iBlueDragon
newbie
Topic Author
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

VPN MikroTik-Draytek: Problems with L2TP

Tue Aug 26, 2014 2:17 pm

Hello,

I am trying again to get an IPSec/L2TP VPN connection to a Draytek router. It seems the IPSec part is finally working. At least to me it looks good in the log ("ISAKMP-SA established").

But the L2TP Client connection can't connect. The config:

Interface:
Connect to: WAN IP of the Draytek
User: (same as Draytek)
Password: (same as Draytek)
Profile: L2TP
Keepalive Timeout: 60
Allow: pap, chap, mschap 1, mschap 2

Profile:
Use MPLS: default
Use Compression: default
Use VJ Compression: yes (same as Draytek)
Use Encryption: required

In the Log I keep getting "connecting..." and 25 seconds later "terminating... - session closed"

Any ideas what is going wrong here?

Thanks!
iBlueDragon
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: VPN MikroTik-Draytek: Problems with L2TP

Wed Aug 27, 2014 12:07 am

Just a hunch, but maybe change the value of Use Encryption to something other than required. L2TP is a tunneling protocol so it doesn't encrypt - that's what the IPSec portion does. I don't think MT is smart enough to disregard these settings if they do not apply - pretty sure I had that same problem with a PPTP tunnel I had set up.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: VPN MikroTik-Draytek: Problems with L2TP

Thu Aug 28, 2014 11:54 pm

I only allow mschap 2 and have VJ compression = default.

I only use windows clients to connect.

mikrotik.patokatech.com has screen shots of winbox settings if that helps.
 
iBlueDragon
newbie
Topic Author
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: VPN MikroTik-Draytek: Problems with L2TP

Fri Aug 29, 2014 3:33 pm

Thanks for the reply, rmmccann. Actually that's a valid point, but it was not the problem here.

I finally got it working, just had to remember the basics. For L2TP to work the IPSec tunnel must be set up in transport mode...
Now it does not matter if I enable encryption in the profile or not. So I set it to 'default'.

Funny side note:
In RouterOS version 6.18 the L2TP client connection did not show any encoding (as is to be expected). But in Version 6.19 it shows the encryption of the underlying IPSec tunnel.

Thanks for the reply as well, jaytcsd, but in my case the Mikrotik router is the L2TP client (LAN-to-LAN).

Kind regards,
iBlueDragon
 
razza
just joined
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Re: VPN MikroTik-Draytek: Problems with L2TP

Sun Apr 05, 2015 11:12 am

Could you share your configs please?
 
iBlueDragon
newbie
Topic Author
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: VPN MikroTik-Draytek: Problems with L2TP

Sun Apr 05, 2015 3:03 pm

Here you go:

Mikrotik:
/ip ipsec proposal
add enc-algorithms=3des,aes-256-cbc,aes-256-ctr lifetime=0s name=IPSecDT \
    pfs-group=none
/interface l2tp-client
add allow=mschap1,mschap2 connect-to=DraytekPublicIP keepalive-timeout=\
    disabled max-mru=1442 max-mtu=1442 name=Draytek password=L2TPPassword \
    profile=default user=L2TPUser
/ip ipsec peer
add address=DraytekPublicIP/32 comment=Draytek disabled=yes enc-algorithm=\
    3des,aes-256 secret=IPSecPassword
/ip ipsec policy
add comment=Draytek disabled=yes dst-address=DraytekPublicIP/32 proposal=\
    IPSecDT sa-dst-address=DraytekPublicIP sa-src-address=LocalPublicIP \
    src-address=LocalPublicIP/32

Draytek (here Vigor 2710):
VPN and Remote Access
Remote Access Control
Enable IPSec VPN Service
Enable L2TP VPN Service

IPSec General Setup
IKE Authentication Method: IPSecPassword
IPSec Security Method: High (ESP) DES / 3DES / AES

LAN to LAN
New Profile:
1. Common Settings:
Name: MTIn
Call Direction: Dial-In

3. Dial-In Settings:
L2TP with IPSec Policy: Must
Username: L2TPUser
Password: L2TPPassword
The rest is greyed out.

4. TCP/IP Network Settings:
My WAN IP: Draytek Internal IP
Remote Gateway IP: MT Internal IP
Remote Network IP: MT Network
Remote Network Mask: MT Network Mask
Local IP: Draytek Network
Local Network Mask: Draytek Network Mask

I don't use the tunnel right now, so IPSec Peer and IPSec Policy are disabled.
The tunnel takes some time and tries to come up, but after a few minutes it should work. If you don't need the additional routing possibilities of L2TP (in the Mikrotik environment), tunnel mode seems to be more stable (based on the same config with the obvious changes). You will see, the IPSec tunnel always comes up fine, it's the L2TP part that does not work so well (at least in my setup, which also suffers from the poor (international) internet connection I have right now).

Kind regards,
iBlueDragon
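A small linter, added here as an example and not part of the thread, that parses the RouterOS export above (the poster's placeholder names are kept, the peer section is omitted) and flags the points this thread turns on: a policy in tunnel mode (L2TP needs transport mode; it assumes RouterOS's default of tunnel=no when the key is absent), an l2tp-client with no IPsec policy for its connect-to address, and weak settings such as 3DES, PFS disabled and MS-CHAPv1.

```python
import re

# Constructed sample: the export posted above, with the poster's placeholders kept.
SAMPLE_EXPORT = """\
/ip ipsec proposal
add enc-algorithms=3des,aes-256-cbc,aes-256-ctr lifetime=0s name=IPSecDT \\
    pfs-group=none
/interface l2tp-client
add allow=mschap1,mschap2 connect-to=DraytekPublicIP keepalive-timeout=\\
    disabled max-mru=1442 max-mtu=1442 name=Draytek password=L2TPPassword \\
    profile=default user=L2TPUser
/ip ipsec policy
add comment=Draytek disabled=yes dst-address=DraytekPublicIP/32 proposal=\\
    IPSecDT sa-dst-address=DraytekPublicIP sa-src-address=LocalPublicIP \\
    src-address=LocalPublicIP/32
"""
WEAK_CIPHERS = {"des", "3des", "blowfish", "null"}
WEAK_AUTH = {"pap", "chap", "mschap1"}

def parse_export(text):
    """Map each '/path' section to a list of {key: value} dicts, one per 'add' line."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS '\' line continuations
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r"(\S+?)=(\S*)", line[4:])))
    return sections

def lint(sections):
    """Return human-readable findings for the L2TP/IPsec pitfalls and weak settings."""
    findings = []
    for p in sections.get("/ip ipsec proposal", []):
        weak = WEAK_CIPHERS & set(p.get("enc-algorithms", "").split(","))
        if weak: findings.append(f"proposal {p['name']}: weak cipher(s) {sorted(weak)}")
        if p.get("pfs-group") == "none": findings.append(f"proposal {p['name']}: PFS disabled")
    policies = sections.get("/ip ipsec policy", [])
    for pol in policies:  # assumption: RouterOS defaults to tunnel=no, i.e. transport mode
        if pol.get("tunnel", "no") == "yes":
            findings.append(f"policy to {pol.get('dst-address')}: tunnel mode breaks L2TP")
    for c in sections.get("/interface l2tp-client", []):
        if not any(pol.get("dst-address") == c["connect-to"] + "/32" for pol in policies):
            findings.append(f"l2tp-client {c['name']}: no IPsec policy for {c['connect-to']}")
        weak = WEAK_AUTH & set(c.get("allow", "").split(","))
        if weak: findings.append(f"l2tp-client {c['name']}: weak PPP auth {sorted(weak)}")
    return findings
```

Run `lint(parse_export(SAMPLE_EXPORT))` to see the findings for the posted config; feed it your own `/export` output to check a live router.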
 
razza
just joined
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Re: VPN MikroTik-Draytek: Problems with L2TP

Mon Apr 06, 2015 1:19 pm

Thanks for posting! I have followed the instructions and in the /interfaces/draytek (l2tp) section of webfig in the status section I get:
Status: link-established
then it fails with:
Status: terminating... - failed to authenticate ourselves to peer

It's worth noting that the Mikrotik is sitting behind another router (double NAT), apart from that nothing special.

Any obvious suggestions?
 
iBlueDragon
newbie
Topic Author
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: VPN MikroTik-Draytek: Problems with L2TP

Tue Apr 07, 2015 5:25 pm

Hi,

I don't know if the double NAT is a problem or not, but try the following:

1. Try a simple password for the L2TP connection. Only letters and numbers, max. 11 characters. If it works, you can try a stronger one later.
2. Check if the IPSec tunnel is stable. In Winbox check IP/IPSec/Remote Peers if the tunnel comes up and stays up for several minutes.
3. If the IPSec tunnel is not stable, enable logging for IPSec to see what the problem is.
4. Enable logging for L2TP.

It can help to disable the L2TP connection and the IPSec peer for a few minutes before trying again.

Hope that helps.

Kind regards,
iBlueDragon
