rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Problems with VPN

Thu May 07, 2009 8:35 am

I am trying to get a MT-MT VPN working but I ran into some snags.

1) I first tried to set up a L2TP VPN. After configuring it all it still did not work, so I used the packet sniffer. What I saw was that the client was sending connect data (normal) but the server would respond on another of the public IPs. It would not respond on the same IP on which it received the connect request. If I disabled the public IP on the server it would just pick another. For testing, I changed the client IP to the one the server had picked and the connection was established. I tried setting the local IP in the profile and in the secret but it had no effect. I only have srcnat and no masquerade. What is wrong?

2) I removed the L2TP and then tried an OVPN connection. I could get it to connect but it would immediately disconnect. On the server using WinBox I could see the OVPN connection being created in the PPP->interface window and then it would disappear, over and over. It would happen so fast, but you could see it flickering.

Thanks for any help. The MT box is otherwise working great and I'd like to get a MT-MT VPN going.
 
rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu May 07, 2009 5:40 pm

Here is my L2TP config:
[admin@client] /ip route> export
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    xxx.xxx.43.32 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=192.168.0.0/16 gateway=\
    192.168.90.254 scope=30 target-scope=10

[admin@client] /interface l2tp-client> export
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    connect-to=xxx.xxx.105.194 dial-on-demand=yes disabled=no max-mru=1460 \
    max-mtu=1460 mrru=disabled name=officevpn password=\
    "secret" profile=default-encryption user=\
    office

[admin@client] /ppp> export
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" local-address=\
    10.69.99.254 name=default-encryption only-one=default remote-address=\
    192.168.90.254 use-compression=default use-encryption=required \
    use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no


[admin@server] /interface l2tp-server> export
/interface l2tp-server
add comment="" disabled=no name=officevpn user=office
/interface l2tp-server server
set authentication=chap,mschap2 default-profile=default-encryption enabled=yes \
    max-mru=1460 max-mtu=1460 mrru=disabled

[admin@server] /ppp> export
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=required \
    use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id=xxx.xxx.43.34 comment="" disabled=no limit-bytes-in=0 \
    limit-bytes-out=0 local-address=192.168.90.254 name=office password=\
    "secret" profile=default-encryption \
    remote-address=10.69.99.254 routes="10.69.0.0/16 10.69.99.254 1" service=\
    any
Like I said before, the VPN itself works fine. The only problem is that the IP I tell the client to connect to is not the one I want to use. The server seems to respond using any external IP it likes, here is the client log:
07:33:58 l2tp,debug,packet sent control message to xxx.xxx.105.194:1701 
07:33:58 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
07:33:58 l2tp,debug,packet     (M) Message-Type=SCCRQ 
07:33:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
07:33:58 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
07:33:58 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
07:33:58 l2tp,debug,packet     Firmware-Revision=0x1 
07:33:58 l2tp,debug,packet     (M) Host-Name="client" 
07:33:58 l2tp,debug,packet     Vendor-Name="MikroTik" 
07:33:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=52 
07:33:58 l2tp,debug,packet     (M) Receive-Window-Size=4 
07:33:58 l2tp,debug,packet rcvd control message from xxx.xxx.105.249:1701 
07:33:58 l2tp,debug,packet     tunnel-id=52, session-id=0, ns=0, nr=1 
07:33:58 l2tp,debug,packet     (M) Message-Type=SCCRP 
07:33:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
07:33:58 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
07:33:58 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
07:33:58 l2tp,debug,packet     Firmware-Revision=0x1 
07:33:58 l2tp,debug,packet     (M) Host-Name="server" 
07:33:58 l2tp,debug,packet     Vendor-Name="MikroTik" 
07:33:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=115 
07:33:58 l2tp,debug,packet     (M) Receive-Window-Size=4 
07:33:58 l2tp,debug received SCCRP before SCCRQ, rejecting 
You can see that it is connecting to .194 but the server is responding on .249. If I set the client to send on .249 it works. If I disable .249 on the server it just picks another outgoing IP. How can I force the server to use a certain IP?
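The log above shows the symptom directly: the SCCRQ goes to one address and the SCCRP arrives from another, so the client cannot match the reply to its tunnel and rejects it. The following is an added example, not code from the thread or from MikroTik: a small parser for the RouterOS `l2tp,debug,packet` log format that extracts the control-message headers and reports when the responder's source address differs from the address the request was sent to. The addresses in the constructed sample are RFC 5737 placeholders, not the poster's.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of the RouterOS l2tp,debug,packet log from
# the post (trimmed to the relevant AVPs). Placeholder addresses, not real ones.
SAMPLE_LOG = """\
07:33:58 l2tp,debug,packet sent control message to 198.51.100.194:1701
07:33:58 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
07:33:58 l2tp,debug,packet     (M) Message-Type=SCCRQ
07:33:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=52
07:33:58 l2tp,debug,packet rcvd control message from 198.51.100.249:1701
07:33:58 l2tp,debug,packet     tunnel-id=52, session-id=0, ns=0, nr=1
07:33:58 l2tp,debug,packet     (M) Message-Type=SCCRP
07:33:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=115
07:33:58 l2tp,debug received SCCRP before SCCRQ, rejecting
"""

# Header line of each control message: direction, peer address and UDP port.
HDR = re.compile(r"l2tp,debug,packet (sent|rcvd) control message (?:to|from) (\S+?):(\d+)")
# The Message-Type AVP that follows the header on an indented line.
MSG = re.compile(r"Message-Type=(\w+)")

ControlMessage = Tuple[str, str, int, Optional[str]]  # (direction, ip, port, type)


def parse_control_messages(text: str) -> List[ControlMessage]:
    """Group the indented AVP lines under their 'sent'/'rcvd' header line and
    return one (direction, peer_ip, port, message_type) tuple per message."""
    messages: List[list] = []
    current: Optional[list] = None
    for line in text.splitlines():
        header = HDR.search(line)
        if header:
            current = [header.group(1), header.group(2), int(header.group(3)), None]
            messages.append(current)
            continue
        mtype = MSG.search(line)
        if mtype and current is not None and current[3] is None:
            current[3] = mtype.group(1)
    return [tuple(m) for m in messages]


def find_responder_mismatch(text: str) -> Optional[Tuple[str, str]]:
    """Return (address_sent_to, address_replied_from) when the SCCRP comes from
    a different address than the SCCRQ was sent to, or None when they agree."""
    sent_to: Optional[str] = None
    for direction, ip, _port, mtype in parse_control_messages(text):
        if direction == "sent" and mtype == "SCCRQ":
            sent_to = ip
        elif direction == "rcvd" and mtype == "SCCRP" and sent_to is not None:
            return (sent_to, ip) if ip != sent_to else None
    return None


if __name__ == "__main__":
    mismatch = find_responder_mismatch(SAMPLE_LOG)
    if mismatch:
        print("SCCRQ sent to %s but SCCRP came from %s" % mismatch)
    else:
        print("responder address matches the request target")
```

From the client's point of view a reply from an unexpected source is indistinguishable from an unsolicited packet, which is why the last log line reads "received SCCRP before SCCRQ, rejecting": the tunnel state is keyed on the peer address the request was sent to.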
 
rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Fri May 08, 2009 9:20 am

So, is the L2TP problem a bug? Does anyone else have L2TP working with multiple IPs on the outgoing subnet?
 
rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Sun May 10, 2009 8:44 am

bump
 
rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu May 14, 2009 8:41 pm

Well the L2TP problem still exists. I guess nobody else has this problem based on the lack of response. The L2TP server seems to respond on the "preferred source" address from the IP routing table even if the client connected to a different IP. This seems like a bug.

I've mostly figured out the OpenVPN for my MT-MT VPN. This does not exhibit the problem with the IP address of the response being different, it will respond on the same address that the client connects with, as expected.
 
l0ft13
just joined
Posts: 23
Joined: Wed May 28, 2008 11:22 am

Re: Problems with VPN

Thu Oct 15, 2009 10:32 am

I am on RouterOS 3.29 and am also experiencing the problem of the l2tp server responding on random external IPs, ignoring the IP it came in on.
Unfortunately I can't get away from having multiple external IPs in my setup, so I have to use a different vpn solution.
 
l0ft13
just joined
Posts: 23
Joined: Wed May 28, 2008 11:22 am

Re: Problems with VPN

Thu Oct 15, 2009 1:39 pm

Just tried upgrading to 4.0 on both ends, with the same problem.
 
rpress
Member Candidate
Topic Author
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu Oct 15, 2009 7:33 pm

I just sent an email to support so we'll see what they think.
 
roadracer96
Forum Veteran
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: Problems with VPN

Fri Dec 25, 2009 4:31 am

Bump for me too. I was having the same problem when trying L2TP/IPsec. The policy generated in IPsec clearly showed the NAT IP, but L2TP is responding and banging the firewall protecting the client side.

FWIW, the client side firewall I was testing with was a RB433. ;)
 
ish
just joined
Posts: 3
Joined: Mon Sep 06, 2010 7:27 pm

Re: Problems with VPN

Thu Sep 09, 2010 4:45 pm

Hi,
after some nice email conversation I wrote this mail to the MikroTik Support Team:
Hi Support Team,
NAT-T is enabled on the MikroTik router.
Yesterday I tested the L2TP/IPSec connection 3 times from the Windows XP SP3 Client-PC to the MikroTik Router (VPN Server), while changing the NAT-T-Registry-Parameter "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec" in Windows XP, setting "AssumeUDPEncapsulationContextOnSendRule" to 0, 1 or 2 and restarting the IPSec service on the Windows XP PC (see http://support.microsoft.com/kb/926179/en-us).
It doesn't matter whether the Parameter "AssumeUDPEncapsulationContextOnSendRule" is set or which value it has.
The L2TP/IPSec connection is not working.

Reason:
IKE connection comes in via UDP/500 (because my SOHO-NAT-Router leaves the port as it is) into the MikroTik Router.
The MikroTik Router is not recognizing that the connecting IPSec peer (Windows XP PC) is behind a NAT-Router and is not forcing the Windows XP PC to connect via UDP/4500 (NAT-T). So the IKE connection is not changing to NAT-T mode. The IPSec connection (ESP) is established while the IPSec peer addresses are the Public IPs of the MikroTik Router and the Windows XP Client (here the Public IP of the NAT-Router, of course). The IPSec Policy inside the MikroTik Router is created automatically and uses as SA Source IP the PRIVATE IP (e.g. 192.168.10.5) of the Windows XP Client.

So what happens now is that the IPSec Tunnel is "ready" but the L2TP connection to the L2TP server on the MikroTik Router is coming from the PUBLIC IP of the Windows XP Client, while the IPSec SA is using the PRIVATE IP. The MikroTik Router is not securing the L2TP answer packets. You can see this on the NAT-Router (Windows XP client behind it) while doing a packet capture. The L2TP answer packets are coming directly to the PUBLIC IP (so reaching the NAT Router directly).
[...]
And I got the following answer:
[...]

Thank you very much for the description. Right now I understand where the problem is.
Currently there is an issue with NAT-T and generate-policy. The policy is being generated for the private IP address of the router; you should manually add an additional policy with src-address=your_MikroTik_router dst-address=your_NAT_router.
Or use a static /ip ipsec policy.

We are working on the solution for this problem.

[...]
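The failure mode in the exchange above is a selector mismatch: the auto-generated policy names the client's private address, while the L2TP reply is addressed to the NAT router's public address, so no policy covers the reply and it leaves in the clear. The following added example (not from the thread or from MikroTik) models a simplified IPsec policy selector and checks which outbound flows would go unprotected, first with only the generated policy and then with the manual router-to-NAT-router policy the support answer recommends. The router and NAT-router addresses are constructed RFC 5737 placeholders; 192.168.10.5 is the private address quoted in the post; `Policy`, `Flow` and `unprotected_flows` are names chosen here, not RouterOS API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Simplified selector of a RouterOS /ip ipsec policy entry (encrypt action
    assumed). Only the fields needed for this check are modelled."""
    src_address: str              # local side, e.g. "198.51.100.1/32"
    dst_address: str              # peer side, e.g. "192.168.10.5/32"
    protocol: str = "all"         # "all" or an IP protocol name such as "udp"
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    """One outbound packet the router is about to send."""
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def policy_matches(policy: Policy, flow: Flow) -> bool:
    """True when the policy selector covers the flow."""
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(policy.src_address, strict=False):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(policy.dst_address, strict=False):
        return False
    if policy.protocol != "all" and policy.protocol != flow.protocol:
        return False
    if policy.dst_port is not None and policy.dst_port != flow.dst_port:
        return False
    return True


def unprotected_flows(policies: List[Policy], flows: List[Flow]) -> List[Flow]:
    """Return the flows that no policy covers: these would leave the router
    without ESP protection."""
    return [f for f in flows if not any(policy_matches(p, f) for p in policies)]


# Constructed placeholder addresses (RFC 5737 ranges), not a real deployment.
ROUTER_PUBLIC = "198.51.100.1"      # the MikroTik router's public address
NAT_ROUTER_PUBLIC = "203.0.113.10"  # the SOHO NAT router in front of the client
CLIENT_PRIVATE = "192.168.10.5"     # the client's private address from the post

# What generate-policy produced in the failing case: the selector carries the
# client's private address, as the support exchange describes.
GENERATED = Policy(src_address=ROUTER_PUBLIC + "/32",
                   dst_address=CLIENT_PRIVATE + "/32", protocol="udp")

# The manual policy the support answer suggests: router -> NAT router public IP.
MANUAL = Policy(src_address=ROUTER_PUBLIC + "/32",
                dst_address=NAT_ROUTER_PUBLIC + "/32", protocol="udp")

# The L2TP reply: the router answers to the address the request came from,
# which after NAT is the NAT router's public address.
L2TP_REPLY = Flow(src_ip=ROUTER_PUBLIC, dst_ip=NAT_ROUTER_PUBLIC,
                  protocol="udp", dst_port=1701)


if __name__ == "__main__":
    print("generated policy only :", unprotected_flows([GENERATED], [L2TP_REPLY]))
    print("with manual policy    :", unprotected_flows([GENERATED, MANUAL], [L2TP_REPLY]))
```

The same check is a reasonable thing to run against an exported policy list whenever a tunnel comes up "ready" but the inner protocol is visible in a capture on the far side: if the reply flow matches no encrypt policy, the SA is irrelevant to it.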
