grol
just joined
Topic Author
Posts: 1
Joined: Sun Jun 13, 2021 9:25 pm

New created L2TP/IPSec VPN set up after Apple iOS/iPadOS 14 do not work

Sun Jun 13, 2021 9:40 pm

I have 2 customers with MikroTik stuff that I have supported via L2TP/IPSec VPN for over a year, and I am able to connect from my Windows 10/macOS laptops and iPad, all with current, up-to-date operating system releases.
Newly created (a week ago) access for a 3rd customer works on Windows 10/macOS but does not work on iPadOS: 'server unreachable'.
Apple support answer:
"This will need to be resolved by the server administrator.

We have upgraded the proposed ciphers in L2TP IPsec VPN to also propose SHA-256 for the Child SA in IPsec. The issue seems to be that the server is accepting SHA-256 cipher for the child but may be dropping the ESP encrypted packets with SHA-256 HMAC. This may be because the server is assuming a SHA-256 HMAC with 96 bits instead of the standard 128 bits. Switching the SHA-256 HMAC output from 96 to 128 bits should fix this issue.

Thank you for your feedback."

What and where should I change in the RouterOS L2TP/IPSec configuration to make it work? I mean, how do I 'Switch the SHA-256 HMAC output from 96 to 128 bits'?
 
marcmerz
newbie
Posts: 26
Joined: Wed Jul 20, 2016 11:31 am

Re: New created L2TP/IPSec VPN set up after Apple iOS/iPadOS 14 do not work

Tue Sep 07, 2021 1:34 pm

I have exactly the same issue it seems.

An L2TP/IPSec setup which did work for years now suddenly stopped working when I try to connect my iPhone (iOS 14.7.1) via LTE. The same setup does work when my iPhone is connected in another WLAN though.

Via LTE it keeps saying
the packet is retransmitted by <IP-Address>
and does not establish phase 2.
 
PacketMangle
just joined
Posts: 14
Joined: Sat Dec 03, 2016 7:21 am

Re: New created L2TP/IPSec VPN set up after Apple iOS/iPadOS 14 do not work

Mon Mar 13, 2023 2:28 pm

In the hopes that it helps somebody in the future, I found that the fix to this problem in ROS6 was to disable 'SHA1' and enable 'SHA256' for the default IPSEC profile.

The default profile can be found from the top level menu, by navigating to: IP -> IPSec -> Proposal (tab) -> default
