allogic
just joined
Topic Author
Posts: 4
Joined: Tue Jan 12, 2021 3:06 pm

Issue with ANY VPN Server attempt for home/remote access.

Sat May 29, 2021 9:05 am

Hi all,

Love the work you're all doing here ;)

So... I have this issue where, no matter which VPN configuration I use, I cannot get more than 1 packet showing in the firewall.

(I'm aware that PPTP is not secure; once I can get further than this, everything will be changed to L2TP.)

Debug log shows:
07:21:55 pptp,info TCP connection established from 80.241.242.16
07:21:56 pptp,debug,packet rcvd Start-Control-Connection-Request from 80.241.242.16
07:21:56 pptp,debug,packet protocol-version=0x0100
07:21:56 pptp,debug,packet framing-capabilities=3
07:21:56 pptp,debug,packet bearer-capabilities=3
07:21:56 pptp,debug,packet maximum-channels=1
07:21:56 pptp,debug,packet firmware-revision=0
07:21:56 pptp,debug,packet host-name=anonymous
07:21:56 pptp,debug,packet vendor-name=
07:21:56 pptp,debug,packet sent Start-Control-Connection-Reply to 80.241.242.16
07:21:56 pptp,debug,packet protocol-version=0x0100
07:21:56 pptp,debug,packet result-code=1
07:21:56 pptp,debug,packet error-code=0
07:21:56 pptp,debug,packet framing-capabilities=2
07:21:56 pptp,debug,packet bearer-capabilities=0
07:21:56 pptp,debug,packet maximum-channels=0
07:21:56 pptp,debug,packet firmware-revision=1
07:21:56 pptp,debug,packet host-name=MikroTik
07:21:56 pptp,debug,packet vendor-name=MikroTik
07:21:56 pptp,debug,packet rcvd Outgoing-Call-Request from 80.241.242.16
07:21:56 pptp,debug,packet call-id=38518
07:21:56 pptp,debug,packet call-serial-number=30547
07:21:56 pptp,debug,packet minimum-bps=1000
07:21:56 pptp,debug,packet maximum-bps=100000000
07:21:56 pptp,debug,packet bearer-type=3
07:21:56 pptp,debug,packet framing-type=3
07:21:56 pptp,debug,packet packet-recv-window-size=8192
07:21:56 pptp,debug,packet packet-processing-delay=0
07:21:56 pptp,debug,packet phone-number-length=0
07:21:56 pptp,debug,packet phone-number=
07:21:56 pptp,debug,packet subaddress=
07:21:56 pptp,ppp,debug <0>: LCP lowerup
07:21:56 pptp,ppp,debug <0>: LCP open
07:21:56 pptp,debug,packet sent Outgoing-Call-Reply to 80.241.242.16
07:21:56 pptp,debug,packet call-id=0
07:21:56 pptp,debug,packet peers-call-id=38518
07:21:56 pptp,debug,packet result-code=1
07:21:56 pptp,debug,packet error-code=0
07:21:56 pptp,debug,packet cause-code=0
07:21:56 pptp,debug,packet connect-speed=100000
07:21:56 pptp,debug,packet packet-recv-window-size=100
07:21:56 pptp,debug,packet packet-processing-delay=0
07:21:56 pptp,debug,packet physical-channel-id=0

07:21:56 firewall,info my-pptp input: in:t-mobile out:(unknown 0), src-mac 00:0e:00:00:00:04, proto TCP (SYN), 80.241.242.16:38518->192.168.2.254:1723, NAT 80.241.242.16:38518->(xx.xx.189.108:1723->192.168.2.254:1723), len 60

07:21:56 pptp,ppp,debug <0>: LCP timer
07:21:56 pptp,ppp,debug,packet <0>: sent LCP ConfReq id=0x1
07:21:56 pptp,ppp,debug,packet <mru 1430>
07:21:56 pptp,ppp,debug,packet <magic 0x4d4c27d4>
07:21:56 pptp,ppp,debug,packet <auth mschap2>
07:21:58 pptp,ppp,debug <0>: LCP timer
07:21:58 pptp,ppp,debug,packet <0>: sent LCP ConfReq id=0x2
07:21:58 pptp,ppp,debug,packet <mru 1430>
07:21:58 pptp,ppp,debug,packet <magic 0x4d4c27d4>
07:21:58 pptp,ppp,debug,packet <auth mschap2>
07:21:59 pptp,ppp,debug <0>: LCP timer
07:21:59 pptp,ppp,debug,packet <0>: sent LCP ConfReq id=0x3
07:21:59 pptp,ppp,debug,packet <mru 1430>
07:21:59 pptp,ppp,debug,packet <magic 0x4d4c27d4>
07:21:59 pptp,ppp,debug,packet <auth mschap2>

*then normal operations*

07:21:59 dns,packet --- got query from 192.168.2.8:18164:
07:21:59 dns,packet id:c295 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
07:21:59 dns,packet question: desktop.tidal.com:A:IN

My filter rule shows 60 bytes received and 1 packet. Nothing else.

The funny thing is that if I connect to my Wi-Fi and try the same connection from my phone, the PPTP profile connects with no problem; see below.
07:22:36 pptp,info TCP connection established from 192.168.2.12
07:22:36 pptp,debug,packet rcvd Start-Control-Connection-Request from 192.168.2.12
07:22:36 pptp,debug,packet protocol-version=0x0100
07:22:36 pptp,debug,packet framing-capabilities=3
07:22:36 pptp,debug,packet bearer-capabilities=3
07:22:36 pptp,debug,packet maximum-channels=1
07:22:36 pptp,debug,packet firmware-revision=0
07:22:36 pptp,debug,packet host-name=anonymous
07:22:36 pptp,debug,packet vendor-name=
07:22:36 pptp,debug,packet sent Start-Control-Connection-Reply to 192.168.2.12
07:22:36 pptp,debug,packet protocol-version=0x0100
07:22:36 pptp,debug,packet result-code=1
07:22:36 pptp,debug,packet error-code=0
07:22:36 pptp,debug,packet framing-capabilities=2
07:22:36 pptp,debug,packet bearer-capabilities=0
07:22:36 pptp,debug,packet maximum-channels=0
07:22:36 pptp,debug,packet firmware-revision=1
07:22:36 pptp,debug,packet host-name=MikroTik
07:22:36 pptp,debug,packet vendor-name=MikroTik
07:22:36 pptp,debug,packet rcvd Outgoing-Call-Request from 192.168.2.12
07:22:36 pptp,debug,packet call-id=46422
07:22:36 pptp,debug,packet call-serial-number=19673
07:22:36 pptp,debug,packet minimum-bps=1000
07:22:36 pptp,debug,packet maximum-bps=100000000
07:22:36 pptp,debug,packet bearer-type=3
07:22:36 pptp,debug,packet framing-type=3
07:22:36 pptp,debug,packet packet-recv-window-size=8192
07:22:36 pptp,debug,packet packet-processing-delay=0
07:22:36 pptp,debug,packet phone-number-length=0
07:22:36 pptp,debug,packet phone-number=
07:22:36 pptp,debug,packet subaddress=
07:22:36 pptp,ppp,debug <2>: LCP lowerup
07:22:36 pptp,ppp,debug <2>: LCP open
07:22:36 pptp,debug,packet sent Outgoing-Call-Reply to 192.168.2.12
07:22:36 pptp,debug,packet call-id=2
07:22:36 pptp,debug,packet peers-call-id=46422
07:22:36 pptp,debug,packet result-code=1
07:22:36 pptp,debug,packet error-code=0
07:22:36 pptp,debug,packet cause-code=0
07:22:36 pptp,debug,packet connect-speed=100000
07:22:36 pptp,debug,packet packet-recv-window-size=100
07:22:36 pptp,debug,packet packet-processing-delay=0
07:22:36 pptp,debug,packet physical-channel-id=0
07:22:36 pptp,ppp,debug,packet <2>: rcvd LCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <mru 1400>
07:22:36 pptp,ppp,debug,packet <asyncmap 0x0>
07:22:36 pptp,ppp,debug,packet <magic 0x138b5052>
07:22:36 pptp,ppp,debug,packet <pcomp>
07:22:36 pptp,ppp,debug,packet <accomp>
07:22:36 pptp,ppp,debug,packet <2>: sent LCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <mru 1430>
07:22:36 pptp,ppp,debug,packet <magic 0x2d520cf9>
07:22:36 pptp,ppp,debug,packet <auth mschap2>
07:22:36 pptp,ppp,debug,packet <2>: sent LCP ConfRej id=0x1
07:22:36 pptp,ppp,debug,packet <asyncmap 0x0>
07:22:36 pptp,ppp,debug,packet <pcomp>
07:22:36 pptp,ppp,debug,packet <accomp>
07:22:36 pptp,ppp,debug,packet <2>: rcvd LCP ConfAck id=0x1
07:22:36 pptp,ppp,debug,packet <mru 1430>
07:22:36 pptp,ppp,debug,packet <magic 0x2d520cf9>
07:22:36 pptp,ppp,debug,packet <auth mschap2>
07:22:36 pptp,ppp,debug,packet <2>: rcvd LCP ConfReq id=0x2
07:22:36 pptp,ppp,debug,packet <mru 1400>
07:22:36 pptp,ppp,debug,packet <magic 0x138b5052>
07:22:36 pptp,ppp,debug,packet <2>: sent LCP ConfAck id=0x2
07:22:36 pptp,ppp,debug,packet <mru 1400>
07:22:36 pptp,ppp,debug,packet <magic 0x138b5052>
07:22:36 pptp,ppp,debug <2>: LCP opened
07:22:36 pptp,ppp,debug,packet <2>: sent CHAP Challenge id=0x1
07:22:36 pptp,ppp,debug,packet <challenge len=16>
07:22:36 pptp,ppp,debug,packet <name MikroTik>
07:22:36 pptp,ppp,debug,packet <2>: rcvd CHAP Response id=0x1
07:22:36 pptp,ppp,debug,packet <response len=49>
07:22:36 pptp,ppp,debug,packet <name vpn>
07:22:36 pptp,ppp,info,account vpn logged in, 192.168.2.76 from 192.168.2.12
07:22:36 pptp,ppp,debug,packet <2>: sent CHAP Success id=0x1
07:22:36 pptp,ppp,debug,packet S=F8CCBBC0B33B3997062AEB87FD0B23CC1A11A567
07:22:36 pptp,ppp,info pptp-in1: authenticated
07:22:36 pptp,ppp,debug <2>: IPCP lowerup
07:22:36 pptp,ppp,debug <2>: IPCP open
07:22:36 pptp,ppp,debug,packet <2>: sent IPCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <addr 192.168.2.75>
07:22:36 pptp,ppp,debug <2>: IPV6CP open
07:22:36 pptp,ppp,debug <2>: MPLSCP lowerup
07:22:36 pptp,ppp,debug <2>: MPLSCP open
07:22:36 pptp,ppp,debug,packet <2>: sent MPLSCP ConfReq id=0x1
07:22:36 pptp,ppp,debug <2>: BCP open
07:22:36 pptp,ppp,debug <2>: CCP lowerup
07:22:36 pptp,ppp,debug <2>: CCP open
07:22:36 pptp,ppp,debug,packet <2>: sent CCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <mppe 1000040>
07:22:36 pptp,ppp,debug,packet <2>: rcvd LCP ProtRej id=0x3
07:22:36 pptp,ppp,debug,packet 82 81 01 01 00 04
07:22:36 pptp,ppp,debug,packet <2>: rcvd CCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <mppe 1000060>
07:22:36 pptp,ppp,debug,packet <2>: sent CCP ConfNak id=0x1
07:22:36 pptp,ppp,debug,packet <mppe 1000040>
07:22:36 pptp,ppp,debug,packet <2>: rcvd IPCP TermAck id=0x1
07:22:36 pptp,ppp,debug,packet <2>: rcvd CCP ConfAck id=0x1
07:22:36 pptp,ppp,debug,packet <mppe 1000040>
07:22:36 pptp,ppp,debug,packet <2>: rcvd CCP ConfReq id=0x2
07:22:36 pptp,ppp,debug,packet <mppe 1000040>
07:22:36 pptp,ppp,debug,packet <2>: sent CCP ConfAck id=0x2
07:22:36 pptp,ppp,debug,packet <mppe 1000040>
07:22:36 pptp,ppp,debug <2>: CCP opened
07:22:36 pptp,ppp,info pptp-in1: using encoding - MPPE128 stateless
07:22:36 pptp,ppp,debug,packet <2>: rcvd IPCP ConfReq id=0x1
07:22:36 pptp,ppp,debug,packet <addr 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <comp VJ f 1>
07:22:36 pptp,ppp,debug,packet <ms-dns 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <ms-dns 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <2>: sent IPCP ConfRej id=0x1
07:22:36 pptp,ppp,debug,packet <comp VJ f 1>
07:22:36 pptp,ppp,debug,packet <ms-dns 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <2>: rcvd IPCP ConfReq id=0x2
07:22:36 pptp,ppp,debug,packet <addr 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <ms-dns 0.0.0.0>
07:22:36 pptp,ppp,debug,packet <2>: sent IPCP ConfNak id=0x2
07:22:36 pptp,ppp,debug,packet <addr 192.168.2.76>
07:22:36 pptp,ppp,debug,packet <ms-dns 192.168.2.254>
07:22:36 pptp,ppp,debug,packet <2>: rcvd IPCP ConfReq id=0x3
07:22:36 pptp,ppp,debug,packet <addr 192.168.2.76>
07:22:36 pptp,ppp,debug,packet <ms-dns 192.168.2.254>
07:22:36 pptp,ppp,debug,packet <2>: sent IPCP ConfAck id=0x3
07:22:36 pptp,ppp,debug,packet <addr 192.168.2.76>
07:22:36 pptp,ppp,debug,packet <ms-dns 192.168.2.254>
07:22:36 firewall,info my-pptp input: in:bridge out:(unknown 0), src-mac 4e:0f:6c:f0:06:5d, proto TCP (SYN), 192.168.2.12:46422->192.168.2.254:1723, NAT 192.168.2.12:46422->(xx.xx.189.108:1723->192.168.2.254:1723), len 60
07:22:37 pptp,ppp,debug <2>: IPCP timer
07:22:37 pptp,ppp,debug,packet <2>: sent IPCP ConfReq id=0x2
07:22:37 pptp,ppp,debug,packet <addr 192.168.2.75>
07:22:37 pptp,ppp,debug,packet <2>: rcvd IPCP ConfAck id=0x2
07:22:37 pptp,ppp,debug,packet <addr 192.168.2.75>
07:22:37 pptp,ppp,debug <2>: IPCP opened
07:22:37 pptp,ppp,info pptp-in1: connected

07:22:40 pptp,ppp,debug,packet <2>: rcvd LCP TermReq id=0x4
07:22:40 pptp,ppp,debug,packet MPPE disabled
07:22:40 pptp,ppp,debug <2>: LCP closed
07:22:40 pptp,ppp,debug <2>: CCP lowerdown
07:22:40 pptp,ppp,debug <2>: CCP closed
07:22:40 pptp,ppp,debug <2>: BCP lowerdown
07:22:40 pptp,ppp,debug <2>: BCP down event in starting state
07:22:40 pptp,ppp,debug <2>: IPCP lowerdown
07:22:40 pptp,ppp,debug <2>: IPCP closed
07:22:40 pptp,ppp,debug <2>: IPV6CP lowerdown
07:22:40 pptp,ppp,debug <2>: IPV6CP down event in starting state
07:22:40 pptp,ppp,debug <2>: MPLSCP lowerdown
07:22:40 pptp,ppp,debug,packet <2>: sent LCP TermAck id=0x4
07:22:40 pptp,ppp,debug <2>: LCP lowerdown
07:22:40 pptp,ppp,debug <2>: CCP close
07:22:40 pptp,ppp,debug <2>: BCP close
07:22:40 pptp,ppp,debug <2>: IPCP close
07:22:40 pptp,ppp,debug <2>: IPV6CP close
07:22:40 pptp,ppp,debug <2>: MPLSCP close
07:22:40 pptp,ppp,info pptp-in1: terminating...
07:22:40 pptp,ppp,debug <2>: LCP lowerdown
07:22:40 pptp,ppp,debug <2>: LCP down event in starting state
07:22:40 pptp,ppp,info,account vpn logged out, 4 6393 6145 57 43 from 192.168.2.12
07:22:40 pptp,ppp,info pptp-in1: disconnected

My firewall rules are pretty basic.
Flags: X - disabled, I - invalid, D - dynamic
D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""

X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

X ;;; Accept PPTP from outside
chain=input action=accept protocol=tcp dst-port=1723 log=yes log-prefix="my-pptp"

X ;;; Allow L2TP VPN
chain=input action=accept protocol=udp port=500,1701,4500 log=yes log-prefix="vpn-in"

X ;;; Allow IPsec ESP
chain=input action=accept protocol=ipsec-esp log=yes log-prefix="vpn-in"

X ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500

;;; allow IKE
chain=input action=accept protocol=udp dst-port=500

X chain=input action=accept protocol=gre log=no log-prefix=""

;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Any help would greatly be appreciated!
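An added example, not the poster's configuration nor any MikroTik tool: a small simulator of RouterOS first-match filter evaluation, run over the input-chain rules copied from the post. It is here because the visible difference between the two attempts sits in the PPP layer, not in the TCP control channel: from 80.241.242.16 the router sends LCP ConfReq three times (id 0x1 to 0x3) and never logs a received LCP frame, while from 192.168.2.12 it receives the client's ConfReq immediately. PPP over PPTP travels inside GRE (IP protocol 47, a separate flow from TCP/1723), and in the posted dump the only GRE accept rule carries the X (disabled) flag, so "drop all not coming from LAN" is the first match for GRE arriving on a non-LAN interface. The same drop rule is also the first match for a new TCP/1723 packet in the dump as posted, because "Accept PPTP from outside" is flagged X there too (the my-pptp log line shows that rule was enabled when the log was captured). Assumptions made by the simulator: interface-list membership of the ingress interface is supplied by hand (t-mobile treated as WAN, bridge as LAN); GRE is evaluated as connection-state=new, the pessimistic case, since whether a conntrack helper would mark it related is not visible in the post; `port=` is matched against the destination port only; a packet that reaches the end of a chain without a match is accepted, which is the RouterOS default; matchers not present in the dump are treated as non-matches.

```python
"""Simulate RouterOS first-match evaluation of the input chain for a PPTP client.

Added example (not the poster's dump as a whole, not MikroTik code). Parses the
'/ip firewall filter print' layout seen in the post (flag letters, ';;;' comment
lines, one 'chain=... action=...' line per rule) and walks the chain: enabled rules
in order, first match decides, passthrough continues, no match means accept.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Input-chain rules copied from the post, blank lines removed (X = disabled).
RULE_DUMP = """\
Flags: X - disabled, I - invalid, D - dynamic
;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""
X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
X ;;; Accept PPTP from outside
chain=input action=accept protocol=tcp dst-port=1723 log=yes log-prefix="my-pptp"
X ;;; Allow L2TP VPN
chain=input action=accept protocol=udp port=500,1701,4500 log=yes log-prefix="vpn-in"
X ;;; Allow IPsec ESP
chain=input action=accept protocol=ipsec-esp log=yes log-prefix="vpn-in"
X ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500
;;; allow IKE
chain=input action=accept protocol=udp dst-port=500
X chain=input action=accept protocol=gre log=no log-prefix=""
;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
"""

MODELLED = {"protocol", "dst-port", "port", "connection-state", "in-interface-list", "dst-address"}
IGNORED = {"chain", "action", "log", "log-prefix"}  # not packet matchers

@dataclass
class Rule:
    disabled: bool
    comment: str
    props: dict

@dataclass
class Packet:
    protocol: str                  # tcp, udp, gre, icmp, ipsec-esp
    dst_port: Optional[int] = None
    connection_state: str = "new"
    in_lists: set = field(default_factory=set)  # interface lists the ingress interface is in
    dst_address: str = ""

def parse_rules(text):
    rules, flag_disabled, comment = [], False, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        disabled = line.startswith("X ")
        if line[:2] in ("X ", "D ", "I "):       # flag column may precede a comment or a rule
            line = line[2:].strip()
        if line.startswith(";;;"):               # comment line belongs to the following rule
            flag_disabled, comment = disabled, line[3:].strip()
            continue
        props = dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line))
        rules.append(Rule(disabled or flag_disabled, comment, props))
        flag_disabled, comment = False, ""
    return rules

def _in_list(spec, lists):
    """'!LAN' matches when the interface is NOT in LAN; 'LAN' when it is."""
    return (spec.lstrip("!") in lists) != spec.startswith("!")

def rule_matches(rule, pkt):
    for key, val in rule.props.items():
        if key in IGNORED:
            continue
        if key not in MODELLED:                  # unknown matcher: conservative non-match
            return False
        if key == "protocol" and val != pkt.protocol:
            return False
        if key in ("dst-port", "port") and pkt.dst_port not in {int(p) for p in val.split(",")}:
            return False                         # 'port' also matches src port on RouterOS; dst only here
        if key == "connection-state" and pkt.connection_state not in val.split(","):
            return False
        if key == "in-interface-list" and not _in_list(val, pkt.in_lists):
            return False
        if key == "dst-address" and val != pkt.dst_address:
            return False
    return True

def evaluate(rules, chain, pkt):
    """(action, comment) of the first matching enabled rule; passthrough keeps walking."""
    for r in rules:
        if r.disabled or r.props.get("chain") != chain or not rule_matches(r, pkt):
            continue
        if r.props.get("action") != "passthrough":
            return r.props["action"], r.comment
    return "accept", "(no rule matched: implicit accept)"

def pptp_report(rules):
    """What the input chain does with both halves of a PPTP session, from WAN and from LAN."""
    checks = {
        "wan tcp/1723 new": Packet("tcp", 1723, "new", {"WAN"}),
        "wan tcp/1723 est": Packet("tcp", 1723, "established", {"WAN"}),
        "wan gre new":      Packet("gre", None, "new", {"WAN"}),   # assumption: not helper-related
        "lan gre new":      Packet("gre", None, "new", {"LAN"}),
    }
    return {name: evaluate(rules, "input", pkt) for name, pkt in checks.items()}

def enable(rules, predicate):
    """Copy of the rule list with every rule satisfying predicate switched on."""
    return [Rule(r.disabled and not predicate(r), r.comment, r.props) for r in rules]

if __name__ == "__main__":
    rules = parse_rules(RULE_DUMP)
    for name, (action, why) in pptp_report(rules).items():
        print(f"{name:18} -> {action:6} {why}")
    fixed = enable(rules, lambda r: r.props.get("protocol") == "gre")
    print("GRE rule enabled, wan gre new ->", evaluate(fixed, "input", Packet("gre", None, "new", {"WAN"}))[0])
```

Running it against the posted dump reports drop for a new TCP/1723 packet and for GRE from the WAN side, accept for GRE from the LAN side (the drop rule only applies to `!LAN`), and accept for GRE from WAN once the GRE rule is switched on. The counter of 60 bytes / 1 packet on the my-pptp rule is consistent with the `len 60` SYN in the firewall log line: every later packet of that TCP connection is connection-state=established and is counted by the first rule instead, so a control-channel counter stuck at 1 packet is expected behaviour rather than the fault itself.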
