osalfa
just joined
Topic Author
Posts: 4
Joined: Mon Dec 28, 2020 11:05 pm

L2TP/IPsec Android Second phase problem

Mon Dec 28, 2020 11:29 pm

Hello, I am writing to you with tears in my eyes ... I am a beginner with Mikrotik and I have spent a lot of time trying to set up a VPN connection from an Android phone to a Mikrotik hEX S device. I don't know what could be wrong. IPSEC second phase connection setup is not working properly. I can see in the logs that there is a long break and then the connection is terminated. I deleted all other settings from the device just to check it but still the same situation. Can anyone take a look at this and tell me what's wrong?
# dec/28/2020 21:52:53 by RouterOS 6.48
# software id = 205I-3FYC
#
# model = RB760iGS
# serial number = A8150A077589
/interface bridge
add admin-mac=74:4D:28:3C:C2:55 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.66.10-192.168.66.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.66.1 remote-address=vpn-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=wolskik
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add topics=l2tp,!debug
add topics=ipsec,!debug
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And logs:
22:20:54 ipsec,info respond new phase 1 (Identity Protection): 78.90.73.124[500]<=>6.134.249.213[14030] 
22:20:54 ipsec,info respond new phase 1 (Identity Protection): 78.90.73.124[500]<=>6.134.249.213[14030] 
22:20:54 ipsec received Vendor ID: RFC 3947 
22:20:54 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
22:20:54 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
22:20:54 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
22:20:54 ipsec received Vendor ID: FRAGMENTATION 
22:20:54 ipsec Fragmentation enabled 
22:20:54 ipsec received Vendor ID: DPD 
22:20:54 ipsec 6.134.249.213 Selected NAT-T version: RFC 3947 
22:20:54 ipsec sent phase1 packet 78.90.73.124[500]<=>6.134.249.213[14030] e582264f07577374:095fcb83b0297f02 
22:20:55 ipsec NAT detected: PEER 
22:20:55 ipsec Adding remote and local NAT-D payloads. 
22:20:55 ipsec sent phase1 packet 78.90.73.124[500]<=>6.134.249.213[14030] e582264f07577374:095fcb83b0297f02 
22:20:55 ipsec NAT-T: ports changed to: 6.134.249.213[4917]<=>78.90.73.124[4500] 
22:20:55 ipsec KA list add: 78.90.73.124[4500]->6.134.249.213[4917] 
22:20:55 ipsec,info ISAKMP-SA established 78.90.73.124[4500]-6.134.249.213[4917] spi:e582264f07577374:095fcb83b0297f02 
22:20:55 ipsec,info ISAKMP-SA established 78.90.73.124[4500]-6.134.249.213[4917] spi:e582264f07577374:095fcb83b0297f02 
22:20:56 ipsec respond new phase 2 negotiation: 78.90.73.124[4500]<=>6.134.249.213[4917] 
22:20:56 ipsec invalid auth algorithm=6. 
22:20:56 ipsec invalid auth algorithm=6. 
22:20:56 ipsec invalid auth algorithm=6. 
22:20:56 ipsec invalid auth algorithm=6. 
22:20:56 ipsec searching for policy for selector: 78.90.73.124:1701 ip-proto:17 <=> 6.134.249.213 ip-proto:17 
22:20:56 ipsec generating policy 
22:20:56 ipsec Adjusting my encmode UDP-Transport->Transport 
22:20:56 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
22:20:56 ipsec sent phase2 packet 78.90.73.124[4500]<=>6.134.249.213[4917] e582264f07577374:095fcb83b0297f02:0000d5c5 
22:20:56 ipsec IPsec-SA established: ESP/Transport 6.134.249.213[4917]->78.90.73.124[4500] spi=0x6540238 
22:20:56 ipsec IPsec-SA established: ESP/Transport 78.90.73.124[4500]->6.134.249.213[4917] spi=0x880946a 
22:21:54 ipsec purged IPsec-SA proto_id=ESP spi=0x880946a 
22:21:54 ipsec purged IPsec-SA proto_id=ESP spi=0x6540238 
22:21:54 ipsec removing generated policy 
22:21:54 ipsec,info purging ISAKMP-SA 78.90.73.124[4500]<=>6.134.249.213[4917] spi=e582264f07577374:095fcb83b0297f02. 
22:21:54 ipsec,info purging ISAKMP-SA 78.90.73.124[4500]<=>6.134.249.213[4917] spi=e582264f07577374:095fcb83b0297f02. 
22:21:54 ipsec purged ISAKMP-SA 78.90.73.124[4500]<=>6.134.249.213[4917] spi=e582264f07577374:095fcb83b0297f02. 
22:21:54 ipsec,info ISAKMP-SA deleted 78.90.73.124[4500]-6.134.249.213[4917] spi:e582264f07577374:095fcb83b0297f02 rekey:1 
22:21:54 ipsec,info ISAKMP-SA deleted 78.90.73.124[4500]-6.134.249.213[4917] spi:e582264f07577374:095fcb83b0297f02 rekey:1 
22:21:54 ipsec KA remove: 78.90.73.124[4500]->6.134.249.213[4917] 
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: L2TP/IPsec Android Second phase problem

Tue Dec 29, 2020 2:54 pm

Did you check threads like this? viewtopic.php?t=153546
 
osalfa
just joined
Topic Author
Posts: 4
Joined: Mon Dec 28, 2020 11:05 pm

Re: L2TP/IPsec Android Second phase problem

Tue Dec 29, 2020 9:42 pm

Thank you for your response. Yes, I have seen this topic. I have this rule in my firewall, but one thing is interesting. I can't see IPsec-ESP traffic at all, should I see something? Generally, I can see my connection in active peers, but it is closed after a minute.
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN     ACTION                     BYTES   PACKETS
 0  D ;;; special dummy rule to show fasttrack counters
      forward   passthrough              311 254       685
 1    ;;; IPsec-ESP
      input     accept                         0         0
 2    ;;; allow l2tp
      input     accept                         0         0
 3    ;;; allow IPsec NAT
      input     accept                     1 423         9
 4    ;;; allow IKE
      input     accept                     1 008         2
 5    ;;; defconf: accept in ipsec policy
      forward   accept                         0         0
 6    ;;; defconf: accept out ipsec policy
      forward   accept                         0         0
 7    ;;; defconf: accept established,related,untracked
      input     accept                    70 832       499
 8    ;;; defconf: drop invalid
      input     drop                       1 370         9
 9    ;;; defconf: accept ICMP
      input     accept                         0         0
10    ;;; defconf: accept to local loopback (for CAPsMAN)
      input     accept                         0         0
11    ;;; defconf: drop all not coming from LAN
      input     drop                      30 327       102
12    ;;; defconf: fasttrack
      forward   fasttrack-connection      21 375       248
13    ;;; defconf: accept established,related, untracked
      forward   accept                    21 375       248
14    ;;; defconf: drop invalid
      forward   drop                         686        16
15    ;;; defconf: drop all from WAN not DSTNATed
      forward  
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: L2TP/IPsec Android Second phase problem

Wed Dec 30, 2020 1:08 pm

I suspect your Android device and Mikrotik do not have overlapping ciphers.

Anyway, enable "ipsec" logging in Mikrotik settings. Then try to connect from the Android phone to the VPN on the Mikrotik router. Provide us the logs. You should be able to see the additional tag "debug" next to the "ipsec" tag in the logs. It might hint at what's wrong.
 
osalfa
just joined
Topic Author
Posts: 4
Joined: Mon Dec 28, 2020 11:05 pm

Re: L2TP/IPsec Android Second phase problem

Wed Dec 30, 2020 10:21 pm

Sorry to answer so rarely, but I can only answer in the evenings. I have attached the log file. If you understand any of this, you are good ... I wonder if my service provider on a smart phone can block VPN?
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: L2TP/IPsec Android Second phase problem

Thu Dec 31, 2020 10:18 am

Sorry to answer so rarely, but I can only answer in the evenings.
Not everyone has all day to spend on this forum :D

I can't tell what is wrong from the logs.

Unless someone else has anything to add, I would say - Android's native VPN is "faulty". I've had a colleague who was having a similar kind of issue some time ago with the native Android VPN. A quick Google also suggested this: As for your VPN problem, Android's built-in VPN service, from my experience, is pretty faulty. You might want to install an external VPN client off the Play Store. Instead I had more luck using IPSEC/IKE2 on Android with the Strongswan client app. How confident do you feel about manually configuring your router (instead of sticking to the default configuration)? I could provide you some steps if you wish to try.

P.S. It's up to you, but I would suggest avoiding OpenVPN. It does work, but it's significantly slower than IPSEC.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec Android Second phase problem

Thu Dec 31, 2020 1:35 pm

Your log shows a successful establishment of Phase 2:
Dec/30/2020 21:12:01 ipsec IPsec-SA established: ESP/Transport 6.x.x.x[29681]->78.y.y.y[4500] spi=0x73dd67f
...
Dec/30/2020 21:12:01 ipsec IPsec-SA established: ESP/Transport 78.y.y.y[4500]->6.x.x.x[29681] spi=0xc917d0f
The reason you cannot see bare ESP packets is that there is NAT between the peers, at least at the mobile phone end. As ESP has no notion of ports, it has trouble passing through NAT, hence if NAT is detected during Phase 1, the ESP packets get encapsulated into UDP, using the same ports at both peers as the Phase 1 exchange.

I can see L2TP logging is enabled in the configuration export, but with !debug. So change that to just l2tp and see what happens. I suppose the issue is not in the IPsec part but in the L2TP one.

There is a theoretical possibility to selectively block the ESP packets encapsulated in UDP and let the IKE ones pass through although the source and destination sockets are the same for both, but I don't expect an ISP in Poland to do this - it would be a waste of resources, and the ISP would have to have a strong motivation to do it (I cannot imagine anything but a government order).

You can sniff to file on Mikrotik's WAN - Wireshark will show you whether any UDP-encapsulated ESP packets are coming from the Android phone after Phase 1 (IKE) has finished its job. These should carry the L2TP initial packets. If they don't arrive, either your theory about ISP filtering is correct or, more likely, there is something wrong with the phone.

If it doesn't turn out to be an L2TP username/password misconfiguration, you can consider installing Strongswan on the phone rather than using the embedded VPN client, which may be buggy in your Android version.
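Added example (not from the thread, and not MikroTik's code): a small Python parser over a subset of the log lines osalfa posted above. It applies sindy's point in code: once "NAT detected" and the NAT-T port change appear, ESP arrives as UDP on the router's port 4500 rather than as bare IP protocol 50, so the protocol=ipsec-esp input rule counts nothing while the udp/4500 rule does; it also measures how long the Phase 2 SAs lived before being purged and counts the "invalid auth algorithm" lines, which are transforms the router declined before one matched (the SAs were still established afterwards). The function names and the result dict layout are my own.

```python
import re

# Constructed sample: a subset of the RouterOS 'ipsec' log lines posted in this thread.
SAMPLE_LOG = """\
22:20:54 ipsec,info respond new phase 1 (Identity Protection): 78.90.73.124[500]<=>6.134.249.213[14030]
22:20:55 ipsec NAT detected: PEER
22:20:55 ipsec NAT-T: ports changed to: 6.134.249.213[4917]<=>78.90.73.124[4500]
22:20:55 ipsec,info ISAKMP-SA established 78.90.73.124[4500]-6.134.249.213[4917] spi:e582264f07577374:095fcb83b0297f02
22:20:56 ipsec invalid auth algorithm=6.
22:20:56 ipsec IPsec-SA established: ESP/Transport 6.134.249.213[4917]->78.90.73.124[4500] spi=0x6540238
22:20:56 ipsec IPsec-SA established: ESP/Transport 78.90.73.124[4500]->6.134.249.213[4917] spi=0x880946a
22:21:54 ipsec purged IPsec-SA proto_id=ESP spi=0x880946a
22:21:54 ipsec purged IPsec-SA proto_id=ESP spi=0x6540238
"""
# "HH:MM:SS ipsec[,topic] message"; the topic suffix (e.g. ",info") is optional.
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) ipsec(?:,\w+)? (.*)$")

def analyse(log_text):
    """Summarise one IKEv1 negotiation: NAT-T, ESP port, SA lifetimes, rejected transforms."""
    info = {"nat_t": False, "esp_port": None, "established": {}, "purged": {},
            "rejected_transforms": 0, "sa_lifetime_s": None}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, msg = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds since midnight
        if msg.startswith("NAT detected:"):
            info["nat_t"] = True
        elif msg.startswith("NAT-T: ports changed to:"):
            # Right-hand socket is the router's own; ESP-in-UDP will arrive on that port.
            info["esp_port"] = int(msg.rsplit("[", 1)[1].rstrip("]"))
        elif msg.startswith("invalid auth algorithm"):
            info["rejected_transforms"] += 1  # a proposed transform the router lacks
        elif msg.startswith("IPsec-SA established:"):
            info["established"][msg.rsplit("spi=", 1)[1]] = t
        elif msg.startswith("purged IPsec-SA"):
            info["purged"][msg.rsplit("spi=", 1)[1]] = t
    lifetimes = [info["purged"][spi] - info["established"][spi]
                 for spi in info["purged"] if spi in info["established"]]
    if lifetimes:
        info["sa_lifetime_s"] = min(lifetimes)
    return info

def firewall_hint(info):
    """Name the input-chain match that will actually carry the ESP traffic."""
    if info["nat_t"] and info["esp_port"]:
        return "udp/%d" % info["esp_port"]  # the protocol=ipsec-esp rule stays at 0
    return "ipsec-esp"
```

For the posted log this reports NAT-T on udp/4500 and SAs that lived 58 seconds, which matches the zero counter on rule 1 and the idle timeout sindy attributes to the L2TP layer never starting.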
 
osalfa
just joined
Topic Author
Posts: 4
Joined: Mon Dec 28, 2020 11:05 pm

Re: L2TP/IPsec Android Second phase problem

Fri Jan 01, 2021 2:05 pm

Thank you for your explanation. I will use your advice, turn off !debug and see what the logs look like. I will also use another phone to test, good idea. I also read that my provider has such a paid VPN service, but it's hard to tell from its description whether this could be the cause, as if it could use VPN connections. If nothing else helps I will use Wireshark, but it's the most difficult option ;-). I'll let you know when I have something. Happy New Year :-)
