ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Problem with L2PT VPN  [SOLVED]

Fri Jan 12, 2018 5:23 pm

Hi, I'm trying to configure an L2TP VPN to connect my outside device to my MikroTik.

I receive these messages when I try to connect:

"failed to pre-process ph2 packet"
"peer sent packet for dead phase 2"


This is /export

set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=192.168.5.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 dst-address-list=212.210.227.1 src-address=192.168.98.0/24 src-address-list=79.58.99.100
/ip ipsec peer
add address=xx/32 comment=VPN_Tivoli dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=xx/32 comment=VPN_Velletri dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=xx sa-src-address=xx0 src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=xx sa-src-address=xx src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
Last edited by ibrahimovich87 on Mon Jan 15, 2018 9:55 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Sun Jan 14, 2018 6:11 pm

> You must first have 'Input' rules, then 'Output' and 'Forward'.
This is not correct. The order of rules is important but only within a chain. Whether a particular incoming packet will be processed by input chain or forward chain depends on its destination address, not on order of rules.

@ibrahimovich, I cannot see any "/interface l2tp-server" in your Mikrotik configuration export, so it cannot work as you expect. Please follow the relevant manual page - after removing your manually created "/ip ipsec peer" with "address=0.0.0.0/0" as it would prevent the "/interface l2tp-server add" from creating a dynamic peer configuration. There is a note in the manual that care must be taken if other IPsec configuration is used, which is your case, but as your existing configuration identifies the peers with individual addresses, the automatically generated peer won't shadow them.

Create the "plain" configuration first and then modify it to the "road warrior" one. The road warrior example alone does not contain all settings.
Last edited by sindy on Sun Jan 14, 2018 6:54 pm, edited 1 time in total.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Sun Jan 14, 2018 7:25 pm

"not correct" means that it creates an impression that the particular order in which two rules in different chains are configured affects which of these two rules will be applied to a packet. This is not true, so rearranging the rules will not help the topic author deal with his issue.

It definitely is a good practice to keep rules of the same chain together in the configuration, and also to keep the chains in some systematic order (input-output-forward) in all configurations, because it makes the configuration better readable for humans. Following such practice makes it easier for you to review someone else's configuration, and for someone else to review your configuration (where that someone else is often actually yourself several months older). However, RouterOS itself only cares about the order of rules in the same chain, as I wrote. Stating something else may cause doubts and misunderstandings about the concept for less experienced users.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Sun Jan 14, 2018 9:02 pm

> ... Finally, "drop All" 'forward' is specified. Agree?
I'm a bit afraid that we hijack the topic from the OP, maybe we should move somewhere else with this discussion? I agree with part of your points, and I disagree with other ones.

Imagine the following set of five filter rules. In a chaotic configuration, they could be arranged the following way:

forward rule 1
input rule 1
forward rule 2
input rule 2
forward rule 3

In an orderly configuration, they would be arranged like this:

input rule 1
input rule 2
forward rule 1
forward rule 2
forward rule 3

Now there are two theoretical possibilities:
  • either the RouterOS evaluates all the rules top to bottom, which means that "forward rule 3" is evaluated as the 5th one in both cases, so where exactly the two input rules were located among the previous four rules has no effect to the throughput,
  • or the RouterOS actually converts the configuration into internal lists of rules which are built separately for each chain, and in such case the forward rule 3 is always evaluated as the 3rd one because, for a packet coming from outside the RB and routed outside the RB again, the rule evaluation starts from forward rule 1 and the input rules are not evaluated at all for that packet, so again the position of the two input rules in the configuration script has no effect on the throughput.

I totally agree with you that order of rules within a given chain is important - just think of putting the "drop" or "accept" rule which matches to any packet (no matching conditions specified) as the first one to a given chain, if you do so, all the other rules in that chain become irrelevant because none of them will ever be evaluated.

Now, to use your own example, try to do the following:
  • make sure that ssh service is enabled on a test RouterBoard and that you can connect to it from your PC.
  • next, disconnect that RouterBoard from internet to stay secure and configure its firewall with only the two following rules (just disable the rest for a moment):
    /ip firewall filter
    add chain=input dst-address=LAN-IP-of-the-RB dst-port=80 action=accept
    add chain=forward action=drop
    
Now try to establish a new SSH connection to LAN-IP-of-the-RB again. You will get connected to the RB
  • despite the "drop everything" rule in the forward chain - because packets to RB's own addresses are not handled by "forward" chain, only by "input", and
  • despite the fact that ssh listens at port 22 while you have only accepted packets to port 80 in the "input" chain - because packets not matching to any rule in their chain are accepted by default.

So to answer your question - yes, I do keep my configurations readable by putting rules belonging to the same chain all together, but when I review someone else's ones, I do not rely on the author to follow this habit, so I do not stop searching for "input" rules as soon as I get to the first rule belonging to another chain. And (maybe I should be shy to do that?), I follow the input - forward - output order in my configurations, because this is the order in which iptables on Linux lists the rules.

So again - I'm all for keeping the firewall configurations clean and orderly, but I disagree that putting a forward rule before an input rule can change anything about the system behaviour. And I disagree with confusing newbies by suggesting changes to configuration which are irrelevant to their problem.
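To make the two points in the post above concrete, here is an added Python model of the behaviour described there; it is not code from the forum or from MikroTik. It models only what the post states: a packet addressed to one of the router's own IPs is handled by the input chain, a transit packet by the forward chain, rules are walked top to bottom within that one chain, and a packet matching no rule in its chain is accepted. The router address 192.168.88.1, the host 192.168.88.50 and the sample packets are constructed for the example. It goes slightly beyond the post by checking every interleaving of the input and forward rules rather than only the two layouts shown.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed addresses for the example: the test RouterBoard's LAN IP and a host behind it.
ROUTER_IPS = {"192.168.88.1"}


@dataclass(frozen=True)
class Rule:
    chain: str                        # "input" or "forward"
    action: str                       # "accept" or "drop"
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A rule with no conditions matches every packet (the "drop all" case in the post).
        if self.dst_address is not None and pkt["dst"] != self.dst_address:
            return False
        if self.dst_port is not None and pkt["dport"] != self.dst_port:
            return False
        return True


def chain_for(pkt: dict) -> str:
    """Packets addressed to the router itself go to input; transit packets go to forward."""
    return "input" if pkt["dst"] in ROUTER_IPS else "forward"


def evaluate(rules: list, pkt: dict) -> str:
    """First matching rule in the packet's own chain decides; no match means accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain != chain:
            continue              # rules of other chains are never consulted
        if rule.matches(pkt):
            return rule.action
    return "accept"               # RouterOS default when nothing in the chain matched


def same_verdicts(rules_a: list, rules_b: list, packets: list) -> bool:
    """True when two rule lists give every packet the same verdict."""
    return all(evaluate(rules_a, p) == evaluate(rules_b, p) for p in packets)


def interleavings(a: list, b: list) -> Iterator[list]:
    """Every merge of a and b that keeps each list's internal order (the 'chaotic' layouts)."""
    if not a or not b:
        yield list(a) + list(b)
        return
    for rest in interleavings(a[1:], b):
        yield [a[0]] + rest
    for rest in interleavings(a, b[1:]):
        yield [b[0]] + rest


# Constructed sample packets: SSH to the router, HTTP to the router, two transit flows.
SSH_TO_RB = {"dst": "192.168.88.1", "dport": 22}
HTTP_TO_RB = {"dst": "192.168.88.1", "dport": 80}
TRANSIT_SSH = {"dst": "192.168.88.50", "dport": 22}
TRANSIT_HTTPS = {"dst": "192.168.88.50", "dport": 443}
PACKETS = [SSH_TO_RB, HTTP_TO_RB, TRANSIT_SSH, TRANSIT_HTTPS]

# The two-rule firewall from the post: accept port 80 in input, drop everything in forward.
TWO_RULES = [
    Rule("input", "accept", dst_address="192.168.88.1", dst_port=80),
    Rule("forward", "drop"),
]

# Two input rules and three forward rules, as in the post's five-rule illustration.
INPUT_RULES = [Rule("input", "accept", dst_port=22), Rule("input", "drop")]
FORWARD_RULES = [
    Rule("forward", "accept", dst_port=443),
    Rule("forward", "drop", dst_port=22),
    Rule("forward", "accept"),
]


def cross_chain_order_is_irrelevant() -> bool:
    """All 10 interleavings of the two chains yield the verdicts of the orderly layout."""
    orderly = INPUT_RULES + FORWARD_RULES
    return all(same_verdicts(orderly, mixed, PACKETS)
               for mixed in interleavings(INPUT_RULES, FORWARD_RULES))


def within_chain_order_matters() -> bool:
    """Moving the unconditional input drop above the port-22 accept changes a verdict."""
    swapped = list(reversed(INPUT_RULES)) + FORWARD_RULES
    return not same_verdicts(INPUT_RULES + FORWARD_RULES, swapped, PACKETS)


if __name__ == "__main__":
    for pkt in (SSH_TO_RB, HTTP_TO_RB, TRANSIT_SSH):
        print(chain_for(pkt), pkt, "->", evaluate(TWO_RULES, pkt))
    print("cross-chain order irrelevant:", cross_chain_order_is_irrelevant())
    print("within-chain order matters:", within_chain_order_matters())
```

With the two-rule firewall, SSH to the router is accepted even though only port 80 is accepted in input (nothing else in that chain matched), while the forward-chain drop never sees that packet at all; the same model shows why swapping two rules inside one chain is a real change.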
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 11:05 am

Hi guys,

This is my L2TP server configuration (sorry, but I can't do the export).
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 11:43 am

Can't do because you don't know how to do that from Winbox or can't do because it is administratively prohibited?

Whatever, the configuration export you've provided earlier contains a static peer configuration with "address=0.0.0.0/0". The L2TP server with IPsec set to "yes" or "required" (the latter should be used to prevent L2TP connections without IPsec from being set up unless you really want to support them too) creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with "address=0.0.0.0/0" setting.

Now as the statically configured peer is the first one in the list, it is used to handle the incoming requests from unknown-in-advance IP addresses rather than the dynamically configured one, because among all peers whose "address" parameter matches the source IP of the request, the one with longest mask is chosen; if the mask length is the same for several peers, their order decides.

So please disable the statically configured peer with "address=0.0.0.0/0" (unless that would cut your management connection) and try to connect the client again.
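The peer-selection rule stated in the post above (longest matching mask wins, equal masks fall back to list order) as an added Python example; this is not RouterOS code and not anything from the forum. The peer list mirrors the thread: two site-to-site peers with /32 addresses, the manually added catch-all peer, and the dynamic catch-all created by the L2TP server. The site IPs are documentation addresses substituted for the xx placeholders in the export, the roaming-client address is constructed, and the dynamic peer (which the later print output shows as ::/0) is modelled as 0.0.0.0/0 for simplicity.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Peer:
    comment: str
    address: str             # "address=" as shown by /ip ipsec peer print, in CIDR form
    exchange_mode: str
    dynamic: bool = False    # the D flag: created by the L2TP server, not by hand
    disabled: bool = False   # the X flag


def select_peer(peers: List[Peer], src_ip: str) -> Optional[Peer]:
    """Longest matching mask wins; among equal masks, the peer listed first wins."""
    src = ipaddress.ip_address(src_ip)
    best_len = -1
    best: Optional[Peer] = None
    for peer in peers:                       # list order is print order
        if peer.disabled:
            continue
        net = ipaddress.ip_network(peer.address, strict=False)
        if net.version != src.version or src not in net:
            continue
        # Only a strictly longer mask replaces the current best, so ties keep the earlier peer.
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, peer
    return best


def shadowed_peers(peers: List[Peer], probe_ips: List[str]) -> List[str]:
    """Comments of enabled peers that none of the probe addresses ever selects."""
    selected = set()
    for ip in probe_ips:
        chosen = select_peer(peers, ip)
        if chosen is not None:
            selected.add(chosen.comment)
    return [p.comment for p in peers if not p.disabled and p.comment not in selected]


# Constructed addresses (documentation ranges), standing in for the masked values in the thread.
SITE_TIVOLI = "203.0.113.10"
SITE_VELLETRI = "203.0.113.20"
ROAMING_CLIENT = "198.51.100.77"   # a phone or laptop on an address unknown in advance

STATIC_CATCH_ALL = Peer("manually added peer", "0.0.0.0/0", "main-l2tp")
DYNAMIC_L2TP = Peer("created by l2tp-server", "0.0.0.0/0", "main-l2tp", dynamic=True)

# The list as in the first export: the static catch-all precedes the dynamic one.
PEERS_BEFORE = [
    Peer("VPN_Tivoli", SITE_TIVOLI + "/32", "main"),
    Peer("VPN_Velletri", SITE_VELLETRI + "/32", "main"),
    STATIC_CATCH_ALL,
    DYNAMIC_L2TP,
]

# The same list after the static catch-all is disabled (disabled=yes in the second export).
PEERS_AFTER = [
    PEERS_BEFORE[0],
    PEERS_BEFORE[1],
    Peer(STATIC_CATCH_ALL.comment, STATIC_CATCH_ALL.address,
         STATIC_CATCH_ALL.exchange_mode, disabled=True),
    DYNAMIC_L2TP,
]

PROBES = [SITE_TIVOLI, SITE_VELLETRI, ROAMING_CLIENT]

if __name__ == "__main__":
    for label, peers in (("before", PEERS_BEFORE), ("after", PEERS_AFTER)):
        for ip in PROBES:
            chosen = select_peer(peers, ip)
            print(label, ip, "->", chosen.comment if chosen else None)
        print(label, "shadowed:", shadowed_peers(peers, PROBES))
```

Before the change the roaming client lands on the manually added peer and the dynamic one is never used; after disabling it, the dynamic peer takes over, while the /32 site peers keep winning for their own addresses in both cases, which is why the generated catch-all does not shadow them.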
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:21 pm

> Can't do because you don't know how to do that from Winbox or can't do because it is administratively prohibited?
>
> Whatever, the configuration export you've provided earlier contains a static peer configuration with "address=0.0.0.0/0". The L2TP server with IPsec set to "yes" or "required" (the latter should be used to prevent L2TP connections without IPsec from being set up unless you really want to support them too) creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with "address=0.0.0.0/0" setting.
>
> Now as the statically configured peer is the first one in the list, it is used to handle the incoming requests from unknown-in-advance IP addresses rather than the dynamically configured one, because among all peers whose "address" parameter matches the source IP of the request, the one with longest mask is chosen; if the mask length is the same for several peers, their order decides.
>
> So please disable the statically configured peer with "address=0.0.0.0/0" (unless that would cut your management connection) and try to connect the client again.
Can't, because I don't know how to do it:

> "creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with "address=0.0.0.0/0" setting."

So how do I do it? (I'm sorry, but I'm very new to all this configuration.) I've disabled the static peer and these are the settings (I'm setting the L2TP server to Use IPsec=required):
/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps country=italy distance=indoors frequency=2422 \
    mode=ap-bridge name=Miko rate-set=configured ssid=Miko wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=@alicebiz.routed
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des lifetime=0s
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.98.150-192.168.98.190
add name=VPN_Pool ranges=192.168.98.70-192.168.98.85
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.98.4 name=\
    L2TP-IN-Profile remote-address=VPN_Pool
add name=profile1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=Miko
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=mactel
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-IN-Profile enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=Miko list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=\
    192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
    192.168.98.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 \
    priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=\
    192.168.5.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 \
    src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 \
    dst-address-list=2XX src-address=192.168.98.0/24 \
    src-address-list=XX
/ip ipsec peer
add address=XX/32 comment=VPN_Tivoli dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=XX2/32 comment=VPN_Velletri dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=\
    aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=\
    port-override local-address=192.168.98.4
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio profile=L2TP-IN-Profile service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:38 pm

Well, in your export from today I can see, at the peer in question, "disabled=yes", which was not there in your first export, so I guess you've found how to disable it.

Now, "/ip ipsec peer print" should show the static peers and also the dynamic one created by the L2TP server. If the dynamic peer is not there, the L2TP server has not created it, so try to disable and then re-enable the L2TP server. If it is there, please replace all passwords with xxxxxx and paste here the output for all peers, not just the dynamic one.
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:40 pm

> Well, in your today's export I can see, at the peer in question, "disabled=yes" which was not there in your first export, so I guess you've found how to disable it.
>
> Now, "/ip ipsec peer print" should show the static peers and also the dynamic one created by the L2TP server. If the dynamic peer is not there, the L2TP server has not created it, so try to disable and then re-enable the L2TP server. If it is there, please replace all passwords with xxxxxx and paste here the output for all peers, not just the dynamic one.
Yes, it's created:
[admin@MikroTik] >> /ip ipsec  peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; VPN_Tivoli
       address=xxx/32 auth-method=pre-shared-key secret="xx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 1     ;;; VPN_Velletri
       address=xxx/32 auth-method=pre-shared-key secret="xx*" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 2  DR address=::/0 passive=yes auth-method=pre-shared-key secret="xx" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:42 pm

OK. And if you try to connect your client now, do you still get the same log messages as you did before, or something else?
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:46 pm

> OK. And if you try to connect your client now, you still get the same log messages like you did before or something else?
"Failed to pre-process ph2 packet"
"peer sent packet for dead phase2"
Last edited by ibrahimovich87 on Mon Jan 15, 2018 12:48 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:48 pm

What kind of remote device do you try to connect?
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 12:49 pm

> What kind of remote device do you try to connect?
iPhone 5s, and I'm trying with Windows 10 too... same error.

This is the report:
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:00 pm

OK, we're getting somewhere :-) The lines right before the red one saying "Failed to pre-process ph2 packet" are important:
no template matches
failed to get proposal for responder

A look at your exported config shows the following:
/ip ipsec policy
set 0 disabled=yes
So the default policy template referring to default IPsec proposal is disabled. Try
/ip ipsec policy set 0 disabled=no
(or use mouse to re-enable the template) and try to connect the phone again.
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:03 pm

> OK, we're getting somewhere :-) The lines right before the red one saying "Failed to pre-process ph2 packet" are important:
> no template matches
> failed to get proposal for responder
>
> A look at your exported config shows the following:
> /ip ipsec policy
> set 0 disabled=yes
> So the default policy template referring to default IPsec proposal is disabled. Try
> /ip ipsec policy set 0 disabled=no
> (or use mouse to re-enable the template) and try to connect the phone again.
OK, connected, but now I have another problem: if I try to connect via RDP to a remote server, I cannot connect to it.

The 192.168.98.4 IP is my MikroTik router's IP; is it correct that I receive this IP?
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:20 pm

That IP in the log says that out of all the Mikrotik's own IPs, this one receives the IPsec packets from the client, so it is fine. You should see somewhere in the ppp server window that client Fabio is connected and which IP address it has been assigned (or use "/interface l2tp-server print"). Also deep in the iPhone's menu you might be able to see the IP you've received.

Now, can you use something other than RDP to test whether the iPhone can connect at least somewhere? E.g., the web interface of the MikroTik itself, but while the iPhone is connected to a network from which it certainly cannot get there any other way than via the tunnel?
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:29 pm

> That IP in the log says that out of all the Mikrotik's own IPs, this one receives the IPsec packets from the client, so it is fine. You should see somewhere in the ppp server window that client Fabio is connected and which IP address it has been assigned (or use "/interface l2tp-server print"). Also deep in the iPhone's menu you might be able to see the IP you've received.
>
> Now can you use something else than RDP to test whether the iPhone can connect at least somewhere? E.g., the web interface of Mikrotik itself but when the iPhone is connected to such a network that it would be sure that it cannot get there any other way than via the tunnel?
The IP is 192.168.98.70. See this strange thing...

First... I connect the L2TP VPN... when I'm connected, I try to connect via RDP to my server and I can connect to it too... if I close the RDP connection (but not the VPN) and retry connecting to my server via RDP, it is not possible to connect to it.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:36 pm

192.168.98.4 is Mikrotik
192.168.98.70 is the client via L2TP
what is the IP of the server and how is it connected to the Mikrotik?
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:38 pm

> 192.168.98.4 is Mikrotik
> 192.168.98.70 is the client via L2TP
> what is the IP of the server and how is it connected to the Mikrotik?
192.168.98.222
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 1:53 pm

So everything in the same subnet except that the server is on the LAN and the client is connected via L2TP.

Normally, I would expect that the end of this manual chapter is relevant, you have to permit proxy-arp functionality at the LAN interface to which the server is connected, but your configuration export says:
/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge
What is unusual, though, is that the IP address of the Mikrotik itself, 192.168.98.4, is assigned to "ether2" which itself is a member interface of a bridge named "bridge". So please activate safe mode and change the interface for that IP address from "ether2-master" to "bridge". That change should not break anything but better safe than sorry.
 
ibrahimovich87
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jun 22, 2017 6:10 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 2:04 pm

> So everything in the same subnet except that the server is on the LAN and the client is connected via L2TP.
>
> Normally, I would expect that the end of this manual chapter is relevant, you have to permit proxy-arp functionality at the LAN interface to which the server is connected, but your configuration export says:
> /interface bridge
> add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
>     igmp-snooping=yes name=bridge
> What is unusual, though, is that the IP address of the Mikrotik itself, 192.168.98.4, is assigned to "ether2" which itself is a member interface of a bridge named "bridge". So please activate safe mode and change the interface for that IP address from "ether2-master" to "bridge". That change should not break anything but better safe than sorry.
So I've activated safe mode; how do I do the other?
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2PT VPN

Mon Jan 15, 2018 2:14 pm

Safe mode can only be activated in one management session. So if you have activated it somewhere else than in the console (the command line window), deactivate it there, then press Ctrl-X in the console window; you should see <SAFE> in the prompt.

Then, "/ip address print" shows you all IP addresses with line numbers starting from 0 in the leftmost column. Find the number of 192.168.98.4; you will use it to replace N in the command below:

/ip address set N interface=bridge

Then, do "/ip address print" again to see the change and make sure that you haven't lost the connection.
If you get the response and see that the interface has changed, you may press Ctrl-X again to make the change permanent and try the RDP disconnection and re-connection again.
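An added example, not from sindy's post: the same change as "/ip address set N interface=bridge", but selecting the entry by its address instead of the print index N, and showing the bound interface before and after so the result can be checked before Ctrl-X commits it. It is meant to be pasted into the console session in which safe mode is active.

```routeros
# Added example (not from the thread): move the LAN address of the Mikrotik
# from its current interface to "bridge", matching by address rather than by
# the line number shown in "/ip address print".
:local lanAddr "192.168.98.4/24"
:local id [/ip address find address=$lanAddr]
# Abort instead of running "set" on an empty list if the address is not there.
:if ([:len $id] = 0) do={ :error ("no /ip address entry for " . $lanAddr) }
:put ("before: " . [/ip address get $id interface])
/ip address set $id interface=bridge
:put ("after:  " . [/ip address get $id interface])
# Still in safe mode at this point: if the session drops now, the change is
# rolled back. Press Ctrl-X to leave safe mode and keep it.
```

If the second line printed says "bridge" and the console still responds, leave safe mode with Ctrl-X before closing the session; closing it while still in safe mode reverts the change.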
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Mon Jan 15, 2018 3:57 pm

> Safe mode can only be activated in one management session. So if you have activated it somewhere else than in the console (the command line window), deactivate it there, then press Ctrl-X in the console window; you should see <SAFE> in the prompt.
>
> Then, "/ip address print" shows you all IP addresses with line numbers starting from 0 in the leftmost column. Find the number of 192.168.98.4; you will use it to replace N in the command below:
>
> /ip address set N interface=bridge
>
> Then, do "/ip address print" again to see the change and make sure that you haven't lost the connection.
> If you get the response and see that the interface has changed, you may press Ctrl-X again to make the change permanent and try the RDP disconnection and re-connection again.
Seems to be all ok!!! THANK YOU!! VERY VERY THANK YOU!!!!!
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Mon Jan 15, 2018 4:48 pm

You're welcome (Prego / нема на чему).
If a topic's initial issue got resolved, it is a good idea to mark the final answer as "solved" so that other people searching the forum can see that. I assume only the OP (original poster) may set such verdict.
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Mon Jan 15, 2018 9:58 pm

> You're welcome (Prego / нема на чему).
> If a topic's initial issue got resolved, it is a good idea to mark the final answer as "solved" so that other people searching the forum can see that. I assume only the OP (original poster) may set such verdict.
Hi sindy... I've got a problem connecting from my home with Windows 10..... the first time I'm connected but I can't log in to my server, I tried too many times to ping the server but only timeout.... after 10 minutes and a lot of manual disconnections from the VPN I finally logged in to my server....
I ping from my server to my VPN IP (assigned IP) and it's not possible,
I'm trying to connect via Winbox using the internal IP but it's not possible
Now it's disconnecting (from the server) and I cannot log in
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Tue Jan 16, 2018 1:56 pm

You haven't written whether the problem at home is only with Win10 or also with the iPhone. If iPhone works both at home and in the office/school, the issue may be related to difference between iOS and Windows in handling L2TP over IPsec; if none of the two works at home, something regarding the network may be related.
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Tue Jan 16, 2018 5:56 pm

> You haven't written whether the problem at home is only with Win10 or also with the iPhone. If iPhone works both at home and in the office/school, the issue may be related to difference between iOS and Windows in handling L2TP over IPsec; if none of the two works at home, something regarding the network may be related.
I've tried to connect via phone via my network and all is fine; if I connect via my network with my PC I have this problem
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Tue Jan 16, 2018 6:18 pm

OK. So it looks like the client on the PC has an issue, or maybe your home router does? If you do not try to connect the iPhone at home and start with the Windows machine at once, 24 hours after the last connection of the iPhone, does the problem also exist?
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Tue Jan 16, 2018 6:46 pm

Ok,

I've got the same problem if I try to connect via iPhone using a 4G connection.... I can connect to the VPN but I cannot connect to my server the second time I've tried
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Tue Jan 16, 2018 6:58 pm

OK. Try to create a new IP subnet at the Mikrotik which will only be used for the L2TP connection, so that packets between devices on local LAN and L2TP clients would be routed rather than bridged. If that helps, the issue is somehow related to ARP proxying. If so, you may either keep it that way or try to find out what's wrong with the arp proxying.
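An added example, not from sindy's post, of the separate subnet suggested above: L2TP clients get addresses from 192.168.99.0/24, so a packet between a client and a LAN host on 192.168.98.0/24 is routed by the Mikrotik instead of being answered on the LAN by proxy-arp. The subnet, the pool name "l2tp-pool" and the profile name "l2tp-routed" are assumed values.

```routeros
# Added example (not from the thread): a dedicated, routed subnet for L2TP clients.
# Subnet 192.168.99.0/24, pool "l2tp-pool" and profile "l2tp-routed" are assumptions.
/ip pool add name=l2tp-pool ranges=192.168.99.10-192.168.99.50
# local-address becomes the router's end of every tunnel, remote-address is
# handed to the client; both are outside the LAN subnet, so there is nothing
# for proxy-arp to answer on the bridge any more.
/ppp profile add name=l2tp-routed local-address=192.168.99.1 \
    remote-address=l2tp-pool
# Make the L2TP server and every existing secret use the new profile, so no
# client keeps getting an address from the old (LAN) range.
/interface l2tp-server server set default-profile=l2tp-routed
/ppp secret set [find] profile=l2tp-routed
# Check after a client has connected: its /32 must show up as a dynamic route
# via the l2tp-in interface, which is what the LAN hosts then reach it through.
/ip route print where dst-address~"192.168.99."
```

A Windows client that does not send all traffic through the tunnel only gets a route for its own classful network, so it additionally needs a route to 192.168.98.0/24 via the tunnel; a client that uses the VPN as default gateway needs nothing extra.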
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 8:43 am

One more idea, maybe you simply haven't left the safe mode before logging off the RouterBoard or disconnecting after you have changed the interface to which your LAN IP is attached, so it got back to "ether2" from "bridge"? The safe mode works exactly that way - if the management session where the safe mode was activated gets broken in any way, even by a clean logout, all changes made since activation of safe mode are reverted.
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 10:09 am

> One more idea, maybe you simply haven't left the safe mode before logging off the RouterBoard or disconnecting after you have changed the interface to which your LAN IP is attached, so it got back to "ether2" from "bridge"? The safe mode works exactly that way - if the management session where the safe mode was activated gets broken in any way, even by a clean logout, all changes made since activation of safe mode are reverted.
I've changed nothing and for now with my phone it's working... I have to test this evening at home.... is there anything else I have to check?
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 10:14 am

What is the result of "/ip address export" right now?
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 1:08 pm

> What is the result of "/ip address export" right now?
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=192.168.98.0
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 1:47 pm

So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed the Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.

So repeat the steps described in post #26 of this topic, except that after changing the interface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.

This should be enough. If evening shows that it was not, you'll have to add the second subnet as suggested in post #34.
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Wed Jan 17, 2018 3:45 pm

> So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed the Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.
>
> So repeat the steps described in post #26 of this topic, except that after changing the interface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.
>
> This should be enough. If evening shows that it was not, you'll have to add the second subnet as suggested in post #34.
It seems to be ok,

this evening I will try it at home, sorry but I'm a very, very newbie with routing and Mikrotik in general
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Thu Jan 18, 2018 4:20 pm

> So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed the Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.
>
> So repeat the steps described in post #26 of this topic, except that after changing the interface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.
>
> This should be enough. If evening shows that it was not, you'll have to add the second subnet as suggested in post #34.
Thank you very much ;-)

Can I write in PVT for another question?
 
sindy (Forum Guru)

Re: Problem with L2PT VPN

Thu Jan 18, 2018 5:19 pm

> Can I write in PVT for another question?
Yes, if you know how. I cannot use the "contact XXX" link at your user page and haven't found any setting relevant to private message permission in the outgoing direction - in incoming direction, I have them permitted by default. Maybe you have forbidden it in your own settings, maybe I have not enough karma to do so. No idea.
 
ibrahimovich87 (Topic Author)

Re: Problem with L2PT VPN

Fri Jan 19, 2018 11:35 am

> Can I write in PVT for another question?
> Yes, if you know how. I cannot use the "contact XXX" link at your user page and haven't found any setting relevant to private message permission in the outgoing direction - in incoming direction, I have them permitted by default. Maybe you have forbidden it in your own settings, maybe I have not enough karma to do so. No idea.
Don't know.... OK, I'll open another thread
