VPN L2TP

[kongo]

Zdravim,

mam problem sa autentifikovat na l2tp serveri.
v4.17
otvorene UDP porty vo firewalle: 500,1701

Kód: Vybrat vše

/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=\
    yes max-mru=1460 max-mtu=1460 mrru=disabled

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address=192.168.1.1 name=meno password=heslo profile=\
    default remote-address=192.168.1.10 routes="" service=l2tp


vo firewalle nabieha pocitadlo paketov na porte 500 pri kazdom pokuse o autenfikaciu a pritom klient hlasi chybu.
ako klienta pouzivam nativneho v MAC OS a taktiez som skusal vo WIN.
Dakujem za rady

[cino]

Zdravim.
Ja to pouzivan takto

Kód: Vybrat vše

/interface l2tp-server
add comment="" disabled=no name=z_notebooku user=MENO
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=L2TP-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=\
    disabled
/ppp profile
set L2TP-encryption change-tcp-mss=yes comment="" idle-timeout=10m name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.1.1 name=MENO \
    password=HESLO profile=default-encryption remote-address=192.168.1.10 routes="" service=l2tp


Beží to na 411-ke Ros3.30 a pripajam sa z "DrayTek Smart VPN client 3.6.2" pre WinXP

[kongo]

super, dakujem. takze problem bol u mna v klientovi pod MAC OS, ktory sa nevie pripojit bez ipsec. S tym draytekom vo win to slape bez ipsec.
Teraz mi uz len zostava rozbehat ipsec ...
ma s tym niekto skusenosti ? dakujem.

[cino]

L2TP zostane nastavený rovnako a do Firewall a v IPSec treba nastaviť toto:

Kód: Vybrat vše

/ip firewall filter
add action=accept chain=input comment=ipsec disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment="" disabled=no dst-port=1701 protocol=udp
add action=accept chain=input comment="" disabled=no protocol=ipsec-esp
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 \
    lifetime=10m nat-traversal=no proposal-check=obey secret=TAJNE_HESLO send-initial-contact=yes
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024


Potom to beží napr. aj s tým Draytek client cez "L2TP over IPSec"

Good luck

[kongo]

cino, stale si s tym neviem dat rady
vlozil som konfiguraciu ako si uviedol vyssie a l2tp s ipsec a zial nic ...
vid. log:

Kód: Vybrat vše

20:21:50 l2tp,debug,packet sent control message to X.X.X.X:1701
20:21:50 l2tp,debug,packet     tunnel-id=64, session-id=0, ns=5704, nr=5701
20:21:50 l2tp,debug,packet     (M) Message-Type=HELLO
20:21:50 l2tp,debug,packet rcvd control message (ack) from X.X.X.X:1701
20:21:50 l2tp,debug,packet     tunnel-id=5, session-id=0, ns=5701, nr=5705
20:21:50 ipsec couldn't find configuration.
20:21:51 ipsec couldn't find configuration.
20:21:53 ipsec couldn't find configuration.
20:21:57 ipsec couldn't find configuration.


[cino]

Neviem kde si urobil chybu ale ak chceš môžem sa na to pozrieť ak by si mi k tomu dal prístup. (SZ)

[kongo]

Problem bol vo verzii v4.17, zrejme nejaky bug. Upgradol som na 5.x a uz nehlasilo chybu "ipsec couldn't find configuration". Nasledne bolo treba restartnut (disable, enable) /ip/ipsec/peer

dakujem za pomoc