velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

IPSec + iOS doesn't work

Thu Mar 13, 2014 10:23 am

Hi all. I have a MikroTik with RouterOS 6.10.
I am setting up an L2TP+IPSec server on it. My config is below.
Connection from a computer with WinXP is OK.
Connection from an iPhone gives this in the log:
09:52:55 ipsec,debug no suitable proposal found.
09:52:55 ipsec,debug failed to get valid proposal.
09:52:55 ipsec,debug failed to pre-process ph1 packet (side: 1, status 1).
09:52:55 ipsec,debug phase1 negotiation failed.
Full log:
log.txt
Config:
export-ipsec.rsc
Short config:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-128-ctr
/ip pool
add name=l2tp-pool ranges=192.168.100.2-192.168.100.200
/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=l2tp remote-address=\
    l2tp-pool
/interface l2tp-server server
set authentication=pap,chap,mschap1 default-profile=l2tp enabled=yes \
    keepalive-timeout=15 max-mru=1418 max-mtu=1418
/ip address
add address=192.168.88.1/24 comment=Settings_Port interface=eth12-192.168.88 \
    network=192.168.88.0
add address=192.168.0.1/24 comment="AMIGO LAN" interface=eth1-192.168.0 \
    network=192.168.0.0
add address=192.168.3.1/24 interface=eth2-192.168.3 network=192.168.3.0
add address=91.196.229.6/30 comment=Stels interface=eth10-Stels network=\
    91.196.229.4
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment=Accept_established_connections connection-state=\
    established
add chain=forward connection-state=established
add chain=input comment=Accept_related_connections connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment=Drop_invalid_connections \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment=Allow_UDP protocol=udp
add chain=forward protocol=udp
add chain=forward comment="Amigo Traffic" dst-address=192.168.0.0/16 \
    src-address=192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for Amigo networks" \
    out-interface=eth10-Stels src-address=192.168.0.0/16
/ip ipsec peer
add enc-algorithm=aes-256 generate-policy=port-override nat-traversal=yes \
    secret=topsecret
/ip route
add distance=1 gateway=91.196.229.5
add distance=1 dst-address=192.168.1.0/24 gateway=172.17.17.21
add distance=1 dst-address=192.168.10.0/24 gateway=172.17.17.13
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=client1 password=secret1 profile=l2tp service=l2tp
/system logging
add topics=ipsec
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes mode=unicast primary-ntp=62.149.0.30
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
Please, help ;)
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 10:53 am

Find out what algorithms iOS can use.

/ppp profile
add change-tcp-mss=yes local-address=192.168.100.1 name=l2tp remote-address=l2tp-pool use-encryption=yes

/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=l2tp enabled=yes keepalive-timeout=15 max-mru=1450 max-mtu=1450 mrru=1614
Last edited by rextended on Thu Mar 13, 2014 11:14 am, edited 1 time in total.
I'm Italian, not English. Sorry for my imperfect grammar.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:06 am

set authentication=pap,chap,mschap1,mschap1
You're using mschap1 twice; is that OK?
You mean mschap2?
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:08 am

Apple writes:
iOS works with VPN servers that support the following protocols and authentication methods:

L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID or CryptoCard, and machine authentication by shared secret.
You have:

/interface l2tp-server server set authentication=pap,chap,mschap1

Have you tried

/interface l2tp-server server set authentication=mschap2

?
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:11 am

Turned on mschap2, everything is the same. Failed to get valid proposal.
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:14 am

Yes, a misspelling: mschap2 (I fixed my post).

normis gave you the list of supported authentication methods on iOS; mschap2 must be on.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:21 am

Sorry for the misinformation.
When I use 3des encryption in Peers, everything is OK from the computer. From the iPhone the connection doesn't work.
When I use aes256 encryption in Peers, the connection doesn't work from the computer or the iPhone.
The error is the same: no suitable proposal found.

Turned on mschap2. Doesn't work.
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:23 am

Some other stuff from the internet, what iOS wants to see:

dh-group: modp1024
hash-algorithm: sha1
Encryption algorithm: AES / 256 bits (another internet source says 128, so try both)
auth-method: pre-shared-key-xauth
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:28 am

Some other stuff from the internet, what iOS wants to see:

dh-group: modp1024
hash-algorithm: sha1
Encryption algorithm: AES / 256 bits (another internet source says 128, so try both)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms="3des,aes-128-cbc,aes-192-cbc,aes-256-\
    cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr"

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled 
 0   address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key 
     secret="topsecret" generate-policy=port-override exchange-mode=main 
     send-initial-contact=yes nat-traversal=yes proposal-check=obey 
     hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d 
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 

Tried aes-128 and aes-256. Doesn't work on either the computer or the iPhone. On the computer it works only with 3des encryption.
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:30 am

The idea is to disable 3des and the others, and leave only the one that iOS supports.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:30 am

Also, the changelog of 6.10 says that aes-256 doesn't work.
http://www.mikrotik.com/download/CHANGELOG_6
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:31 am

Try:

/ip ipsec proposal
set [ find default=yes ] pfs-group=modp1024 auth-algorithms=md5,sha1 enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr

Or:

/ip ipsec proposal
set [ find default=yes ] pfs-group=modp1024 auth-algorithms=null enc-algorithms=aes-128-gcm,aes-192-gcm,aes-256-gcm
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:32 am

Also, the changelog of 6.10 says that aes-256 doesn't work.
http://www.mikrotik.com/download/CHANGELOG_6
Try v6.11 for now. What architecture do you need?
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:34 am

The idea is to disable 3des and the others, and leave only the one that iOS supports.
You mean in the proposal?
OK, doing that:
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-128-cbc,aes-128-ctr lifetime=30m pfs-group=modp1024
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key
secret="topsecret" generate-policy=port-override exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] >
And it doesn't work.
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:35 am

We will make a setup like that here and test. Meanwhile, let me know which device you use, and I will give you v6.11 with the 256-bit fix.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:37 am

Also, the changelog of 6.10 says that aes-256 doesn't work.
http://www.mikrotik.com/download/CHANGELOG_6
Try v6.11 for now. What architecture do you need?
I use ROS on a MikroTik CCR1016-12G.
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:39 am

Also, the changelog of 6.10 says that aes-256 doesn't work.
http://www.mikrotik.com/download/CHANGELOG_6
Try v6.11 for now. What architecture do you need?
I use ROS on a MikroTik CCR1016-12G.
I can't say if this is the bug that causes your problem, we will test it locally anyway, but now you can just try this:
http://www.mikrotik.com/download/share/ ... e-6.11.npk
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Thu Mar 13, 2014 11:52 am

Upgraded to 6.11. Tried aes-256. The error is the same.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 14, 2014 12:04 pm

Still no answer? ):
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Fri Mar 14, 2014 12:13 pm

We are replicating the setup.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Tue Mar 18, 2014 1:13 pm

We are replicating the setup.
Maybe you need some help with replicating? :)))
 
normis
MikroTik Support
Posts: 24666
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: IPSec + iOS doesn't work

Tue Mar 18, 2014 4:53 pm

It works, but specific settings are needed in RouterOS. We have added which settings iOS supports in this article section:
http://wiki.mikrotik.com/wiki/Manual:IP ... .29_Client
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 12:51 pm

Okay, my mistake was trying to set up L2TP+IPsec for iPhone clients.
I understood that we need IPsec with a pre-shared key and XAuth to use "Cisco" IPsec on the iPhone.
Went here http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
and tried to set it up.
My config (192.168.0.0/24 is the workstation network, 192.168.3.0 is the server network):
export_ipsec.rsc
My log:
log_ipsec.txt
The iPhone error is "Error when negotiating the server". Maybe in English it sounds a little different; I have a Russian-language iPhone :)
 
mrz
MikroTik Support
Posts: 6080
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 1:03 pm

If your device is behind NAT then try to enable NAT-T in peers config.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 2:27 pm

If your device is behind NAT then try to enable NAT-T in peers config.
OK! It's connected. The problem was not only in NAT-T. In the proposal we had no auth methods checked.
But the iPhone can't access computers in the 192.168.0.0/24 network. Even a ping to 192.168.0.1 (the MikroTik IP address) doesn't work.
 
mrz
MikroTik Support
Posts: 6080
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 2:54 pm

Because you are giving out ip addresses to ipsec tunnels from the same 192.168.0.0/24 subnet. Use different address range or set up proxy arp.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 3:02 pm

Because you are giving out ip addresses to ipsec tunnels from the same 192.168.0.0/24 subnet. Use different address range or set up proxy arp.
I can't understand why in the manual http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf the addresses for the tunnel are the same as in the "inside" network.
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 3:15 pm

Because you are giving out ip addresses to ipsec tunnels from the same 192.168.0.0/24 subnet. Use different address range or set up proxy arp.
Changed the RW pool:
[admin@MikroTik] /ip pool> print
 # NAME      RANGES
 1 ipsec-RW  192.168.200.200-192.168.200.205
Now we get an error when connecting from the iPhone: "Error when negotiating the server".
 
mrz
MikroTik Support
Posts: 6080
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 3:24 pm

And have you also changed the policy templates to match the new addresses?
 
velter
just joined
Topic Author
Posts: 18
Joined: Wed Jan 29, 2014 10:38 am

Re: IPSec + iOS doesn't work

Fri Mar 21, 2014 3:43 pm

And have you also changed the policy templates to match the new addresses?
Already understood that. Everything is OK. Thanks for the help.
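The two address problems mrz raised above (a client pool taken from the LAN subnet that only works with proxy ARP on that interface, and a policy template that must be updated after the pool moves to a new range) can be checked mechanically before a client ever connects. The following is an added example written for this thread, not RouterOS code or anything from the MikroTik manual: it takes the pool range, the LAN interface addresses and the policy templates as plain dictionaries shaped like the `print` output earlier in the thread, and reports what is wrong. All values in it are constructed samples; the assumption that the template's `dst-address` is the side that has to cover the client pool follows the server-side road-warrior layout of the manual page linked above.

```python
"""Lint for the two road-warrior address problems discussed in this thread.

Added illustration, not RouterOS code.  It models the advice given above:
(1) a mode-config pool carved out of a LAN subnet only works if proxy ARP is
enabled on that LAN interface, otherwise pick a non-overlapping range; and
(2) after changing the pool, the policy template must still cover the new
addresses.  Input dicts mirror the RouterOS fields shown in the thread; the
values are constructed samples.  Assumption: the template's dst-address is
the side that has to cover the client pool (server-side view).
"""
import ipaddress
from typing import Dict, List


def pool_networks(ranges: str) -> List[ipaddress.IPv4Network]:
    """Turn a RouterOS pool range 'first-last' into the minimal list of CIDR
    networks covering it (a single address without '-' is accepted too)."""
    first, _, last = ranges.partition("-")
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last or first)))


def lint_roadwarrior(pool_ranges: str,
                     interfaces: List[Dict[str, str]],
                     templates: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings: List[str] = []
    pools = pool_networks(pool_ranges)

    # Check 1: a pool overlapping a LAN subnet needs proxy ARP on that interface,
    # otherwise LAN hosts never learn where the tunnel addresses live.
    for iface in interfaces:
        lan = ipaddress.ip_interface(iface["address"]).network
        if any(p.overlaps(lan) for p in pools) and iface.get("arp") != "proxy-arp":
            findings.append(
                f"pool {pool_ranges} overlaps {lan} on {iface['interface']} "
                f"but arp={iface.get('arp', 'enabled')}: set arp=proxy-arp on the "
                f"interface or move the pool to a separate range")

    # Check 2: every policy template must cover the whole client pool, or the
    # client's generated policy will not match and traffic is silently dropped.
    for tmpl in templates:
        dst = ipaddress.ip_network(tmpl["dst-address"])
        missed = [str(p) for p in pools if not p.subnet_of(dst)]
        if missed:
            findings.append(
                f"policy template {tmpl['name']} dst-address={dst} does not "
                f"cover pool addresses {', '.join(missed)}")
    return findings


# Constructed sample config modelled on the thread (two LANs, one template).
LAN_IFACES = [
    {"interface": "eth1-192.168.0", "address": "192.168.0.1/24", "arp": "enabled"},
    {"interface": "eth2-192.168.3", "address": "192.168.3.1/24", "arp": "enabled"},
]
TEMPLATE_OLD = [{"name": "rw", "src-address": "192.168.0.0/24",
                 "dst-address": "192.168.0.0/24"}]
TEMPLATE_NEW = [{"name": "rw", "src-address": "192.168.0.0/24",
                 "dst-address": "192.168.200.0/24"}]

if __name__ == "__main__":
    # Pool inside the LAN, pool moved but template stale, pool moved and fixed.
    for pool, tmpl in [("192.168.0.200-192.168.0.205", TEMPLATE_OLD),
                       ("192.168.200.200-192.168.200.205", TEMPLATE_OLD),
                       ("192.168.200.200-192.168.200.205", TEMPLATE_NEW)]:
        print(pool, "->", lint_roadwarrior(pool, LAN_IFACES, tmpl) or "ok")
```

The three runs in the `__main__` block replay the sequence of this thread: the first pool reproduces the "can ping nothing on the LAN" state, the second the "Error when negotiating" state after the pool was moved without touching the template, and the third the working configuration.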
 
kasparsv
just joined
Posts: 1
Joined: Fri Mar 21, 2014 3:21 pm

Re: IPSec + iOS doesn't work

Mon Mar 24, 2014 4:45 pm

Hi,

I have successfully connected via ipsec xauth in road warrior setup as in the manual using the same subnet as in target network.

I have enabled proxy arp on the bridge interface (includes wireless and ethernet ports) and I can connect via VPN successfully, but I cannot reach hosts on internal network. I can reach router just fine.

I'm connecting from Mac OS X 10.9.2.
 
iamtuxmeister
just joined
Posts: 1
Joined: Fri Jan 22, 2016 11:34 pm

Re: IPSec + iOS doesn't work

Sat Jan 23, 2016 12:05 am

This is for posterity:
Googling issues with Apple iOS 9, MikroTik and L2TP VPN led me to this post.
I had many troubles and finally got it to work. I will post my commands below to hopefully save others some headache. :D

This assumes some default configuration on the router:
local subnet 192.168.1.0/24
router address 192.168.1.1
DHCP pool 192.168.1.100 - 192.168.1.200
/interface l2tp-server server
set default-profile=l2tp-profile enabled=yes ipsec-secret=MyIpsecSecret use-ipsec=yes
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.1.1 name=l2tp-profile \
    remote-address=dhcp use-encryption=yes
/ppp secret
add local-address=192.168.1.201 name=myPppUser password=myPppPassword profile=default-encryption remote-address=\
    192.168.1.202 service=l2tp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1,sha256,sha512 enc-algorithms=\
    aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h pfs-group=none
/ip ipsec peer
add dpd-interval=2s enc-algorithm=aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override \
    secret=MyIpsecSecret
/interface ethernet set 0 arp=proxy-arp
/interface bridge set 0 arp=proxy-arp
These commands should be all that is needed for a successful connection with an iOS device running 9.2+ and a Mac running 10.10+.

Kyle.
 
ilia2s
just joined
Posts: 3
Joined: Mon Sep 12, 2016 3:02 pm

Re: IPSec + iOS doesn't work

Mon Sep 12, 2016 3:15 pm

Hello. I tried to set up L2TP/IPsec with an iPad mini 2 on iOS 9.3.5 and ROS 6.36.3, but with no success.

Here is my config:
/ip ipsec peer> print
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=:: passive=yes port=500 auth-method=pre-shared-key-xauth 
      secret="secret" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=no nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 
      dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal> print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha512,sha256,sha1,md5 
      enc-algorithms=aes-256-cbc,aes-256-ctr,aes-128-cbc,aes-128-ctr lifetime=8h pfs-group=none 

 /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 
Debug log attached. Please help.
 
mrz
MikroTik Support
Posts: 6080
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec + iOS doesn't work

Mon Sep 12, 2016 3:40 pm

It doesn't work because on the iPad you have selected to use IPsec with XAuth and mode-config, not IPsec/L2TP.
 
ilia2s
just joined
Posts: 3
Joined: Mon Sep 12, 2016 3:02 pm

Re: IPSec + iOS doesn't work

Mon Sep 12, 2016 9:28 pm

It doesn't work because on the iPad you have selected to use IPsec with XAuth and mode-config, not IPsec/L2TP.
Thank you, it was a client-side mistake. The iPad has 3 VPN types: PPTP, L2TP = L2TP/IPsec, and IPsec = Cisco IPsec (without L2TP).
 
alex7xl
just joined
Posts: 4
Joined: Fri Sep 16, 2016 11:51 am

Re: IPSec + iOS doesn't work

Fri Sep 16, 2016 11:58 am

Hi all,

Since iOS 10 does not support PPTP, I tried L2TP VPN.

It works perfectly via my WiFi, but does not work via mobile 4G Internet.

From the client side I got:
The L2TP-VPN server did not respond
In the ROS log I got this:
08:36:02 l2tp,info first L2TP UDP packet received from 37.104.222.180
08:36:33 ipsec,error key length mismatched, mine:128 peer:256.
08:36:33 ipsec,error key length mismatched, mine:192 peer:256.
Does this mean that L2TP VPN is just blocked on 4G mobile Internet, or can I do something with my ROS settings?
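Both the "no suitable proposal found" lines in the opening post and the "key length mismatched, mine:128 peer:256" lines in the post just above come from the same step: the responder walking through the transforms the client offers for IKE phase 1 and finding none it is configured to accept. The following is an added example written for this thread, not RouterOS code, that models that selection so the two messages can be reproduced side by side. The responder side is expanded from a peer entry with the same field names as the `ip ipsec peer print` output quoted earlier; the client offer lists are constructed samples and are not a capture of what any iOS version actually sends; the diagnostic strings simply borrow the thread's log wording. Under the model, a peer entry that allows aes-128 and aes-192 but not aes-256, facing a client that offers only aes-256, yields exactly the two key-length lines above followed by a failed negotiation.

```python
"""Model of IKEv1 phase-1 proposal selection.

Added illustration for this thread, not RouterOS code.  The responder's
accepted transforms are expanded from a RouterOS-style /ip ipsec peer entry,
the initiator's offers are constructed sample lists, and the diagnostics use
the wording of the thread's log lines so the reason for a rejection is
visible.  Real IKE carries more attributes (lifetimes, PRF, vendor IDs) than
this model does.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    """One phase-1 transform: cipher, key length, hash, DH group, auth method."""
    enc: str          # "aes" or "3des"
    key_len: int      # bits; 0 for ciphers with a fixed key size (3des)
    hash_alg: str     # "sha1" or "md5"
    dh_group: str     # "modp1024", "modp2048", ...
    auth_method: str  # "pre-shared-key" or "pre-shared-key-xauth"


def responder_transforms(peer: Dict[str, str]) -> List[Transform]:
    """Expand a peer entry (field names as in the 'print' output on this
    thread) into the transforms the responder will accept.  enc-algorithm may
    hold a comma-separated list such as "aes-256,aes-128"."""
    out = []
    for enc in peer["enc-algorithm"].split(","):
        name, _, bits = enc.strip().partition("-")
        out.append(Transform(name, int(bits) if bits else 0,
                             peer["hash-algorithm"], peer["dh-group"],
                             peer["auth-method"]))
    return out


def negotiate(peer: Dict[str, str],
              offer: List[Transform]) -> Tuple[Optional[Transform], List[str]]:
    """Pick the first offered transform the responder accepts.

    Returns (chosen transform or None, diagnostics).  A cipher whose name,
    hash, group and auth method match but whose key length differs is reported
    separately from a complete mismatch; that is the difference between the
    two error texts seen in this thread.
    """
    mine_all = responder_transforms(peer)
    log: List[str] = []
    for offered in offer:
        for mine in mine_all:
            same_suite = (offered.enc, offered.hash_alg, offered.dh_group,
                          offered.auth_method) == (mine.enc, mine.hash_alg,
                                                   mine.dh_group, mine.auth_method)
            if not same_suite:
                continue
            if offered.key_len != mine.key_len:
                log.append(f"key length mismatched, mine:{mine.key_len} "
                           f"peer:{offered.key_len}.")
                continue
            return offered, log
    log.append("no suitable proposal found.")
    return None, log


# Constructed sample offers (NOT a capture of what any real iOS version sends).
OFFER_AES_THEN_3DES = [
    Transform("aes", 256, "sha1", "modp1024", "pre-shared-key"),
    Transform("aes", 128, "sha1", "modp1024", "pre-shared-key"),
    Transform("3des", 0, "sha1", "modp1024", "pre-shared-key"),
]
OFFER_AES256_ONLY = [Transform("aes", 256, "sha1", "modp1024", "pre-shared-key")]

# Responder settings in the shape of the 'ip ipsec peer print' output above.
PEER_AES128_192 = {"enc-algorithm": "aes-128,aes-192", "hash-algorithm": "sha1",
                   "dh-group": "modp1024", "auth-method": "pre-shared-key"}
PEER_3DES_MD5 = {"enc-algorithm": "3des", "hash-algorithm": "md5",
                 "dh-group": "modp1024", "auth-method": "pre-shared-key"}


if __name__ == "__main__":
    cases = [("aes-128/192 responder vs aes-256-only client",
              PEER_AES128_192, OFFER_AES256_ONLY),
             ("md5 responder vs sha1 client", PEER_3DES_MD5, OFFER_AES_THEN_3DES),
             ("aes-128/192 responder vs aes-256,aes-128,3des client",
              PEER_AES128_192, OFFER_AES_THEN_3DES)]
    for label, peer, offer in cases:
        chosen, log = negotiate(peer, offer)
        print(label, "->", chosen, *log, sep="\n  ")
```

The third case in `__main__` is the one worth noticing when reading logs: key-length mismatch lines are not by themselves a failure, because the client's next transform may still match, so the negotiation only fails when the final "no suitable proposal found" line follows them.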
 
EngineerAustin
just joined
Posts: 6
Joined: Sat Jun 20, 2015 6:57 pm

Re: IPSec + iOS doesn't work

Fri Oct 28, 2016 5:07 am

Did you ever figure out how to get the L2TP with VPN for the iOS 10 to work? I'm not having any luck following any of the forums...

I would really appreciate some help.

Thanks,

Lynn
 
cdiedrich
Forum Veteran
Posts: 960
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPSec + iOS doesn't work

Fri Oct 28, 2016 1:18 pm

Look at this post:
http://forum.mikrotik.com/viewtopic.php ... 47#p564947
You'll need to select "Send all traffic through VPN" (or similar) on the client device.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
