tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

[Solved] L2TP/IPSec with Android

Thu Nov 29, 2012 4:05 pm

Greetings guys,

I tried to get L2TP/IPSec working today with an Android client. I have everything set up correctly I think, and it seems to be an L2TP problem. Any help would be appreciated. Here is the config:
/interface l2tp-server server
set default-profile=L2TP enabled=yes

/ppp profile
add name=L2TP

/ppp secret
add local-address=10.0.31.1 name=tomas password=testpass profile=L2TP remote-address=10.0.31.33 service=l2tp

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h

/ip ipsec peer
add dpd-interval=15s dpd-maximum-failures=3 exchange-mode=main-l2tp \
    generate-policy=yes hash-algorithm=sha1 secret=VPNpass \
    send-initial-contact=no
Firewall is open for UDP500, UDP 1701, IPSec esp.

I have searched around and wasn't able to find an issue with the config. The IPSec seems to establish correctly with SAs and the dynamically generated policy. Any way I can troubleshoot this?

L2TP logs say:
15:00:22 l2tp,debug,packet sent control message to clientIP:35752 
15:00:22 l2tp,debug,packet     tunnel-id=27190, session-id=0, ns=0, nr=1 
15:00:22 l2tp,debug,packet     (M) Message-Type=SCCRP 
15:00:22 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
15:00:22 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
15:00:22 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
15:00:22 l2tp,debug,packet     Firmware-Revision=0x1 
15:00:22 l2tp,debug,packet     (M) Host-Name="host" 
15:00:22 l2tp,debug,packet     Vendor-Name="MikroTik" 
15:00:22 l2tp,debug,packet     (M) Assigned-Tunnel-ID=51 
15:00:22 l2tp,debug,packet     (M) Receive-Window-Size=4 
15:00:26 l2tp,debug,packet sent control message to clientIP:35752 
15:00:26 l2tp,debug,packet     tunnel-id=27190, session-id=0, ns=0, nr=1 
15:00:26 l2tp,debug,packet     (M) Message-Type=SCCRP 
15:00:26 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
15:00:26 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
15:00:26 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
15:00:26 l2tp,debug,packet     Firmware-Revision=0x1 
15:00:26 l2tp,debug,packet     (M) Host-Name="host" 
15:00:26 l2tp,debug,packet     Vendor-Name="MikroTik" 
15:00:26 l2tp,debug,packet     (M) Assigned-Tunnel-ID=51 
15:00:26 l2tp,debug,packet     (M) Receive-Window-Size=4 
15:00:34 l2tp,debug,packet sent control message to clientIP:35752 
15:00:34 l2tp,debug,packet     tunnel-id=27190, session-id=0, ns=0, nr=1 
15:00:34 l2tp,debug,packet     (M) Message-Type=SCCRP 
15:00:34 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
15:00:34 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
15:00:34 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
15:00:34 l2tp,debug,packet     Firmware-Revision=0x1 
15:00:34 l2tp,debug,packet     (M) Host-Name="host" 
15:00:34 l2tp,debug,packet     Vendor-Name="MikroTik" 
15:00:34 l2tp,debug,packet     (M) Assigned-Tunnel-ID=51 
15:00:34 l2tp,debug,packet     (M) Receive-Window-Size=4 
15:00:42 l2tp,debug tunnel 51 received no replies, disconnecting 
15:00:42 l2tp,debug tunnel 51 entering state: dead
Last edited by tomaskir on Tue Dec 04, 2012 2:59 pm, edited 1 time in total.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 6:06 pm

Not sure, but I suspect you have a firewall rule that's a problem.

Those IPSec packets are going to simply "show up" on the WAN interface with a source IP of whatever public IP they have.

If you sanitize input on the WAN side, you're going to find you need a rule like this on the WAN.

Allow any Source IP to any Destination IP.

Crazy and insecure to boot. [Lovely how Mikrotik implemented IPSec isn't it!]

The only way this isn't insane, security-wise, is if you're using NAT, otherwise you can't allow IPSec connections from any unknown IP. Since most anyone uses L2TP as a road-warrior connection type, this [not allowing connects from unknown IP's] obviously won't fly.

Try marking all your firewall rules as inactive and see if the traffic passes. I'd guess it does and then you'll need to decide if you can live with the botched train-wreck that is IPSec on Mikrotik. [Personally, I won't implement L2TP anywhere with MikroTik gear - I'm using OpenVPN - which is nearly as botched as IPSec, but is marginally better for RoadWarrior support.]

<sarcasm>
Mikrorik: Here's a hammer and an awl - would you like to smash your thumb or gouge your eyes out?
Me: How about I don't pick either.
Mikrotik: Nope - either the eyes or the thumb.
Me: [Grimace] Well, I guess the thumb then...
</sarcasm>

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 6:55 pm

Sorry man, but I really don't understand what you are talking about. The input or the forward chain?

On the input chain I have everything going through the firewall correctly, allowing UDP 500, UDP 1701, IPSec ESP. Packets are correctly increasing the counter.
As for the forward chain, since the L2TP tunnel won't establish, the forward chain isn't getting applied to packets yet.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:21 pm

The forward chain.

Just try what I said.
Either disable all the Forward rules, or put an allow all rule at the very top.

The packets ARE hitting the forward chain.

Your logs show the L2TP session not getting replied to, and I'm pretty sure that's the problem - it's getting killed.

---
Here's what happens.
-IPSec packet arrives.
[This is on input]
-ROS handles IPSec stuff, and dumps the unwrapped packet on the WAN interface. [Now you have an L2TP packet alone, instead of an IPSec wrapped L2TP packet.]
-Now you have a packet on the WAN that has a source address of say 4.3.2.1 - whatever the IP address of the L2TP client is...

-It's the L2TP session. It has to traverse the WAN interface and get to the L2TP server in ROS to get handled.

If you have a rule that blocks all unknown WAN IP's from traversing the WAN then the L2TP packets are getting killed.

---
Side-effect [This doesn't really have anything to do with your problem, but is a result of no IPSec policy match options.]

Since there's no IPSec policy match supported in ROS, you also can't make sure that all L2TP sessions actually came over IPSec. Thus someone could make mass runs against your L2TP server and attempt to break one of the PPP user credentials.

With an IPSec policy match you could make sure you don't allow unknown source IP's onto the LAN unless they ALSO came over the IPSec tunnel.

---
Just try what I've suggested, I think you'll find it fixes the problem, and then when you see what's going on, you'll understand better and can come back and discuss more if you need.

If it doesn't fix it, then it only cost you 3 minutes or so.

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:28 pm

Just tested it and nope, it doesn't help.

Also, any packet destined for the router itself is in the INPUT chain. You can try this yourself. Make a log rule on input for the L2TP server. Make a forward log rule for the L2TP. Connect to the L2TP server running on the router, and you will see only the input chain gets logged.

This is also explained in the packet flow diagram http://wiki.mikrotik.com/wiki/File:IP_final.png
As you can see from the packet flow, the packet simply goes through the INPUT chain twice, once while it's IPSec encrypted, and the second time when it's unencrypted.

As for filtering the access to the L2TP server only for IPSec clients, yeah, I will have to look into how to secure that. First to get it working tho :)
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:32 pm

I was not thinking clearly. Also do the same for the input chain.

You're right, the L2TP traffic will be talking to the RB, so it's going to be on INPUT.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:35 pm

I was describing things related to IPSec more generically - and how that can cause issues when used as a Road-Warrior setup. Since the IPSec traffic isn't flowing to the LAN side as the next step, but to the L2TP server on the RB, then it's the INPUT chain that matters.

Sorry...

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:40 pm

I made a log rule for the remote IP (much more secure than allowing all traffic on input) to see if any traffic from the remote IP is getting dropped. It's not. UDP 500, UDP 1701 and IPSec ESP are open to the remote IP, and nothing after that is getting logged as dropped.

I'm pretty confident it's not the firewall that is making this not work.

On the forward chain, even generally in IPSec and in this case too, you should always know the IP address (range) of the other side, so securing it should not be a problem either.
Here I know what IPs my L2TP server will assign to clients, so in forward, I have those IPs allowed to go into my LAN.

The mystery why L2TP is not building the tunnel with the Android client still remains tho :)
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 7:52 pm

> On forward chain, even generally in IPSec and in this case too, you should always know the IP address (range) of the other side, so securing it should not be a problem either.
So your L2TP clients will always connect from known networks? Never from a hotel or coffee shop? [Good if that works for you. It's a lot more secure, but that certainly won't work for most, and won't for me.]

---
That aside...

Is there any chance a NAT/Mangle rule is hitting?
Anything non-default in routing?

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 8:05 pm

> > On forward chain, even generally in IPSec and in this case too, you should always know the IP address (range) of the other side, so securing it should not be a problem either.
> So your L2TP clients will always connect from known networks? Never from a hotel or coffee shop? [Good if that works for you. It's a lot more secure, but that certainly won't work for most, and won't for me.]
>
> ---
> That aside...
>
> Is there any chance a NAT/Mangle rule is hitting?
> Anything non-default in routing?
>
> -Greg
No, IPSec will always be established from an unknown IP. But that is protected with a PSK and all the configs have to match on both sides. So IPSec will be available on the router to the world. But that is secure, it's IPSec. Besides, since I don't know the remote IP, there is no other way to do it.

L2TP will only be available to IPSec connected clients. That can be scripted easily. Just get the peer's IP with ":put [/ip ipsec remote-peers get [find] remote-address]". That will get you remote IPs of all clients that are properly connected with IPSec. So the L2TP server will not be available to the world, only to the clients which are properly connected through IPSec.

The L2TP server assigns an IP to its clients from a pool I specify in the L2TP profile. So in the forward chain, the access to my LAN is secured with a firewall rule that only allows access to my LAN from the clients from this L2TP IP pool.

But yeah, I am currently looking at mangle and routing (have some of both) to see why it would make the L2TP server not work. So far I can't see a reason why it doesn't work, but I will keep looking.

Any tips are welcome :)
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 8:23 pm

I don't have time to spend, but you don't understand how IPSec is handled by ROS.

Say someone connects from 4.3.2.1 via IPSec or L2TP [essentially the same] to your RB.

The IPSec traffic is handled and then a packet just appears on your WAN interface.

Its source IP is 4.3.2.1. [But if you don't know what IP addresses your IPSec/L2TP connections come from, use * instead of 4.3.2.1]

So, if you block ANY traffic from any publicly routed IP address on the WAN interface from FORWARD/INPUT you can't guarantee that IPSec or L2TP will work.

Normally, I'd have a Rule on Forward/Input that blocks all traffic from unknown IP's for any service I'm not opening to the public.
But with no IPSec policy match, I can't do this if I allow IPSec from unknown IP's.

Because I'm going to get a packet on the WAN from some unknown IP on a non-public service - say RDP.
If you capture and watch the traffic, you'll see what I'm talking about.

Here's what you'll see for a Road-warrior connect via IPSEC from 4.3.2.1 to a LAN station for RDP.
On the WAN interface I'll have a packet from
Src-ip:4.3.2.1 with some source-port. [to] -> Some LAN IP, with RDP as the dst-port.

Without NAT you'd be *insane* to accept such a packet. With NAT it can't get to the LAN since there's no routing table to direct it. But it's only NAT that's protecting you, not your firewall rules.

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 8:42 pm

> I don't have time to spend, but you don't understand how IPSec is handled by ROS.
>
> Say someone connects from 4.3.2.1 via IPSec or L2TP [essentially the same] to your RB.
>
> The IPSec traffic is handled and then a packet just appears on your WAN interface.
>
> Its source IP is 4.3.2.1. [But if you don't know what IP addresses your IPSec/L2TP connections come from, use * instead of 4.3.2.1]
>
> So, if you block ANY traffic from any publicly routed IP address on the WAN interface from FORWARD/INPUT you can't guarantee that IPSec or L2TP will work.
>
> Normally, I'd have a Rule on Forward/Input that blocks all traffic from unknown IP's for any service I'm not opening to the public.
> But with no IPSec policy match, I can't do this if I allow IPSec from unknown IP's.
>
> Because I'm going to get a packet on the WAN from some unknown IP on a non-public service - say RDP.
> If you capture and watch the traffic, you'll see what I'm talking about.
>
> Here's what you'll see for a Road-warrior connect via IPSEC from 4.3.2.1 to a LAN station for RDP.
> On the WAN interface I'll have a packet from
> Src-ip:4.3.2.1 with some source-port. [to] -> Some LAN IP, with RDP as the dst-port.
>
> Without NAT you'd be *insane* to accept such a packet. With NAT it can't get to the LAN since there's no routing table to direct it. But it's only NAT that's protecting you, not your firewall rules.
>
> -Greg
Sorry, but I have a feeling you actually don't know how IPSec (or L2TP) works. So let's get this straight.

1) IPSec is not essentially the same as L2TP. If IPSec is in transport mode, it's very different.
L2TP can be considered the same as IPSec only for IPSec tunnel mode, and then it's still different.

2) Packets don't just appear on the WAN interface. Look at the packet flow diagram to see how they are handled.
Explained in the packet flow diagram http://wiki.mikrotik.com/wiki/File:IP_final.png

Let's consider a scenario without NAT as you mentioned:

Scenario 1)
Client 4.3.2.1 (or any random IP) connects to the L2TP concentrator. Since we don't know the remote IP, the L2TP has to be publicly accessible. L2TP is however protected by username and password. Inside of the L2TP tunnel, the client gets an IP address from a pool YOU configure. That is how L2TP works.

Now in the firewall you can actually filter. You would NOT allow
Src-ip:4.3.2.1 with some source-port. [to] -> Some LAN IP, with RDP as the dst-port.

But you WOULD allow
Src-ip:"L2TP IP of the client" with some source-port. [to] -> Some LAN IP, with RDP as the dst-port.

Scenario 2)
For IPSec tunnel mode
In tunnel mode, you know the IP that is behind the tunnel, since you HAVE TO configure it in IPSec policy. If you use "generate policy", the policy will be generated with proper IPs that are on the other side of the tunnel. Therefore, you can filter in firewall based on these IPs.

Scenario 3)
For IPSec transport mode
Again, you either know the remote IP (because you have to configure it in the policy), or the policy is generated and you can get the IP from there. So again, you know the remote IP, and you can filter with it in the firewall.

Please actually re-read my post from before, and you really should look more into how all this works. Same as you were thinking that L2TP traffic is in forward chain and you were wrong, you are wrong here as well. IPSec and L2TP are handled very well in Mikrotik, it seems you just have a big mess out of how it works.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 9:34 pm

> Scenario 2)
> For IPSec tunnel mode
> In tunnel mode, you know the IP that is behind the tunnel, since you HAVE TO configure it in IPSec policy. If you use "generate policy", the policy will be generated with proper IPs that are on the other side of the tunnel. Therefore, you can filter in firewall based on these IPs.
>
> Scenario 3)
> For IPSec transport mode
> Again, you either know the remote IP (because you have to configure it in the policy), or the policy is generated and you can get the IP from there. So again, you know the remote IP, and you can filter with it in the firewall.
>
> Please actually re-read my post from before, and you really should look more into how all this works. Same as you were thinking that L2TP traffic is in forward chain and you were wrong, you are wrong here as well. IPSec and L2TP are handled very well in Mikrotik, it seems you just have a big mess out of how it works.
1) Why the heck does Linux give you an IPSec policy match if you really don't need it? [Answer: You do, but you can get by without it, if you sacrifice security.]

2) Re: the above...
"Again, you either know the remote IP (becuase you have to configure it in policy), or the policy is generated and you can get the IP from there"

So, you're generating dynamic firewall rules based on the IPSec generated policy? Really? Since I'm not aware of any event driven rule methods, I'm not sure how that works. Please tell.

Obviously if you know the connecting IP, which rules out road-warrior, then you don't have to use generated policies.

3) Since they can connect to L2TP direct, you have reduced the security of your system to the PPP credential - you've thrown away any benefits of validation of identity that IPSec gave you. Not a good plan IMO.

But I have watched IPSec traffic flows, esp for Road-warrior connections and I know what's coming in.
For
-road-warrior connects,
-where connecting IP isn't known,
-without IPSec policy match,
-and a non-NAT WAN <-> LAN,
...it's suicide.
[Unless you can somehow make a dynamic firewall that works, based on generated IPSec policy IP source addresses.]

But I'm not going to argue. It's your network, and however you want to run it, have at it. I won't run mine that way, but that doesn't impact you.

But if you have a working dynamic firewall that accounts for IPSec auto-generated SA's - then I'd be glad to see it. It would perhaps be a start in securing RW IPSec connections.

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 9:45 pm

Obviously IPSec policy matcher would be a welcome addition and would make things easier. You can get by without it without sacrificing security, you just need to know how to. You can easily script its functionality with Mikrotik. I already posted above how to create dynamic firewall rules based on auto generated IPSec policies.

To quote my earlier post:
> IPSec will always be established from an unknown dynamic IP. But that is protected with a PSK and all the configs have to match on both sides. So IPSec will be available on the router to the world. But that is secure, it's IPSec. Besides, since I don't know the remote IP, there is no other way to do it.
>
> L2TP will only be available to IPSec connected clients. That can be scripted easily. Just get the dynamic peer's IP with ":put [/ip ipsec remote-peers get [find] remote-address]". That will get you remote IPs of all clients that are properly connected with IPSec. So the L2TP server will not be available to the world, only to the clients which are properly connected through IPSec.
>
> The L2TP server assigns an IP to its clients from a pool I specify in the L2TP profile. So in the forward chain, the access to my LAN is secured with a firewall rule that only allows access to my LAN from the clients from this L2TP IP pool.
All you need is a 10 line script which modifies ONE address-list with the IP addresses of IPSec clients. So L2TP server is secured in firewall with this address-list. The script adds IPs of IPSec clients to this address-list.
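One way to build the address-list approach tomaskir describes above (UDP 1701 accepted only from peers that currently hold an IPsec SA), written here as an added RouterOS example rather than the thread's own script. The list name `ipsec-peers`, the WAN interface `ether1`, the 30s entry timeout and the 5s scheduler interval are assumptions; the command paths are the RouterOS v5/v6 syntax used elsewhere in this thread.

```routeros
# Added example, not a script from the thread. "ipsec-peers" (address-list) and
# "ether1" (WAN interface) are placeholders; adjust them to your setup.

# Firewall, input chain: IKE and ESP must be open to any source, because
# road-warrior peers arrive from unknown addresses. After ESP decapsulation the
# inner UDP 1701 packet passes input again with the peer's public IP as source
# (see the packet-flow discussion above), so an address-list match works on it.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T from anywhere"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="ESP from anywhere"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    src-address-list=ipsec-peers action=accept comment="L2TP only from IPsec peers"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=drop \
    comment="L2TP that did not arrive over IPsec"

# Script: mirror /ip ipsec remote-peers into the address-list. Each entry gets
# a short timeout that is refreshed on every run, so a peer whose SA is gone
# drops out of the list by itself, without explicit cleanup.
/system script
add name=sync-ipsec-peers source={
    :foreach peer in=[/ip ipsec remote-peers find] do={
        :local addr [/ip ipsec remote-peers get $peer remote-address]
        # Some versions report remote-address as host:port; keep only the host part.
        :local sep [:find $addr ":"]
        :if ([:typeof $sep] = "num") do={ :set addr [:pick $addr 0 $sep] }
        :local existing [/ip firewall address-list find list=ipsec-peers address=$addr]
        :if ([:len $existing] = 0) do={
            /ip firewall address-list add list=ipsec-peers address=$addr timeout=30s \
                comment="dynamic IPsec peer"
        } else={
            # Entry already present: extend its lifetime for another interval.
            /ip firewall address-list set $existing timeout=30s
        }
    }
}

# Scheduler: run frequently. The first L2TP SCCRQ can arrive before the list is
# updated and be dropped, but L2TP retransmits control messages (the SCCRP
# retries in the first post's log show this), so the tunnel comes up on a retry.
/system scheduler
add name=sync-ipsec-peers interval=5s on-event=sync-ipsec-peers
```

The list lags the SA by up to one scheduler interval, which is the timing objection gsloop raises further down the thread; the setup relies on the client's L2TP retransmission to cover that gap. Later RouterOS 6 releases added an `ipsec-policy` matcher to `/ip firewall filter`, which makes this workaround unnecessary on those versions.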
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 9:56 pm

> L2TP will only be available to IPSec connected clients.
That's simply incorrect.

I emailed support, and here's the query and response.
> I've setup L2TP on my RB450G - I want to tighten security down some...
>
> 1) Prevent people from logging on via L2TP and their PPP credentials without first
> connecting via IPSec.
> I assume that blocking [or not allowing depending on your POV] port
> 1701 UDP on the WAN/external interface [or any interface you don't want someone
> making a regular L2TP connect from] should be sufficient.
>
> *However* - since IPSec traffic is going to look like it's coming directly from
> the WAN ethernet port - how to do this? [This is why we desperately need a
> "normal" IPSec implementation to allow us to match it in filter rules by an
> interface like IPTables on Linux does!]
>
> So,
> I can't filter on interface.
> I can't filter based on IP [since it's going to be the publicly routed
> IP address of the connecting client. Road-warrior]
> I can't filter on Port [Obviously I can't just block UDP 1701 - that will block
> everything.]
>
> So, how to generate a rule that allows L2TP over IPSec, but not alone?

Hello,

Currently it is not possible. We will consider adding ipsec policy matcher in the
future versions.

Regards,
Maris
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 10:17 pm

"Simply incorrect" doesnt work as a reasonable agrument. All the things you suggested in your email to support are indeed not possible. Policy matching is also NOT possible.

However, doing it the way I described is possible. Read it again, and tell me why it would not work.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP/IPSec with Android

Thu Nov 29, 2012 11:40 pm

> However, doing it the way I described is possible. Read it again, and tell me why it would not work.
You have a script [or can fashion one] that will allow an IPSec connect, and then modify the "/ip firewall filter" rules to allow L2TP for ONLY that associated SA IP source address? Is that what you're claiming?

...and you can do that so fast as not to interfere with the L2TP process which will occur in milliseconds after the SA association?

Really?

How are you going to kick off the script when the SA association occurs?
How are you going to accomplish this in less than a few dozen milliseconds?

I'm really interested to see how you do that - frankly it would be pretty incredible.

I'm the first in line to see it.

Let me know.

---
As far as claiming "it's simply incorrect." I'm only telling you what Mikrotik says is true. Perhaps they're wrong. It wouldn't exactly surprise me. But I asked them specifically about it, and Mikrotik themselves said there's no way to prevent users from connecting to L2TP directly and attempting to build a L2TP session outside IPSec.

So, if you want to argue, go argue with Maris, not me.

-Greg
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Fri Nov 30, 2012 2:09 am

Alright, got it working completely now. Works with the Android, iPhone and Win 7 L2TP/IPSec clients flawlessly.

In case someone finds this thread later on, here is the working config:
/ppp profile
add name=L2TP local-address=10.0.31.1 remote-address=l2tp-pool address-list=L2TP_Clients
/ip pool
add name=l2tp-pool ranges=10.0.31.101-10.0.31.199
/ppp secret
add name=username password=password profile=L2TP service=l2tp

/interface l2tp-server server
set default-profile=L2TP enabled=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 secret=vpnsecret send-initial-contact=no
If your clients are behind NAT, you have to set nat-traversal=yes in IPSec Peer, and allow UDP 4500 in firewall.

As for securing the L2TP server to IPSec clients only, I will post tomorrow.
Last edited by tomaskir on Tue Dec 04, 2012 11:50 am, edited 3 times in total.
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: L2TP/IPSec with Android

Sun Dec 02, 2012 11:24 am

> Alright, got it working completely now. Works with the Android, iPhone and Win 7 L2TP/IPSec clients flawlessly.
>
> In case someone finds this thread later on, here is the working config:
> /ppp profile
> add name=L2TP local-address=10.0.31.1 remote-address=l2tp-pool address-list=L2TP_Clients
> /ip pool
> add name=l2tp-pool ranges=10.0.31.101-10.0.31.199
> /ppp secret
> add name=username password=password profile=L2TP service=l2tp
>
> /interface l2tp-server server
> set default-profile=L2TP enabled=yes
>
> /ip ipsec proposal
> set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
> /ip ipsec peer
> add exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 secret=vpnsecret send-initial-contact=no
> As for securing the L2TP server to IPSec clients only, I will post tomorrow.
I'm also interested in getting L2TP work for my Apple devices. But I had no luck with this configuration.
I'm getting the following output in the logs while trying to connect..
10:18:35 ipsec,debug,packet 500 bytes message received from XXX.XXX.XXX.XXX[10104] to XXX.XXX.XXX.XXX[500] 
10:18:35 ipsec,debug,packet 8b5e2b11 e5c48a85 00000000 00000000 01100200 00000000 000001f4 0d0000e4 
*removed similar lines*
10:18:35 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100 
10:18:35 ipsec,debug couldn't find configuration.
So your working config doesn't seem to be complete? Does anybody know what I'm missing here?
Router: Mikrotik RB2011UAS-2HnD-in
Speedtest.net: 93.22Mb/s download | 72.11Mb/s upload | 4ms ping
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Sun Dec 02, 2012 2:01 pm

Is your Ipsec peer correct with 0.0.0.0/0 address? That error means that the corresponding peer can't be found.

Also, sometimes after importing an Ipsec config, for it to start working you need to reboot the router.
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: L2TP/IPSec with Android

Mon Dec 03, 2012 11:13 am

[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled 
 0   address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="XXXXXXX" generate-policy=yes exchange-mode=main-l2tp 
     send-initial-contact=no nat-traversal=no my-id-user-fqdn="" hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 
     lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
I haven't rebooted router yet.. Can't do it right now.. So could try when I get home tonight.
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Mon Dec 03, 2012 12:49 pm

Another possibility is that the client is behind NAT, and this config has NAT-T disabled. My clients all have public IPs directly, so I didn't need it. If you do, enable NAT-T and allow UDP 4500 in the firewall.
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: L2TP/IPSec with Android

Mon Dec 03, 2012 4:53 pm

I've rebooted the router, and more things happen, but still no connection..
The output generated while connecting is very long and no real clues (to me) on what's going wrong.
So which part to post here? :shock:

Small portion of what happens.:
00:04:02 ipsec,debug,packet ========== 
00:04:02 ipsec,debug,packet 76 bytes message received from XXX.XXX.XXX.XXX[20834] to XXX.XXX.XXX.XXX[500] 
00:04:02 ipsec,debug,packet 3438a353 29a6dee4 371e9397 3e3d1e60 08100501 a7364386 0000004c e66eede4 
00:04:02 ipsec,debug,packet a12a9010 192e175c 82bd3be4 280fc396 ab30d999 b700d885 40d82d7a 734b6917 
00:04:02 ipsec,debug,packet b9a8b1b0 9baea82a ccb2cae7 
00:04:02 ipsec,debug,packet receive Information. 
00:04:02 ipsec,debug,packet compute IV for phase2 
00:04:02 ipsec,debug,packet phase1 last IV: 
00:04:02 ipsec,debug,packet 2ac5389b 917c9b75 a7364386 
00:04:02 ipsec,debug,packet hash(sha1) 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet phase2 IV computed: 
00:04:02 ipsec,debug,packet abd3dcc6 29517135 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet IV was saved for next processing: 
00:04:02 ipsec,debug,packet 9baea82a ccb2cae7 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet with key: 
00:04:02 ipsec,debug,packet 858a148a f71c5e7e f3ce2c5f ded41c70 698776df 2213b241 
00:04:02 ipsec,debug,packet decrypted payload by IV: 
00:04:02 ipsec,debug,packet abd3dcc6 29517135 
00:04:02 ipsec,debug,packet decrypted payload, but not trimed. 
00:04:02 ipsec,debug,packet 0c000018 23e384f6 b44eb09a f4221969 d901892e c6b47062 00000010 00000001 
00:04:02 ipsec,debug,packet 03040001 0e56063e 00000000 00000008 
00:04:02 ipsec,debug,packet padding len=9 
00:04:02 ipsec,debug,packet skip to trim padding. 
00:04:02 ipsec,debug,packet decrypted. 
00:04:02 ipsec,debug,packet 3438a353 29a6dee4 371e9397 3e3d1e60 08100501 a7364386 0000004c 0c000018 
00:04:02 ipsec,debug,packet 23e384f6 b44eb09a f4221969 d901892e c6b47062 00000010 00000001 03040001 
00:04:02 ipsec,debug,packet 0e56063e 00000000 00000008 
00:04:02 ipsec,debug,packet HASH with: 
00:04:02 ipsec,debug,packet a7364386 00000010 00000001 03040001 0e56063e 
00:04:02 ipsec,debug,packet hmac(hmac_sha1) 
00:04:02 ipsec,debug,packet HASH computed: 
00:04:02 ipsec,debug,packet 23e384f6 b44eb09a f4221969 d901892e c6b47062 
00:04:02 ipsec,debug,packet hash validated. 
00:04:02 ipsec,debug,packet begin. 
00:04:02 ipsec,debug,packet seen nptype=8(hash) 
00:04:02 ipsec,debug,packet seen nptype=12(delete) 
00:04:02 ipsec,debug,packet succeed. 
00:04:02 ipsec,debug,packet delete payload for protocol ESP 
00:04:02 ipsec,debug,packet purge_ipsec_spi: 
00:04:02 ipsec,debug,packet dst0: 46.144.134.200[20834] 
00:04:02 ipsec,debug,packet SPI: 0E56063E 
00:04:02 ipsec,debug,packet purged SAs. 
00:04:02 ipsec,debug,packet ========== 
00:04:02 ipsec,debug,packet 84 bytes message received from XXX.XXX.XXX.XXX[20834] to XXX.XXX.XXX.XXX[500] 
00:04:02 ipsec,debug,packet 3438a353 29a6dee4 371e9397 3e3d1e60 08100501 9408d1cf 00000054 5ea29aee 
00:04:02 ipsec,debug,packet 36918ea2 0303addc 245b669a 13c0169f 954aa5b0 351d3468 6469ca11 77ebda96 
00:04:02 ipsec,debug,packet 0ab5b038 45b5cbdb 518cf0e9 5b5abae2 032235f0 
00:04:02 ipsec,debug,packet receive Information. 
00:04:02 ipsec,debug,packet compute IV for phase2 
00:04:02 ipsec,debug,packet phase1 last IV: 
00:04:02 ipsec,debug,packet 2ac5389b 917c9b75 9408d1cf 
00:04:02 ipsec,debug,packet hash(sha1) 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet phase2 IV computed: 
00:04:02 ipsec,debug,packet ff7c4d78 bf1064db 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet IV was saved for next processing: 
00:04:02 ipsec,debug,packet 5b5abae2 032235f0 
00:04:02 ipsec,debug,packet encryption(3des) 
00:04:02 ipsec,debug,packet with key: 
00:04:02 ipsec,debug,packet 858a148a f71c5e7e f3ce2c5f ded41c70 698776df 2213b241 
00:04:02 ipsec,debug,packet decrypted payload by IV: 
00:04:02 ipsec,debug,packet ff7c4d78 bf1064db 
00:04:02 ipsec,debug,packet decrypted payload, but not trimed. 
00:04:02 ipsec,debug,packet 0c000018 25e97cce 8c6dc015 08084b6d 185ea32c f09c8ee6 0000001c 00000001 
00:04:02 ipsec,debug,packet 01100001 3438a353 29a6dee4 371e9397 3e3d1e60 00000004 
00:04:02 ipsec,debug,packet padding len=5 
00:04:02 ipsec,debug,packet skip to trim padding. 
00:04:02 ipsec,debug,packet decrypted. 
00:04:02 ipsec,debug,packet 3438a353 29a6dee4 371e9397 3e3d1e60 08100501 9408d1cf 00000054 0c000018 
00:04:02 ipsec,debug,packet 25e97cce 8c6dc015 08084b6d 185ea32c f09c8ee6 0000001c 00000001 01100001 
00:04:02 ipsec,debug,packet 3438a353 29a6dee4 371e9397 3e3d1e60 00000004 
00:04:02 ipsec,debug,packet HASH with: 
00:04:02 ipsec,debug,packet 9408d1cf 0000001c 00000001 01100001 3438a353 29a6dee4 371e9397 3e3d1e60 
00:04:02 ipsec,debug,packet hmac(hmac_sha1) 
00:04:02 ipsec,debug,packet HASH computed: 
00:04:02 ipsec,debug,packet 25e97cce 8c6dc015 08084b6d 185ea32c f09c8ee6 
00:04:02 ipsec,debug,packet hash validated. 
00:04:02 ipsec,debug,packet begin. 
00:04:02 ipsec,debug,packet seen nptype=8(hash) 
00:04:02 ipsec,debug,packet seen nptype=12(delete) 
00:04:02 ipsec,debug,packet succeed. 
00:04:02 ipsec,debug,packet delete payload for protocol ISAKMP 
00:04:02 ipsec,debug ISAKMP-SA expired XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[20834] spi:3438a35329a6dee4:371e93973e3d1e60 
00:04:02 ipsec,debug,packet purged SAs. 
00:04:03 ipsec,debug ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[20834] spi:3438a35329a6dee4:371e93973e3d1e60 
00:04:03 ipsec,debug,packet an undead schedule has been deleted. 
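The two "decrypted." dumps in the log above are ISAKMP Informational exchanges: the client first deletes its ESP SA and then the ISAKMP SA itself, which is why RouterOS reports "purged SAs" and "ISAKMP-SA deleted". As an added example for this thread (not code from the post, from RouterOS or from racoon), the following Python decodes those two hex dumps by the RFC 2408 layouts for the ISAKMP header and the HASH and DELETE payloads; the hex constants are copied from the log lines above.

```python
"""Decode the decrypted ISAKMP Informational messages from a racoon
'ipsec,debug,packet' dump.

Added example for this thread, not code from the post, RouterOS or racoon.
Field layouts follow RFC 2408; the two hex dumps are copied from the
"decrypted." lines of the log in the post.
"""
import struct

# Decrypted message bodies as printed on the "decrypted." log lines.
DECRYPTED_ESP_DELETE = (
    "3438a353 29a6dee4 371e9397 3e3d1e60 08100501 a7364386 0000004c 0c000018 "
    "23e384f6 b44eb09a f4221969 d901892e c6b47062 00000010 00000001 03040001 "
    "0e56063e 00000000 00000008"
)
DECRYPTED_ISAKMP_DELETE = (
    "3438a353 29a6dee4 371e9397 3e3d1e60 08100501 9408d1cf 00000054 0c000018 "
    "25e97cce 8c6dc015 08084b6d 185ea32c f09c8ee6 0000001c 00000001 01100001 "
    "3438a353 29a6dee4 371e9397 3e3d1e60 00000004"
)

PAYLOAD_TYPES = {0: "NONE", 8: "HASH", 12: "DELETE"}
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 5: "Informational", 32: "Quick Mode"}
DELETE_PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP"}


def parse_isakmp(hexdump):
    """Parse one decrypted ISAKMP message into a dict of header fields and payloads."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    # Fixed 28-byte header: two 8-byte cookies, next-payload, version,
    # exchange type, flags, 4-byte message ID, 4-byte total length.
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    msg = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),
        "message_id": f"{msg_id:08x}",
        "length": length,
        "payloads": [],
    }
    offset, ptype = 28, next_payload
    while ptype != 0:
        # Generic payload header: next-payload, reserved, 2-byte payload length.
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        body = data[offset + 4:offset + plen]
        payload = {"type": PAYLOAD_TYPES.get(ptype, f"unknown({ptype})")}
        if ptype == 8:
            payload["hash"] = body.hex()
        elif ptype == 12:
            # DELETE: DOI, protocol-id, SPI size, number of SPIs, then the SPIs.
            doi, proto, spi_size, num_spis = struct.unpack("!IBBH", body[:8])
            spis = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex()
                    for i in range(num_spis)]
            payload.update(doi=doi, protocol=DELETE_PROTOCOLS.get(proto, f"unknown({proto})"),
                           spis=spis)
        msg["payloads"].append(payload)
        offset += plen
        ptype = nxt
    # Whatever follows the last payload is block-cipher padding (3DES here).
    msg["padding_bytes"] = len(data) - offset
    return msg


def describe(msg):
    """Render one parsed message as readable lines."""
    out = [f"ISAKMP v{msg['version']} {msg['exchange']}, msg-id {msg['message_id']}, "
           f"{msg['length']} bytes, encrypted={msg['encrypted']}"]
    for p in msg["payloads"]:
        if p["type"] == "HASH":
            out.append(f"  HASH {p['hash']}")
        elif p["type"] == "DELETE":
            out.append(f"  DELETE protocol={p['protocol']} SPIs={','.join(p['spis'])}")
    out.append(f"  {msg['padding_bytes']} bytes cipher padding")
    return out


if __name__ == "__main__":
    for dump in (DECRYPTED_ESP_DELETE, DECRYPTED_ISAKMP_DELETE):
        print("\n".join(describe(parse_isakmp(dump))))
```

Two hygiene points the same dump illustrates: the "with key:" line prints the live 3DES session key, so ipsec debug,packet output is sensitive material and should not be posted or kept unredacted; and the "purge_ipsec_spi: dst0:" line carries the client address that the rest of the paste had masked as XXX.XXX.XXX.XXX, so redacting by a fixed pattern tends to miss fields printed in a different format.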
 
tomaskir

Re: L2TP/IPSec with Android

Mon Dec 03, 2012 5:53 pm

Is the client behind NAT, or does it have a public IP? Do you have multiple WAN connections on the concentrator? Are you sure everything that's needed is allowed in the firewall?
inSaNo

Re: L2TP/IPSec with Android

Mon Dec 03, 2012 11:23 pm

The client was behind NAT, but not at my local network (some external location).
There is only one WAN connection on the router (a PPPoE interface).
These are the firewall filters as needed:
 4   chain=input action=accept protocol=udp dst-port=4500 
 5   chain=input action=accept protocol=udp dst-port=1701 
 6   chain=input action=accept protocol=udp dst-port=500 
 7   chain=input action=accept protocol=ipsec-esp 
I don't know if more filters are required?
These will be made a bit more specific after L2TP works; I'd like to specify an incoming interface too.
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 11:32 am

Did you set nat-traversal=yes and try with that? Also, try to connect from the inside of your LAN, to see if that works or not.
inSaNo

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 11:37 am

Did you set nat-traversal=yes and try with that? Also, try to connect from the inside of your LAN, to see if that works or not.
I don't recall, but I could test it now. Where do I set that option?

--edit--
Ah, found the option: /ip ipsec peer

Going to set it now and try.
Last edited by inSaNo on Tue Dec 04, 2012 11:38 am, edited 1 time in total.
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 11:38 am

If your clients are behind NAT, you need to set that in IPSec peer.
inSaNo

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 11:44 am

OK, the change had some effect. I see that it's generating a policy for the traffic. A whole lot of output is generated, but the connection still can't be established at the end. Do I need to restart the router again for this? Or is there still something else wrong?

Output on my MacBook Air (L2TP client):
Dec  4 10:47:57 MacBookAir racoon[12567]: Connecting.
Dec  4 10:47:57 MacBookAir racoon[12567]: IPSec Phase1 started (Initiated by me).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Dec  4 10:47:57 MacBookAir racoon[12567]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Dec  4 10:47:57 MacBookAir racoon[12567]: IPSec Phase1 established (Initiated by me).
Dec  4 10:47:58 MacBookAir racoon[12567]: IPSec Phase2 started (Initiated by me).
Dec  4 10:47:58 MacBookAir racoon[12567]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec  4 10:47:58 MacBookAir racoon[12567]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec  4 10:47:58 MacBookAir racoon[12567]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec  4 10:47:58 MacBookAir racoon[12567]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec  4 10:47:58 MacBookAir racoon[12567]: IPSec Phase2 established (Initiated by me).
Dec  4 10:47:58 MacBookAir pppd[12587]: IPSec connection established
Dec  4 10:47:59 MacBookAir pppd[12587]: L2TP connection established.
Dec  4 10:47:59 MacBookAir pppd[12587]: Connect: ppp0 <--> socket[34:18]
Dec  4 10:47:59 MacBookAir pppd[12587]: Unsupported protocol 0x8281 received
Dec  4 10:47:59 MacBookAir pppd[12587]: Unsupported protocol 'Bridging NCP' (0x8031) received
Dec  4 10:48:00 MacBookAir pppd[12587]: Fatal signal 6
Dec  4 10:48:00 MacBookAir racoon[12567]: IPSec disconnecting from server XXX.XXX.XXX.XXX
Dec  4 10:48:00 MacBookAir racoon[12567]: IKE Packet: transmit success. (Information message).
Dec  4 10:48:00 MacBookAir racoon[12567]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Dec  4 10:48:00 MacBookAir racoon[12567]: IKE Packet: transmit success. (Information message).
Dec  4 10:48:00 MacBookAir racoon[12567]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Last edited by inSaNo on Tue Dec 04, 2012 11:49 am, edited 1 time in total.
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 11:48 am

I would advise flushing the SAs and disabling/enabling the peer, just to be sure.

What the problem is afterwards needs to be found out. Is the L2TP client getting the IP from the server? If the IPSec dynamic policy and SAs are generated properly, we need to look at the L2TP server logs.

Edit: As for the MacBook logs: IPSec now works for you; it seems something is wrong with your L2TP config.
inSaNo

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:05 pm

I've flushed the SAs and disabled/enabled the peer, still no go.

Here is the l2tp server log for the last try.
I've replaced the real client IP with <client-IP>:
19:14:53 l2tp,debug,packet rcvd control message from <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
19:14:53 l2tp,debug,packet     (M) Message-Type=SCCRQ 
19:14:53 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
19:14:53 l2tp,debug,packet     (M) Framing-Capabilities=0x3 
19:14:53 l2tp,debug,packet     (M) Host-Name=0x4d:61:63:42:6f:6f:6b:41:69:72:00 
19:14:53 l2tp,debug,packet     (M) Assigned-Tunnel-ID=13 
19:14:53 l2tp,debug,packet     (M) Receive-Window-Size=4 
19:14:53 l2tp,info first L2TP UDP packet received from <client-IP> 
19:14:53 l2tp,debug tunnel 8 entering state: wait-ctl-conn 
19:14:53 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=13, session-id=0, ns=0, nr=1 
19:14:53 l2tp,debug,packet     (M) Message-Type=SCCRP 
19:14:53 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
19:14:53 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
19:14:53 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
19:14:53 l2tp,debug,packet     Firmware-Revision=0x1 
19:14:53 l2tp,debug,packet     (M) Host-Name="MikroTik" 
19:14:53 l2tp,debug,packet     Vendor-Name="MikroTik" 
19:14:53 l2tp,debug,packet     (M) Assigned-Tunnel-ID=8 
19:14:53 l2tp,debug,packet     (M) Receive-Window-Size=4 
19:14:53 l2tp,debug,packet rcvd control message from <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=8, session-id=0, ns=1, nr=1 
19:14:53 l2tp,debug,packet     (M) Message-Type=SCCCN 
19:14:53 l2tp,debug tunnel 8 entering state: estabilished 
19:14:53 l2tp,debug,packet sent control message (ack) to <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=13, session-id=0, ns=1, nr=2 
19:14:53 l2tp,debug,packet rcvd control message from <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=8, session-id=0, ns=2, nr=1 
19:14:53 l2tp,debug,packet     (M) Message-Type=ICRQ 
19:14:53 l2tp,debug,packet     (M) Assigned-Session-ID=12625 
19:14:53 l2tp,debug,packet     (M) Call-Serial-Number=1 
19:14:53 l2tp,debug session 1 entering state: wait-connect 
19:14:53 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=13, session-id=12625, ns=1, nr=3 
19:14:53 l2tp,debug,packet     (M) Message-Type=ICRP 
19:14:53 l2tp,debug,packet     (M) Assigned-Session-ID=1 
19:14:53 l2tp,debug,packet rcvd control message from <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=8, session-id=1, ns=3, nr=2 
19:14:53 l2tp,debug,packet     (M) Message-Type=ICCN 
19:14:53 l2tp,debug,packet     (M) Tx-Connect-Speed-BPS=1000000 
19:14:53 l2tp,debug,packet     (M) Framing-Type=0x3 
19:14:53 l2tp,debug session 1 entering state: established 
19:14:53 l2tp,debug,packet sent control message (ack) to <client-IP>:54373 
19:14:53 l2tp,debug,packet     tunnel-id=13, session-id=0, ns=2, nr=4 
19:14:53 l2tp,ppp,info <l2tp-0>: waiting for call... 
19:14:53 l2tp,ppp,debug <<client-IP>>: LCP lowerup 
19:14:53 l2tp,ppp,debug <<client-IP>>: LCP open 
19:14:53 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ConfReq id=0x1 
19:14:53 l2tp,ppp,debug,packet    <asyncmap 0x0> 
19:14:53 l2tp,ppp,debug,packet    <magic 0xf51f2b6> 
19:14:53 l2tp,ppp,debug,packet    <pcomp> 
19:14:53 l2tp,ppp,debug,packet    <accomp> 
19:14:53 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ConfReq id=0x1 
19:14:53 l2tp,ppp,debug,packet    <mru 1460> 
19:14:53 l2tp,ppp,debug,packet    <magic 0x25e5ba2a> 
19:14:53 l2tp,ppp,debug,packet    <auth  mschap2> 
19:14:53 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ConfRej id=0x1 
19:14:53 l2tp,ppp,debug,packet    <asyncmap 0x0> 
19:14:53 l2tp,ppp,debug,packet    <pcomp> 
19:14:53 l2tp,ppp,debug,packet    <accomp> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ConfAck id=0x1 
19:14:54 l2tp,ppp,debug,packet    <mru 1460> 
19:14:54 l2tp,ppp,debug,packet    <magic 0x25e5ba2a> 
19:14:54 l2tp,ppp,debug,packet    <auth  mschap2> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ConfReq id=0x2 
19:14:54 l2tp,ppp,debug,packet    <magic 0xf51f2b6> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ConfAck id=0x2 
19:14:54 l2tp,ppp,debug,packet    <magic 0xf51f2b6> 
19:14:54 l2tp,ppp,debug <<client-IP>>: LCP opened 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent CHAP Challenge id=0x1 
19:14:54 l2tp,ppp,debug,packet     <challenge len=10> 
19:14:54 l2tp,ppp,debug,packet     <name MikroTik> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP EchoReq id=0x0 
19:14:54 l2tp,ppp,debug,packet     <magic 0xf51f2b6> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP EchoRep id=0x0 
19:14:54 l2tp,ppp,debug,packet     <magic 0x25e5ba2a> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd CHAP Response id=0x1 
19:14:54 l2tp,ppp,debug,packet     <response len=31> 
19:14:54 l2tp,ppp,debug,packet     <name dsteenstra> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent CHAP Success id=0x1 
19:14:54 l2tp,ppp,debug,packet     S=06B2D22FD912B9AB75780A080D62C2C40726E901 
19:14:54 l2tp,ppp,info <l2tp-0>: authenticated 
19:14:54 l2tp,ppp,debug <<client-IP>>: IPCP lowerup 
19:14:54 l2tp,ppp,debug <<client-IP>>: IPCP open 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfReq id=0x1 
19:14:54 l2tp,ppp,debug,packet     <addr 192.168.88.200> 
19:14:54 l2tp,ppp,debug <<client-IP>>: IPV6CP open 
19:14:54 l2tp,ppp,debug <<client-IP>>: MPLSCP lowerup 
19:14:54 l2tp,ppp,debug <<client-IP>>: MPLSCP open 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent MPLSCP ConfReq id=0x1 
19:14:54 l2tp,ppp,debug <<client-IP>>: BCP lowerup 
19:14:54 l2tp,ppp,debug <<client-IP>>: BCP open 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent BCP ConfReq id=0x1 
19:14:54 l2tp,ppp,debug,packet    <mac-support 1> 
19:14:54 l2tp,ppp,debug,packet    <802-tagged-frame 1> 
19:14:54 l2tp,ppp,debug,packet    <management-inline> 
19:14:54 l2tp,ppp,debug <<client-IP>>: CCP lowerup 
19:14:54 l2tp,ppp,debug <<client-IP>>: CCP open 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x1 
19:14:54 l2tp,ppp,debug,packet     <addr 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x1 
19:14:54 l2tp,ppp,debug,packet     <addr 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ProtRej id=0x3 
19:14:54 l2tp,ppp,debug,packet      82 81 01 01 00 04 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPV6CP ConfReq id=0x1 
19:14:54 l2tp,ppp,debug,packet     <interface-identifier 1610:9fff:fef1:24f2> 
19:14:54 l2tp,ppp,debug <<client-IP>>: received unsupported protocol 0x8057 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ProtRej id=0x2 
19:14:54 l2tp,ppp,debug,packet      80 57 01 01 00 0e 01 0a 16 10 9f ff fe f1 24 f2 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ProtRej id=0x4 
19:14:54 l2tp,ppp,debug,packet      80 31 01 01 00 0c 03 03 01 08 03 01 09 02 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd proto=0x8235 01 01 00 10 01 06 00 00... 
19:14:54 l2tp,ppp,debug <<client-IP>>: received unsupported protocol 0x8235 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ProtRej id=0x3 
19:14:54 l2tp,ppp,debug,packet      82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfAck id=0x1 
19:14:54 l2tp,ppp,debug,packet     <addr 192.168.88.200> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x2 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x2 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x3 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x3 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x4 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x4 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x5 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x5 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x6 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x6 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x7 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x7 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x8 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x8 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x9 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x9 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xa 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xa 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xb 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xb 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xc 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xc 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xd 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xd 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xe 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xe 
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug <<client-IP>>: IPCP timer 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfReq id=0x2 
19:14:55 l2tp,ppp,debug,packet     <addr 192.168.88.200> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0xf 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0xf 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfAck id=0x2 
19:14:55 l2tp,ppp,debug,packet     <addr 192.168.88.200> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x10 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x10 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x11 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x11 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x12 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x12 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x13 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x13 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x14 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x14 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug <<client-IP>>: IPCP close 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP TermReq id=0x3 
19:14:55 l2tp,ppp,debug,packet     protocol negotiation failed\00 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x15 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <ms-dns 0.0.0.0> 
19:14:55 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00> 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP TermAck id=0x3 
19:14:55 l2tp,ppp,debug <<client-IP>>: LCP close 
19:14:55 l2tp,ppp,debug <<client-IP>>: LCP closed 
19:14:55 l2tp,ppp,debug <<client-IP>>: CCP lowerdown 
19:14:55 l2tp,ppp,debug <<client-IP>>: BCP lowerdown 
19:14:55 l2tp,ppp,debug <<client-IP>>: IPCP lowerdown 
19:14:55 l2tp,ppp,debug <<client-IP>>: IPV6CP lowerdown 
19:14:55 l2tp,ppp,debug <<client-IP>>: IPV6CP down event in starting state 
19:14:55 l2tp,ppp,debug <<client-IP>>: MPLSCP lowerdown 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP TermReq id=0x4 
19:14:55 l2tp,ppp,debug,packet     could not determine local IP address\00 
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP TermAck id=0x4 
19:14:55 l2tp,ppp,debug <<client-IP>>: LCP lowerdown 
19:14:55 l2tp,ppp,info <l2tp-0>: terminating... - could not determine local IP address 
19:14:55 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:55 l2tp,debug,packet     tunnel-id=13, session-id=12625, ns=2, nr=4 
19:14:55 l2tp,debug,packet     (M) Message-Type=CDN 
19:14:55 l2tp,debug,packet     (M) Result-Code=1 
19:14:55 l2tp,debug,packet     (M) Assigned-Session-ID=1 
19:14:55 l2tp,debug session 1 entering state: stopping 
19:14:55 l2tp,ppp,debug <<client-IP>>: LCP lowerdown 
19:14:55 l2tp,ppp,debug <<client-IP>>: LCP down event in initial state 
19:14:55 l2tp,ppp,info <l2tp-0>: disconnected 
19:14:56 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:56 l2tp,debug,packet     tunnel-id=13, session-id=12625, ns=2, nr=4 
19:14:56 l2tp,debug,packet     (M) Message-Type=CDN 
19:14:56 l2tp,debug,packet     (M) Result-Code=1 
19:14:56 l2tp,debug,packet     (M) Assigned-Session-ID=1 
19:14:57 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:57 l2tp,debug,packet     tunnel-id=13, session-id=12625, ns=2, nr=4 
19:14:57 l2tp,debug,packet     (M) Message-Type=CDN 
19:14:57 l2tp,debug,packet     (M) Result-Code=1 
19:14:57 l2tp,debug,packet     (M) Assigned-Session-ID=1 
19:14:59 l2tp,debug,packet sent control message to <client-IP>:54373 
19:14:59 l2tp,debug,packet     tunnel-id=13, session-id=12625, ns=2, nr=4 
19:14:59 l2tp,debug,packet     (M) Message-Type=CDN 
19:14:59 l2tp,debug,packet     (M) Result-Code=1 
19:14:59 l2tp,debug,packet     (M) Assigned-Session-ID=1 
The message that stands out:
19:14:55 l2tp,ppp,info <l2tp-0>: terminating... - could not determine local IP address
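The log above is long because RouterOS dumps every PPP option exchange, and the line that matters sits near the end. As an added example for this thread (not code from the post or from MikroTik), the following Python triages a RouterOS l2tp,ppp debug log: it lists the L2TP tunnel/session state changes, decodes the PPP Protocol-Reject packets (the protocol numbers the MacBook's pppd also complained about), counts the IPCP request/reject loop and pulls out the terminate reasons. SAMPLE_LOG is a constructed excerpt of the log lines in the post; the PPP protocol and code numbers are the standard IANA assignments.

```python
"""Triage a RouterOS l2tp,ppp debug log.

Added example for this thread, not code from the post or from MikroTik.
SAMPLE_LOG is a constructed excerpt of the log lines in the post.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""19:14:53 l2tp,debug tunnel 8 entering state: wait-ctl-conn
19:14:53 l2tp,debug tunnel 8 entering state: estabilished
19:14:53 l2tp,debug session 1 entering state: wait-connect
19:14:53 l2tp,debug session 1 entering state: established
19:14:54 l2tp,ppp,info <l2tp-0>: authenticated
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x1
19:14:54 l2tp,ppp,debug,packet     <addr 0.0.0.0>
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x1
19:14:54 l2tp,ppp,debug,packet     <addr 0.0.0.0>
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ProtRej id=0x3
19:14:54 l2tp,ppp,debug,packet      82 81 01 01 00 04
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP ProtRej id=0x2
19:14:54 l2tp,ppp,debug,packet      80 57 01 01 00 0e 01 0a 16 10 9f ff fe f1 24 f2
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd LCP ProtRej id=0x4
19:14:54 l2tp,ppp,debug,packet      80 31 01 01 00 0c 03 03 01 08 03 01 09 02
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: rcvd IPCP ConfReq id=0x2
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00>
19:14:54 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP ConfRej id=0x2
19:14:54 l2tp,ppp,debug,packet     <0x01 0a 00 00 00 00 00 00 00 00>
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent IPCP TermReq id=0x3
19:14:55 l2tp,ppp,debug,packet     protocol negotiation failed\00
19:14:55 l2tp,ppp,debug,packet  <<client-IP>>: sent LCP TermReq id=0x4
19:14:55 l2tp,ppp,debug,packet     could not determine local IP address\00
19:14:55 l2tp,ppp,info <l2tp-0>: terminating... - could not determine local IP address
19:14:55 l2tp,ppp,info <l2tp-0>: disconnected
"""

# Standard PPP protocol numbers and control-protocol codes (RFC 1661 and IANA).
PPP_PROTOCOLS = {0xc021: "LCP", 0xc223: "CHAP", 0x8021: "IPCP", 0x8057: "IPV6CP",
                 0x80fd: "CCP", 0x8031: "BCP (Bridging NCP)", 0x8281: "MPLSCP"}
CP_CODES = {1: "ConfReq", 2: "ConfAck", 3: "ConfNak", 4: "ConfRej",
            5: "TermReq", 6: "TermAck", 7: "CodeRej", 8: "ProtRej"}
STATE_RE = re.compile(r"(tunnel|session) (\d+) entering state: (\S+)")
CP_RE = re.compile(r"(rcvd|sent) (\w+) (Conf\w+|Term\w+|ProtRej|Echo\w+) id=0x[0-9a-f]+")
INFO_RE = re.compile(r"<l2tp-\d+>: (.*)")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2} ?)+$")


def triage(log_text):
    """Reduce a RouterOS l2tp,ppp log to the facts needed to diagnose it."""
    report = {"states": [], "ppp_events": [], "cp_counts": Counter(),
              "rejected_protocols": [], "terminate_reasons": [], "termination": None}
    pending = None  # (direction, code) of the PPP packet whose dump lines follow
    for line in log_text.splitlines():
        parts = line.split(None, 2)  # timestamp, topics, message
        if len(parts) < 3:
            continue
        _ts, topics, rest = parts
        rest = rest.strip()
        if m := STATE_RE.search(rest):
            report["states"].append(f"{m[1]} {m[2]} -> {m[3]}")
        elif (m := INFO_RE.search(rest)) and "info" in topics:
            report["ppp_events"].append(m[1])
        elif rest.startswith("<<"):
            pending = None  # a new PPP message line; count LCP/NCP packets only
            if m := CP_RE.search(rest):
                direction, proto, code = m.groups()
                report["cp_counts"][(direction, proto, code)] += 1
                pending = (direction, code)
        elif pending and pending[1] == "ProtRej" and HEX_RE.match(rest):
            # Protocol-Reject carries the rejected packet: 2-byte PPP protocol
            # number, then the control-protocol code and identifier.
            octets = bytes.fromhex(rest.replace(" ", ""))
            if len(octets) >= 4:
                proto_num = int.from_bytes(octets[:2], "big")
                report["rejected_protocols"].append({
                    "direction": pending[0],
                    "protocol": f"0x{proto_num:04x}",
                    "name": PPP_PROTOCOLS.get(proto_num, "unknown"),
                    "rejected_packet": CP_CODES.get(octets[2], f"code {octets[2]}"),
                    "rejected_id": octets[3],
                })
            pending = None
        elif pending and pending[1] == "TermReq":
            # The line after a TermReq is its free-text reason (NUL shown as \00).
            report["terminate_reasons"].append(rest.replace("\\00", ""))
            pending = None
    for event in report["ppp_events"]:
        if event.startswith("terminating") and " - " in event:
            report["termination"] = event.split(" - ", 1)[1]
    return report


def summarize(report):
    """Human-readable triage lines."""
    c = report["cp_counts"]
    lines = ["L2TP: " + ", ".join(report["states"])]
    for rej in report["rejected_protocols"]:
        who = "client rejected our" if rej["direction"] == "rcvd" else "we rejected client's"
        lines.append(f"PPP: {who} {rej['name']} {rej['protocol']} {rej['rejected_packet']}")
    lines.append(f"IPCP: {c[('rcvd', 'IPCP', 'ConfReq')]} ConfReq from client, "
                 f"{c[('sent', 'IPCP', 'ConfRej')]} ConfRej sent back")
    lines.append("Terminate reasons: " + "; ".join(report["terminate_reasons"]))
    lines.append(f"Final: {report['termination']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run against the full log, the decoded Protocol-Rejects account for the MacBook's "Unsupported protocol 0x8281" and "Bridging NCP (0x8031)" messages: the router offers MPLSCP and BCP, the Mac declines them, and the router in turn rejects the Mac's IPV6CP, all of which is ordinary negotiation and not the fault. The fault is the IPCP loop: the client asks for an address with 0.0.0.0 (meaning "assign me one"), every request is rejected, and the session ends with "could not determine local IP address", which matches what the thread finds next: the profile's remote-address pool had been removed.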
 
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:13 pm

Post your

/ppp secret exp com
/ppp profile exp com
/interface l2tp-server server exp
/ip address exp com
inSaNo

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:14 pm

OK, I found it. I had removed "remote-address=l2tp-pool" earlier, but that was wrong.
After resetting that option the tunnel is working.
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet 192.168.88.205 --> 192.168.88.200 netmask 0xffffff00 
So that's good, but now how do I connect to my local systems? Is there some more bridging or filtering to do?
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:19 pm

Now it's a completely routed connection. You can directly connect to the IP addresses inside your local LAN.

Basically, the TCP connection will be from [L2TP IP] -> [IP in your LAN], and it will be IPSec secured.

However, check your firewall forward chain to see if anything might be blocking it.

I have no idea how OS X handles routing, however. In Windows or Android you can specify which subnet goes through the VPN, but OS X might use the VPN gateway as the default gateway; that you need to find out.
inSaNo

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:38 pm

Routes are set correctly by the client. It seems that packets can get to the router, but can't get out of the router.
In my /ppp profile I have set bridge=bridge-local; is this correct? Or can I do without?
tomaskir

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 12:40 pm

No, do not configure any bridges for the VPN. This is all routed. As I mentioned, don't do any config besides the one I posted, and if your firewall is not blocking it, it will work.
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP/IPSec with Android

Tue Dec 04, 2012 1:20 pm

Alright, as promised, here is a script to secure the L2TP server to IPSec clients only:

Link to my wiki article: http://wiki.mikrotik.com/wiki/Securing_ ... _for_IPSec

Works wonderfully. Make sure your firewall is properly configured with
add chain=input dst-port=1701 protocol=udp src-address-list=L2TP_Allowed
Schedule the script to run every 2 or 3 seconds, and the L2TP server is secured.
If you are allowing established and related connections in the firewall, the L2TP server will be available for as long as the connection is in the conntrack table, watch out for that. (Default UDP stream timeout is 3 minutes.)
Last edited by tomaskir on Mon Sep 30, 2013 11:35 am, edited 2 times in total.
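To make the conntrack caveat above concrete, here is an added example (a Python model, not RouterOS code and not from this thread) that replays a minimal version of the input chain tomaskir describes: an `established` rule, the `src-address-list=L2TP_Allowed` rule for UDP 1701, and a final drop, against a tiny connection tracker that expires UDP streams after the default 3 minutes. The `Firewall` and `replay` helpers, the peer addresses and the timings are constructed for the demonstration.

```python
"""Why an 'established' rule keeps UDP 1701 reachable after the IPsec SA is gone.

Added example for this thread (Python model, not RouterOS code). It replays
the input chain described above against a minimal connection tracker that
expires UDP streams after RouterOS' default 3-minute stream timeout.
"""
from dataclasses import dataclass, field

UDP_STREAM_TIMEOUT = 180   # seconds; RouterOS default quoted in the thread
L2TP_PORT = 1701


@dataclass
class Firewall:
    allowed: set = field(default_factory=set)       # the L2TP_Allowed address list
    udp_timeout: int = UDP_STREAM_TIMEOUT
    conntrack: dict = field(default_factory=dict)   # (src, dport) -> last packet time

    def input_chain(self, src, dport, now):
        """Evaluate one inbound UDP packet against the chain from the thread:

          1. accept connection-state=established
          2. accept protocol=udp dst-port=1701 src-address-list=L2TP_Allowed
          3. drop (everything else)

        The model assumes the server answered the first packet (L2TP does, with
        SCCRP), so the tracked stream counts as established from then on.
        """
        key = (src, dport)
        last = self.conntrack.get(key)
        if last is not None and now - last <= self.udp_timeout:
            self.conntrack[key] = now        # every packet refreshes the stream timer
            return "accept (established)"
        if last is not None:
            del self.conntrack[key]          # stream idle too long: entry expired
        if dport == L2TP_PORT and src in self.allowed:
            self.conntrack[key] = now        # first accepted packet creates the stream
            return "accept (L2TP_Allowed)"
        return "drop"


def replay(fw, events):
    """Feed timed events to the firewall; returns [(time, verdict)] for packets.

    Event kinds: 'sa-up'/'sa-down' stand for the scheduled script adding or
    removing an IPsec peer from L2TP_Allowed; 'pkt' is a UDP 1701 packet.
    """
    verdicts = []
    for t, kind, src in events:
        if kind == "sa-up":
            fw.allowed.add(src)
        elif kind == "sa-down":
            fw.allowed.discard(src)
        else:
            verdicts.append((t, fw.input_chain(src, L2TP_PORT, t)))
    return verdicts


# Constructed scenario (documentation addresses, times in seconds).
PEER, STRANGER = "203.0.113.7", "198.51.100.9"
SCENARIO = [
    (0, "sa-up", PEER),        # IPsec SA established, script lists the peer
    (1, "pkt", PEER),          # L2TP SCCRQ inside the SA
    (5, "pkt", STRANGER),      # host with no SA, never listed
    (60, "sa-down", PEER),     # SA torn down, script removes the peer
    (61, "pkt", PEER),         # no longer listed, but the stream is tracked
    (200, "pkt", PEER),        # 139 s idle: still inside the stream timeout
    (500, "pkt", PEER),        # 300 s idle: entry expired, rule 2 fails
]

if __name__ == "__main__":
    for timeout in (UDP_STREAM_TIMEOUT, 10):
        print(f"udp-stream-timeout={timeout}s")
        for t, verdict in replay(Firewall(udp_timeout=timeout), SCENARIO):
            print(f"  t={t:>3}s  {verdict}")
```

With the default timeout the replay accepts the peer's packets at t=61 and t=200 on the `established` rule even though the address-list entry is already gone, and only drops at t=500 once the stream has been idle longer than 180 seconds; with the timeout lowered to 10 seconds the window closes at t=61. Later RouterOS releases also added an `ipsec-policy` matcher to the firewall, which ties the rule to the decrypted traffic itself instead of to a list refreshed by a script.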
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: [Solved] L2TP/IPSec with Android

Tue Dec 04, 2012 3:26 pm

I almost have it working. I can see packets with tcpdump on the "target" system coming in from the L2TP client and return packets going back to my "remote-address". But they never arrive at the client?
So somewhere there is still a filter which kills it? But almost everything is on ACCEPT?
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Tue Dec 04, 2012 3:37 pm

Post
/ip firewall filter exp com
/ip firewall mangle exp com
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: [Solved] L2TP/IPSec with Android

Tue Dec 04, 2012 3:49 pm

[admin@MikroTik] > ip firewal filter exp com
# jan/02/1970 23:06:34 by RouterOS 5.20
# software id = VSCX-GZXH
#
/ip firewall filter
add chain=forward dst-address=192.186.88.11 dst-port=22 in-interface=pppoe-kpn protocol=tcp
add chain=input in-interface=bridge-local src-address=192.168.0.0/16
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=forward
add action=drop chain=input in-interface=sfp1-gateway
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=input in-interface=pppoe-kpn
[admin@MikroTik] > ip firewal mangle exp com      
# jan/02/1970 23:06:42 by RouterOS 5.20
# software id = VSCX-GZXH
#
--edit--

Could it be a routing problem?
The l2tp-pool has a range of addresses which are in my own network subnet. Should this be completely separate?

--edit 2--

Yup, that seems to be the case. Now I can connect to my local clients.
The last item which I have is that when I set "send all traffic over VPN connection" I cannot access the internet. DNS settings are not correct, and maybe some firewall filter is needed?

--edit 3--
DNS is now correct. So the only thing left is to get packets from the L2TP client to the internet working.

--edit 4--
All done!
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=pppoe-kpn src-address=10.0.0.0/8 to-addresses=0.0.0.0
Yea, finally working! Learned a lot these last couple of days. Thanks! :)

Next year I'll sign up for the MTCNA track, which will make it all easier :)
 
inSaNo
newbie
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: [Solved] L2TP/IPSec with Android

Tue Dec 04, 2012 4:48 pm

Is it possible to set a default DNS search suffix with /ppp profile?
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Tue Dec 04, 2012 5:30 pm

You can actually use the IP from your local subnet, but you would have to use proxy-arp on the router. Or use it in a separate subnet like you do and route the connections.

You can set the DNS server in PPP profile, but not the default search suffix. You will have to fix that on the client OS.

Also, you might not want to send all traffic to the L2TP tunnel, but only the traffic destined to the local subnet behind the VPN. That also has to be fixed in the client OS, in its routing table.
If you are OK with sending all traffic through the L2TP tunnel, then you are all set.
 
jaytcsd
Member Candidate
Posts: 289
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: [Solved] L2TP/IPSec with Android

Fri Dec 14, 2012 3:12 am

tomaskir - This is what I have and it works from a Win 7 netbook but not for my Droid.
Going to use your rules and see what happens.
Not sure why my rules work when a Droid won't.

[code]

/ppp profile> pr
Flags: * - default
0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=yes

1 * name="default-encryption" remote-ipv6-prefix-pool=(unknown) use-ipv6=no
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=yes

] /ip pool> pr
# NAME RANGES
0 pool1 192.168.100.110
192.168.100.115
/ppp secret> pr
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 usser l2tp testing default-... 192.168.100.249


/interface l2tp-server server> pr
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
default-profile: default-encryption

/ip ipsec proposal> pr
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024


/ip ipsec peer> pr
Flags: X - disabled
0 address=0.0.0.0/0 port=500 auth-method=pre-shared-key
secret="heymoe" generate-policy=yes exchange-mode=main
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn=""
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=1

[/code]
 
mbedyn
just joined
Posts: 7
Joined: Thu Mar 27, 2008 1:05 pm

Re: [Solved] L2TP/IPSec with Android

Fri Jun 07, 2013 1:32 am

Tomaskir, did you find a solution for this issue?
15:00:42 l2tp,debug tunnel 51 received no replies, disconnecting 
15:00:42 l2tp,debug tunnel 51 entering state: dead
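The two lines above are the tail of a control connection that never completed. As an added example (not code from this thread or from MikroTik), the script below reads RouterOS `l2tp,debug` lines in both shapes seen in this thread, the plain `HH:MM:SS l2tp,debug,packet ...` form and the syslog-forwarded `<13>1 ... - - - ...` form, and separates a healthy SCCRQ/SCCRP/SCCCN exchange from one where the server keeps retransmitting SCCRP and the client keeps re-sending SCCRQ with `tunnel-id=0` until the tunnel is declared dead. The peer addresses, timestamps and both sample logs are constructed for the demonstration.

```python
"""Diagnose a stalled L2TP control connection from RouterOS l2tp,debug logs.

Added example for this thread, not RouterOS code. A healthy tunnel setup is
SCCRQ (client) -> SCCRP (server) -> SCCCN (client). When the server's SCCRP
never reaches the client, the log shows SCCRP retransmitted several times and
the client re-sending SCCRQ with tunnel-id=0, until "received no replies".
"""
import re
from collections import defaultdict

# Constructed sample: a stalled handshake in RouterOS' plain log format.
STALLED_LOG = """\
15:00:22 l2tp,debug,packet rcvd control message from 203.0.113.7:35752
15:00:22 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
15:00:22 l2tp,debug,packet     (M) Message-Type=SCCRQ
15:00:22 l2tp,debug,packet     (M) Assigned-Tunnel-ID=27190
15:00:22 l2tp,debug,packet sent control message to 203.0.113.7:35752
15:00:22 l2tp,debug,packet     tunnel-id=27190, session-id=0, ns=0, nr=1
15:00:22 l2tp,debug,packet     (M) Message-Type=SCCRP
15:00:22 l2tp,debug,packet     (M) Assigned-Tunnel-ID=51
15:00:26 l2tp,debug,packet sent control message to 203.0.113.7:35752
15:00:26 l2tp,debug,packet     (M) Message-Type=SCCRP
15:00:30 l2tp,debug,packet rcvd control message from 203.0.113.7:35752
15:00:30 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
15:00:30 l2tp,debug,packet     (M) Message-Type=SCCRQ
15:00:34 l2tp,debug,packet sent control message to 203.0.113.7:35752
15:00:34 l2tp,debug,packet     (M) Message-Type=SCCRP
15:00:42 l2tp,debug tunnel 51 received no replies, disconnecting
15:00:42 l2tp,debug tunnel 51 entering state: dead
"""

# Constructed sample: a healthy handshake forwarded over syslog (the other
# format quoted in this thread); the client answers SCCRP with SCCCN.
HEALTHY_LOG = """\
<13>1 2016-07-10T19:33:42.659828+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 198.51.100.9:54180 to 192.0.2.1:1701
<13>1 2016-07-10T19:33:42.660408+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:42.664214+02:00 l2tp,debug,packet sent - - - sent control message to 198.51.100.9:54180 from 192.0.2.1:1701
<13>1 2016-07-10T19:33:42.665025+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:42.668357+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:42.700000+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 198.51.100.9:54180 to 192.0.2.1:1701
<13>1 2016-07-10T19:33:42.700500+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCCN
"""

# The first address after "to"/"from" is the peer in both directions.
HDR_RE = re.compile(r"(sent|rcvd) control message(?: \(ack\))? (?:to|from) (\d+\.\d+\.\d+\.\d+):\d+")
TYPE_RE = re.compile(r"Message-Type=([A-Za-z]+)")
ASSIGNED_RE = re.compile(r"Assigned-Tunnel-ID=(\d+)")
DEAD_RE = re.compile(r"tunnel (\d+) entering state: dead")


def parse(log_text):
    """Count control-message types per peer, split by direction.

    Returns {peer: {"sent": {type: n}, "rcvd": {type: n},
                    "tunnel": server-assigned id or None, "dead": bool}}.
    Works on both log formats because it only searches the message body.
    """
    peers = {}
    by_tunnel = {}        # server-assigned tunnel id -> peer address
    current = None        # (peer, direction) of the last control-message header
    for line in log_text.splitlines():
        m = HDR_RE.search(line)
        if m:
            direction, peer = m.group(1), m.group(2)
            peers.setdefault(peer, {"sent": defaultdict(int), "rcvd": defaultdict(int),
                                    "tunnel": None, "dead": False})
            current = (peer, direction)
            continue
        m = DEAD_RE.search(line)
        if m:
            if m.group(1) in by_tunnel:
                peers[by_tunnel[m.group(1)]]["dead"] = True
            continue
        if current is None:
            continue
        peer, direction = current
        m = TYPE_RE.search(line)
        if m:
            peers[peer][direction][m.group(1)] += 1
            continue
        m = ASSIGNED_RE.search(line)
        if m and direction == "sent":   # the id our server picked for this tunnel
            peers[peer]["tunnel"] = m.group(1)
            by_tunnel[m.group(1)] = peer
    return peers


def diagnose(log_text):
    """Return {peer: one-line verdict}."""
    verdicts = {}
    for peer, st in parse(log_text).items():
        sent_sccrp, rcvd_sccrq = st["sent"]["SCCRP"], st["rcvd"]["SCCRQ"]
        if st["rcvd"]["SCCCN"]:
            verdicts[peer] = "ok: control connection established"
        elif sent_sccrp >= 2 and rcvd_sccrq >= 1:
            verdicts[peer] = (
                f"stalled: SCCRP sent {sent_sccrp}x, SCCRQ received {rcvd_sccrq}x, "
                "no SCCCN; the client is not receiving our reply, check the return path "
                "(IPsec policy, NAT, firewall) for UDP 1701 towards the client"
                + (" (tunnel went dead)" if st["dead"] else "")
            )
        else:
            verdicts[peer] = "incomplete: not enough messages to judge"
    return verdicts


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        for peer, verdict in diagnose(log).items():
            print(f"{name:8} {peer:15} {verdict}")
```

The telling pattern is SCCRP leaving the server more than once while the client's SCCRQ still carries `tunnel-id=0`: the client never saw the reply, so the fault is on the return path that should carry UDP 1701 back to the client, not in PPP authentication, which has not even started yet.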
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Fri Jun 07, 2013 12:00 pm

I never had any of those problems. Make sure all your config is correct.
There is a presentation in my sig, if you follow that setup, all should work.
 
mbedyn
just joined
Posts: 7
Joined: Thu Mar 27, 2008 1:05 pm

Re: [Solved] L2TP/IPSec with Android

Fri Jun 07, 2013 5:35 pm

I thought you had a problem when I read your first post in this topic???
I'm asking because I have a similar situation.
I have a working L2TP server but disabled IPsec in the Windows registry. When I enable IPsec in the registry, I get a successful connection on IPsec but the L2TP tunnel is dead and the logs show something similar to yours in the first post...
Any clue ??
thanks
Michael
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Fri Jun 07, 2013 5:47 pm

My original problem was on Android devices, but you are right, it is similar to this.

It was fixed by correcting the config as written above.
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Wed Aug 21, 2013 6:38 pm

tomaskir,

I don't understand why it is a risk to leave the UDP port 1701 open to the world.

What's the problem? Just use a very long and strong password, allow only "CHAP" authentication on the Mikrotik (disable PAP, MS-CHAPv1 and MS-CHAPv2 because they are very broken) and you're good to go!

Legitimate clients will never connect to the port 1701 directly (they will use UDP 500 or UDP 4500).

And any attacker who connects directly to UDP 1701 will fail because they won't be able to pass CHAP (they don't know the ultra-long password).

So, again, what's really the risk? Am I missing something?
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Wed Aug 21, 2013 8:25 pm

Multiple risks:
1) The attacker knows you are running L2TP, and can exploit any bugs in the underlying L2TP server's code (if there are any).
2) The attacker can try brute-force and dictionary attacks. If you have many clients whose passwords you don't control (as is usually the case, since L2TP authenticates through RADIUS), you can never rely on the password being secure.
3) Port scanning and intelligence gathering tools will consider you a target, and potentially gather more information about your architecture.
4) There are best practices and security guidelines which consider not securing a service which is not accessed (L2TP is not accessed without IPSec) as a major security vulnerability.

Etc, etc, there are many, many reasons. You think it's gonna be OK to leave it, when the right approach is to say "it's not secured, it's a risk". Any serious security analyst in the business will tell you that. Why in the world would you EVER leave a service that is not used open to the world? (L2TP is not used without IPSec transport.)
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Wed Aug 21, 2013 10:59 pm

Ok, thanks for the detailed info. I knew there had to be a reason I was missing.

I agree with you on points 1, 2, and 4.

But in my particular case I think I can leave port 1701 open, because I can control the passwords, as there are only very few road warriors in our organization who need to use the VPN.

I don't use RADIUS, I just enter the passwords manually into the Mikrotik router configuration (not scalable, I know, but enough for my purposes). I also configure all their laptops manually (they are only a handful).

The risks of a bug in the L2TP server code are similar to the risk of a bug in the IPSec code, so I guess I'm doubling my risk by exposing an unnecessary port.

However, I don't quite agree with you on point 3. Having UDP port 500 for IPSec open to the world is also detected by port scanners. We will be detected anyway, we cannot hide!!
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 2:33 am

It's entirely different for someone to find you have IPSec enabled on your IP address than to find you have L2TP enabled. IPSec can be used for any reason, from securing peer-to-peer traffic in transport mode, to encapsulating whatever in transport mode, to tunneling or VPNing in tunnel mode, and IPSec will not expose any information other than the fact that it's enabled.

L2TP being open tells the attacker right away that this is a VPN AC, and that you run L2TP, and even reveals supported auth encryption protocols and other things right away. Why would you ever want to give an attacker more information?
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 4:25 am

tomaskir, I agree that the ideal solution would be to close port 1701 completely. And your script is a valid and useful temporary solution while we wait for Mikrotik to improve their firewall.

But I still see the risk of having L2TP open as reasonable and acceptable if these conditions can be true:

- All the user passwords are very long and random

- PAP, MS-CHAPv1 and MS-CHAPv2 are disabled because they are all broken

- Only CHAP is enabled for authentication

- L2TP Server will throttle failed authentication attempts (make the attacker wait 30 seconds, then 2 minutes, then 10 minutes, etc)

Do you know if it's possible to configure Mikrotik to throttle attackers when using CHAP authentication?

The bruteforcing of the password would be slowed down immensely, making it practically impossible!
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 10:58 am

Man, you really are thinking small scale. In any serious deployment, you will always use a central point of authentication (RADIUS with an LDAP or AD backend). You need Single-Sign-On for your users, and you should never control the passwords of your users. That's the industry-tested best practice. You also need a single point of authentication, so if a user gets his password compromised, or wants it changed, you only need to change it in one place.

Do you think any company, even a small-sized one with 50 road-warriors, will not want to use SSO? How about if a user is out of the company and needs his password changed? You will not have access to reconfigure it on his VPN client.

Did you ever think that the VPN clients (because they are thin clients, or proprietary devices) may require PAP or MS-CHAP? Also, why cut your user off for minutes if he simply misspells his password only once?

Are you also assuming your users will have their passwords saved in their VPN client? If they are really complex and long random passwords, how will they remember them? This is unacceptable as well. The VPN clients should NEVER have passwords saved. What if the road warrior user's device gets stolen? The attacker will right away VPN into your infrastructure, no matter how hardcore the password is, because it's saved.

I'm done discussing this, since you are just not listening and I keep repeating the same things for 3 posts now.
Close down L2TP, you will NEVER use it without IPSec anyway. That's the point, and it solves so many security issues.
If you want to open needless risks and security holes in your own infrastructure, that's your problem.
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 1:33 pm

You make very good and valid points.

In my case I'm thinking at an extremely small scale, and that's why I didn't see the problem with leaving the port open.

To be honest, I'm not using certificates with IPSec (I'm just using a PSK, which is permanently stored into the user's laptop), even though Microsoft clearly warns you against using a Pre Shared Key.

This is a security risk if the laptop gets stolen, as you've correctly mentioned.

I'll keep that in mind for the future and try to improve the security a little bit.

Thanks a lot for your script and all the information!

Kind regards.
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Sun Sep 29, 2013 5:58 pm

Thomas,

First, thanks for your great explanations!
I am new to RouterOS but I got standard L2TP/IPSec working fine (for iPhone and Win 7). Now I wanted to increase security with your setup and script, but something doesn't work out:

1)
/ppp profile add name=L2TP local-address=10.0.31.1 remote-address=l2tp-pool address-list=L2TP_Clients
a) I think address-list should be "L2TP_Allowed" as this is the one later populated by the script.
b) The profile seems to work (with my old firewall rules) even if the script is not running. How can that be if there are no addresses in the address list?

2)
add chain=input dst-port=1701 protocol=udp src-address-list=L2TP_Allowed
Without dst-port 500 I don't get anywhere, as the first connection is made to port 500 (at least from my iPhone). But even with ports 500, 1701 and 4500 in the rule, I don't get a connection. Switching back to the old rule without Source Address List and it works...

3) A more general question: Is it possible to use a custom IPSec proposal instead of the default one?

Would you mind helping me out? Thanks!

Kind regards,
iBlueDragon
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Mon Sep 30, 2013 11:29 am

iBlueDragon:
1) The /ppp profile address list simply means that all clients which successfully establish an L2TP session will be put INTO that address list. It has nothing to do with firewall rules to establish an L2TP session. Hope that makes it clear. The L2TP_Allowed address list should NOT be defined in the /ppp profile, that would break things.

2) You of course need other firewall input rules allowed to establish IPSec session:
UDP 500 – IKE
UDP 4500 – NAT Traversal
L4 Proto 50 – IPSec ESP

The rule for UDP 1701 is to protect the L2TP server to IPSec enabled clients only.

3) Sure you can. Simply configure the proposal to whatever your clients are compatible with.

4) Watch my MUM presentation on IPSec, it should explain a lot of things, its in my sig.
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Mon Sep 30, 2013 4:21 pm

Tomas:

Thanks for your quick reply!
1) Okay. Will try again on Thursday when I'm back home.
2) Clear.
3) Sorry, misunderstanding. In the Road Warrior setup the IPSec Policies in the router are generated automatically based on the default proposal. How do I get the router to use another proposal (e.g. one named L2TP)?
4) Thanks. Really helped a lot!

Kind regards,
iBlueDragon
 
tomaskir
Trainer
Topic Author
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Tue Oct 01, 2013 11:26 am

3) Sorry, misunderstanding. In the Road Warrior setup the IPSec Policies in the router are generated automatically based on the default proposal. How do I get the router to use another proposal (e.g. one named L2TP)?
Currently impossible. You have to configure the default proposal to what you want for the dynamic policies to use.
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Thu Oct 03, 2013 9:47 am

Hi Tomas,

Now works as described!
In the log file I get "address list entry added by admin" when the connection gets established and "address list entry removed by admin" when it's terminated.

Thanks again for taking the time to answer my questions.

Kind regards,
iBlueDragon
 
BennyT
just joined
Posts: 20
Joined: Mon Apr 18, 2016 4:03 pm

Re: [Solved] L2TP/IPSec with Android

Sun Jul 10, 2016 8:50 pm

Hi Tomas,

I am trying to get my L2TP/IPSec running with an Android phone, but without success. I don't know any more steps... hope you can have a look at it. I have a dynamic WAN address, which in that case is the 85.176.65.xxx address. The internal WAN address is 192.168.10.1 ... so I enter as local address in the IPSec config: 192.168.10.1 (from the eth1 gateway interface). On the IPSec peer I see the external 85.xxx.xxx.xx address from the ISP. Is this correct? I had a Fritzbox which dials in and sends all traffic to the Mikrotik router...

Here is a part of the log file:
<13>1 2016-07-10T19:33:42.645190+02:00 ipsec,debug,packet such - - - such policy does not already exist: 109.47.3.85/32[0] 85.176.65.54/32[0] proto=udp dir=in
<13>1 2016-07-10T19:33:42.645413+02:00 ipsec,debug,packet such - - - such policy does not already exist: 85.176.65.54/32[0] 109.47.3.85/32[0] proto=udp dir=out
<13>1 2016-07-10T19:33:42.659828+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:42.659996+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:42.660408+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:42.660822+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:42.661208+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:42.661612+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:42.662025+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:42.662428+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:42.662809+02:00 l2tp,info first - - - first L2TP UDP packet received from 109.47.3.85
<13>1 2016-07-10T19:33:42.663322+02:00 l2tp,debug tunnel - - - tunnel 40 entering state: wait-ctl-conn
<13>1 2016-07-10T19:33:42.664214+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:42.664641+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:42.665025+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:42.665434+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:42.665865+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:42.666772+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:42.667188+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:42.667575+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:42.667954+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:42.668357+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:42.668768+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:43.670513+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:43.670677+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:43.670892+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:43.671104+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:43.671409+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:43.671594+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:43.671806+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:43.672019+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:43.672230+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:43.672443+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:43.672662+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:44.669744+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.669902+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:44.670119+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:44.670328+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:44.670537+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:44.670748+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:44.670962+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:44.671169+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:44.671781+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.672202+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:44.673065+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.673489+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:44.673871+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:44.674274+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:44.674676+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:44.675099+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:44.675489+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:44.675875+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:44.676256+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:44.676661+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:44.677073+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:46.680101+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.680523+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:46.680899+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:46.681302+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:46.681701+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:46.682630+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:46.683033+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:46.684153+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:46.684538+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:46.684948+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:46.685350+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:46.718726+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.719138+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:46.720103+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:46.720430+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:46.720620+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:46.720833+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:46.721048+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:46.721261+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:46.721485+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.721701+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:48.676510+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:48.676667+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:48.676884+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:48.677094+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:48.677305+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:48.677624+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:48.677808+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:48.678021+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:48.678243+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:48.678464+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:50.679092+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.679250+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:50.679556+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:50.679749+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:50.679981+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:50.680175+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:50.680386+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:50.680596+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:50.680807+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:50.681017+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:50.681231+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:50.681457+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.681670+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:50.681879+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:50.682095+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:50.682307+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:50.682519+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:50.682729+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:50.682942+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:50.683175+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.683389+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:52.682872+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:52.683046+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:52.683264+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:52.683506+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:52.683725+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:52.683949+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:52.684156+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:52.684371+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:52.684605+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:52.684820+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1

<13>1 2016-07-10T19:33:54.693998+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:54.694152+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:54.694368+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:54.694580+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:54.694808+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:54.695007+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:54.695220+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:54.695441+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:54.695660+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:54.695875+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:56.691763+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:56.691968+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:56.692185+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:56.692401+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:56.692618+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:56.692836+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:56.693056+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:56.693266+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:56.693502+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:56.693718+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:58.674545+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.674704+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:58.674939+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:58.675130+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:58.675337+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:58.675548+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:58.675757+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:58.675970+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:58.676182+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:58.676395+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:58.676604+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:58.729047+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.729216+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:58.729531+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:58.729712+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:58.729945+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:58.730139+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:58.730351+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:58.730565+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:58.730792+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.731010+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:58.731221+02:00 l2tp,debug tunnel - - - tunnel 40 received no replies, disconnecting
<13>1 2016-07-10T19:33:58.731445+02:00 l2tp,debug tunnel - - - tunnel 40 entering state: dead
This repeats a few times after the Android phone has cancelled the request. Any idea?
Thanks.
Regards,
Ben
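As an added example (not Ben's code or anything from the thread), a small Python parser that groups RouterOS l2tp,debug,packet lines like the ones above into control messages and tallies the SCCRQ -> SCCRP -> SCCCN tunnel handshake; the sample lines are a constructed, abridged stand-in in the same format as the capture, and the verdict field is an interpretation of the Nr field as defined in RFC 2661.

```python
import re

# Constructed sample, modelled on the RouterOS "l2tp,debug,packet" syslog lines
# quoted in the post above (abridged stand-in, not the poster's full capture).
SAMPLE_LOG = """\
<13>1 2016-07-10T19:33:48.676510+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:48.676667+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:48.676884+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:50.679092+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.679250+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:50.679556+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:50.681457+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.681670+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:50.681879+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:58.731221+02:00 l2tp,debug tunnel - - - tunnel 40 received no replies, disconnecting
"""

DIR_RE = re.compile(r" (rcvd|sent) control message( \(ack\))?")
HDR_RE = re.compile(r"tunnel-id=(\d+), session-id=\d+, ns=(\d+), nr=(\d+)")
TYPE_RE = re.compile(r"Message-Type=(\w+)")

def parse_l2tp_debug(text):
    """Group the multi-line RouterOS debug output into one dict per control message."""
    msgs = []
    for line in text.splitlines():
        d = DIR_RE.search(line)
        if d:  # first line of a message: direction, and whether it is a bare ZLB ack
            msgs.append({"dir": d.group(1), "type": "ZLB" if d.group(2) else "?", "ns": None, "nr": None})
        elif msgs and (h := HDR_RE.search(line)):  # header line with sequence numbers
            msgs[-1].update(tid=int(h.group(1)), ns=int(h.group(2)), nr=int(h.group(3)))
        elif msgs and (t := TYPE_RE.search(line)):  # Message-Type AVP
            msgs[-1]["type"] = t.group(1)
    return msgs

def diagnose(msgs):
    """Tally the SCCRQ -> SCCRP -> SCCCN handshake and judge whether replies reach the client."""
    rcvd = [m for m in msgs if m["dir"] == "rcvd"]
    r = {"SCCRQ_rcvd": sum(m["type"] == "SCCRQ" for m in rcvd),
         "SCCRP_sent": sum(m["type"] == "SCCRP" for m in msgs if m["dir"] == "sent"),
         "SCCCN_rcvd": sum(m["type"] == "SCCCN" for m in rcvd),
         "client_max_nr": max((m["nr"] for m in rcvd if m["nr"] is not None), default=-1)}
    # Nr is the next sequence number the sender expects (RFC 2661). A client that keeps
    # re-sending SCCRQ with nr=0 has processed none of the router's replies.
    r["replies_reach_client"] = r["client_max_nr"] > 0 or r["SCCCN_rcvd"] > 0
    return r
```

Run against the sample it reports two SCCRQs, one SCCRP, no SCCCN and a client Nr that never moves past 0, which points at the return path (the router's replies inside the IPsec/UDP 4500 tunnel) rather than at the L2TP server settings.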
 
Renz
just joined
Posts: 1
Joined: Fri Apr 07, 2017 4:35 am

Re: [Solved] L2TP/IPSec with Android

Wed Apr 26, 2017 6:35 am

Hi Tomas,

I found your post regarding L2TP with IPsec and managed to set it up correctly! I think. Hahahaha. When I connect to it locally I can connect with no problem at all; everything is working fine.

Now the problem occurs when I try to connect to it from a different ISP, or from another place with a different ISP connection.

I tested it with my laptop and it always hangs at "Connecting to 192.168.xxx.xxx using WAN Miniport (L2TP)", and then I get Error 789. It just stops there!

But locally I can connect to it, over a LAN cable connected to a switch that is connected to my MikroTik RB.

Hope you can help me to find a solution to this!

Thanks!
 
Chega
just joined
Posts: 16
Joined: Fri Dec 04, 2015 12:18 pm

Re: [Solved] L2TP/IPSec with Android

Fri Jul 13, 2018 5:31 pm

I have the same problem: my laptop, connected from a different ISP through L2TP to my home, has full access to the home network and the home internet connection. But Android can connect only to the home MikroTik via the MikroTik app; no internet access, no access to the home network. NAT traversal is enabled, and a firewall rule for UDP 4500 is present. What else could I have forgotten?
/ppp secret
add name=vpn_chega password=szvcxzcbe3f profile=l2tp_profile service=l2tp


/ppp profile
add change-tcp-mss=yes dns-server=192.168.58.1 local-address=192.168.50.1 name=\
    l2tp_profile remote-address=vpn_pool use-upnp=yes

/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes \
    ipsec-secret=askjdlkerjl459834 use-ipsec=yes

/ip address
add address=192.168.58.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.58.0
add address=172.16.1.1/30 interface=ether5-slave-local-den network=172.16.1.0
add address=192.168.59.1/24 comment=Den interface=ether5-slave-local-den \
    network=192.168.59.0
