppp,info L2TP-Client: connecting...
11:56:08 l2tp,ppp,info L2TP-Client: terminating... - old tunnel is not closed yet
11:56:08 l2tp,ppp,info L2TP-Client: disconnected
11:56:09 l2tp,ppp,info L2TP-Client: initializing...
11:56:09 l2tp,ppp,info L2TP-Client: connecting...
11:56:33 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:33 l2tp,ppp,info L2TP-Client: disconnected
11:56:33 l2tp,ppp,info L2TP-Client: initializing...
11:56:33 l2tp,ppp,info L2TP-Client: connecting...
11:56:57 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:57 l2tp,ppp,info L2TP-Client: disconnected
11:56:58 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd rekey:1 
11:56:59 l2tp,ppp,info L2TP-Client: initializing...
11:56:59 l2tp,ppp,info L2TP-Client: connecting...
11:57:02 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:57:04 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:34b830b855bcde16:c8bb5d3958e91cf6 
11:57:26 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:57:26 l2tp,ppp,info L2TP-Client: disconnected
11:57:27 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:34b830b855bcde16:c8bb5d3958e91cf6 rekey:1 
11:57:29 l2tp,ppp,info L2TP-Client: initializing...
11:57:29 l2tp,ppp,info L2TP-Client: connecting...
11:57:32 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500] 
11:57:34 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:1bb7eeeca022284e:72a3b896a65a993e 
11:57:45 l2tp,ppp,info L2TP-Client: terminating...
11:57:45 l2tp,ppp,info L2TP-Client: disabled
11:57:45 system,info device changed by admin 
11:57:46 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:1bb7eeeca022284e:72a3b896a65a993e rekey:1
Any help would be greatly appreciated on this! Thanks in advance.
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 1:22 pm

11:56:08 l2tp,ppp,info L2TP-Client: terminating... - old tunnel is not closed yet

Do you have an open connection on your PC?
You must close it first.
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 6:01 pm

I have made sure that I had the connection closed. And it definitely was closed when I was trying to connect to that VPN.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 6:15 pm

Ensure the server side has firewall open for IPSEC-ESP. As you are going through NAT it may be that NAT-T isn't working correctly.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 7:17 pm

Make sure UDP ports 500,4500 and 1701 are open on your server...
Double check your ipsec secret....
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 7:47 pm

Steveocee wrote: Ensure the server side has firewall open for IPSEC-ESP. As you are going through NAT it may be that NAT-T isn't working correctly.

But I can connect from a laptop from the same place just fine. So it should be OK. Right?
The setup is like this:
MikroTik VPN SERVER < - - - - - - - < INTERNET > - - - - - - - < Company Router > - - - - - - - < Office MikroTik + laptop and other devices connected to it via Ethernet >
When I initiate an L2TP connection from the laptop to the MikroTik VPN server on the other side, it works fine. The packet will go through the Office MikroTik, then get NAT-ed and go outside of the Company Router.
Why then wouldn't it work from the Office MikroTik as L2TP client?

Zacharias wrote: Make sure UDP ports 500,4500 and 1701 are open on your server...
Double check your ipsec secret....

They are open, at least they should be since I can establish a connection just fine via laptop, but not from the MikroTik.
The IPSec secret is OK, double-checked that multiple times.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Mon Sep 30, 2019 8:09 pm

Under L2TP server, is IPsec set to required or yes?
Yes means the client can connect without IPsec, while on required the client must provide the IPsec key...

Test it on both...
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 1:23 am

I'm not sure about the settings on the server since I do not have access to it. But if I remove the IPSec key from the VPN config on a laptop, the connection will fail. So it has to be set to required.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 1:43 am

Ask for the log of the L2TP server the time you try to connect...
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 2:01 am

I actually asked for a log a couple of days ago when I noticed this issue on the MT.
This is from the other side; I will have to type it in manually since I got a screenshot instead of a paste.
ipsec, error <src ip addr> failed to pre-process ph2 packet
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error no suitable proposals found
ipsec, error <src ip addr> failed to pre-process ph2 packet
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, error <src ip addr> peer sent packet for dead phase2
ipsec, info purging ISAKMP-SA <dst.ip> <=> <src ip addr> spi ...
ipsec, info ISAKMP-SA deleted .....
I will attach a screenshot of the log with sensitive info blurred, but as far as I understood that's pretty much it; it goes into a loop since my MT constantly keeps on retrying. But I doubt that it could be something on the server side since I can connect from a laptop? Am I missing something?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 2:23 pm

As you can see the problem is with IPsec...
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 3:59 pm

OK, but what exactly with IPSec? The key set on the MikroTik device is exactly the same as the one I've set on the laptop. All client configuration:
- Server IP
- Username
- Password
- IPSec Key
is consistent between the L2TP config on the laptop and the L2TP-Client config on my MikroTik. So what exactly is the problem with IPSec? How do I figure that out? What is different about the L2TP client on the MikroTik compared to the one on the laptop (OS: Fedora 29)?
 
maretodoric
newbie
Topic Author
Posts: 31
Joined: Thu Aug 01, 2019 10:35 am

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 4:42 pm

OK, I had to do some deeper troubleshooting. I've enabled "ipsec,!debug" logging on my MT and found this inside the logs:
fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted.

So I've checked the debug logs on a laptop to see the negotiation and found that the connection was established using 3des-aes128 with modp2048 PFS Group. On the MT client, by default it was set to modp1024 PFS Group and no 3des. After making those changes, I have managed to establish a connection to the VPN! Thanks for giving a helping hand everyone :)
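
The failure pattern in this thread (phase 1 comes up, L2TP never does, and the other side complains about proposals) can be picked out of the logs mechanically. The following is an added example, not part of any post above: the function name `triage` is hypothetical, and the sample is constructed by abridging the client log and one server log line quoted in the thread.

```python
import re

# Constructed sample: abridged from the client log and one server log line in this thread.
SAMPLE = """\
11:55:44 ipsec,info initiate new phase 1 (Identity Protection): 192.168.226.11[500]<=>66.77.88.99[500]
11:55:45 ipsec,info ISAKMP-SA established 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd
11:56:08 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:33 l2tp,ppp,info L2TP-Client: terminating... - session closed
11:56:58 ipsec,info ISAKMP-SA deleted 192.168.226.11[4500]-66.77.88.99[4500] spi:714163d51181b8e5:d11180f6534519dd rekey:1
ipsec, error no suitable proposals found
""".splitlines()

# Groups: 1 = event, 2 = local IKE port, 3 = SPI pair identifying the phase 1 SA.
SA = re.compile(r"ISAKMP-SA (established|deleted) [\d.]+\[(\d+)\]-[\d.]+\[\d+\] "
                r"spi:([0-9a-f]+:[0-9a-f]+)")
PROPOSAL_MARKERS = ("no suitable proposals found", "NO-PROPOSAL-CHOSEN")

def triage(lines):
    """Report each phase 1 SA that was torn down after L2TP failed under it."""
    proposal_error = any(mark in line for line in lines for mark in PROPOSAL_MARKERS)
    live, findings = {}, []
    for line in lines:
        m = SA.search(line)
        if m and m.group(1) == "established":
            # IKE on UDP 4500 means both peers detected NAT and switched to NAT-T.
            live[m.group(3)] = {"spi": m.group(3), "nat_t": m.group(2) == "4500",
                                "l2tp_failures": 0}
        elif m and m.group(3) in live:
            sa = live.pop(m.group(3))
            if sa["l2tp_failures"]:
                # Phase 1 succeeded, so the pre-shared key is not the problem.
                sa["cause"] = ("phase 2 proposal mismatch" if proposal_error
                               else "phase 2 or ESP path failure")
                findings.append(sa)
        elif "L2TP-Client: terminating... - session closed" in line:
            for sa in live.values():
                sa["l2tp_failures"] += 1
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
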
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP (IPSec) connection fails from MikroTik Client to MikroTik Server

Tue Oct 01, 2019 6:19 pm

maretodoric wrote: So I've checked the debug logs on a laptop to see the negotiation and found that the connection was established using 3des-aes128 with modp2048 PFS Group. On the MT client, by default it was set to modp1024 PFS Group and no 3des. After making those changes, I have managed to establish a connection to the VPN! Thanks for giving a helping hand everyone :)

Great to know :D :D