back to listing index

[Solved...finally] Is Mikrotik's Road Warrior L2TP/IPsec a Pipe Dream? No! - MikroTik RouterOS

[web search]
Original source (forum.mikrotik.com)
Tags: vpn mikrotik l2tp
Clipped on: 2016-10-09

L
Image (Asset 2/21) alt=Mikrotik for Public / Open access Deployments by Pepin Woolcock (Retrocade, Canada) Other presentations from the MUM in Canada, 2015: http://mum.mikrotik.com/2015/CA/agenda Image (Asset 3/21) alt=Wireless workshop by Uldis Cernevskis (MikroTik, Latvia) Image (Asset 4/21) alt=The Dude is back! by Patrik Schaub (FMS, Germany) PDF slides: http://mum.mikrotik.com/presentations/EU16/presentation_2893_1457350837.pdf Other presenations from the MUM in Europe, 2016: http://mum.mikrotik.com/2016/EU/agenda Image (Asset 5/21) alt=DDoS Mitigation Playbook by Tom Smyth (Wireless Connect Ltd, Ireland) Image (Asset 6/21) alt=Demo 4G mikrotik router with failover from WAN side to 4G using script by Niclas Sackerud (Winther Wireless AB, Sweden) Image (Asset 7/21) alt=FastPath Overview by Janis Megis (MikroTik, Latvia). Slides PDF: http://mum.mikrotik.com/presentations/DK16/presentation_3505_1464877434.pdf Other presentations from MUM Denmark, 2016:: http://mum.mikrotik.com/2016/DK/agenda Image (Asset 8/21) alt=Roskilde Festival: Building a redundant city-sized network in less than two weeks by Kasper Bræmer-Jensen (beo.io ApS, Denmark) Slides PDF: http://mum.mikrotik.com/presentations/DK16/presentation_3532_1464936163.pdf Other presentations from MUM Denmark, 2016: http://mum.mikrotik.com/2016/DK/agenda Image (Asset 9/21) alt=High Availability Infrastructures for SMBs by Alain Casault (Canada) Slides PDF: http://mum.mikrotik.com/presentations/CA15/presentation_2809_1447251413.pdf Other presentations from MUM in Canada, 2015: http://mum.mikrotik.com/2015/CA/agenda Image (Asset 10/21) alt=CAPsManager Workshop by Patrik Schaub (FMS Internetservice GmbH, Germany) Other presentations from the MUM in Germany, 2016: http://mum.mikrotik.com/2016/DE/agenda Image (Asset 11/21) alt=High Availability Methods with Mikrotik by Greg Sowell (Greg Sowell Consulting, USA) PDF slides: http://mum.mikrotik.com/presentations/US16/presentation_3266_1462455568.pdf Other presentations from the MUM in USA, 2016: http://mum.mikrotik.com/2016/US/agenda Image (Asset 12/21) alt=The mAP and the mAP lite: The wireless swiss knife always in your pocket by Lorenzo Busatti (Grifonline S.r.l., Italy) PDF slides: http://mum.mikrotik.com/presentations/US16/presentation_3371_1462179397.pdf Other presentations from the MUM in USA, 2016: http://mum.mikrotik.com/2016/US/agenda Image (Asset 13/21) alt=Mikrotik for Emergency Responders by Gord Scott (Xagyl Communications Inc., Canada) Other presentations from the MUM in Canada, 2015: http://mum.mikrotik.com/2015/CA/agenda
R
 
Image (Asset 14/21) alt=
Nollitik
Member Candidate
Image (Asset 15/21) alt=

Sat Jun 13, 2015 4:59 am

This road warrior L2TP/IPsec is so, so FRUSTRATING, it seems that it could make one jump over the cliff. No matter how much improvements, it just seem to follow a golden rule: the more things change, the more they remain the same.

The problem I have is the L2TP server never gets to the authentication process...even when a dynamic policy gets generated. Everything works at home using a guess network to connect. However, when on the road, the L2TP server just won't authenticate. This failure was described in 2012 here: viewtopic.php?t=67746 and again in 2014 here: https://www.mail-archive.com/mikrotik@m ... 08704.html

It's not the firewall as the L2TP server is sending and receiving control messages with the client...it NEVER authenticates and enter a dead zone. Is it a bug (read that in the pass)? Can any Guru or others provide a working solution? Is IPsec Policy really doesn't like an unknown IP address...if so, then how can a road warrior VPN work?
Last edited by Nollitik on Thu Jul 09, 2015 5:57 am, edited 3 times in total.
 
Image (Asset 16/21) alt=
fallenwrx
newbie

Sat Jun 13, 2015 5:12 am

Can you please confirm that this is using mobile networks eg 3G/4G as i know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.
 
Image (Asset 17/21) alt=
Nollitik
Member Candidate
Image (Asset 18/21) alt=

Sat Jun 13, 2015 8:08 pm

fallenwrx wrote:
Can you please confirm that this is using mobile networks eg 3G/4G as i know in NZ we have to change our APN settings on mobile devices to allow VPN traffic through.


No, the client is using either iOS devices or Android devices over WIFI.
 
Image (Asset 19/21) alt=
wcsnet
Frequent Visitor
Image (Asset 20/21) alt=

Sat Jun 13, 2015 9:35 pm

Yep same issue here cant get l2tp working with iOS however pptp works fine


Sent from my iPhone using Tapatalk
 
Image (Asset 21/21) alt=
Nollitik
Member Candidate

Mon Jun 15, 2015 6:05 pm

Since I can connect to my VPN from my guess network at home...connection from the coffee failed, to trouble shoot most would say check firewall. However, from the coffee shop, L2TP is sending and receiving control messages with the client...therefore that would imply going through the firewall, doesn't it! Also that would imply that IPsec established successfully as well. Here is my firewall (screen shoot below)...does it look acceptable and as recommended?

Screen Shot 2015-06-15 at 9.44.22 AM.png (35.32 KiB) Viewed 2705 times
 
mrz
MikroTik Support

Mon Jun 15, 2015 6:41 pm

Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.
 
fallenwrx
newbie

Tue Jun 16, 2015 10:10 am

under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.
 
Nollitik
Member Candidate

Wed Jun 17, 2015 6:41 am

mrz wrote:
Enable ipsec debug logs in /system logging menu.

Try to connect and post the log output here.


Thanks for responding and awaiting my follow MrZ. My log is very long (both L2TP and IPsec)...would take too much time to redact confidential info. Could I just send the supout file to Mikrotik support...I have been in communication with Maris B.
 
Nollitik
Member Candidate

Wed Jun 17, 2015 6:49 am

fallenwrx wrote:
under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.


Thanks Fallenwrx for responding. I am using RouterOS 6.29 and when one selects IPsec in the L2TP server, it auto generates an IPsec Peer with a policy to "port strict" that's unchangeable.
 
mrz
MikroTik Support

Wed Jun 17, 2015 11:26 am

What ticket number?
 
fallenwrx
newbie

Wed Jun 17, 2015 12:25 pm

if you open the dynamic peer and copy it - make the required change and then delete the original peer does that work for you?
 
atlanticd
just joined

Wed Jun 17, 2015 12:48 pm

I had/have similar issue, described here.
Only workaround I find is that you need to add always manually the outgoing policy. (which is very inconvenient in case of roadwarriors)
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated in case both client and server are behind NAT, then L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.
 
Nollitik
Member Candidate

Wed Jun 17, 2015 10:28 pm

mrz wrote:
What ticket number?


[Ticket#2015061066000766] VPN Analysis and Recommendation
 
Nollitik
Member Candidate

Wed Jun 17, 2015 11:19 pm

Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communication with the client...just not engaging and completing the authentication process...so, one could see how I am leaning towards the conclusion.

The way to resolve is to use advance configuration to forward that port to a secure port that's firewall friendly such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.
 
Nollitik
Member Candidate

Fri Jun 19, 2015 4:24 am

Per Mikrotik support, I disabled all drop rules and that doesn't resolve the L2TP authentication process thus making connection possible, despite IPsec successfully connects. Sent another supout file.
 
Nollitik
Member Candidate

Fri Jun 19, 2015 4:30 am

atlanticd wrote:
I had/have similar issue, described here.
Only workaround I find is that you need to add always manually the outgoing policy. (which is very inconvenient in case of roadwarriors)
I was also in contact with Mikrotik support (ticket number is Ticket#2015061266000262), where they stated in case both client and server are behind NAT, then L2TP/IPsec will not work. This is a limitation of Mikrotik I guess, because with SoftEther it works.
Let's hope there will be an improvement in v7.


I read that you got yours working...when you say "need to add always manually the outgoing policy" what exactly do you mean? Is it that before you go to the outside world you add the policy manually?
 
Nollitik
Member Candidate

Fri Jun 19, 2015 7:34 pm

Nollitik wrote:
Doing some research today seems to leading me to a conclusion that my robust firewall might be having issues with L2TP and port 500. It seems that a common problem and thus the main weakness of L2TP. Since IPsec establishes successfully and L2TP establishes both send as well as receive communication with the client...just not engaging and completing the authentication process...so, one could see how I am leaning towards the conclusion.

The way to resolve is to use advance configuration to forward that port to a secure port that's firewall friendly such as port 443. I searched and found this: http://wiki.mikrotik.com/wiki/Traffic_P ... ion_Script
Of course, that's not clear to me. I want to keep my firewall setup and hope I can get the help to resolve my VPN issue.


Thought to share the web document claiming what I stated above about the weakness of L2TP...the firewall issue. It might help others in their VPN decision making. Here's the link: https://www.bestvpn.com/blog/4147/pptp- ... -vs-ikev2/
 
Nollitik
Member Candidate

Mon Jun 29, 2015 3:40 pm

I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.
 
Nollitik
Member Candidate

Tue Jun 30, 2015 5:02 pm

Nollitik wrote:
I would never have guess that having special characters in password would jam up my VPN...wow...thanks Mikrotik support and a special thank you to MrZ.


Sorry that was a false alarm...problem still has not resolved.
 
Nollitik
Member Candidate

Thu Jul 09, 2015 6:09 am

Thanks to Mikrotik support for resolving my VPN issue. It turned out to be the dynamic generated peer where the problem resided. So, if I reboot the router, I would need to delete the dynamic generated peer for the manually created peer to take effect.

My hope is that Mikrotik gives one the option in the L2TP server to elect whether to issue a dynamic generated peer or manually create the peer in up coming RouterOS releases. One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.
 
mrz
MikroTik Support

Thu Jul 09, 2015 9:56 am

One thing I noticed is that once the L2TP server has been enabled with an IPsec pre-shared key, one cannot edit the key...so that needs to change.


Not exactly clear where you are trying to edit the key.
In /ip ipsec peers it will not be possible because peer is Dynamic.
But you can edit ipsec-secret in L2TP server settings.
 
Nollitik
Member Candidate

Thu Jul 09, 2015 7:22 pm

fallenwrx wrote:
under IPSEC peer 0.0.0.0/0 try changing under generate policy to "port override" as this has resolved issues for me in the past.


Actually, Fallenwrx, that's exactly what worked with passive unchecked...thanks for sharing. Maybe Mikrotik should allow the option to select generate IPsec-peer manually in the L2TP server in future RouterOS releases.
 
micjustin33
just joined

Wed Dec 16, 2015 12:53 pm

L2TP/IPSec is known to provide better security compared to PPTP and is built-in to the latest operating systems and devices. However, you can face the problem in setting up L2TP/IPSec if it is blocked by your firewall (this is where you require Port Forwarding). Also, the revelations brought to the limelight by Edward Snowden show that L2TP was deliberately weakened by NSA during the design stages.
You may try another VPN "http://www.bestvpnprovider.com/purevpn-review/" hope it will work with mikrotik.
Display posts from previous: All posts Sort by Post time Ascending

Who is online

Users browsing this forum: Bing [Bot], mike99, pe1chl and 13 guests