swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Thu Mar 10, 2016 7:28 am

Hi everyone!

I would appreciate any help in trying to figure out how to make L2TP over IPSec work from OS X / iOS / Android to RouterOS. I have read carefully http://wiki.mikrotik.com/wiki/Manual:In ... pSec_setup and tried everything I could think of, but no luck :(

From Android on LTE (with VPN set up as L2TP/IPSec PSK), it just says "Unsuccessful" and in the router log there's this:
mar/09 21:16:38 l2tp,info first L2TP UDP packet received from 208.54.5.143 
mar/09 21:17:08 ipsec,error phase1 negotiation failed due to time up <REDACTED>[500]<=>208.54.5.143[39651] 46c4187051d96c96:84c6820a29b4ce7d 
From iOS on LTE (with VPN set up as L2TP), it says "the server did not respond" and a similar message in the router log:
mar/09 21:28:09 ipsec,error phase1 negotiation failed due to time up <REDACTED>[500]<=>172.56.30.230[22919] b42d9e6b6f8ae59f:0d5fa9c08b716d06
FWIW I have PPTP working fine from iOS / Android / OS X either on WiFi or LTE networks.

Thanks in advance!

PS: I don't recall ever modifying anything in IPSec.
Router: CRS125-24G-1S-2HnD-IN
Firmware: 3.24
OS: v6.34.2
PPTP Server
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
L2TP Server
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
          use-ipsec: yes
       ipsec-secret: <REDACTED>
IP Addresses
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                  
 0   192.168.1.1/24     192.168.1.0     ether2-master                                                                                                              
 1 D <REDACTED>/22   <REDACTED>     WAN                                                                                                                        
DHCP
Flags: X - disabled, I - invalid 
 #   NAME                                 INTERFACE                                 RELAY           ADDRESS-POOL                                 LEASE-TIME ADD-ARP
 0   default                              LAN                                                       dhcp                                         1h        
DHCP Network
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN                                                                                       
 0 192.168.1.0/24     192.168.1.1     192.168.1.1    
Firewall Filters
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; Allow PPTP from WAN (TCP)
      chain=input action=accept protocol=tcp in-interface=WAN dst-port=1723 log=no log-prefix="" 

 2    ;;; Allow PPTP from WAN (GRE)
      chain=input action=accept protocol=gre in-interface=WAN log=no log-prefix="" 

 3    ;;; Allow L2TP from WAN (UDP)
      chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500 log=no log-prefix="" 

 4    ;;; Allow L2TP from WAN (ESP)
      chain=input action=accept protocol=ipsec-esp in-interface=WAN log=no log-prefix="" 

 5    ;;; Allow established and related connections from WAN
      chain=input action=accept connection-state=established,related in-interface=WAN log=no log-prefix="" 

 6    ;;; Drop everything else from WAN
      chain=input action=drop in-interface=WAN log=no log-prefix="" 

 7    ;;; See http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 8    ;;; See http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 9    ;;; Allow Foscam / NTP to WAN
      chain=forward action=accept protocol=udp src-address-list=FOSCAM in-interface=LAN out-interface=WAN dst-port=123 log=no log-prefix="" 

10    ;;; Drop Foscam / everything else to WAN
      chain=forward action=reject reject-with=icmp-network-unreachable src-address-list=FOSCAM in-interface=LAN out-interface=WAN log=no log-prefix=""
NAT (excluding dynamic from UPnP)
 0    ;;; Masquerade VPN traffic
      chain=srcnat action=masquerade src-address=192.168.1.200-192.168.1.249 log=no log-prefix="" 

 1    ;;; Source NAT
      chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" 

 2    ;;; Hairpin NAT
      chain=srcnat action=masquerade protocol=tcp dst-address=192.168.1.10 out-interface=LAN dst-port=2012,6690,8383 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.10 protocol=tcp dst-address=192.168.1.1 in-interface=LAN dst-port=2012,6690,8383 log=no log-prefix="" 

 4    ;;; SFTP
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=2012 protocol=tcp in-interface=WAN dst-port=2012 log=no log-prefix="" 

 5    ;;; Cloud Station
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=6690 protocol=tcp in-interface=WAN dst-port=6690 log=no log-prefix="" 

 6    ;;; Comics
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8383 protocol=tcp in-interface=WAN dst-port=8383 log=no log-prefix="" 

 7    ;;; Surveillance Station
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=9901 protocol=tcp in-interface=WAN dst-port=9191 log=no log-prefix="" 

 8    ;;; Video Station
      chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=9008 protocol=tcp in-interface=WAN dst-port=9898 log=no log-prefix="" 

 9    ;;; Jenkins - Linux
      chain=dstnat action=dst-nat to-addresses=192.168.1.83 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23248 log=no log-prefix="" 

10    ;;; Jenkins - Apple
      chain=dstnat action=dst-nat to-addresses=192.168.1.81 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23516 log=no log-prefix="" 

11    ;;; Jenkins - Windows
      chain=dstnat action=dst-nat to-addresses=192.168.1.82 to-ports=8080 protocol=tcp in-interface=WAN dst-port=23745 log=no log-prefix="" 
PPP Secrets
Flags: X - disabled 
 #   NAME                             SERVICE CALLER-ID                          PASSWORD                          PROFILE                          REMOTE-ADDRESS 
 0   vpn                              any                                        <REDACTED>              default             
PPP Profiles
Flags: * - default 
 0 * name="default" local-address=192.168.1.1 remote-address=vpn use-mpls=no use-compression=yes use-encryption=required only-one=no change-tcp-mss=yes use-upnp=no 
     address-list="" dns-server=192.168.1.1 on-up="" on-down="" 

 1 * name="default-encryption" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default 
     address-list="" on-up="" on-down="" 
IP Pools
0 dhcp                                                             192.168.1.100-192.168.1.199    
1 vpn                                                              192.168.1.200-192.168.1.249    
IPSec Policies
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/32 protocol=all proposal=default template=yes 
IPSec Peers
Flags: X - disabled, D - dynamic 
 0  D address=::/0 local-address=:: passive=yes port=500 auth-method=pre-shared-key secret="24nCkFTvddjPon" generate-policy=port-strict 
      policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
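Added triage helper, not part of the original post: it parses the two kinds of RouterOS log line quoted above (the l2tp,info and ipsec,error entries), groups them per remote peer and reports how far each connection attempt got. The sample lines are constructed copies of the ones in the post, with the redacted router address replaced by the documentation address 203.0.113.1.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the RouterOS log lines quoted in the post;
# the router's own (redacted) address is replaced by 203.0.113.1.
SAMPLE_LOG = """\
mar/09 21:16:38 l2tp,info first L2TP UDP packet received from 208.54.5.143
mar/09 21:17:08 ipsec,error phase1 negotiation failed due to time up 203.0.113.1[500]<=>208.54.5.143[39651] 46c4187051d96c96:84c6820a29b4ce7d
mar/09 21:28:09 ipsec,error phase1 negotiation failed due to time up 203.0.113.1[500]<=>172.56.30.230[22919] b42d9e6b6f8ae59f:0d5fa9c08b716d06
"""

TS = r"(?P<ts>[a-z]{3}/\d\d \d\d:\d\d:\d\d)"
L2TP_RE = re.compile(TS + r" l2tp,info first L2TP UDP packet received from (?P<peer>[\d.]+)$")
IKE_FAIL_RE = re.compile(TS + r" ipsec,error phase1 negotiation failed due to time up "
                         r"\S+\[\d+\]<=>(?P<peer>[\d.]+)\[(?P<pport>\d+)\] "
                         r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})$")

def _ts(s):
    return datetime.strptime(s, "%b/%d %H:%M:%S")  # RouterOS log timestamps carry no year

def triage(log_text):
    """Group L2TP/IKE events per remote peer and say how far each attempt got."""
    peers = defaultdict(lambda: {"l2tp_seen": None, "ike_timeouts": []})
    for line in log_text.splitlines():
        if m := L2TP_RE.match(line.strip()):
            peers[m["peer"]]["l2tp_seen"] = _ts(m["ts"])
        elif m := IKE_FAIL_RE.match(line.strip()):
            peers[m["peer"]]["ike_timeouts"].append({
                "ts": _ts(m["ts"]),
                # IKE arriving from a source port other than 500 usually means a NAT
                # (e.g. carrier CGNAT) rewrote it, so NAT-T on UDP/4500 must be reachable.
                "behind_nat": int(m["pport"]) != 500,
                "cookies": (m["icookie"], m["rcookie"]),
            })
    for info in peers.values():
        fails = info["ike_timeouts"]
        if fails and info["l2tp_seen"]:
            info["verdict"] = "phase1-timeout-after-l2tp"  # L2TP arrived, IKE never completed
            info["seconds_to_timeout"] = (fails[0]["ts"] - info["l2tp_seen"]).total_seconds()
        elif fails:
            info["verdict"] = "phase1-timeout-only"  # responder's phase 1 replies went unanswered
        else:
            info["verdict"] = "l2tp-only"  # L2TP seen, no IKE failure logged for this peer
    return dict(peers)

if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, info["verdict"], [f["behind_nat"] for f in info["ike_timeouts"]])
```

The 30 s gap between the first L2TP packet and the phase 1 failure for 208.54.5.143 is the responder's retransmission timeout, so the useful question is why its UDP/500 and UDP/4500 replies never got an answer, not whether L2TP reached the router.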
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Thu Mar 10, 2016 11:04 am

Screen prints of my router for L2TP, not fancy but should get you going.
http://l2tp.patokatech.com/

My droid works fine, but I have to allow my IP in my input rules before I can access the VPN. The last 2 times I ran whatismyip.com my Verizon droid came up with an IPv6 address, so I temporarily disable the drop all else rule on WAN input.
It's not convenient, and I think someone here came up with a workaround script, but I can't find it now.

My droid is set to L2TP/IPsec PSK, L2TP and IPsec identifier not used, pre-shared key is used.
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Thu Mar 10, 2016 4:22 pm

Thanks, I'll have a look.
 
martino
just joined
Posts: 1
Joined: Wed Mar 02, 2016 11:44 pm

Re: Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Sat Mar 19, 2016 11:48 pm

Hello Swisspol,

Did you get it working? I have already spent a few weeks trying to find a working L2TP solution on iPhone iOS 9.2, with no luck :-(
 
jebz
Member Candidate
Posts: 287
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Sun Mar 20, 2016 3:13 am

I initially used a YouTube video on l2tp/ipsec to assist -
https://www.youtube.com/watch?v=cgfXs6ZJrgs
But it appears to have gone offline. I did miss the firewall rules configuration.
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
Another site I've used is -
http://www.nasa-security.net/mikrotik/m ... ith-ipsec/
This warns of iPhone issues and helps work round these.
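Added example, not jebz's or MikroTik's code: a small checker that reads a RouterOS "/ip firewall filter print" listing and verifies that the input chain accepts UDP 500, 1701 and 4500 and ipsec-esp before any catch-all drop or reject, which is the ordering problem the replies above point at. Both listings are constructed; GOOD mirrors the working order from the first post, BAD omits UDP/4500 and puts the ESP accept after the drop.

```python
import re

REQUIRED_UDP_PORTS = {500, 1701, 4500}   # IKE, L2TP and NAT-T, as in the rules above
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')

def parse_rules(listing):
    """Turn a '/ip firewall filter print' listing into ordered dicts of key=value pairs."""
    rules = []
    for line in listing.splitlines():
        if "chain=" in line:   # skips rule numbers, ';;;' comments and flag legends
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line.strip())})
    return rules

def check_l2tp_ipsec_input(listing):
    """Report required accepts that are missing or shadowed by an earlier catch-all in 'input'."""
    udp_seen, esp_seen = set(), False
    for r in parse_rules(listing):
        if r.get("chain") != "input":
            continue
        if r.get("action") in ("drop", "reject") and "protocol" not in r and "dst-port" not in r:
            break   # catch-all reached: anything listed after it never matches WAN traffic
        if r.get("action") != "accept":
            continue
        if r.get("protocol") == "udp":
            ports = {int(p) for p in r.get("dst-port", "").split(",") if p}
            udp_seen |= ports & REQUIRED_UDP_PORTS
        elif r.get("protocol") == "ipsec-esp":
            esp_seen = True
    return {"missing_udp_ports": sorted(REQUIRED_UDP_PORTS - udp_seen),
            "esp_allowed": esp_seen,
            "ok": udp_seen == REQUIRED_UDP_PORTS and esp_seen}

# Constructed listings in the print format used in the first post.
GOOD = """\
 3    ;;; Allow L2TP from WAN (UDP)
      chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701,4500 log=no log-prefix=""
 4    ;;; Allow L2TP from WAN (ESP)
      chain=input action=accept protocol=ipsec-esp in-interface=WAN log=no log-prefix=""
 5    chain=input action=accept connection-state=established,related in-interface=WAN
 6    chain=input action=drop in-interface=WAN
"""
BAD = """\
 0    chain=input action=accept protocol=udp in-interface=WAN dst-port=500,1701
 1    chain=input action=drop in-interface=WAN
 2    chain=input action=accept protocol=ipsec-esp in-interface=WAN
"""

if __name__ == "__main__":
    print("good:", check_l2tp_ipsec_input(GOOD))
    print("bad: ", check_l2tp_ipsec_input(BAD))
```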
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: Unable to make L2TP over IPSec work from Android / iOS / OS X to RouterOS (error phase1 negotiation failed)

Sun Mar 20, 2016 4:00 am

I stopped trying after some time; it was taking too much time to set up, so I'm using PPTP for the time being.
