ners
Member Candidate
Topic Author
Posts: 100
Joined: Tue Mar 12, 2013 4:30 pm

IPSec succeeds but L2TP fails to establish - client lonely

Tue Jul 23, 2013 6:03 pm

Hi, I'm having trouble setting up L2TP+IPSec on RouterOS 6.1.
I've been banging my head against a wall over the past couple of days. Please tell me what is wrong with my setup?

As I see it, the client does not get any L2TP control responses from the server.

My configs:


/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    nat-traversal=yes secret=govno send-initial-contact=no

/ppp profile
add local-address=10.20.36.1 name=L2TP remote-address=l2tp use-encryption=no

/ppp secret
add name=user password=test profile=L2TP service=l2tp

/interface l2tp-server server
set authentication=chap default-profile=L2TP enabled=yes

/ip firewall filter
add chain=input comment=L2TP dst-port=4500 protocol=udp
add chain=input comment=IPSEC protocol=ipsec-esp
add chain=input comment=l2tp port=500 protocol=udp
add chain=input comment=l2tp port=1701 protocol=udp
Here's what the client says in the logs:
7/23/13 6:49:59.837 PM pppd[3419]: pppd 2.4.2 (Apple version 596.13) started by vitaly, uid 501
7/23/13 6:49:59.878 PM pppd[3419]: L2TP connecting to server '81.92.25.1' (81.92.25.1)...
7/23/13 6:49:59.881 PM pppd[3419]: IPSec connection started
7/23/13 6:49:59.906 PM racoon[3422]: Connecting.
7/23/13 6:49:59.906 PM racoon[3422]: IPSec Phase1 started (Initiated by me).
7/23/13 6:49:59.909 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
7/23/13 6:49:59.929 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
7/23/13 6:49:59.936 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
7/23/13 6:49:59.982 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
7/23/13 6:50:00.003 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
7/23/13 6:50:00.020 PM racoon[3422]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
7/23/13 6:50:00.020 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
7/23/13 6:50:00.020 PM racoon[3422]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
7/23/13 6:50:00.020 PM racoon[3422]: IPSec Phase1 established (Initiated by me).
7/23/13 6:50:00.000 PM kernel[0]: L2TP domain init
7/23/13 6:50:00.000 PM kernel[0]: L2TP domain init complete
7/23/13 6:50:01.022 PM racoon[3422]: IPSec Phase2 started (Initiated by me).
7/23/13 6:50:01.023 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
7/23/13 6:50:01.047 PM racoon[3422]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
7/23/13 6:50:01.048 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
7/23/13 6:50:01.048 PM racoon[3422]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
7/23/13 6:50:01.049 PM racoon[3422]: IPSec Phase2 established (Initiated by me).
7/23/13 6:50:01.049 PM pppd[3419]: IPSec connection established
7/23/13 6:50:21.050 PM pppd[3419]: L2TP cannot connect to the server
7/23/13 6:50:21.052 PM racoon[3422]: IPSec disconnecting from server 81.92.25.1
7/23/13 6:50:21.053 PM racoon[3422]: IKE Packet: transmit success. (Information message).
7/23/13 6:50:21.054 PM racoon[3422]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
7/23/13 6:50:21.054 PM racoon[3422]: IKE Packet: transmit success. (Information message).
7/23/13 6:50:21.055 PM racoon[3422]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Server:
18:55:08 l2tp,debug,packet rcvd control message from 81.92.23.13:62515
18:55:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
18:55:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
18:55:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
18:55:08 l2tp,debug,packet     (M) Framing-Capabilities=0x3
18:55:08 l2tp,debug,packet     (M) Host-Name=0x72:6f:62:6f:62:6f:6f:6b:00
18:55:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=2
18:55:08 l2tp,debug,packet     (M) Receive-Window-Size=4
18:55:08 l2tp,debug,packet sent control message (ack) to 81.92.23.13:62515
18:55:08 l2tp,debug,packet     tunnel-id=2, session-id=0, ns=1, nr=1
18:55:10 l2tp,debug,packet sent control message to 81.92.23.13:62515
18:55:10 l2tp,debug,packet     tunnel-id=2, session-id=0, ns=0, nr=1
18:55:10 l2tp,debug,packet     (M) Message-Type=SCCRP
18:55:10 l2tp,debug,packet     (M) Protocol-Version=0x01:00
18:55:10 l2tp,debug,packet     (M) Framing-Capabilities=0x1
18:55:10 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
18:55:10 l2tp,debug,packet     Firmware-Revision=0x1
18:55:10 l2tp,debug,packet     (M) Host-Name="gw"
18:55:10 l2tp,debug,packet     Vendor-Name="MikroTik"
18:55:10 l2tp,debug,packet     (M) Assigned-Tunnel-ID=101
18:55:10 l2tp,debug,packet     (M) Receive-Window-Size=4
18:55:12 l2tp,debug,packet rcvd control message from 81.92.23.13:62515
18:55:12 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
18:55:12 l2tp,debug,packet     (M) Message-Type=SCCRQ
18:55:12 l2tp,debug,packet     (M) Protocol-Version=0x01:00
18:55:12 l2tp,debug,packet     (M) Framing-Capabilities=0x3
18:55:12 l2tp,debug,packet     (M) Host-Name=0x72:6f:62:6f:62:6f:6f:6b:00
18:55:12 l2tp,debug,packet     (M) Assigned-Tunnel-ID=2
18:55:12 l2tp,debug,packet     (M) Receive-Window-Size=4
18:55:12 l2tp,debug,packet sent control message (ack) to 81.92.23.13:62515
18:55:12 l2tp,debug,packet     tunnel-id=2, session-id=0, ns=1, nr=1
18:55:12 l2tp,debug tunnel 101 received no replies, disconnecting
18:55:12 l2tp,debug tunnel 101 entering state: dead
 
jasonhbrand
just joined
Posts: 8
Joined: Wed May 11, 2011 6:35 am

Re: IPSec succeeds but L2TP fails to establish - client lone

Sun Aug 04, 2013 5:06 am

Hi, did you find what the cause was? I have just found the same issue, using version 6.2.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSec succeeds but L2TP fails to establish - client lone

Sun Aug 04, 2013 11:45 am

Do you have multiple IP addresses on the WAN interface?
 
StephenDearden
just joined
Posts: 2
Joined: Thu Dec 11, 2014 9:09 pm
Location: Sandy, UT

Re: IPSec succeeds but L2TP fails to establish - client lone

Thu Dec 11, 2014 10:51 pm

Same problem. IPsec sets up fine, just the L2TP tunnel doesn't connect.
 
43north
Member Candidate
Posts: 208
Joined: Fri Nov 14, 2014 7:06 am

Re: IPSec succeeds but L2TP fails to establish - client lone

Sun Dec 14, 2014 9:46 am

What is the error that is showing in the log when you are trying to connect to the L2TP tunnel?
 
StephenDearden
just joined
Posts: 2
Joined: Thu Dec 11, 2014 9:09 pm
Location: Sandy, UT

Re: IPSec succeeds but L2TP fails to establish - client lone

Mon Dec 15, 2014 7:50 pm

This is what shows up in the log afterward:
Wed Dec 10 13:23:44 2014 : publish_entry SCDSet() failed: Success!
Wed Dec 10 13:23:44 2014 : L2TP connecting to server '50.160.18.125' (50.160.18.125)...
Wed Dec 10 13:23:44 2014 : IPSec connection started
Wed Dec 10 13:23:44 2014 : IPSec phase 1 client started
Wed Dec 10 13:23:45 2014 : IPSec phase 1 server replied
Wed Dec 10 13:23:45 2014 : IPSec phase 2 started
Wed Dec 10 13:23:46 2014 : IPSec phase 2 established
Wed Dec 10 13:23:46 2014 : IPSec connection established
Wed Dec 10 13:23:46 2014 : L2TP sent SCCRQ
Wed Dec 10 13:24:06 2014 : L2TP cannot connect to the server
Is there a way that I can get a more descriptive log of the problem? I don't know how, if there is.
Thanks for the reply. I'm new to this and have been looking for a solution all over.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSec succeeds but L2TP fails to establish - client lone

Tue Dec 16, 2014 11:26 am

What version of RouterOS are you using?

Post export from:
/ip add
/ip ipsec
/ip fi
/ppp

Feel free to remove sensitive information.
 
zopper
just joined
Posts: 10
Joined: Sat Dec 27, 2014 5:12 pm

Re: IPSec succeeds but L2TP fails to establish - client lone

Sat Dec 27, 2014 5:49 pm

I have this issue too. Log from L2TP client looks exactly the same as in StephenDearden's post. From Mikrotik log it looks like the client is sending SCCRQ packets and Mikrotik is replying SCCRP, but the reply never gets to the client.
# this is repeated a few times until timeout:

Dec/27/2014 16:31:58 l2tp,debug,packet rcvd control message from 37.48.38.83:53552
Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRQ
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Framing-Capabilities=0x3
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Host-Name=0x4a:61:6e:73:2d:4d:61:63:42:6f:6f:6b:2d:50:72:6f
Dec/27/2014 16:31:58 l2tp,debug,packet         2e:6c:6f:63:61:6c:00
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=42
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Receive-Window-Size=4
Dec/27/2014 16:31:58 l2tp,debug,packet sent control message (ack) to 37.48.38.83:53552
Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=1, nr=1
Dec/27/2014 16:31:58 l2tp,debug,packet sent control message to 37.48.38.83:53552
Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=0, nr=1
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRP
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Framing-Capabilities=0x1
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
Dec/27/2014 16:31:58 l2tp,debug,packet     Firmware-Revision=0x1
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Host-Name="MikroTik"
Dec/27/2014 16:31:58 l2tp,debug,packet     Vendor-Name="MikroTik"
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=41
Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Receive-Window-Size=4
Some network info: the MikroTik router is behind another router (an ASUS SOHO box with the MikroTik in its DMZ), which passes all incoming connections to the MikroTik; the gateway interface has IP 192.168.254.2 and the gateway is 192.168.254.1. The local network has the 192.168.2.0/24 address space, but I thought I'd start with a different address space on the VPN to avoid messing with the LAN.
PPTP on my MikroTik works, so the network seems to be OK.

Router OS version:
# dec/27/2014 16:18:59 by RouterOS 6.23
# software id = V18U-266H
Requested exports:
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.2.0
add address=192.168.254.2/24 interface=ether1-gateway network=192.168.254.0
/ip ipsec peer
add enc-algorithm=3des,aes-128,aes-192,aes-256 generate-policy=port-strict \
    secret=some_secret
/ip firewall filter
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add chain=forward comment="default configuration" connection-state=invalid
add chain=input dst-port=1194 in-interface=ether1-gateway protocol=tcp
add chain=input comment="L2TP " dst-port=1701,500,4500 protocol=udp
add chain=input comment=L2TP protocol=ipsec-esp
add action=drop chain=input connection-state=new connection-type="" disabled=\
    yes in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="http(s) to server" dst-port=80,443 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat comment="SSH to server" dst-port=22 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2
/ppp profile
set 0 local-address=192.168.3.30 remote-address=vpn-pool
add address-list="" local-address=192.168.3.30 name=L2TP remote-address=\
    vpn-pool use-encryption=no
set 2 local-address=192.168.3.30 remote-address=vpn-pool use-encryption=\
    required
/ppp secret
add name=login password=pass
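The server-side logs in the first post and in the post above show the same shape: one SCCRQ in, an ack and an SCCRP out, then the identical SCCRQ again (same Assigned-Tunnel-ID, nr=0) until the router gives up on the tunnel id it assigned. The following is an added example, not part of any post in this thread and not MikroTik's code: a Python script that parses that `l2tp,debug,packet` output, decodes the hex-dumped Host-Name AVP, and flags peers for which an SCCRP was sent but never acknowledged. It assumes only the line shapes quoted in this thread (the topic tags, the `(M) key=value` AVP lines, the `tunnel N received no replies` message); the embedded sample log is abridged from the first post.

```python
"""Triage RouterOS 'l2tp,debug,packet' output for the failure pattern in this thread:
the router answers SCCRQ with SCCRP, the client never acknowledges it and re-sends the
same SCCRQ (same Assigned-Tunnel-ID, nr=0) until the router marks the tunnel dead.
Added example for this page, not MikroTik code; only the log shapes quoted here are handled."""
import re
from collections import defaultdict

# Timestamp formats differ between RouterOS builds, so key on the topic tags instead.
MSG_RE = re.compile(r"l2tp,debug,packet (rcvd|sent) control message(?: \((\w+)\))? (?:from|to) (\S+)$")
ATTR_RE = re.compile(r"l2tp,debug,packet\s{2,}(.*)$")
DEAD_RE = re.compile(r"l2tp,debug tunnel (\d+) received no replies")
HEX_RE = re.compile(r"^0x([0-9a-f]{2}(?::[0-9a-f]{2})*)$")

# Server-side log, abridged from the first post of this thread.
SAMPLE_LOG = """\
18:55:08 l2tp,debug,packet rcvd control message from 81.92.23.13:62515
18:55:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
18:55:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
18:55:08 l2tp,debug,packet     (M) Host-Name=0x72:6f:62:6f:62:6f:6f:6b:00
18:55:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=2
18:55:08 l2tp,debug,packet sent control message (ack) to 81.92.23.13:62515
18:55:08 l2tp,debug,packet     tunnel-id=2, session-id=0, ns=1, nr=1
18:55:10 l2tp,debug,packet sent control message to 81.92.23.13:62515
18:55:10 l2tp,debug,packet     tunnel-id=2, session-id=0, ns=0, nr=1
18:55:10 l2tp,debug,packet     (M) Message-Type=SCCRP
18:55:10 l2tp,debug,packet     (M) Assigned-Tunnel-ID=101
18:55:12 l2tp,debug,packet rcvd control message from 81.92.23.13:62515
18:55:12 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
18:55:12 l2tp,debug,packet     (M) Message-Type=SCCRQ
18:55:12 l2tp,debug,packet     (M) Assigned-Tunnel-ID=2
18:55:12 l2tp,debug tunnel 101 received no replies, disconnecting
"""


def decode_avp_string(value):
    """Host-Name is logged quoted when printable, otherwise as a NUL-terminated hex dump."""
    m = HEX_RE.match(value)
    if m:
        raw = bytes(int(h, 16) for h in m.group(1).split(":"))
        return raw.decode("ascii", "replace").rstrip("\x00")
    return value.strip('"')


def parse_l2tp_log(log):
    """Return (messages, dead_tunnels); a message is its logged AVPs plus dir/kind/peer."""
    messages, dead, last_key = [], [], None
    for line in log.splitlines():
        line = line.rstrip()
        m = DEAD_RE.search(line)
        if m:
            dead.append(int(m.group(1)))
            continue
        m = MSG_RE.search(line)
        if m:
            messages.append({"dir": m.group(1), "kind": m.group(2) or "control", "peer": m.group(3)})
            last_key = None
            continue
        m = ATTR_RE.search(line)
        if not m or not messages:
            continue
        attr = m.group(1).strip()
        if attr.startswith("(M) "):          # (M) marks a mandatory AVP
            attr = attr[4:]
        cur = messages[-1]
        if "=" not in attr:                  # wrapped continuation of a long hex Host-Name
            if last_key:
                cur[last_key] += ":" + attr
            continue
        parts = attr.split(", ") if attr.startswith("tunnel-id=") else [attr]
        for part in parts:
            key, _, value = part.partition("=")
            cur[key] = value
            last_key = key
    return messages, dead


def diagnose(messages, dead):
    """Per client ip:port: was SCCRP sent, did the client keep re-sending its first SCCRQ
    afterwards, and did the router give up on the tunnel id it had assigned."""
    def fresh():
        return {"client": None, "client_tid": None, "sccrq_seen": 0, "sccrp_sent": False,
                "retransmitted_sccrq": 0, "dead_tunnel": None}
    peers, assigned = defaultdict(fresh), {}     # assigned: peer -> tunnel id from our SCCRP
    for msg in messages:
        p, mtype = peers[msg["peer"]], msg.get("Message-Type")
        if msg["dir"] == "rcvd" and mtype == "SCCRQ":
            p["sccrq_seen"] += 1
            if "Host-Name" in msg:
                p["client"] = decode_avp_string(msg["Host-Name"])
            tid = msg.get("Assigned-Tunnel-ID")
            # Same tunnel id with nr=0 after our SCCRP went out: the client has seen nothing from us.
            if p["sccrp_sent"] and msg.get("nr") == "0" and tid == p["client_tid"]:
                p["retransmitted_sccrq"] += 1
            p["client_tid"] = tid
        elif msg["dir"] == "sent" and mtype == "SCCRP":
            p["sccrp_sent"] = True
            assigned[msg["peer"]] = int(msg["Assigned-Tunnel-ID"])
    for peer, tid in assigned.items():
        if tid in dead:
            peers[peer]["dead_tunnel"] = tid
    for p in peers.values():
        if p["retransmitted_sccrq"] and p["dead_tunnel"] is not None:
            p["verdict"] = "SCCRP sent but never acknowledged: the reply is not reaching the client"
        elif not p["sccrp_sent"]:
            p["verdict"] = "no SCCRP sent: the L2TP server did not answer"
        else:
            p["verdict"] = "control connection negotiated or still in progress"
    return dict(peers)
```

Feed `parse_l2tp_log` the router log captured with the same l2tp debug logging the posters enabled; `diagnose` then separates "the router never answered" from "the router answered and the answer never made it back", which is the distinction this thread turns on. The second case points at the return path (IPsec policy, NAT, firewall) rather than at the L2TP server itself.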
 
gcraenen
newbie
Posts: 38
Joined: Fri Dec 19, 2014 11:50 pm

Re: IPSec succeeds but L2TP fails to establish - client lone

Mon Dec 29, 2014 11:49 am

Same problem here!

The requested exports:

/ip add
# dec/29/2014 10:59:29 by RouterOS 6.24
# software id = CDRV-B447
#
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2 \
    network=192.168.88.0
add address=192.168.90.1/24 comment="IP Guest wlan" interface=duck network=\
    192.168.90.0
/ip ipsec
# dec/29/2014 11:00:33 by RouterOS 6.24
# software id = CDRV-B447
#
/ip ipsec policy group
set
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc pfs-group=none
/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=\
    secret
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip fi
# dec/29/2014 11:01:25 by RouterOS 6.24
# software id = CDRV-B447
#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=add-src-to-address-list address-list=Login_tries address-list-timeout=1d \
    chain=input dst-port=20-23,8291 log=yes protocol=tcp
add action=drop chain=input comment="Block home network --> guests" dst-address=\
    192.168.90.0/24 src-address=192.168.88.0/24
add action=drop chain=input comment="Block guests --> home network" dst-address=\
    192.168.88.0/24 src-address=192.168.90.0/24
add chain=input comment=l2tp connection-state=new dst-port=500,1701,4500 in-interface=\
    ether1-gateway log=yes log-prefix=vpn- protocol=udp
add chain=input connection-state=new in-interface=ether1-gateway log=yes log-prefix=\
    VPN-FW protocol=ipsec-esp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=\
    ether1-gateway src-address=192.168.89.0/24
add action=masquerade chain=srcnat log=yes out-interface=ether1-gateway src-address=\
    192.168.90.0/24
/ip firewall service-port
set tftp disabled=yes
/ppp
# dec/29/2014 11:04:08 by RouterOS 6.24
# software id = CDRV-B447
#
/ppp profile
add change-tcp-mss=yes dns-server=192.168.88.1 local-address=192.168.89.1 name=\
    L2TP-profile remote-address=vpn
set 2 local-address=192.168.89.1 remote-address=vpn
/ppp secret
add name=vpn password=secret profile=L2TP-profile service=l2tp
Thanks in advance for looking into it.
 
kielerjung
just joined
Posts: 7
Joined: Sun Jun 01, 2014 7:12 pm
Location: Kiel
Contact:

Re: IPSec succeeds but L2TP fails to establish - client lone

Wed Dec 31, 2014 2:58 pm

Same problem here. Configs looking the same as above.
 
gcraenen
newbie
Posts: 38
Joined: Fri Dec 19, 2014 11:50 pm

Re: IPSec succeeds but L2TP fails to establish - client lone

Mon Jan 05, 2015 10:55 am

Hi,

I stopped trying and am using OpenVPN instead. On youtube there is a good "tutorial" for the OVPN setup from Pascom:

https://www.youtube.com/channel/UCSnsMv ... agJREg9EdA

Works ok for my situation with "road-warriors".
 
zaedi
just joined
Posts: 1
Joined: Tue Apr 01, 2014 10:25 am

Re: IPSec succeeds but L2TP fails to establish - client lone

Wed Aug 26, 2015 6:44 am

Do you have multiple IP addresses on the WAN interface?

How to configure L2TP/IPsec VPN when WAN interface has got multiple public ip address?
 
zopper
just joined
Posts: 10
Joined: Sat Dec 27, 2014 5:12 pm

Re: IPSec succeeds but L2TP fails to establish - client lonely

Sat Sep 19, 2015 6:17 pm

So I just got it working.

I'm not sure whether I made any other change, but the step between not working and working was to go to IP/IPSec/Policy and enable the default entry I have there.
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
       proposal=default template=yes
With this policy disabled, I could see incoming connections in the log, and I could see even remote peers connected for a moment in IPSec/Remote Peers, but after a moment they disconnected with timeout. After enabling it, it works like a charm.

(On a side note, it was this thread that kicked me to look on the policy.)
 
andyanthoine
newbie
Posts: 43
Joined: Wed Jun 12, 2013 3:41 am

Re: IPSec succeeds but L2TP fails to establish - client lonely

Mon Sep 21, 2015 7:24 am

As far as I'm concerned, it works perfectly on my router, so I'll try to explain my setup.

First :

PPP > Interface, click on L2TP Server

Enable it, do the same for USE IPSEC, and put an IPsec key there.

Then :

Create a user, with service : L2TP
local and remote address
and a route

Let's say your transport block is 172.24.103.0/24
Local address is : 172.24.103.254
Remote : 172.24.103.2

Route will be : 172.24.103.0/24 172.24.103.254 1

In profile, edit the associated profile and add your DNS SERVER ip

Mine is 172.24.102.254 (that's the address of my MKT inside my LAN).

And that's it... since they added the IPSEC rule to the L2TP SERVER it's really easy to set up; it shouldn't be harder than that to make it work.

Btw, don't forget to open all the necessary ports for L2TP, IPsec, etc.
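zopper's fix two posts up was an /ip ipsec policy template that had been left disabled, and the reminder above is to open the L2TP and IPsec ports. Both are things that can be checked mechanically in an `/export` before reading it through by hand. The following is an added example, not from any post in this thread and not MikroTik's code: a Python linter for the three conditions this thread raised (a disabled policy, a peer without generate-policy, and an input chain that drops udp/500, udp/4500, udp/1701 or ESP before accepting them). It understands only the export syntax visible in the posts above (`/section` headers, `add`/`set` lines of key=value attributes, backslash continuations); the two embedded exports are constructed, and `secret=placeholder` is a placeholder.

```python
"""Lint a RouterOS `/export` for the L2TP/IPsec problems raised in this thread: a disabled
/ip ipsec policy template (zopper's fix), a peer without generate-policy, and an input
chain that drops udp/500, udp/4500, udp/1701 or ESP before accepting them.
Added example for this page, not MikroTik code; only the export syntax seen above is handled."""
import shlex
from collections import defaultdict

REQUIRED_INPUT = ("udp/500", "udp/4500", "udp/1701", "ipsec-esp")

# Constructed export showing all three problems; secret=placeholder is a placeholder.
BAD_EXPORT = r"""
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ipsec peer
add enc-algorithm=aes-256 exchange-mode=main-l2tp secret=placeholder
/ip firewall filter
add chain=input connection-state=established
add chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=input comment=L2TP dst-port=1701 protocol=udp
add chain=input comment=L2TP protocol=ipsec-esp
"""

# Constructed export modelled on the first post: generate-policy set, all four accepts, no drop.
GOOD_EXPORT = r"""
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    nat-traversal=yes secret=placeholder send-initial-contact=no
/ip firewall filter
add chain=input comment=L2TP dst-port=4500 protocol=udp
add chain=input comment=IPSEC protocol=ipsec-esp
add chain=input comment=l2tp port=500 protocol=udp
add chain=input comment=l2tp port=1701 protocol=udp
"""


def parse_export(text):
    """{section: [rule, ...]}; a rule is its key=value attributes plus '_verb' and '_line'.
    Backslash continuations are joined without adding whitespace, as the export format wraps."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        rule, depth = {"_verb": tokens[0], "_line": line}, 0
        for tok in tokens[1:]:
            depth += tok.count("[") - tok.count("]")      # skip `set [ find ... ]` selectors
            if depth == 0 and "=" in tok:
                key, _, value = tok.partition("=")
                rule[key] = value
        sections[section].append(rule)
    return dict(sections)


def port_matches(spec, port):
    """dst-port may be a comma list mixing single ports and lo-hi ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def lint(export_text):
    """Return a list of findings; empty means none of the thread's three problems is present."""
    cfg, findings = parse_export(export_text), []
    for pol in cfg.get("/ip ipsec policy", []):
        if pol.get("disabled") == "yes":
            findings.append("ipsec-policy-disabled: " + pol["_line"])
    for peer in cfg.get("/ip ipsec peer", []):
        if peer.get("generate-policy", "no") == "no":
            findings.append("peer-without-generate-policy: " + peer["_line"])
    missing = set(REQUIRED_INPUT)
    for rule in cfg.get("/ip firewall filter", []):       # export order is evaluation order
        if rule.get("chain") != "input" or rule.get("disabled") == "yes":
            continue
        action, proto = rule.get("action", "accept"), rule.get("protocol")
        if action == "accept":
            ports = rule.get("dst-port") or rule.get("port") or ""
            if proto == "udp":
                missing -= {"udp/%d" % p for p in (500, 4500, 1701) if port_matches(ports, p)}
            elif proto == "ipsec-esp":
                missing.discard("ipsec-esp")
        elif action == "drop" and not any(k in rule for k in
                                          ("protocol", "dst-port", "port", "src-address", "dst-address")):
            # A catch-all drop (at most in-interface / connection-state): later accepts never match.
            if missing:
                findings.append("input-drop-before-accept: " + ", ".join(sorted(missing)))
            break
    return findings
```

A clean result does not prove the tunnel will come up (the first post's configuration passes it and still failed); it only rules out the specific misconfigurations named in this thread, so a clean run is the point at which packet-level debugging starts rather than ends.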
