engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 2:27 pm

Hello,
I just set up a CHR in a VPS, and I found a bug.

From any RB, the l2tp client with ipsec just won't connect to the CHR; also, from the CHR, the l2tp client won't connect to any RB. I tested from my Windows laptop: I can connect to the CHR with the built-in l2tp ipsec driver, and of course I can connect to an RB also.

So I set up a CHR on my computer (in a VirtualBox VM), no configuration, no firewall rules, just an l2tp server with one profile, and from an RB (neither 5009 nor ac2) I cannot connect to this server, and from this CHR I cannot connect to an RB. (Every MikroTik is on a local network, no firewall rules.) From my laptop I can connect to the CHR and the RBs also.

The last test was: from my virtualized CHR I can connect to the CHR in the VPS!!! So between two CHRs everything is OK, between a computer and a CHR it is OK, but between a CHR and an RB there is a problem!! I tested the latest 6.49.2 CHR and the latest 7.1.1 CHR too. CHR version 7 can also connect to CHR version 6.

I assume the problem comes from ipsec, phase 1 negotiation maybe; without ipsec, l2tp just works OK.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 3:55 pm

Could you provide any log or error?
You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:12 pm

There is nothing informative in the log.

client side:
initializing...
connecting...
init new phase 1
terminating...-session closed
disconnected

And it starts from initializing again..

server side:
respond new phase 1
ISAKMP-SA established
purging ISAKMP-SA
ISAKMP-SA deleted
first L2TP UDP packet received from ...
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:16 pm

Are you sure this is all you get? For 1 L2TP connection, I will have more than 25 lines in the log even if it fails.
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:24 pm

Yes, so strange.

Please test it. I have more than 500 customers, who mostly use l2tp to connect their routers or to connect to my router, and there are more than 50 RBs which connect to my router via l2tp ipsec.
As you can see, I am not a virgin at setting up this kind of connection.

This is my first CHR and I could not connect to or from it via l2tp ipsec with RBs. But from a computer or a virtualized CHR I could. ?!
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:28 pm

I have a CHR with an L2TP setup and I also have an RB2011; I can confirm everything works.
I think it's better to have a firewall with established and related accept in the input and forward chains, and also accept for 1701, 500, 4500 and IPsec ESP (protocol 50) in the input chain.
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:43 pm

I tested on a local network with no firewall rules, no other config. (no default config, of course)

So I don't understand your advice :(
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:51 pm

I'm saying it's better to have a firewall with what l2tp will use as allowed.
As you can see, there is no bug regarding this issue.
2022-01-20_18-19-02.png
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 4:55 pm

This is not a CHR version!! You have an x86 version.

You must see it on the title bar, like this:
chr.jpg
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 5:02 pm

What's the difference in l2tp implementation?
I think both of them have the same daemon.
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 5:14 pm

Try it. CHR won't connect. I don't know why; it is a bug, I think.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 5:19 pm

I think it's better to post your config.
L2TP is a very old protocol; I'm sure if there was a bug, it would have been reported and fixed by now.
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 5:30 pm

TRY IT !
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 5:56 pm

@engiman
2022-01-20_19-24-47.png
Last edited by own3r1138 on Thu Jan 20, 2022 7:38 pm, edited 2 times in total.
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:01 pm

Maybe I should downgrade CHR.. 6.49.2 and 7.1.1 did not work here.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:02 pm

Let me upgrade, cuz I don't think that's the problem.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:07 pm

2022-01-20_19-36-36.png
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:09 pm

CHR 6.48.6 works OK.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:15 pm

As you can see, I'm at the latest V6, so 6.49.2 and 7.1.1 are also working.
 
inteq
Member
Posts: 317
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:38 pm

Tested from an RB1100AHx4 to a CHR on an ESXi 7 VM. Both on RoS 6.49.2.
All good. Both ways.
You are missing/messing something in your config.
 
sindy
Forum Guru
Posts: 8833
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 6:46 pm

"You are missing/messing something in your config."
Since the same config works for the OP in 6.48.6 but doesn't in 6.49.2 and 7.1.1, I'd assume some encryption algo or alike to behave differently between the versions, depending on CPU architecture. So I'd suggest comparing the /ip ipsec profile and /ip ipsec proposal rows both of you use. RB1100AHx4 is an ARM architecture like hAP ac², so this should not explain the difference.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
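
Added example (not part of the thread or of any poster's setup): one way to do the comparison suggested in the post above is to diff only the /ip ipsec profile and /ip ipsec proposal sections of two /export files. The two sample exports are constructed, and parse_export and diff_ipsec are hypothetical helper names.

```python
import re
import shlex

SECTIONS = ("/ip ipsec profile", "/ip ipsec proposal")
def parse_export(text):
    """Return {section: {row: {param: value}}} for the IPsec sections of an /export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # exports wrap long lines with a trailing "\"
    rows, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):  # a menu path starts a new section
            section = line if line in SECTIONS else None
            continue
        if section is None or not line or line.startswith("#"):
            continue
        m = re.match(r"set \[ find default=yes \]\s*(.*)", line)
        body = m.group(1) if m else line.partition(" ")[2]
        params = dict(t.split("=", 1) for t in shlex.split(body) if "=" in t)
        row = "default" if m else params.pop("name", "(unnamed)")  # built-in vs added row
        rows.setdefault(section, {}).setdefault(row, {}).update(params)
    return rows

def diff_ipsec(export_a, export_b):
    """List (section, row, param, value_a, value_b) for every differing parameter."""
    a, b, out = parse_export(export_a), parse_export(export_b), []
    for section in SECTIONS:
        ra, rb = a.get(section, {}), b.get(section, {})
        for row in sorted(set(ra) | set(rb)):
            pa, pb = ra.get(row, {}), rb.get(row, {})
            for key in sorted(set(pa) | set(pb)):
                # /export omits values left at their default, so a missing key is "(default)"
                va, vb = pa.get(key, "(default)"), pb.get(key, "(default)")
                if va != vb:
                    out.append((section, row, key, va, vb))
    return out
# Constructed sample exports (assumptions for illustration, not taken from the thread).
CHR_EXPORT = """/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \\
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
"""
RB_EXPORT = """/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc
"""
if __name__ == "__main__":
    for section, row, key, va, vb in diff_ipsec(CHR_EXPORT, RB_EXPORT):
        print(f"{section} [{row}] {key}: CHR={va} RB={vb}")
```

A parameter reported as "(default)" on one side is where differing built-in defaults between RouterOS versions would show up, so those rows are worth setting explicitly on both peers before retesting.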
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 7:03 pm

I downgraded my CHR to 6.48.6 and now it works as I expected. No configuration has changed. So there must be some bug..
 
mhaluska
just joined
Posts: 18
Joined: Sat Jun 13, 2020 1:20 pm

Re: l2tp with ipsec between CHR and RB

Thu Jan 20, 2022 7:28 pm

Working fine for me: CHR <-> HexS, both on ROS 7.1.1
 
inteq
Member
Posts: 317
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: l2tp with ipsec between CHR and RB

Fri Jan 21, 2022 6:03 am

"You are missing/messing something in your config."
"Since the same config works for the OP in 6.48.6 but doesn't in 6.49.2 and 7.1.1, I'd assume some encryption algo or alike to behave differently between the versions, depending on CPU architecture. So I'd suggest comparing the /ip ipsec profile and /ip ipsec proposal rows both of you use. RB1100AHx4 is an ARM architecture like hAP ac², so this should not explain the difference."
l2tp.jpg
l2tp-con.jpg
 
engiman
just joined
Topic Author
Posts: 14
Joined: Tue Nov 02, 2010 7:35 pm
Location: Budapest

Re: l2tp with ipsec between CHR and RB

Fri Jan 21, 2022 12:12 pm

OK, thanks everybody, there is no bug. My VPS provider has a special DDoS filter; as a test I asked them to turn it off, and tadaam!
So they made an exception for my VPS IP; the filter must be turned off for eternity. :)

However, there were some strange things: I do not understand why it worked after I downgraded the CHR, and how it worked from my laptop and did not work from the main router, and worked from a router behind my NAT, but I think all of them were caused by the DDoS filter rules, which are now off.

I also updated my Oracle VirtualBox to the latest, and now everything works in my test environment too. :)
