eggzlot
just joined
Topic Author
Posts: 9
Joined: Thu Dec 14, 2017 2:20 am

iOS VPN Issues

Wed Jan 17, 2018 7:08 pm

So I am a newbie with Mikrotik so any help in layman's terms would be appreciated :D
Current set up is with Verizon Fios:
ONT > ethernet > Fios router (Actiontec) > Mikrotik
Nothing is plugged into the Fios router, it is just serving as the MoCA bridge for the cable boxes.
I have 2 Cisco switches (SG300 and SG220), 1 is plugged into the Tik and one is plugged into the first Cisco switch.

I can do a PPTP VPN without a problem but having issues with L2TP/iOS access. I did some googling, found some other threads but never really saw a resolution I could understand.

Can anyone help provide a solution?

Thank you!
 
eggzlot
just joined
Topic Author
Posts: 9
Joined: Thu Dec 14, 2017 2:20 am

Re: iOS VPN Issues

Fri Jan 19, 2018 9:53 pm

just wanted to bump - anyone have any insight?
I am not married to L2TP, ikev2 would be fine as well. Just looking for the ability to remotely access some of my system when I am out and about away from home.
 
sindy
Forum Guru
Posts: 3906
Joined: Mon Dec 04, 2017 9:19 pm

Re: iOS VPN Issues

Sat Jan 20, 2018 3:25 am

The author of this topic seems to have succeeded with L2TP connection of an iOS client to Mikrotik. While I seem to be responsible for his Mikrotik configuration to finally start working, I have no clue what wizardry was needed on the iOS side, so you'll have to ask him.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: iOS VPN Issues

Sat Jan 20, 2018 3:12 pm

It's not that complicated to connect an iOS device to MikroTik over an L2TP/IPsec tunnel.
Post your export here by executing the command:
/export hide-sensitive
 
eggzlot
just joined
Topic Author
Posts: 9
Joined: Thu Dec 14, 2017 2:20 am

Re: iOS VPN Issues

Sat Jan 20, 2018 11:19 pm

I am super new per my first line in my original post - how do I run a script?
 
eggzlot
just joined
Topic Author
Posts: 9
Joined: Thu Dec 14, 2017 2:20 am

Re: iOS VPN Issues

Sun Jan 21, 2018 12:47 am

Also, if I understood the other post, at least parts of it, he was using a modem and put it in bridge mode or something. I have a friend, more technical than me with some Tik experience, who explained it thus:

----
You are behind a Firewall/NAT from Verizon. Verizon is not allowing the vpn policy and peer to pass thru to the Tik. That is where the problem is.

I use an iPhone and a Comcast modem and connect to my home with zero problems using L2TP with IPsec. Comcast provides router/modem combos but during install, you request their device to be in Bridge mode, which shuts down any Firewall/NAT on that device. Basically it’s used as a pass-thru device. My Tik provides all protection.
----
I believe I cannot set it up like he sets up his because I want to use the Fios Mobile Apps so I need the fios router on normal mode, not in bridge mode.
Does that make more sense?
 
sindy
Forum Guru
Posts: 3906
Joined: Mon Dec 04, 2017 9:19 pm

Re: iOS VPN Issues

Sun Jan 21, 2018 12:26 pm

Does that make more sense?
Yes. However, I'm from the old school which has taught us that a title is something that should briefly summarize what the rest is about. So your title was implying that everything works except the iOS side configuration :-)

A layman's reading of a text dealing with a subject he has not met before usually becomes a lot more effective if he looks up unknown abbreviations and terms on the internet. So I'll try to put it simply but will not explain each term, OK?

So now everything turns around two simple questions:
  • do you have enough permissions to do any configuration of the fios router at all?
  • does your fios router have a public IP address on its internet-facing interface?
If the answer to any of these two questions is "no", full stop.

Otherwise, what you need is to set up "tunnelling" or "port forwarding" (different vendors give the same thing different names) for UDP ports 500, 1701 and 4500 from the internet-facing interface of the fios router to the private IP address it assigns to your Mikrotik. So when a UDP packet comes to the fios router from the internet to any of these ports, the fios router doesn't attempt to handle it on its own and forwards it to the same port on Mikrotik's internet-facing address. And, symmetrically, when the Mikrotik sends a packet from any of these ports towards the internet, the fios router lets it pass through, just changing its source address from the Mikrotik's one to its own one.

Or, if there is a setting like "DMZ" (de-militarized zone) on the fios router, you can use that one to do about the same for all ports of all protocols, except those which the fios router uses itself. Be sure that you have firewall rules active on your Mikrotik if you want/have to use the DMZ mode. But be aware that DMZ is not the same as bridge mode, NAT will still be active.

If you succeed here, the standard "L2TP with use-ipsec=yes" configuration of your Mikrotik should work. On the iOS device, you would just indicate the public IP address of the fios router as "server" in the VPN configuration of your Apple device.
 
eggzlot
just joined
Topic Author
Posts: 9
Joined: Thu Dec 14, 2017 2:20 am

Re: iOS VPN Issues

Tue Jan 23, 2018 5:16 am

Thanks @sindy
I have those ports forwarded already on the Fios router. The rule is GRE, ESP, AH, UDP Any > 500, UDP Any > 4500 and UDP Any > 1701
On the Fios UI I went and set up the Tik as DMZ, so the Tik has a 192.168.x.x address on the Fios network so I put that into the DMZ set up. The Tik spits out 10.x.x.x for my home network.

Not sure what you mean by L2TP with use-ipsec=yes - when I google that I get some long scripting stuff from the Wiki that is past my knowledge.

I went into Secrets on the UI, I've created a few profiles, some with "any" and some specific to "l2tp". The "any" profiles I can connect with an Android device, though on Android I did set up PPTP, so that is why that works. On the "any" or l2tp-specific profiles I tried to connect with my iOS and no luck. I swapped out the server name (the cloud name I got from Tik) for my IP address but that did not work (I thought that is what you referenced below). On the profiles on the Secrets tab all I do is select enabled, add a username (Name), a password, a service... profile I leave as default, local address I put in the Tik address that it is serving up (again the Fios broadcasts 192.168.x.x, so the Tik is at 192.168.x.x, but in this field I put in 10.13.x.x which is how I pull up the Tik UI), for remote address I put in my public IP address. I leave Routes blank, caller ID blank, as well as the limit on bytes in/out.

It is working for PPTP, just not L2TP.

I have RSA SecurID off, the password and secret on the iOS interface I believe is the same so I put the same thing down. I have send all traffic selected. And for Proxy I have it as off (vs Manual or Auto)

Am I on the right path?
 
sindy
Forum Guru
Posts: 3906
Joined: Mon Dec 04, 2017 9:19 pm

Re: iOS VPN Issues

Tue Jan 23, 2018 10:29 am

I have those ports forwarded already on the Fios router. The rule is GRE, ESP, AH, UDP Any > 500, UDP Any > 4500 and UDP Any > 1701
on the Fios UI I went and set up the Tik as DMZ
If you have DMZ set for Tik's 192.168.x.x (internet-facing) address, there is no need to use port forwarding rules.
If you didn't use DMZ, out of all your port-forwarding rules only those UDP Any -> (500,1701,4500) would be necessary for L2TP over IPsec, as in this case the L2TP is tunnelled inside ESP, which itself is tunnelled inside UDP.

not sure what you mean by L2TP with use-ipsec=yes - when I google that I got some long scripting stuff from the Wiki that is past my knowledge
Well, I've used a scripting notation for an item which is available as a drop-down menu in WinBox (the application for Tik configuration) and WebFig (Tik's configuration web interface). So about L2TP/IPsec from scratch:
  • unless you have some reason not to do so, remove any IPsec configurations you may have done, keep just the default ones in place (policy template & proposal), remove any peer eventually created; if you have a reason not to do so, say something about it
  • go to PPP->L2TP Server, check the checkbox "Enabled", choose "required" in "Use IPsec" and fill in the "secret" accordingly. This will create a dynamic IPsec peer configuration with the necessary settings.

I went into Secrets on the UI...
I swapped out the server name (the cloud name I got from tik) for my IP address...
On the profiles on the secrets tab all I do is select enabled, add a username (Name), a password, a service...profile I leave as default, local address I put in the tik address that it is serving up (again the fios broadcasts 192.168.x.x. so the tik is at 192.168.x.x. but in this field I put in 10.13.x.x which is how I pull up the Tik UI),
for remote address I put in my public IP address
The first bold point - should not matter. I've just tested that Mikrotik's cloud DNS service registers the public address through which the Mikrotik is visible to the world, it just murmurs internally that the address differs from its own one so something may not work as expected.
The second bold point is wrong. The remote address is what will be assigned to the client once he authorizes. So you can either use the name of the dhcp pool matching the 10.13.x.x subnet, or a particular address from there.

I have RSA SecurID off, the password and secret on the iOS interface I believe is the same so I put the same thing down.
Wrong. The secret must match the one you have set at the L2TP server page of your Tik (must be the same at all your iPhones), while the password is the one you have set at the PPP secrets page individually per user (representing a device, i.e. each of your iPhones should use a different username and password, otherwise they would fight for the same address).


One more point - if you have configured a bridge for your 10.13.x.x subnet, double-check that Tik's IP address from this subnet is attached to the bridge, not to one of its member Ethernet interfaces. If it is not, change that. Then, go to the settings of the bridge and change the ARP setting from "enabled" to "proxy-arp".
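As an added example (not posted by anyone in this thread), here is the configuration sindy walks through above, in RouterOS CLI form as you would paste it into a WinBox terminal. It assumes ether1 faces the Fios router, the LAN bridge is named "bridge", the LAN is 10.13.0.0/24, and every "CHANGE_ME" value is a placeholder:

```routeros
# Added example, not from the thread. Assumes ether1 faces the Fios router,
# the LAN bridge is named "bridge" and the LAN is 10.13.0.0/24; adjust to taste.

# 1. L2TP server with mandatory IPsec; this creates the dynamic IPsec peer
#    (the "L2TP with use-ipsec=yes" item from the thread, set to "required").
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="CHANGE_ME_SHARED_SECRET" \
    default-profile=default-encryption

# 2. Addresses handed to VPN clients: a pool inside the LAN subnet, referenced
#    by the PPP profile instead of typing the public IP into "remote address".
/ip pool
add name=vpn-pool ranges=10.13.0.200-10.13.0.220
/ppp profile
set default-encryption local-address=10.13.0.1 remote-address=vpn-pool

# 3. One secret per device. This password is per user and is NOT the IPsec
#    shared secret above (the password-vs-secret mix-up from the thread).
/ppp secret
add name=iphone-alice password="CHANGE_ME_USER_PASSWORD" service=l2tp \
    profile=default-encryption

# 4. Accept IKE, NAT-T and ESP on the WAN side, and accept L2TP (UDP/1701)
#    only when it arrived inside IPsec. These rules must sit above any
#    generic drop rule in chain=input, which matters in DMZ mode.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="ESP"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop comment="plain L2TP from the internet"

# 5. Let VPN clients reach LAN hosts: the 10.13.0.1 address must be on the
#    bridge itself (not a member port), and the bridge answers ARP for them.
/interface bridge
set [ find name=bridge ] arp=proxy-arp
```

Once a phone connects, `/ip ipsec active-peers print` and `/interface l2tp-server print` show the dynamic peer and the client interface, which is the quickest way to tell an IPsec failure from a PPP authentication failure.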
