I apologize for the length of this e-mail. I didn't want to leave out
any of the work I've already done trying to troubleshoot this. I really
appreciate anyone willing to slog through it.
I am having fits with my IPsec/L2TP VPNs I use to get into various
places. Someone posted a recipe to this list which just worked for
RouterOS 5.x and I have been running that on a few routers for a while
now. It just worked so I never actually spent the time to learn what
was what. I have been trying to correct that laziness over the past few
days and nights. But I am out of time and hitting a wall now.
Unfortunately, I have been upgrading a few of the test routers to 6.x
and now need to set up VPNs on a couple of CCRs. I have not had to use
the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
and up. I do not have logs of the last time I used the VPNs.
Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.
I only have 6.4 on the new CCR and have configured it to be the moral
equivalent of the config on my remaining functional RouterOS 5.21
493G site. I could not get ISAKMP to come up on the CCR with 6.5. I
upgraded it to 6.7. Still toast.
I am also trying to get a site to site tunnel running between the CCR
and a CiscoASA. Never got a successful ISAKMP link on 6.5 or 6.7.
So, I went down to 6.4. I instantly had a good ISAKMP SA with the
CiscoASA. I am still working out some issues with passing traffic on
that tunnel. Is IPsec completely broken above 6.4?
I am also finally getting to the L2TP negotiation with my laptop. I
have a priority need to get the IPsec/L2TP road warrior tunnel up before
I finish with the CiscoASA.
From what I can see in the logs, IPsec is happy. I think the MikroTik
is happy with the L2TP request sent by the laptop. But it looks like
the laptop never acknowledges hearing the MikroTik's ACK. I have triple
and quadruple checked the secrets. I have even changed the secrets a
few times, shortening them, to see if that would result in any different
error messages.
If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
VPN is fully negotiated and passing traffic in less than 3 seconds. So
that tells me I should not have issues with the firewall behind which
the laptop lives.
I have been trying to use info in this article to understand where L2TP
is getting stuck.
https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34
C.D.1.22 and A.B.32.129 are both on the CCR. C.D.1.22 faces the
Internet and A.B.32.129 is the public IP for the network into which I am
trying to VPN. I have the Site to Site tunnel using C.D.1.22 because
that is closer to the ASA. I have tried with the IP on the CCR which is
closest to the Laptop's router with the same results.
When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:500->A.B.32.129:500, len 328
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:500->A.B.32.129:500, len 256
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 132
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRQ
[ My laptop sent a request to start the control
connection (SCCRQ) ]
16:29:08 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:08 l2tp,debug,packet (M) Host-Name=""
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) ]
16:29:08 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:08 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:08 l2tp,debug,packet Firmware-Revision=0x1
16:29:08 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:08 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:08 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 284
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 92
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet (M) Message-Type=SCCRQ
[ My laptop sent a request to start the control
connection (SCCRQ) again ]
16:29:09 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:09 l2tp,debug,packet (M) Host-Name=""
16:29:09 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:09 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) again ]
16:29:09 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:09 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:09 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:09 l2tp,debug,packet Firmware-Revision=0x1
16:29:09 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:09 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:09 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:09 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:10 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:10 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:10 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) again ]
16:29:10 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:10 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:10 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:10 l2tp,debug,packet Firmware-Revision=0x1
16:29:10 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:10 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:10 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:10 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:11 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:11 l2tp,debug,packet (M) Message-Type=SCCRQ
[ My laptop sent a request to start the control
connection (SCCRQ) again ]
16:29:11 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:11 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:11 l2tp,debug,packet (M) Host-Name=""
16:29:11 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:11 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:11 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:11 l2tp,debug,packet tunnel-id=62, session-id=0, ns=1, nr=1
16:29:11 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:12 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:12 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:12 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) again ]
16:29:12 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:12 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:12 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:12 l2tp,debug,packet Firmware-Revision=0x1
16:29:12 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:12 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:12 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:12 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:15 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:15 l2tp,debug,packet (M) Message-Type=SCCRQ
[ My laptop sent a request to start the control
connection (SCCRQ) again ]
16:29:15 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:15 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:15 l2tp,debug,packet (M) Host-Name=""
16:29:15 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:15 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:15 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:15 l2tp,debug,packet tunnel-id=62, session-id=0, ns=1, nr=1
16:29:15 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:16 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:16 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:16 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) again ]
16:29:16 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:16 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:16 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:16 l2tp,debug,packet Firmware-Revision=0x1
16:29:16 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:16 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:16 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:16 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:23 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:23 l2tp,debug,packet (M) Message-Type=SCCRQ
[ My laptop sent a request to start the control
connection (SCCRQ) again ]
16:29:23 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:23 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:23 l2tp,debug,packet (M) Host-Name=""
16:29:23 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:23 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:23 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:23 l2tp,debug,packet tunnel-id=62, session-id=0, ns=1, nr=1
16:29:23 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 144
16:29:24 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:24 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:24 l2tp,debug,packet (M) Message-Type=SCCRP
[ My CCR likes my request and is accepting the control
connection (SCCRP) again ]
16:29:24 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:24 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:24 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:24 l2tp,debug,packet Firmware-Revision=0x1
16:29:24 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:24 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:24 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:24 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 29
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 108
16:29:28 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8,
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 116
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
16:29:32 l2tp,debug tunnel 12 entering state: dead
Then the CCR gives up.
I cannot figure out from that information what is not matched up.
This is the laptop's perspective, which doesn't help me:
Jan 21 16:29:07 lambertmbp pppd[23979]: pppd 2.4.2 (Apple version 412.5.70)
started by lambert, uid 501
Jan 21 16:29:07 lambertmbp pppd[23979]: L2TP connecting to server 'A.B.32.129'
(A.B.32.129)...
Jan 21 16:29:07 lambertmbp pppd[23979]: IPSec connection started
Jan 21 16:29:07 lambertmbp racoon[20913]: Connecting.
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Initiator, Main-Mode message 1).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success.
(Initiator, Main-Mode message 2).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Initiator, Main-Mode message 3).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success.
(Initiator, Main-Mode message 4).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Initiator, Main-Mode message 5).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 AUTH: success.
(Initiator, Main-Mode Message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKE Packet: receive success.
(Initiator, Main-Mode message 6).
Jan 21 16:29:07 lambertmbp racoon[20913]: IKEv1 Phase1 Initiator: success.
(Initiator, Main-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Initiator, Quick-Mode message 1).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: receive success.
(Initiator, Quick-Mode message 2).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Initiator, Quick-Mode message 3).
Jan 21 16:29:08 lambertmbp racoon[20913]: IKEv1 Phase2 Initiator: success.
(Initiator, Quick-Mode).
Jan 21 16:29:08 lambertmbp racoon[20913]: Connected.
Jan 21 16:29:08 lambertmbp pppd[23979]: IPSec connection established
Jan 21 16:29:28 lambertmbp pppd[23979]: L2TP cannot connect to the server
Jan 21 16:29:28 lambertmbp configd[14]: SCNCController: Disconnecting.
(Connection tried to negotiate for, 21 seconds).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit
success. (Delete IPSEC-SA).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKE Packet: transmit success.
(Information message).
Jan 21 16:29:28 lambertmbp racoon[20913]: IKEv1 Information-Notice: transmit
success. (Delete ISAKMP-SA).
Jan 21 16:29:29 lambertmbp racoon[20913]: Disconnecting. (Connection was up
for, 21.016530 seconds).
This is the MikroTik config:
/ip firewall filter
<early in the list before any drops>
add action=log chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec AH" protocol=ipsec-ah
add action=log chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
I do not have an anti-nat rule for this session. I am not getting far
enough to be assigned an IP. So, it should not matter. I think it
would only be necessary for the Site to Site link with the CiscoASA,
anyway. The 5.x box does not have an anti-nat rule either.
I am not using the below mode-cfg part of the config, that I know of,
yet. It is leftover from trying to combine what worked on 5.x with what
is on the MikroTik wiki.
/ip ipsec mode-cfg
add address-pool=xyz_dhcp_pool1 name=RW-cfg split-include=\
10.10.230.0/24,192.168.10.0/24
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
nat-traversal=yes secret=abc123456789
add address=M.N.O.121/32 hash-algorithm=sha1 my-id-user-fqdn=C.D.1.226 \
nat-traversal=yes secret=supersecret
/ip ipsec policy
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 \
    sa-src-address=C.D.1.226 src-address=10.10.230.0/24 tunnel=yes
add dst-address=172.18.84.0/24 level=use sa-dst-address=M.N.O.121 \
    sa-src-address=C.D.1.226 src-address=192.168.10.0/24 tunnel=yes
/ppp profile
add bridge=XYZ change-tcp-mss=yes dns-server=192.168.10.9 local-address=\
10.10.230.1 name=xyz remote-address=xyz_dhcp_pool1
/ppp secret
add name=lambert-l2tp password=secret profile=xyz service=l2tp
/interface l2tp-server server
set default-profile=xyz enabled=yes keepalive-timeout=disabled max-mru=1460 \
    max-mtu=1460
Thanks for taking the time to read through. I would really appreciate
any wild guesses you might have.
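The stuck exchange in the MikroTik log above (SCCRQ answered with SCCRP, SCCRQ retransmitted with tunnel-id=0 and nr=0, tunnel 12 eventually dying for lack of replies) can be read off mechanically. The Python script below is an added example, not part of the original mail: it parses the `l2tp,debug,packet` line format shown above from a constructed, abridged copy of that log and reports whether the peer's Nr ever acknowledged the router's SCCRP.

```python
import re

# Constructed sample: an abridged excerpt of the MikroTik l2tp,debug,packet
# output quoted in the mail (AVP lines dropped, one retransmit round kept).
SAMPLE_LOG = """\
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRQ
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRP
16:29:09 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:09 l2tp,debug,packet (M) Message-Type=SCCRQ
16:29:09 l2tp,debug,packet sent control message (ack) to A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=62, session-id=0, ns=1, nr=1
16:29:09 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:09 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:09 l2tp,debug,packet (M) Message-Type=SCCRP
16:29:32 l2tp,debug tunnel 12 received no replies, disconnecting
"""

HDR_RE = re.compile(r"(rcvd|sent) control message(?: \(ack\))? (?:from|to) (\S+)")
SEQ_RE = re.compile(r"tunnel-id=(\d+), session-id=\d+, ns=(\d+), nr=(\d+)")
TYPE_RE = re.compile(r"Message-Type=(\w+)")

def parse_l2tp_log(text):
    """Fold the one-field-per-line output into one dict per control message
    (a message with no Message-Type is a bare ZLB acknowledgement)."""
    msgs = []
    for line in text.splitlines():
        if m := HDR_RE.search(line):
            msgs.append({"dir": m.group(1), "peer": m.group(2), "type": None})
        elif msgs and (m := SEQ_RE.search(line)):
            tid, ns, nr = map(int, m.groups())
            msgs[-1].update(tunnel_id=tid, ns=ns, nr=nr)
        elif msgs and (m := TYPE_RE.search(line)):
            msgs[-1]["type"] = m.group(1)
    return msgs

def diagnose(msgs):
    """Nr is the next Ns the sender expects, so a peer Nr that never rises above
    0 means none of the router's messages (Ns starts at 0) were seen by it."""
    rcvd = [m for m in msgs if m["dir"] == "rcvd"]
    sent = [m for m in msgs if m["dir"] == "sent" and m["type"]]  # skip ZLB acks
    peer_acked = max((m["nr"] for m in rcvd), default=0)
    return {
        "sccrq_received": sum(m["type"] == "SCCRQ" for m in rcvd),
        "sccrp_sent": sum(m["type"] == "SCCRP" for m in sent),
        "peer_acked_up_to": peer_acked,
        "unacked_sent": sorted({m["type"] for m in sent if m["ns"] >= peer_acked}),
        "peer_never_got_tunnel_id": all(m["tunnel_id"] == 0 for m in rcvd),
    }
```

On the sample it reports two SCCRQ received, two SCCRP sent, peer Nr stuck at 0 and the peer still using tunnel-id 0, which is the "laptop never acknowledges the SCCRP" pattern described in the mail. Nothing in this log shows whether the router's replies actually left the box or reached the laptop; a packet capture on the interface facing A.B.34.126 would be the next check.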