
 
tomaskir
Trainer
Topic Author
Posts: 1086
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 2:33 am

It's entirely different for someone to find you have IPSec enabled on your IP address than to find you have L2TP enabled. IPSec can be used for any reason, from securing peer-to-peer traffic in transport mode, to encapsulating whatever in transport mode, to tunneling or VPNing in tunnel mode, and IPSec will not expose any information other than the fact that it's enabled.

L2TP being open tells the attacker right away that this is a VPN AC, and that you run L2TP, and even reveals supported auth and encryption protocols and other things right away. Why would you ever want to give an attacker more information?
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 4:25 am

tomaskir, I agree that the ideal solution would be to close port 1701 completely. And your script is a valid and useful temporary solution while we wait for Mikrotik to improve their firewall.

But I still see the risk of having L2TP open as reasonable and acceptable if these conditions can be true:

- All the user passwords are very long and random

- PAP, MS-CHAPv1 and MS-CHAPv2 are disabled because they are all broken

- Only CHAP is enabled for authentication

- L2TP Server will throttle failed authentication attempts (make the attacker wait 30 seconds, then 2 minutes, then 10 minutes, etc)

Do you know if it's possible to configure Mikrotik to throttle attackers when using CHAP authentication?

The bruteforcing of the password would be slowed down immensely, making it practically impossible!
 
tomaskir
Trainer
Topic Author
Posts: 1086
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 10:58 am

Man, you really are thinking small scale. In any serious deployment, you will always use a central point of authentication (RADIUS with an LDAP or AD backend). You need Single-Sign-On for your users, and you should never control the passwords of your users. That's the industry-tested best practice. You also need a single point of authentication, so if a user gets his password compromised, or wants it changed, you only need to change it in one place.

Do you think any company, even a small-sized one with 50 road warriors, will not want to use SSO? How about if a user is out of the company and needs his password changed? You will not have access to reconfigure it on his VPN client.

Did you ever think that the VPN clients (because they are thin clients, or proprietary devices) may require PAP or MS-CHAP? Also, why cut your user off for minutes if he simply misspells his password only once?

Are you also assuming your users will have their passwords saved in their VPN client? If they are really complex and long random passwords, how will they remember them? This is unacceptable as well. The VPN clients should NEVER have passwords saved. What if the road warrior user's device gets stolen? The attacker will right away VPN into your infrastructure, no matter how hardcore the password is, because it's saved.

I'm done discussing this, since you are just not listening and I keep repeating the same things for 3 posts now.
Close down L2TP, you will NEVER use it without IPSec anyway. That's the point, and it solves so many security issues.
If you want to open needless risks and security holes in your own infrastructure, that's your problem.
 
Leolo
just joined
Posts: 8
Joined: Wed Aug 21, 2013 7:01 am

Re: [Solved] L2TP/IPSec with Android

Thu Aug 22, 2013 1:33 pm

You make very good and valid points.

In my case I'm thinking at an extremely small scale, and that's why I didn't see the problem with leaving the port open.

To be honest, I'm not using certificates with IPSec (I'm just using a PSK, which is permanently stored on the user's laptop), even though Microsoft clearly warns you against using a Pre-Shared Key.

This is a security risk if the laptop gets stolen, as you've correctly mentioned.

I'll keep that in mind for the future and try to improve the security a little bit.

Thanks a lot for your script and all the information!

Kind regards.
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Sun Sep 29, 2013 5:58 pm

Thomas,

First, thanks for your great explanations!
I am new to RouterOS but I got standard L2TP/IPSec working fine (for iPhone and Win 7). Now I wanted to increase security with your setup and script, but something doesn't work out:

1)
/ppp profile add name=L2TP local-address=10.0.31.1 remote-address=l2tp-pool address-list=L2TP_Clients
a) I think address-list should be "L2TP_Allowed" as this is the one later populated by the script.
b) The profile seems to work (with my old firewall rules) even if the script is not running. How can that be if there are no addresses in the address list?

2)
add chain=input dst-port=1701 protocol=udp src-address-list=L2TP_Allowed
Without dst-port 500 I don't get anywhere, as the first connection is made to port 500 (at least from my iPhone). But even with ports 500, 1701 and 4500 in the rule, I don't get a connection. Switching back to the old rule without Source Address List and it works...

3) A more general question: Is it possible to use a custom IPSec proposal instead of the default one?

Would you mind helping me out? Thanks!

Kind regards,
iBlueDragon
 
tomaskir
Trainer
Topic Author
Posts: 1086
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Mon Sep 30, 2013 11:29 am

iBlueDragon:
1) The /ppp profile address list simply means that all clients which successfully establish an L2TP session will be put INTO that address list. It has nothing to do with firewall rules to establish an L2TP session. Hope that makes it clear. The L2TP_Allowed address list should NOT be defined in the /ppp profile, that would break things.

2) You of course need other firewall input rules to allow the IPSec session to be established:
UDP 500 – IKE
UDP 4500 – NAT Traversal
L4 Proto 50 – IPSec ESP

The rule for UDP 1701 is there to restrict the L2TP server to IPSec-enabled clients only.

3) Sure you can. Simply configure the proposal to whatever your clients are compatible with.

4) Watch my MUM presentation on IPSec, it should explain a lot of things, it's in my sig.
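The input chain described in the reply above, written out as an added example (this is not the thread author's script or configuration): IKE, NAT-T and ESP are accepted from the WAN, but UDP/1701 is accepted only from sources already present in the L2TP_Allowed address list, which is assumed to be filled by a script that tracks established IPsec SAs (the script itself is not reproduced in the thread). The WAN interface name `ether1-wan`, the address-list entry timeout and the rule comments are assumptions.

```routeros
# Added example, not the thread's own configuration. Assumes the WAN
# interface is called ether1-wan and that a separate script adds the public
# address of every peer with an established IPsec SA to L2TP_Allowed.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="already accepted flows"
add chain=input action=accept protocol=udp dst-port=500 in-interface=ether1-wan comment="IKE"
add chain=input action=accept protocol=udp dst-port=4500 in-interface=ether1-wan comment="IKE / ESP over NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-wan comment="ESP (clients not behind NAT)"
add chain=input action=accept protocol=udp dst-port=1701 src-address-list=L2TP_Allowed comment="L2TP only from IPsec peers"
add chain=input action=drop protocol=udp dst-port=1701 comment="L2TP from everyone else"

# Example of the entry the SA-tracking script is expected to create; the
# address and timeout are constructed values, not taken from the thread.
/ip firewall address-list
add list=L2TP_Allowed address=198.51.100.23 timeout=10m comment="added for peer with established SA"

# The ppp profile list (L2TP_Clients) is a different list: it receives the
# tunnel addresses of clients that completed L2TP/PPP, not their public IPs,
# so it must not be reused as L2TP_Allowed.
/ppp profile
add name=L2TP local-address=10.0.31.1 remote-address=l2tp-pool address-list=L2TP_Clients

# Checks: the list should only contain peers that currently have an SA, and
# drops of UDP/1701 from unlisted sources show up in the firewall log if the
# drop rule is given log=yes.
/ip firewall address-list print where list=L2TP_Allowed
/ip ipsec installed-sa print
```

The drop rule for UDP/1701 must sit before any broad accept rule in the input chain, otherwise the address-list restriction is bypassed. Clients behind NAT carry ESP inside UDP/4500, so the `ipsec-esp` rule only matters for clients with a public address. Later RouterOS versions offer an `ipsec-policy=in,ipsec` matcher that can express "only packets that arrived inside IPsec" directly, without an address list; that feature is not discussed in this thread and its availability on your version is an assumption to verify.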
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Mon Sep 30, 2013 4:21 pm

Tomas:

Thanks for your quick reply!
1) Okay. Will try again on Thursday when I'm back home.
2) Clear.
3) Sorry, misunderstanding. In the Road Warrior setup the IPSec Policies in the router are generated automatically based on the default proposal. How do I get the router to use another proposal (e.g. one named L2TP)?
4) Thanks. Really helped a lot!

Kind regards,
iBlueDragon
 
tomaskir
Trainer
Topic Author
Posts: 1086
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: [Solved] L2TP/IPSec with Android

Tue Oct 01, 2013 11:26 am

3) Sorry, misunderstanding. In the Road Warrior setup the IPSec Policies in the router are generated automatically based on the default proposal. How do I get the router to use another proposal (e.g. one named L2TP)?
Currently impossible. You have to configure the default proposal to what you want for the dynamic policies to use.
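Since the dynamic policies for road-warrior peers are generated from the proposal named `default`, the way to change the algorithms they use is to edit that proposal in place. As an added example (not the thread's own configuration), the following hardens it and then verifies that a connected client's dynamic policy and its installed SAs reference the new algorithms. The specific algorithms, lifetime and PFS choice are assumptions; use whatever your clients support.

```routeros
# Added example, not from the thread. The named proposal "default" is the one
# used for dynamic policies, so it is modified rather than replaced.
/ip ipsec proposal
set [ find name=default ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none lifetime=1h

# Verify after a client has connected: the dynamic policy and installed SAs
# should show the algorithms configured above.
/ip ipsec proposal print
/ip ipsec policy print detail where dynamic=yes
/ip ipsec installed-sa print
```

Creating a second proposal (for example one named `L2TP`) and leaving `default` untouched does nothing for road-warrior clients, since no static policy references the new proposal and the dynamic ones keep using `default`.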
 
iBlueDragon
newbie
Posts: 29
Joined: Sun Sep 29, 2013 5:29 pm

Re: [Solved] L2TP/IPSec with Android

Thu Oct 03, 2013 9:47 am

Hi Tomas,

Now works as described!
In the log file I get "address list entry added by admin" when the connection gets established and "address list entry removed by admin" when it's terminated.

Thanks again for taking the time to answer my questions.

Kind regards,
iBlueDragon
 
BennyT
just joined
Posts: 20
Joined: Mon Apr 18, 2016 4:03 pm

Re: [Solved] L2TP/IPSec with Android

Sun Jul 10, 2016 8:50 pm

Hi Tomas,

I am trying to get my L2TP/IPSec running with an Android phone but without success. I don't know any more steps... hope you can have a look at it. I have a dynamic WAN address, which in this case is the 85.176.65.xxx address. The internal WAN address is 192.168.10.1 ... so I enter as the local address of the IPSec config: 192.168.10.1 (from the eth1 gateway interface). On the IPSec peer I see the external 85.xxx.xxx.xx address from the ISP. Is this correct? I have a Fritzbox which dials in and sends all traffic to the Mikrotik router...

Here is a part of the log file:
<13>1 2016-07-10T19:33:42.645190+02:00 ipsec,debug,packet such - - - such policy does not already exist: 109.47.3.85/32[0] 85.176.65.54/32[0] proto=udp dir=in
<13>1 2016-07-10T19:33:42.645413+02:00 ipsec,debug,packet such - - - such policy does not already exist: 85.176.65.54/32[0] 109.47.3.85/32[0] proto=udp dir=out
<13>1 2016-07-10T19:33:42.659828+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:42.659996+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:42.660408+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:42.660822+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:42.661208+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:42.661612+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:42.662025+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:42.662428+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:42.662809+02:00 l2tp,info first - - - first L2TP UDP packet received from 109.47.3.85
<13>1 2016-07-10T19:33:42.663322+02:00 l2tp,debug tunnel - - - tunnel 40 entering state: wait-ctl-conn
<13>1 2016-07-10T19:33:42.664214+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:42.664641+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:42.665025+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:42.665434+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:42.665865+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:42.666772+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:42.667188+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:42.667575+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:42.667954+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:42.668357+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:42.668768+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:43.670513+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:43.670677+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:43.670892+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:43.671104+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:43.671409+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:43.671594+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:43.671806+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:43.672019+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:43.672230+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:43.672443+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:43.672662+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:44.669744+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.669902+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:44.670119+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:44.670328+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:44.670537+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:44.670748+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:44.670962+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:44.671169+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:44.671781+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.672202+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:44.673065+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:44.673489+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:44.673871+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:44.674274+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:44.674676+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:44.675099+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:44.675489+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:44.675875+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:44.676256+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:44.676661+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:44.677073+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:46.680101+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.680523+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:46.680899+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:46.681302+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:46.681701+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:46.682630+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:46.683033+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:46.684153+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:46.684538+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:46.684948+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:46.685350+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:46.718726+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.719138+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:46.720103+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:46.720430+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:46.720620+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:46.720833+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:46.721048+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:46.721261+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:46.721485+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:46.721701+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:48.676510+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:48.676667+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:48.676884+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:48.677094+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:48.677305+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:48.677624+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:48.677808+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:48.678021+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:48.678243+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:48.678464+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:50.679092+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.679250+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:50.679556+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:50.679749+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:50.679981+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:50.680175+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:50.680386+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:50.680596+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:50.680807+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:50.681017+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:50.681231+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:50.681457+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.681670+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:50.681879+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:50.682095+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:50.682307+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:50.682519+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:50.682729+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:50.682942+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:50.683175+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:50.683389+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:52.682872+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:52.683046+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:52.683264+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:52.683506+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:52.683725+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:52.683949+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:52.684156+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:52.684371+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:52.684605+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:52.684820+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1

<13>1 2016-07-10T19:33:54.693998+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:54.694152+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:54.694368+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:54.694580+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:54.694808+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:54.695007+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:54.695220+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:54.695441+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:54.695660+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:54.695875+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:56.691763+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:56.691968+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:56.692185+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:56.692401+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:56.692618+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:56.692836+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:56.693056+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:56.693266+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:56.693502+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:56.693718+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:58.674545+02:00 l2tp,debug,packet sent - - - sent control message to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.674704+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=0, nr=1
<13>1 2016-07-10T19:33:58.674939+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRP
<13>1 2016-07-10T19:33:58.675130+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:58.675337+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x1
<13>1 2016-07-10T19:33:58.675548+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Bearer-Capabilities=0x0
<13>1 2016-07-10T19:33:58.675757+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Firmware-Revision=0x1
<13>1 2016-07-10T19:33:58.675970+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="MikroTik"
<13>1 2016-07-10T19:33:58.676182+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    Vendor-Name="MikroTik"
<13>1 2016-07-10T19:33:58.676395+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=40
<13>1 2016-07-10T19:33:58.676604+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=4
<13>1 2016-07-10T19:33:58.729047+02:00 l2tp,debug,packet rcvd - - - rcvd control message from 109.47.3.85:54180 to 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.729216+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=0, session-id=0, ns=0, nr=0
<13>1 2016-07-10T19:33:58.729531+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Message-Type=SCCRQ
<13>1 2016-07-10T19:33:58.729712+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Protocol-Version=0x01:00
<13>1 2016-07-10T19:33:58.729945+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Host-Name="anonymous"
<13>1 2016-07-10T19:33:58.730139+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Framing-Capabilities=0x3
<13>1 2016-07-10T19:33:58.730351+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Assigned-Tunnel-ID=17076
<13>1 2016-07-10T19:33:58.730565+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    (M) Receive-Window-Size=1
<13>1 2016-07-10T19:33:58.730792+02:00 l2tp,debug,packet sent - - - sent control message (ack) to 109.47.3.85:54180 from 192.168.10.1:1701
<13>1 2016-07-10T19:33:58.731010+02:00 router l2tp,debug,packet - - - l2tp,debug,packet    tunnel-id=17076, session-id=0, ns=1, nr=1
<13>1 2016-07-10T19:33:58.731221+02:00 l2tp,debug tunnel - - - tunnel 40 received no replies, disconnecting
<13>1 2016-07-10T19:33:58.731445+02:00 l2tp,debug tunnel - - - tunnel 40 entering state: dead
This repeats some times after the android phone cancelled the request. Any idea?
Thanks.
Regards,
Ben
 
Renz
just joined
Posts: 1
Joined: Fri Apr 07, 2017 4:35 am

Re: [Solved] L2TP/IPSec with Android

Wed Apr 26, 2017 6:35 am

Hi Tomas,

I found your post with regards to L2TP with IPsec and managed to set it up correctly! I think. hahahaha. Because when I connect to it locally I can connect with no problem at all. All is working fine.

Now the problem occurs when I try to connect to it using a different ISP, or from another place with a different ISP connection.

I tested it with my laptop and it always hangs at "connecting to 192.168.xxx.xxx using WAN Miniport (L2TP)" and then I get Error 789. It just stops there!

but locally i can connect to it, with LAN cable connection and connected to a Switch that is connected to my Mikrotik RB.

Hope you can help me to find a solution to this!

Thanks!
 
Chega
just joined
Posts: 16
Joined: Fri Dec 04, 2015 12:18 pm

Re: [Solved] L2TP/IPSec with Android

Fri Jul 13, 2018 5:31 pm

I have the same problem: my laptop, connected from a different ISP through L2TP to my home, has full access to the home network and the home internet connection. But Android can only connect to the home Mikrotik through the Mikrotik app; no internet access, no access to the home network. NAT traversal is enabled, and the firewall rule for UDP 4500 is present. What else could I have forgotten?
/ppp secret
add name=vpn_chega password=szvcxzcbe3f profile=l2tp_profile service=l2tp


/ppp profile
add change-tcp-mss=yes dns-server=192.168.58.1 local-address=192.168.50.1 name=\
    l2tp_profile remote-address=vpn_pool use-upnp=yes

/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes \
    ipsec-secret=askjdlkerjl459834 use-ipsec=yes

/ip address
add address=192.168.58.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.58.0
add address=172.16.1.1/30 interface=ether5-slave-local-den network=172.16.1.0
add address=192.168.59.1/24 comment=Den interface=ether5-slave-local-den \
    network=192.168.59.0
