ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

L2tp/IPsec is driving me crazy !!!!

Wed Mar 16, 2016 5:38 pm

I'm trying to set up an L2TP/IPsec connection from an iPhone to a RouterOS device.

The RouterOS device is connected this way:


dsl_line-----------[public_static_IP ISP_ROUTER 10.0.0.1]----------[10.0.0.2(WAN) RouterOS_device 192.168.0.1/24(LAN) ]

All DSL traffic is NATted transparently to the RouterOS WAN interface 10.0.0.2.

I've set up the L2TP server for IPsec use.

I've set up an IPsec peer to generate a policy dynamically:

0 address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="mykey"
generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes
nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5


When I try to connect from the iPhone, a pair of installed SAs (iPhone>RouterOS and RouterOS>iPhone) come up, but the one from the WAN (10.0.0.2) to the iPhone IP has 0 Current Bytes.

The L2TP log says the tunnel receives no reply, disconnecting.

It seems no packets are sent back to the iPhone.

Yesterday I had it working for a couple of minutes (my fault for not collecting the working configuration); now it isn't working anymore.
I've tried tons of variations in the settings.

For information, although the installed SAs are between the WAN interface (10.0.0.2) and the iPhone IP address, the automatically generated IPsec policy has the public DSL_LINE IP as src address and the iPhone one as dst address.


Any idea on what to check, please?


P.S. The installed SA with 0 Current Bytes also has NO Current Addtime.
Both are using port 4500.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Fri Mar 18, 2016 6:10 pm

Sorry for the tedious requests...
Something is still not clear...
I don't understand why no traffic is passed back to the initiator:

Scenario:

Image

On iPhone connection a dynamic policy is created:

Image

as well as a pair of SAs:

Image

No traffic is present on the "outgoing" SA.

The L2TP server (log) is answering back to the iPhone, but the iPhone doesn't receive anything back.

Note that the policy on the "WAN" side refers to the public IP address of the DSL line; the SA instead refers to the WAN IP of the routerboard itself (10.0.0.2).

Any outgoing NAT problem? Any MTU problem?
What should I check?

Thank you
 
jaytcsd
Member Candidate
Posts: 288
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: L2tp/IPsec is driving me crazy !!!!

Sat Mar 19, 2016 7:08 am

http://l2tp.patokatech.com/

Winbox screenshots of my router; I can connect with my Droid.
You have to allow your iPhone's IP access with an input rule if you have a generic 'block all else' rule at the end of the list.
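The input rules jaytcsd's reply is talking about, written out as an added example (this is not the thread's own config and not taken from the linked page). It assumes RouterOS 6.x syntax, an interface named `ether1-wan`, and a final catch-all drop in the input chain. The security-relevant detail is the last pair of rules: UDP/1701 is accepted only when the packet was decrypted from an IPsec SA (`ipsec-policy=in,ipsec`), so plaintext L2TP from the Internet never reaches the L2TP server.

```routeros
# Added example, assumed interface name: ether1-wan (RouterOS 6.x syntax).
# Place these above the generic "block all else" rule in the input chain.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T from VPN clients"
add chain=input in-interface=ether1-wan protocol=ipsec-esp action=accept \
    comment="ESP (seen only when no NAT is in the path)"
add chain=input in-interface=ether1-wan protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP control channel, but only after IPsec decryption"
add chain=input in-interface=ether1-wan protocol=udp dst-port=1701 action=drop \
    comment="no plaintext L2TP from the WAN"
add chain=input in-interface=ether1-wan action=drop comment="block all else"
```

Verify the order with `/ip firewall filter print` and, while an iPhone connects, watch the per-rule packet counters with `/ip firewall filter print stats`: the 500/4500 rule and the `ipsec-policy=in,ipsec` rule should both count up; the plaintext 1701 drop rule should stay at zero.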
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Sat Mar 19, 2016 8:24 pm

Thank you for the reply.
Your configuration is like mine...
or at least like one of the many I have tried.
I suppose there are no NAT or firewall/port issues, as for testing purposes only the masquerade rule is present, nothing blocked...

Any other idea?
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Mon Mar 21, 2016 3:12 pm

Still one of the hardest issues for me to solve...

When a pair of SAs is installed, I suppose Phase 1 and Phase 2 have been passed correctly, haven't they?

In fact, after this, the L2TP server builds a tunnel and starts to send multiple retry control messages from WAN 10.0.0.2 to the iPhone IP address (as seen in the log), but these packets don't reach the iPhone, and I suppose they don't even leave the RouterOS machine.
If they did, some byte counter would increase in the MikroTik-to-iPhone SA, which instead is still 0.

As said, no block rules are present in the filter, so all traffic is allowed for now.
I don't think it is a NAT issue, as the L2TP server has not yet released a private IP address to the client;
the L2TP authentication phase hasn't been reached yet...

A second DSL line (1:1 NATted as well) is connected to the routerboard; trying to connect through that line produces the same behaviour...

Is it correct that the SA uses port 4500 even if NAT-T is disabled in the peer?

The L2TP server starts to send ACKs to the client using WAN source port 1701; is that correct?

I hope it is not an issue related to the iOS or RouterOS release...

P.S.
I get the same behaviour whether the "use IPsec" flag is set or not in the L2TP server config!!! Strange...
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Mon Mar 21, 2016 5:11 pm

Image


A step further...

Looking at the diagram above:

an IPsec policy is generated automatically with src=1.2.3.4 dst=5.6.7.8

it works IF I manually add a second policy src=10.0.0.2 dst=5.6.7.8, NO template

Obviously, the iPhone address 5.6.7.8 is dynamic, so in real life I can't add it manually.

If I add a policy src=0.0.0.0/0 dst=0.0.0.0/0, template, same group as the peer, it DOESN'T work!


I need a policy to be created automatically with the MikroTik WAN as source and the dynamic iPhone address as destination.

Is it possible in some way?

Thank you
 
jaytcsd
Member Candidate
Posts: 288
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: L2tp/IPsec is driving me crazy !!!!

Tue Mar 22, 2016 8:08 am

I will take a look tonight; I've been busy this week.
I know how frustrating this is; it took me a month to get it working.

One of my IPs changed last week; even though I changed the rules to reflect that, the tunnel only worked one way until I rebooted it.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Tue Mar 22, 2016 9:25 am

Thank you for your interest.
I think having a private subnet as the MT WAN to connect to a transparently NATted ISP router is not uncommon, so my problem shouldn't be so uncommon either.
Probably there are some usual workarounds I'm not aware of...
 
jaytcsd
Member Candidate
Posts: 288
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: L2tp/IPsec is driving me crazy !!!!

Thu Apr 07, 2016 10:48 am

I got the flu and was offline for a week during recovery. Did you ever get your system working?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: L2tp/IPsec is driving me crazy !!!!

Thu Apr 07, 2016 10:59 am

Make sure L2TP packets leave the router with the correct source address. If you have multiple gateways, then you will probably have to force the correct source address with a srcnat.
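One way to put mrz's advice into a configuration, added here as an example (it is neither the thread's config nor a MikroTik recommendation). It assumes the thread's diagram addresses (10.0.0.2 is the RouterOS WAN behind the ISP router's 1:1 NAT, 1.2.3.4 is the public DSL address the iPhone dials), an interface named `ether1-wan`, and that RouterOS runs srcnat before IPsec policy matching on the output path. The reasoning behind it: in transport mode the client's phase-2 selector names the address it dialed, so the dynamic policy comes out as src=1.2.3.4, exactly as reported above; the L2TP replies are then sent from 10.0.0.2, match no policy, and never get encrypted, which is why the outbound SA stays at 0 bytes. Rewriting only the L2TP replies to the public address makes them match the generated policy. The commands after the NAT rule are the checks that confirm or refute this on the router.

```routeros
# Added example. Assumed: 10.0.0.2 = RouterOS WAN, 1.2.3.4 = public DSL IP,
# WAN interface = ether1-wan (all taken from the thread's diagram, not verified).
# Match only UDP/1701 leaving the WAN so IKE (500/4500) and ESP are not rewritten.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan protocol=udp src-port=1701 \
    action=src-nat to-addresses=1.2.3.4 place-before=0 \
    comment="L2TP control replies must carry the src the dynamic IPsec policy expects"

# Checks after the next iPhone connection attempt:
# 1. the dynamic policy and both SAs; the router-to-iPhone SA should now
#    show a growing current-bytes counter instead of 0
/ip ipsec policy print
/ip ipsec installed-sa print
# 2. IKE phase 1/2 detail in the log (the packet sub-topic is very noisy, leave it out)
/system logging add topics=ipsec,!packet action=memory
# 3. nothing should be visible in clear on UDP/1701 on the WAN wire;
#    only UDP/4500 (NAT-T) or ESP should leave the router
/tool sniffer quick interface=ether1-wan port=1701
```

If the outbound SA counter still stays at 0 with this rule in place, the srcnat-before-policy assumption does not hold on that release and the rule should be removed; the sniffer line is the fastest way to tell, since seeing plaintext 1701 on the wire means the packets bypassed IPsec entirely.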
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: L2tp/IPsec is driving me crazy !!!!

Thu Apr 07, 2016 5:39 pm

No further tests have been done...

However, it seems it is not a src/dst issue.

The only way to make the system work is to manually create a policy with the MT WAN as source (10.0.0.2) and the iPhone IP as destination (5.6.7.8), but this last one is dynamic, obviously...
This is when a dynamic policy 1.2.3.4 => 5.6.7.8 has already been created at client connection.

In fact, the 0.0.0.0/0 template policy is needed to allow the system to create a policy dynamically when needed.
The problem is that the dynamically created policy has the DSL line public static IP address as SOURCE, when instead a policy with the MT WAN IP (10.0.0.2) as SOURCE is needed to make the whole thing work...

I do have multiple (two) gateways, but I have disabled the unused one as well as all mangle rules.

Same behaviour.

I think the problem is right in the wrongly auto-created policy...

What leaves me disappointed is the fact that nobody seems to have this issue.

Or better:
- people know this scenario cannot work (stop)
- nobody is using my scenario
- it is successfully used and I'm making some stupid mistake somewhere

Thank you for any suggestion you all can give me.
