mrdo1k
just joined
Topic Author
Posts: 9
Joined: Mon Jan 16, 2017 10:47 am

"Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 11:24 am

I read the short description in the MikroTik Newsletter issue #73 and the link regarding VPN from iPhone to a MikroTik router, and I have a new hEX r3 upgraded to v6.38.1 stable. It's running as a router in an almost default configuration apart from a change to the DHCP pool address range. I used QuickSet when setting up, made the changes to the DHCP pool and a few other minor things, and enabled the VPN in QuickSet because I would like to be able to do VPN from my iPhone (iOS 10.2).

I expected (and hoped) this to work out of the box as per MikroTik Newsletter issue #73, but that's not the case.

Below is my configuration. When I try to start the VPN on my iPhone, I get the error "The L2TPVPN server did not respond...". I get nothing in the log files. Can anybody help out on what I am missing in my configuration, or on how I debug this further? Any help is very welcome!
/export
# jan/17/2017 17:57:03 by RouterOS 6.38
# software id = V422-8VDT
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.99
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface l2tp-server server
set enabled=yes ipsec-secret=MyVerySecetPassword use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=0.89.168.192-255.89.168.192
/ppp secret
add name=vpn password=MySecretPassword
/system clock
set time-zone-name=Europe/Copenhagen
/system routerboard settings
# Warning: memory overclocked
set memory-frequency=1200DDR
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
 
mrdo1k
just joined
Topic Author
Posts: 9
Joined: Mon Jan 16, 2017 10:47 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 8:59 pm

So, back home and located on the LAN side of the router, I tried by accident to do a VPN connect towards my WAN address, and everything suddenly works. I get the following in my log:
19:53:44 ipsec,info respond new phase 1 (Identity Protection): 212.237.97.139[500]<=>192.168.1.95[500]
19:53:44 ipsec,info ISAKMP-SA established 212.237.97.139[500]-192.168.1.95[500] spi:e6d44bdae33f6b96:990589e3576908a9
19:53:45 l2tp,info first L2TP UDP packet received from 192.168.1.95
19:53:45 l2tp,ppp,info,account vpn logged in, 192.168.89.255
19:53:45 l2tp,ppp,info <l2tp-vpn>: authenticated
19:53:45 l2tp,ppp,info <l2tp-vpn>: connected
19:53:52 l2tp,ppp,info <l2tp-vpn>: terminating...
19:53:52 l2tp,ppp,info,account vpn logged out, 7 76542 142699 658 514
19:53:52 l2tp,ppp,info <l2tp-vpn>: disconnected
19:53:52 ipsec,info purging ISAKMP-SA 212.237.97.139[500]<=>192.168.1.95[500] spi=e6d44bdae33f6b96:990589e3576908a9.
19:53:53 ipsec,info ISAKMP-SA deleted 212.237.97.139[500]-192.168.1.95[500] spi:e6d44bdae33f6b96:990589e3576908a9 rekey:1
But when trying from the outside toward my public WAN address, I get nothing at all in the log file, so apparently this is filtered in the firewall. What am I missing?
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 9:33 pm

Firewall rule for ipsec.
The hint is in your first 2 log entries.
 
mrdo1k
just joined
Topic Author
Posts: 9
Joined: Mon Jan 16, 2017 10:47 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 9:47 pm

Got it - thanks

When I added allow rules for UDP port 500 and UDP port 4500, everything works. This should, in my view, have been done by the QuickSet VPN option...
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 9:57 pm

Quickset is currently more of an initial setup tool. Making changes with it, especially after making any manual changes can have unexpected results.
 
mrdo1k
just joined
Topic Author
Posts: 9
Joined: Mon Jan 16, 2017 10:47 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Wed Jan 18, 2017 10:11 pm

Quickset is currently more of an initial setup tool. Making changes with it, especially after making any manual changes can have unexpected results.
Fair enough if that were the case, but have you read how MikroTik describes the feature? From http://download2.mikrotik.com/news/news_73.pdf

It sounds a lot like it's supposed to be a wizard-like setup, and I had done a change to a DHCP pool before using it, but that didn't stop QuickSet doing 95% of the job... but why leave out the last 5%?
Since Apple removed support for the less secure PPTP VPN in all its software updates, you might be wondering how to configure the superior IPsec for your home or office device. Well, we have some great news! As a lesser known feature, IPsec server can be enabled with just one click in the QuickSet interface. If you have used only QuickSet to set up your device, and it has a public IP address, all you need to do is click the “VPN access” checkbox and enter a password in the password field. IPsec server is now running, and your Apple device just needs a new VPN connection with type “L2TP” and password and secret to be the same as you entered in your QuickSet password field. The connection address can be the IP address of the router, or the mynetname DNS name that the QuickSet will show (handy if your IP changes often).
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Thu Jan 19, 2017 4:29 am

QuickSet runs a basic script file, much like the terminal command /import that imports a .rsc file, which is just a list of terminal commands. The script will run all the way through as long as all the interface names, IP addresses, DHCP server and pools, etc. are at their default values. If you change any of these, the script will run until it hits one of these changes. This will create an error and the script will stop. That is why it was partially set up. If the error had occurred at the beginning of the script, nothing would have been set up.

Also note the fourth sentence in the newsletter about the feature:
If you have used only QuickSet to set up your device, and it has a public IP address, all you need to do is click the “VPN access” checkbox and enter a password in the password field.
 
Jotne
Forum Guru
Posts: 1310
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Thu Jan 19, 2017 10:18 am

Got it - thanks

When I added allow rules for UDP port 500 and UDP port 4500, everything works. This should, in my view, have been done by the QuickSet VPN option...
I ended up with exactly the same problem, and I also agree that this should have been done in QuickSet. If it does not add the rules, there should be a warning that you need to open this and that port to make it work.

PS: I also needed UDP 1701 open to get L2TP/IPsec to work.

Here: http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
It shows what's needed like this:
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
But I do not need the line add chain=input protocol=ipsec-esp. It works fine without it.
Last edited by Jotne on Thu Jan 19, 2017 10:30 am, edited 1 time in total.
 
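A check a practitioner can run over a router export before trusting what QuickSet produced, added here as an example and not code from the thread or from MikroTik: it parses the /ip firewall filter section and reports which of the services named in the wiki snippet above (UDP 500 for IKE, UDP 4500 for NAT-T, UDP 1701 for L2TP, and the ESP protocol) are not accepted in the input chain before the default "drop all from WAN" rule, since an accept rule placed after that drop never sees WAN traffic. SAMPLE_EXPORT is constructed from the input rules in the first post.

```python
import shlex

# Constructed sample: the input chain from the export in the first post, which
# accepts UDP 1701 but has no rule for IKE (UDP 500), NAT-T (UDP 4500) or ESP.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
"""

# What an L2TP/IPsec server needs accepted on input, per the wiki snippet.
REQUIRED = {"udp/500", "udp/4500", "udp/1701", "ipsec-esp"}


def parse_filter_rules(export_text):
    """Return the `add` rules under /ip firewall filter as key/value dicts."""
    rules, in_filter = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            # shlex handles quoted values such as comment="defconf: accept ICMP"
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def services_opened(rule):
    """Services an input accept rule admits, in REQUIRED's vocabulary."""
    # RouterOS filter rules default to action=accept when none is given
    if rule.get("chain") != "input" or rule.get("action", "accept") != "accept":
        return set()
    proto = rule.get("protocol", "")
    if proto == "ipsec-esp":
        return {"ipsec-esp"}
    ports = rule.get("dst-port") or rule.get("port") or ""
    return {f"{proto}/{p}" for p in ports.split(",") if p}


def missing_vpn_rules(export_text):
    """Required services not accepted before the 'drop all from WAN' input rule."""
    opened = set()
    for rule in parse_filter_rules(export_text):
        if rule.get("chain") == "input" and rule.get("action") == "drop" and "in-interface" in rule:
            break  # anything accepted after this rule never sees WAN traffic
        opened |= services_opened(rule)
    return sorted(REQUIRED - opened)


if __name__ == "__main__":
    print("not accepted before the WAN drop:", missing_vpn_rules(SAMPLE_EXPORT))
```

Feed it the output of /export from the router; an empty list means every required service is accepted ahead of the WAN drop rule.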
normis
MikroTik Support
Posts: 24272
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Thu Jan 19, 2017 10:29 am

Yes, currently QuickSet can only work reliably if you use ONLY QuickSet for your configuration. If you have done any changes outside it, results can vary.
 
ronniee
Member Candidate
Posts: 123
Joined: Sun Jan 15, 2006 9:32 pm

Re: "Simple IPsec configuration in QuickSet" for iPhone VPN

Sat Jul 22, 2017 1:25 am

Fine, this QuickSet VPN section,
but it is unusable if you have custom settings on the router.
Can you make a separate VPN setup wizard?
Or is this a MikroTik rule: RouterOS configuration isn't for everyone?

PS: a solution could be to put e.g. a "view script" button in the QuickSet VPN section,
and whoever wants to use it can copy and import it without applying the whole QuickSet page and flushing the custom setup.