Not sure if this applies to your configuration, but I recently ran into the same symptom in two similar cases. The short version is, regardless of what the config and logs say, the IPSec packets will have a source IP of the pref-src value for the route matching the IPSec endpoint. Example...

/ip addr add address=1.2.3.4/24 interface=wan
/ip addr add address=2.2.2.2/32 interface=wan
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254

The pref-src for the default route will be 1.2.3.4, unless otherwise specified.

If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA, the SA will come up and everything will look fine, but the L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially if you're doing NAT-T, the router in front of the remote endpoint will just drop the UDP packets because the connection tracking won't know where they came from.

I'm fudging some of the details because I'm a bit swamped and pulling this from memory, but the underlying point is the same. If the remote endpoint connects to 2.2.2.2, it won't work, and if you connect to 1.2.3.4, it does.

I also noticed some related badness when setting up IPSec with a static policy in a dual-WAN config. Even though sa-src-address was set to the second WAN address, it turns out the deciding factor was the pref-src on the matching route for the outbound traffic. I tried NAT, policy routing, yelling, and the pref-src value was the only thing that would change it. Even the logs (ipsec,raw,packet) showed the correct src address, but torch on the upstream routers proved the logs to be incorrect. The worst part was, once I did get it to change by setting the pref-src on a static /32 route matching the remote endpoint, removing the route didn't change it back. I had to reboot the router to switch it back to the first WAN address. Suffice it to say, I should set this up in a lab carefully documenting it and send it to MikroTik, but who has time for that.


hth,

-Kristian
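An added check that models the behaviour Kristian describes above (it is not his code and not anything RouterOS provides): the source address IPsec traffic actually leaves with is the pref-src of the route matching the remote endpoint, not the sa-src-address in the policy. The script does a longest-prefix route lookup for the peer, derives the effective source, and flags a mismatch against the configured sa-src-address; it then shows the workaround he mentions, a static /32 route to the peer with an explicit pref-src. The addresses and default route are the ones from his example; the peer address 203.0.113.10 is constructed, and the rule for the implied pref-src (first configured address whose subnet contains the gateway) is an assumption simplified from his example. The "stuck until reboot" behaviour he saw after removing the route is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Address:
    address: str      # "1.2.3.4/24", as written in /ip address
    interface: str


@dataclass
class Route:
    dst: str                        # "0.0.0.0/0"
    gateway: str
    pref_src: Optional[str] = None  # explicit pref-src, if the admin set one


def lookup_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match for dst_ip, which is how the outbound route is picked."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if ip in ipaddress.ip_network(r.dst)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.dst).prefixlen, default=None)


def implied_pref_src(route: Route, addresses: List[Address]) -> Optional[str]:
    """pref-src when none is configured. Assumption (simplified from the reply's
    example): the first configured address whose subnet contains the gateway wins,
    so a secondary /32 on the same interface is never chosen by default."""
    gw = ipaddress.ip_address(route.gateway)
    for a in addresses:
        iface = ipaddress.ip_interface(a.address)
        if gw in iface.network:
            return str(iface.ip)
    return None


def effective_source(routes: List[Route], addresses: List[Address], dst_ip: str) -> Optional[str]:
    """Address that packets to dst_ip will actually carry as their source."""
    route = lookup_route(routes, dst_ip)
    if route is None:
        return None
    return route.pref_src or implied_pref_src(route, addresses)


def check_peer(routes: List[Route], addresses: List[Address],
               peer_ip: str, sa_src_address: str) -> Dict[str, object]:
    """Compare the address IPsec is configured to use (sa-src-address / the address
    the peer connects to) with the one the routing table will stamp on the packets."""
    actual = effective_source(routes, addresses, peer_ip)
    return {"peer": peer_ip, "configured": sa_src_address,
            "actual": actual, "mismatch": actual != sa_src_address}


# Constructed sample, taken from the example in the reply above.
ADDRESSES = [Address("1.2.3.4/24", "wan"), Address("2.2.2.2/32", "wan")]
ROUTES = [Route("0.0.0.0/0", "1.2.3.254")]
PEER = "203.0.113.10"  # constructed remote IPsec endpoint

# The workaround described in the reply: a /32 route to the peer with an explicit pref-src.
FIXED_ROUTES = ROUTES + [Route(f"{PEER}/32", "1.2.3.254", pref_src="2.2.2.2")]


if __name__ == "__main__":
    for label, routes in (("before", ROUTES), ("after /32 route", FIXED_ROUTES)):
        r = check_peer(routes, ADDRESSES, PEER, "2.2.2.2")
        print(f"{label:16} configured={r['configured']} actual={r['actual']} mismatch={r['mismatch']}")
```

Run it as-is and the "before" line reports the mismatch (packets to the peer leave from 1.2.3.4 although the peer talks to 2.2.2.2); the second line shows the /32 route with pref-src=2.2.2.2 making the two agree. On a real router the same comparison is `/ip route print detail` for the route matching the peer versus the sa-src-address in `/ip ipsec policy`, confirmed with torch or a capture upstream rather than the ipsec log, as the reply notes.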

On 01/21/2014 03:30 PM, Scott Lambert wrote:
I apologize for the length of this e-mail.  I didn't want to leave out
any of the work I've already done trying to troubleshoot this.  I really
appreciate anyone willing to slog through it.

I am having fits with my IPSec/L2TP VPNs I use to get into various
places.  Someone posted a recipe to this list which just worked for
RouterOS 5.x and I have been running that on a few routers for a while
now.  It just worked so I never actually spent the time to learn what
was what.  I have been trying to correct that laziness over the past few
days and nights.  But I am out of time and hitting a wall now.

Unfortunately, I have been upgrading a few of the test routers to 6.x
and now need to setup VPNs on a couple of CCRs.  I have not had to use
the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
and up.  I do not have logs of the last time I used the VPNs.

Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.

I only have 6.4 on the new CCR and have configured it to be the moral
equivalent of the config on my remaining functional RouterOS 5.21
493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
upgraded it to 6.7.  Still toast.

I am also trying to get a site to site tunnel running between the CCR
and a CiscoASA.  Never got a successful ISAKMP link on 6.5 or 6.7.

So, I went down to 6.4.  I instantly had a good ISAKMP SA with the
CiscoASA.  I am still working out some issues with passing traffic on
that tunnel.  Is IPsec completely broken above 6.4?

I am also finally getting to the L2TP negotiation with my laptop.  I
have a priority need to get the IPsec/L2TP road warrior tunnel up before
I finish with the CiscoASA.

From what I can see in the logs, IPsec is happy.  I think the MikroTik
is happy with the L2TP request sent by the laptop.  But it looks like
the laptop never acknowledges hearing the MikroTik's ACK.  I have triple
and quadruple checked the secrets.  I have even changed the secrets a
few times, shortening them, to see if that would result in any different
error messages.

If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
VPN is fully negotiated and passing traffic in less than 3 seconds.  So
that tells me I should not have issues with the firewall behind which
the laptop lives.

I have been trying to use info in this article to understand where L2TP
is getting stuck.

   
https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34

C.D.1.22 and A.B.32.129 are both on the CCR.  C.D.1.22 faces the
Internet and A.B.32.129 is the public IP for the network into which I am
trying to VPN.  I have the Site to Site tunnel using C.D.1.22 because
that is closer to the ASA.  I have tried with the IP on the CCR which is
closest to the Laptop's router with the same results.

When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:

16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 328
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 256
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 132
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
                        [ My laptop sent a request to start the control 
connection (SCCRQ) ]
16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:08 l2tp,debug,packet     (M) Host-Name=""
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) ]
16:29:08 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:08 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:08 l2tp,debug,packet     Firmware-Revision=0x1
16:29:08 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:08 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:08 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 284
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 92
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRQ
                        [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:09 l2tp,debug,packet     (M) Host-Name=""
16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) again ]
16:29:09 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:09 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:09 l2tp,debug,packet     Firmware-Revision=0x1
16:29:09 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:09 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:09 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:09 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:10 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:10 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:10 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) again ]
16:29:10 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:10 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:10 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:10 l2tp,debug,packet     Firmware-Revision=0x1
16:29:10 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:10 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:10 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:10 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:11 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:11 l2tp,debug,packet     (M) Message-Type=SCCRQ
                        [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:11 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:11 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:11 l2tp,debug,packet     (M) Host-Name=""
16:29:11 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:11 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:11 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:11 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:12 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:12 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:12 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) again ]
16:29:12 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:12 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:12 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:12 l2tp,debug,packet     Firmware-Revision=0x1
16:29:12 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:12 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:12 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:12 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:15 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:15 l2tp,debug,packet     (M) Message-Type=SCCRQ
                        [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:15 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:15 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:15 l2tp,debug,packet     (M) Host-Name=""
16:29:15 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:15 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:15 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:15 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:16 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:16 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:16 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) again ]
16:29:16 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:16 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:16 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:16 l2tp,debug,packet     Firmware-Revision=0x1
16:29:16 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:16 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:16 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:16 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:23 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:23 l2tp,debug,packet     (M) Message-Type=SCCRQ
                        [ My laptop sent a request to start the control 
connection (SCCRQ) again ]
16:29:23 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:23 l2tp,debug,packet     (M) Framing-Capabilities=0x3
16:29:23 l2tp,debug,packet     (M) Host-Name=""
16:29:23 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:23 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:23 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:23 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:24 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:24 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:24 l2tp,debug,packet     (M) Message-Type=SCCRP
                        [ My CCR likes my request and is accepting the control connection (SCCRP) again ]
16:29:24 l2tp,debug,packet     (M) Protocol-Version=0x01:00
16:29:24 l2tp,debug,packet     (M) Framing-Capabilities=0x1
16:29:24 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
16:29:24 l2tp,debug,packet     Firmware-Revision=0x1
16:29:24 l2tp,debug,packet     (M) Host-Name="gw2.cwy.domain"
16:29:24 l2tp,debug,packet     Vendor-Name="MikroTik"
16:29:24 l2tp,debug,packet     (M) Assigned-Tunnel-ID=12
16:29:24 l2tp,debug,packet     (M) Receive-Window-Size=4
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 29
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 108
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 116
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
16:29:32 l2tp,debug tunnel 12 entering state: dead

Then the CCR gives up.

I cannot figure out from that information what is not matched up.

This is the laptop's perspective, which doesn't help me:

Jan 21 16:29:07 lambertmbp pppd[23979]: pppd 2.4.2 (Apple version 412.5.70) 
started by lambert, uid 501
Jan 21 16:29:07 lambertmbp pppd[23979]: L2TP connecting to server 'A.B.32.129' 
(A.B.32.129)...
Jan 21 16:29:07 lambertmbp pppd[23979]: IPSec connection started
Jan 21 16:29:07 lambertmbp racoon[20913]: Connecting.
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 1).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 2).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 3).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 4).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Main-Mode message 5).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 AUTH: success. 
(Initiator, Main-Mode Message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Main-Mode message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 Initiator: success. 
(Initiator, Main-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Quick-Mode message 1).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: receive success. 
(Initiator, Quick-Mode message 2).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Initiator, Quick-Mode message 3).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKEv1 Phase2 Initiator: success. 
(Initiator, Quick-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: Connected.
Jan 21 16:29:08 lambertmbp pppd[23979]: IPSec connection established
Jan 21 16:29:28 lambertmbp pppd[23979]: L2TP cannot connect to the server
Jan 21 16:29:28 lambertmbp configd[14]: SCNCController: Disconnecting. 
(Connection tried to negotiate for, 21 seconds).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit 
success. (Delete IPSEC-SA).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success. 
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit 
success. (Delete ISAKMP-SA).
Jan 21 16:29:29 lambertmbp racoon[20913]: Disconnecting. (Connection was up 
for, 21.016530 seconds).


This is the MikroTik config:

/ip firewall filter
<early in the list before any drops>
add action=log chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec AH" protocol=ipsec-ah
add action=log chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp

I do not have an anti-nat rule for this session.  I am not getting far
enough to be assigned an IP.  So, it should not matter.  I think it
would only be necessary for the Site to Site link with the CiscoASA,
anyway.  The 5.x box does not have an anti-nat rule either.

I am not using the below mode-cfg part of the config, that I know of,
yet.  It is leftover from trying to combine what worked on 5.x with what
is on the MikroTik wiki.

/ip ipsec mode-cfg
add address-pool=xyz_dhcp_pool1 name=RW-cfg split-include=\
     10.10.230.0/24,192.168.10.0/24
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
     nat-traversal=yes secret=abc123456789
add address=M.N.O.121/32 hash-algorithm=sha1 my-id-user-fqdn=C.D.1.226 \
     nat-traversal=yes secret=supersecret
/ip ipsec policy
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 \
     sa-src-address=C.D.1.226 src-address=10.10.230.0/24 tunnel=yes
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 \
     sa-src-address=C.D.1.226 src-address=192.168.10.0/24 tunnel=yes

/ppp profile
add bridge=XYZ change-tcp-mss=yes dns-server=192.168.10.9 local-address=\
     10.10.230.1 name=xyz remote-address=xyz_dhcp_pool1
/ppp secret
add name=lambert-l2tp password=secret profile=xyz service=l2tp

/interface l2tp-server server
set default-profile=xyz enabled=yes keepalive-timeout=disabled max-mru=1460 \
     max-mtu=1460

Thanks for taking the time to read through.  I would really appreciate
any wild guesses you might have.
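An added log analyzer, not part of Scott's message or of RouterOS, that reads the l2tp,debug,packet lines above and reconstructs the control-connection handshake (SCCRQ from the client, SCCRP from the router, SCCCN from the client per RFC 2661). The point it makes visible is one the raw log buries: every retransmitted SCCRQ from the laptop carries nr=0, meaning the client has not received a single control message from the router, so the SCCRP replies (and the ZLB acks) are being lost on the way back rather than rejected. The first sample is a condensed copy of the log quoted above; the second, a successful handshake from peer 198.51.100.7, is constructed to show the healthy case.

```python
import re
from collections import Counter
from typing import Dict, List

# Header of one control message, e.g.
#   16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
#   16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
CTRL_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) l2tp,debug,packet (?P<dir>rcvd|sent) control message"
    r"(?P<ack> \(ack\))? (?:from|to) (?P<peer>\S+)$"
)
IDS_RE = re.compile(r"tunnel-id=(?P<tid>\d+), session-id=\d+, ns=(?P<ns>\d+), nr=(?P<nr>\d+)")
TYPE_RE = re.compile(r"\(M\) Message-Type=(?P<type>\w+)")

VERDICTS = {
    "established": "SCCCN received: control connection came up.",
    "sccrp-not-received": ("client keeps resending SCCRQ with nr=0, so it never received "
                           "our SCCRP; the reply is lost on the return path (check the source "
                           "address of the outbound reply and the NAT-T path)."),
    "no-sccrp-sent": "SCCRQ seen but the router never answered with SCCRP.",
    "inconclusive": "not enough control messages to decide.",
}


def parse_control_messages(lines: List[str]) -> List[Dict]:
    """Group each header line with its tunnel-id/ns/nr and Message-Type AVP lines.
    A 'sent control message (ack)' has no Message-Type; it is a zero-length-body ack (ZLB)."""
    msgs: List[Dict] = []
    cur = None
    for raw in lines:
        line = raw.strip()
        m = CTRL_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "dir": m["dir"], "peer": m["peer"],
                   "type": "ZLB" if m["ack"] else None, "tid": None, "ns": None, "nr": None}
            msgs.append(cur)
            continue
        if cur is None:
            continue
        m = IDS_RE.search(line)
        if m:
            cur.update(tid=int(m["tid"]), ns=int(m["ns"]), nr=int(m["nr"]))
            continue
        m = TYPE_RE.search(line)
        if m:
            cur["type"] = m["type"]
    return msgs


def diagnose(msgs: List[Dict]) -> Dict[str, object]:
    """Count the handshake messages in each direction and read the client's nr
    (the highest ns it acknowledges having received from us)."""
    rcvd = Counter(m["type"] for m in msgs if m["dir"] == "rcvd")
    sent = Counter(m["type"] for m in msgs if m["dir"] == "sent")
    nr_from_peer = [m["nr"] for m in msgs if m["dir"] == "rcvd" and m["nr"] is not None]
    s = {"sccrq_rcvd": rcvd["SCCRQ"], "sccrp_sent": sent["SCCRP"], "zlb_sent": sent["ZLB"],
         "scccn_rcvd": rcvd["SCCCN"], "peer_max_nr": max(nr_from_peer, default=None)}
    if s["scccn_rcvd"]:
        s["verdict"] = "established"
    elif s["sccrq_rcvd"] > 1 and s["sccrp_sent"] and s["peer_max_nr"] == 0:
        s["verdict"] = "sccrp-not-received"
    elif s["sccrq_rcvd"] and not s["sccrp_sent"]:
        s["verdict"] = "no-sccrp-sent"
    else:
        s["verdict"] = "inconclusive"
    return s


# Condensed copy of the CCR log quoted above (firewall lines and most AVPs dropped).
STUCK_LOG = """
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:29:08 l2tp,debug,packet     (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet     (M) Message-Type=SCCRP
16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:09 l2tp,debug,packet     tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet     (M) Message-Type=SCCRP
16:29:11 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:11 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:29:11 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
""".strip().splitlines()

# Constructed healthy handshake for comparison (peer address is made up).
GOOD_LOG = """
16:30:00 l2tp,debug,packet rcvd control message from 198.51.100.7:1701
16:30:00 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:30:00 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:30:00 l2tp,debug,packet sent control message to 198.51.100.7:1701
16:30:00 l2tp,debug,packet     tunnel-id=7, session-id=0, ns=0, nr=1
16:30:00 l2tp,debug,packet     (M) Message-Type=SCCRP
16:30:00 l2tp,debug,packet rcvd control message from 198.51.100.7:1701
16:30:00 l2tp,debug,packet     tunnel-id=3, session-id=0, ns=1, nr=1
16:30:00 l2tp,debug,packet     (M) Message-Type=SCCCN
""".strip().splitlines()

if __name__ == "__main__":
    for name, log in (("quoted CCR log", STUCK_LOG), ("constructed good log", GOOD_LOG)):
        s = diagnose(parse_control_messages(log))
        print(f"{name}: {s}\n  -> {VERDICTS[s['verdict']]}")
```

The "sccrp-not-received" verdict is consistent with Kristian's reply at the top of the thread: if the SCCRP leaves the router from a different source address than the one the laptop sent its SCCRQ to, the NAT in front of the laptop has no conntrack entry for it and the client sees nothing, which is exactly what nr=0 on every retry says.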



_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik