AlexPopov
just joined
Topic Author
Posts: 5
Joined: Wed May 16, 2012 9:58 am

L2TP IPSec VPN not working from W10 (other Windows connects OK)

Wed Mar 25, 2020 3:23 pm

Good day!
RB2011UiAS ROS 6.46.4

I've set up a VPN connection to my corporate gateway RB2011 with L2TP and IPSec.
My client is a W10 PC, and when I connect to the VPN nothing happens (Connecting...) after entering credentials.

The strange thing is that another client with a Windows PC connects successfully.


L2TP config:
/ppp profile
add bridge=bridge-local change-tcp-mss=yes dns-server=<DNS1 IP Addr>,<DNS2 IP Addr> local-address=<Core GW IP> name=l2tp remote-address=vpn.it.adm \
use-compression=yes use-encryption=yes
add bridge=bridge-local change-tcp-mss=yes dns-server=<DNS1 IP Addr>,<DNS2 IP Addr> local-address=<Core GW IP> name="l2tp-2 (sub)" remote-address=\
vpn.it.sub use-compression=yes use-encryption=yes
/ppp secret
add name=user123 password=1234567 profile=l2tp service=l2tp
add name=user456 password=1234567 profile="l2tp-2 (sub)" service=l2tp



IPSec config: (AA.AAA.AAA.AA - gateway Internet IP address)
/ip ipsec mode-config
add address-pool=vpn.it.adm name=cfg1
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
add dh-group=modp1024 name=profile_2 nat-traversal=no
/ip ipsec peer
add address=AA.AAA.AAA.AA/32 name=peer3 profile=profile_2
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=3des name=proposal1 pfs-group=none
/ip ipsec identity
# address ID must be used in main mode or use my-id=auto!
add generate-policy=port-override mode-config=cfg1 my-id=user-fqdn peer=peer1 remote-id=ignore secret=123
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer3 secret=test
add auth-method=pre-shared-key-xauth password=123 username=user1
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 proposal=proposal1 src-address=0.0.0.0/0
add dst-address=XXX.XXX.XXX.0/24 peer=peer3 sa-dst-address=AA.AAA.AAA.AA sa-src-address=0.0.0.0 src-address=XXX.XXX.XXX.0/24 tunnel=yes



Log: (AA.AAA.AAA.A - my "real" Internet IP address, BBB.BBB.BBB.BB - client IP address)

16:00:57 ipsec,info respond new phase 1 (Identity Protection): AA.AAA.AAA.A[500]<=>BBB.BBB.BBB.BB[27097]
16:00:58 ipsec,info ISAKMP-SA established AA.AAA.AAA.A[4500]-BBB.BBB.BBB.BB[46871] spi:07e02ea806179125:b1fbf4fae1bac4fc
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:00:59 l2tp,debug,packet (M) Message-Type=SCCRQ
16:00:59 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:00:59 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:00:59 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:00:59 l2tp,debug,packet Firmware-Revision=0xa00
16:00:59 l2tp,debug,packet (M) Host-Name="nb01.tstp.int"
16:00:59 l2tp,debug,packet Vendor-Name="Microsoft"
16:00:59 l2tp,debug,packet (M) Assigned-Tunnel-ID=19
16:00:59 l2tp,debug,packet (M) Receive-Window-Size=8
16:00:59 l2tp,info first L2TP UDP packet received from BBB.BBB.BBB.BB
16:00:59 l2tp,debug tunnel 7 entering state: wait-ctl-conn
16:00:59 l2tp,debug,packet sent control message to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=0, ns=0, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=SCCRP
16:00:59 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:00:59 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:00:59 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:00:59 l2tp,debug,packet Firmware-Revision=0x1
16:00:59 l2tp,debug,packet (M) Host-Name="gw1"
16:00:59 l2tp,debug,packet Vendor-Name="MikroTik"
16:00:59 l2tp,debug,packet (M) Assigned-Tunnel-ID=7
16:00:59 l2tp,debug,packet (M) Receive-Window-Size=4
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=7, session-id=0, ns=1, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=SCCCN
16:00:59 l2tp,debug tunnel 7 entering state: estabilished
16:00:59 l2tp,debug,packet sent control message (ack) to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=0, ns=1, nr=2
16:00:59 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=7, session-id=0, ns=2, nr=1
16:00:59 l2tp,debug,packet (M) Message-Type=ICRQ
16:00:59 l2tp,debug,packet (M) Assigned-Session-ID=1
16:00:59 l2tp,debug,packet (M) Call-Serial-Number=0
16:00:59 l2tp,debug,packet (M) Bearer-Type=0x2
16:00:59 l2tp,debug,packet 1(vendor-id=311)=0x59:45:ac:39:17:0e:4f:48:a7:37:ad:09:b3:31:fc:a8
16:00:59 l2tp,debug session 1 entering state: wait-connect
16:00:59 l2tp,debug,packet sent control message to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:00:59 l2tp,debug,packet tunnel-id=19, session-id=1, ns=1, nr=3
16:00:59 l2tp,debug,packet (M) Message-Type=ICRP
16:00:59 l2tp,debug,packet (M) Assigned-Session-ID=1
16:01:00 l2tp,debug,packet rcvd control message from BBB.BBB.BBB.BB:1701 to AA.AAA.AAA.A:1701
16:01:00 l2tp,debug,packet tunnel-id=7, session-id=1, ns=3, nr=2
16:01:00 l2tp,debug,packet (M) Message-Type=ICCN
16:01:00 l2tp,debug,packet (M) Tx-Connect-Speed-BPS=72200000
16:01:00 l2tp,debug,packet (M) Framing-Type=0x1
16:01:00 l2tp,debug,packet Proxy-Authen-Type=4
16:01:00 l2tp,debug session 1 entering state: established
16:01:00 l2tp,debug,packet sent control message (ack) to BBB.BBB.BBB.BB:1701 from AA.AAA.AAA.A:1701
16:01:00 l2tp,debug,packet tunnel-id=19, session-id=0, ns=2, nr=4
16:01:00 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP lowerup
16:01:00 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP open
16:01:01 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:01 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x1
16:01:01 l2tp,ppp,debug,packet <mru 1372>
16:01:01 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:01 l2tp,ppp,debug,packet <auth mschap2>
16:01:02 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:02 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x2
16:01:02 l2tp,ppp,debug,packet <mru 1372>
16:01:02 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:02 l2tp,ppp,debug,packet <auth mschap2>
16:01:03 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:03 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x3
16:01:03 l2tp,ppp,debug,packet <mru 1372>
16:01:03 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:03 l2tp,ppp,debug,packet <auth mschap2>
16:01:05 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:05 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x4
16:01:05 l2tp,ppp,debug,packet <mru 1372>
16:01:05 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:05 l2tp,ppp,debug,packet <auth mschap2>
16:01:09 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:09 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x5
16:01:09 l2tp,ppp,debug,packet <mru 1372>
16:01:09 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:09 l2tp,ppp,debug,packet <auth mschap2>
16:01:14 l2tp,ppp,debug <BBB.BBB.BBB.BB>: LCP timer
16:01:14 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x6
16:01:14 l2tp,ppp,debug,packet <mru 1372>
16:01:14 l2tp,ppp,debug,packet <magic 0x1062fc9c>
16:01:14 l2tp,ppp,debug,packet <auth mschap2>
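
An added example (not part of the original post, and not MikroTik code): a small Python triage script that walks a RouterOS debug log like the one above and reports the last handshake stage reached and where it stalled. The sample lines are a condensed, constructed subset of the posted log, and the `rcvd LCP` pattern for inbound packets is an assumption modelled on the `sent LCP` lines.

```python
import re

# Constructed sample: a condensed subset of the log lines in the post above.
SAMPLE_LOG = """\
16:00:58 ipsec,info ISAKMP-SA established AA.AAA.AAA.A[4500]-BBB.BBB.BBB.BB[46871]
16:00:59 l2tp,debug tunnel 7 entering state: estabilished
16:01:00 l2tp,debug session 1 entering state: established
16:01:01 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x1
16:01:02 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x2
16:01:03 l2tp,ppp,debug,packet <BBB.BBB.BBB.BB>: sent LCP ConfReq id=0x3
"""

# Ordered handshake stages and the log pattern that proves each was reached.
# "estabilished" is the spelling used for the tunnel state in the posted log.
STAGES = [
    ("ipsec-phase1", re.compile(r"ipsec,info ISAKMP-SA established")),
    ("l2tp-tunnel", re.compile(r"tunnel \d+ entering state: estabi?lished")),
    ("l2tp-session", re.compile(r"session \d+ entering state: established")),
]
LCP_SENT = re.compile(r"sent LCP ConfReq id=(0x[0-9a-f]+)")
# Assumption: inbound LCP packets are logged as "rcvd LCP ...", mirroring "sent LCP".
LCP_RCVD = re.compile(r"rcvd LCP (\w+)")

def diagnose(log_text):
    """Return the stages reached and where the L2TP/IPsec handshake stalled."""
    reached, sent_ids, rcvd = [], [], 0
    for line in log_text.splitlines():
        for name, pattern in STAGES:
            if name not in reached and pattern.search(line):
                reached.append(name)
        m = LCP_SENT.search(line)
        if m:
            sent_ids.append(m.group(1))
        elif LCP_RCVD.search(line):
            rcvd += 1
    missing = [name for name, _ in STAGES if name not in reached]
    if missing:
        stalled_at = missing[0]          # first stage that never completed
    elif sent_ids and rcvd == 0:
        stalled_at = "ppp-lcp (ConfReq retransmitted, no LCP received from client)"
    else:
        stalled_at = None                # no stall visible in this log
    return {"reached": reached, "lcp_sent": sent_ids, "lcp_rcvd": rcvd,
            "stalled_at": stalled_at}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, all three lower stages complete and the stall is reported at PPP LCP: the router keeps retransmitting ConfReq and logs nothing received from the client.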
 
szymonzdziabek
just joined
Posts: 10
Joined: Wed Mar 25, 2020 1:01 pm
Location: Poland

Re: L2TP IPSec VPN not working from W10 (other Windows connects OK)

Wed Mar 25, 2020 3:58 pm

A few days ago I had the same issue (Windows 10 build 1909). Nothing was changed on the router side. Restarting the router had no effect. I connected successfully using my second PC with an older build of Win10. The next day everything was fine using any of my PCs...
 
CZFan
Forum Guru
Posts: 1637
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: L2TP IPSec VPN not working from W10 (other Windows connects OK)

Thu Mar 26, 2020 3:11 am

Can possibly be two scenarios, one is a registry change if any of the devices are behind NAT.

Other is you need to connect using start->settings->VPN->the VPN you want to connect and click on connect there
MTCNA, MTCTCE, MTCRE & MTCINE
 
carl0s
Frequent Visitor
Posts: 72
Joined: Thu Jun 25, 2009 7:18 pm

Re: L2TP IPSec VPN not working from W10 (other Windows connects OK)

Thu Mar 26, 2020 11:47 am

Other is you need to connect using start->settings->VPN->the VPN you want to connect and click on connect there
Yes I agree it is this. Common Windows 10 problem. Usually after connecting once this long-winded way, you can connect again via the network connections popup in the corner.
 
lferolm
just joined
Posts: 1
Joined: Thu Mar 26, 2020 3:21 pm

Re: L2TP IPSec VPN not working from W10 (other Windows connects OK)

Thu Mar 26, 2020 3:45 pm

Hi,

I'm having a similar problem. Some W10 machines do not connect; other OSes do, like Mac or MikroTik.

After some testing, if I disable IPSEC in MikroTik, it works with user/pass.

Using IPSEC, the behavior is that the W10 tries to connect, the SA is established but no first packet is received. In the SA, the W10 tries to connect from 1701 and that's the reason for not finishing the connection and no packet being received. Other OSes try to use a different source port, for example Mac uses 52948, and it works. I do not know why W10 is not changing the origin port to a different one, since W10 is the client and not the server.

Any ideas how to solve this?

thanks.
http://ibb.co/hLfdTGD
https://ibb.co/6tNTq5C
Last edited by lferolm on Thu Mar 26, 2020 3:47 pm, edited 1 time in total.
