I apologize for the length of this e-mail.  I didn't want to leave out
any of the work I've already done trying to troubleshoot this.  I really
appreciate anyone willing to slog through it.

I am having fits with my IPsec/L2TP VPNs I use to get into various
places.  Someone posted a recipe to this list which just worked for
RouterOS 5.x and I have been running that on a few routers for a while
now.  It just worked so I never actually spent the time to learn what
was what.  I have been trying to correct that laziness over the past few
days and nights.  But I am out of time and hitting a wall now.

Unfortunately, I have been upgrading a few of the test routers to 6.x
and now need to set up VPNs on a couple of CCRs.  I have not had to use
the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
and up.  I do not have logs of the last time I used the VPNs.

Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.

I only have 6.4 on the new CCR and have configured it to be the moral
equivalent of the config on my remaining functional RouterOS 5.21
493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
upgraded it to 6.7.  Still toast.

I am also trying to get a site to site tunnel running between the CCR
and a CiscoASA.  Never got a successful ISAKMP link on 6.5 or 6.7.

So, I went down to 6.4.  I instantly had a good ISAKMP SA with the
CiscoASA.  I am still working out some issues with passing traffic on
that tunnel.  Is IPsec completely broken above 6.4?

I am also finally getting to the L2TP negotiation with my laptop.  I
have a priority need to get the IPsec/L2TP road warrior tunnel up before
I finish with the CiscoASA.

From what I can see in the logs, IPsec is happy.  I think the MikroTik
is happy with the L2TP request sent by the laptop.  But it looks like
the laptop never acknowledges hearing the MikroTik's ACK.  I have triple
and quadruple checked the secrets.  I have even changed the secrets a
few times, shortening them, to see if that would result in any different
error messages.

If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
VPN is fully negotiated and passing traffic in less than 3 seconds.  So
that tells me I should not have issues with the firewall behind which
the laptop lives.

I have been trying to use info in this article to understand where L2TP
is getting stuck.

  https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34

C.D.1.22 and A.B.32.129 are both on the CCR.  C.D.1.22 faces the
Internet and A.B.32.129 is the public IP for the network into which I am
trying to VPN.  I have the Site to Site tunnel using C.D.1.22 because
that is closer to the ASA.  I have tried with the IP on the CCR which is
closest to the Laptop's router with the same results.

When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:

16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 328
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 256
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 132
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRQ                  
                       [ My laptop sent a request to start the control 
connection (SCCRQ) ]
16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:08 l2tp,debug,packet     (M) Host-Name=""
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) ]
16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:08 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:08 l2tp,debug,packet     Firmware-Revision=0x1
16:29:08 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:08 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 284
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 92
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRQ
                       [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:09 l2tp,debug,packet     (M) Host-Name=""
16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) again ]
16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:09 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:09 l2tp,debug,packet     Firmware-Revision=0x1
16:29:09 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:09 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:10 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:10 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:10 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) again ]
16:29:10 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:10 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:10 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:10 l2tp,debug,packet     Firmware-Revision=0x1
16:29:10 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:10 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:10 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:10 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:11 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:11 l2tp,debug,packet     (M) Message-Type=SCCRQ
                       [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:11 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:11 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:11 l2tp,debug,packet     (M) Host-Name=""
16:29:11 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:11 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:11 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:11 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:12 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:12 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:12 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) again ]
16:29:12 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:12 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:12 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:12 l2tp,debug,packet     Firmware-Revision=0x1
16:29:12 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:12 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:12 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:12 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:15 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:15 l2tp,debug,packet     (M) Message-Type=SCCRQ
                       [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:15 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:15 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:15 l2tp,debug,packet     (M) Host-Name=""
16:29:15 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:15 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:15 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:15 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:16 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:16 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:16 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) again ]
16:29:16 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:16 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:16 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:16 l2tp,debug,packet     Firmware-Revision=0x1
16:29:16 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:16 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:16 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:16 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:23 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:23 l2tp,debug,packet     (M) Message-Type=SCCRQ
                       [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:23 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:23 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:23 l2tp,debug,packet     (M) Host-Name=""
16:29:23 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:23 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:23 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:23 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:24 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:24 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:24 l2tp,debug,packet     (M) Message-Type=SCCRP
                       [ My CCR likes my request and is accepting the control 
connection (SCCRP) again ]
16:29:24 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:24 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:24 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:24 l2tp,debug,packet     Firmware-Revision=0x1
16:29:24 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:24 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:24 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:24 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 29
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 108
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 116
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
16:29:32 l2tp,debug tunnel 12 entering state: dead

Then the CCR gives up.

I cannot figure out from that information what is not matched up.

This is the laptop's perspective, which doesn't help me:

Jan 21 16:29:07 lambertmbp pppd[23979]: pppd 2.4.2 (Apple version 412.5.70) 
started by lambert, uid 501
Jan 21 16:29:07 lambertmbp pppd[23979]: L2TP connecting to server 'A.B.32.129' 
(A.B.32.129)...
Jan 21 16:29:07 lambertmbp pppd[23979]: IPSec connection started
Jan 21 16:29:07 lambertmbp racoon[20913]: Connecting.
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 1).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 2).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 3).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 4).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 5).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 AUTH: success. 
(Initiator, Main-Mode Message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 Initiator: success. 
(Initiator, Main-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Quick-Mode message 1).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Quick-Mode message 2).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Quick-Mode message 3).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKEv1 Phase2 Initiator: success. 
(Initiator, Quick-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: Connected.
Jan 21 16:29:08 lambertmbp pppd[23979]: IPSec connection established
Jan 21 16:29:28 lambertmbp pppd[23979]: L2TP cannot connect to the server
Jan 21 16:29:28 lambertmbp configd[14]: SCNCController: Disconnecting. 
(Connection tried to negotiate for, 21 seconds).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit 
success. (Delete IPSEC-SA).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit 
success. (Delete ISAKMP-SA).
Jan 21 16:29:29 lambertmbp racoon[20913]: Disconnecting. (Connection was up 
for, 21.016530 seconds).


This is the MikroTik config:

/ip firewall filter
<early in the list before any drops> 
add action=log chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec AH" protocol=ipsec-ah
add action=log chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp

I do not have an anti-nat rule for this session.  I am not getting far
enough to be assigned an IP.  So, it should not matter.  I think it
would only be necessary for the Site to Site link with the CiscoASA,
anyway.  The 5.x box does not have an anti-nat rule either.

I am not using the below mode-cfg part of the config, that I know of,
yet.  It is leftover from trying to combine what worked on 5.x with what
is on the MikroTik wiki.

/ip ipsec mode-cfg
add address-pool=xyz_dhcp_pool1 name=RW-cfg split-include=\
    10.10.230.0/24,192.168.10.0/24
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
    nat-traversal=yes secret=abc123456789
add address=M.N.O.121/32 hash-algorithm=sha1 my-id-user-fqdn=C.D.1.226 \
    nat-traversal=yes secret=supersecret
/ip ipsec policy
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 sa-src-address=\
    C.D.1.226 src-address=10.10.230.0/24 tunnel=yes
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 sa-src-address=\
    C.D.1.226 src-address=192.168.10.0/24 tunnel=yes

/ppp profile
add bridge=XYZ change-tcp-mss=yes dns-server=192.168.10.9 local-address=\
    10.10.230.1 name=xyz remote-address=xyz_dhcp_pool1
/ppp secret
add name=lambert-l2tp password=secret profile=xyz service=l2tp

/interface l2tp-server server
set default-profile=xyz enabled=yes keepalive-timeout=disabled max-mru=1460 max-mtu=\
    1460

Thanks for taking the time to read through.  I would really appreciate
any wild guesses you might have.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lamb...@lambertfam.org
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
