Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

[Solved...finally] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No!

Sat Jun 13, 2015 4:59 am

This road warrior L2TP/IPsec is so, so FRUSTRATING, it seems that it could make one jump over the cliff. No matter how many improvements, it just seems to follow a golden rule: the more things change, the more they remain the same.

The problem I have is the L2TP server never gets to the authentication process...even when a dynamic policy gets generated. Everything works at home using a guest network to connect. However, when on the road, the L2TP server just won't authenticate. This failure was described in 2012 here: http://forum.mikrotik.com/viewtopic.php?t=67746 and again in 2014 here: https://www.mail-archive.com/mikrotik@m ... 08704.html

It's not the firewall, as the L2TP server is sending and receiving control messages with the client...it NEVER authenticates and enters a dead zone. Is it a bug (I read that in the past)? Can any Guru or others provide a working solution? Does IPsec Policy really not like an unknown IP address...if so, then how can a road warrior VPN work?
Last edited by Nollitik on Thu Jul 09, 2015 5:57 am, edited 3 times in total.
 
fallenwrx
newbie
Posts: 46
Joined: Mon Jan 20, 2014 10:59 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Sat Jun 13, 2015 5:12 am

Can you please confirm that this is using mobile networks, e.g. 3G/4G, as I know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Sat Jun 13, 2015 8:08 pm

Can you please confirm that this is using mobile networks, e.g. 3G/4G, as I know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.
No, the client is using either iOS devices or Android devices over Wi-Fi.
 
wcsnet
Frequent Visitor
Posts: 59
Joined: Mon Apr 29, 2013 12:43 pm
Location: South Africa

Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Sat Jun 13, 2015 9:35 pm

Yep, same issue here; can't get L2TP working with iOS, however PPTP works fine.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Mon Jun 15, 2015 6:05 pm

Since I can connect to my VPN from my guest network at home, while the connection from the coffee shop failed, to troubleshoot most would say check the firewall. However, from the coffee shop, L2TP is sending and receiving control messages with the client...therefore that would imply it is going through the firewall, doesn't it! Also that would imply that IPsec established successfully as well. Here is my firewall (screenshot below)...does it look acceptable and as recommended?
Screen Shot 2015-06-15 at 9.44.22 AM.png
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Mon Jun 15, 2015 6:41 pm

Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.
 
fallenwrx
newbie
Posts: 46
Joined: Mon Jan 20, 2014 10:59 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Tue Jun 16, 2015 10:10 am

Under the IPsec peer 0.0.0.0/0, try changing "generate policy" to "port override", as this has resolved issues for me in the past.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 6:41 am

Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.
Thanks for responding and awaiting my follow-up, MrZ. My log is very long (both L2TP and IPsec)...it would take too much time to redact confidential info. Could I just send the supout file to Mikrotik support? I have been in communication with Maris B.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 6:49 am

Under the IPsec peer 0.0.0.0/0, try changing "generate policy" to "port override", as this has resolved issues for me in the past.
Thanks Fallenwrx for responding. I am using RouterOS 6.29 and when one selects IPsec in the L2TP server, it auto-generates an IPsec peer with a policy of "port strict" that's unchangeable.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 11:26 am

What ticket number?
 
fallenwrx
newbie
Posts: 46
Joined: Mon Jan 20, 2014 10:59 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 12:25 pm

If you open the dynamic peer and copy it, make the required change and then delete the original peer, does that work for you?
 
atlanticd
newbie
Posts: 29
Joined: Thu Jun 11, 2015 6:42 pm

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 12:48 pm

I had/have a similar issue, described here.
The only workaround I found is that you always need to add the outgoing policy manually (which is very inconvenient in the case of road warriors).
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated that in case both client and server are behind NAT, L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 10:28 pm

What ticket number?
[Ticket#2015061066000766] VPN Analysis and Recommendation
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Wed Jun 17, 2015 11:19 pm

Doing some research today seems to be leading me to the conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that's a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP both sends and receives communication with the client...just not engaging and completing the authentication process...one could see how I am leaning towards that conclusion.

The way to resolve it is to use advanced configuration to forward that port to a secure port that's firewall friendly, such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Fri Jun 19, 2015 4:24 am

Per Mikrotik support, I disabled all drop rules and that doesn't resolve the L2TP authentication process and thus make connection possible, despite IPsec connecting successfully. Sent another supout file.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Fri Jun 19, 2015 4:30 am

I had/have a similar issue, described here.
The only workaround I found is that you always need to add the outgoing policy manually (which is very inconvenient in the case of road warriors).
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated that in case both client and server are behind NAT, L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.
I read that you got yours working...when you say "need to add always manually the outgoing policy" what exactly do you mean? Is it that before you go to the outside world you add the policy manually?
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Fri Jun 19, 2015 7:34 pm

Doing some research today seems to be leading me to the conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that's a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP both sends and receives communication with the client...just not engaging and completing the authentication process...one could see how I am leaning towards that conclusion.

The way to resolve it is to use advanced configuration to forward that port to a secure port that's firewall friendly, such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.
Thought to share the web document claiming what I stated above about the weakness of L2TP...the firewall issue. It might help others in their VPN decision making. Here's the link: https://www.bestvpn.com/blog/4147/pptp- ... -vs-ikev2/
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: [Solved] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No!

Mon Jun 29, 2015 3:40 pm

I would never have guessed that having special characters in a password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: [Solved] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No!

Tue Jun 30, 2015 5:02 pm

I would never have guessed that having special characters in a password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.
Sorry that was a false alarm...problem still has not resolved. :(
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: [Solved...finally] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No!

Thu Jul 09, 2015 6:09 am

Thanks to Mikrotik support for resolving my VPN issue. It turned out that the problem resided in the dynamically generated peer. So, if I reboot the router, I would need to delete the dynamically generated peer for the manually created peer to take effect.

My hope is that Mikrotik gives one the option in the L2TP server to elect whether to issue a dynamically generated peer or manually create the peer in upcoming RouterOS releases. One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [Solved...finally] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No!

Thu Jul 09, 2015 9:56 am

One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.
Not exactly clear where you are trying to edit the key.
In /ip ipsec peers it will not be possible because the peer is dynamic.
But you can edit ipsec-secret in the L2TP server settings.
 
Nollitik
Member Candidate
Topic Author
Posts: 211
Joined: Tue Dec 07, 2010 8:16 am

Re: Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream?

Thu Jul 09, 2015 7:22 pm

Under the IPsec peer 0.0.0.0/0, try changing "generate policy" to "port override", as this has resolved issues for me in the past.
Actually, Fallenwrx, that's exactly what worked with passive unchecked...thanks for sharing. Maybe Mikrotik should allow the option to select generate IPsec-peer manually in the L2TP server in future RouterOS releases.
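The setup the thread converges on (a manually created 0.0.0.0/0 peer with generate-policy=port-override and passive unchecked, the PSK edited via ipsec-secret on the L2TP server, IPsec debug logging as mrz asked for), written out as an added RouterOS 6.x example that is not from the thread or from MikroTik. The pool, addresses and CHANGE-ME values are placeholders, and parameter names are as I know them from RouterOS 6.x; check them against your own version.

```routeros
# Added example, not from the thread or MikroTik. Road-warrior L2TP/IPsec
# on RouterOS 6.x using the manual peer the thread ended up with.
# Placeholders: CHANGE-ME-PSK, CHANGE-ME-PASS, 10.99.0.0/24 client pool.

# 1. L2TP server with IPsec. ipsec-secret is where the PSK is edited later
#    (mrz: the dynamic peer in /ip ipsec peer cannot be edited).
/ip pool add name=l2tp-pool ranges=10.99.0.10-10.99.0.250
/ppp profile add name=l2tp-profile local-address=10.99.0.1 \
    remote-address=l2tp-pool
/ppp secret add name=roadwarrior password=CHANGE-ME-PASS \
    profile=l2tp-profile service=l2tp
/interface l2tp-server server set enabled=yes use-ipsec=yes \
    ipsec-secret=CHANGE-ME-PSK default-profile=l2tp-profile \
    authentication=mschap2

# 2. Manual peer for clients at unknown addresses. generate-policy=port-override
#    (not the port-strict the auto-generated peer uses) is what resolved the
#    thread; passive=no matches "passive unchecked". The thread also reports
#    the dynamic peer returns after a reboot and must be removed before this
#    peer is used, so verify with the prints in step 4 after every reboot.
/ip ipsec proposal set default auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp \
    secret=CHANGE-ME-PSK generate-policy=port-override passive=no \
    nat-traversal=yes send-initial-contact=no hash-algorithm=sha1 \
    enc-algorithm=aes-256,aes-128 dh-group=modp1024

# 3. Instead of disabling all drop rules while testing, accept only what
#    IKE, NAT-T and ESP need, and L2TP (UDP 1701) only once it is inside IPsec.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only inside IPsec"

# 4. Diagnostics mrz asked for: IPsec logging to memory, then confirm phase 1
#    and phase 2 completed before suspecting the firewall or L2TP itself.
/system logging add topics=ipsec action=memory
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If remote-peers shows the client established but installed-sa stays empty, the failure is in phase 2 (policy generation), which is the symptom this thread describes; if no entry appears at all, look at UDP 500/4500 reachability first.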
