Community discussions

MikroTik App
  4. l雷竞技
  5. General

Problems with VPN

帖子Reply
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Problems with VPN

Thu May 07, 2009 8:35 am

I am trying to get a MT-MT VPN working but I ran into some snags.

1) I first tried to set up a L2TP VPN. After configuring it all it still did not work so I used the packet sniffer. What I saw was that the client was sending connect data (normal) but the server would respond on another of the public IPs. It would not respond on the same IP that it received the connect request. If I disabled the public IP on the server it would just pick another. For testing, I changed the client IP to the one the server had picked and the connection was established. I tried setting the local IP in the profile and in secret but it had no effect. I only have srcnat and no masquerede. What is wrong?

2) I removed the L2TP and then tried a OVPN connection. I could get it to connect but it would immediately disconnect. On the server using WinBox I could see the OVPN connection being created in the PPP->interface window and then it would disappear, over and over. It would happen so fast, but you could see it flickering.

Thanks for any help. The MT box is otherwise working great and I'd like to get a MT-MT VPN going.
Top
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu May 07, 2009 5:40 pm

Here is my L2TP config:
Code:Select all 
[admin@client] /ip route> export /ip route add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ xxx.xxx.43.32 scope=30 target-scope=10 add comment="" disabled=no distance=1 dst-address=192.168.0.0/16 gateway=\ 192.168.90.254 scope=30 target-scope=10 [admin@client] /interface l2tp-client> export /interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \ connect-to=xxx.xxx.105.194 dial-on-demand=yes disabled=no max-mru=1460 \ max-mtu=1460 mrru=disabled name=officevpn password=\ "secret" profile=default-encryption user=\ office [admin@client] /ppp> export /ppp profile set default change-tcp-mss=yes comment="" name=default only-one=default \ use-compression=default use-encryption=default use-vj-compression=default set default-encryption change-tcp-mss=yes comment="" local-address=\ 10.69.99.254 name=default-encryption only-one=default remote-address=\ 192.168.90.254 use-compression=default use-encryption=required \ use-vj-compression=default /ppp aaa set accounting=yes interim-update=0s use-radius=no [admin@server] /interface l2tp-server> export /interface l2tp-server add comment="" disabled=no name=officevpn user=office /interface l2tp-server server set authentication=chap,mschap2 default-profile=default-encryption enabled=yes \ max-mru=1460 max-mtu=1460 mrru=disabled [admin@server] /ppp> export /ppp profile set default change-tcp-mss=yes comment="" name=default only-one=default \ use-compression=default use-encryption=default use-vj-compression=default set default-encryption change-tcp-mss=yes comment="" name=default-encryption \ only-one=default use-compression=default use-encryption=required \ use-vj-compression=default /ppp aaa set accounting=yes interim-update=0s use-radius=no /ppp secret add caller-id=xxx.xxx.43.34 comment="" disabled=no limit-bytes-in=0 \ limit-bytes-out=0 local-address=192.168.90.254 name=office password=\ "secret" profile=default-encryption \ remote-address=10.69.99.254 routes="10.69.0.0/16 10.69.99.254 1" service=\ any
Like I said before, the VPN itself works fine. The only problem is that the IP I tell the client to connect to is not the one I want to use. The server seems to respond using any external IP it likes, here is the client log:
Code:Select all 
07:33:58 l2tp,debug,packet sent control message to xxx.xxx.105.194:1701 07:33:58 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0 07:33:58 l2tp,debug,packet (M) Message-Type=SCCRQ 07:33:58 l2tp,debug,packet (M) Protocol-Version=0x01:00 07:33:58 l2tp,debug,packet (M) Framing-Capabilities=0x1 07:33:58 l2tp,debug,packet (M) Bearer-Capabilities=0x0 07:33:58 l2tp,debug,packet Firmware-Revision=0x1 07:33:58 l2tp,debug,packet (M) Host-Name="client" 07:33:58 l2tp,debug,packet Vendor-Name="MikroTik" 07:33:58 l2tp,debug,packet (M) Assigned-Tunnel-ID=52 07:33:58 l2tp,debug,packet (M) Receive-Window-Size=4 07:33:58 l2tp,debug,packet rcvd control message from xxx.xxx.105.249:1701 07:33:58 l2tp,debug,packet tunnel-id=52, session-id=0, ns=0, nr=1 07:33:58 l2tp,debug,packet (M) Message-Type=SCCRP 07:33:58 l2tp,debug,packet (M) Protocol-Version=0x01:00 07:33:58 l2tp,debug,packet (M) Framing-Capabilities=0x1 07:33:58 l2tp,debug,packet (M) Bearer-Capabilities=0x0 07:33:58 l2tp,debug,packet Firmware-Revision=0x1 07:33:58 l2tp,debug,packet (M) Host-Name="server" 07:33:58 l2tp,debug,packet Vendor-Name="MikroTik" 07:33:58 l2tp,debug,packet (M) Assigned-Tunnel-ID=115 07:33:58 l2tp,debug,packet (M) Receive-Window-Size=4 07:33:58 l2tp,debug received SCCRP before SCCRQ, rejecting
You can see that it is connecting to .194 but the server is responding on .249. If I set the client to send on .249 it works. If I disable .249 on the server it just picks another outgoing ip. How can I force the server to use a certain IP?
Top
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Fri May 08, 2009 9:20 am

So, is the L2TP problem a bug? Does anyone else have L2TP working with multiple IPs on the outgoing subnet?
Top
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Sun May 10, 2009 8:44 am

bump
Top
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu May 14, 2009 8:41 pm

Well the L2TP problem still exists. I guess nobody else has this problem based on the lack of response. The L2TP server seems to respond on the "preferred source" address from the IP routing table even if the client connected to a different IP. This seems like a bug.

I've mostly figured out the OpenVPN for my MT-MT VPN. This does not exhibit the problem with the IP address of the response being different, it will respond on the same address that the client connects with, as expected.
Top
l0ft13
刚刚加入了
Posts: 23
加入: Wed May 28, 2008 11:22 am

Re: Problems with VPN

2009年10月15日星期四32

I am on RouterOS 3.29 and am also experiencing the problem of l2tp server responding on random external ip's ignoring the ip it came in on.
Unfortunately I can't get away from having multiple external IP's in my setup so have to use a different vpn solution
Top
l0ft13
刚刚加入了
Posts: 23
加入: Wed May 28, 2008 11:22 am

Re: Problems with VPN

Thu Oct 15, 2009 1:39 pm

just tried upgrading to 4.0 on both ends with same problem.
Top
rpress
Member Candidate
Member Candidate
Topic Author
Posts: 113
加入: Thu May 07, 2009 5:13 am

Re: Problems with VPN

Thu Oct 15, 2009 7:33 pm

I just sent an email to support so we'll see what they think.
Top
roadracer96
Forum Veteran
Forum Veteran
Posts: 724
加入: Tue Aug 25, 2009 12:01 am

Re: Problems with VPN

Fri Dec 25, 2009 4:31 am

Bump for me to. I was having the same problem when trying L2TP/Ipsec. The policy generated in IPSEC clearly showed the nat IP, but L2TP is responding and banging the firewall protecting the client side.

FWIW, the client side firewall I was testing with was a RB433.;)
Top
ish
刚刚加入了
Posts: 3
加入: Mon Sep 06, 2010 7:27 pm

Re: Problems with VPN

Thu Sep 09, 2010 4:45 pm

Hi,
after some nice email conversation I wrote this mail to the MikroTik Support Team:
Hi Support Team,
NAT-T is enabled on the MikroTik router.
Yesterday I tested 3 times the L2TP/IPSec connection form the Windows XP SP3 Client-PC to the MikroTik Router (VPN Server), while changing the NAT-T-Registry-Parameter "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec" in Windows XP, set the "AssumeUDPEncapsulationContextOnSendRule" to 0, 1 or 2 and restarted the IPSec service on the Windows XP PC (seehttp://support.microsoft.com/kb/926179/en-us).
It doesn't matter if the Parameter "AssumeUDPEncapsulationContextOnSendRule" is set or which value it has.
The L2TP/IPSec connection is not working.

Reason:
IKE connection comes in via UDP/500 (because my SOHO-NAT-Router leaves the port as it is) into the MikroTik Router.
The MikroTik Router is not recognizing that the connecting IPSec peer (Windows XP PC) is behind a NAT-Router and is not forcing the Windows XP PC to connect via UDP/4500 (NAT-T). So the IKE connection is not changing to the NAT-T mode. The IPSec connection (ESP) is established while the IPSec peer addresses are the Public IP's of the MikroTik Router and the Windows XP Client (here the Public IP of the NAT-Router of course). The IPSec Policy inside the MikroTik Router is created automatically and uses as SA Source IP the PRIVATE IP (e.g. 192.168.10.5) of the Windows XP Client.

现在发生了什么是IPSec隧道”ready" but the L2TP connection to the L2TP server on the MikroTik Router is comming from the PUBLIC IP of the Windows XP Client, while the IPSec SA is using the PRIVATE IP. The MikroTik Router is not securing the L2TP answering packets. You can see this on the NAT-Router (Windows XP client behind) while doing a paket captureing. The L2TP answer packets are coming directly to the PUBLIC IP (so reaching directly the NAT Router).
[...]
And I got the following answer:
[...]

Thank you very much for the description. Right now I understand where is the problem.
Currently there is issue with NAT-T and generate-policy. The policy is being generated for private IP address of the router, you should add manually additional policy with src-address=your_MikroTik_router dst-address=your_NAT_router
Either use static /ip ipsec policy.

We are working on the solution for this problem.
[...]
Top
帖子Reply

Who is online

Users browsing this forum:Ahrefs [Bot],Semrush [Bot]and 19 guests
  4. l雷竞技
  5. General