Hi,
No matter what i try, i can't get IPSec working with iOS.
Where should i start?
Re: Help with Ipsec and iOS
1) Make sure you are running latest RouterOS
There has been many IPSec fixes recently.
2) Enable IPSec logging:
3) Post your "/ip ipsec export" here
Maybe it's something simple we can spot just from the export.
There has been many IPSec fixes recently.
2) Enable IPSec logging:
Code: Select all
/system logging
add topics=ipsec,!debugMaybe it's something simple we can spot just from the export.
Re: Help with Ipsec and iOS
14:12:50 ipsec,info respond new phase 1 (Identity Protection): xx.xx.x.68[500]<=>xx.xx.x.209[500]
14:12:50 ipsec received Vendor ID: RFC 3947
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec
14:12:50 ipsec received long Microsoft ID: FRAGMENTATION
14:12:50 ipsec Fragmentation enabled
14:12:50 ipsec received Vendor ID: DPD
14:12:50 ipsec 5.186.56.209 Selected NAT-T version: RFC 3947
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec NAT-D payload #0 verified
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec NAT-D payload #1 doesn't match
14:12:50 ipsec NAT detected: PEER
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec Adding remote and local NAT-D payloads.
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec NAT-T: ports changed to: xx.xx.x.209[4500]<=>xx.xx.x.68[4500]
14:12:50 ipsec KA list add: xx.xx.x.68[4500]->xx.xx.x.209[4500]
14:12:50 ipsec xx.xx.x.209 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
14:12:50 ipsec,info ISAKMP-SA established xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d
14:12:51 ipsec respond new phase 2 negotiation: xx.xx.x.68[4500]<=>xx.xx.x.209[4500]
14:12:51 ipsec searching for policy for selector: xx.xx.x.68:1701 ip-proto:17 <=> xx.xx.x.209:65242 ip-proto:17
14:12:51 ipsec generating policy
14:12:51 ipsec Adjusting my encmode UDP-Transport->Transport
14:12:51 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
14:12:51 ipsec authtype mismatched: my:hmac-sha256 peer:hmac-sha1
14:12:51 ipsec sent phase2 packet xx.xx.x.68[4500]<=>xx.xx.x.209[4500] 86011f62568df6a4:1701528c16a6459d:000060b7
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xaddadc4
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xd337886
14:12:51 ipsec removing generated policy
14:12:51 ipsec,info purging ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec purged ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec,info ISAKMP-SA deleted xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d rekey:1
14:12:50 ipsec received Vendor ID: RFC 3947
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:12:50 ipsec
14:12:50 ipsec received long Microsoft ID: FRAGMENTATION
14:12:50 ipsec Fragmentation enabled
14:12:50 ipsec received Vendor ID: DPD
14:12:50 ipsec 5.186.56.209 Selected NAT-T version: RFC 3947
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec NAT-D payload #0 verified
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec NAT-D payload #1 doesn't match
14:12:50 ipsec NAT detected: PEER
14:12:50 ipsec 5.186.56.209 Hashing xx.xx.x.209[500] with algo #2
14:12:50 ipsec 87.116.7.68 Hashing xx.xx.x.68[500] with algo #2
14:12:50 ipsec Adding remote and local NAT-D payloads.
14:12:50 ipsec sent phase1 packet xx.xx.x.68[500]<=>xx.xx.x.209[500] 86011f62568df6a4:1701528c16a6459d
14:12:50 ipsec NAT-T: ports changed to: xx.xx.x.209[4500]<=>xx.xx.x.68[4500]
14:12:50 ipsec KA list add: xx.xx.x.68[4500]->xx.xx.x.209[4500]
14:12:50 ipsec xx.xx.x.209 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
14:12:50 ipsec,info ISAKMP-SA established xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d
14:12:51 ipsec respond new phase 2 negotiation: xx.xx.x.68[4500]<=>xx.xx.x.209[4500]
14:12:51 ipsec searching for policy for selector: xx.xx.x.68:1701 ip-proto:17 <=> xx.xx.x.209:65242 ip-proto:17
14:12:51 ipsec generating policy
14:12:51 ipsec Adjusting my encmode UDP-Transport->Transport
14:12:51 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
14:12:51 ipsec authtype mismatched: my:hmac-sha256 peer:hmac-sha1
14:12:51 ipsec sent phase2 packet xx.xx.x.68[4500]<=>xx.xx.x.209[4500] 86011f62568df6a4:1701528c16a6459d:000060b7
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xaddadc4
14:12:51 ipsec purged IPsec-SA proto_id=ESP spi=0xd337886
14:12:51 ipsec removing generated policy
14:12:51 ipsec,info purging ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec purged ISAKMP-SA xx.xx.x.68[4500]<=>xx.xx.x.209[4500] spi=86011f62568df6a4:1701528c16a6459d.
14:12:51 ipsec,info ISAKMP-SA deleted xx.xx.x.68[4500]-xx.xx.x.209[4500] spi:86011f62568df6a4:1701528c16a6459d rekey:1
Re: Help with Ipsec and iOS
# sep/18/2017 14:16:33 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = xxxxxx
/ip ipsec policy group
add name=ipsec+l2tp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des pfs-group=none
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=ltp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=\
port-override lifetime=8h policy-template-group=ipsec+l2tp secret=xxxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=ipsec+l2tp src-address=0.0.0.0/0
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = xxxxxx
/ip ipsec policy group
add name=ipsec+l2tp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des pfs-group=none
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=ltp-proposal pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=\
port-override lifetime=8h policy-template-group=ipsec+l2tp secret=xxxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=ipsec+l2tp src-address=0.0.0.0/0
Re: Help with Ipsec and iOS
It seems IPSec works, and clients can't connect L2TP.
We see in the log:
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209
So client actually starts the L2TP tunnel establishment within IPSec, but that fails.
It would seem issue is in L2TP configuration.
We see in the log:
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first L2TP UDP packet received from xx.xx.x.209
So client actually starts the L2TP tunnel establishment within IPSec, but that fails.
It would seem issue is in L2TP configuration.
Re: Help with Ipsec and iOS
My PPP configuration is:
# sep/18/2017 14:34:01 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = XXXX
/ppp profile
add change-tcp-mss=yes dns-server=172.16.110.41,172.16.110.88 local-address=\
172.16.110.1 name=pptp-profile remote-address="VPN Pool" use-encryption=yes
add change-tcp-mss=yes dns-server=172.16.110.41 local-address=172.16.110.1 name=\
l2tp-profile remote-address="VPN Pool" use-encryption=yes
/ppp aaa
set use-radius=yes
/ppp l2tp-secret
add secret=xxx
/ppp secret
add name=vpn password=xxx profile=l2tp-profile service=l2tp
# sep/18/2017 14:34:01 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = XXXX
/ppp profile
add change-tcp-mss=yes dns-server=172.16.110.41,172.16.110.88 local-address=\
172.16.110.1 name=pptp-profile remote-address="VPN Pool" use-encryption=yes
add change-tcp-mss=yes dns-server=172.16.110.41 local-address=172.16.110.1 name=\
l2tp-profile remote-address="VPN Pool" use-encryption=yes
/ppp aaa
set use-radius=yes
/ppp l2tp-secret
add secret=xxx
/ppp secret
add name=vpn password=xxx profile=l2tp-profile service=l2tp
Re: Help with Ipsec and iOS
just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.
Re: Help with Ipsec and iOS
Your PPP profile is wrong.My PPP configuration is:
...
Use it like this:
Code: Select all
/ppp profile
add change-tcp-mss=no dns-server=x.x.x.x local-address=x.x.x.x name=VPN remote-address=VPN_Users use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=noNotice the "use-encryption=no". This is VERY important.
This is PPP encryption, the MPPE standard.
You do NOT want to use this, since the L2TP traffic is encrypted using IPSec.
IPSec is not the problem in his setup, we can see that from the logs.just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.
Doing what you say would not help.
Re: Help with Ipsec and iOS
Im sory, I did not checkIPSec is not the problem in his setup, we can see that from the logs.just go to ppp menu and select interface, click l2tp server and select Use IPsec:yes there.. write your IPsec Secret than finish...I use this way and its work with my ios devices.
Doing what you say would not help.
Re: Help with Ipsec and iOS
Weird still not working..
Code: Select all
# sep/18/2017 16:14:07 by RouterOS 6.40.3
# software id = SJ7X-4JYM
#
# model = CCR1036-8G-2S+
# serial number = xxx
/ppp profile
add change-tcp-mss=no dns-server=172.16.110.41,172.16.110.88 local-address=\
172.16.110.1 name=VPN remote-address="VPN Pool" use-compression=no \
use-encryption=no use-mpls=no use-upnp=no
Code: Select all
16:09:02 firewall,info output: in:(none) out:OUTSIDE_TDC_116, proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:02 firewall,info srcnat: in:(none) out:OUTSIDE_TDC_116, proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:02 firewall,info input: in:OUTSIDE_TDC_116 out:(none), proto UDP, x.x.x.10:49175->255.255.255.255:5678, len 148
16:09:06 ipsec,info respond new phase 1 (Identity Protection): x.x.x.68[500]<=>x.x.x.209[500]
16:09:06 ipsec received Vendor ID: RFC 3947
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:09:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:09:06 ipsec
16:09:06 ipsec received long Microsoft ID: FRAGMENTATION
16:09:06 ipsec Fragmentation enabled
16:09:06 ipsec received Vendor ID: DPD
16:09:06 ipsec x.x.x.209 Selected NAT-T version: RFC 3947
16:09:06 ipsec sent phase1 packet x.x.x.68[500]<=>x.x.x.209[500] 3756d843bc7ecabe:82c0fc782d7744e1
16:09:06 ipsec x.x.x.68 Hashing x.x.x.68[500] with algo #2
16:09:06 ipsec NAT-D payload #0 verified
16:09:06 ipsec x.x.x.209 Hashing x.x.x.209[500] with algo #2
16:09:06 ipsec NAT-D payload #1 doesn't match
16:09:06 ipsec NAT detected: PEER
16:09:06 ipsec x.x.x.209 Hashing x.x.x.209[500] with algo #2
16:09:06 ipsec x.x.x.68 Hashing x.x.x.68[500] with algo #2
16:09:06 ipsec Adding remote and local NAT-D payloads.
16:09:06 ipsec sent phase1 packet x.x.x.68[500]<=>x.x.x.209[500] 3756d843bc7ecabe:82c0fc782d7744e1
16:09:06 ipsec NAT-T: ports changed to: x.x.x.209[4500]<=>x.x.x.68[4500]
16:09:06 ipsec KA list add: x.x.x.68[4500]->x.x.x.209[4500]
16:09:06 ipsec x.x.x.209 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
16:09:06 ipsec,info ISAKMP-SA established x.x.x.68[4500]-x.x.x.209[4500] spi:3756d843bc7ecabe:82c0fc782d7744e1
16:09:07 ipsec respond new phase 2 negotiation: x.x.x.68[4500]<=>x.x.x.209[4500]
16:09:07 ipsec searching for policy for selector: x.x.x.68:1701 ip-proto:17 <=> x.x.x.209:50967 ip-proto:17
16:09:07 ipsec generating policy
16:09:07 ipsec Adjusting my encmode UDP-Transport->Transport
16:09:07 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2)
16:09:07 ipsec authtype mismatched: my:hmac-sha256 peer:hmac-sha1
16:09:07 ipsec sent phase2 packet x.x.x.68[4500]<=>x.x.x.209[4500] 3756d843bc7ecabe:82c0fc782d7744e1:0000379d
16:09:07 ipsec IPsec-SA established: ESP/Transport x.x.x.209[4500]->x.x.x.68[4500] spi=0x188fac7
16:09:07 ipsec IPsec-SA established: ESP/Transport x.x.x.68[4500]->x.x.x.209[4500] spi=0xe02de91
16:09:07 l2tp,info first L2TP UDP packet received from x.x.x.209
16:09:07 ipsec purged IPsec-SA proto_id=ESP spi=0xe02de91
16:09:07 ipsec purged IPsec-SA proto_id=ESP spi=0x188fac7
16:09:07 ipsec removing generated policy
16:09:07 ipsec,info purging ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=3756d843bc7ecabe:82c0fc782d7744e1.
16:09:07 ipsec purged ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=3756d843bc7ecabe:82c0fc782d7744e1.
16:09:07 ipsec,info ISAKMP-SA deleted x.x.x.68[4500]-x.x.x.209[4500] spi:3756d843bc7ecabe:82c0fc782d7744e1 rekey:1
16:09:07 ipsec KA remove: x.x.x.68[4500]->x.x.x.209[4500]
Re: Help with Ipsec and iOS
You can turn off logging for IPSec, we see that works.
Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
Re: Help with Ipsec and iOS
Ahh off course.You can turn off logging for IPSec, we see that works.
Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
Code: Select all
16:40:16 system,info log rule changed by admin
16:40:20 ipsec,info respond new phase 1 (Identity Protection): x.x.x.68[500]<=>x.x.x.209[500]
16:40:20 ipsec,info ISAKMP-SA established x.x.x.68[4500]-x.x.x.209[4500] spi:a57b264a1eb913a2:1983540a2e149f4c
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:40:21 l2tp,debug,packet (M) Message-Type=SCCRQ
16:40:21 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:40:21 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:40:21 l2tp,debug,packet (M) Host-Name=0x43:69:70:00
16:40:21 l2tp,debug,packet (M) Assigned-Tunnel-ID=38
16:40:21 l2tp,debug,packet (M) Receive-Window-Size=4
16:40:21 l2tp,info first L2TP UDP packet received from x.x.x.209
16:40:21 l2tp,debug tunnel 15 entering state: wait-ctl-conn
16:40:21 l2tp,debug,packet sent control message to x.x.x.209:51671 from x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=38, session-id=0, ns=0, nr=1
16:40:21 l2tp,debug,packet (M) Message-Type=SCCRP
16:40:21 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:40:21 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:40:21 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:40:21 l2tp,debug,packet Firmware-Revision=0x1
16:40:21 l2tp,debug,packet (M) Host-Name="MikroTik"
16:40:21 l2tp,debug,packet Vendor-Name="MikroTik"
16:40:21 l2tp,debug,packet (M) Assigned-Tunnel-ID=15
16:40:21 l2tp,debug,packet (M) Receive-Window-Size=4
16:40:21 l2tp,debug,packet (M) Challenge=0xa0:40:4f:c8:fb:b7:03:8c:1b:4d:da:13:e1:d0:f9:9a
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=15, session-id=0, ns=1, nr=1
16:40:21 l2tp,debug,packet (M) Message-Type=SCCCN
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping
16:40:21 l2tp,debug,packet sent control message to x.x.x.209:51671 from x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=38, session-id=0, ns=1, nr=2
16:40:21 l2tp,debug,packet (M) Message-Type=StopCCN
16:40:21 l2tp,debug,packet (M) Result-Code=1
16:40:21 l2tp,debug,packet (M) Assigned-Tunnel-ID=15
16:40:21 l2tp,debug tunnel 15 entering state: stopping
16:40:21 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=15, session-id=0, ns=2, nr=1
16:40:21 l2tp,debug,packet (M) Message-Type=ICRQ
16:40:21 l2tp,debug,packet (M) Assigned-Session-ID=832
16:40:21 l2tp,debug,packet (M) Call-Serial-Number=1
16:40:21 l2tp,debug tunnel 15 received message in stopping state, dropping
16:40:21 ipsec,info purging ISAKMP-SA x.x.x.68[4500]<=>x.x.x.209[4500] spi=a57b264a1eb913a2:1983540a2e149f4c.
16:40:21 ipsec,info ISAKMP-SA deleted x.x.x.68[4500]-x.x.x.209[4500] spi:a57b264a1eb913a2:1983540a2e149f4c rekey:1
16:40:21 l2tp,debug,packet rcvd control message (ack) from x.x.x.209:51671 to x.x.x.68:1701
16:40:21 l2tp,debug,packet tunnel-id=15, session-id=0, ns=3, nr=2
16:40:21 l2tp,debug tunnel 15 entering state: dead
16:40:22 l2tp,debug,packet rcvd control message from x.x.x.209:51671 to x.x.x.68:1701
16:40:22 l2tp,debug,packet tunnel-id=15, session-id=0, ns=2, nr=2
16:40:22 l2tp,debug,packet (M) Message-Type=ICRQ
16:40:22 l2tp,debug,packet (M) Assigned-Session-ID=832
16:40:22 l2tp,debug,packet (M) Call-Serial-Number=1
Re: Help with Ipsec and iOS
This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping
Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping
Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
Re: Help with Ipsec and iOS
The L2TP secret is required.This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping
Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
If i remove it, and try to connect i get the message "The IPsec shared secret is missing."
Re: Help with Ipsec and iOS
There is a difference between IPSec PSK (pre-shared key), and the L2TP secret.The L2TP secret is required.
If i remove it, and try to connect i get the message "The IPsec shared secret is missing."
You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2TP secret.
Re: Help with Ipsec and iOS
Ahh in my configuration the two are the same, can that be the problem?There is a difference between IPSec PSK (pre-shared key), and the L2TP secret.The L2TP secret is required.
If i remove it, and try to connect i get the message "The IPsec shared secret is missing."
You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you must not use the L2TP secret.
Re: Help with Ipsec and iOS
EDIT:Ahh in my configuration the two are the same, can that be the problem?
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".
Then make sure it's the same in your client.
Re: Help with Ipsec and iOS
Deleted the PPP LT2P Secrets, then its working..
So if PPP L2TP Secret is present, then its not working, even if its the same secret as IPSEC secret
So many thank you!
So if PPP L2TP Secret is present, then its not working, even if its the same secret as IPSEC secret
So many thank you!
Re: Help with Ipsec and iOS
Wow! I can't say how much I have been struggling with this. Removing the L2TP secret solved my problem. I now can connect with OS X 10.13!EDIT:Ahh in my configuration the two are the same, can that be the problem?
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".
Then make sure it's the same in your client.
Many thanks!!