joffrey575
just joined
Topic Author
Posts: 19
Joined: Sun Jun 16, 2019 3:43 pm

L2TP VPN classic configuration

Thu Oct 29, 2020 10:15 pm

L2TP VPN classic configuration

I want to set up a secure VPN for my home network.

It's important to note that my router already has an L2TP client interface to another Network Access Provider via BGP.

I'm stuck on the following problem:

LOGS
ipsec,debug add payload of len 52, next type 13 
ipsec,debug add payload of len 16, next type 13 
ipsec,debug add payload of len 16, next type 13 
ipsec,debug add payload of len 20, next type 0 
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec sent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec,info the packet is retransmitted by 77.204.176.9[1525]. 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec,info the packet is retransmitted by 77.204.176.9[1525]. 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec,info the packet is retransmitted by 77.204.176.9[1525]. 
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec,info the packet is retransmitted by 77.204.176.9[1525]. 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec,debug deleted the retransmission packet to 77.204.176.9[1525]. 
ipsec,info the packet is retransmitted by 77.204.176.9[1525]. 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 77.204.176.9 malformed cookie received. it has to be as the initiator. 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 77.204.176.9 malformed cookie received. it has to be as the initiator. 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 77.204.176.9 malformed cookie received. it has to be as the initiator. 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug ===== received 724 bytes from 77.204.176.9[1525] to 45.13.94.170[500] 
ipsec,debug 77.204.176.9 malformed cookie received. it has to be as the initiator. 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
l2tp,info first L2TP UDP packet received from 77.204.176.9
l2tp,debug tunnel 38 entering state: wait-ctl-conn 
l2tp,debug tunnel 38 entering state: dead 
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,debug 148 bytes from 45.13.94.170[500] to 77.204.176.9[1525] 
ipsec,debug 1 times of 148 bytes message will be sent to 77.204.176.9[1525] 
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2 
ipsec,error phase1 negociation failed due to time up 45.13.94.170[500]<=>77.204.176.9[1525]1ddabfc337ad5334:27ab8ad322357ad2
---------------------

My full configuration is at the end of the post.

But first, I list some suspected problems to be fixed if possible.

I have already checked:
-NAT table => no action = dst-nat
-routing BGP (network, peer) and routing filter

Maybe the problem comes from /ip firewall mangle, but I don't know exactly what these rules do:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes src-address=10.0.19.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
Or this?
/ip settings
set accept-redirects=yes accept-source-route=yes
Or /routing bgp instance?
set default disabled=yes
add as=65103 client-to-client-reflection=no name=AS65015_V4 redistribute-other-bgp=yes router-id=10.0.19.1 routing-table=vpn
---------------------

MY FULL CONFIGURATION
# oct/29/2020 20:24:38 by RouterOS 6.46.4
# software id = 6HR7-IG6H
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00XXXXXXXXX

/interface bridge
add name=Loopback0
add name=bridge1

/interface wireless
set [ find default-name=wlan2 ] country=france disabled=no mode=ap-bridge \
    ssid=home_jo_5Ghz

/interface list
add name=WAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=france disabled=no \
    frequency=2437 mode=ap-bridge security-profile=profile1 ssid=home_jo \
    wps-mode=disabled


/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec peer
# This entry is unreachable
add name=l2tpserver passive=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip pool
add name=LAN ranges=10.0.19.10-10.0.19.200

/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge1 name=LAN

/ppp profile
add local-address=10.0.19.1 name=ipsec_vpn

/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to=80.57.167.30 disabled=no \
    name=l2tp0 profile=default user=jo_cust
add allow=mschap2 allow-fast-path=yes connect-to=80.57.167.31 disabled=no \
    name=l2tp1 profile=default user=jo_cust

/routing bgp instance
set default disabled=yes
add as=65103 client-to-client-reflection=no name=AS65015_V4 \
    redistribute-other-bgp=yes router-id=10.0.19.1 routing-table=vpn
add as=65103 client-to-client-reflection=no name=AS65015_V6 \
    redistribute-other-bgp=yes router-id=10.1.0.212

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1

/ip settings
set accept-redirects=yes accept-source-route=yes

/interface l2tp-server server
set default-profile=ipsec_vpn enabled=yes use-ipsec=required

/interface list member
add interface=l2tp0 list=WAN
add interface=l2tp1 list=WAN

/ip address
add address=10.0.19.1/24 interface=bridge1 network=10.0.19.0
add address=45.13.94.170 interface=Loopback0 network=45.13.94.170

/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no

/ip dhcp-server lease
add address=10.0.29.200 mac-address=70:85:C2:B5:A5:74 server=LAN
add address=10.0.19.11 mac-address=E0:CB:4E:06:4A:F5 server=LAN

/ip dhcp-server network
add address=10.0.19.0/24 dns-server="80.67.169.12,80.67.169.40,37.187.16.17,52\
    .174.55.168,85.159.213.210,193.183.98.154" gateway=10.0.19.1 netmask=24

/ip dns
set servers="80.67.169.12,80.67.169.40,37.187.16.17,52.174.55.168,85.159.213.2\
    10,193.183.98.154"

/ip firewall filter
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
    disabled=yes dst-port=500,1701,4500 protocol=udp
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=input disabled=no protocol=ipsec-ah
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=forward
add action=accept chain=output

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
    src-address=10.0.19.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535

/ip firewall nat
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp0 \
    src-address=10.0.19.0/24 to-addresses=45.13.94.170
add action=src-nat chain=srcnat comment="L2TP MILKYWAN" out-interface=l2tp1 \
    src-address=10.0.19.0/24 to-addresses=45.13.94.170

...

add action=dst-nat chain=dstnat comment="HTTPS - server" dst-address=\
    45.13.94.170 dst-port=443 protocol=tcp to-addresses=10.0.29.200 \
    to-ports=443
add action=dst-nat chain=dstnat comment="HTTP - server" dst-address=\
    45.13.94.170 dst-port=80 protocol=tcp to-addresses=10.0.29.200 to-ports=\
    80
add action=dst-nat chain=dstnat comment="MAIL_MTP - server" dst-address=\
    45.13.94.170 dst-port=25 protocol=tcp to-addresses=10.0.29.200 to-ports=\
    25
add action=dst-nat chain=dstnat comment="MAIL_SMTPS - server" dst-address=\
    45.13.94.170 dst-port=465 protocol=tcp to-addresses=10.0.29.200 \
    to-ports=465
add action=dst-nat chain=dstnat comment="MAIL_SMTP - server" dst-address=\
    45.13.94.170 dst-port=587 protocol=tcp to-addresses=10.0.29.200 \
    to-ports=587
add action=dst-nat chain=dstnat comment="SSH - server" dst-address=\
    45.13.94.170 dst-port=4447 protocol=tcp to-addresses=10.0.29.200 \
    to-ports=4447
add action=dst-nat chain=dstnat comment="SSH - server" disabled=yes \
    dst-address=45.13.94.170 dst-port=4500 protocol=tcp to-addresses=\
    10.0.19.11 to-ports=4500

...

add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=\
    45.13.94.170
add action=masquerade chain=srcnat comment=HAIRPIN-NAT dst-address=\
    10.0.19.0/24 src-address=10.0.19.0/24

/ip ipsec identity
add generate-policy=port-override peer=l2tpserver

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip route rule
add action=lookup-only-in-table dst-address=10.0.19.0/24 table=main

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip smb shares
set [ find default=yes ] directory=/pub

/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

/ipv6 address
add address=XXXXXXXXXXXXXXXXXX interface=bridge1
add address=XXXXXXXXXXXXXXXXXXXX advertise=no interface=l2tp0
add address=XXXXXXXXXXXXXXXXXXXX advertise=no interface=l2tp1

/ppp secret
add local-address=10.0.19.1 name=jo profile=ipsec_vpn remote-address=\
    10.0.29.210 service=l2tp

/routing bgp network
add network=10.0.19.0/24 synchronize=no
add network=XXXXXXXXXXXXXXXXXXXX synchronize=no
add network=45.13.94.170/32 synchronize=no

/routing bgp peer
add in-filter=transit-in-57159-brs-v4 instance=AS65103_V4 name=\
    "Transit: MilkyWan brs [IPv4]" out-filter=transit-out-57159-brs-v4 \
    remote-address=10.1.0.123 remote-as=65006 ttl=default
add address-families=ipv6 in-filter=transit-in-57159-brs-v6 instance=\
    AS65103_V6 name="Transit: MilkyWan BRS [IPv6]" out-filter=\
    transit-out-57159-brs-v6 remote-address=2a0b:cbc0:1::111 remote-as=65006 \
    ttl=default
add address-families=ipv6 in-filter=transit-in-57159-vnx-v6 instance=\
    AS65103_V6 name="Transit: MilkyWan VNX (Backup) [IPv6]" out-filter=\
    transit-out-57159-vnx-v6 remote-address=2a0b:cbc0:1::115 remote-as=65002 \
    ttl=default
add in-filter=transit-in-57159-vnx-v4 instance=AS65103_V4 name=\
    "Transit: MilkyWan vnx [IPv4]" out-filter=transit-out-57159-vnx-v4 \
    remote-address=10.1.0.127 remote-as=65002 ttl=default

/routing filter
add action=accept chain=transit-in-57159-vnx-v4 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57159-vnx-v4 prefix=10.0.19.0/24 \
    set-bgp-prepend=2
add action=accept chain=transit-out-57159-vnx-v4 prefix=45.13.94.170 \
    set-bgp-prepend=2
add action=discard chain=transit-out-57159-vnx-v4
add chain=---
add action=accept chain=transit-in-57159-vnx-v6 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57159-vnx-v6 prefix=2a0b:cbc0:1116::/48 \
    set-bgp-prepend=2
add action=discard chain=transit-out-57159-vnx-v6
add chain=---
add chain=---
add chain=---
add action=accept chain=transit-in-57159-brs-v4
add chain=---
add action=accept chain=transit-out-57159-brs-v4 prefix=10.0.19.0/24
add action=accept chain=transit-out-57159-brs-v4 prefix=45.13.94.170
add action=discard chain=transit-out-57159-brs-v4
add chain=---
add action=accept chain=transit-in-57159-brs-v6
add chain=---
add action=accept chain=transit-out-57159-brs-v6 prefix=XXXXXXXXXXXXXXXXXX
add action=discard chain=transit-out-57159-brs-v6

/system clock
set time-zone-name=Europe/Paris

/system logging
add topics=ipsec,!packet
add topics=l2tp,!packet

/system routerboard settings
set auto-upgrade=yes boot-protocol=dhcp silent-boot=yes
Thanks a lot
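The log quoted above shows one pattern repeating until the timeout: the peer keeps sending the same 724-byte first message, the router keeps resending its 148-byte reply, and phase 1 finally fails "due to time up". That is consistent with the reply never reaching, or never being accepted by, the peer, so the return path for UDP/500 from the loopback address 45.13.94.170 (which is only reachable through the BGP-announced l2tp tunnels) is worth verifying. As an added example, not code from the poster or from MikroTik, the script below does the two checks a defender would run first: it counts the phase-1 symptoms in the ipsec/l2tp log lines and extracts the endpoint pair and ISAKMP cookies, then lints a RouterOS export for settings that keep the VPN from listening or weaken the router (the disabled input rule for UDP 500/1701/4500, the 3des proposal, allow-none-crypto=yes on SSH, accept-source-route=yes, and an input chain with no drop rule). All sample input is constructed from lines quoted in this thread; the function names and finding texts are my own.

```python
import re
from collections import Counter

# Constructed samples: subsets of the log lines and of the export quoted in the post.
SAMPLE_LOG = """\
ipsec sent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2
ipsec,info the packet is retransmitted by 77.204.176.9[1525].
ipsec,info the packet is retransmitted by 77.204.176.9[1525].
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2
ipsec,debug 77.204.176.9 malformed cookie received. it has to be as the initiator. 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2
l2tp,debug tunnel 38 entering state: dead
ipsec resent phase1 packet 45.13.94.170[500]<=>77.204.176.9[1525] 1ddabfc337ad5334:27ab8ad322357ad2
ipsec,error phase1 negociation failed due to time up 45.13.94.170[500]<=>77.204.176.9[1525]1ddabfc337ad5334:27ab8ad322357ad2
"""
SAMPLE_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip settings
set accept-redirects=yes accept-source-route=yes
/ip firewall filter
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \\
    disabled=yes dst-port=500,1701,4500 protocol=udp
add action=accept chain=input disabled=no protocol=ipsec-esp
add action=accept chain=forward
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
"""

LOG_LINE = re.compile(r"^(?P<topics>[\w,!]+)\s+(?P<msg>.*)$")
ENDPOINTS = re.compile(r"(?P<l>[\d.]+)\[(?P<lp>\d+)\]<=>(?P<r>[\d.]+)\[(?P<rp>\d+)\]")
COOKIES = re.compile(r"([0-9a-f]{16}):([0-9a-f]{16})")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_log(text):
    """Split each RouterOS log line into its topic list and message."""
    events = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            events.append({"topics": m["topics"].split(","), "msg": m["msg"]})
    return events

def triage_phase1(text):
    """Count the IKE phase-1 symptoms and pull out the endpoint pair and ISAKMP cookies."""
    counts, endpoints, cookies = Counter(), None, None
    for ev in parse_log(text):
        msg = ev["msg"]
        if "phase1 packet" in msg:
            counts["phase1_sent_or_resent"] += 1
        if "is retransmitted by" in msg:
            counts["peer_retransmissions"] += 1
        if "malformed cookie" in msg:
            counts["malformed_cookie"] += 1
        if "failed due to time up" in msg:
            counts["phase1_timeout"] += 1
        if "entering state: dead" in msg:
            counts["l2tp_tunnel_dead"] += 1
        e, c = ENDPOINTS.search(msg), COOKIES.search(msg)
        if e and endpoints is None:
            endpoints = (f"{e['l']}:{e['lp']}", f"{e['r']}:{e['rp']}")
        if c and cookies is None:
            cookies = (c[1], c[2])
    if counts["phase1_timeout"] and counts["peer_retransmissions"]:
        verdict = "peer kept retransmitting its first message and never took our reply; check the return path for UDP/500"
    else:
        verdict = "phase 1 timed out" if counts["phase1_timeout"] else "no phase-1 failure seen"
    return {"counts": dict(counts), "endpoints": endpoints, "cookies": cookies, "verdict": verdict}

def unwrap_export(text):
    """Join RouterOS export lines that are continued with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines

def parse_export(text):
    """Return (section, params) for every add/set line, keyed by the /path it sits under."""
    section, rows = None, []
    for line in unwrap_export(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        rows.append((section, {k: v.strip('"') for k, v in KV.findall(line)}))
    return rows

def lint_export(text):
    """Flag export settings that weaken the router or keep the VPN from listening."""
    findings, input_actions = [], set()
    for section, p in parse_export(text):
        if section == "/ip firewall filter" and p.get("chain") == "input":
            input_actions.add(p.get("action"))
            if "500" in p.get("dst-port", "").split(",") and p.get("disabled") == "yes":
                findings.append("filter: the input rule accepting UDP 500/1701/4500 is disabled=yes")
        if section == "/ip ipsec proposal" and "3des" in p.get("enc-algorithms", ""):
            findings.append("ipsec: proposal offers 3des; prefer aes-128-cbc or stronger")
        if section == "/ip ssh" and p.get("allow-none-crypto") == "yes":
            findings.append("ssh: allow-none-crypto=yes permits sessions with no cipher")
        if section == "/ip settings" and p.get("accept-source-route") == "yes":
            findings.append("ip settings: accept-source-route=yes honours source-routed packets")
    if input_actions and not input_actions & {"drop", "reject"}:
        findings.append("filter: input chain has no drop/reject rule, so unmatched traffic is accepted")
    return findings

if __name__ == "__main__":
    for k, v in triage_phase1(SAMPLE_LOG).items():
        print(f"{k}: {v}")
    for f in lint_export(SAMPLE_EXPORT):
        print("-", f)
```

To run it against a real box, paste the output of `/log print` where `SAMPLE_LOG` is and the output of `/export` where `SAMPLE_EXPORT` is; the export parser only understands the `/path`, `add` and `set` lines with backslash continuations that RouterOS emits, which is all the lint needs.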
 
joffrey575
just joined
Topic Author
Posts: 19
Joined: Sun Jun 16, 2019 3:43 pm

Re: L2TP VPN classic configuration

Sat Oct 31, 2020 4:44 pm

Who can help me with an L2TP VPN?
 
dvl666
just joined
Posts: 1
Joined: Sun Nov 01, 2020 6:21 pm

Re: L2TP VPN classic configuration

Sun Feb 21, 2021 6:50 pm

I also have a similar issue, where the connection is not happening on the default ports, giving the same error.
Strangely, my config works on 2 other hAP & hAP ac2 routers.

Someone please help.
